Mobile Devices Pose Additional Risk to Violating HIPAA Regulations

By: Helen Hadley, CEO & Founder of VantagePoint Healthcare Advisors and Michelle Syc, CISSP, C|EH, CRISC, CISA

Introduction

 

Mobile devices have impacted the way in which healthcare organizations do business. Laptops, tablets, netbooks, iPads, smart phones, Blackberries, and other handheld devices are now a staple in the healthcare industry. There has been a number of Electronic Protected Health Information (EPHI) security incidents related to the use of handheld devices. According to www.privacyrights.org, a whopping 58% of breaches in the medical field from 2010 to present were the result of the loss of portable electronic devices. True, there are replacement costs of lost or stolen portable devices, but we've entered an era where the information contained on the mobile devices is worth more than the device itself. And, it's that information that could cause your practice to wind up on the Department of Health and Human Service's "wall of shame." 

 

HIPAA & Mobile Devices

 

HIPAA's Security Rule outlines control standards for systems that maintain Protected Health Information (PHI). This rule extends to mobile devices as well. The pillars of data security still remain the same: confidentiality, integrity, availability, authentication, and non-repudiation. What changes with the addition of mobile devices in the healthcare industry is how those pillars are applied to the technology. These five important concepts are defined here:

 

Confidentiality: ensuring that information is not disclosed to unauthorized individuals. A breach of confidentiality occurs if an unknown individual calls a doctor's office, asks for a patient's health information and is given that information. On mobile devices, a patient's name is sometimes "texted" to a physician by an employee. Anyone picking up the device would have unauthorized access to this information.

 

Integrity: protecting patient information from being created, changed, or deleted without proper authority. A breach of integrity occurs if an employee deletes a patient's health record (either intentionally or unintentionally). This type of breach mostly occurs via the usage of mobile devices (i.e. the mobile device is a vector for creating this breach). For example, an office manager who uses a laptop to login to the EMR system and change data that he/she otherwise shouldn't have access to would be considered a breach.

 

Availability: Authorized users need reliable and timely access to data for their job functions. Availability issues can arise if a patient's allergy history is unavailable to a doctor prior to a surgical procedure is being performed. An example is a doctor's tablet or mobile device that isn't syncing with the EMR software as a result of the server failure that the EMR application resides on.

 

Authentication: Ensures that the individual accessing the patient information is who he claims to be. An authentication breach can occur if a doctor uses another doctor's user name and password to sign into an electronic medical records system. On mobile devices, an authentication breach would occur if a doctor cannot remember his/her tablet password and uses the nurse's tablet password instead. 


 Non-repudiation: Non-repudiation is best defined in the context of transmitting messages. In other words, after an email is sent, one party cannot deny having sent the email and the other party cannot deny having received the email. Non-repudiation data security issues aren't specific to mobile device technology. The mobile device is simply a tool used to transmit information over communications networks. Non- repudiation errors are transmission errors that occur independently of the technology being used to transmit data.

 

The majority of these risks can be mitigated by instituting a training program focusing on information security. The HIPAA Security Final Rule requires security training for all workforce members. Also required by HIPAA's Security Rule is the documentation of a risk assessment. The risk assessment is a process whereby an organization identifies threats for negative events (such as a data breach), the likelihood those threats will turn into realities, and the mitigating factors to thwart the realities from happening. Since the introduction of handheld portable devices adds a number of open access points for potential EPHI data breaches, it is especially important for organizations using handhelds to perform the risk assessment.

 

Another corrective control is the creation and documentation of an incident response plan. Rather than wait until a breach occurs (and it will occur), an incident response plan will ensure an orderly response to the breach. Not only is this a requirement of HIPAA, but recent breaches outside of the healthcare industry have demonstrated how important it is to handle a security breach in a planned and proactive way.

 

Particularly important for healthcare organizations, using mobile devices, is understanding that commercial mobile applications are still immature. Robust mobile security strategies for mobile devices are not yet a reality. Keep this in mind when placing mobile devices in the hands of your users and connecting them directly to patient information.

 

The future will likely bring enhanced security for mobile devices via endpoint protection, user training and incident response strategies. 
 

