
Page 1: White Paper: Contingency Planning

DRAFT Version 5: 12/20/2007

Based on Final Security Rules

HIPAA COW SECURITY NETWORKING GROUP
PORTABLE MEDIA WHITE PAPER

Disclaimer

This Portable Media White Paper is Copyright © 2007 by the HIPAA Collaborative of Wisconsin (“HIPAA COW”). It may be freely redistributed in its entirety provided that this copyright notice is not removed. It may not be sold for profit or used in commercial documents without the written permission of the copyright holder. This document is provided “as is” without any express or implied warranty. This document is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. HIPAA COW has not yet addressed all state pre-emption issues related to this Portable Media White Paper. Therefore, this form may need to be modified in order to comply with Wisconsin law.

Table of Contents

I. Introduction ... 2
  A. What is Portable Media? ... 2
  B. Why Develop a Portable Media Protocol/Policy? ... 2
  C. Objectives of Establishing a Protocol for Securing Portable Media ... 5
  D. Applicable HIPAA Security Rule Standards ... 5
II. Definitions ... 5
III. What Needs to be Included in a Portable Media Security Plan ... 6
  A. Identification of Portable Media ... 6
  B. Source and Security of Portable Media ... 8
  C. Portable Media Loss ... 11
  D. Portable Media Loss Contact Process and Information ... 11
  E. Media/Public Relations ... 12
  F. Related Organizational Policies ... 12
  G. Securing/Encrypting/Password Protection ... 13
  H. Law Enforcement/Government Agency Contact Information ... 13
References and Resources ... 14
APPENDIX I: PORTABLE MEDIA INVENTORY ... 15
APPENDIX II: PORTABLE MEDIA LOSS REPORTING FORM ... 16
APPENDIX III: SAMPLE PROCEDURE FOR DOCUMENT PASSWORD PROTECTION ... 18

Note: This information has been developed to address information systems (IS) portable media use and management as a separate issue. It is important that the organization’s IS portable media processes can be carried out as an integrated element of ongoing security for organizational data, and as a component of organizational operations.

© Copyright 2007 HIPAA COW


I. Introduction

A. What is Portable Media?

Portable Media, for the purposes of this paper, is defined to include any device or media which is easily portable or transported from place to place by an individual. Examples include but are not limited to:

- Computer laptops, tablets and other portable computers
- Personal Digital Assistant(s) (PDA) (e.g. Palm OS®, Windows CE® based devices)
- Flash, Universal Serial Bus (USB) or “thumb” drives
- MP3 players (e.g. iPod®)
- BlackBerry® and similar devices
- Cell phones, mobile phones, pagers and similar devices used for or capable of sending/receiving text messages and/or e-mail messages
- Portable hard disk drives
- Zip disks, CDs, DVDs, Optical Disks, Diskettes, Magnetic Tape and similar media
- Portable dictation devices, whether digital or analog
- Digital cameras, whether still or video
- Cell phones, BlackBerry® and similar devices capable of taking and/or storing digital images, whether still or motion
- Analog cameras and film contained therein

Note: Each organization will be responsible for establishing separate policies for creation, maintenance, use, storage and overall management of images acquired through these devices. This white paper is not the venue for these policies.

Use of data on such portable media may include but not be limited to:

- Transportation
- Transmission
- Backup/archiving
- Use at another location, off campus from the source
- Use on another workstation on or off campus
- Data capture and storage relative to patient care

B. Why Develop a Portable Media Protocol/Policy?

Healthcare and business practices today are, to an ever expanding degree, taking the employee outside of the realm of the “secure” organizational buildings and network. This raises the risks and stakes of potential loss or theft of PHI or other organizationally sensitive information. A variety of headlines in the recent past have brought to our attention the challenges organizations have in relation to securing portable media, particularly laptops. Examples taken from the media around the time of authoring this white paper include the following.


Particular note should be taken that security practices organizations have preached against for several years are not followed in many of these incidents.

Austin, Texas, police are investigating after security cameras captured video of the thief carrying out a laptop and a projector from a Seton Family of Hospitals office.

http://www.informationweek.com/showArticle.jhtml?articleID=197008711

Health Care Firm Recovers Stolen Laptop “The data on the Dell laptop was encrypted and password-protected, according to a statement from William Beaumont Hospital in Royal Oak. But the car theft, which occurred Aug. 5 in Detroit, caused particular concern among hospital officials, because the affected employee's ID access code and password were written on a piece of paper that was taped to the inside of the stolen PC.”

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002765

HIPAA Compliance Strategies: 2006's 10 Biggest Health Care Security Breaches. Reprinted from the December 2006 issue of REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

A summary of 10 events from 2006 is provided at the following link. These include misplaced CDs containing patient information and theft of a laptop from a Veteran’s Affairs employee’s home.

http://www.aishealth.com/Compliance/Hipaa/RPP_2006_Security_Breaches.html

Sick Kids doctor loses data on 3,300 patients “Six weeks after Ontario's privacy commissioner ordered the Hospital for Sick Children not to remove electronic health records from the hospital, a doctor lost an external hard drive containing such records at the country's busiest airport. The physician, who was traveling to a medical conference, packed the external hard drive so he could work while away. Though airport security was notified and a search conducted, it was never recovered.”


Aug 31, 2007 04:30 AM MEGAN OGILVIE HEALTH REPORTER http://www.thestar.com/living/article/251904

Beyond laptops and compact disks (CD), portable media have become ubiquitous in the workplace, whether provided by the employer, or brought to the workplace by the employee. In the past 3 years, USB memory flash drives have fallen in price from approximately $100 for 128 kilobytes of storage to less than $20 for 2-4 gigabytes of storage. Such devices are frequently provided as “gifts” at conferences.

Use of these devices is as easy as plugging them into an available USB port on any computer in the work setting and copying files and other data representations to this locally installed device. Organizations are typically reluctant to disable the USB ports, as they are commonly used for the installation of devices such as bar code readers, local printers and other devices. Additionally, these ports may be used during the course of conducting business, such as software installation and making backups. The corporate and personal prevalence of laptops, replacing traditional workstations in many cases, is a growing trend. This is particularly seen with providers that have offices in multiple locations and require the convenience of portability. Further, staff, executives and consultants have come to depend on portable media in the daily performance of their responsibilities.

Organizations need to establish a policy on Portable Media and educate their staff on the appropriate use of Portable Media. Part of this policy and education needs to be that personally provided Portable Media must follow the corporate standards for security and confidentiality, including the right of the organization to install security safeguards on all such media.

Key references related to Portable Media include:

1. An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST Special Publication 800-66, http://csrc.nist.gov/publications/nistpubs/800-66/SP800-66.pdf, accessed April 2007.

2. HIPAA Security Guidance, Department of Health and Human Services, USA, http://www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806.pdf, accessed April 2007.

3. Managing Sensitive Electronic Information (SEI), A Security Policy Template developed by the Mobile Memory Task Force of the NCHICA Privacy and Security Officials Workgroup on Portable Devices and Removable Media, August 6, 2007, http://www.nchica.org/HIPAAResources/Samples/Portal.asp, accessed October 15, 2007.


C. Objectives of Establishing a Protocol for Securing Portable Media

The objectives of securing Portable Media are driven from the basics of securing all media containing electronic protected health information (ePHI). The challenge when addressing portable media in particular focuses on:

i. Providing the organization with a framework within which portable media may be securely used in the workplace.

ii. Minimizing possible adverse outcomes from loss or theft of devices containing ePHI, or other protected information, particularly when such data is unsecured.

iii. Establishing within an organization an understanding of the opportunity and responsibility of appropriate use of portable media, and establishing the basis of education related to the use of such devices.

iv. Outlining for organizations options for and guidelines related to appropriately securing ePHI stored on portable media.

v. Protecting the public image and credibility of the organization in relation to adverse effects of loss of ePHI on portable media.

vi. Determining the organizational position related to portable media that is personally owned or otherwise not provided specifically by the organization for business purposes.

Each organization will need to determine appropriate Portable Media guidelines and practices appropriate to its needs.

D. Applicable HIPAA Security Rule Standards

i. Health Insurance Reform Security Standards 68 FR 8334.

ii. Preamble to the Security Standards: Final Rule, Federal Register, Vol. 68, No. 34, Thursday, February 20, 2003, p. 8361.

iii. Organizations should establish and publish a disclaimer that all data and information contained on portable media are provided the same due diligence and protection as all protected health information, regardless of source. Information that is not PHI is afforded the appropriate level of protection as other organizationally sensitive or confidential data and information (e.g. financial).

II. Definitions

A. Portable Media – Please reference list on Page 2 of this document.

B. Encryption of Data: The process of altering or obscuring data, through the use of keys, to prevent its being viewed.

From: The Columbia Encyclopedia, Sixth Edition  |  Date: 2007 http://www.encyclopedia.com/doc/1E1-dataencr.html


data encryption the process of scrambling stored or transmitted information so that it is unintelligible until it is unscrambled by the intended recipient.

C. Password Protection of Data: Establishing a password assigned to a specific document or file, preventing read or write access without the password.

Another approach to “securing” individual Microsoft documents (e.g. Word documents, Excel documents) is to apply the Microsoft provided “password” protection to these documents. These passwords may be applied at various levels, allowing some users to “read” but not “edit” documents. Users are cautioned in undertaking this approach, as the selection of document specific passwords is at the discretion of individual users, may not comply with organizational policies on password standards, and may be easily forgotten. Historically, forgetting a Microsoft document password effectively left the document permanently “secured”; there are now a variety of tools available that may be used to help reacquire the forgotten password. As with the above encryption discussion, a listing of these various solutions is not provided, again due to the dynamic nature of the industry.

D. ePHI: Electronic Protected Health Information

E. Loss Incident: An event in which a portable media device is lost or stolen.

F. Disclosure Incident: A loss incident during which ePHI or other protected or proprietary information that was not appropriately secured is released.

III. What Needs to be Included in a Portable Media Security Plan

When developing a Portable Media Security Plan/Policy, a recommended approach is to assess the various device types, various data classifications (e.g. audio, images, textual), the various users of portable media, as well as data types (e.g. clinical, financial), and structure the organizational policy around these defined elements. Attention should be paid to the various portable media that are involved, based in part on the various working environments, staff involved, and other organization specific circumstances.

Also identify which critical systems, if not all systems, are supported at alternate sites. Are there resources available to support all systems, or only critical ones? Test the sites to verify they support the systems (with backed-up data), should your main facilities be down on an ongoing basis.

A. Identification of Portable Media

This section will address business needs where portable media have become a natural and critical part of the work environment. In each case, organizations need to assess the impact of initial device cost, cost of securing and managing devices, risk of use/loss, cost of not providing such devices, and the associated challenges of self provided portable media devices.

i. Overview and Work Environments

1. Mobile Work Environment: Organizations, such as durable medical equipment sales and support, visiting nurse associations, providers functioning in on-call roles while traveling on business or personal time and home health agencies, frequently establish a mobile office for their staff, providing them with a cellular phone, BlackBerry ® or similar device, as well as a laptop. The combination of these devices is literally a portable office, removed from the relative security of an organization’s network. Additionally, executives and managers who frequently spend the majority of their business day in meetings frequently find it necessary to take work home. In all cases, various elements of PHI or organizationally sensitive data are part of the environment. Devices provided to enable this mobile work force need to be appropriately protected, including passwords and encryption of data. Additionally, it may be prudent to have all such devices returned to the corporate offices on a “regular basis” to ensure appropriate levels of security are maintained/refreshed, and where appropriate, having locally stored data “backed up” on the organizational network.

2. Executive Work Environment: A hybrid instance of the Mobile Work Environment exists with executives that have “home” offices but are frequently traveling on business, whether locally (e.g. clinic to clinic, clinic to hospital) or nationally. This travel may include the presentation of papers at conferences, where the presentation is stored on the same device as the quality initiative spreadsheet currently being developed by this executive. Laptops and portable memory media used by these individuals, in the office one day and on the road the next, need to have an easily employed encryption methodology incorporated in them. Additionally, good business practice supports backing up the portable media on a regular basis.

3. Transportation/Storage of data on physical media : Data are frequently transported outside of the organizational internal security measures to support daily business operations and compliance with business recovery/continuance policies. Examples include disaster preparedness initiatives and delivery of data to third party organizations other than via the Internet. Such “transportation and storage” may be via laptops, USB memory drives and a large variety of media (e.g. tape, CD/DVDs, etc.) for storage of data.

4. Dynamic Media as Medical Record: At an ever increasing rate, various new types of “medical documentation” user interface devices are being adopted in both the ambulatory and inpatient settings. These include but are not limited to:

a. Handheld devices for physician dictation or e-prescribing, leveraging the portability of PDA devices.


b. Recording of visual images (still or motion) on cell phones and digital cameras, including the memory cards on which these images are stored, which may be removed from the camera to transport the images to another system.

c. Expanding patient to provider communication via web based services and e-mail which may occur across BlackBerry ® or similar devices or PDAs.

These devices are typically structured to “synchronize” locally saved data with the organizational network. Care should be taken to ensure that, in addition to appropriate local encryption levels, these devices successfully “synchronize” PHI in a timely manner with local network services, making this data available to all those accessing the Electronic Health Record from other devices.

5. Maintaining/Updating Historical Data Storage Media: While somewhat outside the scope of portable media, it should be noted that there is an organizational exposure risk driven by the dynamics of data storage media evolution. In the time frame of 25 years, the IT industry has gone from reel tape through a variety of cartridge tapes, multiple sizes/densities of diskettes and numerous optical (e.g. CD, DVD) storage media. Long term storage of data on these media may require transition of archives from media to media as technology changes and devices to “read” the media become unavailable. Additionally, the systems which may read these data stores may no longer be available or supported. Many of these media contain PHI, which may need to be accessed in establishing offsite disaster recovery services. Organizational steps to establish such offsite storage of data in this manner, for purposes of business continuance or generalized “backup”, should include ensuring that the organization maintains the ability to read these media and that such media are secured and/or the contained data is encrypted.

B. Source and Security of Portable Media

The following are provided as discussions regarding the source of and security related to various portable media. Organizations should assess the need for establishing policies on the use of portable media based on position roles within the organization. Roles not so identified for use of portable media should require prior authorization for the use of such media from an individual within the organization such as the Information Security Officer. Such policy should apply to devices that are provided either by the organization or personally.

i. Organizationally Provided Portable Media: The previous section established the business need for the use of portable media. Each organization needs to assess these business needs individually and assess the need to provide portable media. With some media (e.g. laptop computers, backup data media sent off site), the ability to control or manage the media is relatively apparent. For example, purchases of laptops and related capital items may, by policy and practice, require sign off by information services. Further, such devices assigned to staff may be required to be connected to the network to update security software and update network based data storage. Such activities may be monitored through the organizational network. With backup media, particularly for large organization databases (e.g. electronic health record systems, laboratory information systems, and hospital information systems), Information Services, as creator of such system backups, serves as a control point. Additionally, extracts of such large scale databases for purposes of reporting and data warehousing should be managed through authorized staff and procedures to safeguard and back up such extracts as appropriate. In some cases, such control and management is more difficult (e.g. locally stored budget documents, employee reviews, patient specific locally stored research databases, and data stored on PDAs and USB memory sticks). In these instances, policy should dictate audits and compliance. In all cases, as with other capital items, media classified as an asset should be tagged and monitored as such. It is the opinion of the authors of this paper that, particularly for smaller to medium sized organizations, it is not practical to “manage” use of USB memory devices and other such personal items (e.g. cell phones) through IS based processes. Rather, these devices should be subject to policy based control supported by random audits.

ii. Personally Provided Portable Media: The market space has literally become littered with inexpensive portable media. This includes but is not limited to CDs, DVDs, and portable hard disk drives (HDD), with many of these replacing the earlier magnetic media of diskettes and related devices. USB or “thumb drives” have reached a price point where they are literally being given away at various professional settings, and even laptops are approaching price points around $500. Recognizing that absolute control over these devices is not achievable, particularly given ever constrained budget resources as well as staff time, the following are offered as guidelines on allowing and managing these “personally provided” portable media in the work place.

iii. Securing Portable Media: As part of an organizational policy related to appropriate use of portable media, whether personally or organizationally provided, the following are recommended as components to include. Users of such portable media (e.g. PDA, USB drives, etc. as described earlier) for the storage of PHI or other sensitive information should:

1. Encrypt all such devices or, at a minimum, all such files that contain these types of sensitive information. Appendix III is provided as a sample procedure for applying document specific passwords.

a. There are a variety of “standards” related to encryption, including the Data Encryption Standard (DES), adopted by the United States, Secure Sockets Layer (SSL), a commonly employed encryption methodology associated with the Internet, and other commercially available solutions such as Pretty Good Privacy (PGP). This is not intended as a recommendation of these approaches, nor as an inclusive list, but merely a brief introduction to some readily applied encryption approaches. Regardless of the tool used, encryption is fundamentally applying a known “key” to “scramble” the bits that make up data elements. This “scrambling” is held until access by an authorized recipient/user is undertaken by applying the appropriate “key” to “unscramble” the bits to their original order, revealing the original message.

b. Many of the portable media addressed in this document employ their own methods of encrypting the data contained within the portable media. For example, many USB Flash Drives incorporate a “security” tool, allowing the user to “encrypt” the contents of the drive. Adoption of a standardized approach to data encryption within an organization is encouraged as one means of protecting the contents of portable media. Individual users may also apply their own encryption schemes. While effectively securing a device, this independent approach effectively excludes the organization’s IT services from assisting in recovering encrypted data when the “key” is lost or forgotten.

c. The dynamics of this security/encryption industry prevent establishing a “preferred list” of possible solutions to the encryption challenge. The reader and organizations considering using encryption for portable media are encouraged to research and select a tool that best integrates with other security measures (e.g. laptops, e-mail) of the organization.

d. It should be noted that, to the knowledge of the authors, devices such as digital cameras and digital video cameras do not inherently provide data encryption capabilities incorporated with the device. Data acquired through the use of these devices should be downloaded to media where encryption capabilities are available and applied, and the source data on the camera deleted in a timely manner to prevent unauthorized access. Procedural steps should be defined and implemented organizationally to either:

i. Incorporate patient identifiers in each image or

ii. Download images to patient chart if electronic or

iii. Print for inclusion in paper chart after affixing appropriate patient identifier to image after images for each patient are acquired and then deleting all images from the camera, thereby eliminating the potential of intermixing images from multiple patients.

2. Ensure that a network based backup of all such data is completed on a regular basis to protect against the loss of data and to ensure an audit trail of data contained on these devices in the event of a loss.

3. Submit these devices on demand for the purposes of conducting audits of the security/encryption that is in place on these devices.


4. In the event of termination, submit all such devices that are personally owned for removal of organizationally sensitive/protected data and return all organizationally provided devices and media. In the case of CD/DVD media that was personally provided, all such media should be returned to [Healthcare Organization].

5. Ensure that all files or media (e.g. CD, DVD) containing PHI or other organizationally sensitive data are destroyed in compliance with [Healthcare Organization’s] policy on destruction of such data/media.

iv. Portable Computer Inventory - The authors recommend the establishment and use of an inventory list to identify organizationally provided portable media for reference in the event of loss or theft of such devices, or termination of the employee to whom such devices were assigned. Appendix I is provided as an example of such an inventory list.

C. Portable Media Loss

In the event of the loss of a portable media device, the [Healthcare Organization] should take the following actions:

i. Activate the [Healthcare Organization’s] loss disclosure process and associated paperwork. (Reference HIPAA Collaborative of Wisconsin Contingency Planning Policy http://hipaacow.org/Docs/SecurityGrid/DataManagement8.doc )

ii. Complete the sample “externally discovered disclosure” report form. (Reference HIPAA Collaborative of Wisconsin Security Incident Response Policy http://hipaacow.org/Docs/SecurityGrid/secincidentresponse807112005.doc )

iii. Assess the potential loss of protected health information related to the reported media loss. Keep in mind that timely communication with those impacted, or believed to have been impacted, helps to maintain a strong relationship with these people.

iv. Initiate patient and/or employee notification procedures. (Reference HIPAA Collaborative of Wisconsin Security Incident Response Policy http://www.hipaacow.org/Docs/SecurityGrid/secincidentresponse807112005.doc ).

D. Portable Media Loss Contact Process and Information

Members of the IS Solutions Center shall be contacted immediately once the loss of a portable device has occurred. The following information should be provided at the time of contact:

i. A brief description of the loss, including the device, the information content of the device, and the status of security on the device.

ii. Location, date and time of the loss.

iii. Phone numbers for the IS Support Team, Security Officer and Privacy Officer.

iv. Identification of immediate support requirements (e.g., for BlackBerry® devices, these may be “disabled” through local network controls). (Reference HIPAA Collaborative of Wisconsin Security Incident Response Policy http://www.hipaacow.org/Docs/SecurityGrid/secincidentresponse807112005.doc ).

A sample Portable Media Loss tracking sheet is provided in Appendix II.

E. Media/Public Relations

Organizations should refer to their own media relations/public relations protocols related to discovery and reporting of loss of portable media and possible disclosure of PHI.

i. The organization’s designated media relations contact should serve as a liaison between the organization and the news media (or a single point of contact for the news media). This will eliminate the need to involve the Information Services and HIPAA Security Teams, allowing them to assess the scope of the loss or disclosure. The IS leader, Privacy Officer or Security Officer should be prepared to share information with the media relations contact. Key considerations when working with the media relations contact person or the news media include:

1. Ensuring that the contact has a clear understanding of the technical issues so that they may communicate effectively and accurately with the press. False or misleading information may ultimately cause more damage to the organization’s reputation.

2. Contacting the organization’s legal counsel if unsure of legal issues.

3. Establishing a single point of contact (if no official media relations contact person exists) when working with the news media to ensure that all inquiries and statements are coordinated.

4. Keeping the level of technical detail low – do not provide attackers with information.

5. Being as accurate as possible.

6. Avoiding speculation.

7. Ensuring that any details about the incident that may be used as evidence are not disclosed without the approval of investigative agencies.

8. Contacting the Privacy Officer, Security Officer, Chief Information Officer and/or HIS Director should the information released to the media need to contain patient-specific information, to ensure that the required authorizations are in place prior to the release.

F. Related Organizational Policies

It is appropriate to note that any attempt to establish a policy related to control of portable media should be undertaken in conjunction with other organizational policies and procedures on the following topics.


i. Appropriate use of electronic communications and related equipment, including language, either in this policy or a related document, that discusses sanctions for breach of appropriate use or of other related IT or protected health information policies.

ii. Destruction of media, including portable and backup media.

iii. Operating system and related software patch management, virus protection updates, and spyware detection and resolution updates.

iv. Remote access, including the impact of remote access as an alternative to the use of portable media, or the use of portable media as an alternative to remote access.

v. Authentication and/or password procedures, which may be addressed in electronic communications and access policies.

G. Securing/Encrypting/Password Protection

The pace of change in this industry makes it impractical to list or maintain a current set of commercial solutions here. Readers and those who are preparing to establish policies for their organizations should perform an independent search and review of current vendors providing and supporting software encryption options for various portable media. The reader is again referred to the draft procedure on applying passwords to specific documents provided in Appendix III. (Reference HIPAA Collaborative of Wisconsin Security Incident Response Policy)

H. Law Enforcement/Government Agency Contact Information

In the event of the loss of any such media, organizations should consider contacting any or all of the following agencies to report the loss of portable computers and/or disclosure of ePHI.

Agency:

Police Department
Sheriff’s Department
State Patrol
State’s Department of Health and Family Services or equivalent state government office
Office for Civil Rights
Federal Bureau of Investigation
U.S. Secret Service


References and Resources

An Introductory Resource Guide for implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST Special Publication 800-66, http://csrc.nist.gov/publications/nistpubs/800-66/SP800-66.pdf, accessed April 2007.

HIPAA Security Guidance, Department of Health and Human Services, USA, http://www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806.pdf, accessed April 2007.

Managing Sensitive Electronic Information (SEI), A Security Policy Template developed by the Mobile Memory Task Force of the NCHICA Privacy and Security Officials Workgroup on Portable Devices and Removable Media, August 6, 2007, http://www.nchica.org/HIPAAResources/Samples/Portal.asp, accessed October 15, 2007.

Authored by: HIPAA COW Security Networking Group


APPENDIX I: PORTABLE MEDIA INVENTORY

Columns of the inventory list:

Device Asset Tag No.
Device Serial No.
Device Description
Employee Name
Employee ID Number
Department
Date Assigned
Date Returned
Dates of Audit

It may be appropriate to assess when these devices, depending on device type, were last scanned for viruses/spyware and/or connected to the organizational network for the purpose of scanning or upgrading such virus protection software (in the case of laptops).
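The following Python script is an added example, not tooling from HIPAA COW, showing how an inventory kept with the Appendix I columns can be checked mechanically for the two conditions this white paper raises: devices assigned to a terminated employee that have no return date recorded (section B, item 4), and devices still in the field whose last audit or scan is missing or older than a chosen threshold. The inventory rows, employee IDs, asset tags and termination dates are constructed placeholders, and the 90-day audit interval is an assumed policy value.

```python
"""Reconcile a portable media inventory (Appendix I columns) against policy.

Added example for this white paper; not HIPAA COW's own tooling. Inventory
rows, employee ids and termination dates below are constructed placeholders.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory using the Appendix I columns (placeholder values).
SAMPLE_INVENTORY = """\
asset_tag,serial_no,description,employee_name,employee_id,department,date_assigned,date_returned,last_audit
PM-0001,SN-A1,Laptop,Alice Example,E100,Radiology,2007-01-15,,2007-11-01
PM-0002,SN-B2,USB thumb drive,Bob Example,E101,Billing,2007-03-02,,2007-05-20
PM-0003,SN-C3,BlackBerry,Carol Example,E102,Nursing,2007-02-10,2007-09-30,2007-09-30
PM-0004,SN-D4,Digital camera,Dan Example,E103,Dermatology,2007-06-01,,
"""

# Constructed HR feed: employee id -> termination date (placeholder values).
SAMPLE_TERMINATIONS = {"E101": date(2007, 10, 31)}

# Assumed policy values for this example: the report date and the maximum
# number of days a device in the field may go without an audit/scan.
AS_OF = date(2007, 12, 20)
MAX_AUDIT_AGE_DAYS = 90


def parse_inventory(text):
    """Parse the CSV inventory, converting ISO dates (or blanks) to date/None."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for col in ("date_assigned", "date_returned", "last_audit"):
            row[col] = date.fromisoformat(row[col]) if row[col] else None
        rows.append(row)
    return rows


def unreturned_after_termination(rows, terminations):
    """Asset tags assigned to a terminated employee with no return date recorded."""
    return sorted(r["asset_tag"] for r in rows
                  if r["employee_id"] in terminations and r["date_returned"] is None)


def audit_overdue(rows, as_of, max_age_days):
    """Asset tags still in the field whose last audit is missing or too old."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(r["asset_tag"] for r in rows
                  if r["date_returned"] is None
                  and (r["last_audit"] is None or r["last_audit"] < cutoff))


def run_checks():
    """Run both checks over the sample inventory and return the findings."""
    rows = parse_inventory(SAMPLE_INVENTORY)
    return {
        "unreturned_after_termination": unreturned_after_termination(rows, SAMPLE_TERMINATIONS),
        "audit_overdue": audit_overdue(rows, AS_OF, MAX_AUDIT_AGE_DAYS),
    }


if __name__ == "__main__":
    for check, tags in run_checks().items():
        print(f"{check}: {', '.join(tags) or 'none'}")
```

Devices that have been returned are excluded from the audit check, since the return date closes their entry; a returned device that was never audited is a separate question for the inventory owner.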


APPENDIX II: PORTABLE MEDIA LOSS REPORTING FORM

Portable Media Loss Reporting Form [1]

Incident Detector’s Information:
Name:
Title:
Phone/Contact Info:
Date/Time Detected:
Location:
System/Application:

INCIDENT SUMMARY
Type of Incident Detected:
[ ] Theft
[ ] Loss
[ ] Unauthorized Use/Disclosure
[ ] Other:

Description of Incident:

TYPE OF DEVICE
[ ] Laptop, Tablet and other portable computers
[ ] BlackBerry®
[ ] PDA
[ ] Cell phones, mobile phones and alphanumeric pagers
[ ] USB or “Thumb Drive”
[ ] Portable Dictation Device
[ ] Zip disks, CD, DVD, optical disks, magnetic tape and similar media
[ ] Digital Camera
[ ] MP3 Players (e.g. iPod®)
[ ] Portable/removable Hard Disk Drives

INCIDENT NOTIFICATION
[ ] IS Leadership
[ ] Public Affairs
[ ] Security Incident Response Team
[ ] Legal Counsel
[ ] Administration
[ ] Law Enforcement
[ ] Other:

ACTIONS (Include Start & Stop Times)
Identification Measures (Incident Verified, Assessed, Options Evaluated):

[1] This form has been developed as a working tool for assessment and improvement activities; it is intended for internal use only.


PORTABLE DEVICE CONTENT:

SECURITY MEASURES EMPLOYED ON DEVICE:

FOLLOW-UP
Review By (Organization to determine):
[ ] Security Officer
[ ] IS Department/Team
[ ] Other:

Recommended Actions Carried Out:

Initial Report Completed By:
Follow-Up Completed By:


APPENDIX III: SAMPLE PROCEDURE FOR DOCUMENT PASSWORD PROTECTION

PROCEDURE #:

SUBJECT: PASSWORD PROTECTING FILES DOWNLOADED OR WRITTEN TO REMOVABLE MEDIA (USB Drive, or Optical Disk)

PROFICIENCY: ALL [HEALTHCARE ORGANIZATION] PC USERS

PROCEDURE:

[HEALTHCARE ORGANIZATION] Password Protection Documentation

Excel, Word, Access, & Powerpoint Files

1. Open the FILE that you wish to save onto portable media.

2. Attach your portable media to the computer, or load a CD/DVD into the appropriate drive.

3. Click on the word “FILE” in the upper left corner of the toolbar. Then select “SAVE AS”. The window seen below will open.

4. Select the appropriate drive letter for the portable media drive as the Save In location.


5. Type in the file name.

6. Click on the word “TOOLS” in the upper right corner of the Save As window.

7. Select “General Options”.


8. Type a password in the “Password to open” box. Be sure that the password is at least 8 characters long. Click “OK”.

9. You may be prompted to re-enter the password.

10. Click on Save.

11. When you, or anyone, tries to open the file you saved, they will be prompted for the password. The file cannot be opened without the password. Do not share this password with anyone, unless they are authorized to access the file according to [ORGANIZATION’s] access policies.


All Other Files (Using WinZip)

1. To password protect all other files, you need to use an application called WinZip. To run this program, click on your “START” button in the lower left corner of your screen. Select WinZip.

2. The following window will open.


3. Click on the “NEW” button in the upper left corner of the window. A New Archive window will open.

4. Click on the down arrow by “SAVE IN” and select “3 ½ Floppy A” or the appropriate drive letter for the USB (removable) drive.

5. Name the file anything you wish.

6. Click “OK” and the next window will open.

7. Click the “Encrypt added files” checkbox. You now need to browse to or find the file(s) that you want to put on the portable media. Then click the “ADD” button.

8. The following caution box will appear. Click the “OK” button.

9. You will be prompted to enter the password. Be sure that it is at least 8 characters in length.

10. You will also need to re-enter the password for confirmation.

11. Check the “Mask Password” box. Then click “OK”.

12. Select “File” and then “Close”.
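As an added example (not part of the HIPAA COW white paper and not WinZip's own documentation), the following Python script supports the audit step in section B above, under which devices are submitted on demand for audits of the security/encryption in place. It reads the central directory of a .zip archive found on removable media and reports, per entry, whether the entry is plaintext, protected with the legacy ZipCrypto scheme, or protected with WinZip AES, using the markers the zip format defines for this purpose: general-purpose flag bit 0 (entry encrypted), compression method 99 (AES) and the 0x9901 extra field carrying the AES key strength. The sample archive is hand-built inside the script with placeholder file names and dummy payloads, because the standard library cannot write encrypted entries; it is structurally valid for directory inspection but not decryptable.

```python
"""Audit the encryption state of a .zip archive found on removable media.

Added example for this white paper (not HIPAA COW or WinZip code). It reads
the archive's central directory and labels each entry as plaintext, legacy
ZipCrypto, or WinZip AES, using the markers defined by the zip format:
general-purpose flag bit 0 (entry encrypted), compression method 99 (AES)
and the 0x9901 extra field that carries the AES key strength.
"""
import io
import struct
import zipfile
import zlib

ENCRYPTED_FLAG = 0x0001   # general-purpose bit 0: entry is encrypted
AES_METHOD = 99           # compression method used for WinZip AES entries
AES_EXTRA_ID = 0x9901     # extra-field id holding the AES parameters
AES_STRENGTH = {1: "aes-128", 2: "aes-192", 3: "aes-256"}
DOS_DATE = (2007 - 1980) << 9 | 12 << 5 | 20   # 2007-12-20 in DOS date form


def classify_entry(info: zipfile.ZipInfo) -> str:
    """Label one member: 'plaintext', 'zipcrypto', or 'aes-128/192/256'."""
    if info.compress_type == AES_METHOD:
        extra = info.extra
        # Walk the (id, length, body) records of the extra field.
        while len(extra) >= 4:
            tag, length = struct.unpack("<HH", extra[:4])
            body = extra[4:4 + length]
            if tag == AES_EXTRA_ID and len(body) >= 7:
                # body: vendor version(2) 'AE'(2) strength(1) real method(2)
                return AES_STRENGTH.get(body[4], "aes-unknown")
            extra = extra[4 + length:]
        return "aes-unknown"
    if info.flag_bits & ENCRYPTED_FLAG:
        return "zipcrypto"   # legacy PKWARE stream cipher, weak by modern standards
    return "plaintext"


def audit_zip(data: bytes) -> dict:
    """Map each member name in the archive bytes to its encryption label."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: classify_entry(info) for info in zf.infolist()}


def weak_entries(report: dict) -> list:
    """Members that do not meet an 'AES-encrypted on portable media' policy."""
    return sorted(name for name, label in report.items()
                  if label in ("plaintext", "zipcrypto"))


def build_sample_zip(entries) -> bytes:
    """Hand-build a STORED archive so the sample can carry encryption markers
    that zipfile cannot write. entries: (name, payload, flags, method, extra).
    Constructed for this example; payloads are dummy bytes, not decryptable."""
    body, central = bytearray(), bytearray()
    for name, payload, flags, method, extra in entries:
        nb = name.encode()
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        offset = len(body)
        # Local file header (30 bytes) + name + extra + data.
        body += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, DOS_DATE,
                            crc, len(payload), len(payload), len(nb), len(extra))
        body += nb + extra + payload
        # Central directory header (46 bytes) + name + extra.
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                               method, 0, DOS_DATE, crc, len(payload), len(payload),
                               len(nb), len(extra), 0, 0, 0, 0, offset)
        central += nb + extra
    cd_offset = len(body)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), cd_offset, 0)
    return bytes(body + central + eocd)


# 0x9901 record advertising AES-256 (strength 3) over a STORED (method 0) entry.
AES256_EXTRA = (struct.pack("<HHH", AES_EXTRA_ID, 7, 2) + b"AE" + bytes([3])
                + struct.pack("<H", 0))

# Constructed sample: placeholder names and dummy contents, no real PHI.
SAMPLE_ARCHIVE = build_sample_zip([
    ("labs.csv", b"mrn,result\n000000,normal\n", 0, 0, b""),                # not encrypted
    ("notes.txt", b"\x00" * 20, ENCRYPTED_FLAG, 0, b""),                    # legacy ZipCrypto
    ("chart.pdf", b"\x00" * 32, ENCRYPTED_FLAG, AES_METHOD, AES256_EXTRA),  # WinZip AES-256
])

if __name__ == "__main__":
    report = audit_zip(SAMPLE_ARCHIVE)
    for name, label in report.items():
        print(f"{name:12s} {label}")
    print("policy violations:", weak_entries(report))
```

In an audit, `weak_entries` is the list to act on: a plaintext member means the "Encrypt added files" step was skipped for that file, and a ZipCrypto member means the archive was created with the legacy scheme rather than AES, so the password does not give the protection the procedure intends. The check reads only headers and never needs the password.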