Latest Technologies, Industry Trends & Best Practices

In the World of Mobile Messaging Applications, there are NO Privacy Guarantees

On Thursday 8 May 2014, the Federal Trade Commission (FTC) settled charges with mobile messaging application maker Snapchat. As the Wall Street Journal article reports, the gist of the alleged infractions (which were neither admitted nor denied by Snapchat) all relate to misleading consumers in one of three ways:

1. “By telling them (consumers) that messages would disappear.”
2. “Misrepresenting its (Snapchat’s) data collection practices.”
3. That Snapchat “didn’t adequately protect users’ personal data.”

I am not a lawyer, nor do I want to comment directly on the misfortunes of Snapchat, which has now been ordered to implement a new comprehensive security program and agree to 20 years of monitoring by the FTC (an eternity in the technological world). I only bring this situation up to raise two discussion points: 1) what a technology company can and cannot guarantee users, and 2) what users of technology should look for in an application provider.

Working for technology companies for the last 25 years, I have seen many amazing changes occur in rapid fashion. We have gone from completely locked down proprietary systems where no Internet existed, to today’s cloud-based unified communications, where a 7-year-old can operate a smartphone to access an application that is maintained halfway around the world. As technology becomes more invasive in our lives, privacy issues are bound to increase exponentially. Perhaps part of the allure of today’s secure messaging trend is a direct backlash against broadcast technology, which has been so popular during the last few years. There seems to be a tug & pull between several technology trends: broadcast media vs. directed media; permanent vs. ephemeral content; data collection in order to serve up targeted online ads vs. temporary communication; contextual based communication vs. non-contextual communication; paid vs. free applications, and finally privacy vs. public disclosure. 

I cannot help but feel sorrow for a technology company that builds and launches (often for free) a great product that satisfies the needs of the vast majority of their users, but still gets slammed by the small minority, who complain to the Federal Government (in this case the FTC). Keep in mind, these users chose to use the product in the first place! The takeaway may be that technology companies need “full disclosure” of what their applications can and cannot do (explained in layman’s terms), and in addition they need to be up front with any information they gather on their users. The old adage that “nothing is free” may apply here. After all, how could Snapchat provide a product for free with no strings attached? How could anyone for that matter? Perhaps users should look to technology companies that charge small fees for usage of their applications, but also fully disclose the application’s capabilities and limitations as well as if/how they handle customer information.

For instance, is making a claim that content will disappear guaranteed 100% of the time even a viable promise? Most people know that if you want to capture a screen on an Apple iPhone you push down on the “Hold Button” and while holding it down, you push down the “Home Button.” Most any message, or photo, sent to an iPhone user is susceptible to being copied and kept. Even if a technology company creates a product where the normal “screen capture” as described above does not work – what is to stop the recipient of a message whose content is meant by the sender to be private, from using a digital camera or secondary smartphone and taking a picture, or movie, of the screen and making it public? My point is there are myriad ways for the recipient of any form of media to copy and keep what is sent to them. There are even 3rd party programs specializing in thwarting “disappearing” messages and images.

Let’s assume that in a professional business environment/setting the recipient’s and sender’s goals are aligned. In other words, the sender and receiver both want the text, photo, and/or video to disappear once they have reviewed it. If this is true, then most smartphone applications that promise privacy will be able to deliver. It is the case where the sender’s and recipient’s goals are not aligned that we need to prepare for. What users need to know is that there is no 100% guarantee that text, images, and/or videos will disappear as intended by the sender, especially if the recipient’s goals are opposing or immoral. No technology vendor will be able to anticipate and prevent every unintended consequence of the use of their technology. Common sense by users should prevail.

With regard to what technology users should look for in an application provider, I would start with the belief that users of technology and those that create technology are partners. Partnerships will only be viable if there is a foundation of kindness, respect and honesty. So how does one determine if a technology company is a viable partner? Begin by excluding any companies that have proven they are not reliable partners. Review potential partners’ privacy policies and ensure that they adhere to them and that you agree with them.

Another strength of the technology revolution is that users of technology have choices – they can vote with their feet, e.g., move to another application. In addition, and as mentioned above, nothing is free, so perhaps look for a technology provider/partner that charges a reasonable fee and clearly states realistic expectations in their privacy policy. For example, if you are looking for a secure messaging technology provider, ensure that their Privacy Policy states that all content on both servers and devices (smartphones) is encrypted to a certain level, encrypted during transmission through SSL, but that the vendor cannot guarantee content is not abused by recipients of that application. By being upfront and honest, the user knows the technology company’s privacy status and is well aware of what they are signing up for.

Lastly, look for a technology provider who promises their sole source of funding is from the proceeds derived from sales by users of their technology and that they never share information with any 3rd parties at any time. They may charge users a small fee to use the application, but these days a small fee seems well worth the privacy it may buy. Just ask Snapchat.

HIPAA in the Contact Center: PHI and Encryption

To ensure that your organization and your clients are acting in accordance with the HIPAA Security Rule as it relates to ENCRYPTION of ePHI, I did some extensive research and found a resource written by the American Medical Association titled “HIPAA Security Rule: Frequently asked questions regarding encryption of personal health information.” The document addresses a number of questions among physicians and other health care professionals as well as other HIPAA-covered entities and business associates. Consider the points below as they relate to your usage of ePHI:

To Begin with, What Information Should You Encrypt?

Any systems and individual files containing PHI/ePHI should be encrypted. Examples include electronic medical records, claims payment appeals, scanned images, emails containing ePHI, etc.

Emails containing ePHI. If you or your clients (physicians) correspond with health insurers or other health care professionals via email and those emails contain ePHI, then you could be accused of failing to protect ePHI for which you are responsible.

Encrypt all devices containing ePHI. Passwords are not enough, especially in the event that a hard drive was removed from a laptop containing ePHI. All devices that contain ePHI, including laptops, PCs, smartphones and tablets, need encryption technology, preferably “whole disk encryption” technology.

If ePHI is accessed via the Internet, encrypt those sessions. Since data that is published on the Internet is available to the public, you need to check with your Web service provider to ensure that any PHI that travels across the Internet is protected by secure sockets layer (SSL) or similar technology.

Encrypt any other remote access sessions. If you have a situation in which physicians/staff connect to the home office remotely to read email or access other resources containing ePHI, then this access may constitute a vulnerability to unauthorized snooping. It is important that these sessions be conducted using encrypted tunnels, or VPNs.

What Happens If a Security Breach Occurs at an Organization That Uses Encryption Technology?

If the ePHI is stored and transmitted in encrypted form, then you do not need to notify patients. This only applies to HIPAA-covered entities and business associates that use encryption technologies that render ePHI unusable, unreadable, or indecipherable to unauthorized individuals.

How do Startel’s Solutions Help Organizations Protect ePHI?

Businesses that handle sensitive information are not only morally obligated to protect sensitive, private and personal information of their clients; they are legally obligated to do so. Startel’s Encrypted Email Service enables compliance with HIPAA by utilizing the Secure/Multipurpose Internet Mail Extensions (S/MIME) encryption protocol. This protocol converts email messages from a readable plaintext format to a scrambled ciphertext format. Only the recipient using the private key that matches the public key used to encrypt the email message can decipher the message. If someone intercepts the message without access to the private key, the email message would appear only as garbled text.

The private and public keys are the means for both encoding and decoding email messages. Essentially the unique private/public key acts as a distinctive digital signature bound to a particular email address.

In addition, the Startel Encrypted Email Service is encoded utilizing the Advanced Encryption Standard (AES) 128-bit block size. This level of cryptography ensures security is maintained for all encrypted messages. Any attempt to “break” an encrypted message secured at 128-bit encoding would take billions of years to try every possible combination.
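What the S/MIME description above looks like with the OpenSSL command line, as an added example that is not Startel's code or part of the original post: a message is encrypted to one recipient's certificate with AES-128, only that recipient's private key opens it, and the cipher recorded in the message is checked rather than assumed. The mailbox names, file names and message text are constructed.

```shell
#!/usr/bin/env bash
# Added illustration. Identities, file names and the message are constructed.
set -eu
WORK=$(mktemp -d)

# Create a throwaway RSA key pair and self-signed certificate for one mailbox.
make_identity() {  # $1 = file prefix, $2 = e-mail address
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2/emailAddress=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Encrypt stdin to the recipient's certificate (public key) using AES-128-CBC.
# -binary keeps the bytes unchanged instead of converting line endings.
encrypt_for() {  # $1 = recipient prefix, $2 = output file
  openssl smime -encrypt -aes128 -binary -outform PEM \
    -out "$2" "$WORK/$1.crt"
}

# Decrypt with one identity's certificate and private key; prints plaintext.
# Returns non-zero when the message was not encrypted to that identity.
decrypt_as() {  # $1 = identity prefix, $2 = input file
  openssl smime -decrypt -inform PEM -in "$2" \
    -recip "$WORK/$1.crt" -inkey "$WORK/$1.key" 2>/dev/null
}

# Report the content-encryption algorithm recorded inside the message,
# so a weaker cipher than expected is caught during review.
content_cipher() {  # $1 = input file
  openssl asn1parse -in "$1" | grep -o 'aes-[0-9]*-[a-z]*' | head -n 1
}

make_identity nurse nurse@clinic.example
make_identity other other@clinic.example
MSG="$WORK/msg.pem"
printf 'Patient callback: constructed sample text\n' | encrypt_for nurse "$MSG"

echo "cipher:    $(content_cipher "$MSG")"
echo "recipient: $(decrypt_as nurse "$MSG")"
decrypt_as other "$MSG" >/dev/null || echo "other key: cannot decrypt"
```
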

Users of Startel’s Encrypted Email Service have peace of mind knowing that their messages remain secure and private during transmission and storage.

In my third blog post of this topic, I will address how Startel’s Secure Messaging application handles ePHI and specifically, how it complies with HIPAA.

Source: http://www.ama-assn.org/resources/doc/psa/hipaa-phi-encryption.pdf

HIPAA In the Contact Center

The buzz surrounding HIPAA in contact centers is getting louder, and with good reason: As of September 23, 2013, healthcare providers, health plans, other HIPAA covered entities and their business associates must comply with the new Privacy and Security requirements. Those who fail to comply by the deadline or experience breaches in customer data security may face substantial fines and penalties.

This blog post will be one of several regarding HIPAA, and what we (software vendors and users) must do to comply with it. To ensure we all have a basic and common understanding of HIPAA, this first blog post will address some general definitions, including how Startel and our customers are designated per HIPAA and how the Privacy and Security Rules apply to us.

HIPAA Overview
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. These Rules help to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.

Before we can discuss the HIPAA Privacy Rule and HIPAA Security Rule, we must mention who these Rules apply to.

Covered Entities and Business Associates
The HIPAA Rules apply to both covered entities and business associates:

Covered Entity (CE)
: CEs are basically any person, business, or government entity that furnishes, bills, or receives payment for health care in the normal course of business. Examples include physicians, hospitals, pharmacies, health care clearinghouses (billing services) and health plans/insurers.

Business Associate (BA)
: A business associate is a person or organization that performs a function on behalf of a covered entity. Examples of a BA include software vendors (such as Startel), third-party billing companies, claims processors, collections agencies, and outsourced contact centers. BAs must also agree to the privacy and data security requirements of HIPAA. A business associate could be a contact center outsourcer that handles calls for a covered entity or a collection agency working on their behalf.

Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules’ requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.

The Standards for Privacy of Individually Identifiable Health Information, also known as the Privacy Rule, establishes a set of national standards that protects individuals’ health information – called “protected health information (PHI)”. PHI is “any health information that is individually identifiable”. Examples include an individual’s name, date of birth, social security number, address, as well as health status and payment/billing information. The Privacy Rule addresses the use and disclosure of PHI whether in written, oral, or electronic format by covered entities. It also sets standards for individuals’ privacy rights to understand and control how their health information is used.

The Security Standards for the Protection of Electronic Protected Health Information, or the Security Rule, is a national set of security standards for protecting certain health information that is held or transferred in electronic form (ePHI). The Security Rule addresses the technical and non-technical safeguards that covered entities must put in place to secure individuals’ ePHI. Technical safeguards include access control, audit controls, integrity controls and transmission security. Each of these technical safeguards can be addressed with software solutions, including encryption technology and secure messaging.  

In March 2013, the long-awaited Omnibus Rule made the most sweeping changes since the HIPAA Privacy and Security Rules were first implemented. The new rule expands the definition of a business associate to include “any downstream subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate.” Business associates and their subcontractors who have access to PHI are directly liable for compliance with the HIPAA Privacy and Security Rules. In addition, among the changes is an enhanced opportunity for the Office for Civil Rights to enforce compliance.

Why am I sharing all of this information with you and why is it important? Since both Startel and our customers (telephone answering services and contact centers) are considered business associates, we are therefore:
•    Required to comply with the Rules’ requirements, including the Omnibus Rule, to protect the Privacy and Security of PHI. We have until September 2013 to become compliant.
•    Directly liable for compliance with certain provisions of the HIPAA Rules. Penalties can be civil or criminal and may cost thousands of dollars and possibly imprisonment.

In my next blog post, I will address how Startel’s solutions address a pressing topic area: Encryption of PHI/ePHI, and specifically, what information/devices must be encrypted to ensure HIPAA compliance.

Source: http://www.hhs.gov/
