09-14-12 | Blog Post
Don’t miss our liveblogging from Online Tech’s Fall into IT seminar event, with presentations starting at 10 AM ET!
| Time | Event |
|---|---|
| 8:30-9:00 | Registration for Data Tour |
| 9:00 | Data Center Tour |
| 9:30-10:00 | Registration/Welcome & Continental Breakfast |
| 10:00–10:45 | The Impact of Compliance, Tatiana Melnik |
| 11:00–11:45 | BYOD: From Concept to Reality, Kirk Larson |
| 12:15–1:00 | Pocket Healthcare, Predrag Klasnja |
| 1:00 | Data Center Tour |
10 AM ET – The Impact of Compliance, Tatiana Melnik
Tatiana touched on the regulatory framework for compliance, which includes federal laws and context (types of information and targeted constituency). Various state laws also address SSNs, driver's licenses, protection of healthcare, record-keeping and data destruction. International laws also apply. Texas also has a new law that regulates what and when a company has to report to other states as well.
Multi-compliance is another trend seen in certain organizations, specifically software vendors moving into healthcare, banks with direct access to PHI (protected health information), healthcare organizations that process payments subject to PCI, HIPAA and five of the FTC Act Laws. One of the most important aspects of compliance is employee training; informing employees of how to handle sensitive information is key to preventing data breaches.
The results of non-compliance can be costly. Tatiana gave a case study of the Sony breach in 2011 – after they sued George Hotz, a hacker, Anonymous launched a DDoS attack and stole data that was unencrypted. More than 100 million users were affected, with SSNs, passwords, birth dates and credit card information stolen. The cost of repair was up to $171 million in May 2012.
The point is, data breaches are very costly to address, and can include employee overtime, productivity loss, investigation costs, data breach notices, credit monitoring services, internal investigation cost, lawsuits and more.
In addition to the FTC, state attorneys general can bring their own lawsuits against companies in the event of a data breach. Under HITECH, AGs can pursue healthcare-related data breaches. One example is Accretive Health, a debt collection company that misused patient data – the result was they were banned from Minnesota by the AG.
When you’re no longer in compliance, one major impact is the loss of trust by customers. A company can get insurance – cyber liability insurance can defray costs of breaches. Another way is to only take on the amount of liability that is necessary – reading contracts is key to knowing your responsibilities. Take a look at your privacy policies to ensure you can live up to the claims your company has made. Look to organizations like NIST for guidelines, and train your staff. Enforcing policies and procedures as well as auditing for compliance can help you prove due diligence.
11 AM ET – BYOD: From Concept to Reality, Kirk Larson
Kirk is the Vice President and CIO of Children’s Hospital Central California. The hospital is a pediatric hospital located in the Central Valley, and is one of the 10 largest children’s hospitals in the U.S. They run Dell, Cisco, VMware, and have 5 PB of data and 10,000 network elements.
In 2011, they went live with CPOE, nursing documentation and their digital transfer from paper records. The fundamental change in delivering care changed the requirements for content delivery and for the number of devices issued.
Three major areas of concern are security around mobile devices, the number of clinics and users, and resource effectiveness (how to best leverage the resources available). One question that came up with BYOD is multiple device preferences. Another is the fact that different apps work differently with different devices. When looking at medical imaging, a tablet is ideal, but it may not work for all purposes. Different workflows are another issue – those who only need to view data may use a tablet, but those who enter data may not want to use a tablet due to typing difficulties. Safeguarding and network security are also issues – sensitive information should never stay on the devices.
Their solution was to leverage the existing VDI (Virtual Desktop Infrastructure). In order to view VDI, users have to install the VMware client on their device. The client allows you to access a Windows-based environment on any device, including iPads or Androids.
The hospital also developed policies with input from end users for their current BYOD environment. One question was, to what extent does IT provide support? Policy examples include the fact that ITS supports device connections to VDI, and not the device itself. Infection control is another consideration, and the current policies for devices that enter and leave the hospital also apply to these devices.
What were physician concerns? One concern was, what should be on the image? Internet or email? The hospital had to decide which items were critical to end users and what to include in the VDI environment. The physicians also expected to be able to bring any device in from home and have it work.
Some customer support considerations include multiple device preferences per user. For applications, some considerations included what type of users should be accessing VDI, including exempt/non-exempt employees. For infrastructure, considerations included potential spikes in number of VDI sessions, potential decrease in number of purchased devices, and how best to leverage VDI.
Security considerations included allowing user-purchased devices on the network – they responded by partitioning the existing network or creating a separate network. Ensuring that data is always saved on the VDI, and not on the device itself, is one way to maintain data security.
Some things to think about include supporting a multitude of devices; setting ground rules on what to support (only connectivity to the virtual image, not other personal device issues); considering scalability and the increasing number of sessions; and securing data. The advantage of using VMware is that data was never on the device at all. While there are upfront costs, there may be additional costs to support VDI on the backend, including updates.
The VMware View client also allows for roaming profiles, meaning if one person logs in using one device in one location, they can go to another device located elsewhere and be logged into the same session. This is a simple client that can be downloaded through VMware.
12:15 – Pocket Healthcare: Promise and Challenges of Mobile Health, Predrag (Pedja) Klasnja
In a situation where a patient has a heart attack and needs to monitor his heartbeat, there are mobile apps that provide monitoring. The system can also detect and alert the closest hospital of a potential heart attack.
Why are mobile phones a promising platform for delivering health services? Ubiquity – more than 85% of Americans have mobile phones. As of February of this year, 50% of all phones sold in the U.S. are smartphones, which means they have extended capabilities.
The way people use phones is very personal – meaning they use calendars and store personal information on them, and they normally have them with them at all times. This means mobile phones are the best way to reach people in order to deliver health services, and paves the way for mobile apps in the healthcare industry.
Mobile apps can help you track health information, such as monitoring glucose levels and tracking physical activity. An app, UbiFit, can detect when you’re running, biking or on any exercise machine, and it can send the information to a journal on your phone. A visual representation can tell you what type of activity you did and whether or not you’ve reached your fitness goals for the week. An app for improving diabetes management, MAHI, can track glucose readings, and uses voice recording to let users log their activity.
Mobile health apps can also help extend the reach of the healthcare team. They can use apps to monitor chronic heart failure remotely with EKG to track when patients need care before they need to go to the emergency room. This app actually limited the number of emergency room visits, which can also significantly lower healthcare costs and improve patient care.
Automated feedback is another use of mobile health apps. Patients can use an app to report how they’re feeling; for example, if they have anxiety issues, the app can walk them through relaxation practices.
Even games can be leveraged via mobile phones to help patients manage their health more effectively. One game app was developed to help people understand their diabetes and learn more about the condition. The advantage of games is the ability to communicate and educate patients about their health via a time-efficient method that can be integrated into their everyday lives.
For the future of mobile health, one area is the notion of ‘just-in-time’ interventions, monitoring and detecting problems early. Sensing context is another aspect – finding out more about the patient’s environment in a more meaningful way can help develop solutions and models about the things that shape human behavior. Integration with clinical workflows is one area that needs a lot of future work. Summarizing and making sense of the data that gets collected is important in order to make it meaningful. Determining who is monitoring and using the data is another question.