Privacy & Information Security Tackling Trends & Threats - PDF document

Privacy & Information Security Tackling Trends & Threats December 12, 2014 Norma A. Chitvanni RHIT, CHPS nchitvan@bidmc.harvard.edu Agenda  Omnibus Rule Pay Out of Pocket 2013  Mobile clinical equipment  Email security  Training & Education  Keep Information Private (KIP)  Phishing  Business Associates  OCR Audits  Information Security and Privacy committee  You Know Me Video 1

Omnibus-Pay out of Pocket  Restriction for pay out of pocket for services  Challenging process  May be for partial services  Different from self pay  Ensure no release to insurance company  Payment, at time of service or later  Request each time Mobile Clinical Equipment  Stolen ultrasound machine  Patients notified  Locator device  Patient information stored on the machine  Reported breach to OCR  Formed a task force  Policy development  Education 2

Secure Transmission of Email  Send Secure-encryption of emails Use # Secure before subject  Proof Point system  Monitoring of emails  Feedback to staff  Friendly encryption message-PFAC  Transport Layer Security Connection  Secure File Transfer for large files Training & Education Information Security & Privacy  Annual Mandatory education  Includes test and attestation  New Employee Orientation, IS&P training  Learning Management System (LMS)  Monitoring of completion of training  Corrective Action modules  Keep Information Private (KIP) Annual Awareness Campaign 3

KIP Awareness Campaign  Posters  Tent Cards for cafeteria tables  Labels on food containers  Handouts  Plasma screen displays  Focus on Phishing  Logo 4

5

Phishing  Focus on Phishing Used props during the campaign to boost awareness  Handouts-Phishing –FAQ’s  Bowl of Swedish Fish & Gold Fish  Raffle/ drawing for box of Swedish Fish  Fishing rods-Melissa and Doug  Campaign video Business Associate Agreements  New Omnibus Requirements Effective date March 26, 2013 Compliance date September 23, 2013  Existing BAAs could continue to operate for a one year period from the compliance date (September 22, 2014)  Perform BAA audits/ reviews 6

OCR Audit 169 Items 78 Security 81 Privacy 10 Breach Performed mock audit on the Privacy and Breach items. Readiness Binder and electronic folder Annual review / check the OCR website Information Security & Privacy Committee (IS&P)  Consists of 32 members  Meets Monthly  Addresses IS&P issues  Approves Policies  Discuss Breaches  Creates Policies  Identifies issues, creates task force  Reports back to IS&P  Reports to Management Compliance Audit & Risk Com.  Reports to Board Compliance Audit and Risk Com. 7

“You Know Me” Video  Patient Family Advisory Committee  Sent to all workforce  Included in our New Employee Orientation  Introduced our Information Security and Privacy Intranet site  Award winning-MaHIMA-Team Excellence Award 2013  New England Society for Healthcare communications-Silver Lamplighter Award  Video 8