Evan

Welcome to episode 4 ah 3 device safe harbor why it’s essential for your practice.

 

liath

It is so essential and we’re going to be talking through why it’s essential how easy it is to obtain and what the process for that. Looks like what some supportive resources available. To assist you in your practice with getting that in place. Um, so let’s let’s dive in and all I’ll start with a little bit of what prompted us to address device security yet again in this podcast is because device security continues to be 1 of the largest areas of risk exposure for practices and their ability to safeguard ph I and to not have. Stressful security incident investigations needlessly and basically what safe harbor ah under HIPAA’s breach notification rule consists of in a nutshell is that if you have safe harbor. In place on any devices that are used to handle or access ph I in the event that one of those devices is lost or stolen your security incident investigation is super short and sweet because you have.

 

Evan

Exactly.

 

liath

Safe Harbor Under HIPAA’s breach notification rule which means that the P I that was either on the device itself or that it been accessed from the device is secured PH I It’s not going to be. Decipherable or usable in any way. Um by anyone whose hands that device falls into if it’s lost or Stolen. Um and a breach is only a breach if it’s unsecured PHI.

 

liath

So, we want to secure it We want to make sure that you don’t have to go through the the process of trying to identify all the Ph I that may have been on it who what clients that belong to notifying them. Um and then filing a breach report.. It’s also outside of these purely formal or not purely formal but these formal compliance requirements is just necessary to have these measures in place. They’re common sense measures technical security measures.

 

liath

To make those devices safe and appropriate for handling client info and it’s a win win because really, there are security measures that should be in place on any device that we’re using for personal or work purposes anyway, because we want to be safeguarding our own personal and business and financial information. So there’s no con in a pro and con evaluation list of going through the the process to get safe harbor in place now Evan what is the first item of the 10 technical security measures that are necessary to have in in place on a device that’s that’s touching PHI and kind of the cornerstone one for safe harbor.

 

Evan

Oh yeah, yeah, and this is the one that when I often bring up to folks during risk analyses. They’re like I didn’t even know that exists or what is that and it’s called full device encryption and what it means is that. When your computer is at rest. So Usually that means shut down that all of its data is cobbledgook is encrypted if you ripped out the hard drive or plugged into it. No one could get access into it and and in fact, no one could good access if they didn’t have your password which speaks to some other. Ah, requirements of safe Harbor but that full device encryption called file Vol Tono Mac and bit locker on a Pc or device encryption sometimes is necessary.

 

liath

Exactly and that is the the main item of the technical security measures that provides for safe harbor under the breach notification rule. But as Evan just alluded to there are. Other measures that need to be in place to keep the full device encryption actually doing what it’s supposed to and and fulfilling its purpose. So those consist of having a strong and unique pass code or password. What unlocks the encryption and um, because of course your encryption is only as strong as the encryption key so it doesn’t work to have a have. Full device encryption in place but have the encryption key be 1 2 3 4 or password or something that would easily be guessed or hacked or cracked right? So that’s one of the other necessary technical security measures is a strong unique passcode and then as as Evans said the full device encryption is only enabled when the device is in a locked state. Um, and so one of the other technical security measure requirements is having the device set to auto lock and log out on the minimum amount of time now there are 7 other really important technical security measures to have in place on a device to make it safe and appropriate for handling Ph I Especially for accessing cloud-based systems that contain p I Um but those aren’t as impactful when we’re talking purely about safe Harbor in the event of the device being lost or stolen and and falling into someone else’s hands and ah a question and a issue that comes up so frequently.

 

liath

And that we see is that in the modern practice context most practices are primarily utilizing and reliant on Cloud based services. So Using. Online systems like your practice management or EHR Um Google Workspace Vope services, etc to handle all of the client info that you are responsible for safeguarding. And that’s wonderful and that does really go a long ways towards reducing risk exposure and also outsourcing to your HIPAA business associates some of the more challenging aspects of HIPAA compliance which is absolutely wonderful. However, um, it can lead to a false sense of security as it relates to devices and a thought of well that. Device itself isn’t the primary location for client info. It’s just the the tool that provides the mechanism for me to log in to a system where that that data lives so there isn’t as much risk present. For for that device itself provided I don’t say logged in to those online accounts. However, even for a practice that is as we like to say sassy meaning software as a service or saas. Saas based um, there are multiple ways that ph I ends up locally on a device Evan can you share with some of the most common ones are.

 

Evan

Oh yeah, usually it’s incidental like someone will download a Pdf from 1 source to upload it to some other place and then they’ll forget to delete it or maybe some caches on your browser will retain. Ah, either login information or fields that you’ve filled in or temporary files your download history even sometimes e hr pages have ph I in the names and so your your browsing history will have ph I in it. It all depends on how the system is set up. But it can show up in bits and pieces here and there on your machine.

 

liath

Exactly which can mean that even if um, your primary policy and way of of a storing client info is in a cloud based system that doesn’t mean that there is no. Client info that by default doesn’t mean that there’s no client info on the device itself which means that if it is lost or stolen then you’re in the predicament of not having physical access to the device and trying to determine if a breach occurred and how to do breach notification to potentially impact it lions and file a breach report which no fun. Ah.

