A Panel Discussion 1

Transcription

1 A Panel Discussion 1

2 Adam Greene, Partner Co-Chair, Health Information Practice Davis Wright Tremaine JT Moser Compliance Director Corporate Compliance/Privacy Wake Forest University Wake Forest Baptist Medical Center Marti Arvin Chief Compliance Officer UCLA Health System and David Geffen School of Medicine 2

3 What are some of the people risk areas? BYOD Cloud computing Other What are possible solutions? 3

4 Bring your own device or bring your own disaster

5 5

6 Percentage of Americans who use their personal mobile device for work: 81% Percentage who allow others to borrow their devices: 46% Percentage who store work passwords on their phones: 35% Percentage who haven't activated their auto-lock feature: 37% Current smartphone users across the globe: 1 billion Increase in number of smartphone users per year globally: 42% Smartphones and tablets sold in 2012: 821 million Projected sales of smartphones and tablets in 2013: 1.2 billion Percentage of devices shipped last year without a wired port: 50% From Leapfrog website article BYOD Stats: What Business Leaders Need To Know Right Now. March 2013 attributing the statistics to Gartner, Ovum, IBM, Vertic, Flurry, Magic Software, Motorola and Harris Poll. 6

7 Percentage of workers who say their organization has not yet implemented a BYOD policy: 66% Amount of BYOD activity that is going unmanaged: 80% Increase in employee productivity when using mobile apps: 45% Increase in mobile device malware detection across all platforms in one year: 155% Number of Android and ios devices activated on 12/25/12: 17.4 million Personal mobile devices expected to be in use by 2020: 10 billion From Leapfrog website article BYOD Stats: What Business Leaders Need To Know Right Now. March 2013 attributing the statistics to Gartner, Ovum, IBM, Vertic, Flurry, Magic Software, Motorola and Harris Poll. 7

8 Roughly 1/3 of employees use their own smartphones for work activities in 2015 Expected to increase to 60% by 2020 Cyber liability insurance provides more protection for business Mobile Application and Mobile Information Management merge to Enterprise Mobility Management Increased instances of CYOD/BYOD Split billing BYOD: What to expect in 2015, ITProPortal, by Abby Perkins, 1/24/15 8

9 1. Create Thy Policy Before Procuring Technology 2. Seek The Flocks Devices 3. Enrollment Shall Be Simple 4. Thou Shalt Configure Devices Over the Air 5. Thy Users Demand Self-Service 6. Hold Sacred Personal Information 7. Part the Seas of Corporate and Personal Data 8. Manage Thy Data Usage 9. Monitor Thy Flock Herd Automatically 10. Drink from the Fountain of ROI 9

10 10

11 Benefits: Consumerization of IT has been reported to bring increased efficiency and productivity Provides increased flexibility to employees Decreases infrastructure/device costs Improved employee/physician morale Increased availability of staff 11

12 12

13 Risks of BYOD Violation of privacy and other laws by individuals who have sensitive information on personal devices Security risks from devices attaching to your network 13

14 Risks of BYOD Monitoring use of the device - and telling employees you are going to do so Litigation holds on personal devices 14

15 Leakage of proprietary information Text messages are particularly risky Off boarding of employees Lost/Stolen devices Sharing of device by family members 15

16 Support challenges 16

17 Uploading to icloud, Dropbox, etc. 17

18 Uploading to icloud, Dropbox, etc. 18

19 Auto back-up to a cloud account IPhone/IPad Android devices Microsoft Surface Pro Windows 365 Windows 8 Do you have confidence that your employees know how to use these features Personal devices Company owned devices Do you have an approved vendor and process for Cloud issues? 19

20 Use of personal devices for work Overtime for non-exempt employees How do you track this? How do you control this? 20

21 Employees using the personal device for personal reasons while at work 21

22 Employee Off boarding: Data on Departure Why would an employee want your data when they leave? Physician takes patient list when leaving Researcher takes research data Administrator takes strategic plan Researcher sends details of exciting new discovery to his/her former med school buddy IT staffer takes architecture details, or administrator password What is your process to monitor high risk employees/data before they leave? What is managements and Human Resources role in off boarding and is it mandated? 22

23 What about how employees handle sensitive information on paper? Do you make paper destruction a big issue in your training? Do you mandate shredding? Do you keep paper data out of the trash (unsecured waste stream)? Training Environmental Services to be your lookout for paper in the trash instead of in the shred bins When people leave and clean out their drawers where does all the paper end up? Centralized printing? 23

24 What is your culture as far as performance management and sanctions related to information protection? Are the IT and Privacy policies linked to make sure you cover all types of issues in your HR policies? What role doe IT Security and the Privacy Office play in recommending policies or sanctions? 24

25 25

26 2013 Ponemon Institute/Symantec Study: Over 50% surveyed corporate information to personal s 41% do so weekly 1/3 of your employees load your documents to their personal Dropbox account 50% of employees who left keep employer s IP; 40% plan to use it in their new job Many believe IP belongs to the employee NDAs don t make a big difference 26

27 Work/life balance issues with employees always being available. Where is your mobile device when you go to sleep? 27

28 Policies No Expectation of Privacy for Employee Require Use of Passwords Require Use of Screensavers Require Use of Screen Locks Prohibit Upload to Cloud Purchase Mobile Device Management software Require Immediate Notice of Lost, Stolen, Misplaced Phones Employee Signed Agreement/Acknowledgement Condition of private device access to network 28

29 Legal Approaches Litigation Hold Policy Require access to device and home computers, etc. that may have entity records of interest Prohibit destruction of affected records Acceptable Use Limits Texting of Orders Joint Commission Storing of ephi on device Encryption 29

30 Limit apps loaded on device Set up Safe App store for employees 30

31 70% of users carry 3 or more devices 26% of users carry 2 devices 4% of users only carry 1 device 31

32 70% would give up alcohol 63% would give up chocolate 55% would give up caffeine 54% would give up exercise 33% would give up sex (seriously?) 22% would give up their toothbrush 21% would give up shoes 20% would give up their computer TeleNav survey 32

33 Questions? 33