Dealing with Sensitive Data: Helping You Protect You

Why the Focus on Data Security?
Because some data collection and use is federally regulated, and data security is a core regulatory component. Ignoring it can:
- Get you fined, fired, or criminally prosecuted
- Impact your ability to get future funding, and dramatically delay your work
- Leave you fighting for your very identity

What We'll Cover
- Data: sensitive vs. not
- Data regulations: what you can and can't do (PHI)
- Safe Harbor and other protections
- Acceptable use of sensitive data
- Common areas of risk
- Common threats
- Protecting yourself
- Knowing your environment
- Educating yourself
- Who can help?
- Questions?

Key Takeaways
- What data must be protected?
- What tools and behaviors can help?
- Why data security has become so important to the University, to the School, and hopefully, to YOU

The Basics: What is Data?
Dictionary.com says it is "facts and statistics collected together for reference or analysis." Data can be gathered or created for any number of purposes: business, research, education, etc. What you can do with the data you create or collect depends on what data you're gathering and why.

All Data is Not Equal
The Government bases its data protection regulations on three classes of data:
- Highly Sensitive Data
- Confidential Data
- Public Data
The regulations apply to the Highly Sensitive class, which is comprised of:
- PHI: Protected Health Information
- PII: Personally Identifiable Information

PHI In-depth
Protected Health Information is information, including demographic data, that relates to: the individual's past, present or future physical or mental health or condition; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual; and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. This individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number). (HHS.gov)

What are the Regulations?
Data use regulations are in place at both the State and Federal levels via the following:
- Health Insurance Portability and Accountability Act (HIPAA, 1996), Privacy Rule (2003) and Security Rule (2006)
- NY State SSN Breach Act (2004)
- The Health Information Technology for Economic and Clinical Health Act (HITECH, 2009)
Under the health-related acts, healthcare providers, health plans, and healthcare clearing houses (aka "Covered Entities") must act to protect the privacy and security of health information.

Why Do We Care?
As part of the CUMC campus, Mailman is automatically considered part of the Covered Entity to which the regulations apply, even though we are not technically a healthcare provider, plan, or clearing house. The HITECH Act provides for significant financial penalties in the event of a leak of PHI. In the case of negligence or intent, even criminal prosecution is on the table.

HITECH in Action
- "Hospital To Pay Millions After Embarrassing Data Breach Put Patient Info On Google!" (Business Insider, May 14)
- "New York-Presbyterian, Columbia to pay largest HIPAA settlement: $4.8 million!" (Modern Healthcare, May 14)
- "Server mishap results in largest HIPAA fine to date!" (FierceHealthIT, May 14)

We Are Under Attack
- "Russian Hackers Acted to Aid Trump in Election, CIA Says" (NYT 12/09/16)
- "Massive Malvertising Campaign Hits MSN and Yahoo" (Databreach Today 12/16)
- "Hackers Steal $31M from Russia's Central Bank" (Databreach Today 12/16)

So How do You Stay Out of Trouble?
- Know and follow the data regulations: what you can and can't do
- Avoid using sensitive data
- Understand that YOUR behavior can be either your biggest protection or your biggest risk
- Be paranoid

The Regulations
The HIPAA Privacy Rule provides federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights. At the same time, the Privacy Rule permits the disclosure of health information needed for patient care and other important purposes. A guiding principle of the Privacy Rule is the Minimum Necessary standard, which says that Covered Entities and their Business Associates must make all reasonable efforts to limit disclosures of PHI to the minimum amount necessary to accomplish the intended purpose.

The Regulations (cont'd)
The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity, and availability of electronic protected health information. HITECH promotes the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules. (HHS.gov)

Practical Application: PHI Use in Research
You can use PHI for research under these circumstances:
- Written Authorization: A covered entity may disclose protected health information provided that the individual who is the subject of the information (or the individual's personal representative) authorizes it in writing; and
- Without Written Authorization: Documented Institutional Review Board (IRB) or Privacy Board approval. (See your IRB.)

PHI Use (cont'd)
- Preparatory to Research: Representations from the researcher that the use or disclosure of the protected health information is solely to prepare a research protocol, that the researcher will not remove any protected health information from the covered entity, and representation that protected health information for which access is sought is necessary for the research purpose. This provision might be used, for example, to design a research study or to assess the feasibility of conducting a study.

PHI Use (cont'd)
- Research on PHI of Decedents: Representations from the researcher that the use or disclosure being sought is solely for research on the protected health information of decedents, that the PHI being sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is being sought.

PHI Use (cont'd)
- Limited Data Sets with a Data Use Agreement: A data use agreement entered into by both the covered entity and the researcher, pursuant to which the covered entity may disclose a limited data set to the researcher for research, public health, or health care operations. A limited data set excludes specified direct identifiers of the individual or of relatives, employers, or household members of the individual.

PHI Use (cont'd)
- Transition Provisions: Under the Privacy Rule, a covered entity may use and disclose protected health information that was created or received for research, either before or after the applicable compliance date, if the covered entity obtained any one of the following prior to April 14, 2003:
  - An authorization or other express legal permission from an individual to use or disclose protected health information for the research;
  - The informed consent of the individual to participate in the research;

PHI Use (cont'd)
  - A waiver of authorization approved by either an IRB or a privacy board (in accordance with 45 CFR 164.512(i)(1)(i)); or
  - A waiver of informed consent by an IRB in accordance with the Common Rule or an exception under FDA's human subject protection regulations at 21 CFR 50.24. (HHS.gov)

Caution
- Written Authorization: Make sure you use an approved subject authorization form. Consult with your Sponsored Project Office (SPA) or Institutional Review Board (IRB) on the protocols for receiving subject consent.
- Limited Data Set with Data Use Agreement: Regulatory requirements for Data Use Agreements are very specific. You need to work with SPA representatives to get the Data Use Agreement reviewed and approved before the data is received.

So How do You Stay Out of Trouble?
- Know and follow the data regulations: what you can and can't do
- Avoid using sensitive data
- Shift the liability to someone else
- Understand that YOUR behavior can be either your biggest protection or your biggest risk
- Be paranoid

Avoid Sensitive Data
- Ask yourself: can you accomplish your goal without using regulated data?
- De-identify regulated data to make it unregulated. Take the sensitive information out.

Identifiable Elements
1. Names
2. Geographic subdivisions smaller than state (3 digits of some zip codes are okay)
3. All elements of dates (except year) for dates directly related to an individual
4. Telephone numbers
5. Facsimile numbers
6. Electronic mail addresses
7. Social security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plates
13. Device identifiers and serial numbers
14. Web URLs
15. IP addresses
16. Biometric identifiers, including fingerprints and voiceprints
17. Full-face photographic images and any comparable images
18. Other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification
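To make the de-identification step concrete, here is an added example (not part of the original slides) that applies the Safe Harbor list above to a constructed patient record: direct identifiers are dropped, dates are reduced to the year, ZIP codes are truncated to three digits (or zeroed for the sparsely populated prefixes), and identifier patterns are scrubbed out of free-text notes. It goes slightly beyond the list by also aggregating ages of 90 and over, which Safe Harbor requires; the field names, the sample values and the restricted ZIP prefix set are assumptions (the prefix set follows HHS guidance and should be verified against current census data).

```python
import re

# Fields dropped outright (Safe Harbor categories 1, 4 to 13, 16, 17); names are assumed.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "biometric", "photo",
}
# Dates directly related to the individual (category 3): keep only the year.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}
# Three-digit ZIP prefixes with under 20,000 residents per HHS guidance (assumed current).
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}
# Identifier patterns that hide inside free text (categories 3, 4, 6, 7, 14, 15).
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[EMAIL]"),
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
]


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits unless the prefix is restricted, then use 000."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def year_only(iso_date: str) -> str:
    """Reduce an ISO date (YYYY-MM-DD) to its year."""
    return iso_date[:4]


def scrub_text(text: str) -> str:
    """Replace identifier patterns in free text with bracketed placeholders."""
    for pattern, placeholder in FREE_TEXT_PATTERNS:
        text = pattern.sub(placeholder, text)
    return text


def deidentify(record: dict) -> dict:
    """Return a Safe Harbor de-identified copy of one record."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key == "address":
            continue                              # street address is smaller than state
        if key in DATE_FIELDS:
            out[key] = year_only(value)
        elif key == "zip":
            out[key] = generalize_zip(value)
        elif key == "age" and int(value) >= 90:
            out[key] = "90+"                      # ages over 89 are aggregated
        elif isinstance(value, str):
            out[key] = scrub_text(value)          # catch identifiers typed into notes
        else:
            out[key] = value
    if out.get("age") == "90+":
        out.pop("dob", None)                      # a birth year would reveal the age
    return out


# Constructed sample record; every value is fictional.
SAMPLE = {
    "name": "Jane Q. Sample", "ssn": "123-45-6789", "mrn": "MRN-000123",
    "address": "1 Example St", "zip": "10302", "dob": "1930-06-15", "age": 93,
    "admission_date": "2016-12-01", "diagnosis": "hypertension",
    "notes": "Follow-up call 212-555-0100, email jane@example.org, seen 12/01/2016.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE))
```

Free-text scrubbing by regex is a floor, not a guarantee; a record that still carries a rare diagnosis plus a three-digit ZIP can remain re-identifiable, which is why the Privacy Rule treats item 18 as a catch-all.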

So How do You Stay Out of Trouble?
- Know and follow the data regulations: what you can and can't do
- Avoid using sensitive data
- Shift the liability to someone else
- Understand that YOUR behavior can be either your biggest protection or your biggest risk
- Be paranoid

The Business Associate
- The HIPAA Privacy Rule says that business associates (subcontractors, vendors, etc.) that create, use, or disclose PHI to perform or assist in the functions of a Covered Entity have to meet HIPAA requirements or be liable.
- The Business Associate Agreement for patient-related data (signed between a covered entity and a service provider) says that the service provider is operating to HIPAA standards and accepts liability in the event it discloses PHI illegally.
- Shift as much of the work related to the collection, analysis, and storage of ePHI to the business associate to decrease your own liability.
(HHS.gov)

So How do You Stay Out of Trouble?
- Know and follow the data regulations: what you can and can't do
- Avoid using sensitive data
- Shift the liability to someone else
- Understand that YOUR behavior is your biggest risk
- Be paranoid

Know Your Weak Spots
You have four main areas of vulnerability:
- YOU: Weak passwords or password sharing, falling for scams, going cheap or free, being lazy, etc.
- Hardware: Phones, laptops, desktops, servers, tablets, etc., and issues related to set-up and maintenance
- Software: Who are you trusting? Enterprise package, custom application, open source (or not) database, downloaded app?
- Environment: Physical security of your data? Where is your equipment?

Know the Threats
(Chart from the OCR website, 12/2016)

Protect Your Devices
- Password-protect all your devices with strong passwords; change them every 90 days and use password safe software
- Set your devices to auto-lock after a period of inactivity (15 minutes or less)
- Physically secure your devices and/or environment
- Protect your devices with anti-virus
- Enable firewalls
- Purchase apps only from reputable vendors; disable the settings option to download apps from unknown sources
- Run as a standard user, not administrator
- Avoid file sharing software
- Keep software up-to-date

Encrypt, Encrypt, Encrypt
- Encryption gives CUMC Safe Harbor, so it is REQUIRED for all laptops and portable devices; desktop machines must be encrypted if they hold sensitive data
- CUMC-approved encryption software includes BitLocker with PBA (Windows) and FileVault 2 (Mac)
- You can use BitLocker and FileVault to encrypt USB drives, external hard drives, SD cards, etc.
- Encryption keys should ALWAYS be stored in your O drive; that way the key is secure, but you can access it from anywhere, anytime

Keep a Clean House
- Don't keep data around that you don't need
- Wipe old data from computer hard drives you want to dispose of or repurpose
- Destroy old media before discarding it (CDs, DVDs, backup tapes, USB drives). The School has media shredders in the ARB and 600 buildings for this purpose
- Delete old e-mail; back up critical e-mail to the O drive
- Keep all the data you DO need on the P or O drives, not locally on your machine or portable devices
- Consider ALL your data, not just the data you've collected while at Mailman

Beware Phishers
- Never click on a link or open an attachment in an unsolicited e-mail; .pdf files are the most common culprits
- Never provide credentials over the phone, no matter who the caller says they are
- Do not EVER share your credentials with a colleague or friend

Make Use of Existing Secure Resources
The School provides free secure data storage:
- O drives hold personal work data (1 GB to start, more available on request)
- P drives hold project data accessible by one or many
CUMC IT provides Exchange e-mail accounts for all work-related e-mail, as well as a SharePoint server for secure project collaboration. If you need your own servers, outsource to a CUMC IT-certified secure server or host; if you must have your own, get them CUMC Certified via the System Certification Program: http://cumc.columbia.edu/it

Make Use of Existing Secure Resources (cont'd)
- Use secure texting apps: iMessage is encrypted by default, but Allo and Facebook Messenger are not. Signal is an open source encrypted texting app; WhatsApp is another.
- If you don't change passwords because you forget them, use a password manager, e.g., KeePass or 1Password
- Use HTTPS Everywhere
- Use a browser that guarantees private browsing, like Tor. Incognito mode does not hide your browsing from the browser vendor, employer or ISP
- Use DuckDuckGo for sensitive searches
(NYT, November 2016, "Protect Your Digital Life in 7 Easy Steps")

...and Avoid Insecure Ones
- Do not use third-party e-mail providers, such as Google, Hotmail, Yahoo, etc., for work
- Replace Dropbox with SpiderOak or another cloud service that has a BAA with CUMC for file sharing
- Do not use any data storage resources for sensitive data that are not certified compliant by CUMC IT Security (you may also need a BAA)

...and Use Only Secure Databases
MS Access is user-friendly and cheap, but it should never be used for sensitive data. (Microsoft itself does not recommend it for sensitive data.) It's a file-based database engine, which means your data is stored in a file that theoretically all users can access. Experts have demonstrated that a determined user can simply copy the database file onto portable media, take it off site, and with a little skill access the data. MySQL or SQL Server are more secure, because you actually have to access native files on the server to break in. Standard users don't have access to those files; it requires a much more sophisticated hack.

Use the Principle of Least Privilege in All Things
An individual, program or system process is not granted any more access privileges than are necessary to perform the task.

Budget for Data Security
If your project requires a server or custom software application, provide the appropriate resources to support it:
- Hardware: Use trained system administrators and computer technicians to support your equipment; insist on device hardening and patching/maintenance
- Environmental: House your equipment in compliant data centers
- Data Collection and Management: Hire data experts who know how to gather, store, analyze, and archive your sensitive data

Budget for Data Security (2)
- Software: Hire knowledgeable programmers who code to official NIST data security standards
You are ultimately going to pay anyway, either to build and maintain the system properly at the beginning, or to fix the system after it is assessed by CUMC IT Security and found wanting. It is MUCH cheaper and faster to build it correctly than to repair it!

Educate Yourself
Administrators/owners of applications and servers must take technical data security training, but you can take it, too. Visit the Data Security & Me section of the Mailman IT website for details. Attend CUMC's annual HIPAA/HITECH presentation; it is announced by e-mail. You can also watch the latest one online at the Mailman IT site.

Know and Abide by Our Policies
There are three policy tiers that govern our work for the School:
- The University Administrative Policy Library, section Computing & Technology
- CUMC's IT Policies, Procedures and Guidelines
- Mailman School's Key Guidelines & Policies
Links to all can be found in Policy Central on the Mailman IT website.

Who Can Help?
- CUMC Help Desk (5-Help)
- CUMC IT Security (5-Help)
- CUMC Privacy: http://www.cumc.columbia.edu/hipaa
- IRB: http://www.cumc.columbia.edu/dept/irb
- SPA: http://spa.columbia.edu
- es2222@cumc.columbia.edu