do it right. do it well. - starchapter · responding to negative social media posting a response...

New England Regional Healthcare Risk Management Conference


Post on 26-Jun-2020


Page 1: Do IT Right. Do IT Well. - StarChapter · Responding to Negative Social Media Posting a response that acknowledges patient is in violation of state and federal regulations (e.g. HIPAA)

New England Regional Healthcare Risk Management Conference

Page 2

Do IT Right. Do IT Well.

Managing Social Media & Cyber Risks

Moira Wertheimer, Esq., RN, CPHRM, FASHRM

Vice President, Risk Management Group

AWAC Services Company, Member Company of Allied World

Pauline Barry, BSN, MPS, CPHRM, CPPS, DFASHRM

Assistant Vice President, Risk Management Group

AWAC Services Company, Member Company of Allied World

Page 3

Disclaimer

This presentation is not intended to be and should not be used as a substitute for legal or medical advice. Rather, it is intended to provide general risk management information only. This presentation may contain time-sensitive information. Legal or medical advice should be obtained from qualified counsel to address specific facts and circumstances and to ensure compliance with applicable laws and standards. This presentation may not be reproduced or redistributed without the prior written consent of Allied World.

Page 4

OBJECTIVES

• Define cybersecurity and summarize the journey of social media to date.

• Describe how to use social media to maximize the patient-provider relationship.

• Discuss litigation risks associated with social media use and cyber breaches.

• Identify risk strategies to avoid common cybersecurity pitfalls associated with social media use.

Page 5

Our Hypothesis:

(diagram: Social Media, Legal, Ethics, Compliance, E-Engagement)

Page 6

What is E-Engagement?

Connecting with patients and families through:

• Social Media

• Secure Messaging Platforms

• Patient Portals

• Other Emerging Health Related Technologies

WHY?

• Improved Patient Outcomes

• Higher Patient Experience Scores

• Lower Costs

• Improved Transition of Care

Page 7

How Do We Get There?

(diagram: E-Engagement, built from focus areas I, II, III and IV)

Page 8

Focus I

(diagram: E-Engagement; I Social Media, II, III, IV)

Page 9

I. Social Media

• Educating Healthcare Consumers

• Directing Consumers to their Websites and Landing Pages for Up-to-Date Information

• Marketing Innovative Services

• Publishing Recent Research

Page 10

Social Media Role in Healthcare and Patient Engagement

• Posting Case Information, Photos and Outcomes (with permission)

• Sharing Patient Reviews and Testimonials

• Providing Customer Support and Offerings

• Healthcare Advice

Page 11

Focus II

(diagram: E-Engagement; I Social Media, II Legal, III, IV)

Page 12

II. Legal

• Privacy and Disclosure Regulations

― HIPAA

― State Confidentiality Regulations

• Liability Concerns

― Content Ownership

― False Advertising

― Intellectual Property Infringement

― Unauthorized Activity

― Regulatory Compliance

― Disclaimers

Page 13

Cases/Lessons Learned

• Talbot v. Desert View Care Center (328 Idaho 517 (2014)): Appeal for unemployment benefits denied after the Idaho State Supreme Court ruled that an employee's Facebook rant about a patient violated his employer’s social media policy.

• Case Against Walgreen Pharmacist Leads to $1.4 Million HIPAA Award: A Walgreen Co. pharmacist shared confidential medical information about a customer who once dated her husband.

Page 14

Professionalism – Photographs

Page 15

Learning from Litigation

• Discovery – Social Media Postings

― Proof of Agency Relationship

― False Advertising/Negligent Misrepresentation

― Damages

• Staff Education and Training

Page 16

Focus III

(diagram: E-Engagement; I Social Media, II Legal, III Ethics, IV)

Page 17

III. Ethics

• Access to Private Information

• Access by Others to Individual’s Personal Health Information

• Posting False Information

• Boundary Issues

• Fraudulent Practices

Page 18

Focus IV

(diagram: E-Engagement; I Social Media, II Legal, III Ethics, IV Compliance)

Page 19

IV. Compliance

Risk Analysis

• Privacy

• Security

Monitoring

• Audits

• Access Verification

― Staff

― Vendors and Other Business Associates

• Appropriate Marketing

• Shared Messaging

Page 20

Social Media Tips for Employees

• “Be Real”

• Protect the Patient

• Respect Sensitive Information

• Uphold Job Performance

• Understand Violations of Use

• Pause Before You Post

• Respect the Brand

Source: Social Media Tip Sheet for Sutter Health Network Employees, https://www.sutterhealth.org/pdf/social-media-policy/sutter-health-social-media-tip-sheet-2016.pdf

Page 21

Online Reviews

• For Healthcare Experiences

― Patients and Families

― Organizations

• Issues

― Reliability

― Credibility

― Insight

• Managing Reviews

― Responding to Negative Social Media Ratings


Page 22

Responding to Negative Social Media

Posting a response that acknowledges a patient is in violation of state and federal regulations (e.g. HIPAA).

