2011 SECURITY REFRESHER
Information Security
Agenda
• HIPAA Update
• Encryption Overview
• Mobile Phones and Tablets
• Cameras
• USB Drives
• E-mailing Patient Information
• File Sharing
• Social Media
HIPAA Update
• HIPAA compliance penalties were increased in July 2010 under the HITECH Act
• New notification requirements:
1) Civil monetary penalties significantly increased ($100-$50,000 per violation, up to $1.5m/yr)
2) Unwarranted disclosure of PHI can result in criminal prosecution and imprisonment
3) A security breach resulting in compromised PHI must be disclosed to each affected individual within 60 days of discovery
4) If more than 500 patients are impacted, the event must be reported to the media and HHS within 60 days of discovery*
5) State Attorneys General are empowered to pursue HIPAA violations
*If fewer than 500 patients are impacted, the covered entity may notify HHS of such breaches on an annual basis
Recent Fines for HIPAA Breaches
• $1m settlement with MGH in Feb 2011 (an employee left a folder on a subway containing information on the HIV/AIDS status of 192 patients)
• $4.5m fine against Cignet Health, a Maryland insurance company, in Feb 2011, based on HIPAA violations and failure to cooperate with OCR's investigation (the insurer failed to provide 41 patients with their medical records within the 30-day time frame and failed to respond to OCR's request for documents)
• In Feb 2011, the New York municipal hospital system notified 1.7 million patients of the theft of electronic files containing PHI from the truck of a records-management service vendor
  – Estimated cost of $350 million for patient notification, setting up a call center and providing credit reporting
• In April 2011, the Philadelphia Family Planning Council informed 70,000 clients of a HIPAA breach stemming from a stolen unencrypted flash drive
State Law Enforcement
• April 28, 2010: a former UCLA Healthcare System surgeon was sentenced to four months in prison
• Illegally read the private electronic medical records of an immediate supervisor, co-workers and celebrities
• Read records 3 weeks after being formally terminated
Privacy or Confidentiality
From the Internet Security presentation at WICS by Whit Diffie
Encryption
Now is the time for all good men...
    → Encryption →
sd84$2*q} 59(o32nvt- =gf]|@l^...
    → Decryption →
Now is the time for all good men...
Mobile Phones and Tablets
Mobile phones and tablets that connect to WUSM e-mail systems:
• Must be password/PIN protected
• Must support device encryption
• Must support remote wipe
If your mobile device is lost or stolen you should:
• Notify the Information Security and Privacy Offices
• Notify your Division IT Administrator – they will remote wipe the device, then contact the carrier to kill service
Never send patient identifiers via text messaging or paging; keep messages free of identifiers, e.g.:
• Call me @ xxx-xxxx
• Subject is ready in Room xx
Cameras (picture slides; images not reproduced)
• Innocent Enough Picture
• Let's Try Picasa: GPS Info
• Google Earth got the Campsite
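The camera slides make the point that a phone photo's EXIF block can carry the GPS fix of where it was taken, which a viewer such as Picasa displays and Google Earth maps. As an added example (not part of the original deck), the Python below hand-builds a constructed JPEG whose APP1 segment holds an EXIF GPS IFD, reads the coordinates back the way a viewer would, and goes one step beyond the slides by stripping the APP1 segment so the picture can be shared without its location. The byte layout and the coordinates (38°38'08"N, 90°15'55"W) are constructed for illustration only.

```python
import struct
# Constructed sample (not a real photo): minimal JPEG whose APP1 holds a hand-built little-endian EXIF GPS IFD.
def build_sample_jpeg():
    rat = lambda d, m, s: struct.pack("<6I", d, 1, m, 1, int(s * 100), 100)  # 3 RATIONALs, 24 bytes
    ifd0 = struct.pack("<HHHIII", 1, 0x8825, 4, 1, 26, 0)          # IFD0 @8: one entry, GPSInfo -> 26
    gps = (struct.pack("<H", 4)                                     # GPS IFD @26, four entries
           + struct.pack("<HHI4s", 1, 2, 2, b"N\x00\x00\x00")       # GPSLatitudeRef (ASCII)
           + struct.pack("<HHII", 2, 5, 3, 80)                      # GPSLatitude: RATIONALs @80
           + struct.pack("<HHI4s", 3, 2, 2, b"W\x00\x00\x00")       # GPSLongitudeRef
           + struct.pack("<HHII", 4, 5, 3, 104)                     # GPSLongitude: RATIONALs @104
           + struct.pack("<I", 0))                                  # no next IFD
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps + rat(38, 38, 8.0) + rat(90, 15, 55.0)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def jpeg_segments(data):
    """Yield (marker, payload, start, end) for each marker segment between SOI and SOS/EOI."""
    pos = 2
    while data[:2] == b"\xff\xd8" and pos + 4 <= len(data) and data[pos + 1] not in (0xD9, 0xDA):
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield data[pos + 1], data[pos + 4:pos + 2 + length], pos, pos + 2 + length
        pos += 2 + length
def _ifd(tiff, off, end):
    """{tag: 4 raw value/offset bytes} for the IFD at TIFF offset off (end = '<' or '>')."""
    n = struct.unpack(end + "H", tiff[off:off + 2])[0]
    return {struct.unpack(end + "H", tiff[e:e + 2])[0]: tiff[e + 8:e + 12]
            for e in range(off + 2, off + 2 + 12 * n, 12)}
def _dms(tiff, raw, end):  # deg/min/sec RATIONALs at the offset held in raw -> decimal degrees
    v = struct.unpack(end + "6I", tiff[struct.unpack(end + "I", raw)[0]:][:24])
    return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600

def exif_gps(data):
    """(lat, lon) in decimal degrees if the JPEG's EXIF carries GPS tags, else None."""
    for marker, payload, _, _ in jpeg_segments(data):
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff, end = payload[6:], "<" if payload[6:8] == b"II" else ">"   # byte order from TIFF header
        ifd0 = _ifd(tiff, struct.unpack(end + "I", tiff[4:8])[0], end)
        gps = _ifd(tiff, struct.unpack(end + "I", ifd0[0x8825])[0], end) if 0x8825 in ifd0 else {}
        if all(t in gps for t in (1, 2, 3, 4)):
            lat = _dms(tiff, gps[2], end) * (-1 if gps[1][:1] == b"S" else 1)
            lon = _dms(tiff, gps[4], end) * (-1 if gps[3][:1] == b"W" else 1)
            return round(lat, 6), round(lon, 6)
    return None

def strip_exif(data):
    """Copy of the JPEG with every APP1 (EXIF) segment dropped; compressed image data is untouched."""
    segs = list(jpeg_segments(data))
    return data[:2] + b"".join(data[s:e] for m, _, s, e in segs if m != 0xE1) + data[segs[-1][3] if segs else 2:]
```

Real phone photos store their fix in the same tags (the 0x8825 GPSInfo pointer and GPS tags 1 to 4), so the same check flags them; turning off location tagging in the camera app avoids writing the fix in the first place.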
USB Drives
You may store patient or confidential information only on USB drives that have encryption enabled, or where the files themselves are encrypted.
"Encryption enabled" means that when the drive is attached to a machine, it asks you for a password before allowing access to the information.
Even if the device is encrypted, notify the Information Security Office if it is lost or stolen.
When is it okay to e-mail patient information?
• Within Medical School and Hospital e-mail systems, e.g. psychiatry.wustl.edu to dom.wustl.edu or bjc.org
• If the file is encrypted, e.g. a password-protected Excel spreadsheet
• With signed patient consent to interact via e-mail
Phishing Example
File Sharing/Cloud Computing
• Only store patient information on approved Medical School servers
• Google Docs/Microsoft 365: no BAA (business associate agreement) to allow storage of patient information
• Do not put patient information in calendars, e.g. Google Calendar
• Use WUSTL Dropbox for file transfers or University SharePoint sites for collaboration. Note: the other Dropbox service allows its administrators to review the unencrypted information.
Doximity
Blogging/Twitter
The End
Questions/Comments