ONC Mobile Devices Roundtable: Panel 3

Uploaded by USGOVHHS on 20.03.2012

We're about to start the third panel focusing on real world mobile device privacy practice
strategies and technologies. The moderator for this panel is Mr. David
Holtzman with the U.S. Department of Health and Human Services Office for Civil Rights.
He joined the health information privacy team at OCR in December 2005.
He's currently working in the development and enforcement of the HIPAA Security Rule.
works in collaboration for larger privacy security mobile device and put on today's
event. Prior to joining HHS, Mr. Holtzman was privacy
security officer for Kaiser Permanente's mid Atlantic region responsible for implementing
and directing the continuing compliance with HIPAA security and privacy rules. Ladies and
gentlemen, please welcome David Holtzman.
>> Thank you, Katherine. I'm very glad to be here and thank the ONC
for inviting us to participate and partner in this important discussion.
At this time I would like to invite our panelists -- invite our panelists to come
up on to the stage. Sharon Finney, who is the data security officer
for Adventist Health System in Orlando, Florida.
Dr. James French, who is a hospitalist and health informaticist with Triad hospital.
Carol Herzig with University of Alabama health system and served as their chief information
security officer. Adam Keller with Insights of Pennsylvania,
the informatics jack of all trades. Mickey Tripathi of the Massachusetts electronic
health collaborative where he is the CEO and Mickey can better describe the wonderful activities
at his organization leads him and makes change in.
So at this time, I would like to turn to our panel and give -- panel and give them a minute
to introduce themselves and describe -- give us more information about the organization.
>> Thank you. As David said my name is Sharon Finney, corporate
data officer for Adventist Health System, one of the largest health systems in the United
States. We cover ten states, 44 hospital facilities,
approximately 300 physician practices urgent care centers, home health, DME and a long
term acute care. We have about 65,000 employees in our environment
and support operations for over 12,000 physician, office staff as well as contingent of other
third party users in our environment. The environment we have worked in for the
last at least at the time I have been there the last four years, amazing to me that we
have been utilizing mobile devices in healthcare for a long time.
They're all over our hospitals and clinical care units today.
But there are devices that the organization has held and own and bought and purchased
and secured. As we move forward to look at how we integrate
mobile devices into our environment we were taking the same approach that we have taken
to every other technology we look at in our environment today.
So as we looked at them we look at them from a risk-based perspective and said how are
people going to use them? Will it reside on the device?
How mobile will it be? How is it transported from one device to other
devices so we provided the same risk assessment that we have to any technology we have implemented.
And as a result of that, we separated this into several categories.
The first is that we have defined our user population who wants to use these devices
into two categories. A category of users in the clinical care continuum
and to treat patients and bring their own devices in.
Then we have more a business user that wants to use it.
So our executives want to bring it in and they want to use it like their laptop.
Those are two distinct use cases in the environment and two different sets of data that those
users access. Your executive users have a tendency to lean
more toward unstructured data in the environment and your clinicians generally lean more towards
the structured data in electronic health records and other systems that are used to treat the
patient. As we look at that, we categorize devices
into personally owned devices versus devices that we will purchase and buy and own ourselves.
We have taken basically two independent strategies with that, for the devices that we will own,
we will control them the way we have any other mobile device or any other device that we
implement in our environment. For those devices personally owned, we are
taking right now a container based approach how we deliver to the mobile device so we
look at being able to deliver a set of services to an individual that has a device and we
don't really want to care what that device is. We want to secure data and deliver it to the
device when the user needs it. And I think those are the perform things and
strategies around what we have initially done in adoption of mobile technology at high level.
>> Thank you, Sharon. Dr. French.
>> Hi. I'm James French, I'm a hospitalist.
I'm working at mercy medical center, used to work for Moses health in Greensboro, North
Carolina. We had a problem with our healthcare system.
We had 800 to 1,000 med staff, our hospitalist program has 45 physicians, 50 to 100 admissions
a day and we had to deal with subspecialists under constraints of length of stay and cost
per case. We needed to improve communication.
The med staff had everything from devices purchased by hospital to devices that were
personal. The med staff some would be on the email system,
some wouldn't be. Some said I use a rotary phone, that's what
I use. Some of them had the latest and greatest smart
phone it was a nightmare. We had to convey admissions, transmissions,
discharges death queries every day to the primary care docs, we had to track down the
sub specialists to find out things about patient to get them to the hospital efficiently.
And the end of the day, we developed a secure encrypted private texting network among providers
that we think help and tied that into an online scheduling program that we have had success
with. But this is the kind of healthcare communication
needs that as a physician, this is what I see.
We have been using pagers since 1970, and pagers are not working any more.
Now we have the ability with the smart phones for a new world of physician communication.
I'm excited to be part of that.
>> Thank you, Dr. French. Terrell.
>> Thank you. I'm Terrell Herzig, information officer from
the University of Alabama Birmingham health system. To give you an idea of what UAB specializes
in, we're an academic medical center. Not sure if you have really come towns how
we have a lot of things going on here. Basically we have a couple of hospitals we
admit more than 42,000 individuals and last year we saw more than 1.1 million patients.
