North Carolina Health Information Management Association February 20, 2013 Chris Apgar, CISSP

Transcription

1 Mobile Device Management Risky Business in Healthcare North Carolina Health Information Management Association February 20, 2013 Chris Apgar, CISSP

2 Agenda HIPAA/HITECH & Mobile Devices Breaches Federal and State Law Implications Text Messaging & PHI Is it Legal? Importance of a Risk Analysis The Mobile Health Revolution Privacy and Security Implications

3 HIPAA/HITECH & Mobile Devices HITECH included breach notification requirements now defined in the omnibus privacy, security, enforcement and breach notification rule If mobile devices are lost or stolen and ephi is not encrypted breach of unsecure PHI Texting ephi, if intercepted, also represents a breach of unsecure PHI

4 HIPAA/HITECH & Mobile Devices Mobile devices passwords required per the HIPAA Security Rule This means passwords need to be activated, strong, regularly changed and not reused for several password change iterations The benefits of multi-factor authentication in reducing risk Remember auto logoff

5 The Rise of the Smart Phone 49% of adult Americans own a smartphone 60% of Americans making > $75 K own one 60% of Americans ages 18 to 35 own one iphone (35%); Android (24%); Blackberry (24%) Pew Internet & American Life Project, 7/2011

6 The Rise of the Smart Phone 90% of smartphone owners used it to access or the Internet 25% do most of their online activities on their smartphone The Pew Internet & American Life Project (July 2011)

7 The Rise of the Tablet Tablets are replacing PCs: 77% of tablet owners use their tablets for activities previously done on their laptop/ desktop 35% of tablet owners use their desktop less 32% of tablet owners use their laptop less Why? (1) Easy to carry (31%); (2) Easy to interface (21%); (3) Quick start-up (15%) Nielsen Study (May 2011)

8 Mobile Device Use Decisions how will mobile devices be used in your workplace: Ban use (unrealistic) Require they be company owned (lowest risk by may not be realistic) Bring your own device (BYOD) with mobile device management (MDM) software and policies

9 Mobile Device Use Decisions how will mobile devices be used in your workplace (continued): BYOD with sandbox and software (not always user friendly) BYOD with mobility management software and policies (may leave PHI stored on device) BYOD with policies (difficult to enforce) BYOD with no controls (highest risk)

10 Mobile Device Use Benefits Allowed use of BYOD increases employee satisfaction and productivity: 78% of surveyed employees believe that BYOD superior company provided device (Six Degrees Group Oct. 2011) BYOD eliminates need to carry multiple devices

11 Mobile Device Use Benefits Perceived decreased costs for companies that elect to adopt BYOD practice Citrix use realized 20% cost savings over three years and drop in desktop support requests and incident reports (Computer Business Review Online Dec. 2011) Thin client (such as Citrix) reduces likelihood of stored PHI

12 Mobile Device Key Risk Areas Information Governance: Litigation Hold compliance Record retention Record destruction Confidentiality Regulatory: GLBA, HIPAA and other laws requiring information security controls

13 Mobile Device Key Risk Areas Information security: Required encryption Breach notification Employee privacy Stored Communications Act Computer trespass Wage & hour compliance IP and Trade Secret protection

14 Mobile Device & Data Loss Top causes of PHI and other sensitive data loss: Lost or stolen devices/media (31%) Hackers (23%) Web 2.0 and file sharing (21%) Unsecured mobile devices/media (13%) misrouted (6%) BYOD are carried more frequently and lost or stolen more frequently than company supplied laptops

15 Mobile Device & System Security 80% of CIOs believe BYOD use increases company vulnerability to attack (Ovum Study 11/2010) 46% increase in development of mobile device malicious software between 2009 and 2010 (McAfee 2/2011) No vetting of apps submitted to Android Play Store 10% of apps store passwords in clear text (Via Forensics Study 8/2011)

16 Mobile Device General Risks BYOD and company issued mobile device backups to personally owned devices such as itunes backup Personal use of cloud-based that includes PHI such as icloud, imessage, Dropbox, Google Docs, SugarSync Use of remote access tools exposing PHI such as Splashtop and LogMeIn

17 BYOD Specific Risks Difficult to enforce information security, especially without use of MDM tools Potential personal property issues: Data difficult to access for security incident investigations Data difficult to access if litigation hold required May not be able to recover sensitive data upon termination

