TRANSCRIPT
Mobile Technology in Health Care
Presenter: Susan Clarke, BSc, Health Care Information Security and Privacy Practitioner
Wednesday, September 14, 2016
1:00 to 2:00 PM MDT • 11:00 to 12:00 PM AKDT • 9:00 to 10:00 AM HST
HTS, a department of Mountain-Pacific Quality Health Foundation
Thank you for spending your valuable time with us today.
This webinar will be recorded for your convenience. A copy of today’s presentation and the webinar
recording will be available on our website. A link to these resources will be emailed to you following the webinar.
All phones will be muted during the presentation and unmuted during the Q&A session. Computer users can use the chat box to ask questions which will be answered at the end of the presentation.
We would greatly appreciate your feedback; please complete the survey at the end of today’s webinar.
Closed captioning will appear under today’s presentation. To see more lines of captioned text, click the small arrow below.
Mountain-Pacific holds the Centers for Medicare & Medicaid Services (CMS) Quality Innovation Network-Quality Improvement Organization (QIN-QIO) contract for the states of Montana, Wyoming, Alaska and Hawaii, providing quality improvement assistance.
HTS, a department of Mountain-Pacific, has assisted 1480 providers and 50 Critical Access Hospitals to reach Meaningful Use. We also assist healthcare facilities with utilizing Health Information Technology (HIT) to improve health care, quality, efficiency and outcomes.
• HealthInsight holds the Centers for Medicare & Medicaid Services (CMS) Quality Innovation Network-Quality Improvement Organization (QIN-QIO) contract for Nevada, New Mexico, Oregon and Utah; and also holds the CMS end-stage renal disease (ESRD) contract for Networks 16 and 18, serving Alaska, Idaho, Montana, Oregon, Washington and Southern California.
• As a Regional Extension Center (REC), HealthInsight has assisted 1,976 providers and 30 critical access hospitals in Nevada and Utah adopt electronic health record (EHR) technology. The REC also assisted more than 1,400 providers in meeting Meaningful Use Stage 1.
The presenter is not an attorney and the information provided is the presenter(s)’ opinion and should not be taken as legal advice. The information is presented for informational purposes only.
Compliance with regulations can involve legal subject matter with serious consequences. The information contained in the webinar(s) and related materials (including, but not limited to, recordings, handouts, and presentation documents) is not intended to constitute legal advice or the rendering of legal, consulting or other professional services of any kind. Users of the webinar(s) and webinar materials should not in any manner rely upon or construe the information as legal or other professional advice. Users should seek the services of a competent legal or other professional before acting, or failing to act, based upon the information contained in the webinar(s) in order to ascertain what may be best for the user’s individual needs.
Susan Clarke, BSc, Health Care Information Security and Privacy Practitioner
• BA: Business Associate
• CE: Covered Entity
• CEHRT: Certified Electronic Health Record Technology
• CEO: Chief Executive Officer
• CIO: Chief Information Officer
• CMS: Centers for Medicare and Medicaid Services
• EHR: Electronic Health Record
• ePHI: Electronic Protected Health Information
• HHS: Department of Health and Human Services
• HIPAA: Health Insurance Portability and Accountability Act
• HIT: Health Information Technology
• IT: Information Technology
• MDM: Mobile Device Management
• NIST: National Institute of Standards and Technology
• OCR: Office for Civil Rights
• ONC: Office of the National Coordinator
• PHI: Protected Health Information
• SP: Special Publication
• SRA: Security Risk Analysis
Definitions and statistics
Advantages of mobile technology
Threats to mobile devices and types of threats
Takeaways
Mobile Device Management
Culture of Compliance including security risk analysis
Mobile apps are software programs that run on smartphones and other mobile communication devices. They can also be accessories that attach to a smartphone or other mobile communication devices, or a combination of accessories and software.
Mobile apps span a wide range of health functions. While many mobile apps carry minimal risk, those that can pose a greater risk to patients will require FDA review.
What’s regulated, what’s not regulated... http://www.fda.gov/MedicalDevices/DigitalHealth/MobileMedicalApplications/ucm368743.htm
“Stolen personal information can have negative financial impacts, but stolen medical information cuts to the very core of personal privacy. Medical identity theft already costs billions of dollars each year, and altered medical information can put a person’s health at risk through misdiagnosis, delayed treatment or incorrect prescriptions. Yet, the use of mobile devices to store, access, and transmit electronic health care records is outpacing the privacy and security protections on those devices.”
https://nccoe.nist.gov/projects/use_cases/health_it/ehr_on_mobile_devices
In 2014 mobile users surpassed desktop users.
64% of adults in U.S. own a Smartphone.
55% of email is now opened on a mobile device.
87% of millennials (18-34) report never separating from their mobile devices.
Wearable usage has jumped 57% from 2014.
95% of business associate (HIPAA) security incidents are attributed to lost or stolen devices.
Booming market: affordable, convenient and can handle it all (phone, camera, internet, etc.).
Portable: they fit anywhere, pocket, purse, lab coat.
Larger displays: phone screens have increased in size and are scalable.
Location services give directions to appointments, and wearable devices provide real-time analytics.
Apps are plentiful and can be customized.
Information and time management
Health record maintenance and access
Communications and consulting
Reference and information gathering
Patient management and monitoring
Clinical decision-making
Medical education and training
Source: http://www.ncbi.nlm.nih.gov/pmc/articles/PMC4029126/
Easy to steal, misplace or damage.
Over a 12-hour shift a device may need recharging.
Data security: authentication controls, remote and automatic lock and wipe, encryption, policy and procedure.
Potential HIPAA violations.
Patients’ awareness of the risks to their own devices.
BYOD: consider the full implications of allowing corporate data to be accessed on personal devices. Convenience clashes with security.
Application-based: vulnerable apps, malware, spyware and privacy threats.
Web-based: phishing scams, drive-by downloads, browser exploits.
Network-based: man-in-the-middle, sniffing traffic, eavesdropping.
Physical: lost or stolen devices.
https://nccoe.nist.gov/sites/default/files/library/fact-sheets/hit-ehr-fact-sheet.pdf
https://nccoe.nist.gov/projects/use_cases/health_it/ehr_on_mobile_devices
Create a formal device policy that educates staff on security risks and best practices to safeguard health information.
Implement Mobile Device Management as part of your device risk management strategy.
Plan on hackers gaining access and on lost or stolen devices, and know how to react quickly.
Think security by design: know the risks before deciding on use.
Know what is allowed in the cloud: syncing data between devices creates potential for data leakage.
Rule No. 1 is to have proper password protection, encryption and ENFORCEMENT!
Keep software up to date.
Don’t use ePHI apps when on an unfamiliar network.
Disable Bluetooth when not in use.
Smart phones are getting smarter.
Have a BYOD policy in place; ignoring the problem may lead to an attack and, as a result, regulatory or reputational harm.
Lock screen passcodes, encryption, secure messaging platform.
Ability to wipe or lock the device, geofencing.
Application control, in case an outside app is tainted by malicious code. Possible partitioning of the device into dedicated work and personal areas.
Reporting: real-time device status (dashboard), user information, log-in attempts and compliance with policies.
Plan for configuration: devices need to be configured, with user and device self-registration.
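As an added example (not part of the presentation), a small Python check of the MDM controls listed above over a constructed device inventory: lock-screen passcode, encryption, OS baseline, remote lock/wipe enrolment, failed log-in attempts and lost/stolen reports, producing the per-device status and actions a compliance dashboard would show. The baseline OS version, the failed-login threshold and the device records are assumptions made for the example.

```python
# Assumed policy baselines for this example (not from the presentation).
MIN_OS_VERSION = (9, 3, 5)
MAX_FAILED_LOGINS = 5

def evaluate(dev: dict) -> dict:
    """Dashboard record for one device: policy findings and the actions to take."""
    findings, actions = [], []
    if not dev["passcode_set"]:
        findings.append("no lock-screen passcode")
    if not dev["encrypted"]:
        findings.append("storage not encrypted")
    if tuple(dev["os_version"]) < MIN_OS_VERSION:
        findings.append("OS below baseline")
    if not dev["remote_wipe_enrolled"]:
        findings.append("not enrolled for remote lock/wipe")
    if dev.get("failed_logins", 0) >= MAX_FAILED_LOGINS:
        findings.append("excessive failed log-in attempts")
        actions.append("lock")
    if dev.get("reported_lost", False):
        # Lost or stolen device: lock at once; wipe only if MDM can still reach it.
        actions.append("lock")
        actions.append("wipe" if dev["remote_wipe_enrolled"] else "escalate: cannot wipe")
    if findings:
        actions.append("block ePHI apps until compliant")
    return {"device": dev["id"], "findings": findings, "actions": sorted(set(actions)),
            "compliant": not findings and not dev.get("reported_lost", False)}

def dashboard(devices: list) -> dict:
    """Fleet summary for the compliance dashboard: counts plus per-device records."""
    records = [evaluate(d) for d in devices]
    return {"total": len(records), "compliant": sum(r["compliant"] for r in records),
            "needs_action": [r["device"] for r in records if r["actions"]],
            "records": records}

# Constructed sample inventory (fictitious devices, not real data).
SAMPLE = [
    {"id": "D1", "os_version": (10, 0, 1), "passcode_set": True, "encrypted": True,
     "remote_wipe_enrolled": True},
    {"id": "D2", "os_version": (9, 2, 1), "passcode_set": True, "encrypted": False,
     "remote_wipe_enrolled": True},
    {"id": "D3", "os_version": (9, 3, 5), "passcode_set": False, "encrypted": True,
     "remote_wipe_enrolled": False, "reported_lost": True},
    {"id": "D4", "os_version": (10, 1, 0), "passcode_set": True, "encrypted": True,
     "remote_wipe_enrolled": True, "failed_logins": 6},
]
```

Running `dashboard(SAMPLE)` flags D3 (lost, passcode off, not enrolled) for lock and escalation because no wipe can be sent, which is the gap the enrolment control exists to close.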
[Slide graphic: Internet of Medical Things, Mobile Devices, HIPAA]
Health care providers and professionals using mobile devices in their work must comply with the HIPAA Privacy and Security Rules to protect and secure health information.
IoT = Internet of Things
IoMT = Internet of Medical Things
NIST Cybersecurity Practice Guide, Special Publication 1800-1: "Securing Electronic Health Records on Mobile Devices"
Protect the privacy of patient information
Provide for electronic and physical security of patient health information
Require “minimum necessary” use and disclosure
Specify patient rights to approve the access and use of their medical information
Prevent health care fraud and abuse
Simplify billing and other transactions, reducing health care administrative costs
Insider threat is becoming one of the largest threats to organizations, and some cyberattacks may be insider-driven. Although not all insider threats are malicious or intentional, their effect can be damaging to your organization. Safeguards are often more psychology than technology.
According to a survey recently conducted by Accenture and HFS Research, 69% of organization representatives surveyed had experienced an insider attempt at, or success in, data theft or corruption.
IMPORTANT: Conduct mobile device awareness and ongoing training.
Source: Privacy-List listserv, operated by the Office for Civil Rights (OCR)
The HIPAA Security Rule requires CEs and BAs to have the following security measures:
Written policies and standards of conduct.
A designated Compliance Officer.
Effective training and education.
Effective lines of communication.
Enforcement of standards through disciplinary guidelines (publicized and enforced).
Internal monitoring and auditing.
A response and corrective action plan for offenses.
Regular risk analysis.
Why? Required for HIPAA Covered Entities under 45 CFR § 164.308, Administrative safeguards:
• Risk Analysis (required)
• Risk Management (required)
How? Conduct a Risk Analysis, defined by 45 CFR § 164.308(a)(1)(ii)(A) as “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the CE or BA”.
When? HTS recommends conducting a security risk analysis yearly, or whenever new technology or critical business operations within your organization change.
Where?
HTS offers Security Risk Analysis: http://mpqhf.com/corporate/health-and-technology-services/hipaa-privacy-and-security/
ONC offers a free SRA tool at: https://www.healthit.gov/providers-professionals/security-risk-assessment-tool
A parting thought…
Please always remember that checking the box for compliance is important, and protecting patients and their health records is even more important.
Thanks for your valuable time today.
www.gotohts.org
Privacy Rule: http://www.hhs.gov/hipaa/for-professionals/privacy/
Security Rule: http://www.hhs.gov/hipaa/for-professionals/security/
Business Associates: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html
Breach Notification Rule: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html
Thought of a question after today’s presentation? Please don’t hesitate to contact HTS.
Also…please take just a few minutes to fill out a short survey at the end of our webinar today – we value your comments!
Prepared and presented by:
Susan Clarke, BSc, Health Care Information Security and Privacy Practitioner
HTS, a department of Mountain-Pacific Quality Health Foundation
www.gotohts.com
(cell) 307-248-8179