Compliance A primer. Surveys indicate that 80% of the spend on IT security technology is driven by the need to comply with regulatory legislation.

Similar documents
Putting It All Together:

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Data Compromise Notice Procedure Summary and Guide

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Information Technology Standards

HIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

Security and Privacy Breach Notification

HIPAA FOR BROKERS. revised 10/17

HIPAA Federal Security Rule H I P A A

HIPAA Privacy & Security Training. HIPAA The Health Insurance Portability and Accountability Act of 1996

Sample BYOD Policy. Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited.

Employee Security Awareness Training Program

Lesson Three: False Claims Act and Health Insurance Portability and Accountability Act (HIPAA)

Mobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services

Policy. Sensitive Information. Credit Card, Social Security, Employee, and Customer Data Version 3.4

Red Flags Program. Purpose

HIPAA. Developed by The University of Texas at Dallas Callier Center for Communication Disorders

Red Flag Policy and Identity Theft Prevention Program

Cybersecurity in Higher Ed

Subject: University Information Technology Resource Security Policy: OUTDATED

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

HIPAA Compliance Checklist

HIPAA and HIPAA Compliance with PHI/PII in Research

Table of Contents. PCI Information Security Policy

HIPAA Security and Privacy Policies & Procedures

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

01.0 Policy Responsibilities and Oversight

Data Backup and Contingency Planning Procedure

University of North Texas System Administration Identity Theft Prevention Program

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

The Honest Advantage

Document Title: Electronic Data Protection and Encryption Policy. Revision Date Authors Description of Changes

Policy. Policy Information. Purpose. Scope. Background

What is HIPPA/PCI? Understanding HIPAA. Understanding PCI DSS

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

UTAH VALLEY UNIVERSITY Policies and Procedures

Remote Access to a Healthcare Facility and the IT professional s obligations under HIPAA and the HITECH Act

HIPAA Privacy and Security Training Program

FLORIDA S PREHOSPITAL EMERGENCY MEDICAL SERVICES TRACKING & REPORTING SYSTEM

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

Department of Public Health O F S A N F R A N C I S C O

Sample Security Risk Analysis ASP Meaningful Use Core Set Measure 15

University of Wisconsin-Madison Policy and Procedure

Overview of Presentation

Why you MUST protect your customer data

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

North Carolina Health Information Exchange Authority. User Access Policy for NC HealthConnex

Internet, , Social Networking, Mobile Device, and Electronic Communication Policy

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Federal Breach Notification Decision Tree and Tools

Guide: HIPPA Compliance. Corporate HIPAA Compliance Guide. Privacy, productivity and remote access. gotomypc.com

University Policies and Procedures ELECTRONIC MAIL POLICY

UCOP ITS Systemwide CISO Office Systemwide IT Policy

ISSP Network Security Plan

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

Privacy Breach Policy

Protecting Your Gear, Your Work & Cal Poly

Virginia Commonwealth University School of Medicine Information Security Standard

HMIS (HOMELESS MANAGEMENT INFORMATION SYSTEM) SECURITY AWARENESS TRAINING. Created By:

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

Implementing an Audit Program for HIPAA Compliance

IDENTITY THEFT PREVENTION Policy Statement

Document No.: VCSATSP Restricted Data Protection Policy Revision: 4.0. VCSATS Policy Number: VCSATSP Restricted Data Protection Policy

Red Flags/Identity Theft Prevention Policy: Purpose

HIPAA-HITECH: Privacy & Security Updates for 2015

Beam Technologies Inc. Privacy Policy

Payment Card Industry (PCI) Qualified Integrator and Reseller (QIR)

Information Privacy and Security Training 2016 for Instructors and Students. Authored by: Office of HIPAA Administration

EXHIBIT A. - HIPAA Security Assessment Template -

HIPAA Regulatory Compliance

Department of Public Health O F S A N F R A N C I S C O

Virginia Commonwealth University School of Medicine Information Security Standard

Mobile Device policy Frequently Asked Questions April 2016

Data Protection Policy

University of Sunderland Business Assurance PCI Security Policy

HIPAA Security Manual

David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Acceptable Use Policy

Let s get started with the module Ensuring the Security of your Clients Data.

