Harbor Regional Center Service Provider Training July 27, 2015 Information Security & Electronic Document Management Systems

Transcription

1 Harbor Regional Center Service Provider Training July 27, 2015 Information Security & Electronic Document Management Systems 1 1

2 INFORMATION SECURITY 2 Judy Wada Chief Financial Officer The protection of sensitive information and information systems from unauthorized access 2

3 Compliance of Federal/State Laws Federal HIPAA Health Insurance Portability and Accountability Act HITECH Health Information Technology for Economic and Clinical Health State WIC4514 Civil Code Section

4 Personally Identifiable Information (PII) Any information about an individual maintained by an agency, including: 1) any information that can be used to distinguish or trace an individual s identity, such as name, social security number, date and place of birth, mother s maiden name, or biometric records; and 2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information 4 4

5 Protected Health Information (PHI) Individually identifiable health information is information, including demographic data, that relates to: the individual s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, the individual's identity or for which there is a reasonable basis to believe it can be used to identify the individual. 5 5

6 18 Individual Identifiers 1. Names 2. All geographical identifiers smaller than a state 3. Dates (other than year) directly related to an individual 4. Phone numbers 5. Fax numbers 6. addresses 6 6

7 18 Individual Identifiers (cont d) 7. Social Security numbers 8. Medical record numbers 9. Health insurance beneficiary numbers 10.Account numbers 11.Certificate/license numbers 12.Vehicle identifiers and serial numbers, including license plate numbers 7 7

8 18 Individual Identifiers (cont d) 13. Device identifiers and serial numbers 14. Web Uniform Resource Locators (URLs) 15. Internet Protocol (IP) address numbers 16. Biometric identifiers, including finger, retinal and voice prints 17. Full face photographic images 18. Any other unique identifying number, characteristic, or code 8 8

9 PHYSICAL SECURITY 9 9

10 Facility Access Limit physical access to facilities where sensitive data is housed Control access on a need to know basis only Records must be stored in a locked cabinet or drawer Never share codes, passwords, ID cards, or keys Do not leave documents unsecured on desks, at printers, copiers and fax machines Fax machines in private area Properly destroy physical records and electronic equipment/media Shred immediately or use shred containers 10 10

11 Out and About Be aware of your surroundings Be careful in places where your conversation may be overheard (including telephone conversations) Do not label files/electronic devices as company devices Keep files/electronic devices within reach Do not work on confidential information in public places Do not leave files/electronic devices in automobiles Keep files/devices out of sight Use caution connecting to public WiFi 11 11

12 Employees & Policies 12 Train employees of their responsibilities in protecting sensitive information Policies and Procedures Document Retention Policy Confidentiality Agreements Terminated employees Disable and delete accounts, change password 12

13 DD Community Tips 13 Lists should have the minimum necessary information (i.e., Client Rosters, Sign In Sheets) Decrease the use of checks and migrate to electronic payments Redact sensitive information Do not share information or photos of clients in social media postings without express permission from client 13

14 14 Passwords Do not share passwords or user IDs 9 15 characters At least 1 special character Upper and lower case Number Force changes every days Do not use the same password for all systems, especially for encrypted files Don t give out WiFi network passwords to visitors Do not use default passwords 14

15 DATA SECURITY 15 David Bourdeau Director of Information Technology 15

16 /Web Security Definitions: Malware Delivered through and websites Steal personal and financial information Zombie, Ransomware Viruses Phishing scams Attempt to get financial and personal data SPAM 16 16

17 /Web Security 17 17

18 /Web Security 18 Encrypt Encrypt Attachments SPAM Don't open unsolicited , especially attachments Opt out of unwanted lists Anti virus / Malware protection software 18

19 /Web Security Cloud Based Systems Office365 HIPAA Compliant Privacy Encryption / Anti virus/malware / SPAM filtering Potentially free for 501(3)c Non Profits Google Mail / Google Apps HIPAA Compliant with Google apps Less Privacy Scan, track, sell information gathered about you and your e mail activity Encryption only with 3 rd party software 19 19

20 Smartphones & Mobile Devices Passcode protect Encryption Apple: activates upon putting in passcode Android: 2 step process All business/client information stored on the device must be encrypted Auto lock timeout set: max 5 minutes Stolen or lost device Report to employer Disposal/recycle or replace All sensitive information must be removed Close applications on your smartphone and computer 20 20

21 Workstations Maintain security patches Microsoft s Patch Tuesday (2 nd Tuesday of the Month) Be on latest supported Operating Systems Update individual software from manufacturer website or update software Encrypt hard drives containing sensitive data Anti virus / Malware Protection Restricted/confidential information stored on mobile computing devices

22 Workstations Delete old data, especially sensitive information Delete "temporary" files on your computer. These include file attachments opened in and download files. If these files contain restricted/confidential information, they should be immediately removed or encrypted

23 File Sharing 23 Box.com Office365 One drive for business Google Apps / Drive Dropbox.com Does NOT have HIPAA audit controls Not natively compliant to HIPAA/HITECH Sookasa 23

24 Systems/Network Security Copiers Hard disk drives Printers Change network default password WiFi Wireless Networks Ask to be configured with WPA2 Commercial grade Remote access VPN Technologies GoToMeeting WebEx 24 24

25 Encryption Servers File Server shares containing sensitive data Database Tables containing sensitive data Least privilege Only necessary access for job function 25 25

