Standard text messaging (mobile devices) Secure text messaging (mobile devices) Paging Instant messaging (Google Hangouts, Skype, etc.

Size: px

Start display at page:

Download "Standard text messaging (mobile devices) Secure text messaging (mobile devices) Paging Instant messaging (Google Hangouts, Skype, etc."

Naomi Phillips
5 years ago
Views:

1 Adam Nichol Information Security Officer/Systems Analyst

org Holly Schlenvogt, MSH, CPM Privacy and Security Consultant /

com Scott Vaughan, MIS Network Supervisor Sauk Prairie

org 2 Standard text messaging (mobile devices) Secure text

1 1 Adam Nichol Information Security Officer/Systems Analyst Hospital Sisters Health System Holly Schlenvogt, MSH, CPM Privacy and Security Consultant / Owner HRT Consulting, LLC hschlenv@hrt-consulting.com Scott Vaughan, MIS Network Supervisor Sauk Prairie Healthcare Scott.Vaughan@SaukPrairieHealthcare.org 2 Standard text messaging (mobile devices) Secure text messaging (mobile devices) Paging Instant messaging (Google Hangouts, Skype, etc.) 3 1

Ease of use: Majority of people own smart phones so everyone has access to texting Great for casual non-emergent communications Standard Short Message Service (SMS) texting does not need a data

2 Ease of use: Majority of people own smart phones so everyone has access to texting Great for casual non-emergent communications Standard Short Message Service (SMS) texting does not need a data connection Uses radio frequencies to send messages Can also use an Internet connection to transmit messages This acts like an instant message connection 4 Might not know who is sending the message Messages might get ignored Unsecure: Standard text messages are not encrypted Not easily auditable, especially if personal devices are used for work purposes Real-Time only goes so far Unable to tell if recipient received or even read message 5 Secure Information is encrypted in both transit and at rest Auditable Can be tracked to show when messages are sent, delivered and read Able to see actual messages sent Authorization Ability to control who has access and have the ability to turn that access off (i.e. terminations) Great for Bring-Your-Own-Device (BYOD) devices 6 2

Cost Initial cost of setting everything up

buy-in Choose a product/vendor that is a

tech filled world there is no use for them

3 Cost Initial cost of setting everything up (e.g. servers, setup time, etc.) Monthly cost Depending on vendor and organization size it could be between $5 to $30 per device or per user Training Depending on the size of your organization training could be a slow process 7 Business buy-in Top down approach Provider buy-in Choose a product/vendor that is a good fit for your organization 8 In todays tech filled world there is no use for them Not secure (in transmission or at rest) Uses radio frequencies to send messages Unreliable Inability to know if your message went through Unable to audit 9 3

Mailbox Storage On-premise, cloud, or hybrid If cloud, stored in USA only?

Does it encrypt the message if it detects PHI?

Audit capabilities Permit generic email addresses? How do you audit them?

4 Mailbox Storage On-premise, cloud, or hybrid If cloud, stored in USA only? Using message content filter Sending all messages through it? Does it encrypt the message if it detects PHI? Using Archiving 10 Backups Is the data encrypted? Audit capabilities Permit generic addresses? How do you audit them? Delegation 11 Different types of IM Corporate More secure Can be hosted on-premise or cloud Auditability Archive Public Less secure Store in the cloud (but where???) No administration 12 4

Should this be considered a breach of unsecured PHI? Are breach of unsecured PHI notifications required?

5 Breach or Not a Breach of Unsecured PHI? That is a great question! 13 with PHI sent to a correct recipient who is authorized to receive the PHI The sender mistakenly did not encrypt it Should this be considered a breach? Should this be considered a breach of unsecured PHI? Are breach of unsecured PHI notifications required? 14 Means the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under the Privacy Rule which compromises the security or privacy of the PHI and is presumed to be a breach unless the organization or BA, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors: 15 5

1.The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of reidentification; 2.

The extent to which the risk to the protected health information has been mitigated 16 What about unencrypted texts? What about unencrypted instant messages?

6 1.The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of reidentification; 2.The unauthorized person who used the protected health information or to the disclosure was made; 3.Whether the protected health information was actually acquired or viewed; and 4.The extent to which the risk to the protected health information has been mitigated 16 What about unencrypted texts? What about unencrypted instant messages? What if the unencrypted s, text, or instant message is not done within an organization owned system? Office for Civil Rights (OCR) reflections 17 First part of the definition of a Business Associate: Person or business/vendor s staff members are not members of the organization s Workforce and: creates, receives, maintains, and/or transmits protected health information (PHI) on behalf of the organization What does this mean? 18 6

Have BAAs in place with the following before using it

transmit the emails): Email vendors Email encryption

Use organizationally purchased IMs Prior to purchasing,

transmitting PHI, obtain a BAA 20 Cell / smart phones

7 Have BAAs in place with the following before using it (unless they do not create, receive, maintain, or transmit the s): vendors encryption vendors Validate vendor privacy and security controls 19 Use organizationally purchased IMs Prior to purchasing, find out: Where is PHI stored? How secure are transmissions? Validate vendor privacy and security controls Prior to transmitting PHI, obtain a BAA 20 Cell / smart phones Phone carriers Transmitting PHI in texts Storing of texts Texting platforms Validate vendor privacy and security controls BAA 21 7

Ask yourself: Where is the PHI stored? On the device? User s phone carrier service Backup service too? Who has a contract with these storage providers?

Is a Mobile Device Management (MDM) used? Require agreements be signed? 22 When may PHI be sent? Verify appropriate authorizations are in place When may be sent internally and / or externally?

8 Ask yourself: Where is the PHI stored? On the device? User s phone carrier service Backup service too? Who has a contract with these storage providers? Hint it is not your organization Will the PHI be secure on their devices? How will we get the PHI back or verify it is no longer on their device or stored anywhere after termination? Is a Mobile Device Management (MDM) used? Require agreements be signed? 22 When may PHI be sent? Verify appropriate authorizations are in place When may be sent internally and / or externally? Who may send PHI? Be careful to use the correct address / number Program them Double check before sending 23 What systems / applications must be used when PHI is sent? Purchased by organization Personally downloaded? Whose devices may be used? Company owned BYOD? If yes, have BYOD policies in place MDM requirements How to secure devices Onsite Remote use 24 8

Only use organizationally approved systems / applications and devices May not use others unless

the technologies 25 Resolution Agreements Fines For the organization For users Corrective action

communications utilized when conducting your security risk analyses Ask users what applications

9 Only use organizationally approved systems / applications and devices May not use others unless approved by Security Officer / IT leadership and Privacy Officer The policies Appropriate use of the technologies 25 Resolution Agreements Fines For the organization For users Corrective action plans OCR enforcement Civil penalties Criminal penalties 26 Remember to include electronic communications utilized when conducting your security risk analyses Ask users what applications they are using and want to use to send electronic communications You never know what they may tell you! 27 9

10 28 Adam Nichol Information Security Officer/Systems Analyst Hospital Sisters Health System Holly Schlenvogt, MSH, CPM Privacy and Security Consultant / Owner HRT Consulting, LLC hschlenv@hrt-consulting.com Scott Vaughan, MIS Network Supervisor Sauk Prairie Healthcare Scott.Vaughan@SaukPrairieHealthcare.org 29 10

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Update on HIPAA Administration and Enforcement Marissa Gordon-Nguyen, JD, MPH October 7, 2016 Updates Policy Development Breaches Enforcement Audit 2 POLICY DEVELOPMENT RECENTLY PUBLISHED: RIGHT OF ACCESS,