The Challenge of Managing Portable Devices
Transcript of The Challenge of Managing Portable Devices
© Copyright 2009 American Health Information Management Association. All rights reserved.
Webinar April 21, 2009
Practical Tools for Seminar Learning
Disclaimer
AHIMA 2009 HIM Webinar Series
The American Health Information Management Association makes no representation or guarantee with respect to the contents herein and specifically disclaims any implied guarantee of suitability for any specific purpose. AHIMA has no liability or responsibility to any person or entity with respect to any loss or damage caused by the use of this audio seminar, including but not limited to any loss of revenue, interruption of service, loss of business, or indirect damages resulting from the use of this program. AHIMA makes no guarantee that the use of this program will prevent differences of opinion or disputes with Medicare or other third-party payers as to the amount that will be paid to providers of service. As a provider of continuing education, the American Health Information Management Association (AHIMA) must assure balance, independence, objectivity and scientific rigor in all of its endeavors. AHIMA is solely responsible for control of program objectives and content and the selection of presenters. All speakers and planning committee members are expected to disclose to the audience: (1) any significant financial interest or other relationships with the manufacturer(s) or provider(s) of any commercial product(s) or service(s) discussed in an educational presentation; (2) any significant financial interest or other relationship with any companies providing commercial support for the activity; and (3) if the presentation will include discussion of investigational or unlabeled uses of a product. The intent of this requirement is not to prevent a speaker with commercial affiliations from presenting, but rather to provide the participants with information from which they may make their own judgments. This seminar's faculty have made no such disclosures.
Faculty
John Parmigiani, MS, BES
John Parmigiani is president of John C. Parmigiani & Associates, LLC, a consulting firm in Ellicott City, MD, focused on helping healthcare organizations become compliant with healthcare regulations and move toward e-health. Mr. Parmigiani has over 35 years' experience in information systems management. As former director of enterprise standards for the Health Care Financing Administration (now CMS), he was chairman of the government-wide HIPAA Administrative Simplification Security and Electronic Signature Standards Implementation Team that created the Security Rule, and was a member of the federal committee that oversaw the development and implementation of the HIPAA Transactions and Code Sets and the Privacy Rule.
Table of Contents
Disclaimer (i)
Faculty (ii)
Presentation Overview (1)
Session Objectives (1-2)
Regulatory Drivers
  • Regulatory Drivers: Privacy & Security (3)
  • Common Security Requirements (3)
  • CMS Guidance of Dec. 2006 (4)
  • Legal Basis for “Keeping Up with Technology” (4)
Laptops/Mobile Devices/Remote Access
  • Mobile Computing Devices (5)
  • Benefits of Mobility (6)
  • From a Vendor Ad (6)
  • Polling Question #1 (7)
  • Handheld Vulnerabilities (7)
  • Media Players (8)
  • Wireless Concerns (8)
Data Losses/Leakages
  • Types of Risk to Data (9)
  • Healthcare Data Is At Risk (10)
  • Sources of Data Leakage (10)
  • Common Paths for Data Exposure (11)
Data Breach Costs & Impacts
  • Data Breaches Are Common! (12)
  • Some Recent Healthcare Security Breaches (2008) (12-13)
  • The Cost of Data Loss (13)
  • Data Breach Costs (14)
  • Remediation Is More Expensive than Prevention (14)
  • Recent Data Breach Costs Are Shown to Be Astronomical and Long-lasting (15)
  • Government Enforcement on the Rise (15-16)
  • Other Adverse Impacts (16-17)
  • Avoiding the Problem (17)
Tools, Techniques, & Best Practices
  • Enterprise-wide Management Solution (18)
  • Data-Centric vs. Device-Centric (19)
  • Required Oversight (19)
  • It’s 9:00 – Do You Know Where Your Data Is? (20)
  • Mobile Devices (20)
  • Mobile Security Policy (21)
  • Training (21)
  • Communicating an Awareness of the Risks (22)
  • Policies and Procedures Training (22)
  • Polling Question #2 (23)
  • Mobile Device Security Best Practices (23-24)
  • If there has been a loss (24)
  • Physical Controls (25)
  • Device Inventory (25)
  • Back Up Log for Devices (26)
  • Travel Checklist (26)
  • Technology Solutions (27)
  • Security Controls (27)
  • Emerging Authentication Safeguards on Mobile Devices (28)
  • Security Controls (28)
  • Some Helpful Tips to Prevent Mobile Loss (29)
  • Data Loss Prevention Techniques (29)
  • Encryption: Preventing Unauthorized Access (30)
  • Encryption (30-31)
  • Comprehensive Data Security with Encryption (31)
  • Mobile Device Security (32)
  • Network Security? (32)
  • Wireless Best Practices (33)
  • Resource/Reference List (33)
Conclusions
  • In Conclusion (34-35)
Audience Questions (35)
Thank You! (36)
Audio Seminar Discussion (36)
Become an AHIMA Member Today! (37)
Audio Seminar Information Online (37)
Upcoming Audio Seminars (38)
AHIMA Distance Education online courses (38)
Thank You/Evaluation Form and CE Certificate (Web Address) (39)
Appendix (40)
  • Resource/Reference List (41)
  • CE Certificate Instructions
Presentation Overview
• Session Objectives
• Federal and State Regulatory Requirements
• Recent Losses and Impacts
• Tools, Techniques, and Best Practices
• Conclusions
• Questions and Answers
Session Objectives
• Understand the regulatory dictates for protecting mobile sensitive data
• Be aware of the financial and adverse impacts to operations and reputation of your organization from lost data
• Learn what steps to take to mitigate risk and the resulting liability of lost data and mobile devices
• Examine best practices to guard against loss of sensitive and patient data in an increasingly mobile healthcare environment
Regulatory Drivers: Privacy & Security (Not just HIPAA)
USA
• HIPAA/HITECH
• FERPA
• 21 CFR Part 11
• 42 CFR Part 2
• PCI
• GLBA
• SOX
• FISMA
• ID theft: CA SB 1386 + 43 other states (Data Protection Acts) + DC, Puerto Rico; CA AB 1298 (healthcare information; also AR & DE; paper records added in some states, e.g. MA)
• FTC Red Flags Rule
• JCAHO
• NCQA
• OMB/NIST/CMS directives & guidance
International
• EU Data Protection Directive
• Japanese Data Protection Law
• Canadian PIPEDA
• Basel II
Laws, regulations, draft bills, and accreditation practices related to information security are many and growing.
Common Security Requirements
The many standards associated with security/privacy have a strong commonality of features:
• Protect confidentiality of sensitive data at rest and in transit
• Restrict data access on a need-to-know basis
• Authentication/Access Controls/Audit Controls
• Assure data integrity
• Business continuity: system/data availability
• Network protection
• Security management process
• Administrative, Physical, Technical safeguard areas
The HIPAA Security Rule covers all of these requirements, so compliance with it also brings serendipitous compliance with other regulations!
CMS Guidance of Dec. 2006
Guidelines/best practices to augment the HIPAA Security Rule:
• Mobile devices and removable media that contain ePHI
• Remote access to ePHI
Not a regulation, but… “CMS may rely upon this guidance in determining whether or not the actions of a covered entity are reasonable and appropriate for safeguarding the confidentiality, integrity, and availability of ePHI, and it may be given deference in any administrative hearing pursuant to 45 C.F.R. section 160.508 (c)(1), the HIPAA Enforcement Rule”
Legal Basis for “Keeping Up with Technology”
The T.J. Hooper case
• New Jersey coast (1928): a storm comes up, the tug loses the barge and its cargo of coal
• Plaintiff: Barge owner – captain was negligent because he had no weather radio, which was relatively new but was seeing widespread use even though not mandated
• Defendant: Tug captain – didn’t have the resources ($) to have a weather radio
• Decision (1932): Judge Learned Hand – Barge owner wins
• Rationale: to avoid negligence, keep up with technological innovations – they set the “standard of care” in the industry
Mobile Computing Devices
• Laptops
• Tablets
• Pocket PC PDAs
• iPAQ
• BlackBerry
• Smartphones
• Picture Phones
• Thumb Drives
• Etc.
What else? More being created as we speak!!
Benefits of Mobility
• Laptops and other point-of-care devices make it much easier to record clinical data and to transmit the data back to the office for billing and other purposes, or within and outside of the organization for patient treatment.
• It also makes it much easier for your staff to carry very large volumes of patient information with them to the patient’s home and to their own home.
• It provides an environment for ubiquitous access.
BUT… this also creates the possibility of having all of that information lost or stolen.
From a Vendor Ad
EVERY 53 SECONDS A LAPTOP IS STOLEN! It’s not a matter of IF, it’s a matter of WHEN!
Answer these questions:
• Do your employees have confidential or sensitive data stored on their PCs and laptops?
• Do you believe some users write down PC login passwords on sticky notes, notebooks or PDAs?
• When employees or contractors leave the company, are you always assured of the immediate return of every computer?
Polling Question #1
Has anyone in the audience experienced the loss of a portable device containing PHI?
a) Yes
b) No
c) Don’t know
Handheld Vulnerabilities
• Man-in-the-middle
• Trojan Horses
• Viruses
• Digital Camera
• SD Card
• Bluetooth
• Device Databases
• Unapproved Applications
• WiFi
• IrDA “Beaming” Port
Media Players
>80 GB of storage
• Not just music/video
• Not easy to encrypt
• Only basic (rudimentary) logon
Wireless Concerns
Risks: unsecured wireless networks
• Home
• Airports
• Hotels
• Coffee shops
• Libraries
• Hospital waiting rooms and public areas
Types of Risk to Data
Content Risk
• Level of sensitivity, from most confidential to not confidential
User Risk
• Insider
• Outsiders
  • Known (Business Associates – need to contractually bind)
  • Strangers
How
• When being processed as part of a system
• When being transmitted
• When being copied from one format to another
• When being stored
Healthcare Data Is At Risk
• Healthcare information exchange via EMR / PHR / EHR portals is becoming a priority; growth and push toward information sharing (HIEs)
• As data becomes easier to access and share, it also becomes more exposed
What is the risk?
• Identity theft
• Medical ID theft
• Financial fraud
• Medical history becoming a commodity – converted to “credit” and “applicant” data
• Bad PR! No one wants a security breach to become front-page news!
Basic security such as passwords is not enough.
Sources of Data Leakage
PHI Loss
• Potential harm to patient
• Identity theft – credit card/financial
• Medical identity theft
Insider (75%)
• Sensitive data not protected
• Malicious handling/theft
• Takes sensitive data on a mobile device which is then lost or stolen
Outsider
• Malicious break-in and theft, either physically or through the network
• 65% of terrorist attacks are targeted at businesses, not governments
Common Paths for Data Exposure
• Corporate e-mail
• Web 2.0 postings: Twitter, Facebook, MySpace (Social Media)
• Webmail communications
• File Transfer Protocol (FTP), Instant Messaging (IM), Peer-to-Peer (P2P) and other network file transfer mechanisms
• USB and removable storage media
• Unsecured business partner/business associate communications
Data Breaches Are Common!
• Data breaches are almost always caused by human error
• Over 20% of the US population had already had their personal information lost or stolen by 2007*
* Estimated to be at 90% by 2010, according to Gartner
Some Recent Healthcare Security Breaches (2008)…
• Palo Alto Medical Foundation (Santa Cruz, CA) – laptop (1K persons affected)
• Horizon BC/BS – laptop (300K)
• Lifeblood (TN) – laptop (300+K)
• HealthNet Federal Services – (100+K)
• BC/BS Western New York – laptop (40K)
• Dental Network (NH) – web (75K)
• WellPoint (IN) – (120+K)
• WellCare Health Plans (GA) – (71K)
• Staten Island University Hospital – (88K)
Some Recent Healthcare Security Breaches (2008)
• University of Utah Hospitals and Clinics – stolen tapes (2.2 M)
• Florida Agency for Healthcare Administration – (55K)
• HealthNet – laptop (5K)
• Fallon Community Health Plan – computer (4K)
• Wake County Emergency Services – laptop (5K)
• University of Minnesota – flash drive (3.1K)
• Memorial Hospital (IN) – laptop (4+K)
• University Health Care (UT) – laptops (4.8K)
• Etc. …
The Cost of Data Loss
2008
• Avg. total cost/breach, all industries*: $13.8M (large corporations/organizations); $202/record; avg. cost of a healthcare breach was $282/record
• Small organizations (physician practice): ~$350K**
• Current economic environment will spur even greater losses: a December 2008 report issued by the Identity Theft Resource Center, an advocacy group based in San Diego, predicted increased numbers of incidents, with more sophisticated schemes targeting unemployed people, consumers with poor credit, and homeowners facing foreclosure
* Ponemon Institute
** FBI and Computer Security Institute
Data Breach Costs
• 84% of all organizations have suffered at least one breach in the last 12 months*
• >250 M consumer records compromised since January 2005*
• Average cost per record to remediate a breach in 2009 was $202 (but a healthcare breach was $282/record)**; Forrester (2008) warns a breach in 2009 could cost $305/record (discovery, notification, lost productivity, fines, legal fees, lost business, etc.)
* Privacy Rights Clearinghouse
** Ponemon Research
Remediation Is More Expensive than Prevention…
Notification Letter: $1.50-2.00 per individual
Fines / Penalties: $1,000-$250,000 per incident
Call Center: $10 to $31 per call
Credit monitoring: $60 per person
Legal Fees: $10,000+
Loss of consumer confidence: Priceless
* Source: Estimates based on various news media reports
An ounce of prevention really is cheaper than a pound of cure!
Recent Data Breach Costs Are Shown to Be Astronomical and Long-lasting!
• TJX, BJ’s & PETCO must submit to biennial outside security audits for 20 years and submit copies of assessments including training materials to FTC; TJX data loss currently estimated at $296M and counting; additionally, BJ’s was hit with $13M in private lawsuits
• Florida – companies fined $1,000/day ($50,000/month after 30 days) for every day they fail to disclose a data breach
• Montana – failure to disclose a privacy violation: $10,000
• Etc., etc.
Government Enforcement on the Rise
Providence Settlement – OCR’s first “Resolution Agreement”
What went wrong:
• ePHI that was not encrypted or otherwise properly safeguarded was lost or stolen
• Backup tapes, optical disks, and laptops, all containing unencrypted ePHI, were removed from Providence premises and left unattended
• Media and laptops comprising ePHI for over 386,000 patients were lost
• Management lapses
  • Providence had an encryption policy but it was not followed or enforced
  • Employees were allowed to take home media with ePHI despite a policy to the contrary, and with full knowledge of IT and managers over a long period of time
Government Enforcement on the Rise
Providence Settlement – OCR’s first “Resolution Agreement”: $$ + …
Corrective Action Plan:
• Physical safeguards governing the off-site:
  • storage of backup media containing ePHI
  • transportation of backup media
• Physical safeguards governing the physical security of portable devices containing ePHI
• Technical safeguards regarding encryption:
  • of backup media containing ePHI
  • of portable devices containing ePHI
• Other technical safeguards regarding:
  • backup media
  • portable devices
Other Adverse Impacts
Potential Harm to Patients
• Identity Theft/Medical Identity Theft
  • According to the FTC, identity theft is the fastest-growing crime in the US
    – Affected more than 10 million Americans in 2008
    – A Gartner study in 2006 estimated that there is a new victim every 2+ seconds
• Credit Card/Financial Fraud
  • Black Market Price Ranges (2008 Symantec Internet Security Threat Report Trends)
    – Full set of identity information: $10 - $150
    – Stolen credit card: $.05 - $5
• Patient safety
• Lawsuits
  • The federal courts have consistently ruled that HIPAA does not create a private cause of action. A violation of HIPAA may lead to a complaint with the Office of Civil Rights, but it does not give the individual the right to sue the provider.
  • Although HIPAA does not provide a means to sue providers for disclosures of PHI, state laws do provide ways to sue providers.
Other Adverse Impacts
Bad PR
• Regardless of the circumstances, the public perception will be that the agency “doesn’t care” about privacy. This perception can undermine patients’ confidence in your agency, which can lead them to other providers.
• The public relations problem may be a long-term issue.
Financial Losses
• Civil penalties, lawyers’ fees, civil litigation, loss of business due to harm to corporate goodwill, costs of responding to a breach, costs of remediation, etc., all add up very quickly.
• Loss of a $1,000 laptop containing ePHI can quickly escalate into five or six figures in losses.
• Cleaning up a data breach can cost up to 15 times as much per record as implementing strong encryption (at least 128-bit AES), according to Gartner.
Avoiding the Problem
The best way to avoid this kind of liability is to prevent the losses from happening.
You cannot prevent every potential problem, but taking reasonable measures can eliminate a great many of the problems.
Having appropriate safeguards in place can reduce the risks and provide concrete evidence that you are concerned about patient privacy.
Enterprise-wide Management Solution
• Cross-platform device support for various client types
• Configuration management
• Device monitoring
  • When was the last time an application was accessed
  • Software installation (version) and distribution
  • Inventory and asset control – scans to alert on any changes in hardware and software
  • Remote control – to diagnose and correct faults
  • What devices are deployed, where, by whom, what’s installed on them, access rights and authorization privileges
  • Enable monitoring, when connected to the network, to ensure compliance with corporate policies
Data-Centric vs. Device-Centric
• Sensitivity of data determines the protection
• Data classification
• Access control
• Information Rights Management: tying access rights and authorization privileges to the data
Required Oversight
Ownership challenges
• Company owned and issued
• Personally owned
Inventory
• What devices are in use?
• What information is being stored?
Accountability
• Physical security
• Lost or stolen devices
It’s 9:00 – Do You Know Where Your Data Is?
Where is sensitive data stored?
• Network storage
• Distributed storage
• Workstations
• Mobile systems
How is the data moving (transmitted)?
• Mobile systems
• Webmail
• IM
• USB
• CDROM
Each of these should be covered by policies.
Especially now with e-Discovery: you need to know where it is and be able to retrieve it quickly.
Mobile Devices
You need to know:
• What mobile devices exist in your organization?
• Who has them and what are their privileges?
• What software exists on them?
• What data is allowed on them?
• What data is actually on them?
• Has that data been backed up?
• Was that data protected from unauthorized access?
“You can’t manage what you can’t measure!” – Peter Drucker
Mobile Security Policy
Who, What, Where, When: “rules of engagement”
• Establish rules for data ownership (regardless of who owns the device)
• Access requirements/Authorization privileges
• Acceptable usage (mobile devices belong to the organization, not the user; what data and files can be downloaded/leave the organization; remote connection standards)
• Required security measures and practices (password protection, anti-virus and firewall, encrypt sensitive data/files, enable device lock-down and kill)
• Processes for training, audit, and enforcement
Training
Educate staff about:
• Threats
• Being aware when working in public
• Responsibilities to protect corporate assets
Train: don’t just tell them what to do, show them how!
Communicating an Awareness of the Risks: Posters from the Univ. of Minnesota Academic Health Center
Policies and Procedures Training
Employees need to be constantly reminded of the company’s policies and procedures, the risks to the company for violations, and the risks to the employees for violations.
When first trained, employees might follow policies and procedures, but over time they can become lax.
NOTE: Sanctions and training are two very important parts of preventing a lost or stolen laptop, or any other security breach.
Your personnel are the weakest link in your security. Employees failing to follow policies and procedures are the biggest single source of security breaches.
Polling Question #2
Do you have formal mobile security policies in place and have you trained your staff on their use?
a) Yes
b) No
c) Don’t know
Mobile Device Security Best Practices
Need to balance security with usability
• Delete unnecessary information (only what is needed for the day’s activity on the device)
• Do not use shared devices for ePHI (hotel computers or fax machines)
• Have an incident response plan – notification as soon as possible after loss
• Disable any functionality you don’t need (disable Bluetooth discoverable mode, turn off 802.11 wireless when not in use)
Mobile Device Security Best Practices (continued)
Need to balance security with usability
• Encrypt sensitive information whenever possible
• Sanitize obsolete mobile devices
• Contractually bind business associates and make adherence to your corporate “rules of engagement” mandatory
If there has been a loss…
Once determined:
• Report theft or disclosure
• Can the laptop access your company network?
• Can an individual use the laptop to access any web-based software or your office clinical software? (In other words, are there any stored passwords?)
• Do you need to take steps to ensure the laptop is not used to access your office computers?
• Tracing
• Device reset
• Remote kill
The ARRA, the Red Flags Rule, and numerous state data protection laws require a formal breach notification process to be in place.
Physical Controls
• Cable locks
• Laptop alarms
• Don’t leave unattended or in cars
• Checklists
Device Inventory
• Keep original receipts at office
• Keep a copy of receipts if traveling
  • “Travel” means whenever the device is removed from the office
Inventory form columns: Make, model, serial number | Owner | User | Data Content
Used with permission of Margret\A Consulting, LLC
Back Up Log for Devices
Log columns: Date/Time | Full System Back Up | File Back Up | Copy Sent to:
• Back up system and files on a regular basis in accordance with company policy
• Back up files prior to any travel
• When off site, send a copy of files created or modified during the day to the office as another backup
Used with permission of Margret\A Consulting, LLC
Travel Checklist
Device:
Precaution (check each):
• Device has hard tattoo
• Locks, keys, and cables are available
• Strong password or other authentication for system access, application access, and file access as needed
• Tracking and recovery software applied
• Remote data protection applied
• Device shut off, not in standby mode
• Appropriate back up performed
• Copy made and carried on portable storage device
Verified by:   Date:
• Perform this check each time the mobile device is removed from the office
• Instill accountability for the device by leaving a copy at the company
Used with permission of Margret\A Consulting, LLC
Technology Solutions
Your policies and procedures are designed to prevent the theft or loss of a laptop. There are other steps you can consider to secure the laptop. There are also technologies you can use so that if a laptop is lost or stolen the information will be harder to retrieve.
Security Controls
Access control
• Gaining physical access usually means complete control of the information stored on the device
• Power-on password (protected at root level between BIOS and operating system), password-protected screen savers, auto logoff
• Stronger authentication: use two-factor to restrict access
• Pick one from each of three types of factors:
  • something you know: name, PIN, user ID, password, phrase
  • something you have: token, card, key, badge
  • something you are: biometrics (fingerprint, hand print, voice scan, iris scan, retina scan, palm vein scan)
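The "pick one from each type" rule is easy to get wrong in practice: a password plus a PIN is still a single factor. The following Go program is an added example (not code from the webinar, AHIMA, or Margret\A Consulting) of a laptop sign-on that combines something you know (a password) with something you have (a one-time code from a token, computed with the RFC 6238 TOTP algorithm) and refuses to count two credentials of the same type as two-factor. The demo password, salt, and token secret are constructed sample values; the token secret is the published RFC 4226 test secret, so the codes can be checked against that document's vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// FactorType is one of the slide's three factor categories.
type FactorType int

const (
	Know FactorType = iota // something you know: password, PIN, phrase
	Have                   // something you have: token, card, badge
	Are                    // something you are: biometric
)

// Factor is one presented credential: its category plus a function that checks it.
type Factor struct {
	Type   FactorType
	Verify func() bool
}

// Constructed demo credentials (not real values). A production system would use
// a slow password hash such as bcrypt and keep the token secret in a secure store.
var (
	salt           = []byte("demo-salt")
	tokenSecret    = []byte("12345678901234567890") // the RFC 4226/6238 test secret
	storedPassword = hashPassword("correct horse")
)

func hashPassword(pw string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	return h[:]
}

// TOTP returns the 6-digit RFC 6238 code (HMAC-SHA1, 30-second step) that a
// hardware or phone token displays for the given Unix time.
func TOTP(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := int(sum[len(sum)-1] & 0x0f) // RFC 4226 dynamic truncation
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// CheckPassword verifies "something you know" with a constant-time comparison.
func CheckPassword(pw string) bool {
	return subtle.ConstantTimeCompare(hashPassword(pw), storedPassword) == 1
}

// CheckToken verifies "something you have": the code must match the current step.
// (A real server would also accept the neighbouring step to allow clock drift.)
func CheckToken(code string, now int64) bool {
	return subtle.ConstantTimeCompare([]byte(code), []byte(TOTP(tokenSecret, now))) == 1
}

// IsTwoFactor accepts only if every factor verifies AND the factors come from at
// least two different categories: password + PIN is still single-factor.
func IsTwoFactor(factors []Factor) bool {
	seen := map[FactorType]bool{}
	for _, f := range factors {
		if !f.Verify() {
			return false
		}
		seen[f.Type] = true
	}
	return len(seen) >= 2
}

// Login is the laptop sign-on: password (know) plus one-time token code (have).
func Login(pw, code string, now int64) bool {
	return IsTwoFactor([]Factor{
		{Know, func() bool { return CheckPassword(pw) }},
		{Have, func() bool { return CheckToken(code, now) }},
	})
}

func main() {
	now := time.Now().Unix()
	code := TOTP(tokenSecret, now) // what the user's token would show right now
	fmt.Println("token code:", code, "login ok:", Login("correct horse", code, now))
}
```

The type check in IsTwoFactor is the part that enforces the slide's rule; the verifiers themselves can be swapped for a smart-card or fingerprint check without changing it.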
Emerging Authentication Safeguards on Mobile Devices
• Smartphones with fingerprint readers
• Devices that can process handwritten signatures (entered with a stylus)
• Devices that can process voiceprints (entered by speaking a phrase over a smartphone)
Note: You may still want to complement the biometric with a password for cases when the biometric becomes unusable
Security Controls
Viruses and other malicious code
• Antivirus software
  • Automatic updates
  • Some antivirus solutions won’t run on certain handheld devices
  • Even if a handheld is not affected by a virus, it can carry and transmit a virus
• Adware and spyware detection
• Personal firewalls
• Regular patching
Some Helpful Tips to Prevent Mobile Loss
• Password protect sensitive documents
• Tracking and recovery products
• Automatic backups to a secure web server
• Don’t allow, or minimize, data kept on the laptop or mobile device
  • Keep identity theft information off (SSN, DOB, etc.)
• Back up data regularly
• Automatic log-off
Data Loss Prevention Techniques
• Scan databases containing:
  • Patient demographic data
  • Patient health data
  • Diagnostic and procedure codes
  • Inputs from RIS and PAC systems
  • Patient financial data
• Prevent any of the above from going out to unauthorized users
• Audit to confirm access by the authorized recipients: business associates and other covered entities
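The three steps on this slide (scan, block egress to unauthorized recipients, audit) fit together as one small egress filter. The Go program below is an added example, not code from the webinar or from any DLP product it mentions: it scans outbound records for SSN, date-of-birth and ICD-9-style diagnosis-code patterns, holds any record with a hit unless the recipient is on an authorized list (for example a business associate under a BAA), and writes an audit line for every decision. The sample records, the authorized address and the identifier formats are constructed for the demo; a real deployment would tune the patterns to the organization's own data formats.

```go
package main

import (
	"fmt"
	"regexp"
)

// Finding is one sensitive-data hit in a record that is about to leave the organization.
type Finding struct {
	Record int    // index of the record that matched
	Kind   string // which pattern matched
	Match  string // the matched text
}

// patterns are the identifier formats scanned for. The SSN and date formats are
// the usual US ones; the diagnosis-code pattern matches ICD-9-CM style codes
// (e.g. 250.00, V70.0). An ordered slice, so findings come back deterministically.
var patterns = []struct {
	kind string
	re   *regexp.Regexp
}{
	{"SSN", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)},
	{"Date/DOB", regexp.MustCompile(`\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b`)},
	{"Diagnosis code", regexp.MustCompile(`\b(?:V\d{2}|E\d{3}|\d{3})\.\d{1,2}\b`)},
}

// sampleRecords are constructed outbound messages for the demo (fictitious data).
var sampleRecords = []string{
	"Appointment reminder: Dr. Lee, 2 PM Tuesday, bring insurance card.",
	"Patient Jane Doe, SSN 123-45-6789, DOB 04/12/1965, dx 250.00",
	"Radiology report attached; accession RIS-44821, no acute findings.",
	"Balance due $85.50 for visit on 03/02/2009; DOB 11/30/1958",
}

// Scan returns every sensitive-data finding across the records, in order.
func Scan(records []string) []Finding {
	var out []Finding
	for i, r := range records {
		for _, p := range patterns {
			for _, m := range p.re.FindAllString(r, -1) {
				out = append(out, Finding{Record: i, Kind: p.kind, Match: m})
			}
		}
	}
	return out
}

// Release is the egress decision. Clean records go out to anyone; records with
// findings go only to an authorized recipient (e.g. a business associate under a
// BAA) and are otherwise held. Every decision is logged so access can be audited.
func Release(records []string, recipient string, authorized map[string]bool) (sent, held []int, audit []string) {
	hits := map[int]int{}
	for _, f := range Scan(records) {
		hits[f.Record]++
	}
	for i := range records {
		if hits[i] > 0 && !authorized[recipient] {
			held = append(held, i)
			audit = append(audit, fmt.Sprintf("HELD record %d -> %s: %d sensitive-data finding(s), recipient not authorized", i, recipient, hits[i]))
			continue
		}
		sent = append(sent, i)
		audit = append(audit, fmt.Sprintf("SENT record %d -> %s: findings=%d authorized=%t", i, recipient, hits[i], authorized[recipient]))
	}
	return sent, held, audit
}

func main() {
	// Hypothetical BAA partner address, constructed for the demo.
	authorized := map[string]bool{"records@business-associate.example": true}
	for _, to := range []string{"someone@example.net", "records@business-associate.example"} {
		_, _, audit := Release(sampleRecords, to, authorized)
		for _, line := range audit {
			fmt.Println(line)
		}
	}
}
```

Note that the date pattern also flags the visit date in the last sample record: pattern-based scanning over-matches, which is why the held records go to a reviewer rather than being silently dropped, and why the audit trail records the finding count with each decision.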
Encryption: Preventing Unauthorized Access
• HIPAA does not require providers to encrypt patient data; it is an addressable standard
• Encrypting EPHI on laptops and other portable devices can provide additional security if they are lost
• Most experts agree data thieves are far more likely to obtain information by stealing hard drives etc. (data at rest) than by trying to intercept information in transit (data in motion)
• But… OCR specifically required Providence to include policies and procedures regarding technical safeguards governing the use of encryption
Encryption
• Encryption software is becoming more and more accessible both from a cost and use standpoint
• Some states have passed laws requiring encryption of customer personal information. Other states are considering similar legislation.
• Many of the state security breach notification laws provide an exception for data that is encrypted (safe harbor). Some states require encryption as well as encryption key management policies, designed to prevent decryption in the event a person obtains the data and the encryption key.
• And… HITECH Act of ARRA: says that any unsecured PHI must be made “unusable, unreadable, or indecipherable” to unauthorized individuals by a technology standard, which sounds like “encryption”
Encryption
For data at rest
• Laptops
  • Built in to Windows XP/Vista
  • File/folder-based
  • Full disk
• Databases
• Handheld devices, removable memory
  • Encryption of stored data (at least AES 128 bit)
For data in transit
• Secure web connections
• Virtual private networks (VPN)
• Wireless networks
• P2P file sharing
  • File-level encryption is essential
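Two points from these encryption slides are worth seeing in working code: stored data should be encrypted with at least AES 128 bit, and the safe-harbor value of encryption depends on key management that keeps the key away from the data. The Go program below is an added example (not code from the webinar or from any product it names) of file-level encryption with AES-128-GCM, with the key generated separately so it can be held in a key store rather than beside the file. GCM also authenticates the ciphertext, so a modified file is rejected instead of being decrypted to garbage. The patient record is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a random AES-128 key. Under a key-management policy the key is
// held apart from the data (TPM, smart card, key server), never in a file beside it.
func NewKey() ([]byte, error) {
	key := make([]byte, 16)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-128-GCM.
// Layout of the result: 12-byte random nonce || ciphertext || 16-byte tag.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per file; reusing one under a key breaks GCM
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt; it fails for the wrong key or a tampered file.
func Decrypt(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n+gcm.Overhead() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// Recoverable reports whether a given key can read the sealed file: the
// "lost laptop" test, run with the real key (true) and without it (false).
func Recoverable(key, sealed []byte) bool {
	_, err := Decrypt(key, sealed)
	return err == nil
}

func main() {
	key, _ := NewKey()
	record := []byte("Patient: Jane Doe, DOB 04/12/1965, dx 250.00") // constructed sample
	sealed, _ := Encrypt(key, record)
	withoutKey, _ := NewKey() // a random guess, all a thief has without the key store
	fmt.Printf("ciphertext bytes: %d, readable with key: %t, without key: %t\n",
		len(sealed), Recoverable(key, sealed), Recoverable(withoutKey, sealed))
}
```

The separation between NewKey and Encrypt is the design point: if the key is written to the same disk as the sealed file, the encryption no longer buys the safe-harbor protection the state laws describe.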
Comprehensive Data Security with Encryption
Requirement | Preferred Solution
Encryption of all data on the main hard disk | Full-disk encryption is the only solution that addresses this requirement
Encryption of all data on removable media | Full-disk encryption is the preferred method; consider other methods when sharing encrypted information on removable media
Encryption of data files, folders or containers | File, folder, container encryption
Protection from internal threats in media sharing environments | Encryption of granular data objects: disk partitions, containers, folders and files
Prevention of data leakage to removable media | Disk access controls; automatic ‘forced’ encryption of the media or files written to the media
Prevention of data leakage to the network or via e-mail | File encryption by file type and application association
Mobile Device Security
Ensure that you can
• Implement software that will automatically “clear data” for devices that are lost or stolen
• Securely wipe obsolete/no longer in use devices
• Control the software loaded on them
• Enforce device locking
• Identify any additional access the devices can apply to your internal network
Network Security?
Wireless Best Practices
• Use secure networks
  • Private networks
  • Remote access via VPN
  • Web portals using SSL
• Periodic scans (portable wireless scanner, “stumbler”, to find access points and ad hoc (peer-to-peer) nodes)
• Have Intrusion Protection Systems/Intrusion Detection Systems (IPS/IDS) on servers that interface with portable devices
Resource/Reference List
• DRAFT Guide to Enterprise Telework and Remote Access Security: NIST SP 800-46 Rev. 1 www.csrc.nist.gov/publications/drafts/800-46Rev1/Draft-SP800-46r1.pdf
• User's Guide to Securing External Devices for Telework and Remote Access: NIST SP 800-114 www.csrc.nist.gov/publications/nistpubs/800-114/SP800-114.pdf
• Guide to Storage Encryption Technologies for End User Devices: NIST SP 800-111 www.csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf
• CMS Security Guidance for Remote Use www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806.pdf
In Conclusion…
• Laptops and other mobile devices provide increased flexibility and efficiencies for caregivers at the point of care, but with these benefits come inherent possibilities for data loss
• Data loss can have adverse financial and operational impacts on the healthcare organization in the form of fines and penalties, both at the federal and state levels, and bad public relations
• Data loss can have impacts on patients in terms of patient safety and identity theft for financial and medical fraud
• The best approach is to prevent data loss rather than trying to do damage control after the fact
In Conclusion…
• There are numerous, easily applied tools and techniques to prevent the loss of sensitive data on mobile devices, but they must be practiced in conjunction with implementable policies, continuous staff training, communicated sanctions, and contractual protections through enforceable Business Associate Agreements
• Compliance is a continuous process
• In today’s environment, healthcare organizations should always be “audit ready”
Audience Questions
Audio Seminar Discussion
Following today’s live seminar, available to AHIMA members at www.AHIMA.org, “Members Only” Communities of Practice (CoP). AHIMA Member ID number and password required.
Join the e-HIM Community from your Personal Page. Look under Community Discussions for the Audio Seminar Forum.
You will be able to:
• discuss seminar topics
• network with other AHIMA members
• enhance your learning experience
Become an AHIMA Member Today!
To learn more about becoming a member of AHIMA, please visit our website at www.ahima.org/membership to join now!
AHIMA Audio Seminars and Webinars
Visit our Web site http://campus.AHIMA.org for information on the 2009 seminar schedule. While online, you can also register for seminars and webinars or order CDs, MP3s, and webcasts of past seminars.
Upcoming Webinars
• The Intersections between E-Prescribing and HIM: May 19, 2009
• The Legal Health Record and E-Discovery: Where You Need to Be: June 9, 2009
• Auditing for Privacy and Security Compliance: June 23, 2009
AHIMA Distance Education
Anyone interested in learning more about e-HIM® should consider one of AHIMA’s web-based training courses.
For more information visit http://campus.ahima.org
Thank you for joining us today!
Remember: visit the AHIMA Audio Seminars/Webinars Web site to complete your evaluation form and receive your CE Certificate online at:
http://campus.ahima.org/audio/2009seminars.html
Each person seeking CE credit must complete the sign-in form and evaluation in order to view and print their CE certificate.
Certificates will be awarded for AHIMA CEUs.
Appendix
To receive your CE Certificate
Please go to the AHIMA Web site http://campus.ahima.org/audio/2009seminars.html and click on the link to “Sign In and Complete Online Evaluation” listed for this webinar. You will be automatically linked to the CE certificate for this webinar after completing the evaluation.
Each participant expecting to receive continuing education credit must complete the online evaluation and sign-in information after the webinar, in order to view and print the CE certificate.