We are a large public university medical system with nine hospitals and 10,000 employees. We are also working on policies to address this. We have received numerous requests to share PHI over the internet from public health agencies. What we have established in the interim is that no PHI may traverse an open circuit (i.e. a circuit whose access is not controlled by our Information Security department) unencrypted. The standard for open circuit encryption is PKI. We send some lab values via Secure FTP and HIV data that is being sent via S-MIME. This is just a stopgap measure to prevent more holes from being created.
As we see it, the approach must be comprehensive. It starts with a non-disclosure policy that is signed by all employees. Next, a strong user management policy must be in place to ensure that the system is configured to allow only the access a person needs to do their job. You must also have an information classification policy. We are looking at having four levels: one for public information like promotional and marketing material, one for internal operations information (e.g. JCAHO preparation), one for sensitive data, which would include PHI and HR information, and one for extremely sensitive data such as HIV status and mental health. All classifications except for public would include a need-to-know requirement. The email policy should contain a clause that any email containing sensitive or extremely sensitive data must be encrypted using S-MIME. Finally, an appropriate use policy describes the types of system uses that are forbidden. All policies include sanctions which fit the disciplinary approach of the organization. We feel that these four policies give managers the tools they need to act upon any disclosure or risk of disclosure. But the managers and staff need training. Managers and staff need training in the importance of confidentiality and security. Additionally, managers need training in how to deal with behavior that breaches confidentiality. The non-disclosure policy covers everyone, even the housekeeper who overhears something in the hall. The classification policy tells you when to use which security precautions and need-to-know. The email policy provides information on how it is used with regard to sensitive or extremely sensitive information. The appropriate use policy addresses the internal user abusing their privileges. The pitfalls we see are numerous. The quality of managers varies greatly throughout the organization, as does the quality of the employees.
We even have department heads who question the need for confidentiality and security at all. So even if good policies are in place, it is no guarantee they will be enforced consistently. Just getting people to attend the training sessions is a challenge. We are performing IDS and vulnerability scans. Logs are still reviewed manually and we are investigating automated tools to perform this function more frequently and more widely than is done now. We are still wrestling with these and other details, but this appears to be the simplest and most comprehensive approach. I'd be interested in anyone's comments.

Roy G. Clay, III
HIPAA Security Project Coordinator
Health Care Services Division
Phone: (504) 568-6130
Email: [EMAIL PROTECTED]

-----Original Message-----
From: Chris Riley [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 7:13 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Securing E-mail

Bob,

The FBI 2001 Computer Crime and Security Survey says that over 40% of organizational computer security incidents came from inside the organization, so it is probably not a good assumption that security controls can be more lax on an internal network. Plain vanilla email does nothing to address the confidentiality and integrity issues you've pointed out, so adopting some control for protecting PHI is a prudent idea. One simple way to protect confidentiality and integrity is through encryption, although the management of the encryption keys can be extremely complex based on the size of the organization. Other approaches include the use of a PKI such as a secure web-based email system. As I see it, the real issue is whether or not email can be used at all with PHI. Email follows a discretionary access control model, which means I can share any information I have access to at my discretion, and so there are really no controls in place to ensure confidentiality. I would be very interested to hear others' opinions and approaches on this topic.

--
Chris Riley, CISSP
Information Tool Designers Inc.
Secure Virtual Office Solutions
http://aegis.info-tools.com/

**********************************************************************
To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address.
**********************************************************************
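An added example, not part of the thread and not code from either poster's organization, of how the email policy clause discussed above (mail classed sensitive or extremely sensitive must be S/MIME encrypted before it crosses an open circuit) can be enforced at an outbound mail gateway instead of being left to each sender. It uses only the Python standard library. The `X-Data-Classification` header and its four label values are assumptions, not a standard; the sample messages, including the base64 body of the encrypted one, are constructed. Unlabelled mail is treated as sensitive (fail closed), and S/MIME signed-only mail does not satisfy the requirement, since a signature gives integrity but not confidentiality.

```python
"""Outbound gateway check for the thread's email policy (added example).

Hypothetical convention: the mail client stamps every outgoing message with an
X-Data-Classification header carrying one of the four levels from the posting
(public, internal, sensitive, extremely-sensitive). Mail at the two upper
levels may only leave the controlled network as an S/MIME enveloped-data object
(RFC 8551: Content-Type application/pkcs7-mime; smime-type=enveloped-data).
"""
from email import message_from_string
from email.message import Message

CLASSIFICATION_HEADER = "X-Data-Classification"          # assumed header name
LEVELS_REQUIRING_ENCRYPTION = {"sensitive", "extremely-sensitive"}
SMIME_CONTENT_TYPES = ("application/pkcs7-mime", "application/x-pkcs7-mime")


def is_smime_enveloped(msg: Message) -> bool:
    """True only when the top-level body is S/MIME enveloped-data (encrypted).

    A signed-data object or a multipart/signed message is integrity-protected
    but still readable in transit, so it does not count.
    """
    if msg.get_content_type() not in SMIME_CONTENT_TYPES:
        return False
    smime_type = msg.get_param("smime-type") or ""
    return smime_type.lower() == "enveloped-data"


def classification_of(msg: Message) -> str:
    """Classification label, normalised; missing label fails closed to 'sensitive'."""
    value = msg.get(CLASSIFICATION_HEADER)
    if value is None:
        return "sensitive"
    return value.strip().lower()


def policy_decision(raw_message: str) -> tuple:
    """Return ('allow' | 'block', reason) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    level = classification_of(msg)
    if level not in LEVELS_REQUIRING_ENCRYPTION:
        return "allow", f"classification '{level}' may traverse an open circuit in the clear"
    if is_smime_enveloped(msg):
        return "allow", f"classification '{level}' is S/MIME enveloped"
    return "block", f"classification '{level}' must be S/MIME encrypted before leaving the controlled network"


# Constructed sample messages (addresses and body are placeholders).
PUBLIC_NOTICE = (
    "From: communications@hospital.example\n"
    "To: everyone@hospital.example\n"
    "Subject: Flu clinic hours\n"
    "X-Data-Classification: public\n"
    "Content-Type: text/plain\n"
    "\n"
    "The flu clinic is open 8-5 all week.\n"
)

LAB_RESULT_CLEARTEXT = (
    "From: lab@hospital.example\n"
    "To: epi@health-dept.example\n"
    "Subject: Lab values\n"
    "X-Data-Classification: sensitive\n"
    "Content-Type: text/plain\n"
    "\n"
    "Patient 12345 ...\n"
)

LAB_RESULT_ENCRYPTED = (
    "From: lab@hospital.example\n"
    "To: epi@health-dept.example\n"
    "Subject: Lab values\n"
    "X-Data-Classification: extremely-sensitive\n"
    'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "MIAGCSqGSIb3DQEHA6CAMIACAQAxggEAAAAAAAAAAAAA\n"   # constructed, not real CMS
)

LAB_RESULT_SIGNED_ONLY = (
    "From: lab@hospital.example\n"
    "To: epi@health-dept.example\n"
    "Subject: Lab values\n"
    "X-Data-Classification: sensitive\n"
    'Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "MIAGCSqGSIb3DQEHAqCAMIACAQExAAAAAAAAAAAAAAAA\n"   # constructed, not real CMS
)

UNLABELLED = (
    "From: nurse@hospital.example\n"
    "To: someone@example.org\n"
    "Subject: quick question\n"
    "Content-Type: text/plain\n"
    "\n"
    "Can you look at this chart?\n"
)

if __name__ == "__main__":
    for name, raw in [("public", PUBLIC_NOTICE), ("clear", LAB_RESULT_CLEARTEXT),
                      ("encrypted", LAB_RESULT_ENCRYPTED), ("signed", LAB_RESULT_SIGNED_ONLY),
                      ("unlabelled", UNLABELLED)]:
        print(f"{name:10s} -> {policy_decision(raw)}")
```

The check deliberately inspects only the outer structure of the message; it does not (and cannot) verify that the enveloped-data was encrypted to the right recipient certificate, so it complements, rather than replaces, the key management and recipient directory a PKI deployment needs.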