In addition to seeing patients and offering the best in care we have the mission of training
new physicians and clinical staff in addition that we also are very active in research,
by that I mean we're one of the top research sponsored hospitals so we have a lot of different
missions which certainly interest in mobile devices are expressed each and every day.
Our facility does have programs where we equip devices and provide them to our faculty but
we also are seeing not only the need for devices such as tablets and must be used in patient
care. And we also have an express interest by our
research community to use these devices on the front lines to collect important research
data. Couple that
>> as a result they have a need to access information from a host of different locations.
Combine all that with today's healthcare expansion and the fact that we're moving away from physical
containers like hospitals and going mobile with our patient care.
As a result of that we need to be mobile with our information.
What Sharon was talking earlier our strategies focus on managing data being device agnostic
because there's always a new device down the road and as a result we need to be able to
look at how that information will be used, what the need to gain access to that information
is going to entail and we build use cases around that.
As a result if we keep data in the data center and provide same access back to the clinician
or physician, then we put our organization with less risk.
We look at different ways to protect it, back in 2005 when we started doing risk assessments
that everyone should be doing. As a result of that we identify mobile devices
as one of our top ten concerns. We have been working on it ever since.
So we want to adopt these devices, we want to make sure they can be of use to our community
but at the same time protect that patient information and make sure we do not result
in a loss of data.
>> Thank you, Terrell. You bring a different perspective from your
vantage point. Can you tell us about that?
>> Yeah. I work for quality insights of Pennsylvania,
part of West Virginia medical institute. We're also the regional extension center for
Pennsylvania as well as Delaware and subcontracting West Virginia for meaningful use to participate
as the REC to help physicians as they transition to electronic medical records.
role in particular, I focus on privacy and security so helping practices meet that privacy
security requirement for meaningful use. Which is conducting security risk assessment
and implementing updates to address those risks.
I'm out there every day visiting practices throughout Pennsylvania in rural urban settings,
mostly small to medium size practice, everything from one physician office to 15 or 16 practice.
I kind of see the whole gamut of adoption of this technology that's a lot of adoption
in mobile technology by providers and larger providers.
It's along the same thing that people talked already.
There's a lot of adoption of technology and often it's the doctor gets a smart phone or
an iPad and wants to try to start using it. And it's kind of I'll say a free for all at
that point. Actually looking at the security risk has
not even occurred to many physicians and practices. When I sought to do security risk assessment
many practices had never performed a risk assessment before.
And often there's a bit of a hurdle to get past complacency, the idea that while there's
no patient information on my device on my smart phone or laptop or tablet, I don't
have to worry about the security. One great challenge with -- that I have seen
with small providers is simply education and awareness.
Helping them understand that different use cases where protected health information ends
up on your device, this could include information outside the electronic medical record system
including text messages. Many answering services send text messages
to physicians to notify them. This will include patient name, phone number,
symptom information. Other documents that may be stored on laptops
or tablets. Email sending and receiving email, those are
downloaded to your device. So with the risk assessment we need to go
outside the electronic medical record system and look at use cases.
What I'll do with them is talk about use cases, what controls are in place, often they
have a passcode on smart phone or password on laptop.
And they'll have antivirus in place and may delete text messages when done with them.
As far as recommending additional controls, I found a lot of great value on the NIST documents,
special publication 800-53, including things like whitelisting software so you know what
software is on that device and you have done your due diligence.
Encryption VPN, authentication, things like that.
So as I mention, with my security risk assessment I would say about half is education, the other
is documenting security risks. And so that's one of the great challenges
for the small providers face is understanding what are reasonable and appropriate security
>> Thank you very much, Adam. You bring a different perspective in your
practice. >> Good afternoon, I'm Nick (inaudible) from
the Massachusetts health collaborative. We're a non-profit organization focusing on
implementation services related to health and implementation technologies, EHR and HIE,
to improve community health which is our non-profit mission.
We have work with a large number of physicians, we're the regional extension center of New
Hampshire confusing since we're Massachusetts health collaborative but we work as a contractor
like Adam's organization in other states so we're in New York, Massachusetts, home state,
and Rhode Island. And our headquarters are in the Massachusetts
medical society which we have strong affiliation. We also have an office in New Hampshire and
Providence, Rhode Island. We're working with 17 to 1800 physicians right
now on meaningful use optimization both as REC formally part of the REC program as well
as for private engagements, though work is largely the same.
I would echo almost everything Adam said in terms of what we experience, working down
at the bottom of the food chain in terms of small practice, we don't work with that many
practices over 4 or 5 clinicians in the practice. One slight difference between Adam and I comparing
notes before, at least with the practices we're working with in New England, amazingly
enough, smart phone penetration isn't that high yet among practices, so most part it's
laptops. So I'll turn to Adam to talk about the experience
with smart phones and things there but I would almost echo everything he said in terms of
what we're encountering on the ground with respect to laptops and mobile devices.
>> Thank you very much, Mickey. So the object of this panel for the next hour,
hour 15 minutes is to engage in a conversation in how to discuss the use and protection of
mobile device in healthcare and specifically in actual medical practices.
