Other hand held devices (smartphones & ipads)

Transcription

1 Martin Edwards, MS, CHC, CHPC HIPAA Compliance Director Dell Healthcare and Life Sciences Services Plano, Texas 1 Portable Diagnostic Equipment at Risk Ultrasound machines ECG machines Radiology/imaging machines Central Processing Units (CPUs) attached to diagnostic equipment Other hand held devices (smartphones & ipads) 2 1

2 Privacy & Security Concerns Many portable and hand held diagnostic devices utilize Windows and other operating systems PHI may be stored directly on the device or on the operating system supporting the clinical application Devices may lack encryption and other security measures Many diagnostic devices are FDA approved for patient care Devices are not always encryptable Devices don t always support other security features (e.g. ID/Password) Alteration of device (adding encryption) may negatively impact device s performance Potentially causing patient harm or ineffectiveness of the device Potential liability for the Covered Entity Alteration of the FDA approved devices may also void warranties and vendor support 3 Lessons Learned Portable ultrasound machine stolen from a patient care area Stolen after normal hours Machine resembled a laptop computer (see next slide) Valued at over $60,000 Law enforcement efforts weren t successful in the recovery of the machine Checked local pawn shops and other resale venues Internet Machine was FDA approved and was not encrypted 4 2

3 5 Forensics Findings Forensic analysis on a similar machine revealed: Images are normally stored on the machine Periodic removal of images was performed Machine s operating system randomly stored PHI, such as patient name, DOB, height/weight, blood pressure, and image of the heart Office of Information Security conducted testing to see how data was stored and at what frequency Ultrasound machine vendor provided technical support in the analysis Unable to definitively identify which patients (if any) PHI may have been compromised; May have been one patient, but unable to identify which patient(s) PHI may be on the machine Over 8,000 patients were issued a breach notification letter Notified DHHS News Media 6 3

4 Assessment of Future Risk A risk assessment was conducted on all portable diagnostic equipment (Biomedical Service, Office of Information Security and Corporate Compliance) Defined high risk portable equipment Equipment that stores or retains PHI Portable means device can be concealed in a computer bag, purse and/or is easily removed from hospital/clinical settings Identified high risk portable imaging devices and high risk nonimaging portable devices Identified significant number of devices falling into the high risk category Assessment evaluated current physical and technical safeguards What detailed PHI may be stored and how much What security features were enabled Location of device 7 Mitigation Against Future Risk Purchase devices that are encrypted, when possible Increase involvement of Biomedical Services in equipment selection process Require device administrators to periodically delete or erase data from devices Recommend specific deletion intervals Store images in RAD, LIS and other clinical record systems Delete temp files on operating systems Secure applicable devices with cable locks or secure to carts Secure other portable diagnostic equipment in secure locations when not in use and after hours Require username and password to operate equipment, when possible Emphasize equipment security to hospital and department leaders 8 4

5 Other Hot Privacy Topics Social Media (Facebook and Twitter) Challenges of Social Media Freedom of Speech (FOS) of employees How do you balance FOS with Patient Privacy? Limited control of access to social media site at work and home Employees access sites via their smartphones 9 Other Hot Privacy Topics Balancing social media and privacy Develop policies addressing employee use at work and at home Effectively communicate policies Define what is appropriate and what may violate patient privacy Communicate consequences of inappropriate postings Monitor postings on hospital sponsored sites Report potential inappropriate postings Possible HIPAA Privacy violation 10 5

6 Other Hot Privacy Topics Verbal disclosure challenges Impact of other regulatory requirements such as: Joint Commission Standard RI Patient and Family Centered Care Open Access in ICUs and other pod like environments How do you respond? 11 6