Data Security Considerations for Research



Similar documents
IRB Month Investigator Meeting April 2014

HIPAA Privacy and Information Security Management Briefing

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice

HIPAA ephi Security Guidance for Researchers

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

HIPAA and Clinical Research

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

What is Covered by HIPAA at VCU?

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

HIPAA Compliance: Are you prepared for the new regulatory changes?

Statement of Policy. Reason for Policy

Iowa Health Information Network (IHIN) Security Incident Response Plan

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

HIPAA Compliance for Students

HIPAA TRAINING. A training course for Shiawassee County Community Mental Health Authority Employees

OCR UPDATE Breach Notification Rule & Business Associates (BA)

Overview of the HIPAA Security Rule

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

OCR/HHS HIPAA/HITECH Audit Preparation

Lessons Learned from HIPAA Audits

University of Cincinnati Limited HIPAA Glossary

OCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute

OCR Reports on the Enforcement. Learning Objectives

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE

HIPAA 100 Training Manual Table of Contents. V. A Word About Business Associate Agreements 10

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

IRB Policy for Security and Integrity of Human Research Data

The Impact of HIPAA and HITECH

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

Information Privacy and Security Program Title:

HIPAA Privacy and Security Rules: A Refresher. Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant

What s New with HIPAA? Policy and Enforcement Update

New HIPAA regulations require action. Are you in compliance?

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations?

HIPAA 101: Privacy and Security Basics

HIPAA Policy, Protection, and Pitfalls ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS

2014 Core Training 1

Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA Compliance Evaluation Report

How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization

HIPAA-G04 Limited Data Set and Data Use Agreement Guidance

Presented by Jack Kolk President ACR 2 Solutions, Inc.

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3

Security standards PCI-DSS, HIPAA, FISMA, ISO End Point Corporation, Jon Jensen,

Information Security and Privacy. WHAT is to be done? HOW is it to be done? WHY is it done?

Laptops, Tablets, Smartphones and HIPAA: An Action Plan to Protect your Practice

HIPAA and HITECH Compliance for Cloud Applications

Table of Contents INTRODUCTION AND PURPOSE 1

The Basics of HIPAA Privacy and Security and HITECH

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

Page 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared;

Nine Network Considerations in the New HIPAA Landscape

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches

HIPAA: Bigger and More Annoying

Business Associate Agreement

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

HIPAA Privacy & Security White Paper

HIPAA Compliance Annual Mandatory Education

When HHS Calls, Will Your Plan Be HIPAA Compliant?

HIPAA Compliance Guide

Jeff M. Bauman, Psy.D. P.A. and Associates FLORIDA-HIPAA PRIVACY NOTICE FORM

DATA SECURITY HACKS, HIPAA AND HUMAN RISKS

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services

Security Compliance, Vendor Questions, a Word on Encryption

HIPAA Training for Staff and Volunteers

Reporting of HIPAA Privacy/Security Breaches. The Breach Notification Rule

Transcription:

Data Security Considerations for Research Institutional Review Board Annual Education May 8, 2012 1 PRIVACY vs. SECURITY What s the Difference?: PRIVACY Refers to WHAT is protected Health information about an individual and the determination of WHO is permitted to use, disclose, or access the information SECURITY Refers to HOW private information is safeguarded Insuring privacy by controlling access to information and protecting it from inappropriate disclosure and accidental or intentional destruction or loss and assuring it is available when and where it is needed. 2 Protected Health Information (PHI) Protected Health Information is any information that : is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse"; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual All information whether maintained in electronic, paper or oral format 3 1

HITECH Act (ARRA) Health Information Technology for Economic and Clinical Health New Federal Breach Notification Law Effective Sept 2009 Applies to all electronic unsecured PHI Requires immediate notification to the Federal Government if more than 500 individuals effected Annual notification if less that 500 individuals effected Requires notification to a major media outlet Breach will be listed on a public website Requires individual notification to patients Criminal penalties - apply to individual or employee of a covered entity Encryption is a safe harbor for breach of data 4 September 2009 March 2012 409 reports involving over 500 records/individuals 6 2