THE FOLLOWING STEPS ARE RECOMMENDED FOR MANAGING THE USE OF MOBILE DEVICES IN YOUR PRACTICE:
  1. Develop guidelines (The Do's & Don'ts regarding use of mobile devices). Examples:
    a. Employees are not permitted to use mobile devices to transmit any patient information.
    b. Mobile devices used by providers must be those provided by the practice; not those used for personal use.
     
  2. Develop a mobile device policy. What can be transmitted via mobile devices and who can transmit information should be covered, and
     
  3. Develop a disciplinary policy. Identify and publish a policy where you are able to identify situations that will require remediation. Include how you will discipline the individual(s) and the instances that will result in termination. 

 
Social Media Risks

 

Social media refers to interactive dialogue that takes place via the use of web-based and mobile technologies. The total number of Facebook users to date has exceeded 500 million, more than the population of the entire United States. While individuals have embraced these technologies to their benefit, organizations are struggling between ignoring them completely, or giving full access and hoping that employees do not harm the entity's reputation. What's the best strategy?

 

Somewhere along the way, we got the idea of blocking users from websites that "shouldn't" be accessed at work. Understand that--

 

Legitimate networking does occur. Many organizations now have their own Facebook, Linkedin, or other social media web pages that customers use for inquiries or real time advertising. Many important networking connections are made on sites like Linkedin.

 

People get news from social media sources. Forget watching the news, social media is the way more people are beginning to access pertinent information in real-time fashion. President Obama recently launched the first ever Twitter Town Hall in July of 2011 to address information about jobs and the economy. When legitimate political information is being disseminated via these sites, it becomes a much tougher argument to restrict them.

 

You can't block them all. Blocking one social media site will simply re-direct traffic to another. To date, there is a list of over 400 social networking sites; multiply that by the number of individuals in your organization and that's a lot of blocking to monitor.

 

People will find a way around. Technically, it's very easy to get around products that block certain sites. Users can simply type an IP address into the URL bar instead of the site name (69.171.228.14 for Facebook instead of Facebook.com). Even if organizations have successfully blocked IP addresses, and website names properly, a user can connect to a proxy server to get to the blocked website.

 

Defining "appropriate" material is a slippery slope. Does your organization inspect all employee bags as they enter the office for the morning? Sound absurd? Then why attempt to inspect the traffic going to and from employee's computers for "appropriateness?" One person's definition of appropriateness may be very different from another's. Remember: appropriate and illegal are two different things. It may be inappropriate to walk around an office with a swimsuit magazine, but it is not illegal. Similarly, blocking traffic to illegal or malicious material is an easy argument. Attempting to block any more than illegal or malicious traffic is debatable, and may be something better addressed by the Human Resources Department.

 

Think about the message you send to your employees. Employees who are peeking into Facebook periodically throughout the day or at lunch time are probably the same individuals who are monitoring and responding to work emails outside the traditional 8-5 workday. If the organization's culture encourages short/immediate response time for email, you could be sending mixed messages. 

 

Allowing employees onto social media sites without guidance is not a strategy either. The risks include:

  1. Reputational Harm: Employees can do reputational damage to your organization with one simple post.
     
  2. Malware and Viruses: Links on these sites can also invite viruses in through the firewall.
     
  3. Data Leakage: Company secrets can be placed on the electronic bulletin board for all to see.
  4. Productivity Loss: Individual productivity could suffer and quality of work may be impacted. 

An organization's HIPAA Privacy Policies & Procedures as well as internal HIPAA training programs should already address how employees are expected to handle PHI. Whether PHI is on paper, in electronic form, or verbal, the rules are still the same as those mandated in 2003. The HIPAA Privacy Rule protects "all individually identifiable health information held or transmitted by a covered entity...in any form or media..."

 

However, common sense in how information is shared outside the workforce continues to be an issue. Social networking has compounded the problem as it has become a very common method for communication. People using social networking sites forget who is reading, whose friends have access to their pages, and how public the information can become.

 

While malicious disclosures do occur, unintentional disclosures occur more frequently. For example, one individual mentioned to her Facebook friend, quite innocently: "I saw your daughter today and she looked great!" The daughter had no intention of her mother knowing that she had been seen by the physician.

 

There are those individuals who love to share "juicy" information, such as this twitter post: "GUESS WHO JUST WALKED INTO MY OFFICE??? (celebrity name redacted). And, you will never guess why he's here!!"