• Options:

― Ignore the post, if generally benign

― Respond with a generic statement that explains practice/organization privacy rules

― If the patient identifies themselves, consider contacting them off-line to discuss and to remove the post

― Contact local law enforcement immediately if the posting is a threat against a specific individual

Source: AWAC Services Advisory, “Responding to Negative Social Media”

Page 23

Effects of Cyber Attacks on Healthcare

• Clinical Interruption

• Business Interruption

• Organization Reputation Damage

• IT understands technology, but do they appreciate clinical needs – that no interruptions can occur?

Page 24

Internal Risks

• Phishing Attack

• Malicious Disclosure

• Theft of Protected Health Information (PHI)

• Breach of Confidentiality

• Hacking

• Sabotage


Page 25

FDA Guidance

Cybersecurity Bill of Materials

• Software and hardware components susceptible to vulnerabilities

• Resource for device users to respond to potential threats

• Tiers of devices related to cybersecurity risk

― Higher risk – implanted device

― Standard risk – devices with software

Page 26

HHS and OCR Guidance

• Cyber Security Guidance Material

― Insight into how to respond to a cyber-related security incident

• Cyber Security Checklist and Infographic

― Steps in response to a cyber-related security incident

• Ransomware Guidance

― Understanding and responding to the threat of ransomware

• OCR Cyber Awareness Newsletters

― Knowledge of security threats

― Potential security measures

― Reducing ePHI breaches

Page 27

Risk Reduction Strategy 101

Staff Education and Training

• Staff = GREATEST vulnerability

• WHY?

― Organization Failure: Password Requirements, Strength, and Frequency

― Phishing Attacks

― Clicking Malicious Links

― Opening and Responding to Emails from Unknown Senders

― Being Careless With/Sharing Passwords

― NOT Encrypting Mobile Devices

― Not Reporting Violations

― Information Posted Can (and Will) be Used Against Them

― Not Knowing the Cybersecurity Response Plan

Page 28

Bring Your Own Device – Strategies

• Develop/Implement a BYOD Policy

― Ensure employees acknowledge in writing

• Use of Two-Factor Authentication

• Maintain Separate Personal and Professional Devices

― E-Discovery

― HIPAA


Page 29

Mitigating Cybersecurity Risks

• ENCRYPTION – EVERY Device

• “Bring Your Own Device” [BYOD] Policy

• Device and Media Control Policy

• Passwords

• Access Control

• Defense in Depth

• Staff Education and Awareness

• Incident Response Plan with Breach Notification

• Drills/Audits


Page 30

Final Thoughts

Social Media is Here to Stay

Cybersecurity is EVERYONE’s Responsibility

• Perform Risk Assessments

• Drill Incidents/Response

• Limit Data Available to Vendors

• Require Demonstration of Vendor’s Security Systems

• Encourage Appropriate Social Media Use


Page 31

Conclusion

E-Engagement is constantly evolving and requires ongoing organizational investment and education.

Social Media + Legal + Ethics + Compliance =

Page 32

Resources

• InfoArmor “Protecting Your Privacy: Best Practices for Mobile, Social and Search Settings” www.infoarmor.com

• AHIMA “Social Media + Healthcare” http://library.ahima.org/doc?oid=103686#.W-Gh0jaWw2w

• Mayo Clinic Social Media Policy https://sharing.mayoclinic.org/guidelines/for-mayo-clinic-employees/

• Sutter Health Social Media Policy https://www.sutterhealth.org/pdf/social-media-policy/sutter-health-social-media-policy-2016.pdf

Page 33

Resources

• FDA In Brief, October 2018 https://www.fda.gov/NewsEvents/Newsroom/FDAInBrief/ucm623624.htm

• Health & Human Services, Office of Civil Rights, Cyber Security Guidance Material https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html

• Federation of State Medical Boards: Model Policy Guidelines for the Appropriate Use of Social Media and Social Networking in Medical Practice http://www.fsmb.org/pdf/pub-social-media-guidelines.pdf

Page 34

Contact Information

Moira Wertheimer, Esq., RN, CPHRM, FASHRM

Vice President, Risk Management Group

AWAC Services Company, Member Company of Allied World

[email protected]

Pauline Barry, BSN, MPS, CPHRM, CPPS, DFASHRM

Assistant Vice President, Risk Management Group

AWAC Services Company, Member Company of Allied World

[email protected]