Impact of HITECH Act on research activities: The primary implication for researchers is to ensure their research incorporates necessary safeguards when using health information. When possible, the investigator should implement measures that render the data into a form that no longer qualifies as unsecured PHI. Data in this form obviates the need for notification if a breach occurs. Methods recognized in the HITECH Act for achieving this purpose include: de identification: once data has been de identified in accordance with the HIPAA Privacy Rule, it no longer qualifies as PHI; encryption of data with processes meeting National Institute of Standards and Technology (NIST) criteria is considered by the HITECH Act to render the data secured; destruction of media on which PHI is stored following the standards in the HITECH Act. 7 9 3

Key HIPAA Terms for Researchers Business Associate Agreement Use Sharing within the Organization Disclosure Sharing outside the organization Data Use Agreement / Limited Data Set Coded Data Waiver / Authorization De identified without 18 identifiers Password does not = Encryption 10 Why should research data be de identified? De identified health information is not considered to be PHI and therefore, subject to the HIPAA Security Rule reporting requirements if a privacy/security breach occurs. 11 18 identifiers as defined by the HIPAA Privacy Rule: 1. Name 2. Geographic Location (including city, state, zip) 3. Elements of Dates 4. Telephone Number 5. Fax Number 6. E mail Address 7. Social Security Number 8. Medical Record or Prescription Numbers 9. Health Plan Beneficiary Number 10. Account Number 11. Certificate/license Number 12. VIN and Serial Numbers, License Plate Number 13. Device identifiers, serial numbers 14. Web URLs 15. IP Address Numbers 16. Biometric Identifiers (finger prints) 17. Full face, comparable photo images 18. Unique Identifying numbers 12 4

De identified vs. Coded Data Coded data contains an assigned code so even though the information has been stripped of identifiers, the health information can be linked back to the individual by members of the research team. De identified data Stripped data with no code. It cannot be linked back to the individual. A re identification code can be assigned to a de identified dataset by a covered entity; however, members of the research team may not have the access to the means/method of re identification. In the case where the research team has access to the reidentification means/method, the data is not considered to be deidentified. 13 Business Associate Business Associate a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. Business Associate 45 CFR 160.103. Claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and pricing. Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. Is an agreement needed? Is this a business associate? Who can sign agreement? Who had a record of BAA s at my organization? Also in Security Rule & Definition revised by HITECH 14 Fundamentals of Information Security Confidentiality Keeping data out of unauthorized hands Integrity Preventing data from changing in unknown, unwanted ways Availability Ensuring data are accessible when expected 15 5

What is Risk? A vague and general term. Speaking generically Likelihood of occurrence x Impact if occurred = RISK Business Risks help organizations focus in on the corresponding Technical Risks. 16 Business Risks Examples Theft of confidential information could result in financial or medical harm Financial and insurance data have higher impact costs to institution and patient if lost, stolen or otherwise compromised. Theft of research data could lead to theft of intellectual property Plenty of examples of advanced persistent threats targeting world class institutions for espionage. Major impact to researcher. 17 Business Risks Examples Internal user mistake of data set can lead to loss of data. If integrity research data is unknowingly manipulated, months or years of effort could be lost. Crash of system hosting data set can lead to significant loss of time, or research The availability of systems is becoming more important for furthering research. 18 6

Not all Risks owned by the same group 19 Data Flows in many ways and each of these ways can induce risk. 20 Risk Management Overview 21 7

Before We Start Firewalls are not a silver bullet inside and outside the firewall are misleading. Firewalls must allow traffic through. Web (as we will see) is primary example 22 Use Case 1: Use of mobile device to store/transmit PHI/PII Technical Risks Loss of laptop/ mobile device with PHI Hard to be called technical but accounts for 52% of reportable breaches from 2009 2012. #1 biggest risk on today for PHI Poor password management exposes PHI Sticky note with laptop password; physical access Client device with PHI hacked Can occur through multiple methods including: Drive By Downloads Clickjacking Email contains PHI and stored on laptop 23 Use Case 1: Use of mobile device to store/transmit PHI/PII Solutions Full Disk Encryption! OCR specifically states it wants to push this agenda for all systems that contain/process/transmit PHI. An encrypted lost device means no breach. Windows: BitLocker, PGP, GuardianEdge Macintosh: FileVault2 (OSX Lion only), PGP Anti Virus Symantec, Sophos, Microsoft Security Essentials Host Based Intrusion Prevention Symantec SEP Proper use of Passwords Try Password Vaults (KeePass, or PasswordSafe, both free) 24 8

