Laptops, Tablets, Smartphones and HIPAA: An Action Plan to Protect your Practice

Transcription

1 Laptops, Tablets, Smartphones and HIPAA: An Action Plan to Protect your Practice

2 Agenda Learning objectives for this session Fundamentals of Mobile device use and correlation to HIPAA compliance HIPAA Privacy and Security from a medical practice perspective Practical safeguards behind these policies and procedures Appropriate policies and procedures for compliance and good business practices

3 Learning objectives Understand the current HIPAA compliance enforcement environment related to mobile devices Recognize the most vulnerable aspects of a practice s mobile technology Identify practical and actionable security policies and procedures Appreciate the critical steps that practice professionals must take to protect mobile devices and their practices

4 Fundamentals-the core HIPAA issue Protecting and safeguarding ephi (Protected health information) that is created, maintained, stored or transmitted Laptops, tablets and smartphones can be used for ephi Your practice may utilize other mobile devices as well

5 Fundamentals-mobile devices The expanding list of mobile or portable devices or ephi points of access: Digital Recorders USB media (Flash, Hard Drives, Cards, etc) Portable/wearable Medical Devices

6 Fundamentals-mobile use cases The expanding list of mobile or portable devices or ephi points of access also drives new ephi disclosures! For example the near indispensible use of a smartphone also encourages use of social media This in turn has increased the opportunity to inadvertently or intentionally disclose ephi (posting about a patient for example) or the case of a picture of an office that was sent via Instagram

7 Fundamentals-system paradigm shift VPN An old standard that evolves consistently Cloud An emerging standard that is misunderstood Website Often there are access portals to data, systems or website controls Hosted Applications Internal, Web based or Cloud Hosted offer a variety of new management requirements

8 Fundamentals-system paradigm shift Wi-Fi An common place technology in the public realm, but also in the corporate realm. How are Wi-Fi networks managed, who connects to them, and what other networks do they connect to? Virtual Systems VMware and Citrix; Servers, Applications and workstations Mobile Devices Physical transportation of electronic data (Ingress and Egress) outside the management purview

9 Fundamentals-system paradigm shift More computer processors (PROCS) manufactured in recent years for mobile devises than traditional desktops / workstation computers Dramatic shift from the historical manufacturing and market demand APPS and Jail-Breaking Unknown factors that contribute to vulnerabilities of mobile devices

10 Fundamentals-system paradigm shift More MalWare today being written for mobile device operating systems, specifically Android Operating Systems (OS) There is a general lack of security measures implemented for Mobile devices which make for easy targets New mobile technologies appear and are introduced with little or no oversight and are seldom identified NFC (Near Field Communication) APPs for example

11 Fundamentals-risk factors Guest Wi-Fi Public Wi-Fi Network has access to core network (No VLAN or ACL s) Corporate Wi-Fi Networks do not have proper Access Control Layers; trusted yet infected mobile device introduces Malware to core network Unidentified transportation of PHI via mobile devices USB drive, Smart Card, Digital Recorder, Tablet or Phone

12 Fundamentals-risk factors Old remote user accounts Remote Access controls are not included in HR employee policy; IT does not manage remote user access effectively or monitor for access Hijacked accounts Via a stolen device, Man in the Middle attack or Session Hijacking Stolen devices which contains PHI Devices are not encrypted, or password (security code) protected

13 Fundamentals-risk factors Insecure storage that raises threat of theft such as use in public places, storing a device in a hotel room, transport in cars or public transportation, or even home use! Lack of up to date ephi inventories and media/device inventories The increased risks associated with a bring your own device policy

14 Poll Has your practice experienced a loss or theft in the last 12 months of a: Laptop Tablet Smartphone

15 HIPAA Privacy and Security factors Medical practice use cases that are driving adoption of mobile devices for ephi include: Adoption of EHRs and Meaningful Use Adoption of HIEs and real time data exchange Adoption of the DIRECT secure messaging system Adoption of patient portals and increased patient electronic communication

