[Transcript] Episode 429: Clearing Up Misconceptions About BYOD Device Security
Evan Dumas
You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co host, Evan Dumas.
Liath Dalton
And I’m Liath Dalton, and we are Person Centered Tech.
Liath Dalton
This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and Electronic Health Record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user, go to therapynotes.com and use promo code PCT.
Evan Dumas
Hello and welcome to Episode 429: Clearing Up Misconceptions About BYOD Device Security.
Liath Dalton
Indeed. And this is a topic that was kind of precipitated by the fact that these misconceptions come up often, and understandably so, and they’re ones Evan gets a front row seat to when performing HIPAA security risk analyses for practices, and that we encounter in our Group Practice Office Hours direct support and consultation sessions as well.
Liath Dalton
So we thought, let’s take the opportunity to equip folks with a good understanding of what is applicable when it comes to personal device use, and basically when that falls within the practice’s scope of HIPAA responsibility.
Liath Dalton
And also, we’re going to tack on a little bit about some misconceptions around practice-owned device security and HIPAA responsibilities as well. It’s not as big a portion, but there are a couple of applicable pieces too. So essentially, let’s start with when device security matters and when it is something that the practice needs to be managing. When is that applicable, Evan?
Liath Dalton
Yeah, when it handles PHI.
Liath Dalton
And what do we mean by handle?
Evan Dumas
Yes, well, there’s the details. So handling PHI is where the common misconception comes up. Handling, for most folks, means, oh, it’s files on the desktop, it’s using it to write letters. Ah, but handling PHI is also checking your email in a web browser. It’s also logging on to your EHR to do some notes from an app or a browser. Handling PHI is using your computer to make Voice over IP calls, or using your phone to make Voice over IP calls.
Evan Dumas
Handling it just means using your device to interact with it in any way. So it can be even as simple as just checking your email or looking at your calendar that has PHI on it.
Liath Dalton
Exactly. So basically, that broadens the scope of when HIPAA’s device security standards that are applicable to devices that handle or touch PHI are present, beyond what we might think of, oh, if the device is just storing on itself, on its hard drive, Protected Health Information.
Liath Dalton
But that’s really useful to understand, the broadness of when it applies, because then we know that any device that comes into any contact with client info needs to have these basic security measures in place. And one thing we’ll often see is that a practice will have kind of a basic device security policy of “Only put client information in HIPAA-appropriate apps and services,” which is great. It’s excellent, but in and of itself, it is not sufficient for managing device security.
Liath Dalton
And you know, like, don’t have a weak password and don’t share your device that handles PHI with other folks.
Liath Dalton
But the device security measures that need to be in place on any device that touches PHI go above and beyond that, and we are kind of managing the present security risks to client info, to PHI, through a combination of security measures and behavioral measures, and policies and procedures. So it’s a multi-layered, multi-prong approach, and the combination of all those measures is what provides the security, and therefore the peace of mind as well, that’s important.
Evan Dumas
No.
Liath Dalton
So while it is very beneficial to have the primary way that your practice manages Protected Health Information be to keep it in HIPAA-appropriate systems where you have a HIPAA Business Associate Agreement in place, and where that business associate is managing a lot of the security requirements for safeguarding that info, it’s also necessary to ensure that the devices that access those systems and ferry Protected Health Information between systems, which usually entails downloading to the device itself, are managed.
Liath Dalton
In fact, if you read the fine print of Terms of Service with HIPAA Business Associates, those terms of service agreements will have sections outlining kind of where their security responsibilities begin and end, and where yours as the user, as the customer, begin as well, and that includes for customers the responsibility of making sure that the devices that they use to access those systems, and the safeguarding of login credentials, and using secure network connections, those are all beyond the control of the business associate, and are pieces that need to be managed by the customer, by the HIPAA covered entity, right?
Liath Dalton
So that piece is really where the biggest misconception comes up, is that if you’re just using those HIPAA-friendly cloud services, have your BAAs in place and have some common-sense policies around good security behaviors, that that’s sufficient.
Liath Dalton
And what we really want to see is that you’ve got a comprehensive way of managing device security, as device security is the tool that you’re using to access all these more important systems, and that you’ve documented that you have that security in place. Because Evan, what is the beautiful thing about having devices secured according to the technical security requirements under HIPAA, and having that documented as such?
Evan Dumas
Yeah, it’s a wonderful thing called Safe Harbor that you’ll find in other industries. And the term Safe Harbor, capital S, capital H, means that those devices can be lost, stolen, or otherwise unaccounted for, and you don’t have to file a breach report. You have done your due diligence. It is effectively a brick in someone else’s hands, and you can sleep easy knowing that no one who has that device will have access to your data.
