2011 security refresher information security. agenda hipaa update encryption overview mobile phones...
Post on 25-Dec-2015
216 Views
Preview:
TRANSCRIPT
2011 SECURITY REFRESHER
Information Security
Agenda
HIPAA UpdateEncryption OverviewMobile Phones and TabletsCamerasUSB DrivesE-mailing Patient InformationFile SharingSocial Media
HIPAA Update
• HIPAA compliance penalties were increased in July, 2010 under the HITECH Act
• New Notification Requirements:1) Civil monetary penalties significantly increased ($100-$50,000
per violation up to $1.5m/yr)
2) Unwarranted disclosure of PHI can result in criminal prosecution and imprisonment
3) A security breach resulting in compromised PHI must be disclosed to each individual within 60 days of discovery
4) If more than 500 patients are impacted, the event must be reported to the media and HHS within 60 days of discovery*
5) State Attorney Generals empowered to pursue HIPAA Violations
*If <500 patients are impacted, covered entity may notify HHS of such breaches on an annual basis
Recent Fines for HIPPA Breaches
• $1m settlement with MGH in Feb 2011 (employee left a folder on a subway containing information on HIV/AIDS status of 192 patients)
• $4.5m fine against Cignet Health in Feb 2011, a Maryland insurance company, based on HIPAA violations and failure to cooperate with OCR’s investigation (insurer failed to provide 41 patients with their medical records within 30 day time-frame plus failure to respond to OCR request for documents)
• In Feb 2011, the New York municipal hospital system notified 1.7 million patients of the theft of electronic files containing PHI from the truck of a records-management service vendor
$350 million estimated cost for patient notification, setting up a call center and providing credit reporting estimate
• In April 2011, the Philadelphia Family Planning Council informed 70,000 clients of a HIPPA breach stemming from a stolen unencrypted flash drive
State Law Enforcement
April 28, 2010, A former UCLA Healthcare System surgeon has been sentenced to four months in prison
Illegally read private electronic medical records of Immediate Supervisor Co-Workers Celebrities
Read records 3 weeks after formally terminated
Privacy or Confidentiality
From Internet Security presentation at WICS by Whit Diffie
Encryption
Now is the time for all good men...
sd84$2*q} 59(o32nvt- =gf]|@l^...
Decryption
Encryption
Now is the time for all good men...
Mobile Phones and Tablets
Mobile Phones and Tablets that connect to WUSM e-mail systems •Must be password/pin protected•Must support device encryption•Must support remote wipe
If your mobile device is lost or stolen you should•Notify Information Security and Privacy Offices•Notify your Division IT Administrator – they will remote wipe the device then contact the carrier to kill service
Never text patient identifiers via text messaging or paging•Call me @ xxx-xxxx•Subject is ready in Room xx
Innocent Enough Picture
Let’s Try Picasa
GPS Info
Google Earth got the Campsite
USB Drives
You may store patient or confidential information only on USB drives that have encryption enabled or the files are encrypted.
Enable Encryption means when the drive is attached to a machine that it asks you for a password before allowing you to access the information.
Even if the device is encrypted notify the Information Security Office if it is lost or stolen.
When is it okay to e-mail patient information
•Within Medical School and Hospital e-mail systems e.g. psychiatry.wustl.edu to dom.wustl.edu or bjc.org•If the file is encrypted e.g. password protected excel spreadsheet•Signed patient consent to interact via e-mail
Phishing Example
File Sharing/Cloud Computing
Only store patient information on approved Medical School Servers
Google Docs/Microsoft 365 No BAA to allow storage of patient information Do not put patient information in calendars e.g. Google
Calendar
Use WUSTL Dropbox for file transfers or University SharePoint sites for collaboration Note: The other Dropbox service allows their
administrators to review the unencrypted information.
Doximity
Blogging/Twitter
The End
Questions/Comments
top related