Cloud-based File Sharing: Privacy and Security Tutorial Institutional Compliance Office July 2013

Transcription

1 Clud-based File Sharing: Privacy and Security Tutrial Institutinal Cmpliance Office July 2013

2 Patient Data in the Clud Prtecting patient privacy is ne f MD Andersn s greatest respnsibilities Technlgies like Bx.cm make it easier than ever t inadvertently disclse patient data It is very imprtant t treat patient data and ther sensitive data n Bx.cm the same way yu wuld treat it if it was n paper r n netwrk strage

3 HIPAA Privacy and Security HIPAA s Privacy Rule applies t MD Andersn. It is a set f specifically defined privacy rights with respect t patient privacy. It discusses a type f health infrmatin that is created r used by entities like MD Andersn and that des r reasnably culd identify the individual t which it relates. This is called Prtected Health Infrmatin (PHI). PHI = Health Infrmatin + Identifying Infrmatin

4 PHI Identifiers Types f Identifying Infrmatin Names; All gegraphic subdivisins smaller than a State, including street address, city, cunty, precinct, zip cde, and their equivalent gecdes All elements f dates (except year) fr dates directly related t an individual, including birth date, admissin date, discharge date, treatment date, diagnsis date, date f death; and all ages ver 89 Telephne numbers; Fax numbers; addresses; Scial security numbers; Medical recrd numbers; Health plan beneficiary numbers; Accunt numbers; Certificate/license numbers; Vehicle identifiers and serial numbers, including license plate numbers; Device identifiers and serial numbers; Web Universal Resurce Lcatrs (URLs); Internet Prtcl (IP) address numbers; Bimetric identifiers, including finger and vice prints; Full face phtgraphic images and any cmparable images; and Any ther unique identifying number, characteristic, r cde (such as study ID number), except that cdes assigned slely fr de-identificatin purpses are nt identifiers if the cde t re-identificatin is never linked t any ther identifier assciated with an individual, and never disclsed t anyne but the persn wh assigned it. Surce: 45 C.F.R

5 Security Plicy Highlights HIPAA security standards and thers are mapped t ur infrmatin security plicies and prcedures, including UTMDACC #ADM0335 (Infrmatin Security Office Plicy fr the Use and Prtectin f Infrmatin Resurces). This plicy tells us: Nt t frward r archive institutinal t external repsitries (e.g., Ggle Dcs, iclud, gmail, etc.) T encrypt s leaving ur netwrk that cntain electrnic PHI (ephi) Nt t share passwrds t infrmatin systems T use encrypted mbile devices cntaining institutinal data Only peple wh are authrized (fr treatment, payment, healthcare peratins, r with the IRB s r patient s cnsent) t access PHI may d s These rules apply equally t clud-based file share activities!

6 Be Vigilant When Sharing Files The speed and ease at which data can be shared amng cllabratrs can lead t unintended cnsequences, such as breaches f PHI: Kentucky Public Emplyee Health Insurance Plan a misdirected affected 676 patients Stanfrd Hspital a spreadsheet psted nline affected 20,000 patients Bth were reprted t the Department f Health and Human Services Office fr Civil Rights (OCR) Dn t let MD Andersn becme an OCR statistic!

7 Risk Assess File Sharing Activities Avid unauthrized disclsures f PHI and ther sensitive data via file shares. Practively assess the risks: WHO is using the MD Andersn file share (senders and cllabratrs)? Are the cllabratrs authrized t view the PHI? WHY is PHI being shared? WHAT is being shared (are yu sending PHI)? WHAT will the cllabratr be able t d with the data? WHAT kind f access are yu prviding the cllabratr? WHERE will the cllabratr take the data? WHEN will cllabratr access be terminated? Remember: treat yur electrnic files cntaining PHI like yu wuld the medical recrd. Dn t share with anyne wh is nt authrized t see it!

8 Risk Assess File Sharing Activities Hw d yu knw if smene is authrized t view PHI? A persn prbably is authrized if: Sharing is fr treatment, payment, r health care peratins purpses and it is necessary fr the persn t view the PHI in rder t perfrm his/her legitimate jb functin at MD Andersn (but remember, keep PHI disclsure t the minimum necessary, except fr treatment purpses); Sharing is fr research purpses, and the infrmed cnsent and authrizatin dcument states that the persn is allwed t view PHI; Sharing is fr research purpses, and the IRB has granted a waiver permitting the persn t view PHI; r The patient signed a HIPAA authrizatin allwing this persn t view their PHI. When in dubt, call the ICO fr assistance.

9 File Share Breach Prcedure In the event f a pssible unauthrized disclsure f PHI via the file share, yu shuld: Cntact the Institutinal Cmpliance Office (ICO) immediately Determine: What kind f PHI was placed in the file share (e.g., patient names, cntact infrmatin, MRNs, dates f service r diagnsis) Hw many patients ptentially were affected Hw many c-users/cllabratrs likely received the data cntained within the file and wh these peple are Whether/t what extent the ICO can recnstruct the PHI that was n the medium (e.g., are there ther cpies f the data)

10 Cnduct a Risk Assessment Cnduct a risk assessment f yur file share activities. Dcument, r have yur team lead dcument, the answers t the file share questins in the fllwing slides. Safeguarding institutinal data is a shared respnsibility. The cntrls must fllw the data!