 

In Lake Geneva, Wisconsin in 2009, nurses were accused of photographing patients and posting the photographs on Facebook. In 2008, employees of the University of New Mexico Hospital were fired for posting pictures of patients to MySpace.

 

And in June of this year, The Hospital of Saint Raphael, in New Haven, Connecticut fired three employees and disciplined four others after a photo was taken of a dead teen with a camera phone.

 

Lastly, some individuals still don't understand that posting information about their employer just might not be in their best interest. "I hate my boss. She made me work overtime. I plan on leaving the door unlocked when I leave. Or, maybe I will just spike her lunch tomorrow -- HAHA". Or, "I keep taking calls from bill collectors. Guess the company is going down. Anyone know of jobs for me?" While these types of comments are not HIPAA disclosures, they certainly could do harm to individuals' and companies' reputations.

 

Organizations can be held liable for certain disclosures with significant fines imposed for violations.

 

On the flip side, many hospitals and practices now have social networking sites of their own where patients may interact or share information. These sites are another form of marketing and are used to attract new patients. Clear, strict policies must be instituted if you permit providers to interact with patients via these sites. A disclaimer or notice should be posted informing patients that if they publish their own PHI it would constitute a waiver of any protection under HIPAA.

 

Professionals (physicians, nurses, etc.) who create their own personal pages must be careful with whom they allow as "friends". If patients become "friends", then the line is crossed and HIPAA rules may apply. 

 

How should you manage the use of social networking by employees? 

  1. Establish clear and concise social media policies and procedures.
  2. Upon employment, have one-on-one discussions with employees about the topic. Handing them the policy to read is insufficient. The employee should acknowledge in writing that (s)he has read and understands the policy.
  3. Conduct regular training sessions in the organization.
  4. Post signs/posters, etc... that remind employees of your policy. Publish security reminders to employees in newsletter, e-mails, paycheck inserts, etc.
  5. Ensure that you regularly conduct HIPAA Privacy sessions. 
WE RECOMMEND THE FOLLOWING STEPS BE TAKEN IN YOUR
PRACTICE OR ORGANIZATION:  
  1. Develop guidelines (The Do's & Don'ts regarding use of social networking sites). Examples:

    a. Do not post any information about patients to your personal networking sites
    b. Information posted to our practice Facebook page must first be approved by the Privacy Officer
     
  2. Develop a social media policy. Expectations of behavior in the virtual world should be no different than those in the physical world.
     
  3. Acknowledge that social media is new and, with that, a great learning experience for everyone. Educate employees through regularly scheduled training meetings on appropriate use of social media that will not be detrimental to the practice.
     
  4. Develop a disciplinary policy. Identify and publish a policy where you are able to identify situations that will require remediation. Include how you will discipline the individual(s) and the instances that will result in termination. 

 
Summary

 

Embracing the functionality of new technology and methods of communication must include identifying, navigating, and learning how to protect ourselves, our patients and our employers. New technology enhances our efficiency and effectiveness, but should not be implemented without first identifying possible vulnerabilities. Similarly, social media enhances our ability to reach our customers in different and possibly more effective ways, but we still must be mindful of the information we convey. Remember that once data is breached:

  1. The information that was disclosed NEVER goes away. 
  2. It is there for the world to see, FOREVER

FDA Guidance

 

On July 19, 2011 the FDA issued guidance outlining how it will oversee mobile medical applications used on mobile devices. The draft guidance will clarify the type of mobile apps to which the FDA will apply regulatory authority. The draft approach calls for oversight of mobile apps that present the greatest risk to patients. We will have to watch closely for further information. 


 

*    *    *    *    *  

About the authors:

 

Michelle Syc works as an ethical hacker, assisting clients in identifying and assessing information systems related risks as well as implementing strategies to mitigate those risks. She specializes in helping healthcare organizations develop compliance strategies in response HIPAA Security regulations.

 

Helen Hadley has been assisting clients with HIPAA Privacy training, Privacy Officer training, and implementation of privacy policies since 2003. 

 

 

 
  

VantagePoint is an informational news article series produced by VantagePoint Healthcare Advisors.
With each edition we strive to bring vital information
to the healthcare industry on topics of policy, finance, compliance and business management.

 

Visit our website or call 203-288-6860 and learn more about how our team of industry experts can benefit your practice or organization.

 


© 2015 VantagePoint Healthcare Advisors. All Rights Reserved.