Healthcare Informatics Magazine | Health IT | Information Technology

Survey: Healthcare Orgs Not Taking Mobile Security Seriously Enough

October 25, 2016
by Rajiv Leventhal

More than half (56 percent) of healthcare professionals believe their organization could be doing more to educate employees on Health Insurance Portability and Accountability Act (HIPAA) compliance and the rules around sharing protected health information (PHI), according to a survey from security and compliance company Scrypt, Inc.

More than three quarters (78 percent) of healthcare professionals use mobile messaging at work, yet when asked if policies existed within their organization relating to the use of mobile messaging specifically, over half (52 percent) of respondents answered ‘no’ or ‘not sure’, according to the survey’s data. And, of those who have sent PHI via mobile messaging, 70 percent confess to having done so using a non-secure application, such as iMessage, WhatsApp or their device’s native messaging client.

As such, more than half of survey respondents believe their organization could be doing more to educate employees on HIPAA compliance and the rules around sharing protected health information. Despite these revelations, the vast majority (80 percent) of respondents consider their own knowledge of HIPAA compliance to be good or very good, which suggests people have more faith in themselves than in others or in their employer.

Human error was cited as the leading cause of healthcare data breaches in 2015, which should serve to remind organizations that people are frequently the biggest vulnerability in the security equation. This considered, it is worrying that many organizations may be falling short when it comes to promoting best practices in line with HIPAA compliance and cyber security more generally, the surveyors concluded.

Other key survey findings include:

  • 65 percent of those who use a mobile device at work also use the same device for personal use.
  • More than half (52 percent) of respondents say they have free rein over the applications they download and use at work.
  • Only a quarter of those who use mobile messaging at work use a secure solution.
  • One in five (17 percent) have sent or received PHI via mobile message, with names (24 percent), telephone numbers (19 percent) and email addresses (13 percent) the commonly shared identifiers.
  • 96 percent use at least one security measure to protect their device; however, of those, one in five (18 percent) use one method only, most commonly passcode or PIN protection.

“We understand the challenges healthcare providers face when it comes to managing and exchanging PHI,” said Scrypt, Inc. CEO, Aleks Szymanski. “In an industry as closely regulated as healthcare, where the margin for error is minimal, it is essential that organizations invest not only in the best HIPAA-secure technology, but also in instilling a culture of security through appropriate training and education.”


House Passes Bill to Align HIPAA, 42 CFR Part 2

June 22, 2018
by David Raths
Clinicians would be able to access entire patient record, including information about substance use disorders

The U.S. House of Representatives recently passed a bill designed to align 42 CFR Part 2 with HIPAA for the purposes of health care treatment, payment, and operations. One goal of the change is to allow care to be better coordinated and to give providers appropriate access to all of a patient’s medical record, including information about substance use disorders.

“Doctors must have the whole picture on a patient’s medical history in order to safely and effectively treat that patient,” said U.S. Rep. Markwayne Mullin (R-OK), sponsor of the bill, in a prepared statement. “This includes any history of substance use disorder. The Overdose Prevention and Patient Safety Act will update the decades-old, outdated law, known as 42 CFR Part 2, which keeps mental health records separate from other health records. H.R. 6082 will modernize how doctors access their patients’ health records by streamlining 42 CFR Part 2 with current Health Insurance Portability and Accountability Act (HIPAA) regulations.”

Earl Blumenauer (D-OR) co-sponsored the legislation.

“It is encouraging that members of Congress recognize the importance of aligning the treatment of substance use disorder (SUD) records with how all other medical and behavioral health records are managed,” said Pamela Greenberg, president and CEO of the Association for Behavioral Health and Wellness, in a statement. “Clinicians need access to a patient’s full medical history, including substance use disorder records, to assess risks and adequately care for a patient. Our members contend that Part 2 is one of the biggest – if not the biggest – barrier to fighting the opioid crisis.”

ABHW is a health plan association working to improve access and quality of care for mental health and substance use disorders.

One Consultant’s Take on GDPR and How It Raises the Stakes for U.S. Healthcare Organizations

April 23, 2018
by Heather Landi

The General Data Protection Regulation (GDPR), Europe’s new framework for data protection laws, is set to go into effect in one month, and the new regulation has far-reaching implications for organizations worldwide that collect personal information about European Union residents. In the U.S., physicians and healthcare providers will be facing new laws regarding the safeguarding of Personally Identifiable Information (PII) for EU patients.

