2011 SECURITY REFRESHER

Information Security

Agenda

HIPAA UpdateEncryption OverviewMobile Phones and TabletsCamerasUSB DrivesE-mailing Patient InformationFile SharingSocial Media

HIPAA Update

• HIPAA compliance penalties were increased in July, 2010 under the HITECH Act

• New Notification Requirements:1) Civil monetary penalties significantly increased ($100-$50,000

per violation up to $1.5m/yr)

2) Unwarranted disclosure of PHI can result in criminal prosecution and imprisonment

3) A security breach resulting in compromised PHI must be disclosed to each individual within 60 days of discovery

4) If more than 500 patients are impacted, the event must be reported to the media and HHS within 60 days of discovery*

5) State Attorney Generals empowered to pursue HIPAA Violations

*If <500 patients are impacted, covered entity may notify HHS of such breaches on an annual basis

Recent Fines for HIPPA Breaches

• $1m settlement with MGH in Feb 2011 (employee left a folder on a subway containing information on HIV/AIDS status of 192 patients)

• $4.5m fine against Cignet Health in Feb 2011, a Maryland insurance company, based on HIPAA violations and failure to cooperate with OCR’s investigation (insurer failed to provide 41 patients with their medical records within 30 day time-frame plus failure to respond to OCR request for documents)

• In Feb 2011, the New York municipal hospital system notified 1.7 million patients of the theft of electronic files containing PHI from the truck of a records-management service vendor

$350 million estimated cost for patient notification, setting up a call center and providing credit reporting estimate

• In April 2011, the Philadelphia Family Planning Council informed 70,000 clients of a HIPPA breach stemming from a stolen unencrypted flash drive

State Law Enforcement

April 28, 2010, A former UCLA Healthcare System surgeon has been sentenced to four months in prison

Illegally read private electronic medical records of Immediate Supervisor Co-Workers Celebrities

Read records 3 weeks after formally terminated

Privacy or Confidentiality

From Internet Security presentation at WICS by Whit Diffie

Encryption

Now is the time for all good men...

sd84$2*q} 59(o32nvt- =gf]|@l^...

Decryption

Encryption

Now is the time for all good men...

Mobile Phones and Tablets

Mobile Phones and Tablets that connect to WUSM e-mail systems •Must be password/pin protected•Must support device encryption•Must support remote wipe

If your mobile device is lost or stolen you should•Notify Information Security and Privacy Offices•Notify your Division IT Administrator – they will remote wipe the device then contact the carrier to kill service

Never text patient identifiers via text messaging or paging•Call me @ xxx-xxxx•Subject is ready in Room xx

Innocent Enough Picture

Let’s Try Picasa

GPS Info

Google Earth got the Campsite

USB Drives

You may store patient or confidential information only on USB drives that have encryption enabled or the files are encrypted.

Enable Encryption means when the drive is attached to a machine that it asks you for a password before allowing you to access the information.

Even if the device is encrypted notify the Information Security Office if it is lost or stolen.

E-Mail

When is it okay to e-mail patient information

•Within Medical School and Hospital e-mail systems e.g. psychiatry.wustl.edu to dom.wustl.edu or bjc.org•If the file is encrypted e.g. password protected excel spreadsheet•Signed patient consent to interact via e-mail

Phishing Example

File Sharing/Cloud Computing

Only store patient information on approved Medical School Servers

Google Docs/Microsoft 365 No BAA to allow storage of patient information Do not put patient information in calendars e.g. Google

Calendar

Use WUSTL Dropbox for file transfers or University SharePoint sites for collaboration Note: The other Dropbox service allows their

administrators to review the unencrypted information.

Doximity

Blogging/Twitter

The End

Questions/Comments