TRANSCRIPT
New England Regional Healthcare Risk Management Conference
Do IT Right. Do IT Well.
Managing Social Media & Cyber Risks
Moira Wertheimer, Esq., RN, CPHRM, FASHRM
Vice President, Risk Management Group
AWAC Services Company, Member Company of Allied World
Pauline Barry, BSN, MPS, CPHRM, CPPS, DFASHRM
Assistant Vice President, Risk Management Group
AWAC Services Company, Member Company of Allied World
Disclaimer
This presentation is not intended to be and should not be
used as a substitute for legal or medical advice. Rather it is
intended to provide general risk management information
only. This presentation may contain time sensitive
information. Legal or medical advice should be obtained
from qualified counsel to address specific facts and
circumstances and to ensure compliance with applicable laws
and standards. This presentation may not be reproduced or
redistributed without the prior written consent of Allied
World.
OBJECTIVES
• Define cybersecurity and summarize the journey of social media to-date.
• Describe how to use social media to maximize the patient-provider relationship.
• Discuss litigation risks associated with social media use and cyber breaches.
• Identify risk strategies to avoid common cybersecurity pitfalls associated with social media use.
Our Hypothesis:
[Diagram: Social Media, Legal, Ethics, Compliance, E-Engagement]
What is E-Engagement?
Connecting with patients and families through:
• Social Media
• Secure Messaging Platforms
• Patient Portals
• Other Emerging Health Related Technologies
WHY?
• Improved Patient Outcomes
• Higher Patient Experience Scores
• Lower Costs
• Improved Transition of Care
How Do We Get There?
[Diagram: E-Engagement, focus areas I–IV]
Focus I
[Diagram: E-Engagement – Social Media (I), II, III, IV]
I. Social Media
• Educating Healthcare Consumers
• Directing Consumers to their Websites and
Landing Pages for Up-to-Date Information
• Marketing Innovative Services
• Publishing Recent Research
Social Media Role in Healthcare and Patient Engagement
• Posting Case Information, Photos and Outcomes (with permission)
• Sharing Patient Reviews and Testimonials
• Providing Customer Support and Offerings
• Healthcare Advice
Focus II
[Diagram: E-Engagement – Social Media, Legal (II), III, IV]
II. Legal
• Privacy and Disclosure Regulations
 ― HIPAA
 ― State Confidentiality Regulations
• Liability Concerns
 ― Content Ownership
 ― False Advertising
 ― Intellectual Property Infringement
 ― Unauthorized Activity
 ― Regulatory Compliance
 ― Disclaimers
Cases/Lessons Learned
• Talbot v. Desert View Care Center (328 Idaho 517, (2014))
Appeal for unemployment benefits denied after the Idaho State Supreme Court ruled that an employee's Facebook rant about a patient violated his employer’s social media policy.
• Case Against Walgreen Pharmacist Leads to $1.4 Million HIPAA Award
A Walgreen Co. pharmacist shared confidential medical information about a customer who once dated her husband.
Professionalism – Photographs
Learning from Litigation
• Discovery – Social Media Postings
― Proof of Agency Relationship
― False Advertising/Negligent Misrepresentation
― Damages
• Staff Education and Training
Focus III
[Diagram: E-Engagement – Social Media, Legal, Ethics (III), IV]
III. Ethics
• Access to Private Information
• Access by Others to an Individual’s Personal Health Information
• Posting False Information
• Boundary Issues
• Fraudulent Practices
Focus IV
[Diagram: E-Engagement – Social Media, Legal, Ethics, Compliance (IV)]
IV. Compliance
Risk Analysis
• Privacy
• Security
Monitoring
• Audits
• Access Verification
― Staff
― Vendors and Other Business Associates
• Appropriate Marketing
• Shared Messaging
Social Media Tips for Employees
• “Be Real”
• Protect the Patient
• Respect Sensitive Information
• Uphold Job Performance
• Understand Violations of Use
• Pause Before You Post
• Respect the Brand
Source: Social Media Tip Sheet for Sutter Health Network Employees, https://www.sutterhealth.org/pdf/social-media-policy/sutter-health-social-media-tip-sheet-2016.pdf
Online Reviews
• For Healthcare Experiences
― Patients and Families
― Organizations
• Issues
― Reliability
― Credibility
― Insight
• Managing Reviews
― Responding to Negative Social Media Ratings
Responding to Negative Social Media
Posting a response that acknowledges the patient violates state and federal regulations (e.g., HIPAA).
