SECURITY ISSUES AND SOLUTIONS RELATING TO SOCIAL MEDIA IN HEALTH INFORMATION EXCHANGE

Angel Hoffman, RN, MSN
Phyllis A. Patrick, MBA, FACHE, CHC

HIPAA Summit West
October 5, 2010


Agenda

• Introduction - The Social Media Revolution
• Social Media in Health Care
• Privacy and Security Issues
• Social Media and Health Information Exchange
• Risk Areas and Security Issues With hie and Social Media
• Strategies and Solutions for Achieving Security in Social Media Use

“One trouble with trouble is that it usually starts out like fun.”

Author unknown

The Social Media Revolution

“Is Social Media a Fad or the Biggest Shift since the Industrial Revolution?”

http://www.youtube.com/watch?v=lFZ0z5Fm-Ng

Evolution of Social Media

• Who are the players?
• Generational differences:
- Generation Z (Provide Too Much Info, Invitations, Dating)
- Millennials or Generation Y (Work Place)
- Baby Boomers and Generation X
- Traditionalists (Newest Group To Join)

Social Media in Health Care

• Keeping Medical Information Confidential?
• How Does the Industry Protect It?
• What Do We Want As Consumers?
• What If A Patient’s Picture or Medical History Is Posted?
• Compare What Is Posted With the 18 Identifiers?

Corporate Uses

• Marketing
- Advertising
- Patient Relations
- Newer Method of Connecting Companies to Consumers
• Human Resources
- Recruitment
- New Hires
- Informal Background Checks (e.g. Facebook)

Privacy and Security Issues

• Breaches and Breach Notification Requirement
• Risk of Exposure To Patient
• Risks to Organization
• Education
• Organizational Policies
• Sanctions

What Employers Need to Know

• Know Your Employees (Generational Differences)
• Attitudes of Work Force (Social Mores)
• Method of Communication (Technology Tool)
• Responsibility to the Public
• Importance of Social Media and Sanctions Policies
• Consequences for Loosely Distributed Policies (Financial and Reputational Losses)

Legal Implications and Risks

• Confidentiality
• Breach of PHI (e.g. Pictures of Patients Without Authorization)
• Loss of Proprietary Information/Trade Secrets

Social Media Strategies

• Culture
• Code of Conduct
• Acceptable and Unacceptable Behavior
• Policies
• Sanctions

Note: Multiple Examples Affecting Employees and Their Companies Currently in the News

Social Media and Ethics

Technology is Here To Stay So…

• How Do We Deal With It As A Society?
• What Ethical Issues Have Arisen?
• Just Because Something May Be Deemed Legal, Doesn’t Mean It Is Ethical…
• Social Media + Ethics = A Social Dilemma and Need For Balance.

Health Information Exchange Involves

• Contents of Email

• Access to Information

• Storage of Information

• Exchange of Information

Social Media and Health Information Exchange

• Purpose of HIE: to advance the delivery of patient-focused health care across a delivery network by collaboratively leveraging information technology and clinical data exchange.

• Goal: to provide the infrastructure so that patient information can be securely and appropriately shared electronically between health care providers where and when it is needed

• Effective HIE: requires that the Security CIA standard be met (Confidentiality, Integrity, Availability)

• HIE is integrated with Meaningful Use Criteria (HIPAA/HITECH)

Status of Health Information Exchange

• HIE sustainability gaining ground
• New challenges emerging related to federal policy and governance of HIEs
• Functionality among HIEs and the ability to meet Meaningful Use criteria increasing
• Patient engagement, time and attention increasing, with patients gaining access control (opt-in/opt-out)
• Complexities of security and privacy addressed through HIE initiatives, including patient control of access to their information

HIE and “hie”

• HIE: “the activity of secure health data exchange between two authorized and consenting trading partners (a data supplier and a data receiver). Third parties may be involved as facilitators operating between the data supplier and the data receiver, and/or as storing, transmitting, or receiving data on behalf of a data receiver.” (HIMSS)

• hie: Health Care Communications between patients and providers, providers and providers, patients/providers and insurance companies, patients and community organizations, etc. Exchange and movement of health information in an increasingly information-centric environment.

Risk Scenarios & Security Issues

• E-prescribing
• Patient Portals, Including Direct
• Communications with Providers
• Provider Portals
• Alerts to Providers
• Alerts to Patients
• Consultation/Referral Services
• Results Delivery (Tests, Imaging)

Risk Scenarios & Security Issues

• Partners/Vendors without HIPAA Responsibilities
• Public Health Surveillance Systems
• Syndromic Surveillance Systems
• Public Health Emergencies
• Bioterrorism Events
• Patient Consent Issues

Patient Consent Issues

Recognize that advanced technologies that would enable patients to specify which specific portions of their records could be accessed by a particular organization are not yet ready for implementation.

Devising A Security Strategy that fits Your Use of SOCIAL MEDIA

Keep in mind…

“Growing research suggests that many security vulnerabilities are not failures of technology, but failures at the human resources and leadership level.”

