mobile device security
Posted on 31-Oct-2014
Mobile Device Security Wednesday, August 27, 2014
Disclaimer: Nothing that we are sharing is intended as legally binding or prescriptive advice. This presentation is a synthesis of publicly available information and best practices.
HIPAA Privacy Rule
The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
HIPAA Security Rule
The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
Department of Health and Human Services
http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security
What is a mobile device?
• Laptop Computer
• Smart Phones
• USB Thumb Drives
• External Hard Drives
• Tablet Computers
• E-Readers
• Others?
You, Your Organization, and Your Mobile Devices
• Does your organization have a mobile device use policy?
• Does your organization allow you to use your personally owned mobile device for work?
• Do you know who your organization's Privacy Officer and Security Officer are?
• Does your organization require you to register your mobile device with the organization?
• Does your organization have a Virtual Private Network (VPN) that allows you to access, receive, or transmit health information securely with your mobile device?
• Does your organization have a policy about storing health information on your mobile device?
• Does your organization require you to back up health information from your mobile device to a secure server?
• Does your organization require you to enable remote wiping and/or remote disabling on your mobile device?
• Does your organization offer mobile device privacy and security awareness and training?
What Are Some Risks to Know About Before Using a Mobile Device for Patient Care?
• Lost Device
• Stolen Device
• Inadvertent download of virus or other malware
• Unintentional disclosure to unauthorized users when sharing devices with friends/family
• Unsecured Wi-Fi
What Are Some Activities That Make Mobile Devices Vulnerable?
• Software Downloads
• Visiting Malicious Websites
• Direct Attack Through the Communication Network
• Physical Attack
What Are Some Common Sources of Threats to Mobile Devices or the PHI on Them?
• Botnet Operators
• Cybercriminals
• Hackers
Other Topics and Risks to Consider
• Device Ownership
  • BYOD vs. Organization Provided
• Location When Using Your Mobile Device
  • Home vs. Hospital vs. Public Places (i.e., coffee shop)
• Communicating with Patients
  • Portals vs. Calls vs. Texts
• Bluetooth Capabilities
• Accessing Your EHR and HIE
  • VPN Tunnels
• What Do I Do With My Old Devices?
How Can You Protect and Secure ePHI When Using a Mobile Device?
• Use a password or other user authentication
• Install and enable encryption software
• Install and activate remote wiping and/or remote disabling
• Disable and/or do not install or use file sharing applications
• Install and enable a firewall
• Install and enable security software
• Keep your security software up to date
• Research mobile applications before downloading
What if I Suspect a Breach?
Breach Notification Rule
The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC) apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act.
Department of Health and Human Services Informational Video
Helpful Links and Website Sources
Q & A
Sarah.Bajsta@quirkhealthcare.com
Shawna.Matonis@quirkhealthcare.com
Dan.Holleran@quirkhealthcare.com