Like to invite those of you who are on the -- who are attending in person as well as
those of you who are through webcast, please submit questions to us, we're -- the panel
is interested in hearing from you and answering your questions and bringing issues that so
far haven't been explored. The discussions, practices, and recommendations
that some I have already been handed a stack of questions.
The discussion of practices in the activities that the experts here are going to describe
have not been evaluated by the office for civil compliance with the HIPAA privacy or
security rules or represent guidance by the department of health and human services.
I have done my disclaimer. So Sharon, how does your organization integrate
different mobile devices into your enterprise setting?
>> Hospital systems today whether probably small or large, most hospitals provide some
public Internet access. There are lobbies for patient areas so patients
bring their own devices in. When these devices emerge that's what happens.
They brought them in. And put them on the public network but what
we're seeing is more and more physicians coming in with these devices, then we started seeing
some employees coming in with these devices and with these smart phones and iPads, Androids
that are out there today. And as we saw this evolving in our public network
space we provide in our facility, we started looking at what they were doing.
Were they using them for fun or doing Facebook and those things or are they
actually using them to work out of our environment or do productive things or recreational use.
What we saw, the user population was continuing to evolve into using these devices for more
of that blended culture that we have today which is where you move between work and personal
life. You do it with this device in your hand.
We started interviewing clinicians and physicians and talking to them how they were using these
devices. As our vendors that supply electronic health
record systems and clinical systems also are evolving at the time an developing applications
and mechanisms to deliver applications to these particular form factors.
So we kind of marred with that evolution and when our vendors came together and able to
provide us the mechanisms that connectivity, we created in our environment a segmented
network for physicians. That's a quality service network when physicians
come to our facilities they connect their personal device to that network.
It's not the public network.
They have to register the device with us so we know who they are.
At that point higher level of service on that network than just in our public area.
We're also able to drive the same user experience that they have when they're remote, when they're
out of the office. So it feels like they're connecting the Internet
and coming into accessing the clinical applications they have available to them.
Already from home computer or other remote devices they have.
So that's where we started. Then we progress to look at what about these
employees that are carrying around blackberries and other devices that we corporately owned.
And given. What we found when we polled the users, they
didn't want to carry devices. They didn't work like their smart phone or
whatever they purchased. Majority of people wanted to use their own
device. So then we began to look at now how do we
deliver the services that those users need and deliver them securely to those devices.
We chose the technology that would allow us to do that.
As a result we migrated 70 to 80% of corporately owned blackberries and other devices to personally
owned. And deliver services to those and allow them
to use them in our network environment, they can connect public wireless or use 3G 4G service,
we provide repeaters in our facilities to use that.
So now what we're looking at is how do we increase those services to those devices.
You give them a little bit and then they're going to figure out way to use it or something
they can do better, stronger and faster with it.
So we created some task forces and things to allow us to collect feedback from critical
users groups using these devices. And use that to also had fuel how to build
continuing relationships with our vendors and these device manufacturers so that we start
to bridge that gap. And progress down the path of being able to
deliver what they need to do their work.
>> Thank you, Sharon. Terrell, in your setting, another large setting
but unique challenges. Share how your organization integrates different
mobile devices?
>> Absolutely. As alluded to earlier, we have got everything
from medical students coming in with about every device imaginable.
If it's there we see it presented to us with request to hook up to our network.
Our approach is to develop for use cases to see what these devices will need to interface
with, what data they need. It runs the gamut, anything from simple phone
to be used for keeping up with other individuals with communicating with other physicians to
I need access to some resource out on network device.
So what we do is we put together a group of physicians not unlike Sharon's practice to
identify case, document them and that gave us a set of baseline controls that we need
to implement depending on what the use of the device is.
I think one thing that's critical to note is that these devices are consumer devices, they
don't necessarily have security built in when a user presents them.
We have an obligation as part of our organization to protect that health organization.
There's a fine line not just from the risk perspective but if you take a device and
supporting these types of devices in your environment.
So what we have tried to do evaluate how those devices will be used and put controls in place.
As a result of that we have done what Sharon's group have actively done, you can't directly
connect to our network unless you bring the device in, we can make sure that the controls
fit for what the different types of cases are.
We have a stratified wireless environment. Like Sharon's environment.
We have public WiFi. That's generally open to individuals for their
general use as well as our patients. We don't allow access back to the environment
from that particular segment but we have different internal wireless network to allow you to
interface and I through clinicians to come to our medical care systems with wireless
devices we worked with them to put in place. In light of that, some of the things that
we're looking at now, we have questions, of course about texting, everybody is interested
in texting today. We have a communication system for paging
and things like that where we have a active interest in physician communications and ability
to move away from pagers and more toward these smart devices so forth security controls we
have in place, help that quite a bit. Our primary means of access into our system
is we want to keep the data in the data center. We don't want data moving directly to the
device. We feel like we can keep data off the device
and to the data center, it's lost it's much less risk to the organization.
But also then makes everything more efficient to get back to the the hands of the physician
or staff member. So we have two key ways which we bring people
in if they're outside the network it's through VPN or Citrix.
