Sharon Finney from Adventist Health System in Winter Park, Florida prepared an excellent presentation at the 2010 NIST HIPAA conference. She shared her experience in developing and implementing a comprehensive, risk-based policy at her organization.
Sharon talked about the creation of a corporate policy and standard of conduct for social media. In order to be successful in creating these documents you must have executive buy-in from an “executive sponsor”. This sponsor is typically a VP of Marketing or PR.
Sharon recommends assembling a team that includes representatives from legal, HR, compliance, data security, and IT departments to help shape and implement the social media policies. She recommends the following steps:
Create a policy on social media – define scope of use such as who has legitimate business reasons (marketing, HR, communications, training, outreach, etc).
Create a standard of conduct manual so that employees know how they should conduct themselves online. Ensure that proper disclaimers are placed. Look at HP, IBM, Microsoft standards of conduct as a goods start.
Watch out for exceptions to policies. If you grant too many exceptions the exceptions become the rule. Create a tedious exception policy to discourage exceptions.
Define your organization’s risk tolerance.
Define sanctions for non-compliance and ensure employees know them.
Create a plan for monitoring including who will be doing the monitoring, what is being monitored, and the frequency of monitoring.
Create a quarterly audit policy trickled down to department heads to ensure that they review how their direct reports spend time online.
Clearly define what employees should and should not do (Adventist has about 36 points).
Create a policy on monitoring and enforce it. Setup alerts for certain conditions.
Implement DLP (Data Loss Prevention) technologies to prevent critical data (like PHI) from leaving your network.
You should also create an incident response plan that includes all the appropriate parties. Ensuring that all employees are properly trained and understand the policy and standards is the key to success.
Christina Heide, JD recently presented at the 2010 NIST HIPAA conference and provided a presentation about the how breach notification works. She reiterated that breach notification applies to unsecured PHI, which means protected health information not secured by encryption or properly destroyed.
Howard Schmidt, Obama administration's cyber security czar, prepared a fantastic presentation about the four guiding principles of his cyber security plan:
Deterrence is a primary factor in preventing cyber security threats. Applying strong protectionlike two factor authentication, one time passwords, smart cards, and implementing standard data protection systems were mentioned.
Resilience is the ability to recover from an attack. Designing systems that are able to recover from an attack is paramount to national security, and especially protected health information (PHI). It was noted (in a different part) of the NIST Conference that doctors relying on Health information systems (HIT) need to ensure that a disaster recovery and backup plan is in place and is tested regularly. A doctor’s office or a hospital would be nearly impossible to operate if access to PHI is not available after moving entirely to electronic medical records.
Privacy is important to the White House. It’s clear that legislation and the regulations that follow have privacy in mind. An good example is the Breach Notification law written into section 13402 in the HITECH ACt, part of the American Recovery and Reinvestment Act of 2009 (ARRA). The HITECH Act specifically provides safe harbors in case of a breach of encrypted PHI. The government is clearly incentivizing the use of data encryption to protect privacy.
Partnerships with private industry were mentioned as well, although not in too much detail. Perhaps the White House wants to make sure that whatever steps they put in place have transparency to the public and the private industry.
In order to help the government and private industry standardize on a risk management process NIST created the RMF - Risk Management Framework. The framework into 6 steps:
Categorize the information systems
Select security controls
Implement security controls
Access security controls
Authorize information systems
Monitor security controls
At the 2010 NIST HIPAA Security Conference presentation, Pat Toth, a computer scientist working for NIST , discussed the importance of the integrating risk management and security into your enterprise computing environment. Security is often thought of as an after-the-fact process that becomes important after IT systems and applications are deployed. Toth pointed out that our perception of security’s role needs to change in order to protect the our healthcare information systems.
The HIPAA security rule specifically requires that a risk assessment be performed on IT systems that contain PHI (protected health information). Rather than creating the assessment from scratch the RMF is a great place to start your research and perhaps implement the steps recommended by NIST to secure your HIT systems.
.
The RMF is of particular importance for helping to obtain a safe harbor from penalties in the HIPAA security rule, particularly when deciding to implement (or not implement) technologies like data encryption. For example: if you decide that encryption is not needed in your environment and an incident happens where PHI is breached you will need to show the reason behind your decisions to HHS OCR (U.S Department of Health and Human Services, Office of Civil Rights).
We will be tweeting live from the NIST HIPAA security conference on 5/11 and 5/12. If you use twitter we will be using the #NISTHIPAA hashtag. To see our tweets you can go to search.twitter.com and search for #NISTHIPAA after 9:30 am. You can also follow @experiordata
Big day today in the software security space. PGP Corporation and GuardianEdge Technologies (both competitors in the whole disk encryption market) have been acquired by Symantec Corporation. The acquisition provides much-needed applications to Symantec's industry-leading security software stack.
Symantec has seen competitors such as CheckPoint, Sophos, and McAfee acquire key encryption technology platforms like Pointsec, Utimaco, and Safeboot. They will now have a strong whole disk encryption story, as well as solutions for file and e-mail encryption.
The GuardianEdge Technologies (GE) acquisition will provide Symantec with direct access to GE's large base of government customers. Certainly GE has a client base in the commercial sector as well. There is clearly some overlap between PGP and GE products. Both provide a lot of value to the end users in terms of security features.
