Information Technology Update


HIPAA Security Rule: Faculty and Staff Training
University of South Carolina, USC Specialty Clinics

HIPAA Security Rule: Agenda
- What is the HIPAA Security Rule: authority, definition, scope
- Requirements: administrative, physical, technical
- Individual responsibilities: education, security consciousness, reporting, sanctions

Information Technology Security
NIST SP 800-70 (Security Configuration Checklists Program for IT Products) defines the High Security environment as follows: a High Security environment is at high risk of attack or data exposure, and therefore security takes precedence over usability. This environment encompasses computers that are usually limited in their functionality to specific specialized purposes. They may contain highly confidential information (e.g. personnel records, medical records, financial information) or perform vital organizational functions (e.g. accounting, payroll processing, web servers, and firewalls).

HIPAA: Health Insurance Portability and Accountability Act of 1996
Title II
  - Preventing Health Care Fraud and Abuse
  - Administrative Simplification
      - Electronic Data Interchange
      - Security
          - Administrative Safeguards
          - Physical Safeguards
          - Technical Safeguards
      - Privacy
  - Medical Liability Reform

What is the Security Rule?
- Federal regulation issued under HIPAA to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).
- Compliance deadline: April 20, 2005 (April 20, 2006 for small health plans).
- Comprised of three main categories of standards: administrative, physical, and technical safeguards for ePHI.
- Applies to the security and integrity of protected health information that is electronically created, stored, transmitted, received, or manipulated.

Bottom Line: What is the Security Rule?
We must ensure that systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability. We must protect information commensurate with the level of risk and magnitude of harm that would result from its loss, misuse, unauthorized access, or modification.

Definitions
Confidentiality: the property that data or information is not made available or disclosed to unauthorized persons or processes. We must protect against unauthorized:
- Access
- Uses
- Disclosures

Definitions
Integrity: the property that data or information has not been altered or destroyed in an unauthorized manner.
- Must protect against improper destruction or alteration of data
- Must provide appropriate backup in the event of a threat, hazard, or natural disaster

Definitions
Availability: the property that data or information is accessible and usable upon demand by an authorized person.
- Must provide for ready availability to authorized personnel
- Must guard against threats and hazards that may deny access to data or render the data unavailable when needed
- Must provide appropriate backup in the event of a threat, hazard, or natural disaster
- Must provide appropriate disaster recovery and business continuity plans for departmental operations involving ePHI

What Constitutes PHI: the Eighteen Identifiers
Health information becomes protected health information (PHI) when it is linked to an individual through any of the following identifiers (the Privacy Rule's Safe Harbor list):
1. Names
2. Geographic subdivisions smaller than a state: street address, city, county, precinct, ZIP code beyond its first three digits, or other geographic codes
3. All elements of dates (other than year) directly related to the patient (birth, admission, discharge, death), and all ages over 89 (the 90-and-over population is small enough to be identifying, so such ages may only be reported as "90 or older")
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate or license numbers
12. Vehicle identifiers and serial numbers, including license plates
13. Device identifiers and serial numbers
14. Web URLs
15. Internet Protocol (IP) addresses
16. Biometric identifiers, including finger and voice prints
17. Full-face photographs and comparable images
18. Any other unique identifying number, characteristic, or code (whether generally available in the public realm or not)

Definitions, continued
ePHI: PHI in electronic form, i.e. health information containing any of the 18 identifiers that is created, received, stored, or transmitted electronically. This may include, but is not limited to:
- Data stored on the network, internet, or intranet
- Data stored on a personal computer, tablet, or smartphone
- Data stored on USB keys, memory cards, external hard drives, CDs, DVDs, digital cameras/camcorders, etc.
- Data stored on your HOME computer
- Data utilized for research
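A practical way to apply the identifier list is to scan text for the categories that can be recognised by shape before a file, export or research extract is treated as de-identified. The script below is an added example written for this page, not part of the USC training deck or any HHS tool; the regular expressions, the fictitious clinical note and the de-identified version of it are this example's own constructions. It deliberately handles the two edge cases in the list: a ZIP code is only an identifier beyond its first three digits, and an age is only an identifier above 89 unless it has been bucketed to "90 or older".

```python
"""Scan text for HIPAA Safe Harbor identifiers (added example, not from the deck)."""
import re
from collections import defaultdict

# Shape-based patterns for the identifier categories listed above. Names,
# account numbers and most record numbers have no fixed format, so only a
# labelled MRN is recognised; a production scanner would add dictionaries and
# field context. All patterns are this example's own choices, not an HHS spec.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"\b(?:\+?1[-. ])?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "zip_full": re.compile(r"\b\d{5}(?:-\d{4})?\b"),      # more than 3 ZIP digits
    "mrn": re.compile(r"\bMRN[:#]?\s*([A-Z0-9-]{4,})\b", re.IGNORECASE),
}
# Ages need a value check: only ages over 89 are identifiers, and the
# aggregated bucket "90 or older" / "90+" is the permitted de-identified form.
AGE_RE = re.compile(r"\bage[d]?\s*:?\s*(\d{2,3})(\s*\+|\s+or\s+older)?", re.IGNORECASE)


def _age_is_identifier(m) -> bool:
    age, bucketed = int(m.group(1)), m.group(2) is not None
    return age > 89 and not (age == 90 and bucketed)


def find_identifiers(text: str) -> dict:
    """Return {category: [matched values]} for every identifier found in text."""
    found = defaultdict(list)
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = (m.group(1) if m.groups() else m.group(0)).rstrip(".,;)")
            found[category].append(value)
    for m in AGE_RE.finditer(text):
        if _age_is_identifier(m):
            found["age_over_89"].append(m.group(1))
    return dict(found)


def is_safe_harbor_clean(text: str) -> bool:
    """True when no recognised identifier remains (necessary, not sufficient)."""
    return not find_identifiers(text)


# Constructed, fictitious clinical note; no real patient data.
SAMPLE_NOTE = (
    "Patient MRN: 4471023, aged 92, DOB 03/12/1931, lives at 29208 (Columbia, SC). "
    "Contact 803-555-0199 or jdoe@example.org; SSN 123-45-6789. "
    "Portal login from 10.20.30.40, see https://portal.example.org/visit/8812."
)

# The same note after a Safe Harbor pass: year only, three ZIP digits,
# age bucketed to 90 or older, every direct identifier removed.
DEIDENTIFIED_NOTE = (
    "Patient, age 90 or older, born 1931, lives in ZIP 292xx (South Carolina). "
    "Contact details and portal access data removed."
)

if __name__ == "__main__":
    for category, values in sorted(find_identifiers(SAMPLE_NOTE).items()):
        print(f"{category:14s} {values}")
    print("de-identified note clean:", is_safe_harbor_clean(DEIDENTIFIED_NOTE))
```

A clean result from this scanner only means none of the pattern-detectable identifiers survived; names, free-text dates such as "last Tuesday", and re-identifying codes still need human or dictionary-based review, which is why the function is named as a necessary rather than sufficient check.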

Administrative Safeguards
Administrative safeguards: administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the covered entity's workforce in relation to the protection of that information.
Bottom Line: University Specialty Clinics has adopted policies and procedures to control access to ePHI. Each employee, faculty member, resident, student, and volunteer must be familiar with these policies and procedures at the institution and departmental levels.

Administrative: Access
- Access to ePHI is granted only to authorized individuals with a need to know.
- SOM computer equipment should only be used for authorized purposes in the pursuit of accomplishing your specific duties.
- Installation of software without prior approval is prohibited.
- Disclosure of ePHI via electronic means is strictly forbidden without appropriate authorization.
- Do not use computer equipment to engage in any activity that violates SOM/USC policies and procedures or is illegal under local, state, federal, or international law.

Administrative: Access
- USCSOM will monitor logon attempts to the network.
- Access to the SOM network will be monitored.
- Inappropriate logon attempts should be reported to the respective departmental-level security designee.
- All USCSOM computer systems are subject to audit.
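What "monitoring logon attempts" looks like in practice is a detection pass over authentication logs that separates normal typos from the patterns worth reporting: many failures against one account (brute force), one source trying many accounts (password spraying), and a success that follows a burst of failures for the same account and source. The script below is an added example written for this page, not USCSOM's monitoring or any product's rules; it assumes sshd-style syslog lines, and the log excerpt (using RFC 5737 documentation addresses) is constructed for the example. The thresholds are illustrative and would be tuned to a real environment.

```python
"""Flag suspicious logon activity in sshd-style auth log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# syslog-style sshd lines carry no year in the timestamp; the year is supplied.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse(line, year=2024):
    """Return a dict for password-auth lines, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "src": m["src"]}


def detect(lines, window=timedelta(minutes=5), fail_threshold=5,
           spray_users=3, success_after=3):
    """Return alert strings for brute force, password spraying, and a
    success that follows repeated failures for the same account and source."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    recent_fails = defaultdict(list)   # src -> [(ts, user)] inside the window
    flagged = set()
    alerts = []
    for e in events:
        src, now = e["src"], e["ts"]
        # Drop failures that have aged out of the sliding window.
        recent_fails[src] = [(t, u) for t, u in recent_fails[src] if now - t <= window]
        if not e["ok"]:
            recent_fails[src].append((now, e["user"]))
            if len(recent_fails[src]) >= fail_threshold and src not in flagged:
                flagged.add(src)   # one alert per source per burst
                users = sorted({u for _, u in recent_fails[src]})
                kind = "password spray" if len(users) >= spray_users else "brute force"
                alerts.append(f"{kind} from {src}: {len(recent_fails[src])} failures for {users}")
        else:
            prior = sum(1 for _, u in recent_fails[src] if u == e["user"])
            if prior >= success_after:
                alerts.append(f"success after {prior} failures: {e['user']} from {src}")
    return alerts


# Constructed sample log (RFC 5737 documentation addresses), not a real capture.
SAMPLE_LOG = """\
Jan 10 03:14:01 som-gw sshd[2231]: Failed password for jdoe from 203.0.113.5 port 51234 ssh2
Jan 10 03:14:05 som-gw sshd[2231]: Failed password for jdoe from 203.0.113.5 port 51235 ssh2
Jan 10 03:14:09 som-gw sshd[2233]: Failed password for jdoe from 203.0.113.5 port 51236 ssh2
Jan 10 03:14:13 som-gw sshd[2233]: Failed password for jdoe from 203.0.113.5 port 51237 ssh2
Jan 10 03:14:17 som-gw sshd[2235]: Failed password for jdoe from 203.0.113.5 port 51238 ssh2
Jan 10 03:14:21 som-gw sshd[2235]: Failed password for jdoe from 203.0.113.5 port 51239 ssh2
Jan 10 03:14:30 som-gw sshd[2237]: Accepted password for jdoe from 203.0.113.5 port 51240 ssh2
Jan 10 03:20:00 som-gw sshd[2301]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Jan 10 03:20:10 som-gw sshd[2302]: Failed password for root from 198.51.100.7 port 40002 ssh2
Jan 10 03:20:20 som-gw sshd[2303]: Failed password for invalid user test from 198.51.100.7 port 40003 ssh2
Jan 10 03:20:30 som-gw sshd[2304]: Failed password for invalid user oracle from 198.51.100.7 port 40004 ssh2
Jan 10 03:20:40 som-gw sshd[2305]: Failed password for invalid user guest from 198.51.100.7 port 40005 ssh2
Jan 10 03:25:00 som-gw sshd[2400]: Failed password for asmith from 10.10.4.21 port 50100 ssh2
Jan 10 03:25:08 som-gw sshd[2400]: Accepted password for asmith from 10.10.4.21 port 50100 ssh2
Jan 10 03:26:00 som-gw sshd[2400]: Connection closed by 10.10.4.21 port 50100
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single failed attempt by asmith followed by a success produces no alert, which is the behaviour wanted for ordinary typos; the success for jdoe after six failures from the same address is the event that should go to the departmental security designee, since it may mean the account has been guessed.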

Administrative: Access
- All computers should be manually locked, logged off, or shut down when left unattended, even for a short period of time.
- All laptop computers must employ whole-drive encryption.
- Desktop computers located in vulnerable locations must be whole-drive encrypted and physically secured as appropriate.

Administrative: Access
- You must access University Specialty Clinics information using YOUR username and password. NO PASSWORD SHARING.
- You are personally responsible for any access to information made with your password.
- You are subject to disciplinary action if information is accessed inappropriately using your user credentials (user ID and password).

Administrative: Passwords
Your user ID and password are critical to ePHI security. Maintain your password in a secure and confidential manner:
- DO NOT keep an unsecured paper record of your passwords.
- DO NOT post your password in open view, e.g. on your monitor.
- DO NOT share your password with anyone.
- DO NOT use the same passwords for USCSOM and your personal accounts.
- DO NOT include passwords in automated logon processes.
- DO NOT use weak passwords.

Administrative: Passwords
- Passwords must be changed every 90 days.
- Passwords should be changed whenever there is a question of compromise.
- Strong passwords must be utilized:
  - A minimum of 8 characters in length
  - Should contain a component from each of the 4 following categories: upper case, lower case, numerals, keyboard symbols

Administrative: Passwords
Strong password examples:
- "I like to play with computers 2!" Using the first letter of each word (and keeping the trailing "2!") yields Iltpwc2!
- "I wish these silly passwords would go away!" Using the first letter of each word, capitalizing the P and inserting a $ symbol yields I$wtsPwga!
- Use a passphrase instead of a password.
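The following is an added example (not code from the USC deck) that turns the password rules above into a check a help desk or provisioning script could run: minimum length, the four character categories, a denylist of common passwords, and a user-ID check, plus the passphrase-to-password method the slide demonstrates. The denylist is a small constructed stand-in for a real breached-password list. Running it against the slide's own examples is instructive: Iltpwc2! passes, but I$wtsPwga! contains no numeral and so does not satisfy the four-category rule as written.

```python
"""Check passwords against the policy stated above (added example)."""
import string

MIN_LENGTH = 8
CATEGORIES = {
    "upper case": set(string.ascii_uppercase),
    "lower case": set(string.ascii_lowercase),
    "numerals": set(string.digits),
    "keyboard symbols": set(string.punctuation),
}
# Stand-in for a breached/common password list; a real deployment would load
# a large list. Constructed for this example.
COMMON_PASSWORDS = {"password1!", "welcome1!", "summer2024!", "p@ssw0rd"}


def policy_violations(password, username=None):
    """Return a list of reasons the password fails the policy (empty = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, chars in CATEGORIES.items()
               if not any(c in chars for c in password)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the user id")
    return problems


def meets_policy(password, username=None):
    return not policy_violations(password, username)


def mnemonic_password(phrase):
    """The slide's method: first character of every word, keeping any
    trailing punctuation of the last word (so 'computers 2!' -> 'c2!')."""
    words = phrase.split()
    core = "".join(w[0] for w in words)
    trailing = "".join(c for c in words[-1][1:] if not c.isalnum())
    return core + trailing


if __name__ == "__main__":
    for phrase in ("I like to play with computers 2!",
                   "I wish these silly passwords would go away!"):
        pw = mnemonic_password(phrase)
        print(f"{phrase!r} -> {pw!r}: {policy_violations(pw) or 'OK'}")
    print("I$wtsPwga!", policy_violations("I$wtsPwga!") or "OK")
```

The mnemonic method only produces something stronger than a dictionary word when the source phrase is private; a line from a well-known song or slogan yields a mnemonic that password-cracking wordlists already contain, which is the reason the slide's last bullet prefers a full passphrase.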

Administrative: Access Termination and/or Transfer Procedures
- Administrative directors are responsible for informing the appropriate IT administrator of changes in an employee's employment status.
- Upon termination of employment, all USCSOM network and PC access is terminated.
- All ePHI and computer equipment (laptops, tablets, etc.) should be retrieved.
- The use of a prior employee's user IDs and passwords is strictly forbidden.
- Generic (shared) user IDs are strictly forbidden.

Administrative: Remote Access
- All ePHI stored or accessed remotely must be maintained under the same security guidelines as data accessed within the USCSOM network proper. This applies to home equipment and Internet-based storage of data.
- All ePHI should be kept in such a fashion as to be inaccessible to family members or other unauthorized individuals.
- Stored data should be appropriately encrypted.

Administrative: Malicious Software
Pirated software, viruses, worms, Trojans, spyware, and file-sharing software (e.g. Kazaa).
- All software installed on USCSOM equipment must be approved by the department chairperson, administrative director, or their designee (typically the department-level security officer).
- Installation of software on USCSOM computers must comply with USC software policy and applicable licensing agreements.
- Installation of personal software or software downloaded from the Internet is prohibited unless specifically approved by OIT.

Administrative: Malicious Software
- Approved anti-virus software must be installed and kept current on all USC computer systems and on home equipment used to access the USCSOM network.
- Never disable anti-virus software.
- Suspicious software should be brought to the attention of IT technical support personnel immediately.

Administrative: Malicious Software
Emails with attachments should not be opened if:
- The sender is unknown to you
- You were not expecting the attachment
- The attachment is suspicious in any way
Do not open non-business-related email attachments or suspicious web URLs. Do not open file attachments or URLs sent via instant messaging.

Administrative: Backup and Recovery
- A system must be in place to ensure recovery from any damage to computer equipment or data within a reasonable time period based on the criticality of the function.
- Each department must determine and document data criticality, sensitivity, and vulnerabilities.
- Each department must devise and document a backup, disaster recovery, and business continuity plan.
- Backup data must be stored in an off-site location.
- Backup data must be maintained with the same level of security as the original data.

Administrative: Incident Reporting
- All known and suspected security violations must be reported.
- Security incidents should be reported to the departmental Administrative Director or their designee.
- SOM IT personnel should be contacted immediately to initiate the appropriate investigative processes and to mitigate any data loss.
- Security incidents must be fully documented, including time/date, personnel involved, cause, mitigation, and preventive measures.

Information Technology Security: Administrative Assessments
- Site surveys will be required on an annual basis to reassess compliance, risks, and vulnerabilities, and whenever a new type of threat emerges.
- Backup, disaster recovery, and business continuity procedures must be reviewed and tested to determine their adequacy.
- Any changes or additions to departmental electronic assets (hardware, software, servers, or endpoint devices) must be made in conjunction with SOM IT personnel and after performance of a proper risk assessment.

Physical Safeguards
Physical safeguards: the security measures to protect a covered entity's electronic health information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
Bottom Line: Electronic assets must be protected from physical damage and theft.

Physical: Media and Devices
- All electronic devices containing ePHI should be secured behind locked doors or otherwise physically secured.
- All applicable SOM electronic media containing ePHI should be marked as confidential and properly encrypted.

Physical: Media and Devices
- Special security consideration should be given to portable devices (laptops, smartphones, digital cameras, digital camcorders, external hard drives, CDs, DVDs, USB flash drives, and memory cards) to protect against damage and theft.
- At no time should PHI be stored on any mobile device unless the data is properly encrypted.

Physical: Media and Devices
Protected health information must never be stored on mobile computing devices or storage media unless the following minimum requirements are met:
- Power-on or boot passwords are utilized.
- Auto logoff or password-protected screen savers are enabled.
- Stored data is encrypted with encryption software approved by the IT Security Officer or designee, e.g. BitLocker, AxCrypt, FileVault.

Information Technology Security: Physical Facilities and HIPAA
45 CFR 164.310 Physical safeguards. A covered entity must, in accordance with 164.306:
- Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
- Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

Information Technology Security: Physical Facilities and HIPAA (continued)
45 CFR 164.310 Physical safeguards, continued. A covered entity must, in accordance with 164.306:
- Access control and validation procedures (Addressable). Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
- Maintenance records (Addressable). Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).

Physical: File Servers
File servers and other mass storage devices must be installed in access-controlled areas to prevent damage, theft, and access by unauthorized personnel. These areas must provide appropriate levels of protection against fire, water, and other environmental hazards such as extreme temperatures and power outages/surges.

Physical: Workstations
- Workstations must be positioned so as to avoid viewing by unauthorized personnel. Use privacy screens where applicable.
- Use automatic password-protected screen savers.
- Lock, log off, or shut down workstations when not attended.
- Workstation access should be controlled based on job requirements.

Physical: Network
Additions to or alterations of the USCSOM network are strictly prohibited. This includes:
- Physical connections via wired or fiber-optic means
- Wireless connections
- Configuration changes
- Addition of routers, switches, or hubs (including wireless routers)
All wireless network communications require proper security protocols and encryption technology managed by the USCSOM Office of Information Technology.

Physical: Information Disposal
- Disposal of electronic data must be done in such a fashion as to ensure continued protection of ePHI.
- Magnetic media must be erased with a degaussing device or with approved software designed to overwrite each sector of the disk. This must be done prior to disposal or reuse.
- CDs and DVDs must be broken, shredded, or otherwise defaced prior to being discarded.
- All media containing ePHI must be disposed of in compliance with the SOM Electronic Data Disposal Policy.
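For the "overwrite each sector" requirement, the essential parts are writing over every byte, forcing the data to disk, and reading it back before trusting the result. The script below is an added example written for this page, not the SOM's approved disposal software; it sanitises a single file rather than a whole device (a whole disk is the same loop run as root against the block device), and the marker content in the demo is constructed. The caveat a practitioner needs: overwriting is only meaningful for magnetic media. Flash and SSD controllers remap blocks, so the original sectors may survive an overwrite; for those, NIST SP 800-88 points to cryptographic erase or the drive's secure-erase command instead. The `media_is_rotational` helper is a best-effort Linux check that returns None when the answer cannot be determined.

```python
"""Overwrite-then-delete for a file holding ePHI on magnetic media (added example)."""
import hashlib
import os
import secrets
import sys
import tempfile

CHUNK = 1 << 20  # write/read in 1 MiB blocks


def media_is_rotational(path):
    """Best effort, Linux only: True for a spinning disk, False for flash/SSD,
    None when it cannot be determined (other OS, tmpfs, device-mapper, ...).
    Reads the kernel's queue/rotational flag for the device holding `path`."""
    if not sys.platform.startswith("linux"):
        return None
    st = os.stat(path)
    base = f"/sys/dev/block/{os.major(st.st_dev)}:{os.minor(st.st_dev)}"
    for flag in (f"{base}/queue/rotational", f"{base}/../queue/rotational"):
        try:
            with open(flag) as fh:
                return fh.read().strip() == "1"
        except OSError:
            continue
    return None


def overwrite_file(path, passes=1):
    """Overwrite every byte of `path` with random data `passes` times, fsync,
    verify the last pass reads back, then unlink. Returns total bytes written."""
    passes = max(1, passes)
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for _ in range(passes):
            fill = hashlib.sha256()
            f.seek(0)
            remaining = size
            while remaining:
                block = secrets.token_bytes(min(CHUNK, remaining))
                fill.update(block)
                f.write(block)
                remaining -= len(block)
                written += len(block)
            f.flush()
            os.fsync(f.fileno())   # make the OS push the pass to the device
        # Read-back check: catches a write that silently failed to reach the
        # file. It cannot detect blocks an SSD remapped; see the media caveat.
        f.seek(0)
        readback = hashlib.sha256()
        while chunk := f.read(CHUNK):
            readback.update(chunk)
        if readback.digest() != fill.digest():
            raise RuntimeError("read-back differs from fill; do not trust this disposal")
    os.remove(path)
    return written


def demo():
    """Create a scratch file with a constructed marker, then sanitise it."""
    content = b"MRN 4471023 CONFIDENTIAL " * 4000   # constructed, not real ePHI
    fd, path = tempfile.mkstemp(prefix="ephi-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    rotational = media_is_rotational(path)
    written = overwrite_file(path, passes=2)
    return {"size": len(content), "bytes_written": written,
            "still_exists": os.path.exists(path), "rotational": rotational}


if __name__ == "__main__":
    result = demo()
    print(result)
    if result["rotational"] is False:
        print("flash media: overwrite is not sufficient, use crypto erase or secure erase")
```

Two further limits worth knowing before relying on a file-level overwrite: journaling or copy-on-write filesystems may have written the original blocks elsewhere (snapshots, journal, earlier versions), and a file that was ever copied, emailed or backed up has copies this routine never touches. That is why the slide's policy operates at the media level and why disposal of whole devices goes through the SOM Electronic Data Disposal Policy rather than ad hoc tooling.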

Physical: Information Transfer
Hard drives sent to vendors outside the USCSOM for data recovery or for warranty repairs require a Business Associate Agreement between USC Specialty Clinics and the specified vendor. The process must be coordinated through the Office of Information Technology.

Physical: Information Disposal
- Special attention should be given to copiers and other multifunction devices that contain internal data storage.
- Such devices must be properly disposed of when taken out of service, when leasing contracts end, or when equipment is updated or replaced.
- All such devices containing ePHI must be disposed of in compliance with the SOM Electronic Data Disposal Policy.

Technical Safeguards
Technical safeguards: the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.
Bottom Line: Technological solutions are required to protect ePHI where applicable. Examples include data encryption and secure data transfer over the network.

Technical: Network
- All wireless network communications require proper security protocols and encryption technology.
- Wireless networking must be configured and managed by the USCSOM Office of Information Technology.
- All electronic transmission of ePHI must be appropriately encrypted.

Technical: Network
- Protected health information residing on any form of electronic media or computing device must be encrypted if stored or taken off-site, e.g. backup CDs, DVDs, external hard drives, etc.
- Encryption must be achieved through software approved by the SOM IT Department Security Officer or designee, e.g. BitLocker, AxCrypt, FileVault.

Information Technology Update: Summary
- Change is painful but necessary
- Paradigm shift in IT philosophy for USCSOM
- Provide a re-designed IT infrastructure that will enable us to embrace future technological development
- Provide for the security of USCSOM's valued electronic assets
- Provide a tremendous opportunity to enhance patient care, collaborative research, and teaching

Information Technology Update: Questions?