We require two factor authentication. One of our good wins here lately from a security
perspective is traditionally everybody hated the little dongle for two factor authentication
because it was something else to carry. With the mobile device we can actually push
that control out on the mobile device and make it part of that two factor authentication.
When that went live at UAB we offered about a week to do a swap out with our clinical
staff to bring in your old hardware, we swap them for software versions on mobile devices.
We haven't stopped converting yet. We only advertised once and we continue to
have a whole flood of walk ins every day and I'm proud of that.
Because it increases security and use an ability of people to dual purpose these devices.
>> Thank you, Terrell, for that comprehensive answer.
Mickey, your perspective is completely different. You don't service just one organization you
service hundreds. Can you tell us how you help these smaller
practices clinics integrate mobile devices in the environment?
>> Sure. We encouraged mobile devices from the very
beginning though these are small practices our recommendation was always that they had
-- they use tablets. Your favorite laptop tablet, we were us a
encouraging putting them into the hands of clinics and we still think that's the right
strategy because they do then use it. And then a great form of adoption to be able
to use it off site and go into hospitals as Sharon was describing and have as much of
that seamless experience as possible so there's really using the full benefit of the technology.
That said, there are -- we have become acutely aware and highly sensitive to the risks that
are brought forth by that, not by any experience any practice had but by experience ourselves
have had. A year ago we had a breach ourselves we're
consultants and we perform implementation services for practice practice consultants
had a laptop stolen when the car was parked in the city.
And that laptop was not encrypted at the time. We were ironically enough in the process of
evaluating encryption solutions but the laptop was stolen before we decided on a solution
and had deployed it. Our initial thought was that that all we do,
we don't normally have a full medical record on our EHR, our laptops as consultants but
one thing we do is help practices with data migration from there's almost typically there are certain
amount of rejection in the automated process. So what we do is help practice remediate those
rejections and delete the information, try to do that as much as possible in the office.
And then to the extent stuff -- there's stuff to accomplish in the office put it on the
the device, take care of it, off site, delete all files.
So our initial expectation is there's not that many records thereon, and it's only demographic
information so no big deal. We had a fresh back up of it and lo and behold
discovered that there were a few patient record thereon, namely 14,475 individual records
that shocked all of us. So lesson number 1, more on your laptop than
you realize even when in the position of trying to teach others which is the position
we're in. It was not clinical information per se but
it was PHI, absolutely PHI. So we went through a huge
effort to go through and then the forensic analysis, the remediation process, and what
we have to do to respond and federal and state law as well as what the go forward path
was with respect to our own administrative process, physical and technical safeguards.
Then use that as a lesson learned for the practices.
can couple of practices we try to inculcate, A, don't for a minute think there's no PHI
on your mobile device. Don't for a minute think that's the case.
Because you have all sorts of other stuff there if you're doing scanning, document management
stuff there's always residual there despite what the vendor may claim.
There's many cases we find that clinics want to save stuff locally to work with it at home.
In that case they may know they're not supposed to do it but it happens anyway.
In other cases it's there but they have no idea.
They don't know it's wrong or -- either don't know it's wrong or have no idea.
So those are certainly our experience. The other part of it was related to do you
know who has access to your information and what they're doing with it.
In our case those practices were the victims of a consulting organization who came in and
they didn't have a full appreciation of what we were doing.
Certainly in the electronic world so much happens under the radar.
Certainly if we're going to walk out of the practice with 14,000 paper record someone
would have noticed that. But the fact that it was on our laptop and
everyone was doing the right thing, we have this incident, certainly a lesson learned
and one lesson we give to practices is you need a complete assessment which is like the
security assessment but more from a business perspective and understand who is in your
practice, what they're doing and what they're taking away.
It has to be more than administrative safeguard so we have full needless to say full encryption
on our mobile devices and that's what we're telling they really need as well, full encryption,
whole disc encryption because they have every administrative safeguard in the world but
something will happen at some time and in our case, if that laptop is encrypted we wouldn't
be in the situation we found ourselves in. The best we can do turns out for practices
and helping them get the message is describe our experience so this was an experience that
I wrote column for the HIStalk blog that appear misdemeanor the New York Times so
I got a fair amount of circulation. So we describe the experience to the practice
but also how much it cost us so it ended up costing $300,000 to do the full remediation
of this incident, the 14,000 records, we ended up having to send patient notification, legal
work, forensic analysis, we're a small organization, $300,000, we didn't
get fined by OCR, state government or anything. That was just our cost plus about 600 hours
of staff time to do the full remediation and figure it out.
And if all the other stuff doesn't get the practices attention, that almost always gets
the attention. So that's almost our best tool we have to
convince practices to think more seriously about where they are.
>> Thank you very much. Dr. French, does your organization provide
your physicians and -- both staff or hospitalist physician or referring physicians with devices
or do you allow your physicians to bring their own devices on to your network?
>> We've tried both ways. The problem with hand held devices is initially
driving a car designed specifically for a mechanic, not necessarily a driver.
