Invasion of Smart Phones in Clinical Areas
Chrissy Kyak, Privacy Officer, University of Maryland Upper Chesapeake Health
Personal Mobile Device Use in a Clinical Setting
Many hospitals and health care providers are struggling with what to do about employees and their use of mobile devices in the workplace.
What is our organization's position on Bring Your Own Device or "BYOD"?
Do you have a policy that speaks to whether the organization allows use of personal devices?
Does HIPAA allow the use of personal devices to transmit or store PHI?
Mobile Devices and Protected Health Information
What does the law say about mobile devices? There is nothing in HIPAA that states that it is not permissible to use a personal device to transmit patient information; however, the HIPAA Security Rule is clear that patient information must be protected and used securely by a covered entity, "whether at rest, in use, or in transmission."
The problem: who owns the phone or portable device, and how can a covered entity enforce proper security on the device if they don't own it?
Common conversations regarding mobile devices
Feedback: "Our phones on the unit are so outdated. They break, they aren't efficient, and they are three times the size of my cell phone. I can use my cell to text and don't have to use number keys to text docs. . . It's so much faster."
Response: What does your policy regarding mobile devices state? Do you have a policy? Are you texting PHI? If so, you may be putting patient information at risk. Remember, your service provider for your personal phone regularly backs up your phone in a cloud storage environment; this storage is not secured.
Feedback: "I don't want to carry around more than one phone. Why can't I just use my personal cell phone?"
Response: Newer cell phones have encryption features, but older models may not. Encryption is often not turned on because the owner is unaware that the feature exists.
Feedback: "If I need to text a doctor information about a patient, it's no different than calling the doctor."
Response: Texting and phone calls are two very different modes of communication with very different levels of risk. When you text anything from a mobile device that does not have appropriate security, the information is stored electronically in your phone's cloud storage.
Feedback: "I'm under a lot of pressure to treat patients quickly . . . It's just easier to text other docs and nurses when I need to tell them something. Maybe the hospital should look into purchasing us better technology."
Response: While convenience may be tempting, fines for HIPAA Security violations have jumped from $50,000 to $1.5 million in the last year. Most of the fines given by the Office for Civil Rights involve Security Rule violations and PHI that was discovered unsecured on the internet.
Feedback: "I told our IT Department that I was using my mobile phone to text, and they said that they wanted me to give them rights to my device so that they can wipe it if it gets lost or stolen. I don't think I want to give them this right. It's my device."
Response: It may be your device, but if you are texting PHI, it's the organization's patient information. You are putting the organization at risk if the device is lost or stolen and you don't report it. In order to use your device, there are tradeoffs so that information can be safeguarded.
Coming up with a Position on Use of Smartphones in Your Organization
Use of Smartphones: Many organizations are aware that employees in clinical areas are using their personal mobile devices to communicate information regarding their patients, but are they dealing with the issue?
Pretending that the issue doesn't exist can cost your organization.
Steps to Compliance
Does your organization have a mobile device policy? What is your organization's position?
Is your organization willing to support a BYOD culture?
Do you know who your organization's Privacy & Security officers are if you have questions regarding BYOD?
Are you training your employees on what your organizational position is?
Does your organization use a Virtual Private Network or "VPN"?
A VPN is a way for employees to securely enter the network and work remotely in a secure environment. This allows employees to text securely, access patient information securely, and email securely.
Steps to Compliance
Understand what can put a patient's information at risk. There are risks that many don't think of when we talk about mobile devices:
A device gets lost: is the employee reporting the loss to their employer, even if the phone belongs to the employee?
Devices can be stolen: is your IT department enforcing wiping capabilities on personal smartphones in the event they are lost or stolen?
Is the employee's phone password protected? You would be surprised how many people do not have passwords on their phone.
Depending on the type of device, malware and viruses are a potential threat that can be introduced into the workplace.
Do your employees understand that using a "free wifi" service outside of work is dangerous and can expose any PHI on their device to potential theft or loss?
Simple steps for each employee to take to help their organization achieve compliance
Step 1: Use a password or other user authentication method
Authentication is the process of verifying the identity of a user
Mobile devices can be configured to require a password, PIN or passcode to gain access
If an unauthorized user attempts to gain access and doesn’t have the right password or PIN, mobile devices can activate screen locking to disallow any more attempts to gain access to the device
Step 2: Install and enable encryption
Encryption protects health information stored and sent by mobile devices
Mobile devices often have built-in encryption that can be activated or encryption can be purchased for a device
Find out what your organization’s encryption capabilities are and if they offer encryption for a personal device
Step 3: Install and activate remote wiping and/or remote disabling
Remote wiping enables you to erase data on a mobile device remotely. This can permanently delete data stored on a lost or stolen mobile device.
Remote disabling enables you to lock your device until it is recovered
Step 4: Disable and do not install or use file sharing applications
File sharing is software or a system that allows Internet users to connect to each other and trade computer files.
But file sharing can also enable unauthorized users to access your laptop, handheld device or phone without your knowledge
By disabling or not using file sharing applications, you reduce a known risk to data on your mobile device
Step 5: Install and enable a firewall
A personal firewall on a mobile device can protect against unauthorized connections
Firewalls intercept incoming and outgoing connection attempts and block or permit them based on a set of rules
Step 6: Install and enable security software
Security software can be installed to protect against malicious applications, viruses, spyware, and malware-based attacks
Step 7: Keep your security software up to date
When you regularly update your security software, you have the latest tools to prevent unauthorized access to health information on or through your mobile device.
Step 8: Research mobile applications (apps) before downloading
A mobile app is a software program that performs one or more specific functions
Before you download and install an app on your mobile device, verify that the app will perform only functions you approve of. Not sure if the app is OK? Ask your IT Department.
Use known websites or other trusted sources that you know will give reputable reviews of the app
Step 9: Maintain physical control
The benefits of mobile devices (portability, small size, and convenience) are also their challenges for protecting and securing health information.
Mobile devices are easily lost or stolen. There is also a risk of unauthorized use and disclosure of patient health information. You can limit unauthorized users' access to, tampering with, or theft of your mobile device when you physically secure the device.
Step 10: Use adequate security to send or receive health information over public Wi-Fi networks
Public Wi-Fi networks are so tempting to use because, of course, they are free
But, they can be an easy way for unauthorized users to intercept information
You can protect and secure health information by not sending or receiving it when connected to a public Wi-Fi network, unless you use secure, encrypted connections
Step 11: Delete all stored health information before discarding or reusing the mobile device
When you use software tools that thoroughly delete (or wipe) data stored on a mobile device before discarding or reusing the device, you can protect and secure health information from unauthorized access
HHS OCR has issued guidance that discusses the proper steps to take to remove health information and other sensitive data stored on your mobile device before you dispose or reuse the device
Unsure how to make sure your device is sufficiently wiped when you get a new device? Ask your IT Department for help!