16 HIPAA Privacy and Security factors Telemedicine Expansion of EHR functionality with mobile devices such as smartphones and tablets (user interfaces designed for mobility) Increased peer support for use of texting Overall increased use of mobile devices in general

17 HIPAA Privacy and Security factors The Security risks are well known and include Interception of an unsecure message or communication Loss of a device that contains data at rest including cached s, text messages or files Inadvertently sending/communicating with the wrong party Mobile malware infections that travel to the domain

18 HIPAA Privacy and Security factors These risks now have a greater Privacy implication due to the HIPAA Breach Notification rule as well as State identity theft regulations Enterprise issues in a BYOD world Standard configurations-how are these assured? Reporting of a loss or theft and follow up wiping and disabling of the device Knowing when a device is joined to your systems

19 Poll Does your practice permit the use of a personal smartphone (BYOD) or are all devices that access ephi supplied by the practice?

20 HIPAA Privacy and Security factors A critical requirement is to conduct and review a HIPAA Security Risk Analysis both for HIPAA compliance as well as Meaningful Use The use of laptops/tablets and smartphones must all be reflected on a HIPAA SRA along with the risk or threat levels

21 HIPAA Incidents-Case studies A physician who forwarded all MS Exchange to a personal Gmail account that was subsequently hacked Loss of a Smartphone with text messages regarding patient care Shoulder surfing at a Starbucks Home use and exposure of ephi when a spouse used the smartphone

22 Action Plan and Safeguards Device encryption for: Laptops Smartphones Tablets Portable devices like USB drives Encryption options: Encrypt individual files with ephi Encrypt entire device Remember-loss or theft of an encrypted device is not considered a breach

23 Poll Does your practice require encryption for all your mobile devices that contain ephi? Yes No Not Sure

24 Action Plan and Safeguards HIPAA requires device authentication Strong authentication contains multiple factors (including for mobile devices) such as: Strong and complex passwords and frequent password change Additional factors such as card swipe, fingerprint (or other biometric), or finger swipe shapes

25 Poll Does your current practice policies require a strong device password (more than just 4 characters) and at least twice yearly changes of passwords? Yes No Not Sure

26 Action Plan and Safeguards Device configuration to restrict ephi on devices such as: Limited number of s Web access only with no ephi retention Malware controls Secure technology Secure texting technology

27 Action Plan and Safeguards Device configuration to restrict and protect ephi on a devices such as: Standardized settings to limit data exposure in Bluetooth discovery mode Standardized ability to wipe a lost device (laptops and smartphones) Use of third party software for device tracking and wiping/encryption

28 Poll Does your practice use a third party mobile device management software? Yes No Not Sure

29 Action Plan and Safeguards Restricting access: Limiting the areas of your network that a portable or mobile device can access (access control layers) Role-based access defined in practice policies Staff sanction policies

30 Action Plan and Safeguards Physical security: While onsite, mobile devices should be maintained on person If not on person, device should be secured in a private or locked area While offsite, same policies apply Emphasize that devices should not be left in cars, unsecured in hospitals or homes

31 Action Plan and Safeguards Mobile devices no longer being used: Laptops, tablets, smartphones are all regularly upgraded/replaced Practices needs a policy regarding use/disposal of old devices Often given to employees for personal use Ensure that all ephi is completely removed Consider destruction

32 Action Plan and Safeguards Self-conducted mock audits: Great test of your current privacy and security environment Target highly vulnerable areas such as mobile devices Look for issues such as adherence to password and physical security policies Review results with individual staff and discuss modifications to their current behavior/actions (could include sanctions) Use audits as a practice-wide teaching opportunity

33 Action Plan and Safeguards Staff training: Specific training for use of mobile devices Periodic security reminders (staff meetings, internal newsletters) Practice volunteers must be trained Training on security when devices used remotely should also be included