Liath Dalton
Exactly.
Liath Dalton
And part of the reason that this is so important is that in the event of a potential breach, so a security incident (which theft or loss of a device that has been used to touch PHI or handle PHI constitutes), the onus is on the HIPAA covered entity to prove that no potential breach occurred.
Liath Dalton
Now, the challenge here, if you no longer have physical possession of a device, is that it becomes pretty impossible to forensically prove that that device didn’t have PHI on it, or that if the device were accessed, someone couldn’t then access systems that contained PHI that that device had been previously used to access. So that’s why, in terms of policies and procedures and documentation for the HIPAA regulators, just having a policy that you don’t store anything on a hard drive isn’t sufficient, because that’s not protecting against all of the potential threats, and it’s something that, if you no longer have the device, you can’t really prove one way or another.
Liath Dalton
So that’s why we really want to have that Safe Harbor in place. And if you meet the requirements for Safe Harbor under HIPAA, that also covers you in terms of state data breach laws, which are less talked about in this space, but basically, every state has data breach laws for customer information, and those apply to every business that handles sensitive customer information and identifying information, whether they are a HIPAA covered entity or not.
Liath Dalton
So it’s one of those great twofer solutions of, if you manage the HIPAA compliance requirements and have Safe Harbor in place there, you’ve also got Safe Harbor in terms of state data breach laws too.
Liath Dalton
So what’s the takeaway? Make sure that all devices, both practice-owned and personally owned but used for any practice purposes, have the necessary measures in place that qualify for Safe Harbor, and that you’ve got it documented as such, and then that just frees up a lot of capacity to manage other things in your practice that are far more compelling and intriguing than having to worry about these pieces, or just carrying the risk that comes from not having intentionally and sufficiently addressed them.
Liath Dalton
Now, Evan, a question that we often get is, how difficult is it to actually manage implementing these necessary security measures, and is it expensive, do I have to buy extra software, etc.?
Evan Dumas
Generally, not. So, generally, it’s pretty inexpensive, because the recommendations we make are for, you know, antivirus programs that are free, that just do antivirus, and then, heck, the built-in one on Windows PCs is great.
Evan Dumas
Yeah.
Evan Dumas
Now, the only cost that I’ve seen associated with this is the rare instance that the PC is old and needs an upgrade to Windows Pro to get BitLocker. Whereas modern ones will do device encryption if you have a little Microsoft account on it, which is pretty rad, and a great place to save the password up in the cloud too. So in general, it’s pretty darn free and only takes an afternoon. So that’s lovely.
Liath Dalton
Indeed, and do check out the show notes for a link to more information about the PCT resources and robust system that supports practices in managing all of these aspects of device security for both practice-owned and personally owned devices.
Liath Dalton
I want to be clear that the only way to manage them is not through using the resources and kind of system that we’ve put together for it. We just put that together to make it as easy and streamlined as possible for practices.
Liath Dalton
So whether you utilize our resources for it or source that elsewhere, like, if you’re really good at finding YouTube videos that are robust, I mean, you can put together your own way of doing it.
Evan Dumas
Yeah.
Liath Dalton
But I guess I would say I have yet to see a practice that has opted to go that route when faced with what it actually entails. That’s not to say that it is not feasible by any means, though, but we do have resources to support you if that is something that is of appeal.
Liath Dalton
So hopefully this has been useful in terms of just knowing where the scope of responsibility and liability begins and ends when it comes to devices. Maybe it’s broadened it a bit for you, and therefore created a few action items, but we hope it’s been helpful. Thanks for joining us, and we’ll chat to you next time.
Evan Dumas
Yeah, talk to you next time, everybody.
Liath Dalton
This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast, or click Podcast on the menu bar.
Your Hosts:
PCT’s Director Liath Dalton
Senior Consultant Evan Dumas
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In our latest episode, we’re discussing the scope of responsibility and liability for device security in group practice.
We cover what handling PHI means; device security measures for devices that touch PHI; a multi-prong approach to device security; Safe Harbor requirements; the benefits of having Safe Harbor in place; Safe Harbor and state data breach laws; the cost of implementing Safe Harbor on all devices.
Resources are available for all Group Practice Tech listeners below:
Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers.
Resources for Listeners
PCT Resources:
- PCT article: Easy Steps to Ensure Safe Harbor: Implementing Technical Security Measures
- PCT podcast episode: Episode 332: To BYOD or Not to BYOD
- Group Practice Care Premium
  - weekly (live & recorded) direct support & consultation service, Group Practice Office Hours
  - assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
  - assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
- HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.