Healthcare organizations that are looking to comply with the HITECH Act and protect PHI using encryption will be very pleased. Symantec has a significant market share in endpoint security products and those customers that need to deploy encryption will be happy to entrust the Symantec brand to their organization.
The government is naming names! Today the Office of Civil Rights, part of the Department of Health and Human Services, did what they they said all along that they will do – post the names of covered entities AND business associates who are involved in data breaches. The somewhat lengthly list provides an insight into the organizations involved in breaches of unsecured protected health information (PHI).
Protected Health Information (PHI) is a term used widely in HIPAA. PHI is information that can identify and individual, such as name, address, social security number, and clinical information about the individual. Part of the American Recovery and Reinvestment Act (ARRA) called the HITECH Act, section 13402, specifically requires a covered entity or business associate to notify HHS and the mass media of breaches of uprotected PHI involving more than 500 records. PHI that is encrypted is considered protected and, therefore, provides a safe harbor against breach notification.
Among those involved in the data breaches are hospitals, clinics, dentists, insurance companies, private medical practices (though it’s unclear as to why their names are being withheld), universities, state governments, and several Blue Cross Blue shield organizations.
More importantly, business associates – which are essentially service providers to covered entities – are not only listed but are named. Most of them are IT services providers to covered entities.
Data at rest appears to be the most common form of breach, most likely a result of lost laptops, backup tapes, and a seemingly missing server.
Data encryption provides a safe harbor against breach notification and should be implemented in places where PHI is stored.
Beginning on February 18, HHS will have the legal authority to enforce the breach notification laws set forth last year as part of section 13402 of the HITECH Act, within the American Recovery & Reinvestment Act (ARRA). The penalties can now be up to $1.5 million and require media notification in cases where 500 or more records are breached. Business associates, as well as covered entities, must now comply with the HITECH Act breach notification rule (which essentially makes modifications to the HIPAA Security Rule).
Perform an extensive security review and indentify where electronic protected health information (PHI or ePHI) resides on your IT systems.
Create a plan on protecting PHI.
Data encryption provides a safe harbor from breach notification. Determine where PHI can be encrypted.
Identify public facing extranet portals and web applications that can allow access to PHI.
Identify databases that hold PHI.
Execute the plan
Implement data encryption where practical.
For databases, implement a database security product to monitor database requests and protect from intrusion.
For web apps, implement a web application security product to protect from cross-site scripting and various attacks to access databases to PHI.
Protect endpoints such as laptops, tablets, etc with data at rest encryption by implementing whole disk encryption,
Experior Data helps customers plan and execute data security assessments and technology implementation for healthcare. Our proprietary Technical Security Audit includes a personalized review of your IT systems and well as a vulnerability scan of all your network components.
PGP Corporation announced an update to its products line. PGP now supports Red Hat & Ubuntu Linux, Mac OSX Snow Leopard, and Boot Camp on Mac OSX computers. In addition, PGP has updated its whole disk encryption technology to include a Hybrid Cryptographic Optimizer (HCO) technology to deliver faster run times for PGP Whole Disk Encryption.
Customers can now use PGP Universal Server to centrally manage encryption for their multi-platform environment. A single web-based user interface can be used to manage encryption end points using Microsoft Windows, Apple Mac, Red Hat Linux, and Ubuntu Linux. PGP is the only encryption vendor that delivers encryption solutions across multiple platforms. Multi-platform support is especially important with the popularity of netbooks, and the forthcoming Apple tablet device, which is reported to be using the Mac OSX operating system.
PGP also added functionality for e-mail encryption in Microsoft Outlook. Using Microsoft Outlook users can now click “sign and encrypt” buttons to automatically encrypt emails.
Experior Data is a PGP SILVER Partner and helps organizations implement data encryption solutions.
More information about these new releases is available on the PGP web site.
In the coming months healthcare IT administrators will see many products come to market that claim to solve the compliance issues of safeguarding unsecured protected health information (PHI). A bit of caution and understanding of the issues is required here:
- Whole disk encryption is clearly needed for mobile devices
- Whole disk encryption protects data when computers are TURNED OFF. This means that while you’re using the laptop the data is in use, and is not encrypted.
- Additional levels of data protection is needed to protected the data while computers are in use. For example, critical data files should be encrypted automatically regardless of whether the computer is turned on or off. Whole disk encryption does not do this.
- Files containing PHI that are transferred on a network need to be encrypted. Whole disk encryption does not do this.
- What about e-mails containing PHI? More importantly, what about those that use Microsoft Outlook and store data in archive (.pst) files?
So why is whole disk encryption not enough? What happens if a worm invades your computer and transfers documents of a certain file type to a remote location. Whole disk encryption will not help you in this situation.
It’s important for any encryption solution to not only encrypt the hard drive but also to encrypted files on the hard drive so that they remain encrypted while the computer is on.
Copyright 2009 - Experior Data Security and Encryption - No parts of the content herein may be copied or reproduced without permission www.experiordata.comwww.arra13402.com
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=3a0266f6-3270-43a7-9d5d-72d3000b6dd6)
