Operating in a regulated industry, like healthcare, adds a layer of complexity to many things – including mobility. While enterprises in other industries may be concerned about security – health-related organisations and their business associates are obliged by law to conform to detailed rules around storing and sharing sensitive data.
Download this white paper to discover how healthcare organisations are able to remain compliant and enable mobile workers, and learn how your business can do the same.
ENABLING MOBILE USERS AND STAYING COMPLIANT
How Healthcare Organizations Manage Both
BlackBerry

Enabling Mobile Users and Staying Compliant: How Healthcare Organizations Manage Both

Operating in a regulated industry, like healthcare, adds a layer of complexity to many things - including mobility. While enterprises in other industries may be concerned about security, health-related organizations and their business associates are obliged by law to conform to detailed rules around storing and sharing sensitive data.

In the U.S., conforming got a little tougher in the fall of 2013, when changes to the Health Insurance Portability and Accountability Act (HIPAA) were implemented. These updates enhance a patient's privacy protections, provide individuals with new rights to their health information, and strengthen the government's ability to enforce the law. In particular, they "expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Some of the largest breaches reported to the Department of Health and Human Services (HHS) have involved business associates."1

Penalties for noncompliance are stiff, topping out at $1.5 million per year for violations of a single provision. In the last 3 years, there have been over 70,000 HIPAA violation complaints.2 These new rules add to an already complex governance structure, as healthcare workers store and share more and more sensitive information on mobile devices. Those devices are often now BYOD (Bring Your Own Device) - smartphones and tablets staff own personally and bring for use at work.

While some accounts suggest BYOD has widely penetrated the healthcare world (as much as 85% by 2012, according to one study), the reality is that what users can do with those devices at work varies greatly.3 That is because healthcare providers are struggling to enable collaboration and efficient workflows while still complying with regulations. It's a tricky balance. On one hand, management understands that information must flow between the physicians and administrative staff it needs to reach. On the other, they are well aware that, handled inadequately, these simple exchanges may result in million-dollar fines.

According to one industry insider, "Most hospitals are grossly noncompliant. All clinical staff and most administrative staff are just doing what they can to get things done... sharing information and not having any sort of an audit trail is really problematic. That is a HITECH violation and a HIPAA violation." He adds that some hospitals are putting the liability on employees if they share data externally, with warnings that pop up before they send email attachments or share files - some even requiring the sender to click a box saying they accept the risks.4

Two High-Profile HIPAA Violations

1. In 2009, 57 hard drives containing Blue Cross members' unencrypted information, including names, Social Security numbers, diagnosis codes, dates of birth and health plan identification numbers, were stolen. While the initial fine was $1.5M, Blue Cross has subsequently spent a reported $17 million on investigation, notification and mitigation steps. A portion of that amount - $6 million - went toward data encryption. "The main push is for the peace of mind of our members," Blue Cross spokeswoman Mary Danielson said, according to the Chattanooga Times Free Press. "That's why we engaged in the additional expense of encryption."5

2. In 2012, the Alaska Department of Health and Social Services (DHSS) paid $1.7M after a USB hard drive possibly containing electronic protected health information (ePHI) of Medicaid beneficiaries was stolen from the vehicle of a DHSS employee. Investigators found evidence that DHSS did not have adequate policies and procedures in place to safeguard ePHI. Further, the evidence indicated that "DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule."6

Both incidents turned on unencrypted storage media. Under HHS's breach notification guidance, ePHI that is encrypted in line with that guidance is not treated as "unsecured" PHI, so the loss of an encrypted drive or device does not by itself trigger a reportable breach; the loss of an unencrypted one does.

How HIPAA's chief enforcer sees it:

"In many respects, HIPAA compliance and enforcement is a lot like high school math. It's all about showing your work. It's all about showing you have comprehensive policies and procedures in place and are treating it as an ongoing, living process. Compliance is continual, not done once and set aside when inconvenient. The world is not perfect, and breaches are still going to happen. What we're going to look at is, have you done everything you reasonably can do to prevent breaches?" - Leon Rodriguez, Director, Office for Civil Rights, U.S. Department of Health and Human Services2

Government bodies provide a number of resources to help healthcare organizations get and stay compliant with HIPAA requirements. But it's still an incredibly complex and time-consuming task, and one that carries on indefinitely, as new legislation emerges and new technology enters the workplace. Compliance will always be a human challenge - but there are technical solutions designed specifically to help regulated industries tackle the issues.
What the government tells healthcare providers

The HHS provides guidance for healthcare organizations, like the recommendations below, but many still struggle to interpret the rules and put them into action.

1. Decide
Decide whether mobile devices will be used to access, receive, transmit, or store patients' health information, or used as part of your organization's internal networks or systems (e.g. your EHR system).

2. Assess
Consider how mobile devices affect the risks (threats and vulnerabilities) to the health information your organization holds.

3. Identify
Identify your organization's mobile device risk management strategy, including privacy and security safeguards.

4. Develop, Document, and Implement
Develop, document, and implement the organization's mobile device policies and procedures to safeguard health information.

5. Train
Conduct mobile device privacy and security awareness and training for providers and professionals.7

How BlackBerry supports healthcare compliance

Gold Level EMM: Specifically designed for high-security organizations and users

Securing the device

Let's start with the end user and work our way back. As we've seen, BYOD has made its mark on healthcare. Staff are using their own devices for a range of activities, from simple internet access to using applications to update health records on the fly. BYOD isn't going away.

