TRANSCRIPT
PLACEHOLDER FOR INFORMATION SECURITY LEVEL
Technology, and Social Media Use in Healthcare. What Could Go Wrong?
Moira Wertheimer, Esq., RN, CPHRM, FASHRM, Healthcare Risk Management Product Lead
Objectives
• Discuss social media/technology uses in healthcare
• Identify potential patient confidentiality issues arising with technology and social media use in healthcare
• Describe general safety and security issues associated with technology and social media use in healthcare
• Discuss risk reduction strategies and policy considerations to mitigate potential liability exposures associated with technology and social media use in healthcare
Who Uses Social Media And Technology? Practically Everybody!
Technology access:
• 96% of Americans own a cellphone
• 81% own a smartphone
• 75% own a desktop/laptop
Social media:
• 50% of consumers research healthcare providers online, starting with the health system website
• 40% of consumers make healthcare decisions using information found on social media
• 19% of smartphone users have at least one “health related” app on their phone
• 2/3 of physicians use social media for professional purposes
• Only 1/3 of healthcare organizations have social media use guidelines
Source: Pew Research Center, Social Media Fact Sheet (June 12, 2019)
Healthcare Consumers Use the Internet
Source: Kyruus, 2019 Patient Access Journey Report
How Does Healthcare Use Social Media And Technology?
• Patient engagement
  – Provide healthcare education to the community
  – Drive healthcare consumers to organization/practice websites and landing pages for up-to-date information
  – Market innovative clinical services
  – Tool to improve patient satisfaction scores
  – Increase patient access to their health information through patient portals
• Electronic Health Records (EHRs)
• Professional networking/collaboration
• Research recruitment
• Communicate with patients directly
• Artificial Intelligence (AI)
• Medical devices
What Are The Risks With Using Social Media And Technology In Healthcare?
• Protecting patient confidentiality
• Maintaining professionalism
• Not adhering to standards of care
• Practicing medicine without a license
• Competency using the technology
Social Media: Friend Or Foe?
Web-based/mobile technology turns what used to be private conversations into interactive dialogue that can be accessed by the public.
Professionalism: Risk Management Strategies
• Maintain separate professional/personal social media presence
• Convey accurate information
• Avoid online profanity, intoxication, discriminatory language
• Avoid commenting negatively on patients
• Utilize privacy settings
• Control who can post information about you
• Don’t “friend” patients
• “Google” yourself periodically
• “Pause” before posting
• Avoid inadvertently creating a provider-patient relationship
• Communicate electronically with established patients only, after obtaining consent
Source: Annals of Internal Medicine, “Online Medical Professionalism: Patient and Public Relationships: Policy Statement From the American College of Physicians and the Federation of State Medical Boards” (2013).
Protecting Patient Confidentiality
• HIPAA/state privacy laws apply to all protected health information (PHI):
  • Verbal
  • Written
  • Electronic
• Applies to communication WITH patients and ABOUT patients
• Use de-identified information when reviewing cases
• Avoid social media postings referring to a patient
  • Even if no “PHI” is posted
• Encryption
• Dispose of PHI in a HIPAA-compliant manner
HIPAA: Data Breaches
• U.S. Health and Human Services posts all breaches affecting 500 or more individuals on a public website
• Between 2009 and 2018: 2,546 data breaches
  • 189,945,874 healthcare records
• More than 80% of physicians experienced a cyberattack in 2017
• Average cost: $6.5 million
  • $429 per record
Source: IBM Ponemon Institute 2019 Cost of Data Breach Report
How Do Breaches Happen?
Malicious:
• Hacking
• Phishing
• Pretexting
• Ransomware
• “Inside” unauthorized access
• Theft
• Exploiting system vulnerabilities
• Unprotected data stored on servers
• Use of stolen credentials
Non-compliance:
• Failing to log off when leaving workstation
• Unauthorized viewing/access to PHI
• Sharing passwords
• Improper disposal of PHI
• Loss/theft of mobile devices
• Not updating security patches
• Human error
Source: Verizon, Protected Health Information Data Breach Report (2019)
HIPAA Fines
• Tier 1 (no knowledge of violation): $100 to $50,000 per violation; capped at $25,000 per year
• Tier 2 (reasonable cause): $1,000 to $50,000 per violation; capped at $100,000 per year
• Tier 3 (willful neglect, corrected): $10,000 to $50,000 per violation; capped at $250,000 per year
• Tier 4 (willful neglect, not corrected): $50,000 per violation; capped at $1.5 million per year
Breach Prevention Risk Management Strategies
• Disk/device encryption
• Use anti-virus software
• Update security patches
• Centralized distribution of devices to employees
• Maintain paper records in restricted access/locked areas
• Dispose of all PHI properly
  • Pulverize
  • Shred
  • Demagnetize
  • Erase
• Routine monitoring/auditing of medical record access
• Establish resiliency to combat ransomware attacks
• DON’T click on that link!!!
Source: Verizon, Protected Health Information Data Breach Report
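The bullet on routine monitoring/auditing of medical record access is the one item on this slide that can be turned directly into detection logic. The Python below is an added example, not material from the presentation or its sources: it reads a constructed EHR access audit log and flags chart views by users with no recorded treatment relationship to the patient, views outside scheduled hours, and bursts of distinct-chart views that look like snooping. The log rows, the care-team table, the shift hours and the burst thresholds are all assumptions made for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not from the slides): one row per chart view.
SAMPLE_AUDIT_LOG = """timestamp,user,role,patient_id,action
2019-10-07T08:05:00,nurse_a,RN,P100,VIEW
2019-10-07T08:07:00,nurse_a,RN,P101,VIEW
2019-10-07T09:15:00,dr_b,MD,P100,VIEW
2019-10-07T22:40:00,clerk_c,CLERK,P100,VIEW
2019-10-07T22:41:00,clerk_c,CLERK,P102,VIEW
2019-10-07T22:41:30,clerk_c,CLERK,P103,VIEW
2019-10-07T22:42:00,clerk_c,CLERK,P104,VIEW
2019-10-07T22:42:30,clerk_c,CLERK,P105,VIEW
2019-10-07T22:43:00,clerk_c,CLERK,P106,VIEW
"""

# Constructed treatment relationships: which users are on each patient's care team.
# In a real deployment this would come from the scheduling/assignment system.
CARE_TEAM = {
    "P100": {"nurse_a", "dr_b"},
    "P101": {"nurse_a"},
}

# Assumed thresholds for the "snooping" heuristic.
BURST_WINDOW_SECONDS = 300   # look at views within a 5-minute window
BURST_THRESHOLD = 5          # this many distinct charts in the window is suspicious


def parse_audit_log(text):
    """Parse the CSV audit log into dicts with a real datetime in 'timestamp'."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return rows


def find_suspicious_access(text, care_team, shift_start=7, shift_end=19):
    """Return a list of findings; each is {'user', 'patient_id', 'reason'}."""
    findings = []
    rows = parse_audit_log(text)

    # Rule 1 and 2: per-view checks for treatment relationship and working hours.
    for row in rows:
        reasons = []
        if row["user"] not in care_team.get(row["patient_id"], set()):
            reasons.append("no treatment relationship")
        if not (shift_start <= row["timestamp"].hour < shift_end):
            reasons.append("outside scheduled hours")
        if reasons:
            findings.append({"user": row["user"], "patient_id": row["patient_id"],
                             "reason": "; ".join(reasons)})

    # Rule 3: a burst of many distinct charts by one user in a short window.
    by_user = defaultdict(list)
    for row in rows:
        by_user[row["user"]].append(row)
    for user, views in by_user.items():
        views.sort(key=lambda r: r["timestamp"])
        for i, first in enumerate(views):
            window = [v for v in views[i:]
                      if (v["timestamp"] - first["timestamp"]).total_seconds() <= BURST_WINDOW_SECONDS]
            distinct = {v["patient_id"] for v in window}
            if len(distinct) >= BURST_THRESHOLD:
                findings.append({"user": user, "patient_id": "*",
                                 "reason": f"{len(distinct)} distinct charts in {BURST_WINDOW_SECONDS}s"})
                break  # one burst finding per user is enough for review
    return findings


if __name__ == "__main__":
    for f in find_suspicious_access(SAMPLE_AUDIT_LOG, CARE_TEAM):
        print(f"{f['user']:10} {f['patient_id']:6} {f['reason']}")
```

On the constructed log the two clinicians generate no findings, while the clerk's after-hours sweep through six charts produces one finding per view plus a single burst finding. The output is a review queue for the privacy officer, not an automatic sanction: a legitimate emergency consult can also look like an access with no prior relationship, which is why the relationship table should be kept current and the findings reviewed by a person.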
Emailing/Texting With Patients: Risk Management Strategies
• Develop an internal policy
• Delineate workflows
• Utilize patient portals when available
• Obtain patient informed consent
• Encryption
  • What if the patient wants the PHI sent unencrypted?
• Manage “response time” expectations
• Emergency response
Online Reviews
• For healthcare experiences
  • Patients and families
  • Organizations
• Issues
  • Reliability
  • Credibility
  • Insight
• Managing reviews
• Responding to negative social media ratings
Responding to Negative Social Media
Posting a response that acknowledges the patient violates state and federal confidentiality regulations (e.g., HIPAA).
• Options:
  — Ignore the post, if generally benign
  — Respond with a generic statement that explains the practice/organization privacy rules
  — If the patient identifies themselves, consider contacting them offline to discuss and to remove the post
  — Contact local law enforcement immediately if the posting is a threat against a specific individual
Professional Networking
• Understand how the technology works
• Protect patient confidentiality
  • Use de-identified patient information
• Maintain professionalism
• Avoid inadvertently establishing a provider-patient relationship
• Maintain professional boundaries
• Keep personal and professional social networking separate
• Disclose conflicts of interest
• Disclose that views are personal and not those of the employer organization
Develop A Social Media Policy
• Size of organization/practice does not matter
• New employee orientation/ongoing staff education
• Include physicians (employed, independent contractors, locums)
• Include agency staff
• Enforce policy consistently
• Employees sign confidentiality agreements
• Designate who will monitor social media use and content
• Utilize disclaimers
• Policy should include prohibitions on:
  • Sharing of patient information
  • Photos
  • Ranting
  • Interacting with patients on personal social media sites
  • Using organization name, image, etc., in personal social media postings
  • Answering questions/providing medical advice on social media sites
  • Emailing/texting unencrypted PHI
  • Responding to negative online postings
• Avoid policies seeking to regulate employees’ personal use of social media in ways that could be considered violating free speech
Mobile Devices
• Know where the device is at all times!
• Don’t store PHI on the device
• Encrypt all devices
• Maintain security updates
• Utilize remote wipe capabilities
• Don’t use wi-fi “hotspots”
• Disable Bluetooth when not in use
• Password protect the device
  • Don’t share the password!
  • Change the password frequently
  • Use complex passwords (8 characters and 4 data types: upper, lower, numeric, symbol/character)
• Consider adopting a BYOD policy
Source: mHealth Intelligence, The Impact of BYOD on Healthcare Providers and Hospitals
Types of Cyberattacks
• Phishing attack
• Malicious disclosure
• Theft of protected health information (PHI)
• Breach of confidentiality
• Hacking
• Ransomware
• All of the above
Effects of Cyber Attacks on Healthcare
• Clinical interruption
• Business interruption
• Organization reputation damage
Phishing
• Affects large and small organizations
• Most commonly found in emails, texts, social media, and sometimes phone calls
• 10% of phishing emails make it through spam blockers
• Exploits the recipient
• Fridays and Mondays are the biggest “phishing days”
  • 9 AM and 1 PM
• Receive email from a “recognized” sender, disguised as:
  • Bill / invoice (15.9 percent)
  • Email delivery failure (15.3 percent)
  • Legal / law enforcement (13.2 percent)
  • Scanned document (11.5 percent)
  • Package delivery (3.9 percent)
Source: Symantec, 2018 Internet Security Threat Report
Don’t Let the “PHISH” Bite
• Employee training/drills
• In the emails, look for:
  • Misspelled words
  • Grammatical errors
  • Inspect all URLs; look for redirecting
  • Hover your cursor over the link: does it look right?
• Don’t provide sensitive information
• Utilize spam detection programs
• Use multi-factor authentication
• Use only “HTTPS” protected sites
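The “inspect all URLs”, “look for redirecting” and “hover over the link” checks on this slide can be automated for incoming mail before a person ever has to hover. The Python below is an added example, not code from the presentation: it parses the HTML body of a constructed invoice-themed message, extracts every link, and reports three of the signs the slide lists for each one: the link is not HTTPS, the host shown to the reader differs from the host the link actually points to, and the URL carries another URL in its query string (a redirect). The message text and all hostnames are constructed for the example and use the reserved .test and .example names.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample message body (invoice lure). The first link shows one host
# in its visible text but points somewhere else, over plain HTTP, via a redirect.
SAMPLE_EMAIL_HTML = """
<p>Your invoice is ready. Please review it at
<a href="http://login-portal.example/redirect?url=http://accounts.example-bank.test/verify">https://portal.example-hospital.test/invoices</a>
or call the billing office.</p>
<p><a href="https://portal.example-hospital.test/help">Help center</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def inspect_links(html):
    """Return one dict per link: {'href', 'text', 'issues'}; an empty issues list is clean."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        issues = []
        target = urlparse(href)

        # Slide: "Use only HTTPS protected sites".
        if target.scheme != "https":
            issues.append("link is not HTTPS")

        # Slide: "Hover your cursor over the link, does it look right?"
        # If the visible text is itself a URL, its host must match the real target.
        shown = urlparse(text)
        if shown.netloc and shown.netloc.lower() != target.netloc.lower():
            issues.append(f"displayed host {shown.netloc} differs from actual host {target.netloc}")

        # Slide: "Inspect all URLs, look for re-directing".
        # A full URL inside a query parameter is the classic open-redirect shape.
        for values in parse_qs(target.query).values():
            for value in values:
                inner = urlparse(value)
                if inner.scheme in ("http", "https"):
                    issues.append(f"redirects to {inner.netloc}")

        findings.append({"href": href, "text": text, "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in inspect_links(SAMPLE_EMAIL_HTML):
        status = "; ".join(finding["issues"]) or "no issues"
        print(f"{finding['text']!r} -> {finding['href']}\n    {status}")
```

Run against the constructed message, the invoice link trips all three checks while the help-center link is clean. In practice this sits in a mail gateway or a security-awareness tool that annotates the message for the reader; it complements, rather than replaces, the spam filter and the staff training the slide recommends, since a lure can pass all three checks and still be fraudulent.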
Ransomware Attacks
• Uses a type of malicious software designed to block access to a computer system until a sum of money is paid
• 40% of ransomware attacks occur through phishing
• Healthcare is a victim in 12.8% of ransomware attacks
• Average downtime for the organization is 12 days
• Average ransomware payment: $41,000
Source: Coveware, Q3 Ransomware Marketplace Report (2018)
We Had A Ransomware Attack: Now What?
• Train employees to recognize a ransomware attack early
• Time is of the essence
• Disconnect/power down affected devices/computers
• Label affected devices
• End all administrator sessions
• Change administrator credentials
• Change all user passwords
• Securing access takes priority over initiating a restore
• Conduct a full threat assessment once the situation is resolved
Summary: Mitigating TECHNOLOGY Risks
• ENCRYPTION on EVERY device
• Device and media control policy
• Passwords
• Access control
• Staff education and awareness
• Incident response plan with breach notification
• Drills/audits
What is Next?: Artificial Intelligence (AI)
• Risks:
  • False positives/negatives
  • Systems errors
  • Unexplainable results
  • New skill requirements for providers
  • Systems vulnerable to cyberattacks
  • Current laws/standards not designed with AI in mind
• Benefits:
  • Assistance with case triaging
  • Enhanced image scanning
  • Faster disease detection
  • Supported decision-making
  • Patient appointment/treatment tracking
  • Automatic tumor tracking
Source: Medical Economics, “AI can help avoid malpractice lawsuits, but risks may emerge” (3/4/19).
Summary: Risk Management Tips for Social Media and Technology
• Create social media/device usage policies and procedures
• Encrypt, encrypt, encrypt
• Staff education and training
• Understand risks and benefits of technologies used
• Comply with federal and state confidentiality laws
• Adhere to HIPAA Breach Notification process
• Use strong passwords
• Don’t post about patients on social media
Resources
• Annals of Internal Medicine, “Online Medical Professionalism: Patient and Public Relationships: Policy Statement From the American College of Physicians and the Federation of State Medical Boards” (2013).
• AHIMA, “Social Media + Healthcare” http://library.ahima.org/doc?oid=103686#.W-Gh0jaWw2w
• Verizon, Protected Health Information Data Breach Report (2019)
• Mayo Clinic Social Media Policy https://sharing.mayoclinic.org/guidelines/for-mayo-clinic-employees/
• FDA In Brief, October 2018 https://www.fda.gov/NewsEvents/Newsroom/FDAInBrief/ucm623624.htm
• Health & Human Services, Office of Civil Rights, Cyber Security Guidance Material https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html
• Federation of State Medical Boards, Model Policy Guidelines for the Appropriate Use of Social Media and Social Networking in Medical Practice http://www.fsmb.org/pdf/pub-social-media-guidelines.pdf