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

GM Information Security Controls

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

Payment Card Industry - Data Security Standard (PCI-DSS) v3.2 Systems Security Standard

Identity Theft Prevention Policy

STOCKTON UNIVERSITY PROCEDURE DEFINITIONS

Enterprise Income Verification (EIV) System User Access Authorization Form

Information Classification & Protection Policy

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

DETAILED POLICY STATEMENT

Housecall Privacy Statement Statement Date: 01/01/2007. Most recent update 09/18/2009

[Utility Name] Identity Theft Prevention Program

Access to University Data Policy

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

WASHINGTON UNIVERSITY HIPAA Privacy Policy # 7. Appropriate Methods of Communicating Protected Health Information

Transcription:

Compliance A primer Surveys indicate that 80% of the spend on IT security technology is driven by the need to comply with regulatory legislation. The growth in the sharing of sensitive data combined with the increased use of computing technology has fuelled concerns over the security, integrity and ownership of sensitive data. These concerns have led to the rise of many regulatory bodies around the world. Some bodies regulate specific industry sectors (HIPAA), some regulate specific processes (SOX) and some regulate the general use of data regardless of its specific use (Data Protection Act, Information Commissioner s Office). Regardless of the specific focus of the regulatory bodies they all share similar remits. To recommend the use of best practices for the handling of sensitive data To safeguard the privacy of sensitive data, in whatever format it exists in To protect the interests of the data owner, be they corporate or personal To penalise organizations that fail to comply with regulations Regulatory bodies do not focus solely on data handling in an IT specific world; in fact the only constant in all of the regulations is the data itself. Data can take many formats, electronic, hard copy, verbal, and most compliance standards relate to data in all of these formats. We should not just think of data in just its IT or electronic format. When explaining how Celestix helps organizations to comply with regulatory compliance we must be very clear on exactly what we do to help the organization. We must not talk in too general terms for the risk of sounding inexperienced or unfamiliar with the core content. We must also be cautious not to oversell our capability in supporting organizations in the drive to comply. There are many regulatory bodies and it is not practical to reference all of them in this document. Instead we will focus on the three most common and widely understood regulatory codes of conduct. It should be assumed that all regulatory bodies will issue guidelines that are similar in nature to those outlined in this document.

PCI DSS - Payment Card Industry (PCI) Data Security Standard The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data. PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks. The PCI Security Standards Council (PCI SSC) website (www.pcisecuritystandards.org) contains a number of additional resources Below is a high-level overview of the 12 PCI DSS requirements. The PCI DSS security requirements apply to all system components. In the context of PCI DSS, system components are defined as any network component, server, or application that is included in or connected to the cardholder data environment. System components also include any virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors. The cardholder data environment is comprised of people, processes and technology that store, process or transmit cardholder data or sensitive authentication data. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include, but are

not limited to the following: web, application, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (for example, Internet) applications. Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need to know To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities. Requirement 8: Assign a unique ID to each person with computer access Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for his or her actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. 8.1 Assign all users a unique ID before allowing them to access system components or cardholder data. 8.2 In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users: Something you know, such as a password or passphrase Something you have, such as a token device or smart card Something you are, such as a biometric 8.3 Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. (For example, remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; or other technologies that facilitate two-factor authentication.) Note: Two-factor authentication requires that two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered two-factor authentication. 8.4 Render all passwords unreadable during transmission and storage on all system components using strong cryptography. 8.5 Ensure proper user identification and authentication management for non-consumer users and administrators on all system components

8.5.1 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects. 8.5.2 Verify user identity before performing password resets. 8.5.3 Set passwords for first-time use and resets to a unique value for each user and change immediately after the first use. 8.5.4 Immediately revoke access for any terminated users. 8.5.5 Remove/disable inactive user accounts at least every 90 days. 8.5.6 Enable accounts used by vendors for remote access only during the time period needed. Monitor vendor remote access accounts when in use. 8.5.7 Communicate authentication procedures and policies to all users who have access to cardholder data. 8.5.8 Do not use group, shared, or generic accounts and passwords, or other authentication methods. 8.5.9 Change user passwords at least every 90 days. 8.5.10 Require a minimum password length of at least seven characters. 8.5.11 Use passwords containing both numeric and alphabetic characters. 8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used. 8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts. 8.5.14 Set the lockout duration to a minimum of 30 minutes or until administrator enables the user ID. 8.5.15 If a session has been idle for more than 15 minutes, require the user to reauthenticate to re-activate the terminal or session. 8.5.16 Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.

