Protecting Health Information
Bronson Healthcare Group, Information Technology Security Engineering
Michael Smith

Agenda
- Personal device usage with sensitive data
- Mobile devices and BYOD
- Secure messaging
- Corporate security measures / breach prevention
- Enterprise security systems
- User education and security awareness
- Questions
- Posttest

Objectives
- Describe concerns with the use of personal devices in the exchange of patient health information.
- Explain security measures used to prevent security breaches related to health information.
- List initiatives to increase healthcare workers' awareness of security concerns.

BYOD - Personal Devices
- BYOD: Bring Your Own Device. An organizational approach to allowing and supporting personal devices in the corporate environment.
- Gartner Inc. predicts that almost 40% of organizations will rely exclusively on BYOD in 2016, and 85 percent will have some kind of BYOD program in place by 2020.
- BYOD hardware is comprised of smartphones, tablet PCs and notebooks.
- The device population typically consists of Google Android smartphones, Apple iPhones / iPads, Blackberry devices and Microsoft Windows smartphones.
BYOD - Driving Forces
- Allows customers a wide choice of device selection as opposed to company provided / approved devices.
- Substantial cost savings to organizations that do not provide mobile devices to user populations.
- Takes advantage of newer devices and cutting edge features.
- Giving users a choice in device selection promotes a much higher adoption rate and user satisfaction.

BYOD - Challenges
- High risk approach due to limited control of devices by Information Technology.
- Difficulties balancing security and ease of use.
- Ongoing support issues due to a lack of consistency and conformity on devices.
- Personally installed apps or utilities can compromise the integrity of a device's security.
- Mobile device carriers each have proprietary releases of (Android) operating systems, which creates functionality and encryption issues.

Mobile Device Management
- MDM: Mobile Device Management. Security software used to monitor, manage and secure mobile devices that are deployed across multiple service providers and operating systems.
- Policies are applied on personal devices to address security issues without being overly intrusive or hindering the user experience.
- Corporate provided apps are housed in a secure location that is segregated from the rest of the phone.
- Provides near-instant remote wipe capabilities to remove all data from a lost or stolen device.
- Encrypts the entire device, requiring a passcode to decrypt and access data.

Secure Messaging
- Breaches can occur when PHI is sent in an unencrypted manner or to the wrong recipient.
- Once PHI is sent, the owner loses control of it but retains responsibility for it.
- Secure Messaging solutions provide a HIPAA compliant method for sending and receiving PHI between mobile devices.
- Encrypts text messages, pictures, videos and office documents.
- Stores sensitive data in an encrypted, password protected and segregated area of the device referred to as a container or locker.
- Messages can be revoked / returned to sender without requiring recipient approval.
Protected Health Information
- Medical records are worth much more than any other stolen personal data on the black market.
- The average cost of a data breach for a lost or stolen record is $158. Healthcare organizations have an average cost of $360 per record.
- Stolen data can include names, social security numbers, birth dates, policy numbers, diagnosis codes, prescription histories and billing information.
- Data is used to commit Medicare fraud, illegally file false claims and obtain drugs or medical equipment to be resold for large profits.
- Privacy and security firms found that unplanned downtime at healthcare organizations may cost an average of $7,900 a minute.
- 61% of healthcare organizations reported some form of security incident in 2015. These security events cost U.S. hospitals an estimated $1.6 billion each year.

Enterprise Security Systems
- Data Loss Prevention (DLP): a system for ensuring end users do not send PHI or financial information outside the corporate network.
- Antivirus, Antimalware: detects, blocks or quarantines malicious / unwanted infections.
- Sandboxing: executes untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the corporate network.
- Content Filtering: filters, records and secures both regular and encrypted internet traffic.
- Intrusion Prevention System (IPS): monitors a network for malicious activities such as security threats or policy violations.
- Security Information and Event Management (SIEM): provides real-time analysis of security alerts generated by hardware and applications.
- Removable media encryption: encrypted USB storage devices (thumb drives) requiring a complex password to decrypt and access data.
- Virtual Private Networks (VPN): secure solution for remote access to corporate network resources.
- Full Disk Encryption (FDE): protects all data stored on laptops, desktops, phones and tablets with secure encryption.
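As an added example (not part of the original presentation and not Bronson's own tooling), a minimal rule-based DLP check in Python: it inspects outbound messages for the identifier types listed above (SSN, birth date, policy number), blocks unencrypted delivery to an external recipient, and only logs PHI that leaves through the encrypted secure-messaging channel. The internal domain, the policy-number format and the sample messages are constructed for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical internal mail domain (assumption for this example, not Bronson's real domain).
INTERNAL_DOMAINS = {"hospital.example"}

# Identifiers from the slide's list of stolen data; the policy-number format is constructed.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "dob": re.compile(r"\b(0[1-9]|1[0-2])/(0[1-9]|[12]\d|3[01])/(19|20)\d{2}\b"),
    "policy_number": re.compile(r"\b[A-Z]{3}\d{9}\b"),
}

@dataclass
class Finding:
    recipient: str  # external address the PHI would have gone to
    kinds: list     # identifier types seen in the body
    action: str     # "block" (unencrypted) or "log" (sent via the encrypted secure-messaging channel)

def is_external(address):
    """True when the recipient's domain is not one of our internal domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def inspect_message(recipients, body, encrypted):
    """Return one Finding per external recipient when the body contains PHI identifiers."""
    kinds = sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(body))
    if not kinds:
        return []
    action = "log" if encrypted else "block"
    return [Finding(r, kinds, action) for r in recipients if is_external(r)]

def run_dlp(messages):
    """Decide allow / log / block per message; one unencrypted external recipient blocks it."""
    decisions = []
    for msg in messages:
        findings = inspect_message(msg["to"], msg["body"], msg["encrypted"])
        if not findings:
            decisions.append("allow")
        else:
            decisions.append("block" if any(f.action == "block" for f in findings) else "log")
    return decisions

# Constructed sample traffic: internal-only PHI, unencrypted PHI to a payer,
# PHI to a personal mailbox over the secure channel, and an external message with no PHI.
SAMPLE_MESSAGES = [
    {"to": ["nurse@hospital.example"], "body": "J. Doe SSN 123-45-6789 DOB 03/14/1962", "encrypted": False},
    {"to": ["claims@payer-example.com"], "body": "Claim for policy ABC123456789", "encrypted": False},
    {"to": ["dr@hospital.example", "me@mail-example.com"], "body": "SSN 456-78-9012 labs", "encrypted": True},
    {"to": ["vendor@example.net"], "body": "Meeting moved to 3pm", "encrypted": False},
]
```

Running `run_dlp(SAMPLE_MESSAGES)` yields allow, block, log, allow for the four messages in order; a production DLP would add many more identifier types and context checks, but the egress and recipient logic is the same.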
User Awareness and Training
- Require annual review and signature of Acceptable Use and Electronic Communication Policies by the end user population.
- New hire orientation introduces and reinforces security practices and end user responsibility for new employees.
- Security handbooks are available at numerous locations and events as well as electronically.
- Single point of contact to report ALL security-related incidents or questions (IT Support Center).
- Minimum working requirements for end users include annual coursework and training on safeguarding, transmitting and managing PHI and financial data.
- Security awareness training uses mock scenarios to test user awareness. The results can be used for counseling, raising awareness and training.

Questions
- What is your organization doing to protect PHI on mobile devices?
- What other initiatives could your organization take to raise security awareness?

Questions?
Posttest
All of the following are challenges with the use of personal devices in healthcare except:
A) Obtaining technical support
B) Cost savings to the organization
C) Personal apps compromising security
D) Limited control of devices