 

liath

As you can certainly imagine so and the appropriate thing to do and this is what the HIPAA Regulators want to see in place and it’s also just good. Good common sense is that any device that touches client info or Health care. Information has these reasonable technical security measures technical safeguards in place and then that basically obviates these big big Risks. And makes it so that in the unfortunate event that you have a device that’s been used for any practice work or to handle client info gets lost or stolen that you have um, a nice contained process for dealing with that. Don’t have to navigate breach reporting and notifying impacted clients and then the worst of what you’re looking at in such a situation is just that. Ah, you know a device needs to be replaced. That’s Far far better than the alternative and the really fantastic thing is that having the technical security measures in place that are necessary for safe harbor. Is not something that is out of reach requires massive technical expertise or is expensive Evan how much does it cost someone to go through the process to put the technical security measures. Needed for safe harbor in place on their device.

 

Evan

Oh yeah, well if you use our system. It’s ninety nine a month but the best part is that’s for the whole practice. So your whole practice pays $99 a month. It’s not per person. So if you have 2 staff or you have 200 staff ah, $99 will cover everybody for a little tutorials documentation coursework on how not non ce coursework I have to say on how to secure your devices.

 

liath

Um, yes, but the the part that goes with that is does it actually cost anything for the technical security measures themselves now.

 

Evan

Oh no, no no does not no generally not ah the few exceptions are some old Pcs don’t have built-in full device encryption so you have to upgrade to windows pro other ones have this thing called device encryption where you just click a button and it’s lovely. Um, but beyond that. Ah you know Antivirues are free full device encryption is free on max and easy and so no HIPAA doesn’t want you shelling out cash to to scare your devices they you know there’s you should be able to do that without that so it doesn’t cost anything.

 

liath

Great. So there really is no cost barrier and in in our view. There doesn’t need to be a technical um comfort or Expertise barrier either.

 

liath

Because and that and that is part of why we created our resources and system for practices to and be able to to manage this is because we know you know identifying First what the technical security measures Need to be and then how to do them ah implement and configure them across all the various device types that are likely present in your practice. That’s that’s more than most practice leaders. Want to take on themselves. Um, but that’s something that we have those handy step by step device picked specific tutorials that walk folks through exactly how to configure things show you what? what buttons to Click and ah how how to make sure that things are are set up so that that device is is safe for Handling PH I and that you’ve got safe Harbor in place and I should should mention again that it’s important to note that the device security standards under the HIPAA security rule and related to. Safe Harbor Under Hipa’s breach notification Rule. Don’t change for practice owned versus personally owned devices. The documentation process changes a little bit um between practice own and personally owned devices but the technical measures don’t change and the tutorials also don’t change so it is something that is really easy to attain and and having place and just a very vital safeguard both for. Client information and for your businesses kind of strength and and sustainability too because having an issue arise where a device didn’t have safe harbor um, can. And and having it go missing or or be stolen can really easily lead to a situation in which a breach has occurred and a large breach ah in a group practice has ah has occurred. And so we want to avoid that because the implications for a practice of having something that constitutes a large breach which is 500 or more individuals information being being impacted is significant. So. We are always enthusiastic about the kind of low hanging fruit pieces where a practice can can be proactive and manage the compliance requirements in practice and just enjoy thePeace of mind that goes along with that. So as Evan said we do have a robust system of resources to support you on that if you would like to make use of those for for your practice. Um. and and I want to say that actually having those measures in place is part of every covered entity’s responsibilities in terms of their business associated agreement and terms of service. With their HIPAA business associate cloud service providers because they will make it clear in their terms of service and sometimes in the b a as well that there are these areas of vulnerability that can impact the security. Of client info in their systems that they don’t have the ability to control that are the user’s responsibility to manage and those are primarily related to keeping your logging credentials safe but also to be using a. Safe device. That’s not going to introduce a vulnerability to the system or that doesn’t have like a a key logger installed on it where then it’s um, able to copy and see basically every little bit of info that gets entered into one of your

HIPAA friendly cloud systems. So it’s just a ah win-win and we want to make sure that any misconceptions that if your practice only uses cloud based systems and doesn’t um. Rely on storing client files locally on computer hard drives or external hard drives that device security risks aren’t present and that there aren’t um, you know requirements for how you manage. Device security that are applicable to your your practice if if you have 1 takeaway from from this podcast episode. We want it to be that any and every device that is used to touch client info in any way. Just needs to be hardened and have these reasonable measures in place and beyond that it’s not. Fortunately, it’s not Rocket Science it’s not expensive. It’s not that time consumptive either. So if you don’t yet have a safe harbor in place for. All devices through used for for practice work put that on your to do list for 2024 and and knock that out all right I think we’ve waxed on enough about device security for for one day

 

Evan

Yeah, and exactly.

 

liath

So stay tuned for next time and thanks for joining us.

 

Evan

Yeah, see you next time. Everybody.