Transcript
Evan
Hello and welcome to episode 402: HIPAA considerations for smart watches.
Liath
Indeed! and this is a new podcast topic for us though. Of course is directly related to device security and making sure that we’re. Managing device usage in a HIPAA appropriate way. That’s safeguarding client info that we are frequently discussing but what prompted this is that of course use of smart watches has really proliferated over the last. Little while and they offer a lot of really useful functionality I’m a big fan of my own. Ah, but we got a couple questions in our group practice office hours direct support and consultation service context related to smart watch security and asking. What do we need to be aware of when it comes to our staff members usage of smart watches if those smartwatches are paired with a device that’s used for practice work. Do we need to put specific settings in place on it. Do we need to have them registering their smartwatch as a b I o d device and if so um, what would that process entail and how would we modify the form and we thought oh this is a a great topic to be. Addressing. So essentially we’ll we’ll start with the first fact which is that smart watches while little powerful supercomputers in their own right are not at the same scale as the super computers in our smartphones and that means of course they have less less functionality than the smartphones. But also that there is less configurability. In terms of the security measures that safeguard the information on Smartwatch So That limitation means that it is not possible to implement all of the technical security measures that would make a device appropriate for a primary use application of being involved and in practice work or handling client info.
Evan
Yeah.
Liath
So it’s not something that is going to be hardened and registered as a personal device for for practice work use. However, that doesn’t mean that they cannot be used or paired with devices. like smartphones that are BYOD registered devices. It does mean that if they are paired with any practice use devices that there are some. Considerations for how to manage notifications. Um on the device that they are paired with and for implementing some security measures on the smartwatch itself. So.
Liath
Evan what’s kind of the the primary way that smart watches could expose client info or or create a HIPAA issue?
Evan
Yeah, it’s the feature smart watches to notify you when either some ah paired app says hey something’s happened like you’ve gotten a call or a text message or have an appointment reminder coming up.
Liath
Exactly and if the contents of that notification include any identifiers then that notification content qualifies as protected health info meaning it’s within the hipposcope and we. We need to safeguard it and put reasonable and appropriate safeguards in place to keep it from um, being disclosed to someone who doesn’t need to know that information and while ah, a smartwatch is something that is going to be attached. To the body of the the person using it. So There’s a different kind of surface area of risk exposure than there is with a smartphone or a laptop That’s more likely to be left behind and and Lost, and a certain amount of security that comes just from having it on the user’s person and attached to them. It doesn’t completely remove all of the security considerations because depending on the contents of a notification that pop up in your. Proximity to others they potentially could see the contents of it or if your smart watch is lost but still paired with your device that gets those notifications that include client info and therefore that. Information is popping up on the watch when it’s not in the user’s possession and ability to safeguard that would be Problematic. So now that we’ve kind of set the the scene for what the potential issues are what do you do about it.
The primary thing is going to be to ensure that smart watches are whether it’s an Android or an Apple watch are using a passcode that they are not just left in an unlocked state now. Apple watches require that if you are using the Apple pay feature. But if you aren’t using the Apple pay feature and don’t have it enabled on your Apple watch. It’s not a required feature. So regardless of. Whether you use Apple pay or not if you’re an Apple watch user or have team members who are want to ensure that the pass code requirement for unlocking the smartwatch is enabled and there’s a parallel for that for Android Smart watches as well being able to have a lock screen and a passcode so put that put that in place. Um, and then there are a couple additional security measure features that are important to take note of and Evan’s going to describe to us. The one for Apple watches. That’s really noteworthy.
Evan
Oh yeah, so on Apple washes. You first want to turn on find my device or find my ah ah no device actually so that’s what it does is. It’s a feature that ties into the the Gps of it and whatnot and across all your Apple devices.
Evan
Even go to a website to find where they are sort of broadcasts it now what this does is when that’s turned on and it’s tied your your phones tied to your watch. You have the chance then if your Apple watch is lost or stolen that they would ah any potential person to come across your watch would need your Apple Id and password to change any settings on it to have access to any information to like turn off find my watch or reset it or or things like that it sort of locks it down which is super handy because say if you lose it. You don’t want anyone who has access to it to do these things so turning on the find my watch and this is actually just a new feature that came out this January of all things it seems like would have been around. But yeah as you say the security landscape is changing quite a bit for these devices that it’s.
Evan
Now enabled so make sure your phone and watch are updated. The latest ios of course and they do that automatically generally especially watches do. But then that’s super handy to control it from afar.
Liath
Indeed and the other piece that’s important is having the wrist detection enabled which means that as soon as the watch is removed from the user’s wrist. It locks. Automatically So if it came off and ah the user wasn’t aware even it would still be locked down such that.
Evan
You can.
Liath
Whoever may pick it up or maybe even pulled it off. You know where good. Let’s use extreme extreme ah examples here. They would not be able to unlock it and therefore wouldn’t be able to get to any of the notifications that that device we’re receiving. Um. And the the other piece of the security settings is that the there’s a activation lock um, which I think is part of what Evan is talking about related to the the find my watch feature.
Evan
Yep yep, that’s the name.
