White Paper: Contingency Planning

DRAFT
Version 5: 12/20/2007
Based on Final Security Rules
HIPAA COW
SECURITY NETWORKING GROUP
PORTABLE MEDIA WHITE PAPER
Disclaimer
This Portable Media White Paper is Copyright © 2007 by the HIPAA Collaborative of Wisconsin
(“HIPAA COW”). It may be freely redistributed in its entirety provided that this copyright notice is
not removed. It may not be sold for profit or used in commercial documents without the written
permission of the copyright holder. This document is provided “as is” without any express or
implied warranty. This document is for educational purposes only and does not constitute legal
advice. If you require legal advice, you should consult with an attorney. HIPAA COW has not yet
addressed all state pre-emption issues related to this Portable Media White Paper. Therefore, this
form may need to be modified in order to comply with Wisconsin law.
Table of Contents
I. Introduction ..... 2
   A. What is Portable Media? ..... 2
   B. Why Develop a Portable Media Protocol/Policy? ..... 2
   C. Objectives of Establishing a Protocol for Securing Portable Media ..... 5
   D. Applicable HIPAA Security Rule Standards ..... 5
II. Definitions ..... 5
III. What Needs to be Included in a Portable Media Security Plan ..... 6
   A. Identification of Portable Media ..... 6
   B. Source and Security of Portable Media ..... 8
   C. Portable Media Loss ..... 11
   D. Portable Media Loss Contact Process and Information ..... 11
   E. Media/Public Relations ..... 12
   F. Related Organizational Policies ..... 12
   G. Securing/Encrypting/Password Protection ..... 13
   H. Law Enforcement/Government Agency Contact Information ..... 13
References and Resources ..... 14
APPENDIX I: PORTABLE MEDIA INVENTORY ..... 15
APPENDIX II: PORTABLE MEDIA LOSS REPORTING FORM ..... 16
APPENDIX III: SAMPLE PROCEDURE FOR DOCUMENT PASSWORD PROTECTION ..... 18
Note: This information has been developed to address information systems (IS) portable
media use and management as a separate issue. It is important that the organization’s IS
portable media processes can be carried out as an integrated element of ongoing security for
organizational data, and as a component of organizational operations.
_____________________________________________________________________________
© Copyright 2007 HIPAA COW
1
I. Introduction
A. What is Portable Media?
Portable Media, for the purposes of this paper, is defined to include any device or media
which are easily portable or transported from place to place by an individual. Examples
include but are not limited to:
• Computer laptops, tablets and other portable computers
• Personal Digital Assistant(s) (PDA) (e.g. Palm OS®, Windows CE® based devices)
• Flash, Universal Serial Bus (USB) or “thumb” drives
• MP3 players (e.g. iPod®)
• BlackBerry® and similar devices
• Cell phones, mobile phones, pagers and similar devices used for or capable of
sending/receiving text messages and/or e-mail messages
• Portable hard disk drives
• Zip disks, CDs, DVDs, Optical Disks, Diskettes, Magnetic Tape and similar media
• Portable dictation devices, whether digital or analog
• Digital cameras, whether still or video; cell phones, BlackBerry® and similar
devices capable of taking and/or storing digital images, whether still or motion;
analog cameras and film contained therein. Note: Each organization will be
responsible for establishing separate policies for creation, maintenance, use, storage
and overall management of images acquired through these devices. This white paper
is not the venue for these policies.
Use of data on such portable media may include but is not limited to:
• Transportation
• Transmission
• Backup/archiving
• Use at another location, off campus from the source
• Use on another workstation on or off campus
• Data capture and storage relative to patient care
B. Why Develop a Portable Media Protocol/Policy?
Healthcare and Business practices today are, to an ever expanding level, taking the
employee outside of the realm of the “secure” organizational buildings and network.
This raises the risks and stakes of potential loss or theft of PHI or other organizationally
sensitive information.
A variety of headlines in recent past have brought to our attention the challenges
organizations have in relation to securing portable media, particularly laptops. Examples
taken from the media around the time of authoring this white paper include the following.
Particular note should be taken that security practices organizations have preached
against for several years are not followed in many of these incidents.
Austin, Texas, police are investigating after security cameras
captured video of the thief carrying out a laptop and a projector from
a Seton Family of Hospitals office.
http://www.informationweek.com/showArticle.jhtml?articleID=197008711
Health Care Firm Recovers Stolen Laptop
“The data on the Dell laptop was encrypted and password-protected, according
to a statement from William Beaumont Hospital in Royal Oak. But the car theft,
which occurred Aug. 5 in Detroit, caused particular concern among hospital
officials, because the affected employee's ID access code and password were
written on a piece of paper that was taped to the inside of the stolen PC.”
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002765
HIPAA Compliance Strategies
2006's 10 Biggest Health Care Security Breaches
Reprinted from the December 2006 issue of REPORT ON PATIENT PRIVACY, the
industry's most practical source of news on HIPAA patient privacy provisions.
Ten events from 2006 are summarized at the following link. These include
misplaced CDs containing patient information and theft of a laptop from a Veterans
Affairs employee’s home.
http://www.aishealth.com/Compliance/Hipaa/RPP_2006_Security_Breaches.html
Sick Kids doctor loses data on 3,300 patients
“Six weeks after Ontario's privacy commissioner ordered the Hospital for Sick Children
not to remove electronic health records from the hospital, a doctor lost an external hard
drive containing such records at the country's busiest airport.
The physician, who was traveling to a medical conference, packed the external hard drive
so he could work while away. Though airport security was notified and a search
conducted, it was never recovered.”
Aug 31, 2007 04:30 AM MEGAN OGILVIE HEALTH REPORTER
http://www.thestar.com/living/article/251904
Beyond laptops and compact disks (CD), portable media have become ubiquitous in the
workplace, whether provided by the employer, or brought to the workplace by the
employee. In the past 3 years, USB memory flash drives have fallen in price from
approximately $100 for 128 kilobytes of storage to less than $20 for 2-4 gigabytes of
storage. Such devices are frequently provided as “gifts” at conferences.
Use of these devices is as easy as plugging them into an available USB port on any
computer in the work setting and copying files and other data representations to this
locally installed device. Organizations are typically reluctant to disable the USB ports, as
they are commonly used for the installation of devices such as bar code readers, local
printers and other devices. Additionally, these ports may be used during the course of
conducting business, such as software installation and making backups. The corporate
and personal prevalence of laptops, replacing traditional workstations in many cases is a
growing trend. This is particularly seen with providers that have offices in multiple
locations and require the convenience of portability. Further, staff, executives and
consultants have come to depend on portable media in the daily performance of their
responsibilities.
Organizations need to establish a policy on Portable Media and educate their staff on the
appropriate use of Portable Media. Part of this policy and education needs to be that
personally provided Portable Media needs to follow the corporate standards for security
and confidentiality, including the right of the organization to install security guards on all
such media.
Key references related to Portable Media include:
1. An Introductory Resource Guide for implementing the Health Insurance
Portability and Accountability Act (HIPAA) Security Rule, NIST Special
Publication 800-66, http://csrc.nist.gov/publications/nistpubs/800-66/SP80066.pdf, accessed April 2007.
2. HIPAA Security Guidance, Department of Health and Human Services, USA,
http://www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806.pdf, accessed April 2007.
3. Managing Sensitive Electronic Information (SEI), A Security Policy Template
developed by the Mobile Memory Task Force of the NCHICA Privacy and
Security Officials Workgroup on Portable Devices and Removable Media, August
6, 2007, http://www.nchica.org/HIPAAResources/Samples/Portal.asp , accessed
October 15, 2007.
C. Objectives of Establishing a Protocol for Securing Portable Media
The objectives of securing Portable Media are driven from the basics of securing all
media containing electronic protected health information (ePHI). The challenge afforded
when addressing portable media in particular focuses on:
i. Providing the organization with a framework within which portable media may be
securely used in the workplace.
ii. To minimize possible adverse outcomes from loss or theft of devices containing
ePHI, or other protected information, particularly when such data is unsecured.
iii. To establish within an organization, an understanding of the opportunity and
responsibility of appropriate use of portable media and to establish the basis of
education related to the use of such devices.
iv. To outline for organizations options for and guidelines related to appropriately
securing ePHI stored on portable media.
v. To protect the public image and credibility of the organization, in relation to adverse
effects of loss of ePHI on portable media.
vi. Determine the organizational position related to portable media that is personally
owned or otherwise not provided specifically by the organization for business
purposes.
Each organization will need to determine appropriate Portable Media guidelines and
practices appropriate to its needs.
D. Applicable HIPAA Security Rule Standards
i. Health Insurance Reform Security Standards 68 FR 8334.
ii. Preamble to the Security Standards: Final Rule, Federal Register, Vol. 68, No. 34,
Thursday, February 20, 2003, p. 8361.
iii. Organizations should establish and publish a disclaimer that all data and information
contained on portable media are provided the same due diligence and protection as all
protected health information, regardless of source. Information that is not PHI is
afforded the appropriate level of protection as other organizationally sensitive or
confidential data and information (e.g. financial).
II. Definitions
A. Portable Media – Please reference list on Page 2 of this document.
B. Encryption of Data: The process of altering or obscuring data, through the use of keys, to
prevent its being viewed.
From: The Columbia Encyclopedia, Sixth Edition | Date: 2007
http://www.encyclopedia.com/doc/1E1-dataencr.html
Data encryption: the process of scrambling stored or transmitted information so that it is
unintelligible until it is unscrambled by the intended recipient.
C. Password Protection of Data: Establishing a password assigned to a specific document or
file, preventing read or write access without the password.
Another approach to “securing” individual Microsoft documents (e.g. Word documents,
Excel documents) is to apply the Microsoft provided “password” protection to these
documents. These passwords may be applied at various levels, allowing some users to
“read” but not “edit” documents. Users are cautioned in undertaking this approach, as the
selection of document specific passwords is at the discretion of individual users, may not
comply with organizational policies on password standards, and such passwords may be easily forgotten.
While historically forgetting a Microsoft document password effectively left the document
permanently “secured”, there are now a variety of tools available that may be used to help
reacquire the forgotten password. As with the encryption discussion elsewhere in this paper, a listing of
these various solutions is again not provided, due to the dynamic nature of the industry.
D. ePHI: Electronic Protected Health Information
E. Loss Incident: An event in which a portable media device is lost or stolen.
F. Disclosure Incident: A loss incident during which ePHI or other protected or proprietary
information that was not appropriately secured is released.
III. What Needs to be Included in a Portable Media Security Plan
When developing a Portable Media Security Plan/Policy, a recommended approach is to
assess the various device types, the various data classifications (e.g. audio, images, textual),
the various users of portable media, and the various data types (e.g. clinical,
financial), and to structure the organizational policy around these defined elements. Attention
should be paid to the various portable media that are involved, based in part on the various
working environments, staff involved, and other organization specific circumstances.
Also identify which critical systems, if not all systems, are supported at alternate sites. Are
there resources available to support all systems, or only critical ones? Test the sites to verify
they support the systems (with backed-up data), should your main facilities be down on an
ongoing basis.
A. Identification of Portable Media
This section will address business needs where portable media have become a natural and
critical part of the work environment. In each case, organizations need to assess the
impact of initial device cost, cost of securing and managing devices, risk of use/loss, cost
of not providing and associated challenges of self provided portable media devices.
i. Overview and Work Environments
1. Mobile Work Environment: Organizations, such as durable medical equipment
sales and support, visiting nurse associations, providers functioning in on-call
roles while traveling on business or personal time and home health agencies,
frequently establish a mobile office for their staff, providing them with a cellular
phone, BlackBerry ® or similar device, as well as a laptop. The combination of
these devices is literally a portable office, removed from the relative security of an
organization’s network. Additionally, executives and managers who frequently
spend the majority of their business day in meetings frequently find it necessary
to take work home. In all cases, various elements of PHI or organizationally
sensitive data are part of the environment. Devices provided to enable this mobile
work force need to be appropriately protected, including passwords and
encryption of data. Additionally, it may be prudent to have all such devices
returned to the corporate offices on a “regular basis” to ensure appropriate levels
of security are maintained/refreshed, and where appropriate, having locally stored
data “backed up” on the organizational network.
2. Executive Work Environment: A hybrid instance of the Mobile Work
Environment exists with executives that have “home” offices, however are
frequently traveling on business, whether locally (e.g. clinic to clinic, clinic to
hospital) or nationally. This travel may include the presentation of papers at
conferences, where the presentation is stored on the same device as the quality
initiative spreadsheet currently being developed by this executive. Laptops and
portable memory media used by these individuals, in the office one day and on
the road the next, need to have an easily employed encryption methodology
incorporated in them. Additionally, good business practice supports backing up
the portable media on a regular basis.
3. Transportation/Storage of data on physical media: Data are frequently transported
outside of the organizational internal security measures to support daily business
operations and compliance with business recovery/continuance policies.
Examples include disaster preparedness initiatives and delivery of data to third
party organizations other than via the Internet. Such “transportation and storage”
may be via laptops, USB memory drives and a large variety of media (e.g. tape,
CD/DVDs, etc.) for storage of data.
4. Dynamic Media as Medical Record: At an ever increasing rate, various new types
of “medical documentation” user interface devices are being adapted in both the
ambulatory and inpatient settings. These include but are not limited to:
a. Handheld devices for physician dictation or e-prescribing, leveraging
portability of PDA devices
b. Recording of visual images (still or motion) on cell phones and digital
cameras, including the memory cards on which these images are stored, which
may be removed from the camera to transport the images to another system.
c. Expanding patient to provider communication via web based services and email which may occur across BlackBerry ® or similar devices or PDAs.
These devices are typically structured to “synchronize” locally saved data
with the organizational network. Care should be taken to ensure that, in
addition to appropriate local encryption levels, these devices successfully
“synchronize” PHI in a timely manner with local network services, making
this data available to all those accessing the Electronic Health Record from
other devices.
5. Maintaining/Updating Historical Data Storage Media: While somewhat outside
the scope of portable media, it should be noted that there is an organizational
exposure risk driven by the dynamics of data storage media evolution. In the time
frame of 25 years, the IT industry has gone from reel tape through a variety of
cartridge tapes, multiple sizes/density of diskettes and numerous optical (e.g. CD,
DVD) storage media. Long term storage of data on these media may require
transition of archives from media to media as technology changes and devices to
“read” the media become unavailable. Additionally, the systems which may read
these data stores may no longer be available or supported. Many of these media
contain PHI, which may need to be accessed in establishing offsite disaster
recovery services. Organizational steps to establish such offsite storage of data in
this manner, for purposes of business continuance or generalized “backup”,
should include ensuring that the organization maintains the ability to read these
media and that such media are secured and/or the contained data is encrypted.
B. Source and Security of Portable Media
The following are provided as discussions regarding the source of and security related to
various portable media. Organizations should assess the need for establishing policies on
the use of portable media based on position roles within the organization. Roles not so
identified for use of portable media should require prior authorization for the use of such
media from an individual within the organization such as the Information Security
Officer. Such policy should apply to devices that are provided either by the organization
or personally.
i. Organizationally Provided Portable Media: The previous section established the
business need for the use of portable media. Each organization needs to assess these
business needs individually and assess the need to provide portable media. With
some media (e.g. laptop computers, backup data media sent off site), the ability to
control or manage the media is relatively apparent. For example, purchases of
laptops and related capital items may, by policy and practice, require sign off by
information services. Further, such devices assigned to staff may be required to be
connected to the network to update security software and update network based data
storage. Such activities may be monitored through the organizational network.
Certainly with backup media, particularly for large
organization databases (e.g. electronic health record systems, laboratory information
systems, and hospital information systems), Information Services, as creator of such
system backups, serves as a control point. Additionally, extracts of such large scale
databases for purposes of reporting and data warehousing, should be managed
through authorized staff and procedures to safeguard and backup such extracts as
appropriate. In some cases, such control and management is more difficult (e.g.
locally stored budget documents, employee reviews, patient specific locally stored
research databases, and data stored on PDAs and USB memory sticks). In these
instances, policy should dictate audits and compliance. In all cases, as with other
capital items, media classified as an asset should be tagged and monitored as such.
It is the opinion of the authors of this paper that, particularly for smaller to medium
sized organizations, it is not practical to “manage” use of USB memory devices, and
other such personal items (e.g. cell phones) through IS based process. Rather these
devices should be subject to policy based control supported by random audits.
ii. Personally Provided Portable Media: The market space has literally become littered
with inexpensive portable media. This includes but is not limited to CDs, DVDs, and
portable hard disk drives (HDD), with many of these replacing the earlier magnetic
media of diskettes and related devices. USB or “thumb drives” have reached a price
point where they are literally being given away at various professional settings, and
even laptops are approaching price points around $500. Recognizing that absolute
control over these devices is impractical, particularly given ever constrained budget resources as
well as staff time, the following are offered as guidelines on allowing and managing
these “personally provided” portable media in the work place.
iii. Securing Portable Media: As part of an organizational policy related to appropriate
use of portable media, whether personally or organizationally provided, the
following components are recommended for inclusion. Users of such portable media
(e.g. PDA, USB drives, etc. as described earlier) for the storage of PHI or other
sensitive information should:
1. Encrypt all such devices or at a minimum all such files that contain these types of
sensitive information. Appendix III is provided as a sample procedure in
applying document specific passwords.
a. There are a variety of “standards” related to encryption, including the Data
Encryption Standard (DES), adopted by the United States, Secure Sockets
Layer (SSL), a commonly employed encryption methodology associated with
the Internet, and other commercially available solutions such as Pretty Good
Privacy (PGP). This is not intended as a recommendation of these
approaches, nor as an inclusive list, but merely a brief introduction to some
readily applied encryption approaches. Regardless of the tool used,
encryption is fundamentally applying a known “key” to “scramble” the bits
that make up data elements. This “scrambling” is held until access by an
authorized recipient/user is undertaken by applying the appropriate “key” to
“unscramble” the bits to their original order, revealing the original message.
b. Many of the portable media addressed in this document employ their own
methods of encrypting the data contained within the portable media. For
example, many USB Flash Drives incorporate a “security” tool, allowing the
user to “encrypt” the contents of the drive. Adoption of a standardized
approach to data encryption within an organization is encouraged as one
means of protecting the contents of portable media. Individual users may also
apply their own encryption schemes. While effectively securing a device, this
independent approach effectively excludes the organization’s IT services from
assisting in recovering data encrypted and having the “key” lost or forgotten.
c. The dynamics of this security/encryption industry prevent establishing a
“preferred list” of possible solutions to the encryption challenge. The reader
and organizations considering using encryption for portable media are
encouraged to research and select a tool that best integrates with other security
measures (e.g. laptops, e-mail) of the organization.
d. It should be noted that, to the knowledge of the authors, devices such as
digital cameras and digital video cameras do not inherently provide data
encryption capabilities incorporated with the device. Data acquired through
the use of these devices should be downloaded to a media where encryption
capabilities are available and applied and the source data on the camera
deleted in a timely manner to prevent unauthorized access. Procedural steps
should be defined and implemented organizationally to either:
i. Incorporate patient identifiers in each image, or
ii. Download images to the patient chart if electronic, or
iii. Print for inclusion in the paper chart after affixing the appropriate patient
identifier to each image once the images for each patient are acquired, and then
delete all images from the camera, thereby eliminating the potential of
intermixing images from multiple patients.
2. Ensure that a network based backup of all such data is completed on a regular
basis to protect against the loss of data and to ensure an audit trail of data
contained on these devices in the event of a loss.
3. Submit these devices on demand for the purposes of conducting audits of the
security/encryption that is in place on these devices.
4. In the event of termination, submit all such devices that are personally owned for
removal of organizationally sensitive/protected data and return all
organizationally provided devices and media. In the case of CD/DVD media that
was personally provided, all such media should be returned to [Healthcare
Organization].
5. Ensure that all files or media (e.g. CD, DVD) containing PHI or other
organizationally sensitive data are destroyed in compliance with [Healthcare
Organization’s] policy on destruction of such data/media.
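Items 1.a and 1.b above describe encryption as applying a key to scramble bits, and warn that a user-chosen scheme leaves the organization’s IT services unable to recover data once the key is lost. The following Python program is an added illustration of the recommended alternative, an organizational scheme with a recovery path; it is not HIPAA COW’s code and not a product the paper names. The cipher inside it is a didactic encrypt-then-MAC construction built from HMAC-SHA256 (assumed here so the example runs on the standard library alone); a deployed tool would use a vetted standard cipher such as AES-GCM from a maintained library. The escrow pattern is the point: each file is encrypted under a random data key, and that data key is wrapped twice, once under the user’s passphrase and once under an organizational recovery key held by the Security Officer.

```python
"""Illustrative file protection for portable media with organizational key escrow.

Constructed example. The HMAC-SHA256 stream cipher below stands in for a real
cipher so the program runs with only the standard library; the escrow layout
is what the paper's items 1.a/1.b call for.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ROUNDS = 200_000  # assumed iteration count; set per local password policy


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive distinct encryption and MAC keys from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: concatenated HMAC(key, nonce || counter) blocks."""
    blocks, total, counter = [], 0, 0
    while total < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        blocks.append(block)
        total += len(block)
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or altered data raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or modified data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def derive_user_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the user's passphrase into a key-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ROUNDS)


def protect_file(plaintext: bytes, passphrase: str, org_recovery_key: bytes) -> dict:
    """Encrypt under a fresh data key and wrap that key for both the user and the organization."""
    data_key = os.urandom(32)
    salt = os.urandom(16)
    return {
        "salt": salt,
        "key_for_user": seal(derive_user_key(passphrase, salt), data_key),
        "key_for_org": seal(org_recovery_key, data_key),
        "ciphertext": seal(data_key, plaintext),
    }


def recover_with_passphrase(package: dict, passphrase: str) -> bytes:
    """Normal user access path."""
    data_key = unseal(derive_user_key(passphrase, package["salt"]), package["key_for_user"])
    return unseal(data_key, package["ciphertext"])


def recover_with_org_key(package: dict, org_recovery_key: bytes) -> bytes:
    """IT recovery path that a user-chosen, unescrowed scheme would not have."""
    data_key = unseal(org_recovery_key, package["key_for_org"])
    return unseal(data_key, package["ciphertext"])


if __name__ == "__main__":
    org_key = os.urandom(32)  # constructed; in practice held by the Security Officer
    pkg = protect_file(b"Clinic schedule (constructed sample)", "correct horse battery", org_key)
    print(recover_with_passphrase(pkg, "correct horse battery"))
    print(recover_with_org_key(pkg, org_key))
```

Because the tag is checked before any decryption, a forgotten or mistyped passphrase fails cleanly instead of yielding garbage, and the organizational path still recovers the file; the recovery key itself should never travel on the portable device.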
iv. Portable Computer Inventory - The authors recommend the establishment and use of
an inventory list to identify organizationally provided portable media for reference in
the event of loss or theft of such devices, or termination of the employee to whom
such devices were assigned. Appendix I is provided as an example of such an
inventory list.
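Item 2 above asks for a regular network based backup that doubles as an audit trail of what a device held, and item iv asks for an inventory of organizationally provided devices. The following Python program is an added example of how those two fit together; it is not part of the paper or of the Appendix I form. It hashes every file on a device into a manifest keyed by the device’s inventory asset tag (the tag value is a placeholder), so that after a loss the organization can state which files were on the device, and a later manifest can be compared to report what changed between backups.

```python
"""Content manifest for an organizationally provided portable device (constructed example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large media do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(device_root: str, asset_tag: str) -> dict:
    """Record relative path, size and SHA-256 of every file under the device root."""
    root = Path(device_root)
    files = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        relative = path.relative_to(root).as_posix()
        files[relative] = {"size": path.stat().st_size, "sha256": sha256_file(path)}
    return {"asset_tag": asset_tag, "files": files}


def diff_manifests(old: dict, new: dict) -> dict:
    """Report files added, removed or changed since the previous backup."""
    old_files, new_files = old["files"], new["files"]
    common = set(old_files) & set(new_files)
    return {
        "added": sorted(set(new_files) - set(old_files)),
        "removed": sorted(set(old_files) - set(new_files)),
        "changed": sorted(p for p in common if old_files[p]["sha256"] != new_files[p]["sha256"]),
    }


def save_manifest(manifest: dict, path: str) -> None:
    """Persist the manifest on the organizational network, not on the device."""
    with open(path, "w", encoding="utf-8") as handle:
        json.dump(manifest, handle, indent=2, sort_keys=True)


def demo() -> dict:
    """Build manifests for a constructed sample device tree and diff two snapshots."""
    with tempfile.TemporaryDirectory() as usb:
        root = Path(usb)
        (root / "clinic").mkdir()
        (root / "clinic" / "schedule.csv").write_bytes(b"abc")
        before = build_manifest(usb, "USB-0001")  # asset tag is a placeholder
        (root / "clinic" / "schedule.csv").write_bytes(b"abcd")
        (root / "notes.txt").write_bytes(b"new file")
        after = build_manifest(usb, "USB-0001")
        return {"before": before, "after": after, "diff": diff_manifests(before, after)}


if __name__ == "__main__":
    print(json.dumps(demo()["diff"], indent=2))
```

The manifest deliberately stores hashes rather than content: it lets the organization prove what was on a lost device without creating a second copy of the PHI outside the backup.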
C. Portable Media Loss
In the event of the loss of a portable media device, the [Healthcare Organization] should
take the following actions:
i. Activate the [Healthcare Organization’s] loss disclosure process and associated
paperwork. (Reference HIPAA Collaborative of Wisconsin Contingency Planning
Policy http://hipaacow.org/Docs/SecurityGrid/DataManagement8.doc )
ii. Complete the sample “externally discovered” disclosure report form (Reference
HIPAA Collaborative of Wisconsin Security Incident Response Policy
http://hipaacow.org/Docs/SecurityGrid/secincidentresponse807112005.doc ).
iii. Assess the protected health information potential loss related to the reported media
loss. Keep in mind that timely communication with those impacted, or believed to
have been impacted, helps to maintain a strong relationship with these people.
iv. Initiate patient and/or employee notification procedures. (Reference HIPAA
Collaborative of Wisconsin Security Incident Response Policy
http://www.hipaacow.org/Docs/SecurityGrid/secincidentresponse807112005.doc ).
D. Portable Media Loss Contact Process and Information
Members of the IS Solutions Center shall be contacted immediately once the loss of a
portable device has occurred. The following information should be provided at the time
of contact:
i. A brief description of the loss, including the device, the information content of the
device, and the status of security on the device.
ii. Location, date and time of the loss.
iii. Phone numbers for the IS Support Team, Security Officer and Privacy Officer.
1. Identification of immediate support requirements (e.g. for BlackBerry®
devices, these may be “disabled” through local network controls). (Reference
HIPAA Collaborative of Wisconsin Security Incident Response Policy
http://www.hipaacow.org/Docs/SecurityGrid/secincidentresponse807112005.doc ).
A sample Portable Media Loss tracking sheet is provided in Appendix II.
E. Media/Public Relations
Organizations should refer to their own media relations/public relations protocols related
to discovery and reporting of loss of portable media and possible disclosure of PHI.
i. The organization’s designated media relations contact should serve as a liaison
between the organization and the news media (or a single point of contact for the
news media). This will eliminate the need to involve the Information Services and
HIPAA Security Teams, allowing them to assess the scope of the loss or disclosure.
The IS leader, Privacy Officer or Security Officer should be prepared to share
information with the media relations contact. Key considerations when working with
the media relations contact person or the news media include:
1. Ensuring that the contact has a clear understanding of the technical issues so that
they may communicate effectively and accurately with the press. False or
misleading information may ultimately cause more damage to the organization’s
reputation.
2. Contacting the organization’s legal counsel if unsure of legal issues.
3. Establishing a single point of contact (if no official media relations contact person
exists) when working with the news media to ensure that all inquiries and
statements are coordinated.
4. Keeping the level of technical detail low – do not provide attackers with
information.
5. Being as accurate as possible.
6. Avoiding speculation.
7. Ensuring that any details about the incident that may be used as evidence are not
disclosed without the approval of investigative agencies.
8. Contacting the Privacy Officer, Security Officer, Chief Information Officer and/or HIS Director if information released to the media needs to contain patient-specific information, to ensure that the required authorizations are in place prior to the release.
F. Related Organizational Policies
It is appropriate to note that any attempt to establish a policy related to control of portable
media should be undertaken in conjunction with other organizational policies and
procedures on the following topics.
i. Appropriate use of electronic communications and related equipment, including language, either in this policy or a related document, that discusses sanctions for breach of appropriate use or other related IT or protected health information policies.
ii. Destruction of media, including portable and back up media.
iii. Operating System and related software patch management, virus protection updates,
spyware detection and resolution updates.
iv. Remote access, including impact of remote access as an alternative to use of portable
media, or the use of portable media as an alternative to remote access.
v. Authentication and/or password procedures, which may be addressed in electronic
communications and access.
G. Securing/Encrypting/Password Protection
The dynamics of this industry prohibit effectively listing or maintaining possible
commercial solutions. Readers and those who are preparing to establish policies for their
organizations should perform an independent search and review of current vendors
providing and supporting software encryption options for various portable media. The
reader is again referred to a draft procedure on applying passwords to specific documents
provided in Appendix III. (Reference HIPAA Collaborative of Wisconsin Security
Incident Response Policy)
H. Law Enforcement/Government Agency Contact Information
In the event of the loss of any such media, organizations should consider contacting any or all of the following agencies to report the loss of portable computers and/or the disclosure of ePHI.
Agency
Police Department
Sheriff’s Department
State Patrol
State’s Department of Health and Family Services or equivalent state government office
Office for Civil Rights
Federal Bureau of Investigation
U.S. Secret Service
Authored by:
 HIPAA COW Security Networking Group
APPENDIX I
PORTABLE MEDIA INVENTORY
Device Asset Tag No. | Device Serial No. | Device Description | Employee Name | Employee ID Number | Department | Date Assigned | Date Returned | Dates of Audit
It may be appropriate to assess when these devices, depending on device type, were last scanned for viruses/spyware and/or, in the case of laptops, last connected to the organizational network for the purpose of scanning or upgrading such virus protection software.
APPENDIX II
PORTABLE MEDIA LOSS REPORTING FORM
Portable Media Loss Reporting Form (1)
Incident Detector’s Information:
Name:
Title:
Phone/Contact Info:
Date/Time Detected:
Location:
System/Application:
INCIDENT SUMMARY
Type of Incident Detected:
[ ] Theft
[ ] Loss
[ ] Unauthorized Use/Disclosure
[ ] Other:
Description of Incident:
TYPE OF DEVICE
[ ] Laptop, Tablet and other portable computers
[ ] PDA
[ ] BlackBerry®
[ ] USB or “Thumb Drive”
[ ] Zip disks, CD, DVD, optical disks, magnetic tape and similar media
[ ] MP3 Players (e.g. iPod®)
[ ] Cell phones, mobile phones and alphanumeric pagers
[ ] Portable Dictation Device
[ ] Digital Camera
[ ] Portable/removable Hard Disk Drives
INCIDENT NOTIFICATION
[ ] IS Leadership
[ ] Security Incident Response Team
[ ] Administration
[ ] Law Enforcement
[ ] Public Affairs
[ ] Legal Counsel
[ ] Other:
ACTIONS (Include Start & Stop Times)
Identification Measures (Incident Verified, Assessed, Options Evaluated):
(1) This form has been developed as a working tool for assessment and improvement activities; it is intended for internal use only.
PORTABLE DEVICE CONTENT:
SECURITY MEASURES EMPLOYED ON DEVICE:
FOLLOW-UP
Review By (Organization to determine):
[ ] Security Officer
[ ] Other:
Recommended Actions Carried Out:
[ ] IS Department/Team
Initial Report Completed By:
Follow-Up Completed By:
APPENDIX III
SAMPLE PROCEDURE FOR DOCUMENT PASSWORD PROTECTION
PROCEDURE #:
SUBJECT:
PASSWORD PROTECTING FILES DOWNLOADED OR WRITTEN
TO REMOVABLE MEDIA (USB Drive, or Optical Disk)
PROFICIENCY:
ALL [HEALTHCARE ORGANIZATION] PC USERS
PROCEDURE:
[HEALTHCARE ORGANIZATION] Password Protection Documentation
Excel, Word, Access, & Powerpoint Files
1. Open the FILE that you wish to save onto portable media.
2. Attach your portable media to the computer, or load a CD/DVD into the appropriate
drive.
3. Click on the word “FILE” in the upper left corner of the toolbar. Then select “SAVE
AS”. The window seen below will open.
4. Select the appropriate drive letter for portable media drive as the Save In location.
5. Type in the file name.
6. Click on the word “TOOLS” in the upper right corner of the Save As window.
7. Select “General Options”.
8. Type a password in the “Password to open” box. Be sure that the password is at least 8 characters long. Click “OK”.
9. You may be prompted to re-enter the password.
10. Click on Save.
11. When you, or anyone, tries to open the file you saved, they will be prompted for the password. The file cannot be opened without the password. Do not share this password with anyone, unless they are authorized to access the file according to [ORGANIZATION’s] access policies.
All Other Files (Using WinZip)
1. To password protect all other files, you need to use an application called WinZip. To run
this program, click on your “START” button in the lower left corner of your screen.
Select WinZip.
2. The following window will open.
3. Click on the “NEW” button in the upper left corner of the window. A New Archive window will open.
4. Click on the down arrow by “SAVE IN” and select “3 ½ Floppy A” or the appropriate drive letter for the USB (removable) drive.
5. Name the file anything you wish.
6. Click “OK” and the next window will open.
7. Click the “Encrypt added files” checkbox. You now need to browse to or find the file(s) that you want to put on the portable media. Then click the “ADD” button.
8. The following caution box will appear. Click the “OK” button.
9. You will be prompted to enter the password. Be sure that it is at least 8 characters in length.
10. You will also need to re-enter the password for confirmation.
11. Check the “Mask Password” box. Then click “OK”.
12. Select “File” and then “Close”.
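The WinZip steps above only protect the files if the “Encrypt added files” box was actually checked. The following Python example is added here and is not part of the white paper or of WinZip; it parses a ZIP archive’s central directory and reports, per entry, whether the encryption bit is set and whether the entry uses WinZip’s AES method (method 99), so an organization can verify an archive before it leaves on removable media. The file name and archive contents are constructed samples, and the fixture builder only marks an entry as encrypted without encrypting anything.

```python
import struct
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
WINZIP_AES_METHOD = 99  # compression-method value WinZip records for its AES-encrypted entries

def build_stored_zip(name: bytes, payload: bytes, flags: int = 0, method: int = 0) -> bytes:
    # Constructed fixture: one uncompressed entry. flags=1 only *marks* the entry as
    # encrypted so the check below has something to detect; nothing is really encrypted.
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    local = LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, flags, method, 0, 0, crc,
                                    len(payload), len(payload), len(name), 0) + name
    central = CENTRAL_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, flags, method, 0, 0,
                                        crc, len(payload), len(payload), len(name),
                                        0, 0, 0, 0, 0, 0) + name
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central),
                                  len(local) + len(payload), 0)
    return local + payload + central + eocd

def zip_entry_protection(data: bytes) -> list:
    # Walk the central directory; bit 0 of the general-purpose flags is the
    # "entry is encrypted" bit, and method 99 means WinZip AES rather than legacy ZipCrypto.
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP archive: end-of-central-directory record missing")
    total_entries, _cd_size, pos = struct.unpack("<HII", data[eocd + 10:eocd + 20])
    entries = []
    for _ in range(total_entries):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("corrupt central directory")
        flags, method = struct.unpack("<HH", data[pos + 8:pos + 12])
        nlen, elen, clen = struct.unpack("<HHH", data[pos + 28:pos + 34])
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        entries.append({"name": name, "encrypted": bool(flags & 1),
                        "winzip_aes": method == WINZIP_AES_METHOD})
        pos += 46 + nlen + elen + clen
    return entries

def all_entries_protected(data: bytes) -> bool:
    # An empty archive is not "protected"; every entry must carry the encryption bit.
    entries = zip_entry_protection(data)
    return bool(entries) and all(e["encrypted"] for e in entries)

# Constructed samples: a plain archive and one whose entry is marked WinZip-AES encrypted.
PLAIN = build_stored_zip(b"patient-list.csv", b"constructed,sample,data\n")
MARKED = build_stored_zip(b"patient-list.csv", b"\x00" * 24, flags=1, method=WINZIP_AES_METHOD)

if __name__ == "__main__":
    for label, archive in (("plain", PLAIN), ("marked", MARKED)):
        print(label, all_entries_protected(archive), zip_entry_protection(archive))
```

The encryption bit says only that a password was applied, not how strong the scheme is; the method value distinguishes WinZip AES from the older ZipCrypto scheme.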