
Page 1: Health Technology Services...presentation documents) is not intended to constitute legal advice or the rendering of legal, consulting or other professional services of any kind. Users

Mobile Technology in Health Care

Presenter: Susan Clarke, BSc, Health Care Information Security and Privacy Practitioner

Wednesday, September 14, 2016

1:00 to 2:00 PM MDT • 11:00 to 12:00 PM AKDT • 9:00 to 10:00 AM HST

HTS, a department of Mountain-Pacific Quality Health Foundation

Page 2

Thank you for spending your valuable time with us today.

This webinar will be recorded for your convenience. A copy of today’s presentation and the webinar recording will be available on our website. A link to these resources will be emailed to you following the webinar.

All phones will be muted during the presentation and unmuted during the Q&A session. Computer users can use the chat box to ask questions, which will be answered at the end of the presentation.

We would greatly appreciate your providing us feedback by completing the survey at the end of the webinar today.

Page 3

Closed captioning will appear under today’s presentation. To see more lines of captioned text, click the small arrow below.

Page 4

Mountain-Pacific holds the Centers for Medicare & Medicaid Services (CMS) Quality Innovation Network-Quality Improvement Organization (QIN-QIO) contract for the states of Montana, Wyoming, Alaska and Hawaii, providing quality improvement assistance.

HTS, a department of Mountain-Pacific, has assisted 1,480 providers and 50 Critical Access Hospitals in reaching Meaningful Use. We also assist health care facilities in using Health Information Technology (HIT) to improve health care quality, efficiency and outcomes.

Page 5

• HealthInsight holds the Centers for Medicare & Medicaid Services (CMS) Quality Innovation Network-Quality Improvement Organization (QIN-QIO) contract for Nevada, New Mexico, Oregon and Utah, and also holds the CMS end-stage renal disease (ESRD) contract for Networks 16 and 18, serving Alaska, Idaho, Montana, Oregon, Washington and Southern California.

• As a Regional Extension Center (REC), HealthInsight has assisted 1,976 providers and 30 critical access hospitals in Nevada and Utah in adopting electronic health record (EHR) technology. The REC also assisted more than 1,400 providers in meeting Meaningful Use Stage 1.

Page 6

The presenter is not an attorney, and the information provided is the presenter’s opinion and should not be taken as legal advice. The information is presented for informational purposes only.

Compliance with regulations can involve legal subject matter with serious consequences. The information contained in the webinar(s) and related materials (including, but not limited to, recordings, handouts and presentation documents) is not intended to constitute legal advice or the rendering of legal, consulting or other professional services of any kind. Users of the webinar(s) and webinar materials should not in any manner rely upon or construe the information as legal or other professional advice. Users should seek the services of a competent legal or other professional before acting, or failing to act, based upon the information contained in the webinar(s), in order to ascertain what may be best for the user’s individual needs.

Page 7

Susan Clarke, BSc, Health Care Information Security and Privacy Practitioner

Page 8

• BA: Business Associate

• CE: Covered Entity

• CEHRT: Certified Electronic Health Record Technology

• CEO: Chief Executive Officer

• CIO: Chief Information Officer

• CMS: Centers for Medicare and Medicaid Services

• EHR: Electronic Health Record

• ePHI: Electronic Protected Health Information

• HHS: Department of Health and Human Services

• HIPAA: Health Insurance Portability and Accountability Act

• HIT: Health Information Technology

• IT: Information Technology

Page 9

• MDM: Mobile Device Management

• NIST: National Institute of Standards and Technology

• OCR: Office for Civil Rights

• ONC: Office of the National Coordinator

• PHI: Protected Health Information

• SP: Special Publication

• SRA: Security Risk Analysis

Page 10

Definitions and statistics

Advantages of mobile technology

Threats to mobile devices and types of threats

Takeaways

Mobile Device Management

Culture of Compliance including security risk analysis

Page 11

Mobile apps are software programs that run on smartphones and other mobile communication devices. They can also be accessories that attach to a smartphone or other mobile communication device, or a combination of accessories and software.

Mobile apps span a wide range of health functions. While many mobile apps carry minimal risk, those that can pose a greater risk to patients require FDA review.

What’s regulated and what’s not: http://www.fda.gov/MedicalDevices/DigitalHealth/MobileMedicalApplications/ucm368743.htm

Page 12

“Stolen personal information can have negative financial impacts, but stolen medical information cuts to the very core of personal privacy. Medical identity theft already costs billions of dollars each year, and altered medical information can put a person’s health at risk through misdiagnosis, delayed treatment or incorrect prescriptions. Yet, the use of mobile devices to store, access, and transmit electronic health care records is outpacing the privacy and security protections on those devices.”

https://nccoe.nist.gov/projects/use_cases/health_it/ehr_on_mobile_devices

Page 13

In 2014, mobile users surpassed desktop users.

64% of adults in the U.S. own a smartphone.

55% of email is now opened on a mobile device.

87% of millennials (18-34) report never separating from their mobile devices.

Wearable usage has jumped 57% since 2014.

95% of business associate (HIPAA) security incidents are attributed to lost or stolen devices.

Page 14

Booming market: affordable, convenient and able to handle it all (phone, camera, internet, etc.).

Portable: they fit anywhere (pocket, purse, lab coat).

Larger displays: phone screens have increased in size, and interfaces scale to them.

Location: directions to appointments, and wearable devices provide real-time analytics.

Apps are plentiful and can be customized.

Page 15

Information and time management

Health record maintenance and access

Communications and consulting

Reference and information gathering

Patient management and monitoring

Clinical decision-making

Medical education and training

Source=http://www.ncbi.nlm.nih.gov/pmc/articles/PMC4029126/

Page 16

Easy to steal, misplace or damage.

Over a 12-hour shift a device may need recharging.

Data security needs authentication controls, remote and automatic lock and wipe, encryption, and the policy and procedure to back them up.

Potential HIPAA violations.

Patients’ awareness of the risks to their own devices.

BYOD: consider the full implications of allowing corporate data to be accessed on personal devices. Convenience clashes with security.

Page 17

Application based: vulnerable apps, malware, spyware and privacy threats.

Web based: phishing scams, drive-by downloads, browser exploits.

Network based: man-in-the-middle attacks, traffic sniffing, eavesdropping.

Physical: lost or stolen devices.

Page 18

https://nccoe.nist.gov/sites/default/files/library/fact-sheets/hit-ehr-fact-sheet.pdf

https://nccoe.nist.gov/projects/use_cases/health_it/ehr_on_mobile_devices

Page 19

Create a formal device policy that educates staff about security risks and best practices for safeguarding health information.

Implement Mobile Device Management as part of the device risk management strategy.

Plan for attackers gaining access and for lost or stolen devices, and know how to react quickly.

Think security by design: know the risks before deciding on use.

If cloud services are allowed, consider the potential for data leakage when data syncs between devices.

Page 20

The number one rule is proper passcode protection, encryption and ENFORCEMENT!

Keep software up to date.

Don’t use ePHI apps on an unfamiliar network.

Disable Bluetooth when not in use.

Smartphones are getting smarter.

Have a BYOD policy in place; ignoring the problem invites attack and, as a result, regulatory or reputational harm.

Page 21

Lock screen passcodes, encryption, a secure messaging platform.

Ability to wipe or lock a device; geofencing.

Application control, in case an outside app is tainted with malicious code. Possibly a dedicated partition separating work and personal use on the device.

Reporting: real-time device status (dashboard), user information, log-in attempts and compliance with policies.

Plan for configuration: devices need to be configured, and user and device self-registration can help.
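The takeaways on page 20 (passcodes, encryption, enforcement, current software, not using ePHI apps on unfamiliar networks) and the MDM capabilities on this page (lock and wipe, log-in attempt reporting, compliance dashboards) come together in the check an MDM runs against its device inventory. The following is an added example and not code from the webinar or from any MDM product: it scores constructed inventory records against an assumed device policy and decides which MDM action each device needs. The record layout, the POLICY thresholds and the minimum OS versions are assumptions, not vendor or regulator guidance.

```python
"""Check MDM inventory records against a mobile device policy.

Added example, not code from the HTS webinar or from any MDM product. The
record layout is an assumed simplification of an MDM inventory export, and
the thresholds in POLICY are assumptions an organization would set in its
own device policy.
"""
from datetime import datetime, timedelta, timezone

POLICY = {
    # Minimum OS versions are placeholders, not vendor or regulator guidance.
    "min_os": {"ios": (10, 0, 0), "android": (7, 0, 0)},
    # A device that has not checked in cannot receive a lock or wipe command.
    "max_checkin_age": timedelta(days=7),
    # Repeated failed unlocks suggest someone other than the user has the device.
    "max_failed_unlocks": 10,
    "min_passcode_length": 6,
}

# Constructed sample inventory (no real devices, users or organizations).
NOW = datetime(2016, 9, 14, 13, 0, tzinfo=timezone.utc)
INVENTORY = [
    {"id": "dev-001", "user": "nurse.a", "platform": "ios", "os_version": "10.0.1",
     "passcode_set": True, "passcode_length": 6, "encrypted": True, "jailbroken": False,
     "last_checkin": "2016-09-14T12:30:00Z", "failed_unlocks": 0,
     "reported_lost": False, "ephi_apps": ["ehr-mobile"]},
    {"id": "dev-002", "user": "dr.b", "platform": "android", "os_version": "6.0.1",
     "passcode_set": True, "passcode_length": 4, "encrypted": False, "jailbroken": False,
     "last_checkin": "2016-09-13T08:00:00Z", "failed_unlocks": 2,
     "reported_lost": False, "ephi_apps": ["ehr-mobile", "secure-msg"]},
    {"id": "dev-003", "user": "tech.c", "platform": "ios", "os_version": "9.3.5",
     "passcode_set": True, "passcode_length": 6, "encrypted": True, "jailbroken": True,
     "last_checkin": "2016-08-30T09:00:00Z", "failed_unlocks": 12,
     "reported_lost": False, "ephi_apps": []},
    {"id": "dev-004", "user": "dr.d", "platform": "android", "os_version": "7.0.0",
     "passcode_set": True, "passcode_length": 8, "encrypted": True, "jailbroken": False,
     "last_checkin": "2016-09-14T09:15:00Z", "failed_unlocks": 0,
     "reported_lost": True, "ephi_apps": ["ehr-mobile"]},
]


def parse_version(text):
    """'10.0.1' -> (10, 0, 1); shorter strings are padded with zeros."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def parse_checkin(text):
    """Parse the UTC timestamp format used in the sample records."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_device(rec, policy=POLICY, now=NOW):
    """Return the policy violations for one device and the MDM action to take."""
    violations = []
    if not rec["passcode_set"]:
        violations.append("no_passcode")
    elif rec["passcode_length"] < policy["min_passcode_length"]:
        violations.append("passcode_too_short")
    if not rec["encrypted"]:
        violations.append("not_encrypted")
    if parse_version(rec["os_version"]) < policy["min_os"][rec["platform"]]:
        violations.append("os_out_of_date")
    if rec["jailbroken"]:
        violations.append("rooted_or_jailbroken")
    if now - parse_checkin(rec["last_checkin"]) > policy["max_checkin_age"]:
        violations.append("stale_checkin")
    if rec["failed_unlocks"] >= policy["max_failed_unlocks"]:
        violations.append("excessive_failed_unlocks")
    if rec["reported_lost"]:
        violations.append("reported_lost")

    # Escalation order: a lost device is wiped; a compromised or brute-forced
    # device is locked; any other non-compliant device loses ePHI app access
    # if it has any, otherwise the user is told to fix it.
    if rec["reported_lost"]:
        action = "remote_wipe"
    elif "rooted_or_jailbroken" in violations or "excessive_failed_unlocks" in violations:
        action = "remote_lock"
    elif violations and rec["ephi_apps"]:
        action = "block_ephi_access"
    elif violations:
        action = "notify_user"
    else:
        action = "compliant"
    return {"id": rec["id"], "user": rec["user"], "violations": violations, "action": action}


def compliance_report(inventory=INVENTORY, policy=POLICY, now=NOW):
    """Dashboard-style summary: totals plus device ids grouped by required action."""
    results = [evaluate_device(r, policy, now) for r in inventory]
    by_action = {}
    for r in results:
        by_action.setdefault(r["action"], []).append(r["id"])
    return {"total": len(results),
            "compliant": len(by_action.get("compliant", [])),
            "by_action": by_action,
            "devices": results}


if __name__ == "__main__":
    for r in compliance_report()["devices"]:
        print(f'{r["id"]} ({r["user"]}): {r["action"]} {r["violations"]}')
```

Two details matter for the "plan for lost or stolen devices" point: the stale check-in flag is reported separately because a lock or wipe command only takes effect once the device next contacts the MDM, so a device that is both lost and stale needs the account-side response (revoking its EHR session and credentials) rather than waiting on the wipe; and the action is decided from the worst finding rather than the first, so a lost device is wiped even when everything else about it is compliant.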

Page 22

[Diagram: three overlapping circles labelled Internet of Medical Things, Mobile Devices and HIPAA]

Health care providers and professionals using mobile devices in their work must comply with the HIPAA Privacy and Security Rules to protect and secure health information.

Page 24

Protect the privacy of patient information.

Provide for electronic and physical security of patient health information.

Require “minimum necessary” use and disclosure.

Specify patient rights to approve the access and use of their medical information.

Prevent health care fraud and abuse.

Simplify billing and other transactions, reducing health care administrative costs.

Page 25

Insider threat is becoming one of the largest threats to organizations, and some cyberattacks may be insider-driven. Although not all insider threats are malicious or intentional, their effect can be damaging to your organization. Safeguards are often more psychology than technology.

According to a survey recently conducted by Accenture and HFS Research, 69% of organization representatives surveyed had experienced an insider attempt or success at data theft or corruption.

IMPORTANT: Conduct mobile device awareness and ongoing training.

Source=Privacy-List listserv, operated by the Office for Civil Rights (OCR)

Page 26

The HIPAA Security Rule requires CEs and BAs to implement security measures:

Page 27

Have written policies and standards of conduct.

A designated compliance officer.

Effective training and education.

Effective lines of communication.

Enforcement of standards through disciplinary guidelines (publicized and enforced).

Internal monitoring and auditing.

A response and corrective action plan for offenses.

Conduct regular risk analysis.

Page 28

Why? Required for HIPAA covered entities and business associates:

45 CFR § 164.308 Administrative safeguards

• Risk Analysis (required)

• Risk Management (required)

How? Conduct a risk analysis, defined by 45 CFR § 164.308(a)(1)(ii)(A) as “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the CE or BA”.
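The regulation says what a risk analysis must cover but not how to score it. As an added example, not from the webinar or from any regulator's template, here is a minimal risk register for clinician smartphones running an EHR app, scored with a likelihood-times-impact model of the kind NIST SP 800-30 describes, with one threat from each category on the threats page (application, web, network, physical). The 1-5 scales, the control effectiveness fractions and the High/Medium/Low thresholds are assumptions; a real analysis documents where each number comes from.

```python
"""Score a mobile device risk register with a likelihood-times-impact model.

Added example, not from the HTS webinar or from any regulator's template.
The 1-5 scales, the control effectiveness figures and the High/Medium/Low
thresholds are all assumptions; a real analysis would document where each
number came from. The threats are the four categories from the threat slide.
"""

# Assumed: each control cuts likelihood or impact by the given fraction.
CONTROLS = {
    "passcode_and_encryption": {"impact": 0.6},   # data unreadable on a lost device
    "remote_wipe": {"impact": 0.3},
    "app_control": {"likelihood": 0.5},           # only vetted apps can install
    "awareness_training": {"likelihood": 0.4},
}

# Constructed register: one asset (clinician smartphones running the EHR app),
# one threat per category, likelihood and impact on an assumed 1-5 scale.
RISKS = [
    {"id": "R1", "threat": "Lost or stolen device (physical)",
     "vulnerability": "Passcode and encryption not enforced",
     "likelihood": 5, "impact": 5,
     "controls": ["passcode_and_encryption", "remote_wipe"]},
    {"id": "R2", "threat": "Malicious or vulnerable app (application)",
     "vulnerability": "Unrestricted app installs",
     "likelihood": 3, "impact": 4, "controls": ["app_control"]},
    {"id": "R3", "threat": "Man-in-the-middle on an unfamiliar network (network)",
     "vulnerability": "ePHI app used on public Wi-Fi",
     "likelihood": 3, "impact": 4, "controls": []},
    {"id": "R4", "threat": "Phishing or drive-by download (web)",
     "vulnerability": "No security awareness training",
     "likelihood": 4, "impact": 3, "controls": ["awareness_training"]},
]


def inherent_score(risk):
    """Risk before controls: likelihood x impact."""
    return risk["likelihood"] * risk["impact"]


def residual_score(risk, controls=CONTROLS):
    """Risk after the listed controls; each control scales one factor down."""
    likelihood, impact = risk["likelihood"], risk["impact"]
    for name in risk["controls"]:
        effect = controls[name]
        likelihood *= 1 - effect.get("likelihood", 0)
        impact *= 1 - effect.get("impact", 0)
    return round(likelihood * impact, 2)


def level(score):
    """Assumed thresholds on the 1-25 product scale."""
    if score >= 15:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def rank_risks(risks=RISKS, controls=CONTROLS):
    """Rows ordered by residual risk, highest first: the treatment priority list."""
    rows = []
    for risk in risks:
        residual = residual_score(risk, controls)
        rows.append({"id": risk["id"], "threat": risk["threat"],
                     "inherent": inherent_score(risk),
                     "inherent_level": level(inherent_score(risk)),
                     "residual": residual, "residual_level": level(residual),
                     "untreated": not risk["controls"]})
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


if __name__ == "__main__":
    for row in rank_risks():
        flag = " <- no control in place" if row["untreated"] else ""
        print(f'{row["id"]} inherent {row["inherent"]:>2} ({row["inherent_level"]})'
              f' residual {row["residual"]:>5} ({row["residual_level"]}) {row["threat"]}{flag}')
```

The point of ranking on residual rather than inherent risk shows in the output: the lost-device risk R1 starts highest at 25, but passcode enforcement, encryption and remote wipe bring it down, and the network risk R3, with no control at all, becomes the first item to treat. Rerunning the register when a new device type or app is introduced is what the yearly-or-on-change cadence on the next page amounts to in practice.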

Page 29

When? HTS recommends conducting a security risk analysis yearly, or whenever new technology or critical business operations within your organization change.

Where?

HTS offers Security Risk Analysis: http://mpqhf.com/corporate/health-and-technology-services/hipaa-privacy-and-security/

ONC offers a free SRA tool at: https://www.healthit.gov/providers-professionals/security-risk-assessment-tool

Page 30

A parting thought…

Please always remember that checking the box for compliance is important, and protecting patients and their health records is even more important.

Thanks for your valuable time today.

Page 31

www.gotohts.org

Page 32

Page 34

Thought of a question after today’s presentation? Please don’t hesitate to contact HTS.

Also…please take just a few minutes to fill out a short survey at the end of our webinar today – we value your comments!

Prepared and presented by:

Susan Clarke, BSc, Health Care Information Security and Privacy Practitioner

HTS, a department of Mountain-Pacific Quality Health Foundation

www.gotohts.com

(cell) 307-248-8179

[email protected]