I have three or four boxes at home full of hand held devices bought for me by the hospital
that I never used ever. What's great about Sharon and Terrell in their
remarks is we're trying to adapt systems to real life experiences of physicians and healthcare
practitioners using these devices we provide a subsidy for the physicians, we not purchase
devices specifically for the physicians. This is much better than actually buying devices
we found. We have to make this work.
And physicians have to be motivated to use them.
Physicians will do something if it meets one of three criteria.
If it makes more money, saves time or improves patient care.
If it meets all three criteria physicians will do it spontaneously.
They won't have to be prompted. If it meets zero they will only do it if you
threaten to fire them. So you have to use a system that will adapt
to whatever they're carrying. And the hospital purchased device we found
didn't seem to work out.
>> Thank you. Adam, your experience is probably a little
bit different. How do you advise your clients on bringing
in devices whether they're provided by the organization or brought in under a bring your
own device policy.
>> I see both out there. As Dr. French mentioned, these devices often
meet the criteria. Practitioners bringing in and adopting them
because they enhanceant to take care of the patient.
I just guide them through the thought process of -- doing the security risk assessment,
thinking about different scenarios you're using your device for, how that ends up storing
protected health information on your device or accessing protected health information
and what are reasonable appropriate security controls to protect that information.
By adopting these technologies there will always be additional risk.
We can't remove the risk. What we can do is we can reduce it to an acceptable
level. Some of the things that I often advise them
with is to go through that process, do it in a thought-out manner, start with policy,
don't jump to the technical solution, define what is appropriate use for these devices
whether it be laptop, smart phones or tablets. Are you permitted to take them off site, if
so, what additional protections are in place. Is personal use acceptable on them?
If so, how are we safeguarding our health information.
Is it permissible to install other pieces of software on the device.
Once you develop the policy and ensure you're enforcing them, I see a lot of policies on
paper that don't hold any water as far as governing behavior.
Once you have done that, you can look at what are the technical safeguards because as Mickey
mentioned you can have policies in the world but someone will lose that laptop and there
will be protected health information on it. You can almost guarantee it.
So then you look at the next layer which is the technical safeguards, and the greatest
one there you probably heard a hundred times today but encryption.
If your devices are leaving the practice, it's hard to understand why you wouldn't encrypt
a device. When I talk to office managers an physicians
and thing, often they're not familiar with something like full disc encryption.
How does that work? We get into a discussion about full disc encryption
and specific of that. You have to be careful with that, not all encryption is equal.
As many know a certain popular tablet, there's hardware encryption but there's ways around
it. How valuable is that encryption, even if it
is a 256 bit encryption. So we have to look at that.
With the smart phone, the consumer products we're starting to get there.
I don't think they're there yet. There's a few that have always supported full
disc encryption but they're playing catch up with that.
If you are familiar with the NSA project fish bowl many heard about at the RSA conference
recently, they were looking for a consumer device that natively supported all of their
encryption and security requirements and they couldn't find one.
I believe they ended up selecting the android due to open architecture and were able to
complement that with their own in house capabilities. So we're not there as far as encryption but
we're getting there.
>> Sharon, could you briefly describe some of the technology that may be available for
mobile device management solutions?
>> I'm from the south so we don't briefly describe anything.
We have looked at multiple mobile management device strategies, from placing an agent on
a device to container based or what we call sandboxed approaches.
Which is more what you see traditionally in this space.
If you have an iPhone you have multiple applications loaded on that iPhone, for the most part those
are little sandboxes. You can operate within that application, whatever
you do in there and when you close it, it's gone.
The issue around I think mobile devices is what Terrell alluded to with this concept
of the device or the data center versus leaving on the device.
When does the device become dangerous to me or a security risk, only when it has the data
on it. So what we did something we really actually
started applying in our laptop world. In house.
We have thousands and thousands of laptops in our environment.
Some we put on carts, some on rough books or things, these rugged devices made for healthcare.
And standard laptops most carry around. We started looking at encryption like most
people, around devices. As we look for the use cases that we had in
the environment a lot of clinical ones didn't have clinical data on them.
They were being used as conduits to get access to the data to use the application.
They weren't creating or storing anything locally. So what we did is create a strategy that said
we're locking those devices down. We don't allow anything to be stored on the
local hard drive, it has no access to network share, no Microsoft products on it. We put
readers on there to read documents if they need to.
That device is for that use case. That's how we'll secure it.
For the ones that are mobile like mine, I can store data locally, I have materials on
it with me, that's fully whole disk encrypted and has appropriate security controls on it.
We took the same approach and said if it's a device that we're only going to deliver
service to or place activation on, we take a lot of management if we're allowed to enter
the network and allow data to be stored locally, at that point we began looking at available
solutions out there to take full control of that device.
I still think there's issues around if that's a personal device.
If someone signs a form that says yes I understand, I give you permission, wipe this if it's lost.
But when it's time to do that it could be a different scenario.
We look at what vendors provide in their environments and they do provide security controls implemented
for these tools that are for devices but they're device-specific.
If you want to go to something that isn't device specific and control multiple devices in the environment
you have to look at a third party software solution and there are multiple ones that
are out there that you can review that are good and have come a long way.
>> Thank you.