18 Text Messaging & PHI Is it Legal? HIPAA and HITECH do not prohibit use of text messaging to send and receive ephi from a mobile device HITECH requires individual and OCR notification if text messaging is unencrypted and messages intercepted Texting ephi represents a risk to covered entities and business associates Risk should be assessed as part of required risk analysis

19 Text Messaging & PHI Is it Legal? HIPAA and HITECH do not specifically require encryption of text messages or mobile devices HIPAA requires risks associated with ephi stored on and transmitted to and from mobile devices be assessed and mitigated if the risk is deemed significant Don t forget Meaningful Use Stage 2 The bottom line does your organization believe text messaging represents a risk sufficient to prohibit texting ephi or is the risk considered acceptable Documentation is critical

20 Importance of a Risk Analysis All covered entities required to periodically conduct risk analyses since April 2005 and many do not Business associates required by statute to conduct periodic risk analyses since February 2010 OCR will enforcing business associate compliance very soon State attorneys general already are

21 Importance of a Risk Analysis Risk analysis represents the proactive process that is the foundation of your security program A through risk analysis should include assessment of mobile device use (especially BYOD) The required risk analysis needs to address more than just technology Risks associated with mobile devices can be high

22 Importance of a Risk Analysis Breaches becoming more and more common; many are preventable Interception of text messages likely to increase Stored text messages and voice mail that include ephi represent a risk More breaches related to workforce carelessness or lack of training Need to account for and mitigate risks or document why a risk will not be mitigated

23 Risk Mitigation Limit BYOD and mobile device use to defined and controlled categories of employees and contractors Require company configuration of mobile devices (company owned) and prohibit employees and contractors from disabling or modifying Restrict company resources that can be accessed remotely (e.g., , calendar and contacts only)

24 Require: Risk Mitigation Encryption of data stored on mobile devices and portable media Password protection (strong passwords, periodic changes, etc.) Maximum password attempts Inactivity timer/auto-logoff Remote wipe capability (all company owned; selective BYOD) Anti-malware protection

25 Risk Mitigation Consider multi-factor authentication Restrict storage of company data BYOD (e.g., only without attachments, calendar entries and contact cards) BYOD subject to all company policies Inform employees and contractors BYOD will be monitored when connected to the company network

26 Risk Mitigation Inform employees and contractors BYOD and associated passwords will be inspected upon reasonable request for company investigations if personally owned mobile devices used for business/clinical purposes Be prepared to provide a company owned mobile device if employees or contractors are required to use mobile devices and do not agree to device inspection

27 Risk Mitigation Require employees and contractors immediately report lost or stolen device Obtain and document employee and contractors agreement to remote wipe in the event of loss, theft, or termination Add inspection of BYOD to exit interview procedures. Robust training is critical

28 Risk Mitigation Policies & Procedures Policies required by HIPAA Privacy and Security Rules OCR Culture of Compliance robust policies and procedures including employee and contractor training Includes development and implementation of mobile device and portable media policies and procedures Don t forget sanctions

29 Mobile Device Agreement Include the following elements in employee/contractor mobile device use agreement (BYOD & company owned): Agree to remote wipe Agree to company monitoring when connected to company network Agree to device inspection incident investigation & legal hold

30 Mobile Device Agreement Mobile device use agreement (BYOD & company owned; continued): Agree to hold company harmless if device is damaged and/or if personal data is viewed Company will configure and install security software

31 Mobile Device Agreement Mobile device use agreement (BYOD & company owned; continued): Employee/contractor won t modify or delete configuration/security software Immediately report if device lost or stolen Limit storage of company data on device Acknowledge company policies and procedures apply to device use

32 Increase in Consumerism Significant increase in the use of Internet and mobile devices for personal health purposes Patient portals Health plan claims access and wellness Mobile device health applications (e.g., prescription management, diabetes management, personal medical record storage, etc.)

33 Increase in Consumerism New health care delivery models Medical in-home visits and treatment Assistive living devices ACO and state equivalents Patient portals Remote diagnostics and patient e- communication Telemedicine Patients can and will share PHI covered entities not responsible for personal decisions

34 Regulations & Mobile Devices: A final word HIPAA Security Rule requires protection of ephi when used, disclosed, stored or transmitted Storage of ephi on mobile devices represents another security environment to protect Encryption of mobile devices used to store ephi no longer addressable given related risks

35 Summary and Q&A Chris Apgar, CISSP CEO & President