Mr. Clay: Most experts in health care compliance seem to agree that awareness training that personalizes the confidentiality and security issues is critical to the process you describe. You seem to have neatly outlined a viable set of action plans or processes. Of course the lack of final regulations on Security Standards takes some of the wind out of your sails as well as the recently proposed modifications to the Privacy Standards -- all of which make managers who are cognizant of the process feel like they don't want to invest much time until the HIPAA ground is firm under their feet for fear of the time being sunk, and unrecoverable.
I co-chair our regional WEDi-SNIP education efforts for the mid-Atlantic and would urge you to look into the local WEDi-SNIP groups that may be organizing interdisciplinary collaborative efforts in your region. Large and small providers in our region express many of the same concerns you do, although your issues seem very clearly defined. The market seems full of a variety of vendors with any of a variety of tool kits, assessment protocols, train the trainer and other varying training tools. Most of these interesting and often impressive tools would be pretty ineffective without significant corporate culture awareness, change, buy-in -- as underscored in your question. Sadly, statistics show where the highest security risks are -- in a recent webcast conducted by Tom Hanks and Bill Braithwaite, Mr. Hanks quoted an 80% stat for risks of internal breaches (conversations, responding with too much info in response to inadequate subpoenas or other seemingly legitimate public or quasi public requests for info, sharing info with spouses or employers improperly...), with the vast minority of security risks being from third party hackers or interceptors. Valuable approaches to your situation I have seen include starting with basic awareness training that is lively, interactive and role-based -- not one size fits all. Creative bottom up adjuncts include screen pops at log in time with a HIPAA pledge that must be acknowledged before access to a system is allowed (with back up reporting capability so administrators and managers can confirm system users, etc.); automatic screen savers with reminders and awareness cartoons or other semi-humorous approaches are valuable as well.
Further, engaging workforce in more fun approaches: challenges or contests for "clean desk" situations (at one large provider's centralized business office, employees designed the "get the HIPAA hippo off your desk" program -- I'm not trying to make light of the issue, just suggest an employee fashioned solution to allow employees to take a stake in the outcome of their HIPAA compliance program), engaging creative employees in designing posters or other practical application oriented materials, posting HIPAA milestones achieved and other success stories for your intranet, are some other approaches that are valuable. There are a number of upcoming compliance oriented seminars, conventions and workshops over the next few months (that I'd be happy to provide you with information on offline) and a HIPAA Privacy Policy Advisory Group meeting sponsored by WEDi in Baltimore next week (4/16) -- open to the public. The advantage of any of these for a large institutional provider like yourself is the opportunity to see multiple solutions at once and hear payers and providers challenge vendors about the viability of their solutions. I am assuming you are not in the mid-Atlantic region -- because if you were it would be my privilege to invite you to speak or lead a workshop at an upcoming educational conference. Beginning in June we are introducing a "best practices"/"best idea" feature to our provider meetings to encourage the real in-the-trenches experts like yourself to share challenges, solutions and challenge the vendors to work with you on your real issues. I would urge you to try and link to one of my counterparts in your part of the world if you would find this helpful -- and am happy to help any way I can.

Leslie Bender, Esq.
Member, Mid Atlantic Regional Health Initiative

---------- Original Message ----------------------------------
From: "Clay III, Roy G. (MCLNO)" <[EMAIL PROTECTED]>
Date: Tue, 9 Apr 2002 13:22:13 -0500

>We are a large public university medical system with nine hospitals and 10,000 employees. We are also working on policies to address this. We have received numerous requests to share PHI over the internet from public health agencies. What we have established in the interim is that no PHI may traverse an open circuit (i.e. a circuit whose access is not controlled by our Information Security department) unencrypted. The standard for open circuit encryption is PKI. We send some lab values via Secure FTP and HIV data that is being sent via S-MIME. This is just a stopgap measure to prevent more holes from being created.
>
>As we see it the approach must be comprehensive. It starts with a non-disclosure policy that is signed by all employees. Next, a strong user management policy must be in place to ensure that the system is configured to allow only the access a person needs to do their job. You must also have an information classification policy. We are looking at having four levels, one for public information like promotional and marketing material, one for internal operations information (e.g. JCAHO preparation), one for sensitive data which would include PHI and HR information and one for extremely sensitive data such as HIV status and mental health. All classifications except for public would include a need to know requirement. The email policy should contain a clause that any email containing sensitive or extremely sensitive data must be encrypted using S-MIME. Finally an appropriate use policy describes the types of system uses that are forbidden. All policies include sanctions which fit the disciplinary approach of the organization.
>
>We feel that these four policies give managers the tools they need to act upon any disclosure or risk of disclosure. But the managers and staff need training. Managers and staff need the training in the importance of confidentiality and security. Additionally, managers need training in how to deal with behavior that breaches confidentiality. The non-disclosure policy covers everyone, even the housekeeper who overhears something in the hall. The classification policy tells you when to use which security precautions and need-to-know. The email policy provides information on how it is used with regard to sensitive or extremely sensitive information. The appropriate use policy addresses the internal user abusing their privileges.
>
>The pitfalls we see are numerous. The quality of manager varies greatly throughout the organization as does the quality of the employee. We even have department heads who question the need for confidentiality and security at all. So even if good policies are in place, it is no guarantee they will be enforced consistently. Just getting people to attend the training sessions is a challenge. We are performing IDS and vulnerability scans. Logs are still reviewed manually and we are investigating automated tools to perform this function more frequently and more widely than is done now.
>
>We are still wrestling with these and other details but this appears to be the simplest and most comprehensive approach. I'd be interested in anyone's comments.
>
>Roy G. Clay, III
>HIPAA Security Project Coordinator
>Health Care Services Division
>Phone: (504) 568-6130
>Email: [EMAIL PROTECTED]
>
>
>-----Original Message-----
>From: Chris Riley [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, April 09, 2002 7:13 AM
>To: [EMAIL PROTECTED]
>Cc: [EMAIL PROTECTED]
>Subject: Re: Securing E-mail
>
>
>Bob,
>The FBI 2001 Computer Crime and Security Survey says that over 40% of organizational computer security incidents came from inside the organization so it is probably not a good assumption that security controls can be more lax on an internal network. Plain vanilla email does nothing to address the confidentiality and integrity issues you've pointed out so adopting some control for protecting PHI is a prudent idea. One simple way to protect confidentiality and integrity is through encryption although the management of the encryption keys can be extremely complex based on the size of the organization. Other approaches include the use of a PKI such as a secure web-based email system.
>
>As I see it, the real issue is whether or not email can be used at all with PHI. Email follows a discretionary access control model which means I can share any information I have access to at my discretion and so there are really no controls in place to ensure confidentiality.
>
>I would be very interested to hear others' opinions and approaches on this topic.
>
>--
>Chris Riley, CISSP
>Information Tool Designers Inc.
>Secure Virtual Office Solutions
>http://aegis.info-tools.com/
>
>
>**********************************************************************
>To be removed from this list, go to:
>http://snip.wedi.org/unsubscribe.cfm?list=privacy
>and enter your email address.

________________________________________________________________
Sent via the WebMail system at mail.theroi.com
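The e-mail policy clause in Roy Clay's quoted message (sensitive or extremely sensitive data must leave only S/MIME encrypted, with a four-level classification scheme behind it) is the kind of rule an outbound mail gateway can enforce mechanically. The following is an added Python example written for this page; it is not code from any of the posters or from WEDi. It assumes a hypothetical `X-Data-Classification` header carrying one of the four labels from the thread, uses only the standard library `email` parser, and treats the S/MIME `smime-type=enveloped-data` content type (RFC 8551) as proof of encryption. A signed-only (`multipart/signed`) message deliberately fails the check, and an unlabelled message is held for review rather than silently allowed. The sample messages are constructed; the base64 body is filler, not a real PKCS#7 envelope.

```python
"""Outbound e-mail policy gate: a constructed example of the classification
rule described in the thread (sensitive / extremely sensitive data must go out
S/MIME encrypted). Not code from any poster or product. The
X-Data-Classification header name and the sample messages are assumptions."""
from email import message_from_string
from email.message import Message
from typing import Dict, Tuple

# The four levels from the thread, lowest to highest; the top two need S/MIME.
CLASSIFICATION_LEVELS = ("public", "internal", "sensitive", "extremely-sensitive")
ENCRYPTION_REQUIRED = {"sensitive", "extremely-sensitive"}
CLASSIFICATION_HEADER = "X-Data-Classification"  # assumed labelling header


def is_smime_encrypted(msg: Message) -> bool:
    """True only for S/MIME enveloped (encrypted) data as defined in RFC 8551.
    A multipart/signed message carries a signature but no encryption, so it
    does not satisfy the policy."""
    ctype = msg.get_content_type()
    smime_type = msg.get_param("smime-type", "")
    if isinstance(smime_type, tuple):  # RFC 2231 encoded parameter value
        smime_type = smime_type[2]
    smime_type = str(smime_type).lower()
    return (ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime")
            and smime_type in ("enveloped-data", "authenveloped-data"))


def evaluate(raw: str) -> Tuple[str, str]:
    """Return (verdict, reason) for a raw RFC 5322 message.
    'allow' = compliant, 'block' = policy violation, 'hold' = unlabelled, needs review."""
    msg = message_from_string(raw)
    label = (msg.get(CLASSIFICATION_HEADER) or "").strip().lower()
    if label not in CLASSIFICATION_LEVELS:
        return "hold", f"missing or unknown classification label {label!r}; route to a reviewer"
    if label in ENCRYPTION_REQUIRED and not is_smime_encrypted(msg):
        return "block", f"{label} data must be S/MIME encrypted; got {msg.get_content_type()}"
    return "allow", f"{label} message complies with the e-mail policy"


# Constructed sample messages (not real traffic); the base64 body below is
# filler, not a genuine PKCS#7 envelope.
SAMPLES: Dict[str, str] = {
    "plain_sensitive": (
        "From: lab@hospital.example\nTo: epi@publichealth.example\n"
        "X-Data-Classification: Sensitive\nContent-Type: text/plain\n\n"
        "Patient lab values attached in clear text.\n"),
    "encrypted_sensitive": (
        "From: lab@hospital.example\nTo: epi@publichealth.example\n"
        "X-Data-Classification: extremely-sensitive\n"
        'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\n'
        "Content-Transfer-Encoding: base64\n\nMIAGCSqGSIb3DQEHA6CAMIACAQAxggEAAAA=\n"),
    "signed_only": (
        "From: hr@hospital.example\nTo: manager@hospital.example\n"
        "X-Data-Classification: sensitive\n"
        'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; '
        'micalg=sha-256; boundary="b1"\n\n--b1\nContent-Type: text/plain\n\n'
        "Disciplinary file enclosed.\n--b1\nContent-Type: application/pkcs7-signature\n\n"
        "MIIBAAAA\n--b1--\n"),
    "public_notice": (
        "From: marketing@hospital.example\nTo: all@hospital.example\n"
        "X-Data-Classification: public\nContent-Type: text/plain\n\n"
        "Open house this Saturday.\n"),
    "unlabelled": (
        "From: someone@hospital.example\nTo: friend@example.org\n"
        "Content-Type: text/plain\n\nSee you at lunch.\n"),
}


def run_samples() -> Dict[str, str]:
    """Evaluate every constructed sample and return name -> verdict."""
    return {name: evaluate(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict, reason = evaluate(raw)
        print(f"{name:20s} {verdict:5s} {reason}")
```

The design choice worth noting is the default: a message with no label is held, not allowed, because the thread's own point is that every level except public carries a need-to-know requirement, so "unlabelled" cannot be assumed to mean "public". In a real deployment the label would come from the originating system or a DLP classifier rather than from a header the sender can set by hand.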