>> Dr. French, do you have an IT staff that is dedicated to assisting your organization
and the physicians that you support? If so, how do you keep your IT staff up to
date on the never-ending parade? Like the ones in your closet.
>> We have an IT staff, who else would we yell at.
No, we were just really physicians are really dumb when it comes to IT in general so if
we didn't have an IT staff the thing would shut down in about a day.
Keeping everything updated, because of what we did which is having people use their own
smart phones predominantly for communication, we eliminated a lot of got to update software,
new units, we took that out of the equation. The only thing we update is our texting platform
which we have designed. We had a hand helping design for the healthcare
for our environment. They have been helpful, IT is helpful in pointing
out potential pitfalls making sure we're in compliance and secure.
But the whole idea is to get away from anything to cause a snag in the operation.
>> Thank you. Mickey, I know your organization is primarily
IT professionals. How do you keep your work force on the edge
with the new devices?
>> We're not mostly IT, we have IT professionals so even better.
So we do have IT professionals on staff who keep up with technology but we also live within
larger domain, the Massachusetts Medical Society is a pretty complex organization itself, they
own the New England Journal of Medicine, they have tens of thousands of members so
we have the benefit of leveraging the knowledge and expertise that resides there.
Otherwise, we would be it would be more difficult, we were just a small non-profit consulting
firm and also in the position of advising practices I would feel comfortable in that
>> A viewer from the web has asked earlier you went into NIST and authentication.
Can you go into more detail about what kind of authentication you use on mobile devices?
>> I don't know I can quote the NIST documents verbatim but I can talk about general best
practices as far as identification. One thing I see a lot is complacency around
the idea of that, the password protects all. I see organizations that haven't put thought
into password policies. So we get weak passwords like 1, 2, 3, 4,
or the word password. Raise your hand if I named your password so far.
So I mean, we definitely want to layer our approach and not just rely on that password.
I do really like the idea of two-factor identification especially remote access.
When we come off the Internet that exposes us to additional risk.
So some things like, I forget who it was, it was Terrell mentioned, an app for the
second factor identification as opposed to -- those are becoming more popular especially
with web-based applications. I would also encourage vendors and people
looking at solutions to look at certificate-based authentication.
That is a strong form of authentication and you can authenticate the
device as well as the person, and that would help a lot especially for web based applications.
>> Thank you very much. We have gotten several questions regarding
texting. So I'm going to survey folks, short answer.
Questions are essentially, do your facilities have policies regarding the use of devices
to transmit electronic health information via text.
What about policies of photographing? With personal cell phones?
>> I'll take this one first. Yes, we do
have policies around the use of SMS text messaging for our employees.
Our policy is that at this time it is not a secure method to be used to transmit confidential
or patient-specific information. It is capable of being used as a notification system
or alerting system to allow someone to call back
and have a conversation. The Joint Commission came out and stated that
texting of orders was not permitted. There was no way, two issues.
First, no way to verify the person sending that order is the physician actually holding
that phone. There's no way that the receiving clinician
can verify that. Secondly, there was no way to get that information
into the medical record. And because there's an electronic piece of
the order process has to reside in the medical record.
So that was their two issues around SMS text messaging.
So that's our policy regarding that. Other piece of the question.
>> Use of the smart phone for photographs.
>> We had incidents around this. We consider that as they can have a pocket
camera or iPhone or cell phone with them. There is no way to control that.
There's no mechanism that you can put in place where I get an alert every time someone takes
a picture. So we educate our employees that taking photographs
of patients or family members or in our facilities is not appropriate and not to be done.
If we determine that an employee has violated that, then we have a sanction policy in place
and we do sanction employees for violations at those types of things because I think really,
that's a point where there's invasion of privacy of another person to do that.
So we take that very seriously.
>> Dr. French, you come at this from a different direction and you were describing earlier
in our conversation how the use of the camera phone is very important to your physicians.
>> We allow texting of patient information because the platform is secure and encrypted.
We do not allow people to text orders for the same reasons Sharon brought up but we take
it a step further. We have work rules you are mandated to text.
When a patient comes to the hospital, you are mandated to text the primary care physician
with the name, date of birth and they have been admitted and look in the EMR for the
H and P. When they're discharged, same thing.
If they die, same thing. Text the primary care physician.
We think that's a really important piece to continue. As far as photographs, absolutely.
If the patient approved. It's a good way because encrypted, good way
to get the information out, not just photographs. We can attach EKGs, films, or soon attach
documents. I see this as a big step forward to getting
rid of the pager. So it is important in our practice.
>> Thank you very much.
>> I have a follow-up to that. I wholeheartedly agree with Dr. French that
text messaging is an integral part of the work flow in the clinical world today.
I believe there are secure ways of being able to utilize that in a work flow and many more
technologies have emerged around communications that will bring that more tightly together.
As we have tried to eliminate the number of devices that our physicians have on their
belt every morning when they get up, I don't know if you have seen a nurse lately on a
floor, walking around, but I feel like I need to put a back brace on and give them something
to hold themselves up from all the devices they have strapped on them.
I think that's what unified communications is going to -- is scratching the surface,
being able to deliver that in a secure fashion and it's something we're investigating as
well as how we continue to deliver that.
>> Thank you.
>> David, if I can elaborate on that. A minute or two.
Same statement Sharon and Dr. French are making, for texting of orders, absolutely not.
I think the directives are clear on that. I think organizations are going to increasingly
want to use text. I know our research based community wants
to set up a rapport with today's modern users and texting as a way of actually gathering
research data and things like that, following up patient care there's potential there.
Our organization is approaching it from careful process, we're looking at tools to integrate
into the process that are secure, encrypted and can work with -- you don't have to put
PHI in a text message to have an effective text. We're integrating secure products with our
existing communications product.
>> If we can differentiate between SMS texting and just overall messaging.
Dr. French, correct me if I'm wrong, the solution in place it's a messaging platform.
And I think that's a good point or area to differentiate because there are certain risks
with straight SMS texting versus the encrypted solution that we're discussing
>> Thank you. That's a very important distinction.
>> David, one other comment. One thing that concerns me with the topic
is one of the biggest enemies of security, and perhaps the biggest enemy, is convenience more than
anything else. Not that people are intentionally violating
because they want to violate it, it's because they're trying to do their jobs and they have
a set of tools that make things incredibly convenient, that's becoming more and more
the case with different technologies in place. Any time we try to have top-down policies,
that tell people you can't do the thing that's convenient I worry about what really happens
on the ground. So at least our approach I know it's simplistic
example because we don't do the wide range of things that clinics are doing in a complex
hospital, but was to really rethink our strategy and work from the bottom up, ask the front
line people how do you do your day to day life, how do I integrate a set of tools that
as much as possible can keep your work as convenient as possible so you can get your
job done and I'm going to talk to a clinician yesterday who is an emergency department clinician
that takes hundreds of photos, hundreds of photos on his iPhone.
First he had a question I didn't have the answer to.
Is a photo without identifying information on it PHI?
(inaudible) says yes. Dr. French says no.
This physician didn't know and he said he wasn't sure how much he cared.
He's an emergency room doc, he gets patient permission, he takes a picture of a rash,
sends it to the dermatologist, gets an answer back and feels like I did the right thing.
I did absolutely the right thing. How many other examples do we have of that thing
and how do you prevent it is a real challenge that will be getting a bigger challenge.
>> I'll respond to a couple of comments, I think one key critical thing you mention,
he got the patient's permission. That is the key differentiating factor there.
If the patient gives you permission to the same way he could have said I want to consult
with this other physician, let me have them come in and look at you, same thing using
a photo to do it. I think it's the ones we're concerned about
in the prohibiting factors of policies, is to ensure that our employees are aware that
that can potentially be a violation of someone's privacy if you don't get permission.
There is a use for photographing of things in a clinical setting.
Wound care is an excellent example, to measure how well a wound is healing over time and
we have cameras we provide to clinical staff that that's what they do, that's loaded into
medical record and deleted from the camera itself. I don't want to minimize the impact of using
photographic materials and devices in clinical settings but it's using improperly and ensuring
the patient is aware of exactly what is being done.
>> That deals with privacy but not security aspect.
The other angle that makes it I think difficult when we -- in dealing with small practice
physicians as they're trying to make this transition is they're coming from the fax
world a lot and with faxes, they don't meet any of the standards we talked about.
So the very reason you said you won't allow someone to text is you could not apply that
same logic to a fax but people were faxing hundreds and thousands of times a day in their
practice so it's difficult for people to make the mind shift of wait a minute, I can do
it on fax but not on the mobile device? That's not going to work.
I'll go back to faxing or more likely just do it on the mobile device.
>> This conversation certainly has shown us some areas we need further discussion about securing
information not just in storage but in transmission. And what the patient authorization covers
and extent to which we can protect the information and our responsibilities.
Terrell, as we integrate more mobile devices into intraorganizations of all sizes and scope,
there are a number of security provisions that would be considered.
There should be perhaps some access logging, how do we prepare for contingencies like a
catastrophic event or down time of cellular system or EHR that it is accessing into.
>> Good question, from recent experience with the tornadoes, we went a long period
of time in Alabama without the cellular infrastructure, because it was damaged.
It depends more on devices but we have to plan high availability and use of those systems,
within our healthcare facility we have long since been planning, we build in high availability
format. Along those ends the device we have in medical
care with patients and biomed device we haven't talked much about this morning we look for
technology to allow us to use internal wireless infrastructure as well as cellular infrastructure
in order to deliver high availability.
>> Thank you, Terrell. Adam, how do you help smaller practices, in
clinic, evaluate cost versus the risk. In adopting mobile technologies.
>> The approach to taking security risk assessment is -- I'm focusing a little more on helping
them understand risk. I'll suggest certain controls to put in place
but ultimately you have to leave it to them to determine what is reasonable and appropriate,
what the cost benefit is. I have started using Mickey's experience in
some of my risk assessments, I'll let them know, you know what, if you have a large breach
here is what can happen. It's not just OCR fining you, it is notifying,
for example, if you have a copy of a thousand patients on your laptop.
Notifying a thousand patients and tracking them down, putting your name in the media.
It's legal costs for determining what requirements are, not just for HIPAA but also state level
so I try to help them understand that part of the cost benefit scenario and then once
you talk about that, if you look at $100 to encrypt a laptop, that really puts that into
>> Thank you. With the remaining few minutes we have left
a couple of questions from the web. Sharon -- interesting questions from the web.
Sharon, briefly, how do you handle videos from patients to providers for diagnosis medical
advice? A use case would be people who are viewing
-- who are using the emergency room visit, -- I'm sorry, people being transported to
the emergency room and the emergency medical technicians, use a video link to advise the
physicians. Also another question, do you keep or store
the video?
>> It depends because we operate across ten states.
We also have to consider state law as well as federal mandates from a perspective what
we retain and don't retain. If it is germane and important to treatment
of patient we retain it in our secure medical record system.
Generally with most video feeds that we receive, those are generated by the EMS company that's
their video feed to us. So they store it, not us.
We're just a viewer or participant of that. And that is how we would handle it.
If we provided our own video up links to our EMS, then I would think yes we would probably
store it for some period of time but at some point we roll those off depending what the
retention requirements would be.
>> Thank you. Does anybody else on the panel have anything
to add to that, are they involved in that use case as well?
Thank you. Last question, speaker's prerogative. One of the challenges we have been seeing
at OCR is when an organization allows non -- physicians and other healthcare professionals
who are not -- referring physicians or not admitting practitioners in the practice.
To gain access to the system. How do you manage physical and logical security
of business devices from those who don't normally access your system?
>> We provide a broad level of access to a broad spectrum of users in our
environment. When we provide access to any physician,
whether referring or admitting they have to go through a process to obtain that access
so we put them through a credentialing process to retain those credentials.
In that instance we would not provide them level access that would allow them to store
or retain any data on the device they were accessing it from.
They would only have view access or some type of access to access the information and
nothing would remain on the device itself. So I wouldn't worry about securing their device
per se, then in the event that we also have a process that we use in our environment,
a dormant account review where we go through any account that hasn't been used in 120 days
is disabled. Then the physician would have to if they didn't
use their account in that time have to contact us and have this credential reset so we go
through a re-authorization process. But as far as this having to secure the actual
device, that's something I want to try to stay away from with that user population.
>> Terrell, you're chomping at the bit.
>> I was going to elaborate, similar concept to what Sharon was talking about except we have
a master portal by having physicians sign up for.
We have that signup process, we can give them access credentials, we give them two factor
authentication to get in, their staff as well when they need access to it.
And then they identified patients you want to follow and things like that. They're signed
up as well and when they access portal over links then.
So if their device supports the environment, their device would work as expected.
But other than that, if they're in a facility with a device, it would be treated just like
any other public device, no special access or anything through the portal environment.
>> Adam or Mickey, you're provisioning the providers that are trying to gain access to these systems.
How do you assist your clients in these roaming networks of hospitals they're trying to gain
access to?
>> The thought process I was going through, with the hospital, the hospital will deal
with that. That's one particular use case, so the hospital
will deal with that. I get a little bit more concerned about the practice who wants
to allow referring physician in and short cuts to allow that, given they don't live in
an enterprise typically, now it may be there's a barrier that they would never allow that,
GoToMyPC or any of these software systems, I couldn't mention the brand.
They certainly I think are in an environment to try many, many solutions to figure out
how to do that because it's convenient, not realizing that it's probably not secure.
Not that all work because vendors have put in some protections.
But sometimes stuff happens and stuff gets through and perhaps they -- it's not -- the
environment isn't as secure as was thought. So they're able to use things that aren't
secure as they need to be. So I think at least I think that's the biggest
concern overall how to approach that access.
>> I'll build on that, one scenario I do see, especially as it gets into practices with a
few more physicians, they'll put in their own solution for getting access to their computer.
They'll use a different remote desktop, each physician will use a different remote desktop
program and do their own thing. So look at that use case and come up with a solution
and standardize it. Any time you open something like that you
look to open up risk. But look at visibility.
How do we review and monitor access to the system.
Some of the web-based remote desktop systems generate alerts every time you log in.
Or at least review the log in reports. On one side we have preventive controls we
also want visibility and awareness.
>> Thank you very much. This has been a great conversation.
Our time is almost run but we want to squeeze in one more question that we received from
a viewer. Dr. French, earlier you made reference to
encrypting text messages. The viewer writes they are looking for ways
to do this. How is this accomplished?
>> I can't speak to the actual encryption process, we bought an application that is
-- comes encrypted. As far as controlling access and controlling
people outside the system that do get these messages, all self-delete, so you set the
time period, then it deletes on its own. But all I know for sure is that the encryption
has passed our IT people and it's -- I look like an idiot but so many bit encryption
I can't remember and it seems to pass muster.
>> Thank you very much. I'd like to thank all of our panelists today.
They have done a wonderful job answering questions
off the cuff and thank you for sharing your knowledge.
Thanks to Sharon Finy, Dr. James French, Terrell Herzig, Adam Cellar and Mickey Tripathy.
Joy will come up and give a few closing remarks. Thank you for your attendance and participation