
Technology, and Social Media Use in Healthcare. What Could Go Wrong?

Moira Wertheimer, Esq., RN, CPHRM, FASHRM Healthcare Risk Management Product Lead


Objectives

• Discuss social media/technology uses in healthcare
• Identify potential patient confidentiality issues arising with technology and social media use in healthcare
• Describe general safety and security issues associated with technology and social media use in healthcare
• Discuss risk reduction strategies and policy considerations to mitigate potential liability exposures associated with technology and social media use in healthcare


Who Uses Social Media And Technology?...... Practically Everybody!

Technology access:
• 96% of Americans own a cellphone
• 81% own a smartphone
• 75% own a desktop/laptop

Social media:
• 50% of consumers research healthcare providers online, starting with the health system website
• 40% of consumers make healthcare decisions using information found on social media
• 19% of smartphone users have at least one “health related” app on their phone
• 2/3 of physicians use social media for professional purposes
• Only 1/3 of healthcare organizations have social media use guidelines

Source: Pew Research Center, Social Media Fact Sheet (June 12, 2019)


Healthcare Consumers Use the Internet

Source: Kyruus, 2019 Patient Access Journey Report


How Does Healthcare Use Social Media And Technology?

• Patient Engagement
 – Provide healthcare education to the community
 – Driving healthcare consumers to organization/practice websites and landing pages for up-to-date information
 – Marketing innovative clinical services
 – Tool to improve patient satisfaction scores
 – Increase patient access to their health information through patient portals
• Electronic Health Records (EHRs)
• Professional networking/collaboration
• Research recruitment
• Communicate with patients directly
• Artificial Intelligence (AI)
• Medical Devices


What Are The Risks With Using Social Media And Technology In Healthcare?

• Protecting patient confidentiality

• Maintaining professionalism

• Not adhering to standards of care

• Practicing medicine without a license

• Competency using the technology



Social Media: Friend Or Foe?

Web-based/mobile technology turns what used to be private conversations into an interactive dialogue that can be accessed by the public.


Professionalism - Online Postings



Professionalism: Risk Management Strategies

• Maintain separate professional/personal social media presence
• Convey accurate information
• Avoid online profanity, intoxication, discriminatory language
• Avoid commenting negatively on patients
• Utilize privacy settings
• Control who can post information about you
• Don’t “friend” patients
• “Google” yourself periodically
• “Pause” before posting
• Avoid inadvertently creating a provider-patient relationship
• Communicate electronically with established patients only, after obtaining consent

Source: Annals of Internal Medicine, “Online Medical Professionalism: Patient and Public Relationships: Policy Statement From the American College of Physicians and the Federation of State Medical Boards” (2013).


Protecting Patient Confidentiality

• HIPAA/State privacy laws apply to all protected health information (PHI)
 • Verbal
 • Written
 • Electronic
• Applies to communication WITH patients and ABOUT patients
• Use de-identified information when reviewing cases
• Avoid social media postings referring to a patient
 • Even if no “PHI” is posted
• Encryption
• Dispose of PHI in a HIPAA compliant manner


HIPAA: Data Breaches

• U.S. Health and Human Services posts all breaches affecting 500 or more individuals on a public web-site
• Between 2009-2018: 2,546 data breaches exposing 189,945,874 healthcare records
• More than 80% of physicians experienced a cyberattack in 2017
• Average cost of a healthcare data breach = $6.5 million ($429 per record)

Source: IBM/Ponemon Institute, 2019 Cost of a Data Breach Report


How Do Breaches Happen?

Malicious:
• Hacking
• Phishing
• Pretexting
• Ransomware
• “Inside” unauthorized access
• Theft
• Exploiting system vulnerabilities
• Unprotected data stored on servers
• Use of stolen credentials

Non-compliance:
• Failing to log off when leaving workstation
• Unauthorized viewing/access to PHI
• Sharing passwords
• Improper disposal of PHI
• Loss/theft of mobile devices
• Not updating security patches
• Human error

Source: Verizon, Protected Health Information Data Breach Report (2019)


HIPAA Fines

• Tier 1 (no knowledge of violation): $100 to $50,000 per violation; capped at $25,000 per year
• Tier 2 (reasonable cause): $1,000 to $50,000 per violation; capped at $100,000 per year
• Tier 3 (willful neglect, corrected): $10,000 to $50,000 per violation; capped at $250,000 per year
• Tier 4 (willful neglect, not corrected): $50,000 per violation; capped at $1.5 million per year

(The annual caps above reflect the HHS April 2019 Notice of Enforcement Discretion; the dollar amounts are adjusted for inflation each year, so check the current figures before quoting them.)


Breach Prevention Risk Management Strategies

• Disk/device encryption
• Use anti-virus software
• Update security patches
• Centralized distribution of devices to employees
• Maintain paper records in restricted access/locked areas
• Dispose of all PHI properly
 • Pulverize
 • Shred
 • Demagnetize
 • Erase
• Routine monitoring/auditing of medical record access
• Establish resiliency to combat ransomware attacks (offline, regularly tested backups)
• DON’T click on that link!!!

Source: Verizon, Protected Health Information Data Breach Report
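The “routine monitoring/auditing of medical record access” item is where the “inside” unauthorized access and “unauthorized viewing/access to PHI” listed on the previous slide actually get caught. The script below is an added example (not part of the presentation) of what such an audit job does: it parses an EHR access log and flags (1) a chart opened by a user with no documented care relationship to the patient, (2) a workforce member opening their own chart, and (3) one user opening an unusual number of distinct charts in a short window. The log format, user names, patient IDs, assignment table and thresholds are all constructed for the example and are not any real EHR vendor’s format.

```python
"""Minimal EHR access-log audit: added example, not from the presentation.

Three checks that a routine audit job commonly runs:
  1. a chart opened by a user with no documented care relationship to the patient,
  2. a workforce member opening their own chart (should go through the portal),
  3. an unusually large number of distinct charts by one user in a short window.
The log format, user names, patient IDs and assignment table are all constructed
for this example; they are not any real EHR vendor's format.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: <ISO timestamp> <user> <role> <patient id> <action>
SAMPLE_LOG = """
2021-12-01T09:01:12 jsmith RN P1001 view
2021-12-01T09:03:40 jsmith RN P1002 view
2021-12-01T09:05:01 jsmith RN P2001 view
2021-12-01T09:30:00 bjones MD P1003 view
2021-12-01T09:31:15 bjones MD P1004 view
2021-12-01T10:12:07 kwhite CLERK P3001 view
2021-12-01T10:12:09 kwhite CLERK P3002 view
2021-12-01T10:12:15 kwhite CLERK P3003 view
2021-12-01T10:12:22 kwhite CLERK P3004 view
2021-12-01T10:12:30 kwhite CLERK P3005 view
2021-12-01T10:12:41 kwhite CLERK P3006 view
2021-12-01T11:45:00 bjones MD P9001 view
"""

# Constructed care-relationship table (who is assigned to which patients today).
ASSIGNMENTS = {
    "jsmith": {"P1001", "P1002"},
    "bjones": {"P1003", "P1004"},
    "kwhite": {"P3001", "P3002", "P3003", "P3004", "P3005", "P3006"},
}
# Constructed mapping of workforce members to their own patient records.
EMPLOYEE_RECORDS = {"bjones": "P9001"}


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient: str
    action: str


def parse_log(text):
    """Parse the whitespace-delimited sample format, oldest event first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role, patient, action))
    return sorted(events, key=lambda e: e.ts)


def find_unassigned_access(events, assignments):
    """Chart opened by someone with no documented care relationship to the patient."""
    return [e for e in events if e.patient not in assignments.get(e.user, set())]


def find_self_access(events, employee_records):
    """Workforce member opening their own chart through the clinical system."""
    return [e for e in events if employee_records.get(e.user) == e.patient]


def find_bulk_access(events, limit=5, window=timedelta(minutes=10)):
    """First point at which a user exceeds `limit` distinct charts inside `window`."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    hits = {}
    for user, evs in by_user.items():          # evs is already time-ordered
        for i, cur in enumerate(evs):
            recent = {e.patient for e in evs[: i + 1] if cur.ts - e.ts <= window}
            if len(recent) > limit:
                hits[user] = (cur.ts, len(recent))
                break
    return hits


def audit(text=SAMPLE_LOG, assignments=ASSIGNMENTS, employee_records=EMPLOYEE_RECORDS):
    """Run all three checks and return the findings as plain tuples for review."""
    events = parse_log(text)
    return {
        "unassigned": [(e.user, e.patient) for e in find_unassigned_access(events, assignments)],
        "self": [(e.user, e.patient) for e in find_self_access(events, employee_records)],
        "bulk": {u: (ts.isoformat(), n) for u, (ts, n) in find_bulk_access(events).items()},
    }


if __name__ == "__main__":
    for check, findings in audit().items():
        print(f"{check}: {findings}")
```

Run as-is it reports jsmith opening a chart outside their assignments, bjones opening their own record, and the clerk account opening six charts in under a minute. In practice the assignment table comes from the scheduling/ADT feed, thresholds are tuned per role (a front-desk clerk legitimately touches far more charts than a nurse), and every hit is reviewed by the privacy officer rather than acted on automatically.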


Emailing/Texting With Patients: Risk Management Strategies

• Develop an internal policy
• Delineate workflows
• Utilize patient portals when available
• Obtain patient informed consent
• Encryption
 • What if the patient wants the PHI sent unencrypted? HHS/OCR guidance permits it when the patient has been warned of the risk and still prefers unencrypted e-mail; document the warning and the patient’s request
• Manage “response time” expectations
• Emergency response (make clear that e-mail/text is not for urgent clinical matters)


Online Reviews

• For Healthcare Experiences
 • Patients and Families
 • Organizations
• Issues
 • Reliability
 • Credibility
 • Insight
• Managing Reviews
• Responding to Negative Social Media Ratings


Responding to Negative Social Media

Posting a response that acknowledges the reviewer as a patient violates state and federal confidentiality regulations (e.g. HIPAA), even if the patient disclosed the relationship first.

• Options:
 — Ignore the post, if generally benign
 — Respond with a generic statement that explains practice/organization privacy rules
 — If the patient identifies themselves, consider contacting them off-line to discuss and to remove the post
 — Contact local law enforcement immediately if the posting is a threat against a specific individual


Professional Networking

• Understand how the technology works
• Protect patient confidentiality
 • Use de-identified patient information
• Maintain professionalism
• Avoid inadvertently establishing a provider-patient relationship
• Maintain professional boundaries
• Keep personal and professional social networking separate
• Disclose conflicts of interest
• Disclose that views are personal and not those of the employer organization


Develop A Social Media Policy

• Size of organization/practice does not matter
• New employee orientation/ongoing staff education
• Include physicians (employed, independent contractors, locums)
• Include agency staff
• Enforce policy consistently
• Employees sign confidentiality agreements
• Designate who will monitor social media use and content
• Utilize disclaimers
• Policy should include prohibitions on:
 • Sharing of patient information
 • Photos
 • Ranting
 • Interacting with patients on personal social media sites
 • Using organization name, image, etc. in personal social media postings
 • Answering questions/providing medical advice on social media sites
 • Emailing/texting unencrypted PHI
 • Responding to negative online postings
• Avoid policies seeking to regulate employees’ personal use of social media in ways that could be considered violating free speech or other protected employee rights


Technology – Too Much Of A Good Thing?



Mobile Devices

• Know where the device is at all times!
• Don’t store PHI on the device
• Encrypt all devices
• Maintain security updates
• Utilize remote wipe capabilities
• Don’t use public wi-fi “hotspots”
• Disable Bluetooth when not using it
• Password protect the device
 • Don’t share the password!
 • Change the password frequently
 • Use complex passwords (8 characters and 4 data types: upper, lower, numeric, symbol/character)
 • Note: current NIST SP 800-63B guidance favors longer passphrases, screening against known-breached passwords and multi-factor authentication over composition rules and scheduled rotation; change a password promptly whenever compromise is suspected
• Consider adopting a BYOD policy

Source: mHealth Intelligence, The Impact of BYOD on Healthcare Providers and Hospitals


Types of Cyberattacks

• Phishing Attack
• Malicious Disclosure
• Theft of Protected Health Information (PHI)
• Breach of Confidentiality
• Hacking
• Ransomware
• All of the Above


Effects of Cyber Attacks on Healthcare


• Clinical Interruption

• Business Interruption

• Organization Reputation Damage


Phishing

• Affects large and small organizations
• Most commonly found in emails, texts, social media, and sometimes phone calls
• 10% of phishing emails make it through spam blockers
• Exploits the recipient
• Fridays and Mondays are the biggest “phishing days”
 • 9AM and 1PM
• Receive email from a “recognized” sender, disguised as:
 • Bill / invoice (15.9 percent)
 • Email delivery failure (15.3 percent)
 • Legal / law enforcement (13.2 percent)
 • Scanned document (11.5 percent)
 • Package delivery (3.9 percent)

Source: Symantec, 2018 Internet Security Threat Report


Don’t Let the “PHISH” Bite

• Employee training/drills
• In the emails, look for:
 • Misspelled words
 • Grammatical errors
 • Inspect all URLs: look for re-directing
 • Hover your cursor over the link; does it look right?
• Don’t provide sensitive information
• Utilize spam detection programs
• Use multi-factor authentication
• Use only “HTTPS” protected sites (but HTTPS only protects the connection; phishing sites use valid HTTPS certificates too, so the padlock does not prove a site is legitimate)
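The “hover over the link” and “look for re-directing” checks above can be automated for a mail gateway or a help-desk triage script. The Python below is an added example (not from the presentation) that pulls every link out of an HTML message body and flags the common tells: the visible text names one site but the link goes to another, a punycode (xn--) label that may hide a look-alike domain, an IP-address host, a non-HTTPS link, and a query parameter that carries a second URL (the redirect trick). The message body, every host name (all RFC 2606 reserved names) and the finding labels are constructed for this example; the “registrable domain” helper is a deliberate simplification noted in the code.

```python
"""Link inspection for a suspicious e-mail: added example, not from the presentation.

Automates the "hover over the link, does it look right?" and "look for
re-directing" checks over a constructed HTML body.  Every host below is an
RFC 2606 reserved name; the e-mail, the link labels and the finding names are
constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample message body.
SAMPLE_EMAIL = """
<p>Your invoice from Example Health is ready.</p>
<a href="https://www.example.com.evil.example/login">https://www.example.com/login</a><br>
<a href="http://xn--exmple-cua.net/verify">Example Bank</a><br>
<a href="https://portal.example.org/go?url=http://evil.example/doc">View scanned document</a><br>
<a href="https://www.example.org/billing">Pay bill</a>
"""

HOST_IN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URL_LIKE = re.compile(r"^(?:https?:)?//|^www\.", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain (last two labels).  Real code should consult the
    Public Suffix List; this simplification mis-handles names such as co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def inspect_link(href, text):
    """Return the list of red flags for one link (empty list = nothing noticed)."""
    findings = []
    u = urlparse(href)
    host = u.hostname or ""
    if u.scheme != "https":
        findings.append("not https")
    if IPV4.match(host):
        findings.append("host is an IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in host")       # possible look-alike domain
    m = HOST_IN_TEXT.match(text)
    if m and registrable(m.group(1)) != registrable(host):
        findings.append("display/href host mismatch")   # text names one site, link goes elsewhere
    if any(URL_LIKE.match(v) for vals in parse_qs(u.query).values() for v in vals):
        findings.append("embedded URL in query (possible redirect)")
    return findings


def analyze_links(html):
    """Extract every link from an HTML body and inspect each one."""
    p = LinkExtractor()
    p.feed(html)
    return [{"href": h, "text": t, "findings": inspect_link(h, t)} for h, t in p.links]


if __name__ == "__main__":
    for r in analyze_links(SAMPLE_EMAIL):
        print(r["href"], "->", r["findings"] or "ok")
```

Only the last link in the sample comes back clean; note that the first one passes the “is it HTTPS?” test and would show a padlock, which is exactly why the HTTPS check on the slide is the weakest of the list. A production version would add the Public Suffix List, domain age and reputation lookups, and sandboxed resolution of any redirect.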


Ransomware Attacks

• Uses a type of malicious software designed to block access to a computer system until a sum of money is paid
• 40% of ransomware attacks occur through phishing
• Healthcare is the victim in 12.8% of ransomware attacks
• Average downtime for the organization is 12 days
• Average ransomware payment = $41,000

Source: Coveware, Q3 Ransomware Marketplace Report (2018)


We Had A Ransomware Attack: Now What?

• Train employees to recognize a ransomware attack early
 • Time is of the essence
• Disconnect affected devices/computers from the network (wired and wireless); power them down only if they cannot be isolated, since powering off destroys volatile evidence investigators may need
• Label affected devices
• End all administrator sessions
• Change administrator credentials
• Change all user passwords
• Securing access takes priority over initiating a restore
• Conduct a full threat assessment once the situation is resolved


Summary: Mitigating TECHNOLOGY Risks


• ENCRYPTION – EVERY Device

• Device and Media Control Policy

• Passwords

• Access Control

• Staff Education and Awareness

• Incident Response Plan with Breach Notification

• Drills/Audits


What is Next?: Artificial Intelligence (AI)

• Risks:
 • False positives/negatives
 • Systems errors
 • Unexplainable results
 • New skill requirements for providers
 • Systems vulnerable to cyberattacks
 • Current laws/standards not designed with AI in mind
• Benefits:
 • Assistance with case triaging
 • Enhanced image scanning
 • Faster disease detection
 • Supported decision-making
 • Patient appointment/treatment tracking
 • Automatic tumor tracking

Source: Medical Economics, “AI can help avoid malpractice lawsuits, but risks may emerge.” (3/4/19).


Summary: Risk Management Tips for Social Media and Technology

• Create social media/device usage policies and procedures

• Encrypt, encrypt, encrypt

• Staff education and training

• Understand risks and benefits of technologies used

• Comply with federal and state confidentiality laws

• Adhere to HIPAA Breach Notification process

• Use strong passwords

• Don’t post about patients on social media



Resources


• Annals of Internal Medicine, “Online Medical Professionalism: Patient and Public Relationships: Policy Statement From the American College of Physicians and the Federation of State Medical Boards” (2013).

• AHIMA, “Social Media + Healthcare” http://library.ahima.org/doc?oid=103686#.W-Gh0jaWw2w

• Verizon, Protected Health Information Data Breach Report (2019)

• Mayo Clinic Social Media Policy https://sharing.mayoclinic.org/guidelines/for-mayo-clinic-employees/


Resources


• FDA In Brief, October 2018 https://www.fda.gov/NewsEvents/Newsroom/FDAInBrief/ucm623624.htm

• Health & Human Services, Office for Civil Rights, Cyber Security Guidance Material https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html

• Federation of State Medical Boards, Model Policy Guidelines for the Appropriate Use of Social Media and Social Networking in Medical Practice http://www.fsmb.org/pdf/pub-social-media-guidelines.pdf


Questions?