Security By Collaboration: Social Media & Security, 1105 Government Information Group

Strategies and Solutions: Social Media in “hie”

• Policies
- Expectations and Boundaries for Workforce
- Operational Guidelines for Social Media Workers and Others
• Patient and Provider Portals
• Health Care Consumer Focus
• Encryption
• Cloud Computing
• Software Solutions
• Patient Advocacy

Social Media/Networking Best Practices Checklist

• Have you conducted a reality check? Is your organization taking ownership of what’s happening with social networking? Is your primary interest how to restrict the use of social media or how to enable it?
• Does your organization recognize that social networking is about COMMUNICATION, not the individuals who participate?
• Does your organization view social media as a highly effective information gateway?
• Have you asked your workforce: how can our organization take advantage of the benefits of social media and avoid the pitfalls?

Checklist (Cont’d)

• Does your organization recognize that to embrace social media technology is a risk-based decision, not a technology-based decision?
• Have you developed a strong business case, supported at the appropriate level for each department/functional area, considering the organization’s Mission/Vision/Values, possible threats, technical capabilities, and potential benefits?
• Does your IT organization understand that the goal should not be to say “No” to social media, but to follow good security guidance, with effective and appropriate information assurance security and privacy controls?

Checklist (Cont’d)

• Does your organization have a policy addressing Social Media? Does the policy reflect the viewpoints and needs of various stakeholders (e.g. patient care, research, education constituents)?
• How does the policy support the Mission/Vision/Values of your organization?
• How does the policy affect your relationship with business partners and vendors/contractors?
• How do you conduct training on the appropriate use of Social Media (at work and off work)? Are you including the appropriate use of SM in an updated, more effective, overall Security and Privacy Awareness Training Program?

Checklist (Cont’d)

• How will you capture the social media traffic, audit, analyze, and use it for security and privacy investigations, as appropriate?
• Have you reviewed Regulatory Notice 10-06 from FINRA to determine its applicability to your organization and how you might use the recommendations to strengthen your Social Media program? (Note: FINRA provides guidance on the responsibilities of companies to supervise the use of social networking sites.)
• How does your organization plan to use social media to generate new strategies, engage and learn?
• Remember that a good policy is just the start. You still have lots of work to do.

Best Practices: Policies

Vanderbilt University Medical Center: Social Media Policy

• Includes contributions from a wide range of individuals and stakeholders, with varying interests and requirements
• Represents effective collaboration and governance processes across the organization
• Includes recognition of the power of social media to engage patients and enhance communication, while also including risk recognition
• Provides parameters for faculty and staff that work to protect them, VUMC’s brand and reputation, and the privacy of patients

Best Practice? New Patient Consent

The Markle Foundation’s “blue button” model for offering patients easy access to their records via secure websites may hold promise.

Patient Consent is “not solely an interoperability problem to be solved based on technical specifications”. Clear policies and policy requirements are needed.

CMS assumes that “standardized consumer preferences will be electronically exchanged across heterogeneous entities, integrated into various applications and workflows, and that subsequent changes in permissions will be propagated among data-sharing partners, automatically limiting the use of that data at remote sites. In essence, the assumption is that the consumer’s preferences go with the consumer’s data as it flows from entity to entity, and become the rules for re-use every place they appear subsequently. Although this sounds logical in the abstract, it is not a practical experience today. “Consumers receive care across a broad range of providers at varying stages of technology adoption and use.”

Where Are We Going?

[When patients] “…participate more actively in the process of medical care, we can create a new healthcare system with higher quality services, better outcomes, lower costs, fewer medical mistakes, and happier, healthier patients. We must make this the new gold standard of healthcare quality and the ultimate goal of all our improvement efforts.”

Not better hospitals. Not better physician practices. Not more sophisticated electronic medical systems. Happier, healthier patients.

—Charles Safran

Questions

Tools and Resources

Tom Ferguson, MD, “e-Patients: How They Can Help Us Heal Health Care”, e-Patient Scholars Working Group

Chris Boudreaux, “Analysis of Social Media Policies: Lessons and Best Practices” (socialmediagovernance.com)

David Blumenthal, M.D., M.P.P. and Marilyn Tavenner, R.N., M.H.A., “The Meaningful Use Regulation for Electronic Health Records”, NEJM, July 13, 2010

e-Health Initiative, “The State of Health Information Exchange in 2010: Connecting the Nation to Achieve Meaningful Use: A Report Based on the Results of the eHealth Initiative’s 2010 Annual Survey of Health Information Exchange” (ehealthinitiative.org)

More Tools and Resources

Ali S. Khan, MD, MPH, Aaron Fleischauer, PhD, Julie Casani, MD and Samuel L. Groseclose, DVM, “The Next Public Health Revolution: Public Health Information Fusion and Social Networks”, American Journal of Public Health, July, 2010

The Markle Foundation, “Advancing Health in a Connected World: 'Meaningful Use' of Electronic Health Records”, January, 2010

“Social Media Web Sites: Guidance on Blogs and Social Networking Web Sites”, Regulatory Notice 10-06, Financial Industry Regulatory Authority (FINRA), January, 2010

“Guidelines for Secure Use of Social Media by Federal Departments and Agencies,” Information Security and Identity Management Committee (ISIMC) Network and Infrastructure Security Subcommittee (NISSC) Web 2.0 Security Working Group (W20SWG), September, 2009

Angel Hoffman
Angel@aphccompliance.com
412-559-6703

Phyllis A. Patrick
Phyllis@aphccompliance.com
914-696-3622