HELLO! I am Ashley Hall. You can reach me at ashleyh@hscnv.com

Social Work in the 21st Century: Practicing Efficiently and Ethically in Today's Digital Landscape

ABOUT ME
BSW, MSW
Data Analyst & Human Services Consultant
Passion for Data (weird, I know!)
Introduction 1
Technology... is a queer thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ~C.P. Snow
WORKSHOP INTRODUCTION
Step 1: Scare the pants off of you!
Overview of HIPAA as related to electronic data
Overview of the tech being used today and how it can be exploited
Consequences of unsecured e-data

WORKSHOP INTRODUCTION
Step 2: Train you to fight
How to use tech safely
Safe and secure tech options

WORKSHOP INTRODUCTION
Step 3: Use tech efficiently
What can we use tech for?
What are our options?
Tech examples
Scare the Pants off of You 2
HIPAA & e-data
WHAT IS PHI?
PHI, or Protected Health Information, is individually identifiable health information that:
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Source: www.hhs.gov

WHAT IS e-phi?
e-phi, or electronic protected health information, is any PHI that is stored via electronic media.

WHAT IS ELECTRONIC MEDIA?
HIPAA has a definition for that too! Electronic media is:
(1) Electronic storage material on which data is or may be recorded electronically, including, for example, devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card;
(2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet, extranet or intranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission.
Source: www.hhs.gov

TO SUM UP
PHI is identifiable health information.
e-phi is identifiable health information that is stored via electronic media.
Electronic media covers data that is stored electronically (even scanned copies of paper files) and/or transmitted electronically (typically via an intranet, the internet, private networks, etc.).
QUIZ TIME!!!
Scenario 1
Jane the social worker has a paper file with case notes and identifiable health information in it. She needs to send it to a colleague who is taking over her case. She decides to just fax that data over. She puts the papers into the fax machine and hits the start button. Has Jane transmitted e-phi?

YES OR NO?
Yes - the act of faxing a document automatically creates e-phi
No - a fax does not create e-phi
Maybe??
Does your office lease one of these? YES OR NO?
QUIZ TIME!!!
Scenario 2
John the social worker scans copies of paper intake forms that he receives from clients. He stores these scans on his local computer and backs them up on an external hard drive. Is John storing e-phi?

YES OR NO?
Yes - John has created e-phi
No - since the forms that were scanned were paper forms, the definition of e-phi does not apply
HIPAA AND e-phi SECURITY
Agencies/Practitioners must:
Ensure the confidentiality, integrity, and availability of all e-phi they create, receive, maintain or transmit;
Identify and protect against reasonably anticipated threats to the security or integrity of the information;
Protect against reasonably anticipated, impermissible uses or disclosures; and
Ensure compliance by their workforce

WHAT TECHNOLOGY IS USED IN SOCIAL WORK PRACTICE?
Agencies/Practitioners use:
Office desktops/laptops/copiers/scanners
Field laptop computers
Mobile devices (including cell phones and tablets)
Cloud servers/services
Technology provided or maintained by outside vendors
Any others?
VULNERABILITIES IN TECHNOLOGY - THE OFFICE
Hardware: damage, theft, leasing
Software: outdated, nonexistent
Network: unprotected, no specified guest access
Personnel (including vendors): inadequate security process, inadequate security awareness
Site: hazards for hardware, unreliable power source
Organization: lack of audits, lack of plans

VULNERABILITIES IN TECHNOLOGY - IN THE FIELD
Hardware (laptops): damage, theft, leasing
Software: outdated, nonexistent
Network: unsecured (public) WIFI, inadequate training
Personnel: inadequate security process, inadequate security awareness
Site: hazards for hardware, unreliable power source
Organization: lack of audits, lack of plans

VULNERABILITIES IN TECHNOLOGY - IN THE CLOUD
Email provider: not HIPAA compliant, unencrypted emails
Cloud operations: free = not HIPAA compliant, uploading or downloading unencrypted data
Personnel: inadequate security process, inadequate security awareness
Organization: BAA with cloud provider? Understanding of what the cloud provider does with the data it houses
QUICK DEFINITION - BAA
So what is a BAA? A business associate agreement (BAA) is a contract between you and any vendor that has access to the PHI that you maintain. The contract protects PHI by ensuring that your business associates are in compliance with HIPAA.

VULNERABILITIES IN TECHNOLOGY - OUTSIDE VENDORS
A few notes on outside vendors
An outside vendor is anyone who has access to, views, modifies, or analyzes client data.
These can be: consultants, email service providers, IT companies, computer repair services, etc.
If an outside vendor has access to PHI, a BAA needs to be signed, no exceptions.

VULNERABILITIES IN TECHNOLOGY - OUTSIDE VENDORS
Relationship: not HIPAA compliant, no BAA in place
Policy/practice: inadequate policy/practice, no audit of policy/practices done
Security/disaster plan: no security/disaster plan, or the plan is inadequate
Communication security: vendors send unencrypted data, vendors access cloud data via unsecured devices

VULNERABILITIES IN TECHNOLOGY - OUTSIDE VENDORS
How prevalent is the problem of vendor HIPAA violations? According to the HHS breach report, about 28% of reported data violations between 2009 and today happened with a BAA present. In Nevada, that percentage is about 38%.
Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
HIPAA VIOLATIONS - THE SCARY TRUTH
First and foremost - HIPAA violations happen, at an alarming rate!
HIPAA Violations - Tableau Public
Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

HIPAA VIOLATIONS - THE SCARY TRUTH
The costs of a HIPAA violation should not be ignored!
July 2015: $218,400 settlement with St. Elizabeth's Medical Center for using an internet-based document sharing application to store documents containing PHI
Dec. 2014: $150,000 settlement with Anchorage Community Mental Health Services for malware compromising the security of its information technology resources
Aug. 2014: $1,215,780 settlement with Affinity Health Plan, Inc. for failing to erase data contained in copier hard drives after returning them to a leasing agency
Jan. 2013: $50,000 fine paid by The Hospice of North Idaho due to a stolen laptop with unencrypted data. This case involved fewer than 500 patients
View more examples at: www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/

HIPAA VIOLATIONS - THE SCARY TRUTH
Keep in mind:
You are liable for anything your employees do that violates HIPAA. Even stolen property is your responsibility.
While you may have a HIPAA compliant email/cloud storage provider, that does not mean your data is protected in transit!
You are even responsible for the actions of the vendors you work with.
When in doubt, assume it is your responsibility!!
QUIZ TIME!!!
Scenario 1
Jane the social worker conducts home visits on a regular basis with youth clients. During these home visits she uses a laptop to teach certain skills. This laptop is also used to store individual client data. Jane was visiting three different clients one day and only needed the laptop for one of them. She left her laptop in her locked vehicle while visiting the first client. During the visit, Jane's vehicle was stolen. Did Jane violate HIPAA guidelines?

YES OR NO?
Yes - client data was stored on the laptop and the theft of the device means the data has been compromised.
No - the theft of the laptop was not Jane's fault and she took reasonable precautions to protect the data.
Maybe?

QUIZ TIME!!!
Scenario 2
John the social worker asks an IT company to come in and work on his broken computer located in his private practice. John is satisfied with the work the company has done and needs no ongoing IT maintenance. Six months later, John gets a notice of a HIPAA complaint - apparently the IT company stole information about a high-profile client from his computer and published it online. Did John violate HIPAA guidelines?

YES OR NO?
Yes - John is responsible for all actions on the part of outside vendors.
No - the theft and publishing is the vendor's fault, not his.
Maybe?

QUIZ TIME!!!
Scenario 3
Sally the social worker shares e-phi with a team member working with a family. This data is shared via cloud storage for which a BAA is in place. Sally is informed by her IT manager that some of the data was intercepted via malware when she uploaded the data. Is Sally in violation of HIPAA guidelines?

YES OR NO?
Yes - it is Sally's responsibility if her data was intercepted during upload, even if her computer was protected.
No - the data was uploaded to a cloud service for which a BAA was in place.
Maybe?
Train You to Fight 3
WHAT CAN YOU DO TO SECURE e-phi?
Note: We are going over the basics. Consider talking to someone if you need help or are unsure:
IT professionals
ISP
Security consultant

PROTECTING YOUR DATA - THE OFFICE
Hardware: ensure hardware is somewhere safe and clean; backups are a must
Software: ensure all software is updated regularly
Network: ensure your network is protected and secured
Personnel (including vendors): ensure a BAA is signed where applicable; request a data security plan
Site: protect hardware with surge protectors; use correct plugs
Organization: audit your data security plan; continuously inspect and improve where needed

PROTECTING YOUR DATA - IN THE FIELD
Hardware (laptops): protect from damage; password protect and encrypt
Software: update all software regularly
Network: don't use public, unsecured WIFI networks without taking steps to secure your system
Personnel: ensure all staff are trained and using passwords and encryption
Site: make sure your mobile hardware is safe from the elements; be aware of the dangers of power surges
Organization: plan and audit regularly

PROTECTING YOUR DATA - IN THE CLOUD
Email provider: ensure use of a HIPAA compliant email service; encrypt all emails with client data
Cloud operations: HIPAA compliant cloud storage; encrypt files
Personnel: ensure all staff are trained and using passwords and encryption
Organization: a BAA with the cloud provider is a must; understand what is done with your data at every stage
PASSWORDS - THE FINER DETAILS
Password vs. Passphrase
Password = a word that you select as a code to open or unlock your computer, server, website, etc.
Passwords typically don't have spaces
Can be real words, fictional words, or any combination of both
Example: AshleyISAwesome2015
Passphrase = like a password but much longer and contains spaces
Can become closer to an encryption key than a password in terms of security
May be a known phrase or made up

PASSWORDS - THE FINER DETAILS
When to use a passphrase:
For your computer login
For your password database or password manager software
Encryption
When to use passwords:
On websites

PASSWORDS - THE FINER DETAILS
How to select a password - from our friends at Microsoft! A strong password:
Is at least eight characters long.
Does not contain your username, real name, or company name.
Does not contain a complete word (use spaces if you are using a dictionary word).
Is significantly different from previous passwords.
Contains characters from each of the following four categories: uppercase letters, lowercase letters, numbers, and symbols found on the keyboard.
Source: http://windows.microsoft.com/en-us/windows-vista/tips-for-creating-a-strong-password
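The five Microsoft rules above can be turned into a checker that tells a user which rule a candidate breaks, which is how a password manager or login form would enforce them. The block below is an added example, not code from the slides or from Microsoft. Two things in it are my assumptions: the tiny dictionary is a constructed stand-in for a real word list, and "significantly different" is interpreted as at least four edits (Levenshtein distance) away from every previous password, since the source does not define it.

```python
"""Checker for the five password rules quoted above (added example, not from the slides)."""

# Constructed stand-in for a real dictionary; a production checker would load a full word list.
SAMPLE_DICTIONARY = {"awesome", "password", "welcome", "summer", "dragon", "monkey"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def check_password(password, username="", real_name="", company="",
                   previous=(), dictionary=SAMPLE_DICTIONARY, min_distance=4):
    """Return the list of rules the candidate breaks; an empty list means it passes all five."""
    failures = []
    lower = password.lower()

    # Rule 1: at least eight characters
    if len(password) < 8:
        failures.append("shorter than eight characters")

    # Rule 2: must not contain the username, real name or company name
    # (each word of a multi-word name is checked on its own)
    for label, value in (("username", username), ("real name", real_name), ("company name", company)):
        if any(part.lower() in lower for part in value.split()):
            failures.append(f"contains {label}")

    # Rule 3: no complete dictionary word as a contiguous run;
    # "awe some" passes this check, "awesome" does not
    if any(word in lower for word in dictionary):
        failures.append("contains a complete dictionary word")

    # Rule 4: significantly different from previous passwords
    # (threshold of min_distance edits is an assumption, not from the source)
    if any(levenshtein(lower, old.lower()) < min_distance for old in previous):
        failures.append("too similar to a previous password")

    # Rule 5: all four character categories present
    present = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() and not c.isspace() for c in password),
    }
    missing = [name for name, ok in present.items() if not ok]
    if missing:
        failures.append("missing character categories: " + ", ".join(missing))

    return failures


if __name__ == "__main__":
    # The slide's own example, checked against the presenter's name (constructed inputs)
    print(check_password("AshleyISAwesome2015", username="ashleyh", real_name="Ashley Hall"))
```

Run against the slide's example AshleyISAwesome2015 with the presenter's name as the account holder, the checker reports three problems: it contains the real name, it contains the complete word "awesome", and it has no symbol. Because rule 3 is a contiguous-substring test, inserting a space ("Awe some") is exactly the trick the Microsoft tip suggests.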
PASSWORDS - THE FINER DETAILS
How to select a passphrase - from Micah Lee
Avoid phrases from pop culture (To Be Or not to BE that is THE question)
Consider Diceware
Ensure the length of your passphrase is adequate:
1 word out of a list of 7,776 words = 1 in 7,776 chance of guessing
2 words = 1 in 60,466,176 chance of guessing
7 words = 1 in 1,719,070,799,748,422,591,028,658,176 chance of guessing - it would take 27 million years to guess this!
7 random words is ideal
Source: https://firstlook.org/theintercept/2015/03/26/passphrases-can-memorize-attackers-cant-guess/
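The numbers on the slide all come from one formula: a list of 7,776 words (one per roll of five dice) gives 7,776^n possible phrases of n words. The block below, an added example rather than code from the slides or from Micah Lee's article, reproduces those figures, adds the equivalent strength in bits, and rolls the five-digit Diceware keys with the operating system's cryptographic random source. The guessing rate of one trillion guesses per second is my assumption; it is the rate that reproduces the slide's "27 million years" (the attacker finds the phrase after searching half the space, on average). The Diceware word list itself is not embedded, so the keys returned have to be looked up in a copy of the list.

```python
"""Diceware arithmetic from the slide above, plus a dice-roll key generator (added example)."""
import math
import secrets

WORDLIST_SIZE = 6 ** 5                  # 7,776 words: one entry per roll of five dice
GUESSES_PER_SECOND = 1_000_000_000_000  # assumption: one trillion guesses/second
SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60


def combinations(words: int) -> int:
    """Number of distinct passphrases of the given length (7,776 ** words)."""
    return WORDLIST_SIZE ** words


def entropy_bits(words: int) -> float:
    """Strength in bits: about 12.9 bits per randomly chosen word."""
    return words * math.log2(WORDLIST_SIZE)


def average_years_to_guess(words: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the phrase: an attacker checks half the space on average."""
    return combinations(words) / 2 / rate / SECONDS_PER_YEAR


def roll_diceware_keys(words: int) -> list[str]:
    """Draw `words` five-digit keys (digits 1-6) using the OS CSPRNG via `secrets`.
    Each key indexes one line of a Diceware word list (not embedded here)."""
    return ["".join(str(secrets.randbelow(6) + 1) for _ in range(5)) for _ in range(words)]


if __name__ == "__main__":
    for n in (1, 2, 7):
        print(f"{n} word(s): {combinations(n):,} phrases, {entropy_bits(n):.1f} bits, "
              f"~{average_years_to_guess(n):,.0f} years to guess on average")
    print("dice keys to look up:", roll_diceware_keys(7))
```

The point the arithmetic makes is that the strength lives entirely in the random selection: seven words chosen by dice are about 90 bits, while seven words chosen by a person from a familiar quotation are whatever a guessing dictionary of quotations makes them, which is why the slide says to avoid pop-culture phrases.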
UPDATES - THE FINER DETAILS Software updates aren t fun, especially when you run many different types of software on your machine. However, updates are essential as they often contain security patches based on new threats or discovered vulnerabilities. Long story short, update often.
BACKING UP - THE FINER DETAILS
All data should be backed up at least twice.
Local backups are important to avoid problems like corrupted files or databases. These can be stored on the same device as the original data, but in a special backup folder.
Backup folders should also be backed up in a separate location, such as the cloud, an external hard drive, or another computer in a different building.
I prefer to back up in the cloud AND on an external device.
Make sure backed up data is encrypted and password protected!

BAAs - THE FINER DETAILS
Red flags:
If your business associate has never heard of HIPAA or a BAA, consider training or additional steps to ensure protection of PHI.
If your business associate does not have a BAA for you to sign, consider asking for copies of data security plans and policies.
It is always a good idea to have your own BAA!

PUBLIC WIFI - THE FINER DETAILS
Public WIFI is always a risk - but there are ways that you can use this necessary tool safely:
Turn off sharing on your computer
Enable your firewall
Use HTTPS and SSL where possible
Use a Virtual Private Network (a paid service; takes some time and effort to set up and could require software and licensing)
When in doubt, don't use public WIFI for accessing or uploading secured data
Turn off WIFI when you aren't using it
When in doubt, just don't do it.

ENCRYPTION - THE FINER DETAILS
Encryption does not have to be scary or complicated! Encryption protects files from unauthorized access such as a stolen computer, but also from someone stealing your data in transit (i.e., when an email is sent or when a file is uploaded to the cloud).
You can encrypt for free, either with free software or extensions. This typically requires a password created by you and shared with the recipient of your email/files, and typically requires the recipient to have an extension or be directed to a secure location to download the file.
Or you can pay for services that handle the encryption and email/cloud storage security for you.
Use Technology Efficiently and Safely 4
USING TECHNOLOGY IN YOUR PRACTICE
Yes, technology is vulnerable, and yes, security can be complicated. But technology can make life easier for you, your staff, and your clients.

USING TECHNOLOGY IN YOUR PRACTICE
So what can technology be used for in social work?
Client data management and workload/workforce data management
Financial data management
Communication
Project/program management
Collaboration - internal and external

USING TECHNOLOGY IN YOUR PRACTICE
And where do we find tech to help with these tasks?
Outside vendors: easy and managed by professionals; typically includes some sort of reporting; not for everyone - expense
Homegrown solutions: if you hire someone to develop software, keep up on it! Don't get swept up by fancy products - basic software can sometimes do the same job
Out-of-the-box solutions: database software; case management software

USING TECHNOLOGY IN YOUR PRACTICE
So what are some examples of software that can be used?
Training: Lynda.com, YouTube!
Survey software: SurveyMonkey, Qualtrics, Google Forms
Collaboration: Google Apps, Trello (online collaboration tool), JoinMe
Organizational: EventBrite (event planning and attendee management), social media (marketing and event planning/organizing), Tableau Public (communicating data)
Out-of-the-box solutions: Zengine (database software), FAMcare (case management software), Microsoft products (Access, Excel)

USING TECHNOLOGY IN YOUR PRACTICE
And which common software options are safe for e-phi?
Google Apps - only the paid service and only after signing a BAA
Dropbox - not HIPAA compliant on its own, but can be if used in conjunction with outside software such as Sookasa, BoxCryptor, Vivo, Cloudfogger, Paubox
Microsoft OneDrive - HIPAA compliant with a BAA
Box - HIPAA compliant with a BAA
iCloud - does not offer a BAA
REMEMBER! Even with HIPAA compliant storage or collaboration options, you still have to take steps to encrypt files for transmission and storage. Consider software such as BoxCryptor and others to help with this task.

USING TECHNOLOGY IN YOUR PRACTICE
HIPAA compliant email and cloud storage with encryption in the background? YES PLEASE!
HIPAA compliant email with seamless encryption (example: Paubox)
HIPAA compliant cloud storage with 256-bit AES (Advanced Encryption Standard) encryption at rest and in transit
No extra software - send and receive emails and upload files to the cloud, all without any additional steps
Can be used as a wrap-around service if you are already using business email platforms like Microsoft Exchange, Office 365 & Google Apps
USING TECHNOLOGY IN YOUR PRACTICE
Cloud and communication services make possible or enhance:
File sharing and storage
Collaboration and communication
Organization and productivity
Client interactions

USING TECHNOLOGY IN YOUR PRACTICE
Technology examples: in these brief videos you will see the following tech options being used:
Cloud applications
Online meeting software
Collaboration software
USING TECHNOLOGY IN YOUR PRACTICE - GOOGLE APPS Google Apps: http://youtube.com/v/ee7c8e-qnjy
USING TECHNOLOGY IN YOUR PRACTICE JOIN ME Join Me: http://youtube.com/v/mjwdrrljnt4
USING TECHNOLOGY IN YOUR PRACTICE - TRELLO Trello: http://youtube.com/v/xwiuniolf4s
WRAPPING IT UP
I hope I didn't scare you too badly. The threat is real: data breaches cost money, and just because you are a small agency does not make you immune to cyber dangers.
I hope you gained useful insight into tools you can use to protect e-phi. Planning and foresight can help. Adequate policies and training are a must. When in doubt, seek consultation.
I hope that you are now aware of ways in which technology can be our friend. Technology is an amazing thing: it can streamline and speed up our work, and it can eliminate time and space limitations.
You cannot endow even the best machine with initiative; the jolliest steam-roller will not plant flowers. ~Walter Lippmann
THANKS! Any questions? You can find me at ashleyh@hscnv.com
CREDITS Special thanks to all the people who made and released these awesome resources for free: Presentation template by SlidesCarnival Photographs by Unsplash