Use Case 2: Sharing PHI via the Web Technical Risks Loss of unencrypted data to Internet due to lack of access control Google search engines & caching Information stolen in transit No encryption = easily sniffed traffic Vulnerable services on server exposed to Internet Allow for exploitation; both web and web application #2 biggest risk on the Internet today in regards to PHI 25 Use Case 2: Sharing PHI via the Web Solutions Encrypt data & transmission protocols: Leverage SSL encryption for HTTPS Leverage AES encryption for flat files when sharing, to ensure end to end encryption Enforce Access Control Minimize number of users on the system Re certify access privileges on scheduled basis Enable access logging and audit trails! BIG OCR point. Enable audit logs showing access to PHI. Review, and demonstrate you are reviewing, audit logs 26 Use Case 2: Sharing PHI via the Web Solutions (round 2) Physical security! Locked in an office is not security. Servers should be in server rooms with badge readers, video cameras, and access logs. Otherwise it must be full disk encrypted (in essence the same security level as desktop) Remember, theft is #1 problem. Theft from offices is very common Security aware system administration If running a server you should know security basics. www.sans.org/reading_room @ columbia, https://skillsatcolumbia.skillport.com/skillportfe/main.action 27 9

Use Case 3: Use of the Cloud for Storage Technical Risks Unencrypted data on cloud Publically available data are viewable (public Google/Yahoo calendars) Data are viewable by cloud service providers (Dropbox) Cloud encryption solutions does not encrypt from cloud eyes If the cloud provider encrypts the data, they hold the key to decrypting. Free providers use your data for data mining, part of the EULA (Google does this) Regulatory issues of non approved disclosures (BAA) 28 Use Case 3: Use of the Cloud for Storage Solutions Either 1) establish Business Associate Agreement, or Legal document that extends HIPAA compliance to vendor Required by HIPAA/HITECH, even if BA only stores and doesn t access. 2) encrypt all data resident on cloud with key not available to cloud provider The KEY is key. Use Private cloud services with appropriate contracts 29 General Solutions and Observations "General" Researcher Autonomy Categories of Interest Tier 1 Tier 2 Tier 3 Description Self Managed Assets Hosted Solutions Fully Managed Environment Repurposed server installed in office, Some cloud services, "Shared" data High Performance Computing centers, Examples Central IT, Highly Managed Cloud isolated lab/cluster environment center space, "Renting" servers Solutions Research Control Absolute Fair More "bueacracy" Technical Expertise Required for All Some Minimal proper management Oversight Minimal Some Highest Upfront Costs Low Variable Highest Efficiency savings Minimal Fair Highest Data Archival Responsibility Researcher Researcher Service Provider Potential bundled Services for "free" None Data Center (huge costs), Network Services, potentially server administration Data Center, Auditing/Log Management, Access Control, Change Control, Network services. Potentially app and database administration Potential Data Risks 30 10

Password Reminders All devices (cell phones, laptops, USB drives etc.) must have a password Do not share your password Do not log on to a computer and then allow someone else to do their work Log off application before leaving the area btw, passwords of 123456 or qwerty or trustno1 are in the top 10 passwords. 31 What Is My Role in Protecting Medical Information? Good Security Standards follow the 90 / 10 Rule: 10% of security safeguards are technical 90% of security safeguards rely on the computer user ( YOU ) to adhere to good computing practices Example: The lock on the door is the 10%. You remembering to lock, check to see if it is closed, ensuring others do not prop the door open, keeping controls of keys is the 90%. 10% security is worthless without YOU Discover NYPH Interfaces Clinical Data Warehouse Transfers 2007 08 HIPAA Inventory Meetings with Senior Leaders System/App Inventory IRB An example of how CUMC executes it s Risk Management Program Assess Interview Sponsors Interview System Custodians Perform Vulnerability Scans Report Identify Risks Define Impact Make Remediation Recommendations Remediate One Year Review Cycle Assist in Planning Review Responses Certify Implementation 33 11

Just to drive home the point OCR really is serious about encryption 34 Questions? 36 12

Erik Decker Assistant Director, Information Security Columbia University Medical Center ed2513@columbia.edu Karen Pagliaro-Meyer Privacy Officer Columbia University Medical Center kpagliaro@columbia.edu FOR ADDITIONAL INFORMATION: http://privacyruleandresearch.nih.gov 37 13

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information