Columbia University Medical Center

HIPAA Privacy and Security
Management Update
Karen Pagliaro-Meyer, Privacy Officer, [email protected], (212) 305-7315
Soumitra Sengupta, Information Security Officer, [email protected], (212) 305-7035
January 28, 2008
1
HIPAA: PRIVACY vs. SECURITY
What’s the Difference?
PRIVACY
Refers to WHAT is protected: health information about an individual, and the determination of WHO is permitted to use, disclose, or access that information.
SECURITY
Refers to HOW private information is safeguarded: ensuring privacy by controlling access to information and protecting it from inappropriate disclosure and from accidental or intentional destruction or loss.
2
HIPAA Privacy and Security Update
Privacy Update
1. Policy & Procedure Update
2. HIPAA Staff Education
3. Business Associate Agreements
Security Update
1. Policy & Procedure Update
2. HIPAA & SSN Asset Identification
3. Other Security Information
3
Why do we care about HIPAA?
Privacy Breaches
• George Clooney
Information Security
• V.A. Hospital lost hard drive with patient medical and physician information
Identity Theft
• Social Security Notification Act
4
1. Privacy Policy and Procedure Update
• Notice of Privacy Practices
• Notice – English and Spanish
• Acknowledgement form
• Posters
• Release of patient information
• Privacy and Security Audit tools
• Reporting Privacy Breach Allegation
2. Staff Education
Current Privacy and Security Education
– New Hire Staff Education
– On-line HIPAA Education (Professional Staff)
– HIPAA for Researchers (RASCAL)
Additional Education Planned
– Quarterly HIPAA Training for managers (refresher and new hire)
– Quarterly HIPAA Training for staff (refresher)
– Quarterly Email reminders / alerts
– Department specific – as requested
– Web Site
11
3. Business Associate
Definition: A person or organization:
• who is not a member of your staff,
• and is not another healthcare provider,
• who receives, uses, or discloses protected health information (patient information)
• in connection with providing any of the following services to or for your practice.
12
3. Who is a Business Associate?
Examples include:
• billing
• accounting
• claims processing or administration
• accreditation
• call service management
• administrative
• quality assurance
• data aggregation
• data processing or analysis
• consulting
• transcription services
• financial services
• utilization review
• management
• design or manage an electronic records system
13
HIPAA Information Security Recap
Confidentiality
• Prevent unauthorized access or release of EPHI
• Prevent abuse of access (identity theft, gossip)
Integrity
• Prevent unauthorized changes to EPHI
Availability
• Prevent service disruption due to malicious or
accidental actions, or natural disasters.
14
Regulation specification
Administrative Safeguards
• Policies and Procedures
• Responsibility
• Awareness and Training
• Incident Processing, Sanctions
Physical Safeguards
• Workstation Use and Security
• Facility Access Control
• Device and Media Control
Technical Safeguards
• Access Control
• Audit Control
• Encryption and Integrity control
15
Policies and Procedures
• Information Security Mgmt Process
• Information Access Mgmt & Control
• General Info Security
• Info Sec: Audit and Evaluation
• Workstation Use and Security
• Workforce Security Clearance, Term and Auth
• Info Sec: Backup, Device & Media Control
• Info Sec: Facility Access Control & Security
• Info Sec: Disaster Contingency & Recovery Plan
• Info Sec: Security Incident Procedure
• Information Security Best Practices
16
Responsibility action items
Information Asset Owner responsibility
– Risk Assessment and management
– Implementation of Security Controls
• Access, Authorization, Termination
– Audit and evaluation
– Disaster Contingency and Recovery Plan
– Additional information in Policy documents
17
Responsibility action items
Manager responsibility
– Workforce Clearance, Termination and Authorization
– Facilities access to sensitive information assets
– Education, security reminders, sanctions
End User responsibility
– “Acceptable Use”
– Safe practices
– Sensitivity towards patient privacy
18
Consequences of Security Failure
• Disruption of Patient Care
• Increased cost to the institution
• Legal liability and lawsuits
• Negative Publicity
• Identity theft (monetary loss, credit fraud)
• Disciplinary action
19
Types of Security Failure
Intentional Attacks
– Malicious Software (Bots, Spyware)
– Theft of copyrighted material (Torrent, Limewire, Emule, etc.)
– Stolen Passwords (Keyloggers, Trojans)
– Impostors e-mailing to infect and steal info (Phishing)
– Abuse of privilege (Employee/VIP clinical data)
…and an important development…
20
Privacy & Security Concerns
Risk to Clinical Information
• Loss of Laptops, USB/flash drives, CD/DVD, Blackberry/Palm, etc.
• Failure to safeguard equipment
– Physically locked / secured?
– Password protected?
– Encrypted?
E.g. Kingston DataTraveler Secure Privacy Edition USB flash drive
21
Types of Security Failure
Employee Carelessness
– Sharing Passwords
– Not signing off systems
– Downloading and executing unknown software
– Sending EPHI outside the institution without encryption
– Losing PDA and Laptop in transit
– Pursuing risky behavior – Improper web surfing, and instant
messaging
– Not questioning, reporting, or challenging suspicious or
improper behavior
22
Methods to Protect against Failures
• Do not abuse clinical access privilege; report if you observe an abuse (if necessary, anonymously)
• Do not become responsible for another person’s abuse by neglecting to sign off; this negligence may easily lead to your suspension and termination
• Do not copy, duplicate, or move EPHI without proper authorization
• Do not email EPHI without encryption to addresses outside the institution
24
Methods to Protect against Failures
Strictly follow the principles of ‘Minimum necessary’ and ‘Need-to-know’ for all accesses; the 3 fundamental missions of the institution are Care, Education and Research.
Challenge improper behavior, question suspicious behavior, and report violations and security problems to the proper authorities: email [email protected] or [email protected], call the Privacy Office (1-212-305-7315), or call the CUMC IT Helpdesk (1-212-305-HELP).
Communicate with colleagues and staff about secure and ethical behavior.
25
HIPAA & SSN Asset Identification Project
• Identify electronic storage of patient information and of
any SSN (patient, provider, employee)
• Storage includes
– Applications, Databases, Files.
– Application/Database/File servers, Workstations/PC/Laptops,
USB/Flash devices, CD/DVDs, Home computers
• Started on 12/7 by Bob Sideli, CIO, CUMC (cc to
Chairs). So far:
– 43% of departments / centers have responded
– 83 assets with Social Security Numbers
– 70 assets with Protected Health Information
26
Information Systems Security
Application/database/file store information: List all applications/databases/file stores for which the Department is responsible. Repeat this information for each application/database/file store, one in each worksheet. Protected Health Information (PHI) is any patient-related information including name, DOB, SSN, address, diagnosis, treatment, etc. When in doubt - report.
Worksheet fields:
– Enter Application (Database/File Store) Name:
– Does it contain Protected Health Information? YES / NO / Don’t Know
– Does it contain Social Security Number? YES / NO / Don’t Know
– Brief description of application (Database/File Store) and its use:
– Name of Individual responsible for Application/Database/File Store: Title: / UNI: / Phone: / Email:
– Works in… Columbia Dept (Specify name below) / CUbhis / Third party vendor (Specify name below)
27
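As an added example (not part of the original presentation or of CUMC’s project), a small Python script that does the first pass of the asset identification described above: it scans file stores for SSN-formatted values and for the patient-related field names the worksheet lists, and produces the worksheet’s YES/NO answers per asset. The file names, contents and the PHI keyword list are constructed assumptions.

```python
import re
from pathlib import Path

# Constructed sample file stores (not real data) standing in for a department's files.
SAMPLE_FILES = {
    "clinic_roster.csv": "name,dob,ssn\nJane Doe,1970-01-02,123-45-6789\n",
    "payroll_notes.txt": "Employee 478-65-4321 transferred to cardiology.\n",
    "meeting_agenda.txt": "Agenda: budget review, 2008-01-28, room 305-7315.\n",
    "test_ids.txt": "Test ids 000-12-3456, 666-12-3456 and 123-00-4567\n",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Patient-related field names taken from the worksheet's PHI definition (assumed keyword list).
PHI_RE = re.compile(r"\b(patient|dob|date of birth|diagnosis|treatment|mrn)\b", re.I)


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop values the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def classify(text: str) -> dict:
    """Answer the two worksheet questions (contains PHI? contains SSN?) for one asset."""
    ssns = [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]
    return {"ssn_count": len(ssns), "has_ssn": bool(ssns), "has_phi": bool(PHI_RE.search(text))}


def inventory(files: dict) -> list:
    """One worksheet row per asset: name, PHI YES/NO, SSN YES/NO, number of SSN hits."""
    rows = []
    for name, text in files.items():
        c = classify(text)
        rows.append({"asset": name, "phi": "YES" if c["has_phi"] else "NO",
                     "ssn": "YES" if c["has_ssn"] else "NO", "ssn_count": c["ssn_count"]})
    return rows


def scan_directory(root: str) -> list:
    """Inventory every regular file under root (text read leniently; binaries yield few hits)."""
    files = {str(p): p.read_text(errors="ignore") for p in Path(root).rglob("*") if p.is_file()}
    return inventory(files)


if __name__ == "__main__":
    for row in inventory(SAMPLE_FILES):
        print(f"{row['asset']:<20} PHI: {row['phi']:<3} SSN: {row['ssn']:<3} ({row['ssn_count']} hits)")
```

The hits only answer the worksheet’s YES/NO questions; the individual responsible for the asset still confirms each row before it is reported.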
New York State SSN Laws
• Information Security Breach and Notification Act
– December 2005
– If… Breach of Personally Identifiable Information
• SSN
• Credit Card
• Driver’s License
– Then… Notify consumers, NY State, consumer reporting
agencies
– Loss of 100s of thousands for notification and credit report help
– Penalties
28
New York State SSN Laws
• Social Security Number Protection Law
– December 2007
– Recognizes SSN to be primary identifier for identity theft
– Illegal to communicate to general public
– Access cards, tags, etc. may not have SSN
– SSN may not be transmitted over Internet without encryption
– SSN may not be used as password
– SSN may not be printed on envelopes with see-through windows
– Penalties
• Identification of SSN assets is the first step towards
reducing the risk of violating laws.
29