26 WHAT TO DO IF THERE IS A BREACH? 26 Colleen Mock Director of Community Services 26

27 Notification Requirements 27 What is a Breach? An impermissible use or disclosure that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk or financial, reputational, or other harm to the affected individual. 27

28 Notification Requirements 28 We are required to report privacy breaches and security incidents involving paper and other formats. Any loss or theft of personal, sensitive, or confidential information in any format, including but not limited to flash drives, cell phones, computers, and laptops Contact your HRC Counselor and Nancy Spiegel, HRC s Privacy Officer 28

29 Notification Requirements 29 You will need to provide the following information: 1. Date the incident occurred 2. Date the incident was detected 3. Address and type of location (car, office) 4. Description of the incident (what and how it happened) 5. Media/device type (if applicable) 6. Was portable storable device encrypted (if applicable) 29

30 Notification Requirements (cont d) 7. If local law enforcement was notified, include name of the agency, report number and the name, telephone number and badge number of the officer taking the report 8. Costs associated with resolving this incident (i.e., equipment, mailing of privacy notices, etc.) 9. If the incident involved personally identifiable information: a) What type of information b) Number of individuals affected 10. Corrective actions taken to prevent future occurrences, estimated costs and date to implement 30 30

31 ELECTRONIC DOCUMENT MANAGEMENT SYSTEMS (DM) 31 Alex Wilson Wilson Tech 31

32 32 Dave Bourdeau Colleen Mock Nancy Spiegel Judy Wada Alex Wilson Bradford Bach ca.com 32

33 Harbor Regional Center Service Provider Training July 27, 2015 Information Security & Electronic Document Management Systems Risk Assessments Healthit.gov Security Risk Assessment Video professionals/security risk assessment videos NIST Special Publication Revision 1: An introductory resource guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. FCC Small Biz Cyber Planner Tool Password Policy examples policy.html FjAEahUKEwj5oPCv_dvGAhXBG6YKHcfrBC4&url=http%3A%2F%2Fwww.altiusit.com%2Ffiles%2Fpolicies %2FAltiusITPasswordPolicy.doc&ei=obalVbnMJ8G3mAXH15PwAg&usg=AFQjCNFLkZFAU7n8dSno2RIO8n fllzx g&sig2=ycth4lsqc4bvuss1lvobeg&bvm=bv ,d.dgy Encryption Providers Barracuda Symantec Trend Micro McAfee Encrypt Attachments Winzip, 7zip, Winrar Gmail How to easily encrypt with Virtru for free: Gmail, Hotmail, Outlook, Yahoo How to easily encrypt , Gmail, Hotmail, Outlook, Yahoo; Virtru is free, protects your digital privacy, and is so super easy to use. $2.50/mo plugins for chrome and Firefox open source free donate Smartphone Android to encrypt your android phone and why you might wantto/ Cloud e mail Non Profit Organization Resources Significantly reduced costs on software and information technology. File Sharing Box.com us/articles/ Box HIPAA and HITECH Overviewand FAQs Microsoft Office

34 Harbor Regional Center Service Provider Training July 27, 2015 Information Security & Electronic Document Management Systems Google Drive / Google Apps mplementation_guide.pdf google apps hipaa compliance least secure appsdocs/ Dropbox to maintain hipaa compliance with dropbox and box/ is not hipaa compliant/ your cloud tos/ 34

35 Information Security and EDMS 7/27/2015 1

36 Presentation Purpose Discuss how document management (DM) makes securing your documents easier. Examine some different approaches to document management using technology. Review ways document management can increase profits by reducing costs and increasing revenue. 2

37 Document Organization A document placed in the wrong folder is as good as gone. With full-text Optical Character Recognition (OCR) a document is never lost. A lost document is a security risk. You can t accidentally leave a document in a document management system laying around. Keeping your documents organized in a document management means you always know where they are. Easily purge documents that you are no longer required to keep. 3

38 Document Access File rooms and file cabinets are all or nothing. Document management allows access to be controlled down to the word. Grant access without the ability to destroy. Finely tailor access so that users have access to some information, but not unnecessary PHI or PII. Documents never have to leave the repository, so you can avoid the stolen laptop scenario. 4

39 Document Auditing With paper, or files in Windows, there s no way to tell who s doing what with your documents. DM auditing provides a complete record of the chain of custody for a document once it has entered the system. Failed access audits can expose potential malfeasance. 5

40 Document Backup You can t back up paper. Backing up documents stored in a document management system is simple and automated. Disaster recovery to ensure business continuity. 6

41 DM in Windows Get a scanner. Set up a file share. Require everyone to have a user account. Limit access to the share. Set up and enforce a document taxonomy. Set up backup. 7

42 DM with OneDrive for Business Some scanners can scan directly to OneDrive (e.g. Web Connect from Brother). Access anywhere. HIPAA standards compliant. Provides auditing. 8

43 DM with Laserfiche Granular security. Auditing. Automation. Easy scanning. Easy back-up with disaster recovery. HIPAA compliant. Access anywhere. 9

44 Improve Your Business The information you manage is fundamental to the processes that run your business. Audits are greatly simplified with document management. Make sure you are billing on time. 10

45 My Offer Are you interested in simplifying your document security and want to see how business improvements could help pay for the investment? Give me a half-hour of your time with the people in your organization who understand your business processes. I will give you a demo customized to your specific needs. 11