Restrict user direct access or queries to databases to database administrators. 10.2.4 Verify invalid logical access attempts are logged. 10.2.5 Verify use of identification and authentication mechanisms is logged. 12.3.2 Verify that the usage policies require that all technology use be authenticated with user ID and password or other authentication item (for example, token). 12.3.3 Verify that the usage policies require a list of all devices and personnel authorized to use the devices. HIPAA - The Health Insurance Portability and Accountability Act The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that specifies administrative simplification provisions that: Protect the privacy of patient information Provide for electronic and physical security of patient health information Require minimum necessary use and disclosure Specify patient rights to approve the access and use of their medical information Apply to individuals as well as institutions Unauthorized access includes the inappropriate review or viewing of patient medical information without a direct need for diagnosis, treatment or other lawful use Licensed facilities, like UCSF Medical Center, are required to report incidents of unauthorized access, use, or disclosure of PHI to the California Department of Public Health, and to the affected patient within 5 business days after breach detection When you suspect or know of a breach you must report it to the Privacy Office immediately Medical Center employees must also submit an Incident Report In addition to HIPAA, there are other federal laws which govern the release of information, mandate that information be protected, and in some cases require that individuals be granted certain rights relative to control of and access of their information. The Medicare Conditions of Participation require that hospitals promote each patient s rights, including privacy (42 CFR Section 482.13). The Federal Trade Commission (FTC) charged with protecting consumers requires banking and other industries to implement red flag standards (12 CFR Part 681) to detect and prevent identity theft related to customer and service accounts. These red flag rules extend to Health Care Institutions.

The Family Education Rights and Privacy Act (FERPA) governs the protection of education records which include student health records (20 USC 1232g). HIPAA specifically exempts individually identifiable health information in education records. As FERPA records are exempt from HIPAA, all releases from education records must be in accordance with FERPA regulations. Federal Department of Health and Human Services (HHS) as well as multiple federal agencies require the protection of the privacy and confidentiality of participants in research clinical trials. Confidentiality of Medical Information Act (CMIA) (Civil Code Section 56 et seq.) requires that: Confidentiality of Medical Information be protected and establishes protections against disclosures of Individually Identifiable Medical Information Institutions notify California residents of breaches of electronic social security number, access codes to financial accounts, medical, and insurance information Healthcare institutions implement safeguards to protect the privacy and confidentiality of Medical Information Civil Code Sections 1785.11.2, 1798.29, 1798.82 and Health & Safety Code Section 130200 Health & Safety Code Section 1280.15 mandates that licensed clinics and health facilities report to both the Department of Public Health and the affected patient(s) any unlawful or unauthorized access to, or use or disclosure of, a patient s Medical Information no later than 5 calendar days after the breach is detected. Lanterman-Petris-Short (LPS) (Welfare and Institutions Code Section 5328 et seq.) provides special confidentiality protections for medical records containing mental health or development disabilities information. Title 22, California Code of Regulations, Section 70707(b)(8), requires acute care hospitals to protect patient rights to the confidential treatment of all information related to their care and stay at the hospital. HIPAA Criminal Penalties $50,000 - $1,500,000 fines Imprisonment up to 10 years HIPAA Civil Penalties $100 - $25,000 / year fines More fines if multiple year violations State Laws Fines and penalties apply to individuals as well as health care providers, up to a maximum of $250,000; may impact your professional license

Imprisonment up to 10 years UCSF corrective and disciplinary actions Up to and including loss of privileges and termination of employment Who Uses PHI? Anyone who works with or may view health, financial, or confidential information with HIPAA protected health identifiers Everyone who uses a computer or electronic device which stores and/or transmits information The following workforce members: All Medical Center staff Faculty Group Practice staff Schools of Medicine, Nursing, Dentistry: staff and faculty Campus staff who work in clinical areas Administrative staff with access to PHI Volunteers Students who work with patients Researchers and staff investigators Accounting and payroll staff Almost EVERYONE, at one time or another Examples of Privacy Breaches Talking in public areas, talking too loudly, talking to the wrong person Lost/stolen or improperly disposed of paper, mail, films, notebooks Lost/stolen laptops, PDAs, cell phones, media devices (video and audio recordings) Lost/stolen zip disks, CDs, flash drives, memory drives Hacking of unprotected computer systems Email or faxes sent to the wrong address, wrong person, or wrong number User not logging off of computer systems, allowing others to access their computer or system Computer Security Create a strong password and do not share your username or password with anyone Log off your computer terminal when you are done, or even if you walk away for a few moments A physician is very busy and asks you to log into the clinical information system using his user ID and password to retrieve some patient reports. What should you do?

1998 Data Protection Act The data protection act is enforced in the UK by the Information Commissioner s Office (ICO) which can levy penalties of up to $800,000 per data breach on any organization, regardless of vertical sector. Instances of breach are regularly publicised by the ICO and are widely referenceable online and in the press. The DPA concentrates on data breach pertaining to personal data PHI, account records, educational records etc. What needs to be protected by information security arrangements? 10. It is important to understand that the requirements of the Data Protection Act go beyond the way information is stored or transmitted. The seventh data protection principle relates to the security of every aspect of your processing of personal data. 11. So the security measures you put in place should seek to ensure that: only authorised people can access, alter, disclose or destroy personal data; those people only act within the scope of their authority; and if personal data is accidentally lost, altered or destroyed, it can be recovered to prevent any damage or distress to the individuals concerned.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback