Cyber Security, Privacy - PowerPoint PPT Presentation

1 / 50

About This Presentation

Title:

Cyber Security, Privacy

Description:

1. Cyber Security, Privacy & HIPAA. Brenda Cuccherini, Ph.D., MPH ... 'Old habit of mind is one of the toughest things to get away from in the world. ... – PowerPoint PPT presentation

Number of Views:681

Avg rating:3.0/5.0

Slides: 51

Provided by: brendacucc2

Category:

more less

Transcript and Presenter's Notes

Title: Cyber Security, Privacy

1
Cyber Security, Privacy HIPAA

Brenda Cuccherini, Ph.D., MPH
VA Office of Research Development Fall 2006

2
A New Mind Set

Old habit of mind is one of the toughest things
to get away from in the world. It transmits
itself like physical form and features
Mark Twain
A Connecticut Yankee in King Authors Court

3
VHA Privacy

VHA privacy program is complex
VHA must comply with 6 statutes that govern
collection, maintenance release of information

4
Privacy Related Statutes

HIPAA
Privacy Act of 1974
FOIA
VA Claims Confidentiality
Confidentiality of Drug Abuse, Alcoholism
Alcohol Abuse, HIV, and Sickle Cell Anemia
Medical Records
Confidentiality of Healthcare Quality Assurance
Review Records

HIPAA Title II The Privacy Rule
(45 CFR 160 and 164)

6
HIPAA Topics To Be Covered

HIPAA the Common Rule
HIPAA Identifiers
Limited Data Sets
Business Associate Agreements
De-identification
Waiver of Authorization
VA HHS Differences

7
HIPAA the Privacy Rule

Title I Health Care Access, Portability,
Renewability
Title II Preventing Healthcare Fraud Abuse
Administrative Simplification Medical Liability
Reform
Privacy Rule,
Transactions,
Security
Enforcement)

8
HIPAA The Common Rule

Represent 2 different but not contradictory
regulations
Many terms similar but not alike
IRB must make 2 separate determinations when
reviewing approving applicable research

9
HIPAA IdentifiersRemove to De-identify for
HIPAA

(1) Names
(2) All geographic subdivisions smaller than a
state, except
for the initial three digits of the zip
code if the
geographic unit formed by combining all zip
codes with
the same three initial digits contains more
than
20,000 people
(3) All elements of dates except year and all
ages over 89
(4) Telephone numbers
(5) Fax numbers
(6) E-mail addresses
(7) Social security numbers
(8) Medical record numbers

10
HIPAA Identifiers (Cont.)

(9) Health plan beneficiary numbers
(10) Account numbers
(11) Certificate or license numbers
(12) Vehicle identifiers and license plate
numbers
(13) Device identifiers and serial numbers
(14) URLs
(15) IP addresses
(16) Biometric identifiers
Full-face photographs and any comparable
images

11
HIPAA Identifiers (Cont.)

Any other unique identifying number,
characteristic
or code, unless otherwise permitted by
the Privacy
Rule for re-identification
Scrambled SSNs
Initials
Last four digits of SSN
Employee numbers
Etc.
(19) A caveat HIPAA also states that the
entity does not have actual
knowledge that the remaining
information could be used alone
or in combination with other
information to identify an individual
who is the subject of the information
If you can strip all 18 identifiers, it still may
not be de-identified

12
Applicability of Identifiers

HIPAA identifiers apply to
The individual
The individuals relatives
The individuals employers
The individuals household members

13
Whats De-identified?

If some one tells you data is de-identified, ask
them how they define it!
Definition of de-identified
All HIPAA identifiers must be removed, plus The
entity must have no knowledge the caveat from
the last slide and
It meets the Common Rule definition of
de-identified

14
Limited Data Sets

Does not require a HIPPA authorization or waiver
of authorization
Only allowed for research , public health, or
health care operations
Requires a DUA
May contain identifiable information such as
scrambled SSNs, are still PHI
May still be human subjects research

15
Limited Data Set (Cont.)

Excludes certain direct identifiers
Excluded identifiers apply to
The individual,
The individuals relatives
The individuals employers
The individuals household members
May contain
City, state, ZIP code,
Elements of a date other numbers,
Characteristics or codes not listed as direct
identifiers

16
Limited Data Sets Direct Identifiers

(1) Names
(2) Postal address other than town, city, state,
and ZIP code
(3) Telephone numbers
(4) Fax numbers
(5) SSNs
(6) Medical Record number
(7) Health plan beneficiary numbers
(8) Account numbers

17
Limited Data Set Direct Identifiers (Cont.)

(9) Certificate/license numbers
(10) Vehicle identifiers and serial numbers
including license plate numbers
(11) Device identifiers serial numbers
(12) Web universal resource locators (URLs)
(13) Internet protocol (IP) address
(14) Biometric identifiers, including
fingerprints
voice prints
(15) Full-face photographic images and any
comparable images

18
Business Associate Agreements

Business Associate An individual or entity who
on behalf of VHA
Performs or assists in performing functions or
activities involving the use or disclosure of PHI
or
Provides certain services to VHA which include
use or disclosure of PHI by VHA.
Activities must be related to treatment, payment,
or health care operations

19
Business Associate Agreements

BAAs required for
Any person or entity meeting the definition of
Business Associate
BAAs not required for research or research
sponsors
Research is not a function or activity regulated
by HIPAA (treatment, payment, or health care
operations)

20
Waiver of Authorization

IRB or Privacy Board (PB) may approve
Full waiver of authorization
Partial waiver of authorization
Alteration of the disclosure
IRB or Privacy Board
Must make specific determination prior to
approving waiver
Must document specific findings

21
Required Determinations 3 Criteria

1. The use or disclosure of PHI involves no more
than a minimal risk to the individual based on
at least the presence of the following elements
An adequate plan to Protect the identifiers from
improper use disclosure
An adequate plan to destroy the identifiers at
the earliest opportunity consistent with the
conduct of the research unless there is health
or research justification for retaining them or
retention or the retention is required by law
and
Adequate written assurance that the PHI will not
be reused or disclosed to any other person or
entity, except as required by law, for authorized
oversight of the research study, or for other
research for which the use of disclosure of PHI
would be permitted by this subpart

22
Required Determinations 3 Criteria (Cont.)

2. The research could not practicably be
conducted without the waiver
3. The research could not practicably be
conducted without access to and use of the
protected health information

23
Required Documentation

Name of IRB or PB date approved
Statement IRB or PB determined the alteration or
waiver of authorization, in whole or in part,
satisfies the 3 criteria in the Rule
A brief description of the PHI for which use or
access has been determined to be necessary
A statement that the alteration or waiver of
authorization has been reviewed and approved
under either normal or expedited review
procedures, and
Signature of the chair or other member, as
designated by the chair, of the IRB or PB, as
applicable.

24
Investigators Responsibility

Include all necessary information in the
submission to the IRB or PB
Request use of the minimal necessary information
to conduct the research
Use of data consistent with the protocol
No re-use or sharing of data without approvals

25
How Does VHA Differ from HHS

Preparatory To Research
Authorization Elements
Accounting for Disclosures
Data Use Agreements

26
Prepatory to Reach

VHA Handbook 1605.1 states that contacting
research subjects or conducting pilot studies are
not Prepatory to Research activities
HHS states that the Prepatory to Research
provisions allow an investigator to use PHI to
contact prospective research subjects

27
HIPAA Authorization

VHA requirements differ from HHSs
A description of the information to be used or
disclosed AND specifically identify HIV, Sickle
cell anemia, drug and/or alcohol abuse treatment
information

28
Accounting for disclosure

Not so much a difference but a clarification
VHA research is conducted inside a single covered
entity MOST research does not involve
disclosure, only use of PHI

29
Data Use Agreements

VHA and HHS requires DUA for use of limited data
sets only
ORD policy will additionally require a DUA for
anytime you transfer data within VHA for research
purposes

Privacy Act of 1974

An American has no sense of privacy.
He does not know what it means.
There is no such thing in the country.
George Bernard Shaw

32
Privacy Act of 1974

Purpose To balance the governments need to
maintain information about individuals with the
rights of individuals to be protected against
unwarranted invasions of their privacy
Background Watergate era and Congress concerned
with
Curbing illegal surveillance investigations
Potential abuses presented by governments
increasing use of computers to store retrieve
personal data

33
Privacy Act Objectives

Restrict disclosure of personally identifiable
records by agencies
Grant individuals
Increased rights of access to agency records
The right to seek amendment of agency records
Establish code of fair information practices for
agencies

34
A Privacy Act Requirement

Agencies that maintain a system of records "shall
promulgate rules, in accordance with notice and
comment rulemaking
Systems of Records (SOR) A group of records
under agency control from which information is
retrieved by the name of the individual or by
some identifying number, symbol, or other
identifying particular assigned to the
individual.