GDPR was adopted in April 2016 and will be fully enforced on May 25, 2018 by the UK Information Commissioner’s Office (ICO). GDPR is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. According to many experts, the regulatory framework pertains to any organization that handles EU data, whether that organization is in the EU or not. The entire regulation can be accessed here, the EU GDPR website's frequently asked questions page can be found here and a breakdown of key changes can be found here.

Moving forward, U.S. healthcare organizations will need to safeguard EU patients’ data based on the GDPR in addition to the Health Insurance Portability and Accountability Act (HIPAA) regulation and other U.S. regulations. The GDPR will affect when and how a healthcare provider must report breaches, and fundamentally changes how personal and sensitive data can be used, processed, managed, stored, deleted and disclosed.

According to the website of the Spiceworks virtual IT community, in a nutshell, “the regulations affect how companies must handle personal user data commonly tracked online. This includes IP addresses, geographic locations, names, home or work addresses, gender, and a wide range of more sensitive information such as health status, political affiliation, religion, and ethnicity, among other things.”

What’s more, the GDPR imposes stiff fines on data controllers and processors for non-compliance, up to 4 percent of the organization’s global annual revenue or 20 million euros, whichever is higher. According to the EU GDPR website, this is the maximum fine that can be imposed for the most serious infringements, such as not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines—a company can be fined 2 percent of global annual revenue for not having its records in order, not notifying the supervising authority and data subject about a breach or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors—meaning “cloud” will not be exempt from GDPR enforcement, according to the EU GDPR website.

According to the Spiceworks virtual IT community, the following are some, but not all, of the provisions organizations collecting or processing any personal data on EU residents must comply with if they want to avoid the risk of incurring potentially large financial penalties:

Privacy by design — Organizations that collect personal data on EU residents can only store and process data when it's absolutely necessary. Additionally, they need to limit access to this personal data on a “need to know” basis.

Consent — Under GDPR, individuals must explicitly opt in to allowing organizations to collect personal data by default. Additionally, an individual's consent can be removed at any time.

Right to access — Organizations must provide an individual residing in the EU with access to the personal data gathered about them upon request.

Breach notification — Under the regulation, in the event of a data breach, organizations must provide notification to affected parties within 72 hours.

Right to erasure — Sometimes called the right to be forgotten, organizations must honor requests to erase personal user data when asked to do so.

Data portability — Organizations must provide a way for individuals to transmit or move data collected on them from one data collector or data processor to another. 

Data protection officers — Organizations that process large sums of GDPR data must assign a data protection officer (DPO).

John Barchie, a security consultant and senior fellow at Phoenix-based Arrakis Consulting, recently spoke with Healthcare Informatics’ associate editor Heather Landi to drill down further into the implications of the GDPR regulation for U.S. healthcare organizations and what steps organizations should be taking now to be compliant with GDPR. Below are excerpts of that interview, edited for length.

What are some of the key requirements of GDPR, and what do healthcare organization leaders need to know about the regulatory framework?

This is a disruptive regulation and it will require organizations to get their legal departments involved. Once it’s understood, it’s fairly straightforward. Healthcare organizations should already be fairly compliant with what GDPR is asking for. If an organization is strongly HIPAA compliant, then it will be much easier for them to absorb GDPR; if they have been going off HIPAA for a while, then GDPR is going to come as a shock.

There are some major categories that they need to be aware of—one is the concept of consent, and then the right to access. When we say the right to access, we mean the data subject’s right to access their own data. And then there is the data subject’s ‘right to be forgotten,’ and the data subject’s right to have their data portable. Then, there are the obligations of the processor and the controller—the controller is the one who is collecting the data from the data subject, and the processor is the one processing that data. If you give your data to a health system, that health system might have a sub-contractor that is processing the data. So, the health system would be the controller and the sub-contractor would be the processor. The controller and processor must have something built in called privacy by design.

The regulation requires a new role to be created called the data protection officer. In terms of HIPAA, it’s similar to the chief privacy officer, but it’s a different concept. The chief privacy officer is responsible for determining when data should legitimately be released. The purpose of the data protection officer is to ensure that the data is processed in a legal manner for the regulation. This role is a requirement if you’re going to be GDPR compliant.

There also are implications with regard to breach notification. In the U.S., we’re used to providing breach notification after our investigation, and with GDPR, you’ll need to inform the supervisory authority within 72 hours of identifying that a breach has occurred.

What steps should healthcare organizations be taking now to be GDPR-compliant?