• Options:
 ― Ignore the post, if generally benign
 ― Respond with a generic statement that explains the practice/organization privacy rules
 ― If the patient identifies themselves, consider contacting them off-line to discuss and to remove the post
 ― Contact local law enforcement immediately if the posting is a threat against a specific individual
Source: AWAC Services Advisory, “Responding to Negative Social Media”
Effects of Cyber Attacks on Healthcare
• Clinical Interruption
• Business Interruption
• Organization Reputation Damage
• IT understands technology, but do they appreciate clinical needs – that no interruptions can occur?
Internal Risks
• Phishing Attack
• Malicious Disclosure
• Theft of Protected Health Information (PHI)
• Breach of Confidentiality
• Hacking
• Sabotage
FDA Guidance
Cybersecurity Bill of Materials
• Software and hardware components susceptible to vulnerabilities
• Resource for device users to respond to potential threats
• Tiers of devices related to cybersecurity risk
 ― Higher risk – implanted device
 ― Standard risk – devices with software
HHS and OCR Guidance
• Cyber Security Guidance Material
 ― Insight into how to respond to a cyber-related security incident
• Cyber Security Checklist and Infographic
 ― Steps in response to a cyber-related security incident
• Ransomware Guidance
 ― Understanding and responding to the threat of ransomware
• OCR Cyber Awareness Newsletters
 ― Knowledge of security threats
 ― Potential security measures
 ― Reducing ePHI breaches
Risk Reduction Strategy 101
Staff Education and Training
• Staff = GREATEST vulnerability
• WHY?
 ― Organization Failure: Password Requirements, Strength, and Frequency
 ― Phishing Attacks
 ― Clicking Malicious Links
 ― Opening and Responding to Emails from Unknown Senders
 ― Being Careless With/Sharing Passwords
 ― NOT Encrypting Mobile Devices
 ― Not Reporting Violations
 ― Information Posted Can (and Will) be Used Against Them
 ― Not Knowing the Cybersecurity Response Plan
Bring Your Own Device – Strategies
• Develop/Implement a BYOD Policy
― Ensure employees acknowledge in writing
• Use of Two-Factor Authentication
• Maintain Separate Personal and Professional Devices
― E-Discovery
― HIPAA
Mitigating Cybersecurity Risks
• ENCRYPTION – EVERY Device
• “Bring Your Own Device” [BYOD] Policy
• Device and Media Control Policy
• Passwords
• Access Control
• Defense in Depth
• Staff Education and Awareness
• Incident Response Plan with Breach Notification
• Drills/Audits
Final Thoughts
Social Media is Here to Stay
Cybersecurity is EVERYONE’s Responsibility
• Perform Risk Assessments
• Drill Incidents/Response
• Limit Data Available to Vendors
• Require Demonstration of Vendor’s Security Systems
• Encourage Appropriate Social Media Use
Conclusion
E-Engagement is constantly evolving and requires ongoing organizational investment and education.
Social Media + Legal + Ethics + Compliance =
Resources
• InfoArmor, “Protecting Your Privacy: Best Practices for Mobile, Social and Search Settings,” www.infoarmor.com
• AHIMA, “Social Media + Healthcare,” http://library.ahima.org/doc?oid=103686#.W-Gh0jaWw2w
• Mayo Clinic Social Media Policy, https://sharing.mayoclinic.org/guidelines/for-mayo-clinic-employees/
• Sutter Health Social Media Policy, https://www.sutterhealth.org/pdf/social-media-policy/sutter-health-social-media-policy-2016.pdf
Resources
• FDA In Brief, October 2018, https://www.fda.gov/NewsEvents/Newsroom/FDAInBrief/ucm623624.htm
• Health & Human Services, Office of Civil Rights, Cyber Security Guidance Material, https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html
• Federation of State Medical Boards, Model Policy Guidelines for the Appropriate Use of Social Media and Social Networking in Medical Practice, http://www.fsmb.org/pdf/pub-social-media-guidelines.pdf
Contact Information
Moira Wertheimer, Esq., RN, CPHRM, FASHRM
Vice President, Risk Management Group
AWAC Services Company, Member Company of Allied World
Pauline Barry, BSN, MPS, CPHRM, CPPS, DFASHRM
Assistant Vice President, Risk Management Group
AWAC Services Company, Member Company of Allied World