35
System of Records Content

Category of individuals covered by the system
Categories of records in the system
Purpose of the records
Routine uses of records
Storage (storage medium)
Retrievability (name, numbers or identifier)

36
SORs and Research

34VA12 -- Veteran, Patient, Employee, and
Volunteer Research and Development Project
Records
121VA19 -- National Patient Databases - VA

37
SORs Impact on Research

All release/disclosure of information must be
consistent with the SOR and routine uses
Investigators can not release information to
non-VA investigators or institutions unless
Written permissions/authorization from individual
or
Permission of the USH
Release of information is through the Privacy
Office

38
Privacy Issues Resources

VHA Privacy Officer Stephania Putt
Local privacy officer
VHA privacy program
http//vaww.vhaco.va.gov/privacy/
Links to all Federal statutes, regulations,
policies including security policies
Privacy Fact Sheets

Cybersecurity

To err is human and to blame it on a computer
is even more so.
Robert Orben
Magician and Comedy Writer

41
Reporting of Security Incidents

OMB requires reporting of an incident within 1
hour of discovery to US-CERT
US-CERT US Computer Emergency Readiness Team is
the operational arm of National Cyber Security
Division (NCSD), Department of Homeland Security
(DHS).
Suspected and confirmed breaches must be reported

42
How to Report Security Incidents

Immediately report to
Supervisor
ISO
Privacy Officer
Others (Your facility may require reporting to
other facility administrators)
ISO will report it to the VA-Security Operations
Center (VA-SOC)
Privacy Officer will enter it into the Privacy
Violations Tracking System (PVTS)
VA-SOC will notify US-CERT key VHA/VA officials

43
It is VA policy that

VA information may not reside on non-VA systems
or devices unless specifically authorized by VA
guidance/policy
Federal Information Security Management Act of
2002 (FISMA) Federal Security requirements apply
to when contractors or other organizations on
behalf of an agency possess or use Federal
information
You must obtain authorization to remove
confidential Privacy Act protected information
Approved protocol
Consult with supervisors/obtain permission
Consult with supervisor and ISO to ensure that
the data is properly encrypted and password
protected in accordance with VA policy
Secretarys memo June.6, 2006

44
VA policy on Government Laptops or Other Equipment

Updated property pass
Updated virus protection
House protect it from
Environmental threats hazards
Unauthorized access, use, or removal
Laptops, external hard drives, or other storage
devices must be under lock key when not in your
immediate vicinity if it
Contains sensitive/protected information (VAPI)
or
Software to access VA private networks

45
VA Policy on Protection of Data

Data system backups or copies
Same confidentiality classification as originals
Laptops portable media must NOT contain the
only copy of the data
VAPI stored on computers or other storage media
outside VA facilities must be encrypted per VA
approved protection mechanisms
Password or other authentication information
Do not store on remote systems unless encrypted
Data can not be transmitted by remote access
without VA-approved protection mechanisms

46
Investigators Responsibilities

Protocols contain sufficient information on
security issues
Who uses information
How it will be stored and secured
Who has copies where
Will it remain within VA if not, will all data
be returned to VA if not why
Disposition of the data after protocol completed)
Allowing access only to authorized individuals

47
Investigators Responsibilities (Cont.)

Safeguarding laptops, portable drives, flash
drives, and other medium
Ensuring all contracts, DUAs, and BAAs contain
required language
Encrypting/password protecting all sensitive data

48
Policy Documents

VA Directive 6504 Waiver of requirements
Granted only by the VA Chief Information Officer
in CO
Waiver request only from an Administration Head,
Assistant Secretary, or other key official
Majority of IT security documents being
redrafted on a very fast track

49
Finding Policies