Liath
So then it it requires the user’s Apple Dot id and password to unpair to a race or to reactivate the the Apple watch so activation lock is important wrist detection should be enabled um and then the next piece of it which is is going to kind of vary a bit practice by practice depending on what services your practice uses. Ah so like what’s your email program. What is your. Phone system if you’re using a wape app do any of the services that you use specifically make an app for Apple watches or Android watches most do not like there isn’t even a a Gmail app for Apple watches and you can still get notifications that you have received a Gmail email that appear on an Apple watch but that’s because of the pairing with an iphone. Um that has Google Workspace and and gmail installed on it and is getting notifications. Um, most of the the services that practices that are utilizing for handling client info and therefore which would be in the practices Security Circle. Don’t have apps for smart Watches. So the considerations for how to safeguard client info are really related to the contents of notifications that the services that you do use. What the contents of those notifications are um if they are being paired or if they’re being neared from a smartphone that receives them and so what I recommend is if you have any team members who do use smartwatches and want to have it. It paired with a a practice own device is that you as leadership test out um, pairing a registered and and hardened smartphone with a smartwatch and seeing what the notification contents are.
Do any of them include identifiers and and therefore become ah a hipaa or confidentiality issue if so then we still have a couple options one but for iphones is that you can on a granular level meaning app by app. Control the notifications and androids. There is something pretty analogous to that though it varies more than with iphones because there’s a lot of for variation between within the Android platform. Um, but but. If you discover that a notification that’s being mirrored from an iphone to an Apple watch is you know, potentially HIPAA problematic then you can just disable the notification. Um. For that particular app. It doesn’t mean that you have to disable all notifications for for all apps and so that’s a way that information can be safeguarded and we can prevent there from being ah a potential breach that is a result of this this pairing. Um. And so I do do want to emphasize that if you have team members that are using smartwatches paired with either practice provided devices or their personal devices that are used for practice work that you go ahead and just do a little testing to see what the notification contents are for the practice provided services and how those appear and then take the necessary steps to make sure that those are controlled to an acceptable point and you know for if you are a practice that uses Spruce Health for example for your phone service and secure messaging Spruce Health notifications by default do not include any identifiers specifically because um, you know it’s a service created for Health care Providers. And they’re aware that that could be problematic so that that is something that you can and will find across a number of different apps that are for services that are specifically for Health care providers. All of this is basically to say it. That smart watches can be a great tool for productivity and and and efficiency and part of what makes them such a useful tool in that way is the ah in in my own experience is the ability to. Tell if a notification regarding something merits your giving it your attention or not right? So We don’t want to say oh it is just strictly Forbidden under any circumstances for someone to use a smartwatch paired with one of their practice work devices because it can be a great tool. The security risks can be managed but like everything it takes Intentionality. It takes testing ah with the rest of the sort of services and and systems in your practices. Ah, Tech stack. So that you can know the particulars for for you and then just take some reasonable steps to to safeguard that and those aren’t ah onerous, Um, but it is important that that be the process that is gone through.
Liath
Because you know it’s easy to imagine a scenario in which if a smartphone that is used for practice work and has all the notifications for all the practices systems being. Mirrored to a smart watch and that smartwatch gets lost but there’s no w risk detection enabled.. There’s no passcode on it that um if it falls into someone’s hands there Absolutely could be a breach and, you know, not a pleasant process of having to manage that so we just want to prevent that but it’s a totally feasible and and reasonable thing to do and honestly those measures are really good for protecting the individual user as well. Not just Client info um protecting all of the personal you know, private and financial information of the smartwatch user is also worth its merit. So just like just like we frame the BYOD process as having value. Not only to the the clients whom um it it impacts but to the device user who is going through that process that carries it over to smartwatches as well.
Evan
Exactly.
Liath
So We hope you hope you found that is that helpful. Maybe it’s something that’s already been on your mind or in the back of your mind a little wondering about this and if it’s something that that needs to be tended to or not and if so we hope. Hope that this was helpful and we will see you good folks next time.
Evan
Yeah, see you next time. Everybody.
Your Hosts
PCT’s Director, Liath, and Senior Consultant, Evan.
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In this episode, we’re covering what you need to know about HIPAA and your smartwatch.
We discuss common questions we get from group practice leaders about smartwatches; the limitations of smartwatch security; whether smartwatches should be included as BYOD registered devices; potential issues with smartwatch notifications; and security measures to put in place for Apple Watches and Android smartwatches.
Resources are available for all Group Practice Tech listeners below:
Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers
Resources for Listeners
Resources:
- From Apple: Apple Watch System Security
- From Apple: Apple Watch Notification Settings — See “Customize Your Apple Watch Notification Settings” and “Keeping Notifications Private” sections in particular
- Google Pixel Watch: How to Enable/Modify/Disable Screen Lock
- Google Pixel Watch: Notification Settings
- From Samsung: Set a Security Lock on Your Samsung Smart Watch
- From Samsung: Manage Notifications on Your Samsung Smart Watch
PCT Resources:
- Group Practice Care Premium
- weekly (live & recorded) direct support & consultation service, Group Practice Office Hours
- + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing documenting personal & practice-provided devices (for *all* team members at no per-person cost)
- + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing documenting Remote Workspaces(for *all* team members at no per-person cost) + more
- HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.
Group Practices
Get more information about how PCT can help you reach HIPAA compliance while optimizing and streamlining your practice.