© 2013 Bitglass CONFIDENTIAL DO NOT DISTRIBUTE
BYOD and HIPAA Friends or Foes?
Welcome – Logistics
• Download the slides for today’s program by clicking the
attachment button on your screen
• The question button allows you to type your questions. We’ll look at
those questions at the end of the program and answer as many as we can
• During the webinar we may ask you, the audience, a question. Please use
the vote button to log your answer
• This webinar will be available immediately after the
presentation at BrightTalk
Today’s Speakers
Sarah E. Swank, Esq.
Principal, Health Law Group
Rich Campagna
VP, Products & Marketing
Today’s Agenda
• Introduction
• HIPAA/HITECH and BYOD
• Practical Solutions for Health Care Providers
• Bitglass Solution
Introduction
[Chart: clinicians collecting data at bedside via mobile, 2013 vs. 2014, 0–50%]
81% of healthcare providers supporting BYOD
BYOD use is exploding…
But so are the fines…
FINED: $1,500,000
HIPAA and HITECH
The History of HIPAA
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Standard Transactions
• Privacy Rule
• Security Rule
Health Information Technology for Economic and Clinical Health
(HITECH)
• Meaningful Use
• New Regulations - September 23, 2013
• Proactive Auditing
• State Attorney General Actions
• Criminal Actions
Overview of New HIPAA Regulations
• Business associates
• Enforcement
• Electronic access
• Marketing
• Fundraising
• No sale of PHI
• Right to request restrictions
Most Frequent OCR Complaints
• Impermissible uses and disclosures of protected health information
• Lack of safeguards of protected health information
• Lack of patient access to their protected health information
• Uses or disclosures of more than the minimum necessary protected health information
• Lack of administrative safeguards of electronic protected health information
The Cost of Non-compliance
HIPAA/HITECH Enforcement
• Mass General employee, who had taken patient files home, left the
folders on a subway train; they were never recovered
• Investigation initiated after media reports of incident and a
complaint from an individual whose PHI was lost
• Settled with OCR through Resolution Agreement and
Corrective Action Plan
HIPAA/HITECH Enforcement
Mass General Settlement
$1 million resolution amount
Corrective Action Plan
Internal monitor
The Hospice of North Idaho
• Fine: $50,000
• Breach: unencrypted laptop computer stolen containing ePHI of 441 patients
• Findings:
  • Had not conducted a risk analysis to safeguard ePHI
  • No policies or procedures to address mobile device security as required by the HIPAA Security Rule
Breach Notifications
• Covered entities and business associates must provide
notification of breaches of unsecured protected health
information
PHI is “unsecured” unless it has been rendered unusable, unreadable, or
indecipherable to unauthorized persons by one of the methods in HHS guidance:
• Encrypted (consistent with the HHS/NIST guidance)
• Destroyed
Only breaches of unsecured PHI trigger the notification duty.
New Technologies, New Focus
1. Recent enforcement focus on mobile
2. Lack of policies and procedures directly addressing mobile
   - Tracking
   - Authentication
   - Security (including encryption)
3. Problem across all sizes and types of entities
4. Check out the “Wall of Shame”: www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
Practical Solutions: Mobile Devices
• Who owns the devices?
• Are personal devices registered?
• Secure information exchange (HTTPS, VPN, etc.)
• Back up PHI on servers
• Remote wipe of data
• Policies and procedures
• Training
Culture of Compliance
Compliance involves active engagement of
leadership within an organization
A successful compliance program includes:
• Employee training
• Vigilant implementation of policies and procedures
• Regular internal audits
• Prompt action plan to respond to incidents
• Analyze, evaluate, and correct potential risk areas
Protect Data
1. Encrypt data anywhere it goes
2. Enforce application access controls
3. Control, filter, encrypt and monitor email
4. Forbid storing data on mobile devices
5. Wipe data immediately if lost or stolen
6. Implement DLP: network, email, web, systems, mobile
7. Use an application delivery framework
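Items 1 and 5 above, and the “unsecured PHI” definition in the breach-notification section, both turn on the same technical point: a record that leaves the data center must be unreadable without a key that is stored somewhere else. The following is an added example, not Bitglass code and not anything from the webinar, showing what that looks like for one ePHI record using AES-256-GCM from Go’s standard library. It assumes the key lives in a device keystore or key-management service and is fetched only for an authorized read; the record, the record ID and the key bytes are constructed for the demo. Because the mode is authenticated, a stolen envelope yields an error rather than plaintext, and so does a copy that has been altered or moved under another record’s ID.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample record for the demo; not real patient data.
const SampleRecord = "MRN 000123 | Jane Doe | DOB 1970-01-01 | Dx: hypertension"

// Envelope is the only form of the record allowed on a device or in a backup:
// a random nonce plus AES-256-GCM ciphertext. The key is never stored with it.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// newAEAD builds an AES-256-GCM cipher; it rejects any key that is not 32 bytes
// so a mis-sized key cannot silently downgrade the cipher.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewKey returns a fresh 256-bit key from the OS CSPRNG. In a real deployment
// (assumption of this example) the key lives in a key-management service or the
// device keystore, never next to the ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts a record and binds it to recordID as associated data, so an
// envelope copied under another record's ID will not decrypt.
func Seal(key []byte, recordID string, plaintext []byte) (Envelope, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(recordID))
	return Envelope{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts and authenticates an envelope. Any change to the nonce,
// ciphertext, tag or recordID makes it fail closed instead of returning garbage.
func Open(key []byte, recordID string, env Envelope) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != aead.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, []byte(recordID))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	env, err := Seal(key, "rec-000123", []byte(SampleRecord))
	if err != nil {
		panic(err)
	}
	// What a thief finds on a lost laptop: nonce + ciphertext, no key.
	fmt.Printf("on disk: nonce=%x ct=%x\n", env.Nonce, env.Ciphertext)

	// Authorized read with the key fetched from the keystore.
	pt, err := Open(key, "rec-000123", env)
	fmt.Printf("authorized open: %q err=%v\n", pt, err)

	// A tampered copy fails authentication rather than yielding altered PHI.
	env.Ciphertext[0] ^= 0x01
	_, err = Open(key, "rec-000123", env)
	fmt.Println("tampered open error:", err)
}
```

The design choice worth noting for a breach investigation is the separation: the envelope can be backed up, synced or left on a stolen laptop and remains “secured” in the breach-notification sense only as long as the key was never on the same device, which is why the key comes from NewKey (or a keystore) at read time and is never written into the Envelope.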
Gov’t Recommendations: Five steps to manage mobile devices
STEP 1: Decide
STEP 2: Assess
STEP 3: Identify
STEP 4: Develop, Document, and Implement
STEP 5: Train
Bitglass
• Security & Compliance: DLP, clientless selective wipe, access control, passcode & encryption enforcement
• Audit & Visibility: audit logs, suspicious activity alerts, etc.
• Deploy in Minutes: lightweight, easy to deploy
• Mobility: anywhere, any device; mobile and laptop
• Transparency: native experience for employees
• Privacy: no capture of personal data
Bitglass BYOD Security
Meets Staff Expectations
Solves IT Pain Points
Case Study
Large Hospital Chain
• Challenge: HIPAA Compliance with Mobile
• Environment: Microsoft Exchange and BYOD
• Why Bitglass?
- DLP and Data Tracking Extend to BYOD
- Does not invade user privacy
- Works with or without MDM (multiple affiliations)
- Bitglass team responsiveness to evolving needs
Questions?
Rich Campagna
Bitglass
Campbell, CA
(408) 203-7090
@bitglass
Sarah E. Swank
OBER | KALER
Washington, DC
(202) 326-5003
@swanksarah