Page 1: Dialogues In Healthcare - The Rozovsky Group · add-on RFID readers could potentially be used to steal financial, personal, or insurance information from people within range. A mobile

Dialogues in Healthcare © 2013 All Rights Reserved

Dialogues In Healthcare

STRATEGIES FOR EFFECTIVE COMMUNICATION

Volume 7, Number 03 March 2013

The Social Media Singularity

by Joshua I. Rozovsky, MS

Technology futurists and fans of science fiction have long predicted an age of so-called “technological singularity” – a time when human and machine capabilities merge. Whether it enables a form of super-intelligence, or blurs the line between what it means to be human versus machine – every new technological revolution has some predicting that the singularity is about to happen, or already has. Could the Internet act as a giant “super-brain”? Could people eventually have their memories downloaded to a computer or robot – changing what it means to be alive – or dead? Previous editions of Dialogues in Healthcare have focused on the evolution of social media,[1] mobile technologies,[2] and services in the “cloud” that provide software and information via remote datacenters and the Internet.[3] The increasing integration of these technologies has highlighted the fact that controlling information is becoming both more difficult – and more critical. Several technologies have emerged that raise the spectre of technological singularity being closer than ever before. Many of these technologies have already been released to the public, or are scheduled to be released – and are likely to be encountered in healthcare organizations. The emergence of these technologies is likely to force changes in policies and procedures as well as changes in technical and operational security measures.

A Publication of The Rozovsky Group, Inc./RMS

Fay A. Rozovsky, JD, MPH Editor

POWERED BY ONEBEACON PROFESSIONAL INSURANCE - PAGE 2

The New Tech - 2013. Apple’s cloud-based voice recognition service called Siri. Google’s competing service called Voice Search. Voice recognition and transcription to text and email. Increasing use of Internet-based telephones and “virtual telephones.” Skype video conferencing. Wearable computers. Heads-up displays. Sensors embedded in clothing. Short range “personal area networks.” Digital currency systems to replace wallets. GPS reporting. Facebook, Twitter, and a host of other social media services. This list is not exhaustive – and it does not describe any truly “new” services in the technology sector – a sector where “new” is often defined in hours instead of days, weeks, months or years. What has changed is that these disparate services have recently become more integrated – more connected to one another than they were previously:

Apple Updates and Social Media. Updates to Apple’s operating systems on its mobile devices (iPods, iPhones and iPads) and the Mountain Lion desktop operating system allow users to directly post pictures, and use Siri to easily update Facebook and Twitter.[4]

Address Book Integration. The linking of Facebook, Twitter and the Apple Address Book means that users now can see photographs of their contacts – retrieved “behind the scenes” – based on that person’s contact information – even if the person is not necessarily a “friend.”

The Address Book picture thus becomes a sort of universal “avatar” – an online persona used to identify a person photographically across multiple disparate Internet properties. There are services to create such universal avatars – such as Gravatar (now owned by the Wordpress blogging platform[5]) – but the Apple integration is largely automatic instead of requiring a user to create an account specifically to make their “avatar” available.

Enhanced Metadata in Messages and Photos. Using the onboard GPS and other sensors, photos posted to Facebook and other social media that were taken with cellphones and many other digital cameras can include user-identifying data and location. Such embedded data is often called “metadata” or “data about data” and may not be easily accessible to the end-user, who remains unaware of the full extent of the information they are sharing with others.
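The location described above lives in the EXIF block of a JPEG and is invisible in most photo viewers. The Python below is an added example, not code from the newsletter or from any vendor named in it: it builds a constructed stand-in JPEG carrying a GPS IFD (make_sample_jpeg, with constructed coordinates), reads the coordinates back the way a reviewer or an upload filter would, and strips the APP1 segments so the picture can be shared without its location. The sample file is a bare minimum (header segments, a few scan bytes, end marker), not a real photograph.

```python
import struct

SOS, APP1 = 0xFFDA, 0xFFE1                   # JPEG markers used below
TAG_GPS_IFD = 0x8825                         # IFD0 entry pointing at the GPS IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004

def _deg_to_dms(value):
    """Decimal degrees -> (numerator, denominator) RATIONALs for deg, min, sec/100."""
    value = abs(value)
    deg = int(value)
    minutes = int((value - deg) * 60)
    seconds = round(((value - deg) * 60 - minutes) * 60 * 100)
    return [(deg, 1), (minutes, 1), (seconds, 100)]

def build_gps_exif(lat, lon):
    """Constructed sample: big-endian ("MM") TIFF block, IFD0 -> GPS IFD -> rationals."""
    ascii_entry = lambda tag, ch: struct.pack(">HHI", tag, 2, 2) + ch.encode() + b"\0\0\0"
    gps_ifd_off = 26                         # header (8) + IFD0 with one entry (18)
    data_off = gps_ifd_off + 2 + 12 * 4 + 4  # GPS IFD with 4 entries ends at 80
    header = b"MM" + struct.pack(">HI", 42, 8)
    ifd0 = struct.pack(">H", 1) + struct.pack(">HHIII", TAG_GPS_IFD, 4, 1, gps_ifd_off, 0)
    gps = (struct.pack(">H", 4)
           + ascii_entry(GPS_LAT_REF, "N" if lat >= 0 else "S")
           + struct.pack(">HHII", GPS_LAT, 5, 3, data_off)
           + ascii_entry(GPS_LON_REF, "E" if lon >= 0 else "W")
           + struct.pack(">HHII", GPS_LON, 5, 3, data_off + 24)
           + struct.pack(">I", 0))           # no next IFD
    rationals = b"".join(struct.pack(">II", n, d)
                         for n, d in _deg_to_dms(lat) + _deg_to_dms(lon))
    return header + ifd0 + gps + rationals

def make_sample_jpeg(lat, lon):
    """Constructed stand-in for a phone photo: SOI, EXIF APP1, minimal SOS, 3 scan bytes, EOI."""
    exif = b"Exif\0\0" + build_gps_exif(lat, lon)
    app1 = struct.pack(">HH", APP1, len(exif) + 2) + exif
    sos = struct.pack(">HH", SOS, 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app1 + sos + b"\x12\x34\x56" + b"\xff\xd9"

def _read_ifd(tiff, off, fmt):
    """Yield (tag, type, count, offset of the 4-byte value field) per IFD entry."""
    (n,) = struct.unpack_from(fmt + "H", tiff, off)
    for i in range(n):
        entry = off + 2 + 12 * i
        tag, typ, count = struct.unpack_from(fmt + "HHI", tiff, entry)
        yield tag, typ, count, entry + 8

def extract_gps(tiff):
    """(lat, lon) in decimal degrees from a TIFF/EXIF block, or None if there is no GPS IFD."""
    if tiff[:2] not in (b"MM", b"II"):
        return None
    fmt = ">" if tiff[:2] == b"MM" else "<"   # byte order declared in the TIFF header
    (ifd0_off,) = struct.unpack_from(fmt + "I", tiff, 4)
    gps_off = None
    for tag, typ, count, val_off in _read_ifd(tiff, ifd0_off, fmt):
        if tag == TAG_GPS_IFD:
            (gps_off,) = struct.unpack_from(fmt + "I", tiff, val_off)
    if gps_off is None:
        return None
    fields = {}
    for tag, typ, count, val_off in _read_ifd(tiff, gps_off, fmt):
        if typ == 2 and count <= 4:          # N/S or E/W letter stored inline
            fields[tag] = tiff[val_off:val_off + 1].decode("ascii", "replace")
        elif typ == 5 and count == 3:        # three RATIONALs (deg, min, sec) at an offset
            (data_off,) = struct.unpack_from(fmt + "I", tiff, val_off)
            v = struct.unpack_from(fmt + "IIIIII", tiff, data_off)
            d, m, s = (v[i] / v[i + 1] if v[i + 1] else 0.0 for i in (0, 2, 4))
            fields[tag] = d + m / 60 + s / 3600
    if GPS_LAT not in fields or GPS_LON not in fields:
        return None
    lat = fields[GPS_LAT] * (-1 if fields.get(GPS_LAT_REF) == "S" else 1)
    lon = fields[GPS_LON] * (-1 if fields.get(GPS_LON_REF) == "W" else 1)
    return lat, lon

def _segments(jpeg):
    """([(marker, segment bytes), ...] before SOS, tail) where tail = SOS + scan data + EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    segs, pos = [], 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack_from(">HH", jpeg, pos)
        if marker == SOS:
            break
        segs.append((marker, jpeg[pos:pos + 2 + length]))
        pos += 2 + length
    return segs, jpeg[pos:]

def photo_location(jpeg):
    """Coordinates embedded in the JPEG's EXIF segment, or None (also for malformed input)."""
    try:
        exif = [s for m, s in _segments(jpeg)[0] if m == APP1 and s[4:10] == b"Exif\0\0"]
        return extract_gps(exif[0][10:]) if exif else None
    except (struct.error, ValueError):
        return None

def strip_location_metadata(jpeg):
    """Copy of the JPEG with every APP1 (EXIF/XMP) segment dropped; image data is untouched."""
    segs, tail = _segments(jpeg)
    return b"\xff\xd8" + b"".join(seg for marker, seg in segs if marker != APP1) + tail
```

Dropping APP1 also removes camera make, model and serial number, which the later section on tracking names as identifiers; an upload filter that cannot parse the block should still be able to drop it.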

Skype-Facebook Integration. Skype is now a preferred service for video chatting on Facebook, a service that permanently keeps records of all communications between users. Indeed, at the time of publication, Facebook does not currently allow deletion of old conversations, only “hiding” them. At the same time – other emails or text messages sent through the service may not appear – ending up in a semi-hidden folder similar to a “spam box.” Meanwhile – text messages not sent through the service can be collected by Facebook as well if sent via the same mobile device – although Facebook denied it used this capability when interviewed in February 2012.[6]

Facebook Email Aliases and Facebook Home. Many users are choosing to share their Facebook email address instead of their traditional business or home email address. Facebook seeks to become an integrated “communications portal” – for video, text messaging, address books, calendar services, email, and mobile devices. Integration with the Apple mobile operating system is not the only method being used – Facebook has now released a modification to Google’s Android operating system entitled “Facebook Home” that makes it even easier for users to share information on the service.[7]

Personal Information is Easier to Uncover. Facial recognition and data mining technology is also becoming more “democratized” – more available to end-users and smaller entities, making it increasingly difficult to hide information online. This is also making breaches of previously redacted or non-sensitive data more dangerous; what was once innocuous can now potentially be linked or “aggregated” with other seemingly-innocuous data to create a complete picture. If the aggregate information had been breached by one entity, it would have constituted a breach of protected health, financial, personal, or security information.

Facebook, Google, Amazon, and other services’ tracking and data mining algorithms are arguably so complete that it may be very difficult to protect, hide or keep private anything online. It is also easier to find previously hidden information. Facebook’s Graph Search is an example of this newest search technology – integrating Microsoft’s Bing search engine, Facebook’s own data and other third-party sources to allow users to “find more of what [they’re] looking for on Facebook and discover fun connections between people, places and things.”[8]

More Advanced Tracking Techniques. Mobile users may be tracked by physical location, the electronic serial number on their phone, their IP address on the Internet, the serial number from their camera, their facial or voice patterns, or other characteristics – developers seek to exploit patterns and new techniques to enable more sophisticated tracking. This tracking may be used for everything from marketing to building road-traffic maps and providing data to emergency services.

Traditional websites may track users via Facebook integration, Google Analytics, Amazon’s A3 or other services – meaning users’ likes, tastes, shopping habits and more can be tracked not just within one website, but everywhere online and in the “real world.”

Acquisitions Driving Integration of Formerly-Disparate Services. Acquisitions are forming a basis for much of the integration. The photo-sharing and filtering service Instagram was acquired by Facebook in April 2012.[9] The Flickr photo-sharing service was acquired by Yahoo in 2005 and in 2011 contained more than 6 billion publicly-accessible images, with 518 million uploaded in 2012 alone.[10] YouTube became a property of Google in 2006,[11] and Google purchased the ZAGAT reviews service in 2011.[12] Microsoft Corporation purchased Dutch-based Skype in 2011 as well.[13]

Increased Device Capabilities and Speed. New physical technologies are also pushing the envelope – smartphones and tablets are faster than a year ago. They have greater Internet connectivity speed and options. Screen resolution has increased to the point that some medical applications are now approved for viewing on these devices. Other mobile devices are smaller – and have longer battery life than before and contain additional radios to allow for a “wallet free existence.”

Google Wallet, NFC and the Digital Wallet. The smartphone or tablet may be used to provide payment instead of carrying a credit card, check, or cash. There are many apps that can work with capable mobile devices to provide this functionality, including the Google service called “wallet.”[14] Some airlines and security services even accept the carrying of the device instead of a boarding pass or form of identification. This may use a barcode (QR Code) displayed on screen, or radio communication (RFID or Near Field Communication).

Capable mobile devices or third-party accessories can also be used to “read” or receive such identification or payment data. Considering that many driver’s licenses, passports, credit cards and medical insurance identification cards contain RFID chips – smartphones with integrated or add-on RFID readers could potentially be used to steal financial, personal, or insurance information from people within range. A mobile device with malware onboard could even be used to steal credit card or passport data from its owner if the mobile device is within range of that person’s passport, credit cards, or driver’s license.

Wearable Electronics and Eavesdropping. Another technology that is not “new” but had previously been relegated to specialist applications are wearable sensors, cameras, and heads-up display devices.

With the introduction of Google Glass[15] – anybody could be wearing, recording, and collecting information on others – anywhere and anytime. Imagine if Google Glass, combined with facial-recognition software, connected to Facebook, Twitter, or Flickr could provide identification in real-time of everybody in a waiting room, unbeknownst to anybody except the wearer of the Google Glass?

The January 2012 Issue of Dialogues in Healthcare addressed the issue of “tape recording” disclosure and consent conversations – and the possibility that providers or patients may be surreptitiously recorded.[16] A mobile device such as a smartphone or music player is a capable audio-video surveillance device which, when connected to the Internet, has an effectively unlimited recording duration.

This is not theoretical – HealthcareIT News reported in July 2012 on a new app designed to provide HIPAA-compliant secure recording and storage software to enable “fact checking” about what may have been said during a conversation.[17] Beyond such purpose-built medical communications software, open source technology encourages third parties to make plugins and other software to connect these sorts of data stores and devices together and expand their capabilities – often at no cost to the end-user.

Medical Device – Mobile Device Integration. Consider that some wearable and “add-on” electronics are designed to collect data not only on the world around the user, but about the user – medical devices that use smartphones as a display or control, or use the smartphone to communicate the data to others. These include everything from wifi-enabled bathroom weight scales, to glucometers and blood pressure cuffs. Such devices may not always be sold as “medical devices” but as “novelty or educational” items – but the distinction may not always be clear to patients, and could even lead to resentment that a provider is “old fashioned” for not embracing or supporting the use of a non-FDA-approved device. Communicating to patients the reasons why a particular device or app is recommended by the provider over another becomes an important aspect of the patient encounter – and requires a technically-knowledgeable provider.

Open Source Technology and Third-Party Add-Ons. The risks associated with a single technology or software application cannot be assessed in a vacuum – the software and technology need to be considered as if they will be connected to other technologies. The capabilities may be expanded far beyond those that even the product developer may have envisioned.

Open-source software encourages “anybody” to tinker and modify the software to make it better, or create derivative products. The open-source movement has now moved into physical devices – the “open source hardware” and “maker” movements shun patents and encourage the sharing of plans and ideas online.

Increasing Development and Use of Smart Device Malware. Malware, including viruses, Trojans, and worms, has long been a concern for users of desktop computers and email. It has become increasingly worrisome for users of social media and mobile devices. Facebook and Twitter have become frequent targets of attackers seeking to take over accounts and send spam, ads, or additional malware that appears to originate from the user or organization that was attacked.[18] Indeed, at the time of publication, a major outbreak of the “Stelware” Trojan targeting Android phones was being reported. The malware attacks the device and the user’s associated desktop computer; the group responsible is a known organized crime group.[19] The integration between social media apps and mobile devices means that a malware application spread via social media could potentially be used to access not only traditional targets such as the address book and email but also the user’s GPS, camera, microphone, and the financial, identification, and medical information stored onboard. This is particularly frightening as apps exist to control users’ home appliances, lighting, medical devices, security and surveillance systems, banking and more. Many of these apps are not secured by anything other than the 4-digit passcode or swipe pattern used to unlock the screen. A smartphone or tablet could become not only the vehicle for identity theft, but an enabler for physical robbery, assault, or worse. Security researcher and pilot Hugo Teso recently claimed that an infected Android device could even potentially be used to hijack commercial aircraft navigation systems.[20]

Legal, Regulatory and Social Considerations. While the technologies described are coming together to create new risks for patients, providers, and healthcare organizations – there are also changes in the legal, regulatory and social landscapes that must be included in any risk management assessment and strategy-building.

Use of Non-secure Transmission Methods for PHI. Much of the concern over electronic health records has involved privacy and security. The meaningful use phase two criteria and standards have included minimum levels of encryption.[21]

It is with some irony then that the Final Rule on HIPAA released in January 2013 includes a provision that allows a patient to request that a copy of his or her record be transmitted via unencrypted email.[22] To what extent should providers inform patients about the risks of their information being provided in this way? Email is the equivalent of a digital postcard – readable by anyone who has access to the computers that resend the message along its route.[23]

Email and text messaging[24] are so insecure that the government has argued in criminal cases that no warrant is needed to read them – although this position has been challenged by the Courts.[25] Indeed the IRS handbook states that “…e-mails and other transmissions generally lose their reasonable expectation of privacy and thus their Fourth Amendment protection once they have been sent from an individual’s computer.”[26]

What if the email address is at Facebook or another social media site or email alias service? Does this change the user-perceived level of security?

The End of “Traditional” Contact Information. Similar considerations exist when patients supply other contact information that is non-traditional, including Facebook accounts, Twitter handles, a Google-based telephone number, Skype address, text-only telephone number, or iCloud username. First of all, does the provider have the capability to use that contact information? Second, how will such contacts be documented?

Like some of the technical trends discussed - this is also not a theoretical possibility. In low income areas or amongst patients for whom cellular and landline service has become cost-prohibitive, providers are being supplied with contact information – or even being contacted via – free Internet services that make use of mobile devices or public computers without cellular or traditional landline connectivity.

The caller may connect to a public wi-fi network and be using a Google “virtual” telephone account, Apple iMessage service, Facebook account, or other “free” Internet telephony service. Providers may not even realize that the means by which the patient is contacting them is not a traditional telephone system in the case of some “virtual phones” until attempts are made to call back using a traditional landline.

911 emergency systems are attempting to deal with this issue due to the possibility of routing calls to the incorrect dispatch center, or sending emergency services to the wrong address. This has been a challenge for several years with VOIP (Internet-based) home telephones.[27] Meanwhile, the “enhanced” 911 system (E-911) collects additional location data from telephones. The Phase 2 criteria for E-911 required 95% of phones to be location-identifying by 2005.[28] The next generation of 911 services being rolled out includes the ability to send and receive text messages and MMS – an extension to the SMS text messaging system that includes the ability to send and receive video and photos. These new capabilities recognize the changing way people use their mobile devices.[29]

Do Not Track Requests. There are additional privacy considerations as well: “Do Not Track” is a proposed extension to the HTTP protocol that passes a preference from the browser to websites, enabling users to opt out of the information collection performed by the site or by third-party analytics services. What some may not realize is that the Do Not Track feature now included in many web browsers does not prevent tracking. It simply sends a message to websites “requesting” that they not track the user.[30]

Furthermore, apps downloaded to a smartphone do not necessarily follow the same rules – and may not always disclose what other information they collect – whether it includes the user’s address book, physical location, or other apps they have downloaded.
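Because the browser can only ask, honouring the request is the site’s job, and checking that it does is the job of whoever answers item 9 of the strategies below (“Does the website comply with do not track requests?”). The Python below is an added example, not code from the newsletter or from any product it names: render_page shows what honouring DNT means on the server side, and audit_dnt_compliance runs over constructed access-log lines. Assumptions: a hypothetical analytics script at analytics.example, a cookie named visitor_id, a custom log format that records the DNT request header and the name of any cookie the response set, and the Tk response header from the W3C Tracking Preference Expression draft (N = not tracking, T = tracking).

```python
import re

# Hypothetical analytics beacon a page would normally embed (constructed for this example).
ANALYTICS_TAG = '<script src="https://analytics.example/collect.js"></script>'
TRACKING_COOKIE = "visitor_id"


def dnt_requested(headers):
    """True when the request carries DNT: 1; HTTP header names are case-insensitive."""
    for name, value in headers.items():
        if name.lower() == "dnt":
            return value.strip() == "1"
    return False


def render_page(request_headers, body_html, visitor_id):
    """Return (status, response headers, body) for one page request.

    Assumed policy: with DNT: 1 the server sets no tracking cookie, leaves the
    analytics script out of the page and answers Tk: N; otherwise it tracks
    and says so with Tk: T.
    """
    headers = [("Content-Type", "text/html; charset=utf-8")]
    if dnt_requested(request_headers):
        return "200 OK", headers + [("Tk", "N")], body_html
    headers.append(("Set-Cookie",
                    f"{TRACKING_COOKIE}={visitor_id}; Max-Age=31536000; HttpOnly; Secure"))
    headers.append(("Tk", "T"))
    return "200 OK", headers, body_html.replace("</head>", ANALYTICS_TAG + "</head>")


# Constructed access-log lines in a custom format: client, request, status, the DNT
# request header value ("-" when absent) and the name of any cookie set ("-" when none).
SAMPLE_LOG = """\
203.0.113.7 "GET /appointments" 200 dnt=1 set_cookie=-
198.51.100.9 "GET /appointments" 200 dnt=- set_cookie=visitor_id
203.0.113.22 "GET /billing" 200 dnt=1 set_cookie=visitor_id
192.0.2.5 "GET /contact" 200 dnt=0 set_cookie=visitor_id
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<req>[^"]*)" (?P<status>\d{3}) '
                    r'dnt=(?P<dnt>\S+) set_cookie=(?P<cookie>\S+)$')


def audit_dnt_compliance(log_text):
    """Parsed log lines where a DNT: 1 request was nevertheless given a tracking cookie."""
    violations = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and m["dnt"] == "1" and m["cookie"] != "-":
            violations.append(m.groupdict())
    return violations
```

A real web server has to be configured to log the DNT request header and the Set-Cookie response header before such an audit is possible; the constructed format above stands in for that configuration.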

App to App Information Sharing. As noted previously, apps may also share information with other apps. This means that a user storing information in a chat application may in effect be “sharing” that data with an application that they use for strictly work-related purposes.

While Apple’s App Store and Google’s Android marketplace screen apps for malware or abuse, incidents have been reported where app developers collected or shared information beyond that which was approved.[31]

Strategies for Addressing Emerging Technical Risks. Too often risk management personnel, and often IT / IS (information services) administrators are perceived as being the voice of “no.” What appears to be a promising technology or program to executives, physicians, or patients could be an enormous organizational, technical, reputational, and financial risk but those pushing for implementation do not have the same information that keeps the risk managers and technical staff “up at night.”

Often patients, providers, and others will bring their own devices into the organization – a practice called BYOD (Bring Your Own Device). Whether it is intentionally connected to the organizational network infrastructure or simply carried into the facility, the device may, like a fomite carrying a pathogen, bring risk with its mere presence. Banning devices is easier said than done. Indeed, such policies often existed when cellphones first started sporting cameras. Today, it is difficult to find any cellular device or even laptop without a camera – making implementation of such a policy difficult at best. There are a number of strategies to help bridge the technology use and application gap among risk managers, technical personnel, executives, providers, and patients. These strategies may help to reduce the risks associated with these new technologies and include the following:

1. Educate senior leadership and providers on emerging technologies. Build a culture of technical awareness from leadership on down. Recognize that many people are early adopters of new “tech” while others may not appreciate that what was once “science fiction” is now a reality that can be readily purchased online or in the local “big box” retailer. Consider regular “technology updates” on emerging technologies – medical and consumer – that could impact the organization. Use these updates as an opportunity to address changes in policies and procedures that may be needed. Ensure that leadership realizes that “banning” technologies is not a long-term solution.

2. Develop a plan for unexpected technologies or uses.

Ensure that frontline personnel have a procedure whereby risk management and / or technical staff can provide advice that is consistent, timely, and technically and legally correct. Whether it is a BYOD (Bring your own device) scenario – where a provider or other staff member requests access to the organization’s network or facilities using a non-approved device - or a patient providing an online phone number instead of a “traditional” phone number, frontline personnel need to be able to communicate to patients or others what means of communication are preferred, why, and what alternatives are available.

3. Avoid “Firewall-Centric Thinking.” Recognize that newer technologies evade the protections traditionally offered by firewalls. Recognize that smartphones and mobile devices are easily able to connect simultaneously to personal computers, Wifi and wired networks, and cellular services and circumvent traditional firewall systems. A single unauthorized cellphone or tablet can undermine an entire organizational security system. It is critical that organizations continue to use firewalls internally to compartmentalize different levels of data and access – but recognize that firewalls are only one part of a multilayered security system.

4. Implement Device Management for all Organizational Devices and BYOD Users. Require users of personally-owned devices (BYOD) to agree in writing to the organization’s device management policy – and allow their devices to be managed by the organization’s IT/IS security system. Such a system may include Apple’s Device Management service, Microsoft Exchange, or third-party software. These systems can be used to enforce minimum passwords and allow remote wipe or deletion. Device management can block unauthorized apps that could be used to bypass security measures or are associated with inappropriate workplace behavior.

5. Recognize that Effective Encryption is Time-Limited. Recognize that while encryption technology can be implemented via device management, and is a “safe harbor” under the final HIPAA rule – its effectiveness is time limited. Understand that all encryption is “crackable” given enough time and computing power. Given the increase in computer processing power and the rise of illegal supercomputer networks called “botnets,” today’s industry-standard encryption may be easily broken in a few years. Ensure that encryption methods comply with current industry standards, such as those recommended by the National Institute of Standards and Technology (NIST).

6. Form a Multi-Disciplinary “Futurist” Committee that Represents Experts and Stakeholders. Consider bringing together organizational stakeholders including providers, patients, IT/IS, and risk management personnel to review emerging technologies that may impact the organization. Ask the committee to follow an enterprise risk management (ERM) approach to advise on what controls the organization should implement. These may include technical controls such as firewalls or educational controls, such as conducting a seminar on “staying safe on social media”.

7. Monitor Technical Trends and Threats.

Monitor continuously the latest technical trends and threats. Such monitoring does not necessarily require a technical background but rather a creative mind and an interest in technology. Follow alerts from organizations such as SANS’ Internet Storm Center,[32] the Homeland Security Computer Emergency Readiness Team (CERT),[33] the Carnegie-Mellon CERT Coordination Center,[34] and the International Association of Privacy Professionals.[35]

8. Communicate Technical Threats to Stakeholders. Share information with all stakeholders in the organization promptly whenever a credible threat is detected. Consider the example of a “phishing” email: an email purporting to be from the organization is sent to patients, or an email or text message is sent to staff, claiming to be from the IT department. Consider educating patients and staff on recognizing such scams, and means by which they can verify the veracity of communications received.

9. Review Web-Based and Physical Privacy Disclosures. Review contracts with website hosting firms and subsidiaries, and ensure that the privacy policies stated on the website and in the organization “match” with actual data collection practices, and regulations. Does the website comply with “do not track” requests? Document who collects, and has access to user-tracking information.

10. Review Data Destruction and Remote Wipe Capabilities.

Recognize that like encryption, remote wiping is not a solution for all device-loss scenarios. Remote wiping is a valuable technique used to limit the potential damage when a device is lost or stolen; a signal is sent out that commands the phone, tablet, or computer to delete itself. Recognize that wiping mobile devices not only fails to delete data sent to other devices but the wiping process is in some cases reversible. Special recovery software can recover deleted photos and other data. Consider prohibiting access to internal networks by those devices that lack hardware encryption keys or cannot utilize irreversible wipe methods.[36] Ensure that users who consent to device management of their personally owned devices recognize that device deletion and destruction may be ordered by IT / IS personnel due to a reported loss or theft of the device. Develop policies and procedures for follow-up on device loss / theft reports to ensure that the wipe or destroy signals are sent promptly after a report is made.

11. Consider Technical Measures to Reduce Risk Exposures.

To reduce the threat of new, unauthorized technologies consider providing organization-controlled viable alternatives such as providing free wifi in the waiting room – while using passive measures to attenuate cellular signals. This allows the organization to have some control over user access to the Internet in that situation. Use an egress firewall / filter to block certain types of traffic – such as video or VOIP – or access to pornographic or abusive websites. Ensure that such public wifi systems are segregated from internal networks and contain appropriate disclaimer and user agreements.

12. Provide Patients With Secure Communications Alternatives. Deploy secure communications methods for patients and families that are viable, user-friendly, accessible and compatible with patient-owned devices. Ensure that users are educated (See Sample Tool) on how to use the secure website or app and why it is preferred over free consumer-level technologies such as email or social media. Recognize that PHR modules for some certified EHR systems include secure communications portals for patients. Ensure that the deployed system is audited regularly by external security firms and that the necessary policies and procedures are implemented – including e-Discovery requirements.

13. Comply with e-Discovery Requirements in Social Media, SMS, App and Website-Based Communications. Work with IT/IS personnel and outside vendors to ensure that all communications over “alternative” communications technologies are archived in compliance with State and Federal e-Discovery rules. Ensure that the archive system includes a means to record actions, including post deletion and user account blocking.

14. Avoid Deployment of Harmful or Illegal Countermeasures. Work with technical experts to ensure that devices such as jammers or overly-restrictive firewalls do not create additional harm or liabilities. Devices such as jammers are illegal – and could block legitimate communications and disrupt medical devices.37 Overly-restrictive firewalls may prevent providers and administrators from detecting and assessing threats made on social media against the organization.
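Item 9 above asks whether the website honors “do not track” requests and whether the stated privacy policy matches who actually collects visitor data. The following JavaScript is an added review helper, not code from this newsletter or from The Rozovsky Group: it classifies a request's DNT header using the W3C Tracking Preference Expression values and lists third-party script hosts that are not named in the disclosed collector list. The hostnames, the disclosed list and the sample HTML are constructed; www.abchealthcare.net is taken from the Sample Tool.

```javascript
// Parties the privacy policy says may collect visitor data (constructed).
const DISCLOSED_COLLECTORS = new Set(['analytics.example', 'cdn.example']);

// Classify the W3C Tracking Preference Expression header:
//   DNT: 1 -> user opts out of tracking; DNT: 0 -> user consents;
//   absent or any other value -> no preference expressed.
function dntDecision(headers) {
  const raw = headers.dnt !== undefined ? headers.dnt : headers.DNT;
  const value = (raw || '').trim();
  if (value === '1') return 'no-tracking';
  if (value === '0') return 'consented';
  return 'no-preference';
}

// Collect hostnames of externally hosted <script src=...> tags. A regex is
// enough here: the goal is to surface candidates for a human reviewer.
function externalScriptHosts(html, siteHost) {
  const hosts = new Set();
  const re = /<script[^>]*\ssrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      const u = new URL(m[1], 'https://' + siteHost + '/');
      if (u.hostname !== siteHost) hosts.add(u.hostname);
    } catch (e) {
      // Malformed src attribute: skip it rather than abort the review.
    }
  }
  return hosts;
}

// Third-party hosts that load script on the page but are not named in the
// privacy policy's disclosed collector list: each is a mismatch to resolve.
function undisclosedCollectors(html, siteHost, disclosed = DISCLOSED_COLLECTORS) {
  return [...externalScriptHosts(html, siteHost)]
    .filter((h) => !disclosed.has(h))
    .sort();
}

// Constructed page fragment: one first-party script, one disclosed
// analytics host, and one tracking pixel the policy never mentions.
const SAMPLE_HTML = [
  '<script src="/js/app.js"></script>',
  '<script src="https://analytics.example/a.js"></script>',
  '<script async src="//pixel.tracker-example/p.js"></script>',
].join('\n');

// Example run: a DNT: 1 request must not be handed to any tracker at all.
console.log(dntDecision({ dnt: '1' }), undisclosedCollectors(SAMPLE_HTML, 'www.abchealthcare.net'));
```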

Conclusion. Controls and countermeasures of any type are always in an “arms race” against new risk-presenting technologies. As technologies advance, countermeasures are developed – until new technologies arrive that circumvent the countermeasures, et cetera. In the rapidly-changing world of technical singularity, communication is essential to control and manage new and evolving risks. Engage patients, providers, and the community in a dialogue to transform social media and mobile technologies into tools that promote high-quality, efficient, and effective care.

DIALOGUES IN HEALTHCARE is a publication of The Rozovsky Group, Inc./RMS. This publication is not intended to be and should not be used as a substitute for specific legal advice. For additional information on technology management and controls, please contact us. Contact Information: The Rozovsky Group, Inc./RMS, 272 Duncaster Road, Bloomfield, CT 06002. Tel: (860) 242-1302.

Sample Tool

Alternate Communications Technologies and ABC Healthcare Group

This tool is designed to be used in conjunction with in-service educational programming. Recognize that many EHR systems include a module to allow for secure messaging with providers and patients. This may be integrated into the PHR module. Consider using posters in reception areas and exam rooms. Ensure the sign is behind tamper-resistant glass or plastic or is electronic. An attacker could place a sticker over the secure website address or QR code and redirect patients to a fake or fraudulent website if such a poster is not protected.

Do You Tweet? Are you on Facebook?

Want to Send us a Message?

We’re on Facebook and Twitter too! We make our Facebook page available to you and encourage you to “like us” to get the latest health information from our care providers. If you want to get in touch with us though, we encourage you to use our secure website. Although Facebook and Twitter are fun, they are not secure for sharing private health information. We have built a special secure website at www.abchealthcare.net where you can send and receive messages from your care providers. You can access the secure message page by scanning this QR code with your smartphone. Please always make sure you look for the lock symbol in your browser to make sure your connection is encrypted – meaning no one can read your message while it travels between your computers and ours. If you have any questions, please pick up a copy of our complimentary guide “staying healthy – online and off” in the waiting room.

1 Rozovsky, Fay. “Of Facebook, FMLA, and Employee Dishonesty.” February 2013. TRG e-News.
2 Rozovsky, Joshua. “Invasion of the Apps.” April 2012. TRG e-News.
3 Rozovsky, Fay and Rozovsky, Joshua. “Risk Managing Cloud Computing.” December 2009. TRG e-News.
4 Constine, Josh. “Apple Gives Facebook Deep Integration Into iOS 6 With Siri, Sharing, App Store, API.” June 11, 2012. TechCrunch – an AOL Site. http://techcrunch.com/2012/06/11/facebook-apple-wwdc/
5 “Gravatar.com – A Globally Recognized Avatar.” Automattic, Inc. www.gravatar.com
6 Flyn, Cal and Henry, Robin. “Apps Spy on Phone Messages.” February 26, 2012. The Sunday Times. http://www.thesundaytimes.co.uk/sto/news/uk_news/Tech/article878365.ece
7 Levy, Steven. “Mark Zuckerberg on Facebook Home, Money, and the Future of Communication.” April 4, 2013. WIRED Magazine. http://www.wired.com/magazine/2013/04/facebookqa/
8 Facebook.com. https://www.facebook.com/about/graphsearch
9 Id. Supra.
10 Michel, Franck. “How Many Photos are Uploaded to Flickr every day, month, year?” Flickr Blog of Franck Michel, Flickr.com. http://www.flickr.com/photos/franckmichel/6855169886/
11 “Google To Acquire YouTube for $1.65 Billion in Stock.” October 9, 2006. Google News Announcements. http://googlepress.blogspot.com/2006/10/google-to-acquire-youtube-for-165_09.html
12 “Google Just Got ZAGAT Rated!” September 8, 2011. Google News Announcements. http://googleblog.blogspot.com/2011/09/google-just-got-zagat-rated.html
13 Bright, Peter. “Microsoft Buys Skype for $8.5 Billion. Why, Exactly?” May 10, 2011. WIRED Magazine. http://www.wired.com/business/2011/05/microsoft-buys-skype-2/
14 “Google Wallet.” http://www.google.com/wallet/
15 “Welcome to a World Through Glass.” Google Inc. http://www.google.com/glass/start/what-it-does/
16 Rozovsky, Fay. “Beware the Tape Recorded Disclosure Discussion.” January 2012. TRG e-News.
17 Wicklund, Eric. “New smartphone app targets clinical miscommunication.” July 6, 2012. Healthcare IT News. http://www.healthcareitnews.com/news/new-smartphone-app-targets-clinical-miscommunication
18 Henry, Paul. “Social Media as the Top Malware Delivery Vehicle: How to Protect Your Network.” Presentation to North American CACS, Information Systems Audit and Control Association. May 2012. http://www.isaca.org/Education/Upcoming-Events/Documents/2012-NACACS-Presentations/424-nac2012.pdf
19 “Android Malware: Breaking New Ground and Old Taboos.” April 8, 2013. F-Secure. http://www.f-secure.com/weblog/archives/00002539.html
20 Greenberg, Andy. “Researcher Says He's Found Hackable Flaws In Airplanes' Navigation Systems.” April 10, 2013. Forbes Magazine. http://www.forbes.com/sites/andygreenberg/2013/04/10/researcher-says-hes-found-hackable-flaws-in-airplanes-navigation-systems/
21 “Stage 2 Eligible Professional Meaningful Use Core Measures – Measure 9 of 17.” October 2012. Center for Medicare and Medicaid Services, EHR Incentive Program. http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/downloads/Stage2_EPCore_9_ProtectElectronicHealthInfo.pdf
22 “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule.” January 25, 2013. Federal Register 78(17): 5566-5702.
23 For more information on the revised HIPAA – HITECH regulations and the unencrypted email provision, please see Rozovsky, Fay. “The Final HIPAA – HITECH Regulations: Making the Business Case for ERM.” January 2013. TRG e-News. Also see Rozovsky, Fay. “Are You Sure You Want Me to Email Your PHI?” January 2013. Dialogues in Healthcare.
24 Wessler, Nathan Freed. “New Documents Suggest IRS Reads Emails Without a Warrant.” April 10, 2013. ACLU Free Future Blog. http://www.aclu.org/blog/technology-and-liberty-national-security/new-documents-suggest-irs-reads-emails-without-warrant
25 McCullagh, Declan. “IRS claims it can read your e-mail without a warrant.” April 10, 2013. CNET News. http://news.cnet.com/8301-13578_3-57578839-38/irs-claims-it-can-read-your-e-mail-without-a-warrant/
26 Id.
27 “VoIP and 911 Service.” Federal Communications Commission. http://www.fcc.gov/guides/voip-and-911-service
28 “Sprint, Alltel, USC fined for missed e911 deadline.” August 31, 2007. FierceWireless. http://www.fiercewireless.com/story/sprint-alltel-usc-fined-missed-e911-deadline/2007-08-31

29 “Chairman Genachowski Announces Commitments to Accelerate Text-to-911.” December 6, 2012. Federal Communications Commission. http://www.fcc.gov/document/chairman-genachowski-announces-commitments-accelerate-text-911
30 “Tracking Protection Working Group.” W3C (World Wide Web Consortium). http://www.w3.org/2011/tracking-protection/
31 Perlroth, Nicole and Bilton, Nick. “Mobile Apps Take Data without Permission.” February 15, 2012. New York Times. http://bits.blogs.nytimes.com/2012/02/15/google-and-mobile-apps-take-data-books-without-permission/
32 SANS Institute – Internet Storm Center. https://isc.sans.edu
33 US Department of Homeland Security – US-CERT. http://www.us-cert.gov
34 Carnegie Mellon – Software Engineering Institute – CERT Coordination Center. http://www.cert.org
35 International Association of Privacy Professionals. http://www.privacy.org/
36 Honan, Mat. “Break Out a Hammer: You’ll Never Believe the Data ‘Wiped’ Smartphones Store.” April 1, 2013. WIRED Magazine. http://www.wired.com/gadgetlab/2013/04/smartphone-data-trail/all/
37 “Jamming Prohibition.” Federal Communications Commission. Updated as of April 9, 2013. http://www.fcc.gov/encyclopedia/jammer-enforcement