
3/26/2013

1

North Carolina Health Information Management Association, February 20, 2013

Chris Apgar, CISSP

Mobile Device Management – Risky Business in Healthcare

• HIPAA/HITECH & Mobile Devices

• Breaches – Federal and State Law Implications

• Text Messaging & PHI – Is it Legal?

• Importance of a Risk Analysis

• The Mobile Health Revolution – Privacy and Security Implications

Agenda

• HITECH included breach notification requirements, now defined in the omnibus privacy, security, enforcement and breach notification rule

• If a mobile device is lost or stolen and the ePHI on it is not encrypted, that is a breach of unsecured PHI

• Texting ePHI that is then intercepted also represents a breach of unsecured PHI

HIPAA/HITECH & Mobile Devices


• Mobile devices – passwords required per the HIPAA Security Rule

• This means passwords need to be activated, strong, regularly changed and not reused for several password change iterations

• The benefits of multi-factor authentication in reducing risk

• Remember auto logoff

HIPAA/HITECH & Mobile Devices

• 49% of adult Americans own a smartphone

• 60% of Americans making > $75 K own one

• 60% of Americans ages 18 to 35 own one

• iPhone (35%); Android (24%); Blackberry (24%)

• Pew Internet & American Life Project, 7/2011

The Rise of the Smart Phone

• 90% of smartphone owners used it to access e-mail or the Internet

• 25% do most of their online activities on their smartphone

• The Pew Internet & American Life Project (July 2011)

The Rise of the Smart Phone


• Tablets are replacing PCs:

• 77% of tablet owners use their tablets for activities previously done on their laptop/ desktop

• 35% of tablet owners use their desktop less

• 32% of tablet owners use their laptop less

• Why? (1) Easy to carry (31%); (2) Easy to interface (21%); (3) Quick start-up (15%)

• Nielsen Study (May 2011)

The Rise of the Tablet

• Decisions – how will mobile devices be used in your workplace:

• Ban use (unrealistic)

• Require that they be company owned (lowest risk, but may not be realistic)

• Bring your own device (BYOD) with mobile device management (MDM) software and policies

Mobile Device Use

• Decisions – how will mobile devices be used in your workplace (continued):

• BYOD with sandbox and software (not always user friendly)

• BYOD with mobility management software and policies (may leave PHI stored on device)

• BYOD with policies (difficult to enforce)

• BYOD with no controls (highest risk)

Mobile Device Use


• Allowing BYOD increases employee satisfaction and productivity:

• 78% of surveyed employees believe that BYOD is superior to a company-provided device (Six Degrees Group, Oct. 2011)

• BYOD eliminates need to carry multiple devices

Mobile Device Use Benefits

• Perceived decreased costs for companies that elect to adopt a BYOD practice

• Citrix use – realized 20% cost savings over three years and a drop in desktop support requests and incident reports (Computer Business Review Online, Dec. 2011)

• Thin client (such as Citrix) reduces the likelihood of PHI being stored on the device

Mobile Device Use Benefits

• Information Governance:

• Litigation hold compliance

• Record retention

• Record destruction

• Confidentiality

• Regulatory:

• GLBA, HIPAA and other laws requiring information security controls

Mobile Device Key Risk Areas


• Information security:

• Required encryption

• Breach notification

• Employee privacy

• Stored Communications Act

• Computer trespass

• Wage & hour compliance

• IP and Trade Secret protection

Mobile Device Key Risk Areas

• Top causes of PHI and other sensitive data loss:

• Lost or stolen devices/media (31%)

• Hackers (23%)

• Web 2.0 and file sharing (21%)

• Unsecured mobile devices/media (13%)

• E-mail misrouted (6%)

• BYOD devices are carried more frequently, and lost or stolen more often, than company-supplied laptops

Mobile Device & Data Loss

• 80% of CIOs believe BYOD use increases company vulnerability to attack (Ovum Study, 11/2010)

• 46% increase in development of mobile device malicious software between 2009 and 2010 (McAfee, 2/2011)

• No pre-publication vetting of apps submitted to the Android Play Store (unlike Apple's App Store review)

• 10% of apps store passwords in clear text (viaForensics study, 8/2011)

Mobile Device & System Security


• Backups of BYOD and company-issued mobile devices to personally owned computers (e.g., iTunes backup), which copy any ePHI on the device to an unmanaged system

• Personal use of cloud-based services that may sync or store PHI, such as iCloud, iMessage, Dropbox, Google Docs and SugarSync

• Use of remote access tools such as Splashtop and LogMeIn that can expose PHI

Mobile Device General Risks

• Difficult to enforce information security, especially without the use of MDM tools

• Potential personal property issues:

• Data difficult to access for security incident investigations

• Data difficult to access if a litigation hold is required

• May not be able to recover sensitive data upon termination

BYOD Specific Risks

• HIPAA and HITECH do not prohibit the use of text messaging to send and receive ePHI from a mobile device

• HITECH requires notification of the affected individuals and of HHS/OCR if unencrypted text messages containing ePHI are intercepted (a breach of unsecured PHI)

• Texting ePHI represents a risk to covered entities and business associates

• Risk should be assessed as part of required risk analysis

Text Messaging & PHI – Is it Legal?


• HIPAA and HITECH do not specifically require encryption of text messages or mobile devices

• HIPAA requires that risks associated with ePHI stored on and transmitted to and from mobile devices be assessed, and mitigated if the risk is deemed significant

• Don't forget Meaningful Use Stage 2

• The bottom line – does your organization believe text messaging represents a risk sufficient to prohibit texting ePHI, or is the risk considered acceptable?

• Documentation is critical

Text Messaging & PHI – Is it Legal?

• All covered entities have been required to conduct periodic risk analyses since April 2005 (the Security Rule compliance date), and many do not

• Business associates have been required by statute to conduct periodic risk analyses since February 2010 (the HITECH effective date)

• OCR will be enforcing business associate compliance very soon

• State attorneys general already are

Importance of a Risk Analysis

• Risk analysis is the proactive process that forms the foundation of your security program

• A thorough risk analysis should include an assessment of mobile device use (especially BYOD)

• The required risk analysis needs to address more than just technology

• Risks associated with mobile devices can be high

Importance of a Risk Analysis


• Breaches are becoming more and more common; many are preventable

• Interception of text messages is likely to increase

• Stored text messages and voice mail that include ePHI represent a risk

• More breaches are related to workforce carelessness or lack of training

• Need to account for and mitigate risks, or document why a risk will not be mitigated

Importance of a Risk Analysis

• Limit BYOD and mobile device use to defined and controlled categories of employees and contractors

• Require company configuration of mobile devices (company owned) and prohibit employees and contractors from disabling or modifying it

• Restrict the company resources that can be accessed remotely (e.g., e-mail, calendar and contacts only)

Risk Mitigation

• Require:

• Encryption of data stored on mobile devices and portable media

• Password protection (strong passwords, periodic changes, etc.)

• Maximum failed password attempts before the device locks or wipes

• Inactivity timer/auto-logoff

• Remote wipe capability (full wipe – company owned; selective wipe of the corporate container – BYOD)

• Anti-malware protection

Risk Mitigation
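The controls listed above are the kind of thing an MDM inventory export can be checked against mechanically, and the same record tells you what a lost or stolen device means for breach notification (encrypted ePHI is "secured" PHI under the HHS guidance; unencrypted ePHI on a lost device is a breach of unsecured PHI). The following is an added example written for this page, not code from the presentation or from any MDM product: the record fields (encrypted, passcode_length, autolock_minutes, etc.), the policy thresholds in POLICY and the three-device inventory are all assumed or constructed for illustration.

```python
"""Check constructed MDM inventory records against the mobile device controls
above and classify lost/stolen devices for breach-notification exposure.
Added example: record fields, thresholds and sample devices are assumptions."""
from dataclasses import dataclass
from datetime import date

# Thresholds assumed for illustration; the deck names the controls, not values.
POLICY = {
    "min_passcode_length": 8,
    "max_failed_attempts": 10,
    "max_autolock_minutes": 5,
    "max_passcode_age_days": 90,
}


@dataclass
class Device:
    device_id: str
    ownership: str            # "corporate" or "byod"
    stores_ephi: bool
    encrypted: bool
    passcode_set: bool
    passcode_length: int
    passcode_changed: date
    max_failed_attempts: int  # 0 means no limit configured
    autolock_minutes: int     # 0 means auto-lock disabled
    remote_wipe_enrolled: bool
    anti_malware: bool
    status: str = "active"    # "active", "lost" or "stolen"


def evaluate(dev: Device, today: date, policy: dict = POLICY) -> list:
    """Return the control failures for one device (empty list = compliant)."""
    findings = []
    if dev.stores_ephi and not dev.encrypted:
        findings.append("ePHI stored without encryption")
    if not dev.passcode_set:
        findings.append("no passcode")
    else:
        if dev.passcode_length < policy["min_passcode_length"]:
            findings.append("passcode shorter than %d" % policy["min_passcode_length"])
        age = (today - dev.passcode_changed).days
        if age > policy["max_passcode_age_days"]:
            findings.append("passcode not changed in %d days" % age)
    if dev.max_failed_attempts == 0 or dev.max_failed_attempts > policy["max_failed_attempts"]:
        findings.append("failed-attempt limit missing or above %d" % policy["max_failed_attempts"])
    if dev.autolock_minutes == 0 or dev.autolock_minutes > policy["max_autolock_minutes"]:
        findings.append("auto-logoff disabled or longer than %d minutes" % policy["max_autolock_minutes"])
    if not dev.remote_wipe_enrolled:
        findings.append("not enrolled for remote wipe")
    if not dev.anti_malware:
        findings.append("no anti-malware agent")
    return findings


def wipe_action(dev: Device) -> str:
    """Full wipe for company-owned devices; selective wipe (corporate data only) for BYOD."""
    return "full" if dev.ownership == "corporate" else "selective"


def breach_exposure(dev: Device) -> str:
    """Classify a lost/stolen device. Encryption consistent with the HHS guidance
    makes the PHI 'secured', so no notification is required (still document the
    determination); unencrypted ePHI on a lost device is a reportable breach."""
    if dev.status not in ("lost", "stolen"):
        return "not applicable"
    if not dev.stores_ephi:
        return "no ePHI on device"
    if dev.encrypted:
        return "secured PHI"
    return "breach of unsecured PHI"


def compliance_report(devices: list, today: date) -> dict:
    """Per-device findings, breach exposure and (for lost/stolen devices) wipe action."""
    report = {}
    for dev in devices:
        report[dev.device_id] = {
            "findings": evaluate(dev, today),
            "exposure": breach_exposure(dev),
            "wipe": wipe_action(dev) if dev.status != "active" else None,
        }
    return report


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("corp-001", "corporate", True, True, True, 8, date(2013, 1, 15), 10, 5, True, True),
    Device("byod-017", "byod", True, False, True, 4, date(2012, 6, 1), 0, 30, False, False, "lost"),
    Device("corp-042", "corporate", True, True, True, 8, date(2012, 12, 1), 10, 5, True, True, "stolen"),
]

if __name__ == "__main__":
    for device_id, result in compliance_report(SAMPLE_INVENTORY, date(2013, 2, 20)).items():
        print(device_id, result)
```

In the constructed inventory, byod-017 fails every control and was lost while holding unencrypted ePHI, so it is the reportable case and only a selective wipe is available; corp-042 was stolen but is encrypted, so the PHI counts as secured and a full wipe is issued. The thresholds in POLICY are the organization's decision and should come from the documented risk analysis rather than from this script.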


• Consider multi-factor authentication

• Restrict storage of company data – BYOD (e.g., only e-mail without attachments, calendar entries and contact cards)

• BYOD subject to all company policies

• Inform employees and contractors that BYOD will be monitored when connected to the company network

Risk Mitigation

• Inform employees and contractors that BYOD and associated passwords will be inspected upon reasonable request for company investigations if personally owned mobile devices are used for business/clinical purposes

• Be prepared to provide a company-owned mobile device if employees or contractors are required to use mobile devices and do not agree to device inspection

Risk Mitigation

• Require employees and contractors to immediately report a lost or stolen device

• Obtain and document employees' and contractors' agreement to remote wipe in the event of loss, theft or termination

• Add inspection of BYOD to exit interview procedures

• Robust training is critical

Risk Mitigation


• Policies required by the HIPAA Privacy and Security Rules

• OCR "Culture of Compliance" – robust policies and procedures, including employee and contractor training

• Includes development and implementation of mobile device and portable media policies and procedures

• Don't forget sanctions

Risk Mitigation – Policies & Procedures

• Include the following elements in employee/contractor mobile device use agreement (BYOD & company owned):

• Agree to remote wipe

• Agree to company monitoring when connected to company network

• Agree to device inspection – incident investigation & legal hold

Mobile Device Agreement

• Mobile device use agreement (BYOD & company owned; continued):

• Agree to hold the company harmless if the device is damaged and/or if personal data is viewed

• Company will configure the device and install security software

Mobile Device Agreement


• Mobile device use agreement (BYOD & company owned; continued):

• Employee/contractor won’t modify or delete configuration/security software

• Immediately report if device lost or stolen

• Limit storage of company data on device

• Acknowledge company policies and procedures apply to device use

Mobile Device Agreement

• Significant increase in the use of the Internet and mobile devices for personal health purposes

• Patient portals

• Health plan claims access and wellness

• Mobile device health applications (e.g., prescription management, diabetes management, personal medical record storage, etc.)

Increase in Consumerism

• New health care delivery models

• Medical in-home visits and treatment

• Assistive living devices

• ACOs and state equivalents

• Patient portals

• Remote diagnostics and patient e-communication

• Telemedicine

• Patients can and will share PHI – covered entities are not responsible for patients' personal decisions

Increase in Consumerism


• The HIPAA Security Rule requires protection of ePHI when it is used, disclosed, stored or transmitted

• Storage of ePHI on mobile devices represents another security environment to protect

• Encryption of mobile devices used to store ePHI – formally still an addressable specification, but given the related risks, and the safe harbor it provides from breach notification, it is effectively mandatory

Regulations & Mobile Devices: A final word

Summary and Q&A

Chris Apgar, CISSP

CEO & President