11 Risk Assess File Sharing Activities Infrmatin Access Management (45 CFR (a)(4)) Are there dcumented jb descriptins that accurately reflect assigned duties and respnsibilities fr file sharing? Are file sharing duties segregated (i.e. determining necessity, type, and amunt vs. uplading, dwnlading)? Are these duties separated s that nly the minimum necessary ephi is accessed/ shared in the clud? Des management regularly review the list f access authrizatins (including remte access authrizatins) t file share applicatins? Wrkfrce Member Security (45 CFR (a)(3)) D prcedures exist fr btaining apprpriate sign-ffs t grant r terminate file share access? Are there separate prcedures fr vluntary terminatin (retirement, prmtin) vs. invluntary terminatin (terminatin fr cause, etc.)? Surces: NIST Rev. 1, An Intrductry Resurce Guide fr Implementing the Health Prtability and Accuntability Act (HIPAA) Security Rule; NIST SP ; Security Guide fr Intercnnecting Infrmatin Technlgy Systems.

12 Risk Assess File Sharing Activities Security Awareness and Training (45 CFR (a)(5)) Are wrkfrce members aware that access attempts are mnitred? Have wrkfrce members received and reviewed UTMDACC Institutinal Plicy #ADM0335 and the relevant patient privacy plicies (e.g., ##ADM0396, 0401, 1050)? D wrkfrce members understand the cnsequences f nn-cmpliance? Security Incident Prcedures (45 CFR (a)(6)) Has the department analyzed what risks particular t file sharing are likely t cmprmise patient and ther sensitive institutinal data and tailred their cntrls t thse risks? Is there a prcedure in place fr reprting incidents regarding file sharing? Surces: NIST Rev. 1, An Intrductry Resurce Guide fr Implementing the Health Prtability and Accuntability Act (HIPAA) Security Rule; NIST SP ; Security Guide fr Intercnnecting Infrmatin Technlgy Systems.

13 Risk Assess File Sharing Activities Device and Media Cntrls (45 CFR (d)(1)) What data is maintained by the department, and where? Is it n remvable media (CDs, thumb drives)? What are the ptins/csts fr destrying data n hardware? D plicies and prcedures already exist regarding reuse f electrnic media (hardware and sftware)? Is ne individual respnsible fr crdinating the dispsal f data and the reuse f the hardware and sftware? Are wrkfrce members apprpriately trained n security risks when using hardware and sftware? If electrnic media can be remved frm the department, can it/is it tracked? Surce: NIST Rev. 1, An Intrductry Resurce Guide fr Implementing the Health Prtability and Accuntability Act (HIPAA) Security Rule.

14 Security Cntrls Access Cntrls (45 CFR (a)(1)) What degree f access is granted t the data (e.g., read-nly, read and write, dwnlad/exprt)? Is access/activity within a system traceable t a single user? Wh manages the access cntrl prcedure? Have new wrkfrce members been given prper instructins fr prtecting data when file sharing? Are there prcedures fr remving and, if apprpriate, mdifying access authrizatins fr existing users? Are rules enfrced t remve access by staff wh n lnger have need t access the data within the systems? Are the data at rest encrypted? Surce: NIST Rev. 1, An Intrductry Resurce Guide fr Implementing the Health Prtability and Accuntability Act (HIPAA) Security Rule.

15 Security Cntrls Audit Cntrls (45 CFR (b)) What systems, applicatins, r prcesses within the department make ephi and ther sensitive institutinal data vulnerable t breach? What activities shuld be audited (e.g., creatin, reading, updating, and/r deleting recrds)? What shuld the audit recrd include (e.g., user ID, event type/date/time)? Wh is respnsible fr the audit prcess? Hw ften will audits take place? Hw will exceptin reprts r lgs be reviewed? Hw will management be ntified regarding suspect activity? Surce: NIST Rev. 1, An Intrductry Resurce Guide fr Implementing the Health Prtability and Accuntability Act (HIPAA) Security Rule.

16 Questins? If yu have any questins abut yur planned use f Bx.cm r abut any f the security cntrls and questins mentined in the previus slides, please cntact: The Department f Infrmatin Security The Institutinal Cmpliance Office

17 Reprting Cmpliance Cncerns It is every Wrkfrce Member s respnsibility t reprt a vilatin r ptential vilatin. T discuss r reprt cmpliance cncerns, cntact: The Chief Cmpliance Officer via the page peratr, The Institutinal Cmpliance Office The Fraud & Abuse Htline The Privacy Htline T reprt suspected fraud, waste, and abuse invlving state resurces, call the State Auditr s Office Htline,

18