Lewis Creek Systems, LLC
E-mail, Texting, & Mobile Device Hazards
Protecting the Organization from HIPAA Breaches and Ransomware Attacks
Jim Sheldon-Dean, Director of Compliance Services, Lewis Creek Systems, LLC
www.lewiscreeksystems.com
December 27, 2016
© Copyright 2016 Lewis Creek Systems, LLC All Rights Reserved jim@lewiscreeksystems.com www.lewiscreeksystems.com 802-425-3839

HIPAA Privacy, Security, and Breach Rules
- Privacy Rule: establishes the rights of individuals, including confidentiality and access; controls on uses and disclosures, including protecting the confidentiality of Protected Health Information (PHI)
- Security Rule: works with the Privacy Rule to protect electronic PHI; requires a Risk Analysis to identify and plan the mitigation of risks
- Breach Notification Rule: breaches must be reported to the US Department of Health and Human Services and to the affected individuals; an improper use of insecure e-mail or texting may be a breach

The focus of the discussion today is on the HIPAA Privacy, Security and Breach Notification Rules, which are the foundation of the most visible part of HIPAA: the controls on how information is to be used, disclosed, and protected.

The Privacy Rule has been enforceable since 2003 and establishes the framework of the relationship between individuals about whom there is some health information and the organizations that hold that information. It says what the individual's rights are for things such as getting copies of records or asking for corrections to the records, as well as what the organization's responsibilities are for managing the uses and disclosures of that information appropriately. That means there are several policies in place for managing that relationship and its rights and obligations.

The Security Rule has been enforceable since 2005 and works with the Privacy Rule to establish the appropriate safeguards to put in place to protect electronic health information. The rule is very flexible and requires that the organization conduct a Risk Analysis to identify and mitigate any areas of significant risk to the confidentiality, integrity, and availability of health information.

The HIPAA Breach Notification Rule has been enforceable since February of 2010 and requires that reportable breaches of information be reported to the individuals affected as well as to the US Department of Health and Human Services (HHS), and sometimes to the press. It can be very expensive, damaging, and painful to suffer a breach and its reporting, so it is essential not to improperly use or disclose any health information, or it could be a reportable breach. There are examples of what NOT to do on the HHS Web site, where they post all the breaches that affect 500 or more individuals, the so-called "Wall of Shame." These breaches clearly show that the number one cause of a large breach, by number of incidents, is loss or theft of laptops and portable electronic devices. The data makes it clear that this is the most likely security incident to happen, so it is especially important to be vigilant when it comes to these devices.

E-mail, Texting, and Security
- E-mail and texts are inherently insecure
- The HIPAA Security Rule requires consideration of encryption of stored and transmitted PHI
- Risk Analysis indicates that professional communications with PHI must be encrypted over the Internet and at rest on portable devices
- Consumer-grade, plain Yahoo Mail, Gmail, texting, etc., are all insecure means of communication, and their use with PHI for professional purposes may be considered a breach
- Technologies for securing communications are readily available today; use encrypted attachments or secure services
- HHS guidance says plain e-mail with patients is acceptable once the patient has been told of the risks and still prefers it
- Patients have Privacy Rule rights to choose their communications method
- Evaluate the risks, discuss them with the individual, and document the discussion
- The guidance says nothing about texting; the same logic may be applied to texting

Three Issues with Texting
It's a Privacy thing:
- Patients may not appreciate the risks of loss of privacy
- HIPAA requires you to try to meet patient preferences for communication method
- It's a new technology, and people will not understand it fully for quite some time
- Professional communications with PHI MUST be protected per the risk analysis
It's a Medical Records thing:
- Documentation is key to health care
- Regular texting doesn't provide a paper trail of conversations and contacts
- If it's part of patient care, it must be documented properly
It's a Patient Safety thing:
- Triage of incoming messages is essential
- Regular texting doesn't automatically route to the most appropriate individual
- Texts may arrive at all hours, 24/7, and may include a variety of information and situations, including emergencies
- Texting with patients must be managed to protect patients and provide appropriate service

Four Kinds of Communications
1. Personal uses, with no PHI
2. Business purposes, with no PHI
- May use unencrypted communications, plain texting, e-mail
3. Business or professional purposes, with PHI
- Don't include a patient's name or other identifiable PHI in an e-mail message to someone outside of the organization unless it is secured
- Must use secure communications & storage; for example, for texting:
  - WhatsApp is now end-to-end encrypted, with no persistent storage on its servers; copies of every message still remain on each handset and in any backup of the handset, so the device encryption and records requirements still apply
  - WickrMe, a free secure texting app for iOS and Android
4. Communications with patients
- May use insecure communications with patients if they request it
- Must use an integrated communications strategy, more than simply plain e-mail or plain texting; for example:
  - OhMD – http://www.ohmd.com
  - Pingmd – http://www.pingmd.com
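The rule for the third kind of communication above (no identifiable PHI to anyone outside the organization unless the message is secured) is the kind of check an outbound mail gateway can enforce. The following is an added example, not code from the presentation or from Lewis Creek Systems: it parses a message with the Python standard library, looks for common PHI identifiers (SSN, MRN, date of birth), decides whether any recipient is outside the organization's own domains, and blocks unless the message is already in an S/MIME or PGP/MIME envelope or carries an `X-Secure-Delivery` header. The organization domains, the header name, and all sample messages are assumptions constructed for the example.

```python
"""Outbound e-mail gate: PHI identifiers going to an external recipient must
use secure delivery or be stopped. Standard library only."""
import re
from email import policy
from email.parser import Parser
from email.utils import getaddresses

# Assumed organization domains (hypothetical; replace with your own).
ORG_DOMAINS = {"clinic.example", "mail.clinic.example"}

# Loose patterns for common identifiers. A gate should err toward asking
# for secure delivery rather than letting PHI through unnoticed.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b",
                      re.IGNORECASE),
}


def parse(raw):
    return Parser(policy=policy.default).parsestr(raw)


def recipient_domains(msg):
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return {addr.rsplit("@", 1)[-1].lower()
            for _, addr in getaddresses(headers) if "@" in addr}


def leaves_org(msg):
    """True if any recipient is outside the organization's own domains."""
    return any(d not in ORG_DOMAINS for d in recipient_domains(msg))


def message_text(msg):
    """Subject plus every text/plain part, so multipart bodies are covered."""
    parts = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            parts.append(part.get_content())
    return "\n".join(parts)


def phi_hits(msg):
    text = message_text(msg)
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))


def already_secured(msg):
    """S/MIME or PGP/MIME envelope, or the (assumed) X-Secure-Delivery header
    that a secure-messaging gateway would add when it wraps the message."""
    if msg.get_content_type() in ("application/pkcs7-mime", "multipart/encrypted"):
        return True
    return str(msg.get("X-Secure-Delivery", "")).strip().lower() == "yes"


def evaluate(raw):
    """Return (verdict, identifiers found). 'block' means PHI is leaving the
    organization without secure delivery; anything else is allowed."""
    msg = parse(raw)
    hits = phi_hits(msg)
    if hits and leaves_org(msg) and not already_secured(msg):
        return "block", hits
    return "allow", hits


# Constructed sample messages; the identifiers are made up.
INTERNAL = (
    "From: dr.lee@clinic.example\n"
    "To: nurse.park@clinic.example\n"
    "Subject: Follow-up\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "MRN 00483921 needs a callback about today's labs.\n"
)
EXTERNAL = (
    "From: dr.lee@clinic.example\n"
    "To: referrals@otherhospital.example\n"
    "Subject: Cardiology referral\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Please schedule MRN 00483921, DOB 03/14/1962, for follow-up.\n"
)
EXTERNAL_SECURED = "X-Secure-Delivery: yes\n" + EXTERNAL
NO_PHI = (
    "From: dr.lee@clinic.example\n"
    "To: vendor@otherhospital.example\n"
    "Subject: Lunch and learn\n"
    "\n"
    "Can we move Thursday's session to 1 pm?\n"
)

if __name__ == "__main__":
    for label, raw in [("internal", INTERNAL), ("external", EXTERNAL),
                       ("external, secured", EXTERNAL_SECURED), ("no PHI", NO_PHI)]:
        print(f"{label:18} -> {evaluate(raw)}")
```

The internal message is allowed even though it carries an MRN, because the slide's rule is about leaving the organization; the same identifiers to a referral partner are blocked until the secure-delivery marker is present. Patterns like these catch structured identifiers only, so a patient's name in free text still depends on the sender following the rule.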

Laptops, Portable Devices, and Texting
- Physically secure devices when they're not in use
- Don't share use of your device with others
- Don't mix personal and business or patient information
- Laptops and mobile devices must be password protected and encrypted if they provide access to PHI or if PHI is retained on the device
- Do not include any PHI in any regular text or e-mail messages for professional purposes
- Do not take patient photos on personal mobile devices
- If working in a public place, the screen must face away from onlookers
- Follow guidelines when working remotely

If you need to use a laptop or other portable device, such as an iPad or tablet, or even a smart phone, there are a few things to remember. Make sure it is not easily stolen when not in use: keep it hidden if you can, locked up if you can. Whatever you use as a portable device, don't share it with others if it has PHI on it, and keep your personal information separated from any patient information. You don't want to accidentally show a picture of a patient when you're showing off your vacation pictures. Laptops and devices should be password protected no matter what, and encrypted if there is any PHI retained on the device or if the device provides access to patient information systems. Do not include PHI in any text messages, and do not take any patient photos with mobile devices. Make sure to follow guidelines when working remotely, and make sure you remember all the rules. Especially today, if you work in a public area, you should expect that your screen will be photographed and harvested by passers-by. Watch your back.

Preventing Ransomware Attacks
- Malware designed to deny access to your systems and PHI
- Encrypts data & systems; a ransom (in Bitcoin) is demanded for release
- Most ransomware attacks are initiated by opening attachments, visiting infected Web sites, or clicking links that launch an attack
- YOU are the first line of defense for privacy and security
- You MUST be suspicious of ANY attachments or links in messages
- Verify the sending address and the sender's usual message format
- Is the message (and its attachments or links) expected?
- If you are not sure, PICK UP THE PHONE BEFORE you go on, using a number you already have on file, not one printed in the message
- Be suspicious and alert! Attackers may make the message look legitimate
- If you see any suspicious system activity, speak up!
- If you have questions, speak with your manager, Compliance, or IT
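The checks on this slide (is the sending address what it appears to be, is the attachment or link expected, does the message look legitimate) can be partly automated before a message reaches a person. The following is an added example, not code from the presentation or from Lewis Creek Systems: using only the Python standard library it parses a message and reports a display name that shows a different address than the real sender, a Reply-To that goes elsewhere, a sender domain within a small edit distance of a domain the organization knows, attachment types commonly used as ransomware droppers, and HTML links whose visible text names a different host than the href. The known-domain list, the extension list, and both sample messages are assumptions constructed for the example.

```python
"""Inbound message triage: sender, Reply-To, lookalike domain, risky
attachments, and links that do not go where their text says."""
import os
import re
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed domains the organization normally corresponds with (hypothetical).
KNOWN_DOMAINS = {"clinic.example", "lab.example"}
# Extensions commonly used to deliver ransomware droppers (assumed list).
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".jar",
             ".docm", ".xlsm", ".pptm", ".iso", ".zip"}
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT_RE = re.compile(r'https?://([^\s/<"]+)', re.I)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance; a small value against a known domain is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    return domain not in KNOWN_DOMAINS and any(
        edit_distance(domain, k) <= 2 for k in KNOWN_DOMAINS)


def mismatched_links(html):
    """(shown host, real host) for links whose text names a different host."""
    out = []
    for href, text in HREF_RE.findall(html):
        shown = URL_IN_TEXT_RE.search(text)
        real = (urlparse(href).hostname or "").lower()
        if shown and shown.group(1).lower() != real:
            out.append((shown.group(1).lower(), real))
    return out


def triage(msg):
    """Return a list of findings; an empty list means these checks found nothing."""
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)
    if "@" in name and domain_of(name) != from_dom:
        findings.append(f"display name shows {name} but the sender is {addr}")
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To goes to {domain_of(reply)}, not {from_dom}")
    if is_lookalike(from_dom):
        findings.append(f"sender domain {from_dom} resembles a known domain")
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if os.path.splitext(filename)[1].lower() in RISKY_EXT:
            findings.append(f"risky attachment type: {filename}")
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            for shown, real in mismatched_links(part.get_content()):
                findings.append(f"link text says {shown} but points at {real}")
    return findings


def parse_raw(raw):
    return Parser(policy=policy.default).parsestr(raw)


def build_suspicious():
    """Constructed phishing-style sample: spoofed display name, lookalike
    domain, off-domain Reply-To, zip attachment, and a lying link."""
    msg = EmailMessage()
    msg["From"] = '"billing@clinic.example" <alerts@cl1nic.example>'
    msg["Reply-To"] = "payments@mailbox-relay.example"
    msg["To"] = "dr.lee@clinic.example"
    msg["Subject"] = "Overdue invoice - action required"
    msg.set_content("Your invoice is attached. Open it today to avoid suspension.")
    msg.add_alternative(
        '<p>Or pay online at <a href="http://cl1nic-portal.example/login">'
        'https://portal.clinic.example</a></p>', subtype="html")
    msg.add_attachment(b"PK\x03\x04 not really a zip", maintype="application",
                       subtype="zip", filename="Invoice_4471.zip")
    return msg


# Constructed benign sample from a known lab domain, text only, no links.
BENIGN_RAW = (
    "From: Lab Results <results@lab.example>\n"
    "To: dr.lee@clinic.example\n"
    "Subject: Panel ready\n"
    "\n"
    "The panel you ordered is ready in the results portal.\n"
)

if __name__ == "__main__":
    for finding in triage(build_suspicious()):
        print("-", finding)
    print("benign:", triage(parse_raw(BENIGN_RAW)))
```

Each finding maps to one question a person should ask before opening anything: who really sent this, where will a reply go, is the domain the one I know, was this attachment expected, does the link go where it says. A message with no findings is not proven safe; the phone call on the slide is still the check that an automated gate cannot replace.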

Lewis Creek Systems, LLC
Thank you! Any Questions?
Be sure to check with your compliance and IT managers to implement all your required policies and procedures for e-mail, texting, and portable devices.
For additional training resources and a schedule of upcoming seminars and Webinars, please visit http://www.lewiscreeksystems.com/upcoming_public_seminars.html
For additional information, or if you would like to have customized training resources developed and delivered for your organization, please contact:
Jim Sheldon-Dean
Lewis Creek Systems, LLC
jim@lewiscreeksystems.com
www.lewiscreeksystems.com