2017 Spring Convention
Privacy Protection
Written Information Security Plan (WISP)
Layla D’Emilia, Esq.
CEU Credit
Please scan IN at the start of class
Please scan OUT at the end of class
You must attend the entire session to earn your credit(s) for this class
Introduction
Layla D’Emilia
Indigo Consulting, Compliance, and Training, LLC
References:
http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf
http://www.mass.gov/ocabr/docs/idtheft/compliance-checklist.pdf
http://www.mass.gov/ocabr/docs/idtheft/sec-plan-smallbiz-guide.pdf
https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93h
Consumer Reports
Background
201 CMR 17.00 sets forth the regulatory scheme implementing the underlying statute, M.G.L. c. 93H (Security Breaches).
Each business is required by Massachusetts law to evaluate security risks and solutions in relation to the size, scope and nature of the business and the attendant risks of unauthorized access to or use of personal information.
This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records.
The objectives of this regulation are to ensure the security and confidentiality of customer information in a manner fully consistent with industry standards; to protect against anticipated threats or hazards to the security or integrity of such information; and to protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.
Purpose of a WISP
Ensure the security and confidentiality of personal information;
Protect against any anticipated threats or hazards to the security or integrity of such information;
Protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.
Scope of a WISP
In formulating and implementing the WISP:
(1) identify reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information;
(2) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of the personal information;
(3) evaluate the sufficiency of existing policies, procedures, customer information systems, and other safeguards in place to control risks;
(4) design and implement a WISP that puts safeguards in place to minimize those risks, consistent with the requirements of 201 CMR 17.00; and
(5) regularly monitor the effectiveness of those safeguards.
Proper Procedures
In your written security plan, designate a ‘data security coordinator’ who will be responsible for:
Initial implementation of the WISP;
Training employees;
Regular testing of the WISP’s safeguards;
Evaluating the ability of third-party service providers to implement and maintain appropriate security measures for the personal information to which you have permitted them access, consistent with 201 CMR 17.00, and requiring such third-party service providers by contract to implement and maintain appropriate security measures; and
Reviewing the scope of the security measures in the WISP at least annually, or whenever there is a material change in your business practices that may implicate the security or integrity of records containing personal information.
Conduct an annual training session on the elements of the WISP for all owners, managers, employees and independent contractors, including temporary and contract employees who have access to personal information.
All attendees at such training sessions are required to certify their attendance at the training, and their familiarity with the firm’s requirements for ensuring the protection of personal information.
Combating Internal Risks
A copy of the WISP MUST be given to each employee, who shall acknowledge receipt.
If you have not had a WISP before and are distributing one for the first time, YOU MUST retrain all employees on its provisions.
Any employment contracts should be amended accordingly.
The amount of personal information (PI) collected shall be limited to what is reasonably required to accomplish the legitimate business purpose.
Access to records containing PI shall be limited to those persons reasonably required to know the information.
Electronic access to a user ID must be blocked after multiple unsuccessful attempts to gain access.
Combating Internal Risks
Security measures must be reviewed annually OR whenever there is a material change in your business practice that may implicate the security or integrity of your records containing PI.
Terminated employees must return ALL records containing PI, in any form (stored on laptops, tablets, in files, etc.).
Current employees’ user IDs and passwords must be changed periodically.
Access to PI should be restricted to active users and active accounts only.
Employees should be encouraged to report any unauthorized or suspicious use of patient information.
Do not let employees leave files open on their desks when they are away from their desks.
At the end of the day, files should be secured in a locked cabinet or secure storage area.
Combating Internal Risks
Access to electronic PI shall be limited to employees having a unique login ID, and re-login shall be required when a computer has been inactive for more than a few minutes.
Visitor access MUST be restricted to one entry point for each building where PI is stored, and visitors shall be required to show a PHOTO ID, sign in and wear a visible GUEST badge.
Visitors shall not be permitted to visit unescorted any area within your premises that contains PI.
Paper or electronic records containing PI shall be disposed of only in a manner that complies with M.G.L. c. 93I (Dispositions and Destruction of Records).
Combating External Risks
Reasonably up-to-date firewall protection and operating system security patches installed on all systems processing PI
Reasonably up-to-date versions of system security agent software, which MUST include malware protection and reasonably up-to-date patches and virus definitions, installed on all systems processing PI
All PI stored on laptops or other portable devices must be encrypted, and all records and files containing PI transmitted across public networks or wirelessly MUST be encrypted
All computer systems MUST be monitored for unauthorized use of or access to PI
There MUST be secure user authentication protocols in place:
Protocols for control over user IDs
A secure method of selecting passwords or unique identifiers
Control of data security passwords to ensure that passwords are kept in a location
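As an added example (not part of the presentation or of the regulation text), a small Python check that records per-system settings and reports which of the 201 CMR 17.00 safeguards listed on these slides (lockout after failed logins, re-login after inactivity, firewall, patches, malware protection, encryption on portable devices, monitoring) are missing. The numeric thresholds, system names and values are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Thresholds are this example's assumptions; the regulation says only "reasonably up to date" and "more than a few minutes".
MAX_PATCH_AGE_DAYS = 30       # OS security patches
MAX_DEFINITION_AGE_DAYS = 7   # malware / virus definitions
MAX_FAILED_LOGINS = 10        # block the user ID after this many failures
MAX_IDLE_MINUTES = 15         # require re-login after this much inactivity

@dataclass
class SystemRecord:
    name: str
    portable: bool            # laptop or other portable device
    disk_encrypted: bool      # PI at rest is encrypted
    firewall_enabled: bool
    patch_age_days: int       # days since the last OS security patch
    av_installed: bool        # malware protection present
    definition_age_days: int  # days since the last virus definition update
    lockout_threshold: int    # failed logins before the ID is blocked; 0 = never
    idle_timeout_min: int     # minutes of inactivity before re-login; 0 = never
    monitored: bool           # monitored for unauthorized use of or access to PI

def audit_system(s: SystemRecord) -> list:
    """Return the safeguard gaps found for one system processing PI (empty = none)."""
    gaps = []
    if not s.firewall_enabled:
        gaps.append("firewall not enabled")
    if s.patch_age_days > MAX_PATCH_AGE_DAYS:
        gaps.append(f"OS security patches {s.patch_age_days} days old")
    if not s.av_installed:
        gaps.append("no malware protection installed")
    elif s.definition_age_days > MAX_DEFINITION_AGE_DAYS:
        gaps.append(f"virus definitions {s.definition_age_days} days old")
    if s.portable and not s.disk_encrypted:
        gaps.append("PI on portable device is not encrypted")
    if not 0 < s.lockout_threshold <= MAX_FAILED_LOGINS:
        gaps.append("user ID not blocked after repeated failed logins")
    if not 0 < s.idle_timeout_min <= MAX_IDLE_MINUTES:
        gaps.append("no re-login required after inactivity")
    if not s.monitored:
        gaps.append("not monitored for unauthorized access to PI")
    return gaps

# Constructed inventory of systems processing PI; names and values are made up.
INVENTORY = [
    SystemRecord("front-desk-pc", False, False, True, 12, True, 2, 5, 10, True),
    SystemRecord("billing-laptop", True, False, True, 95, True, 30, 0, 0, False),
]

def audit_inventory(inventory) -> dict:
    return {s.name: audit_system(s) for s in inventory}
```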
Medical Identity Theft/Breaches
http://www.consumerreports.org/medical-identity-theft/medical-identity-theft/
There were an estimated 481,657 new cases of medical identity theft reported between 2013 and 2014, an increase of almost 22% (Ponemon Institute)
Medical identity theft is more difficult to detect than financial fraud and easier to hide for longer periods of time
A few ways to talk to your patients so that they are aware and can safeguard their medical privacy:
Tell them to check their explanation of benefits
Carefully read all health insurer and provider correspondence for accuracy and for bills for services you don’t recognize
Review credit reports for unfamiliar debts
Don’t post news of upcoming surgeries
Medical Identity Theft/Breaches
Almost half of medical identity theft occurs when a family member takes a relative’s health insurance card or another ID, or when people knowingly share their health information or IDs with someone they know
A Ponemon Institute survey found that 10% of medical identity theft cases were the result of a healthcare provider or insurer data breach
12% were tricked into giving up personal information via a fake email or phony website
BUT 47% said their medical ID theft was perpetrated by a relative or someone they knew
Some shared willingly; this is called ‘friendly fraud’
Effects of Medical Identity Theft
Costs victims
Time, Money ($$) and Aggravation
A 2016 report from Javelin Strategy & Research found that an average identity fraud victim spent only $55 to resolve a financial account problem in 2015, BUT
65% of the medical identity theft victims surveyed by Ponemon said they spent an average of $13,500 to pay healthcare bills run up in their name, to recover their health insurance and to pay lawyers’ fees
It took an average of more than 3 months to even detect the fraud and more than 200 hours to undo the mess
Detecting Medical Identity Theft
Read your medical and insurance statements regularly and completely
Check the name of the provider, date of service, and service provided
If you see a mistake, call your health plan and report the problem
Other signs of theft include:
A bill for medical services you didn’t receive
A call from a debt collector about a medical debt you don’t owe
Medical collection notices on your credit report
A notice from your health plan saying you reached your benefit limit
A denial of insurance because your medical records show a condition you don’t have
Correcting Mistakes in a Medical Record
Get copies of your medical record and check for errors (federal law gives you the right to inspect it)
Get an accounting of disclosures: ask your health plan and medical provider for a copy of the accounting of disclosures (this should list who got copies of your records from the provider; the law allows one free copy every 12 months)
The accounting of disclosures details:
What medical information the provider sent
When it sent the information
Who got the information
Why the information was sent
Correcting Mistakes in a Medical Record
Ask for corrections
Write to your health plan and medical providers and explain which information is not accurate
Send copies of documents that support your position
Include a copy of the medical record and circle the disputed items
Ask the provider to correct or delete the error
Send the letter by certified mail with return receipt for your records
The health plan or medical provider that made the mistake must change the information and inform labs, other health care providers and anyone else that might have received the wrong information. If the health plan or medical provider won’t make the changes, ask to have a statement of your dispute included in the record.
Protecting your medical information
Be wary if someone offers ‘free’ health services or products but requires you to provide your health ID
Medical identity thieves pretend to work for an insurance company, doctor’s office, clinic or pharmacy to try to trick people into revealing sensitive information
Don’t share medical or insurance information by phone or email unless you initiated the contact and know who you are dealing with
Keep paper and electronic medical records in a safe place
Shred outdated health information forms, prescriptions, physician statements and labels from prescription bottles before you throw them out
Before providing any PI to a website, find out why it’s needed, how it will be kept safe, and whether it will be shared and with whom
Read the privacy policy statements
If you do decide to share, look for a lock icon in the browser’s status bar OR a URL that begins with “https:”; the “s” stands for SECURE
Health Care Breaches
The Massachusetts Attorney General has indicated that merely having a WISP is not enough to comply with the Massachusetts data security regulations
The AG’s message is that having a plan on paper is not enough on its own; you must also have day-to-day practices that are in compliance
Types of data breaches that have occurred:
Lost and stolen: Emory Healthcare in Georgia revealed that it lost 10 computer disks containing the Social Security numbers of about 315K surgical patients
Hacker attacks: the Utah Dept. of Technology published a breach of a server that housed the Medicaid claims of 780K patients; hackers suspected to be from Eastern Europe were able to circumvent the security system of the server where the data was stored
Malicious insiders: the South Carolina Dept. of HHS revealed a major Medicaid data breach affecting the protected health information of more than 228K Medicaid beneficiaries; they discovered that an employee, since terminated, had transferred spreadsheets containing PI to a personal email account
Causes of Data Breaches
Mobile devices: loss of laptops, computers, hard drives, backup tapes or other portable media containing PI (list some Examples)
Malicious insiders: on the rise and a serious security threat to sensitive information; individuals abusing their privileges have caused security breaches and failures (Examples)
Inadvertent postings on websites and other disclosures: careless handling of PI, particularly Social Security numbers, which are often exposed in postal mailings; data may be posted on websites where it is accessible to those who are not intended to have access
Cloud computing risks: cloud environments afford increased flexibility and efficiency, but they also increase risk because the data is usually held offsite by a third-party vendor
General Overview of Legal Requirements
HIPAA Privacy Rule and Security Rule
HITECH: the federal data breach notification law
Individual state data breach notification laws: 46 states have enacted legislation requiring notification of individuals whose PI may have been affected by a security breach
CA was the first state to enact such a law
Massachusetts and Nevada have expanded their notification laws to require substantial security measures:
Massachusetts requires any firm conducting business with state residents to develop a comprehensive information security program: use encryption, adopt a risk-based approach to ensuring security, and protect against data leakage.
Nevada has taken the additional step of requiring holders of credit card and PI in a computer information system to comply with professional standards promulgated by the Payment Card Industry council; businesses are required to encrypt all transmissions of PI.
Questions?
CEU Credits Reminder
Please scan OUT as you leave
If you are staying in this classroom for the next session, you must have your badge scanned OUT for this session and scanned IN for the next session
Thank you!
Mark & Paul