For users on iOS and Android™ devices, BlackBerry® offers Secure Work Space, a containerization, application-wrapping and secure connectivity option that brings healthcare organizations a higher level of control and security.8

> Users get convenient, unobtrusive, secure access to corporate email, calendar, contacts, notes and tasks through a single application.
> They can access a secure Work Browser, so they can safely browse internal pages (intranet) and web pages from right within the Secure Work Space.
> They can tap into Documents To Go to create, view and edit work documents, with the formatting and features they're used to on their desktop computers.
> Approved apps that medical staff need for work are accessible in the Secure Work Space, too.
> Outside the Secure Work Space, healthcare workers can carry on using the device for their personal lives, knowing their work data is kept separate and secure.

Some users and use cases require the ultimate security. BlackBerry® 10 devices enable it. With BlackBerry® Balance™ technology, personal and work apps and information are kept separate, from the operating system on up. The work space is fully encrypted and secured, so IT can protect all sensitive content and applications, while users get the most out of their smartphone for their personal use.

Gartner calls BlackBerry Balance "the best example of the separation of corporate data from personal data while retaining a strong user experience." - Gartner Magic Quadrant Report on MDM, 20139

> Data Leak Prevention (DLP) is built right in, so users can't accidentally copy and paste work data into personal channels, like social media apps.
> The apps staff need can be pushed right to the work space on their smartphone or made available through a corporate app storefront.
> Still, organizations have the option to deploy a corporate-only use model where device features and capabilities, including social media feeds and public application access, can be turned off.
Protecting data in transit

The proven BlackBerry security model, which is now accessible to iOS and Android devices too, gives healthcare providers 'always-on', AES-encrypted access to systems behind the firewall through a single outbound port, so ePHI is not exposed to interception while it travels over carrier and public Wi-Fi networks.10

[Figure: a point-solution deployment (separate MDM server, email gateway, SSO server and VPN server, each reached over the wireless network) with multiple components to manage and multiple potential points of failure, compared with BlackBerry Enterprise Service 10 over the BlackBerry Network Infrastructure as an integrated end-to-end solution - "Complete Control. One Partner."]

Reporting and monitoring - critical for compliance

With BlackBerry dashboard reporting capabilities, IT administrators in healthcare have immediate access to a unified dashboard of key metrics across their entire mobile deployment, and can drill down into more detail to take immediate action, or export data for further analysis. These areas include:

> Device activations
> Device last contact time
> Device compliance state
> Devices by platform
> Devices by carrier
> Top five applications deployed
> Top five mobile devices

Managing it all: BES10

BlackBerry® Enterprise Service 10 (BES10) is a unified platform for managing multiple operating systems and device types, applications and content. BES10 makes it simple to manage corporate and BYOD devices from a single management console. Healthcare organizations can balance end user and enterprise needs by separating work and personal content across all managed devices while preserving the native user experience.

A single, secure, multi-platform, VPN-less connectivity model ensures you can effectively deliver the content and apps employees need to be more productive and better equipped to serve customers.10 Backed by industry-leading global support services, BES10 offers a seamless, scalable and cost-effective way for you to truly mobilize your business.

To find out more and to sign up for a FREE 60-day BES10 trial, head to blackberry.com/business11

EZ PASS
Free perpetual BES10 licenses for all existing BlackBerry and other MDM licenses. Limited time offer.12
Learn more at blackberry.com/ezpass

1 Available at: http://www.hhs.gov/news/press/2013pres/01/20130117b.html
2 Available at: resource.onlinetech.com/hipaa-in-a-hitech-world-hipaa-violations-on-the-rise-according-to-director-of-ocr/
3 Available at: http://www.computerworld.com/s/article/9224595/85_of_hospitals_embracing_BYOD_survey_shows?pageNumber=1
4 Available at: http://blogs.wsj.com/riskandcompliance/2013/09/26/hospitals-allowing-byod-face-complications-with-new-hipaa-rule/
5 Available at: www.fiercehealthpayer.com/story/blue-cross-fined-15m-hipaa-violation-adding-breachs-17m-cost/2012-03-14
6 Available at: http://www.hhs.gov/news/press/2012pres/06/20120626a.html
7 Available at: http://www.healthit.gov/providers-professionals/five-steps-organizations-can-take-manage-mobile-devices-used-health-care-pro
8 Gold level EMM provides the management and control feature set for BlackBerry 10 devices previously known as EMM Regulated, and also covers the containerization option for iOS and Android management known as Secure Work Space for iOS and Android. Gold level EMM is available with BES10 v10.1 and later.
9 Available at: http://ca.blackberry.com/campaigns/gartner-magic-quadrant-mdm.html
10 Single outbound port/VPN-less secure connectivity is available for BlackBerry OS devices when managed through BES5 and for BlackBerry 10 devices when managed through BES10. For iOS and Android devices, secure connectivity is enabled in the Secure Work Space with Gold level EMM.
11 60-day Free Trial Offer: Limited time offer; subject to change. Limit 1 per customer. Trial starts upon activation and is limited to 50 Silver licenses for BlackBerry devices and 50 Gold licenses with Secure Work Space for iOS and Android. Following the trial, the customer must purchase service to continue use of the product. Not available in all countries. A trial system can be upgraded to a production system at any time by adding a production key purchased or acquired from an authorized reseller. When a system is upgraded to production, the trial licenses will no longer be available.
12 Between now and January 31, 2015. Additional Terms and Conditions will apply.

© 2014 BlackBerry. All rights reserved.