Mobile Device Security

Wednesday, August 27, 2014

Disclaimer: Nothing that we are sharing is intended as legally binding or prescriptive advice. This presentation is a synthesis of publicly available information and best practices.

DESCRIPTION

Mobile devices have permeated the everyday work environment in healthcare. Listen in to see if you have what it takes to stay secure.


Page 2: Mobile Device Security

HIPAA Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

Page 3: Mobile Device Security

HIPAA Security Rule

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

Page 4: Mobile Device Security

Department of Health and Human Services

http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security

Page 5: Mobile Device Security

What is a mobile device?

• Laptop Computer
• Smart Phones
• USB Thumb Drives
• External Hard Drives
• Tablet Computers
• E-Readers
• Others?

Page 6: Mobile Device Security

You, Your Organization, and Your Mobile Devices

• Does your organization have a mobile device use policy?
• Does your organization allow you to use your personally owned mobile device for work?
• Do you know who your organization's Privacy Officer and Security Officer are?
• Does your organization require you to register your mobile device with the organization?
• Does your organization have a Virtual Private Network (VPN) that allows you to access, receive, or transmit health information securely with your mobile device?
• Does your organization have a policy about storing health information on your mobile device?
• Does your organization require you to back up health information from your mobile device to a secure server?
• Does your organization require you to enable remote wiping and/or remote disabling on your mobile device?
• Does your organization offer mobile device privacy and security awareness and training?

Page 7: Mobile Device Security

What Are Some Risks to Know About Before Using a Mobile Device for Patient Care?

• Lost Device
• Stolen Device
• Inadvertent download of virus or other malware
• Unintentional disclosure to unauthorized users when sharing devices with friends/family
• Unsecured Wi-Fi

Page 8: Mobile Device Security

What Are Some Activities That Make Mobile Devices Vulnerable?

• Software Downloads
• Visiting Malicious Websites
• Direct Attack Through the Communication Network
• Physical Attack

Page 9: Mobile Device Security

What Are Some Common Sources of Threats to Mobile Devices or the PHI on them?

• Botnet Operators
• Cybercriminals
• Hackers

Page 10: Mobile Device Security

Other Topics and Risks to Consider

• Device Ownership
• BYOD vs. Organization Provided
• Location When Using Your Mobile Device
• Home vs. Hospital vs. Public Places (e.g., coffee shop)
• Communicating with Patients
• Portals vs. Calls vs. Texts
• Bluetooth Capabilities
• Accessing Your EHR and HIE
• VPN Tunnels
• What Do I Do With My Old Devices?

Page 11: Mobile Device Security

How Can You Protect and Secure ePHI When Using a Mobile Device?

• Use a password or other user authentication
• Install and enable encryption software
• Install and activate remote wiping and/or remote disabling
• Disable and/or do not install or use file sharing applications
• Install and enable a firewall
• Install and enable security software
• Keep your security software up to date
• Research mobile applications before downloading

Page 12: Mobile Device Security

What if I Suspect a Breach?

Breach Notification Rule

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions, implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act.

Page 13: Mobile Device Security

Department of Health and Human Services Informational Video

Page 14: Mobile Device Security

Helpful Links and Website Sources