34 Policy and Procedures to consider Remember that a policy and a procedure are two different documents Procedures must be detailed enough to describe how the policy is met and must be implemented as well as stay up to date and reflective of your practice to pass an OCR investigation! Policy Procedure

35 Policy and Procedures to consider Policy on ing ephi is a core consideration If ephi can be ed, procedures to describe the secure technology used (except for the new Omnibus rule exemption) Policy on texting ephi is another core consideration If ephi can be texted, procedures to describe the secure texting technology used

36 Policy and Procedures to consider Policy and Procedure on authentication controls and safeguards such as password and password changing Policy and Procedure on device data retention Policy and Procedure on not saving screen shots or other ephi to a desktop

37 Policy and Procedures to consider Policy and Procedures on public use including transport and storage and use location Policy and Procedures on home use including transport and storage and use location Policy and Procedures on social media use Policy and Procedures on proper configuration of devices Policy and Procedures on maintaining an ephi inventory

38 Policy and Procedures to consider Policy and Procedures on types of remote access controls and safeguards (VPNs etc.) Policy and Procedure on malware controls for devices Policy and Procedure on device wiping and use of third party mobile device management Policy and Procedures on firewall settings and logging of mobile device access

39 Policy and Procedures to consider Policy and Procedures on maintaining appropriate training programs: What staff are trained When they are trained, and retrained Method of training (face-to-face, webinar, book, other) Log all training activities

40 Policy and Procedures to consider Consider breach response policies and procedures for mobile devices What would you do if a mobile device was lost or stolen? Identify when it happened and what happened Begin process of notifying patients asap Notify HHS and local media asap if breach involved more than 500 individuals Ensure that P and P are reviewed, modified if necessary, and staff retrained Document every step

41 Policy and Procedures to consider Document all policies and procedures If it isn t written down, the policy doesn t exist, the procedure never happened Network with your MGMA colleagues what have they developed that you could use or reference? Consider a spreadsheet to record and track your policies and procedures Review your policies and procedures as if you were an OCR auditor

42 Poll Does your practice have a specific remote and mobile device HIPAA Security training program? Yes No Not Sure

43 HIPAA Enforcement New round of random OCR audits set to begin Enforcement is real Most of the recent press is about settlements that the OCR has reached and not the actual fine that could have been levied Examples: Laptop theft or loss where the device is not encrypted Stolen USB drive

44 Building a culture of confidentiality Emphasize to staff the importance of keeping patient data secure Get buy-in from management Discuss issue in staff communications Copyright Medical Group Management Association (MGMA ). All rights reserved.

45 Building a culture of confidentiality Explain the ramifications of unauthorized disclosures Financial expense to practice (legal, breach notification requirements, equipment replacement) Potential impact on practice reputation (patients, colleagues) Potential impact on referrals Potential government enforcement actions Include issue in performance reviews

46 Resources MGMA Resources at include: HIPAA Security Risk Analysis Toolkit Sample Notice of Privacy Practices Sample Business Associate Agreement OCR resources at include: Model notice of privacy practices Integrating Privacy and Security into your Practice ONC Guide to Privacy and Security of Health Information CMS Stage 1 Meaningful Use Core Measure 15 Conduct a security risk analysis. NIST resources at include: Guide for Conducting Risk Assessments Guide to Storage Encryption Technologies for End User Devices

47 Other solutions PrivaPlan compliance toolkits PrivaPlan conducted risk analyses or policy and procedure review/writing Contact:

48 Key take-aways Mobile devices are increasingly being used by your clinical and administrative staff They are at high risk for loss and theft Devices taken out of the practice are the most vulnerable Practices need effective policies and procedures Encryption should be considered for all mobile devices that contain ephi Staff training and re-training critical Document everything assume OCR will audit your practice tomorrow Build a culture of confidentiality within your organization and prevent problems before they happen!

49 Questions?