HELLO! I am Ashley Hall


HELLO! I am Ashley Hall You can reach me at ashleyh@hscnv.com

Social Work in the 21st Century: Practicing Efficiently and Ethically in Today's Digital Landscape

ABOUT ME
BSW, MSW
Data Analyst & Human Services Consultant
Passion for Data (weird, I know!)

Introduction 1

Technology... is a queer thing. It brings you great gifts with one hand, and it stabs you in the back with the other. ~C.P. Snow

WORKSHOP INTRODUCTION
Step 1: Scare the pants off of you!
- Overview of HIPAA as related to electronic data
- Overview of tech being used today and how it can be exploited
- Consequences of unsecured e-data

WORKSHOP INTRODUCTION
Step 2: Train you to fight
- How to use tech safely
- Safe and secure tech options

WORKSHOP INTRODUCTION
Step 3: Use Tech Efficiently
- What can we use tech for?
- What are our options?
- Tech examples

Scare the Pants off of You 2

HIPAA & e-data

WHAT IS PHI? PHI, or Protected Health Information is individually identifiable health information that: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual. Source: www.hhs.gov

WHAT IS e-PHI? e-PHI, or electronic protected health information, is any PHI that is stored via electronic media.

WHAT IS ELECTRONIC MEDIA? HIPAA has a definition for that too! Electronic Media is: (1) Electronic storage material on which data is or may be recorded electronically, including, for example, devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; (2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet, extranet or intranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission. Source: www.hhs.gov

TO SUM UP
- PHI is identifiable health information
- e-PHI is identifiable health information that is stored via electronic media
- Electronic media covers any data that is stored electronically (even copies of paper files) and/or is transmitted electronically (typically via an intranet, the internet, or private networks, etc.)

QUIZ TIME!!! Scenario 1
Jane the social worker has a paper file with case notes and identifiable health information on it. She needs to send it to a colleague who is taking over her case. She decides to just fax that data over. She puts the papers into the fax machine and hits the start button. Has Jane transmitted e-PHI?

YES OR NO?
- Yes - the act of faxing a document automatically creates e-PHI
- No - a fax does not create e-PHI
- Maybe??

Does your office lease one of these? YES OR NO?

QUIZ TIME!!! Scenario 2
John the social worker scans copies of paper intake forms that he receives from clients. He stores these scans on his local computer and backs them up on an external hard drive. Is John storing e-PHI?

YES OR NO?
- Yes - John has created e-PHI
- No - since the forms that were scanned were paper forms, the definition of e-PHI does not apply

HIPAA AND e-PHI SECURITY
Agencies/Practitioners must:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
- Identify and protect against reasonably anticipated threats to the security or integrity of the information;
- Protect against reasonably anticipated, impermissible uses or disclosures; and
- Ensure compliance by their workforce

WHAT TECHNOLOGY IS USED IN SOCIAL WORK PRACTICE?
Agencies/Practitioners use:
- Office desktops/laptops/copiers/scanners
- Field laptop computers
- Mobile devices (including cell phones and tablets)
- Cloud servers/services
- Technology provided or maintained by outside vendors
- Any others?

VULNERABILITIES IN TECHNOLOGY - THE OFFICE
- Hardware: Damage; Theft; Leasing
- Software: Outdated; Nonexistent
- Network: Unprotected; No specified guest access
- Personnel (Including Vendors): Inadequate security process; Inadequate security awareness
- Site: Hazards for hardware; Unreliable power source
- Organization: Lack of audits; Lack of plans

VULNERABILITIES IN TECHNOLOGY - IN THE FIELD
- Hardware (laptops): Damage; Theft; Leasing
- Software: Outdated; Nonexistent
- Network: Unsecured (public) WIFI; Inadequate training
- Personnel: Inadequate security process; Inadequate security awareness
- Site: Hazards for hardware; Unreliable power source
- Organization: Lack of audits; Lack of plans

VULNERABILITIES IN TECHNOLOGY - IN THE CLOUD
- Email Provider: Not HIPAA compliant; Unencrypted emails
- Cloud Operations: Free = not HIPAA compliant; Uploading or downloading unencrypted data
- Personnel: Inadequate security process; Inadequate security awareness
- Organization: BAA with cloud provider?; Understanding of what cloud provider does with data it houses

QUICK DEFINITION - BAA
So what is a BAA? A business associate agreement (BAA) is a contract between you and any vendor that has access to the PHI that you maintain. The contract protects PHI by ensuring that your business associates are in compliance with HIPAA.

VULNERABILITIES IN TECHNOLOGY - OUTSIDE VENDORS
A few notes on outside vendors:
- An outside vendor is anyone who has access to, views, modifies, or analyzes client data
- These can be: consultants, email service providers, IT companies, computer repair services, etc.
- If an outside vendor has access to PHI, a BAA needs to be signed, no exceptions

VULNERABILITIES IN TECHNOLOGY - OUTSIDE VENDORS
- Relationship: Not HIPAA compliant; No BAA in place
- Inadequate Policy/Practice: No audit of policy/practices done
- Security/Disaster Plan: No security/disaster plan; Security/disaster plan inadequate
- Communication Security: Vendors send unencrypted data; Vendors access cloud data via unsecured devices

VULNERABILITIES IN TECHNOLOGY - OUTSIDE VENDORS
How prevalent is the problem of vendor HIPAA violations? According to the HHS breach report, about 28% of data violations between 2009 and today happened with a BAA present. In Nevada, that percentage is about 38%. Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

HIPAA VIOLATIONS - THE SCARY TRUTH
First and foremost - HIPAA violations happen, at an alarming rate!
(Chart: HIPAA Violations, Tableau Public) Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

HIPAA VIOLATIONS - THE SCARY TRUTH
The costs of a HIPAA violation should not be ignored!
- July 2015: $218,400 settlement with St. Elizabeth's Medical Center for using an internet-based document sharing application to store documents containing PHI
- Dec. 2014: $150,000 settlement with Anchorage Community Mental Health Services for malware compromising the security of its information technology resources
- Aug. 2014: $1,215,780 settlement with Affinity Health Plan, Inc. for failing to erase data contained in copier hard drives after returning them to a leasing agency
- Jan. 2013: $50,000 fine paid by The Hospice of North Idaho due to a stolen laptop with unencrypted data. This case involved fewer than 500 patients
View more examples at: www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/

HIPAA VIOLATIONS - THE SCARY TRUTH
Keep in mind:
- You are liable for anything your employees do that violates HIPAA. Even stolen property is your responsibility
- While you may have a HIPAA compliant email/cloud storage provider, that does not mean your data is protected in transit!
- You are even responsible for the actions of the vendors you work with
- When in doubt, assume it is your responsibility!!

QUIZ TIME!!! Scenario 1
Jane the social worker conducts home visits on a regular basis with youth clients. During these home visits she uses a laptop to teach certain skills. This laptop is also used to store individual client data. Jane was visiting three different clients one day and only needed the laptop for one of them. She left her laptop in her locked vehicle while visiting the first client. During the visit, Jane's vehicle was stolen. Did Jane violate HIPAA guidelines?

YES OR NO?
- Yes - client data was stored on the laptop and the theft of the device means the data has been compromised.
- No - the theft of the laptop was not Jane's fault and she took reasonable precautions to protect the data.
- Maybe?

QUIZ TIME!!! Scenario 2
John the social worker asks an IT company to come in and work on his broken computer located in his private practice. John is satisfied with the work the company has done and needs no ongoing IT maintenance. Six months later, John gets a notice of a HIPAA complaint - apparently the IT company stole information about a high-profile client from his computer and published it online. Did John violate HIPAA guidelines?

YES OR NO?
- Yes - John is responsible for all actions on the part of outside vendors.
- No - the theft and publishing is the vendor's fault, not his.
- Maybe?

QUIZ TIME!!! Scenario 3
Sally the social worker shares e-PHI with a team member working with a family. This data is shared via cloud storage in which a BAA is in place. Sally is informed by her IT manager that some of the data was intercepted via malware when she uploaded the data. Is Sally in violation of HIPAA guidelines?

YES OR NO?
- Yes - It is Sally's responsibility if her data was intercepted during upload, even if her computer was protected.
- No - the data was uploaded to a cloud service in which a BAA was in place.
- Maybe?

Train You to Fight 3

WHAT CAN YOU DO TO SECURE e-PHI?
Note: We are going over the basics. Consider talking to someone if you need help or are unsure:
- IT Professionals
- ISP
- Security Consultant

PROTECTING YOUR DATA - THE OFFICE
- Hardware: Ensure hardware is somewhere safe and clean; Backups are a must
- Software: Ensure all software is updated regularly
- Network: Ensure your network is protected and secured
- Personnel (Including Vendors): Ensure BAA is signed where applicable; Request data security plan
- Site: Protect hardware with surge protectors; Use correct plugs
- Organization: Audit your data security plan; Continuously inspect and improve where needed

PROTECTING YOUR DATA - IN THE FIELD
- Hardware (laptops): Protect from damage; Password protect and encrypt
- Software: Update all software regularly
- Network: Don't use public, unsecured WIFI networks without taking steps to secure your system
- Personnel: Ensure all staff are trained and using passwords and encryption
- Site: Make sure your mobile hardware is safe from the elements; Be aware of the dangers of power surges
- Organization: Plan and audit regularly

PROTECTING YOUR DATA - IN THE CLOUD
- Email Provider: Ensure use of a HIPAA compliant email service; Encrypt all emails with client data
- Cloud Operations: HIPAA compliant cloud storage; Encrypt files
- Personnel: Ensure all staff are trained and using passwords and encryption
- Organization: BAA with cloud provider is a must; Understand what is done with your data at every stage

PASSWORDS - THE FINER DETAILS
Password vs. Passphrase
- Password = a word that you select as a code to open or unlock your computer, server, website, etc. Passwords typically don't have spaces. Can be real words, fictional words, or any combination of both. Example: AshleyISAwesome2015
- Passphrase = like a password but much longer and contains spaces. Can become closer to an encryption key than a password in terms of security. May be a known phrase or made up

PASSWORDS - THE FINER DETAILS
When to use a passphrase:
- For your computer login
- For your password database or password manager software
- Encryption
When to use passwords:
- On websites

PASSWORDS - THE FINER DETAILS
How to select a password - from our friends at Microsoft! A strong password:
- Is at least eight characters long.
- Does not contain your username, real name, or company name.
- Does not contain a complete word (use spaces if you are using a dictionary word).
- Is significantly different from previous passwords.
- Contains characters from each of the following four categories: uppercase letters, lowercase letters, numbers, and symbols found on the keyboard.
Source: http://windows.microsoft.com/en-us/windows-vista/tips-for-creating-a-strong-password

PASSWORDS - THE FINER DETAILS
How to select a passphrase - from Micah Lee
- Avoid phrases from pop culture (To Be Or not to BE that is THE question)
- Consider Diceware
- Ensure the length of your passphrase is adequate. Each word is drawn at random from a list of 7,776 words, so every added word multiplies the number of possibilities by 7,776:
  1 word = 1 in 7,776 chance of guessing
  2 words = 1 in 60,466,176 chance of guessing
  7 words = 1 in 1,719,070,799,748,422,591,028,658,176 chance of guessing - it would take 27 million years to guess this!
- 7 random words is ideal
Source: https://firstlook.org/theintercept/2015/03/26/passphrases-can-memorize-attackers-cant-guess/
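The Diceware arithmetic above, worked through as an added example (not the presenter's or the Diceware project's code): it reproduces the "1 in N" figures for any number of words, converts them to bits of entropy, estimates the average time to guess, and shows how a five-dice roll maps onto a word index. The guess rate of one trillion guesses per second is an assumption taken from the cited article (it is what makes the 7-word case come out at about 27 million years), and the 94-symbol alphabet for the password comparison is an assumption too.

```python
"""Diceware passphrase strength, using the numbers from the slide."""
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5          # 7,776 words, one per five-dice roll
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def combinations(words, list_size=DICEWARE_LIST_SIZE):
    """Equally likely passphrases of `words` words: the slide's "1 in N chance"."""
    return list_size ** words


def entropy_bits(words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of a uniformly random passphrase (about 12.9 bits per Diceware word)."""
    return words * math.log2(list_size)


def average_years_to_guess(words, guesses_per_second=1e12,
                           list_size=DICEWARE_LIST_SIZE):
    """Average time for an attacker who knows the word list and word count.

    On average half the space is searched before the right phrase turns up.
    The default rate of 1e12 guesses per second is an assumption (the
    article's figure), not a measurement of any real attacker.
    """
    half_space = combinations(words, list_size) / 2
    return half_space / guesses_per_second / SECONDS_PER_YEAR


def character_password_combinations(length, alphabet_size=94):
    """Space of a random `length`-character password over printable ASCII.

    Lets the Microsoft-style eight-character advice on the page be compared
    with a passphrase of a few Diceware words (94 is an assumed alphabet).
    """
    return alphabet_size ** length


def key_to_index(key):
    """Map a Diceware key such as '36254' (five dice, digits 1-6) to 0..7775.

    Each die is one base-6 digit, the first die being the most significant,
    which is exactly why the list holds 6**5 words.
    """
    if len(key) != 5 or any(ch not in "123456" for ch in key):
        raise ValueError("a Diceware key is exactly five digits in 1-6")
    index = 0
    for ch in key:
        index = index * 6 + (int(ch) - 1)
    return index


def roll_keys(words):
    """Simulate the dice with the OS CSPRNG (secrets), never random.random.

    Returns one five-digit key per word; with a real word list each key is
    looked up to produce the passphrase.
    """
    return ["".join(str(secrets.randbelow(6) + 1) for _ in range(5))
            for _ in range(words)]


if __name__ == "__main__":
    for n in (1, 2, 5, 7):
        print(f"{n} word(s): 1 in {combinations(n):,} ({entropy_bits(n):.1f} bits), "
              f"about {average_years_to_guess(n):,.0f} years on average")
    print(f"8 random characters from 94: 1 in {character_password_combinations(8):,}")
    print("dice keys for a 7-word phrase:", roll_keys(7))
```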

UPDATES - THE FINER DETAILS Software updates aren t fun, especially when you run many different types of software on your machine. However, updates are essential as they often contain security patches based on new threats or discovered vulnerabilities. Long story short, update often.

BACKING UP - THE FINER DETAILS
- All data should be backed up at least twice
- Local backups are important to avoid problems like corrupted files or databases. These can be stored on the same device as the original data, but in a special backup folder
- Backup folders should also be backed up in a separate location, such as the cloud, an external hard drive, or another computer in a different building
- I prefer to back up in the cloud AND on an external device
- Make sure backed up data is encrypted and password protected!

BAA'S - THE FINER DETAILS
Red Flags
- If your business associate has never heard of HIPAA or a BAA, consider training or additional steps to ensure protection of PHI
- If your business associate does not have a BAA for you to sign, consider asking for copies of data security plans and policies
- It is always a good idea to have your own BAA!

PUBLIC WIFI - THE FINER DETAILS
Public WIFI is always a risk - but there are ways that you can use this necessary tool safely:
- Turn off sharing on your computer
- Enable your firewall
- Use HTTPS and SSL where possible
- Use a Virtual Private Network. Paid service; takes some time and effort to set up and could require software and licensing
- When in doubt, don't use public WIFI for accessing or uploading secured data
- Turn off WIFI when you aren't using it
- When in doubt, just don't do it.

ENCRYPTION - THE FINER DETAILS
Encryption does not have to be scary or complicated! Encryption protects files from unauthorized access such as a stolen computer, but also from someone stealing your data in transit (i.e., when an email is sent or when a file is uploaded to the cloud).
- You can encrypt for free, either with free software or extensions. This typically requires a password created by you and shared with the recipient of your email/files, and typically requires the recipient to have an extension or be directed to a secure location to download the file
- Or you can pay for services that handle the encryption and email/cloud storage security for you

Use Technology Efficiently and Safely 4

USING TECHNOLOGY IN YOUR PRACTICE
Yes, technology is vulnerable, and yes, security can be complicated. But technology can make life easier for you, your staff and your clients.

USING TECHNOLOGY IN YOUR PRACTICE
So what can technology be used for in social work?
- Client data management and workload/workforce data management
- Financial data management
- Communication
- Project/program management
- Collaboration - internal and external

USING TECHNOLOGY IN YOUR PRACTICE
And where do we find tech to help with these tasks?
- Outside Vendors: Easy and managed by professionals; Typically includes some sort of reporting; Not for everyone - expense
- Homegrown Solutions: If you hire someone to develop software, keep up on it! Don't get swept up by fancy products - basic software can sometimes do the same job
- Out-of-the-box solutions: Database software; Case management software

USING TECHNOLOGY IN YOUR PRACTICE
So what are some examples of software that can be used?
- Training: Lynda.com; YouTube!
- Survey software: SurveyMonkey; Qualtrics; Google Forms
- Collaboration: Google Apps; Trello - online collaboration tool; JoinMe
- Organizational: EventBrite - event planning and attendee management; Social Media - marketing and event planning/organizing; Tableau Public - communicating data
- Out-of-the-box solutions: Zengine - database software; FAMcare - case management software; Microsoft Products (Access, Excel)

USING TECHNOLOGY IN YOUR PRACTICE
And which common software options are safe for e-PHI?
- Google Apps - only the paid service, and only after signing a BAA
- Dropbox - Not HIPAA compliant, but can be if used in conjunction with outside software: Sookasa, BoxCryptor, Vivo, Cloudfogger, Paubox
- Microsoft OneDrive - HIPAA compliant with BAA
- Box - HIPAA compliant with BAA
- iCloud - Does not offer BAA
REMEMBER! Even with HIPAA compliant storage or collaboration options, you still have to take steps to encrypt files for transmission and storage. Consider software such as BoxCryptor and others to help with this task.

USING TECHNOLOGY IN YOUR PRACTICE
HIPAA compliant email and cloud storage with encryption in the background? YES PLEASE!
- HIPAA compliant email with seamless encryption (screenshot: an incoming email encrypted by Paubox)
- HIPAA compliant cloud storage with 256-bit AES (Advanced Encryption Standard) encryption at rest and in transit
- No extra software - send and receive emails, upload files to the cloud, all without any additional steps
- Can be used as a wrap-around service if you are already using business email platforms like Microsoft Exchange, Office 365 & Google Apps

USING TECHNOLOGY IN YOUR PRACTICE
Cloud and communication services make possible or enhance:
- File sharing and storage
- Collaboration and communication
- Organization and productivity
- Client interactions

USING TECHNOLOGY IN YOUR PRACTICE
Technology Examples: In these brief videos you will see the following tech options being used:
- Cloud applications
- Online meeting software
- Collaboration software

USING TECHNOLOGY IN YOUR PRACTICE - GOOGLE APPS Google Apps: http://youtube.com/v/ee7c8e-qnjy

USING TECHNOLOGY IN YOUR PRACTICE JOIN ME Join Me: http://youtube.com/v/mjwdrrljnt4

USING TECHNOLOGY IN YOUR PRACTICE - TRELLO Trello: http://youtube.com/v/xwiuniolf4s

WRAPPING IT UP
I hope I didn't scare you too badly
- The threat is real
- Data breaches cost money
- Just because you are a small agency does not make you immune to cyber dangers
I hope you gained useful insight into tools you can use to protect e-PHI
- Planning and foresight can help
- Adequate policies and training are a must
- When in doubt, seek consultation
I hope that you are now aware of ways in which technology can be our friend
- Technology is an amazing thing
- It can streamline and speed up our work
- It can eliminate time and space limitations

You cannot endow even the best machine with initiative; the jolliest steam-roller will not plant flowers. ~Walter Lippmann

THANKS! Any questions? You can find me at ashleyh@hscnv.com

CREDITS Special thanks to all the people who made and released these awesome resources for free: Presentation template by SlidesCarnival Photographs by Unsplash