Managing Byod and Security: Strategic Insight For Health IT Leaders
+pulse
Strategic insight for health IT leaders
COVER STORY: MANAGING BYOD AND SECURITY
Penn Medicine outlines its approach to network security in the age of consumerization.
02 The Tangled Web: BYOD and HIPAA
03 Health Care Ripe for Near Field Communication Technology
11 Creating HIPAA Compliance in Stage 2
15 Building HIPAA Compliance, Patient Privacy Investment Business Cases
Editor's Letter

The Tangled Web: BYOD and HIPAA

THE BRING-YOUR-OWN-DEVICE, also known as BYOD or consumerization, era is upon us. CIOs familiar with BYOD security we've interviewed at HIMSS and the PHI Protection Network tell us that there's no way to stop it, you can only contain it. If you're lucky.

While presenting the risks of allowing BYOD to senior hospital leadership, don't forget the biggest risk of all: inaction or an outright ban. Employees will use their smartphones to text each other about patient care matters, which probably won't amount to HIPAA-compliant practices. They'll email patient data to each other. Physicians will set up rogue wireless access points to support devices they bring in, opening up your network to unsavory outside entities who cannot believe their good fortune in finding a backdoor to financial and medical identity theft.

Without policies to enforce and security software to monitor devices, lock down the network, encrypt data and remotely wipe lost or stolen devices, the cost of inaction could very well be a data breach in your company's near future. The costs of a data breach, including detection, remediation, support for patients harmed and investigative activities, federal fines, possible civil litigation and overall harm to a health care provider's reputation, are potentially staggering.

That's becoming more and more evident as the HIPAA omnibus rule goes into effect in late September. The new regulation not only brings stronger, more specific privacy and security requirements to health care providers and their business-associate partners, but it also trips off a new system of audits. Even if your facility hasn't experienced a data breach, HIPAA auditors may drop by for an in-depth review of your patient data protection strategies.

One piece of the HIPAA rule has yet to be established: what percentage of the fines the patient who reported HIPAA violations to the federal government will receive, a sort of whistleblower reward. Rest assured, that piece of HIPAA's update for the digital age should be incentive enough to get senior leadership buy-in for IT security and a more HIPAA-compliant technology infrastructure.

Don Fluckinger
News director, SearchHealthIT.com
HEALTH IT TRENDS

Health Care Ripe for Near Field Communication Technology

NEAR FIELD COMMUNICATION technology (NFC), a low-power, peer-to-peer data transport technology perhaps most famously illustrated in Samsung Galaxy smartphone commercials where users tap phones together to pass music playlists and videos to each other, has much potential in health care's future. At least that's what the NFC Forum industry group is betting on, as smartphone tap-to-authenticate features could be part of mobile health devices, as well as potentially part of validating health care providers when they interact with health IT systems.

A coalition of more than 170 manufacturers, app developers and other interested parties, the NFC Forum announced it will form several special interest groups (SIGs) to promote NFC implementation in consumer electronics, health care, the financial services and payment market, retail and transportation.

Health care is a target market, said Chuck Parker,

NFC's Interoperability Play

The nonprofit Continua's stake in the technology stems from its mission to develop plug and play interoperability, using existing industry standards such as NFC and HL7, guidelines and certifications that enable medical-grade and personal health devices to port data to EHRs, personal health records and health information exchanges. Continua has been working on an interoperability certification using NFC for two years, Parker said, and in April 2013 plans to issue guidelines for implementing its tenets in health care.

Parker pointed out that NFC can not only be used to send small packets of data (53 KB to 128 KB), but also can be used to unlock Bluetooth channels for sending larger quantities of data or even a stream over time, such as a timed electrocardiogram strip.

"Looking at smartphones enabled with NFC, [we want to] collect information with a tap-and-go architecture," Parker told SearchHealthIT. He used the example of an NFC-enabled blood-pressure cuff: "So I can take my blood pressure, tap the pressure monitor with my phone, collect that data and send it on to my personal health record or to, perhaps, my physician on the back end."
"... being forced to be more efficient as healthcare reform goes on. I think this is going to be part of the answer."
ED RICKS, vice president of information services and CIO of Beaufort Memorial Hospital, in an interview at HIMSS 2013 on why his hospital is holding off on partnering with an HIE. While he feels it will become an important piece of the IT puzzle soon, there are still too many unknowns to make a major investment.

... Data, speaking about who is responsible for protecting patient data during a presentation at the PHI Protection Network Forum in Cambridge, Mass.
The goal is not just EHR certification and compliance. It is mitigated risk in a continually volatile environment.

• Identify and prioritize implementations.

• Research. You'll know the solution that works best for you only by examining all the possibilities.

• Consider the upsides of an upfront spend. No one wants to pay fines and be faced with a lawsuit because a backup disk or laptop was compromised.

• Train the workforce on new security measures. Your security is only as good as your least-informed team member.

• Test and retest compliance procedures and readiness, and tinker where necessary.

• Investigate customization opportunities that further prepare your team for ongoing compliance.

Making your compliance team part of the solution means they won't be part of the problem. Consult them early and often.

MICHAEL FREDERICK is president and CEO of The Frederick Group.
• Don't focus on financials. Patient care and the overall mission statement of the hospital puts revenue lower on the totem pole than it would be in, for example, a financial institution. Focus on how privacy and security investments will improve patient care and build trust between the community and your organization.

• Explain financial protections gained from new business associate agreements. Market research on data breaches from multiple firms shows business associates

• Frame the argument well. Debunk logical fallacies that senior leadership might believe, such as "HIPAA is a cost center," by saying something like this: "If it weren't for HIPAA, would we throw privacy investment in the trash and forget about patient trust?" Explain that information velocity throughout the enterprise doesn't necessarily

• Quantify risk by showing what happened to other hospitals. Depending on whose research is cited, Holmes said, each data breach costs a hospital $200 to $250 per