The first thing is, you need to read the regulations; there are 99 articles within the regulation. The biggest thing organizations can do right now is go over their consent forms and evaluate how they collect the data. And then, on the back end, they need to actually diagram out how their data is processed. With regard to their consent form, that’s going to involve the legal department, as there are new requirements above and beyond what they are used to providing for HIPAA. And on the back end, on the clinical side, they really need to take inventory of where their data is and where it is processed. By that I mean, writing it down and having diagrams and data flows; all the things a regulator is going to look for when they come in and start asking questions.

The fact is, GDPR will be disruptive, and if organizations are starting now they are not likely, in my opinion, to be compliant by May 25. If you’re not going to be compliant May 25, you need to show a willingness to comply. To show that willingness to comply, organizations should, at the very least, have their consent forms ready to go by May 25. Organizations also should know who their supervisory authority is (Article 51 of GDPR). They also should have taken inventory of all the uses and data processes. They should know, in writing, where is that data in the organization and who are we sub-contracting that data out to? The contracts with those sub-contractors also need to be updated. The goal is, if they have a working plan and even if they are only 60 percent done on the working plan when May 25 rolls around, they are probably in good shape, because they have a working plan and they are showing what’s known as a willingness to comply.

At an organization level, who should be involved in this work?

From an executive point of view, this should be a board-level item that the board discusses in a regular meeting and there should be board minutes as to how they intend to address GDPR. The executive steering committee should provide direction on how they intend to address GDPR. A program manager might need to be assigned the task of breaking out the project. The CIO should definitely be involved, as well as the CISO (chief information security officer). The head of customer service also should be involved, and, obviously, the organization’s chief privacy officer. Within IT, there has to be an understanding of where the data is and how it’s being processed. The database administrator, or the system administrator, will need to be involved. It’s not a one- or two-man show and it’s not just something IT does. There’s a lot that IT can’t do because it has to do with privacy and how information is released and handled. But, there is the technical piece that IT needs to do, such as the ‘right to be forgotten,’ that’s a big deal from an IT perspective.

What are the implications for health IT leaders specifically?

With regard to the data subject rights, the biggest one is the ‘right to be forgotten,’ which is a provision that says a data subject has the right to insist on the total and complete erasure of their data. If a data subject doesn’t want to do business with you, you should not be processing their data anymore. And that’s a technical challenge, as, technically, if you’re in a database, you’re in the database forever. With the ‘right to be forgotten,’ there needs to be a mechanism where an organization can guarantee that data is not being processed. That’s a tough row to hoe, especially for healthcare organizations or companies if they use that healthcare data as part of their research, as now that piece of research has been taken away from you, and that is the data subject’s right to say I’m not doing business with you, and by default, you’re not allowed to use my data anymore. That whole concept is foreign to healthcare organizations.

The key is, compliance officers at healthcare organizations need to read up on the regulations as GDPR changes the way organizations handle people’s data. It will be disruptive and already is disruptive to healthcare organizations that are in the middle of all this work.



ONC Names Kathryn Marchesini as Chief Privacy Officer

January 10, 2018
by Rajiv Leventhal

The Office of the National Coordinator for Health IT (ONC) has named Kathryn Marchesini as the federal agency’s chief privacy officer.

Marchesini, who has been working for the federal government since 2010, actually served as ONC’s acting chief privacy officer in 2014 prior to Lucia Savage being appointed permanently. According to an email that Don Rucker, M.D., National Coordinator for Health IT, sent to ONC staffers today, Marchesini “brings to her new role a wealth of experience as a senior advisor and deputy director for privacy at ONC where she advised staff and stakeholders about privacy and security implications surrounding electronic health information, technology, and health research.”

Deven McGraw was the deputy director of health information policy at the Department of Health & Human Services (HHS)’ Office for Civil Rights (OCR), a position she left in October. She had also been filling in as ONC chief privacy officer following Savage’s departure from the agency early in 2017.

Rucker noted that Marchesini has worked with the National Institutes of Health (NIH), and other federal agencies, “to provide strategic direction and substantive expertise at the intersection of privacy and security law, technology, and healthcare.” In her seven years at HHS, she served as deputy director for privacy, where she led ONC’s privacy team and helped with federal policy, guidance, and education initiatives addressing emerging health IT privacy and security-related issues, according to Rucker’s email.

Before joining HHS in 2010, Marchesini was a strategy and technology consultant at two global management consulting firms where she helped clients bridge the gap between business requirements, technology, and law.

There had been talk that ONC would have to eliminate the Chief Privacy Office in the aftermath of President Trump’s 2018 proposed budget, which at the time called for a $22 million cut to ONC funding. But Rucker has said since then that ONC will work together with OCR to support privacy functions.
