
Privacy

Privacy. Marilyn Prosch , Ph.D., CIPP Arizona State University W.P. Carey School of Business Department of Information Systems Member AICPA/CICA Privacy Task Force. IS PRIVACY REALLY ALL THAT BIG OF A PROBLEM?. Data Breaches: Where is the Horse?.


Presentation Transcript


  1. Privacy Marilyn Prosch, Ph.D., CIPP Arizona State University W.P. Carey School of Business Department of Information Systems Member AICPA/CICA Privacy Task Force

  2. IS PRIVACY REALLY ALL THAT BIG OF A PROBLEM?

  3. Data Breaches: Where is the Horse? Some of the reported incidents that have recently occurred.

  4. Univ. of Pittsburgh, Med. Center Manhattan Veteran's Affairs Medical Center & New York Harbor Health Care System Beaumont Hospital St. Rita's Medical Center Swedish Medical Center Univ. Calif. Irvine Medical Center Sisters of St. Francis Health Services via Advanced Receivables Strategy Baystate Medical Center DCH Health Systems Baylor Health Care System Inc. Mercy Medical Center Cedars-Sinai Medical Center Group Health Cooperative Health Care System Southwest Medical Association Johns Hopkins Hospital Allina Hospitals and Clinics CBIZ Medical Management Professionals Prudential Financial Inc. Wuesthoff Medical Center Northeast Orthopaedics DePaul Medical Center Beacon Medical Services Massachusetts General Hospital Seton Healthcare Network University of Pittsburgh Medical Center Christus Health Care Kaiser Medical Center St. Anthony Central Hospital McAlester Clinic & Veteran's Affairs Medical Center Blue Cross/Blue Shield Akron Children's Hospital Highland Hospital Emory University Hospital, Emory Crawford Long Hospital, Grady Memorial Hospital, Geisinger Health System, Williamson Medical Center via Electronic Registry Systems Back and Joint Institute of Texas Cleveland Clinic Gulf Coast Medical Center Jacobs Neurological Institute Erlanger Health System Westerly Hospital Parkland Memorial Hospital Deaconess Hospital CVS Pharmacies Palo Alto Medical Foundation WellPoint's Anthem Blue Cross Blue Shield Health Resources, Inc. Moses Cone Hospital Kanawha-Charleston Health Dept. South County Hospital Kaiser Permanente Colorado Harris County Hospital Providence Alaska Medical Center Concord Hospital Swedish Urology Group Stevens Hospital via billing company Med Data Intermountain Health Care Gundersen Lutheran Medical Center Catskill Regional Medical Center New Hampshire Dept. of HS St. Mary's Hospital, MD WorkCare Orem North Carolina Dept. of HHS St. Vincent Hospital Womancare Inc. Sky Lakes Medical Center via Verus Inc Mary Washington Hospital Wellpoint's Empire Blue Cross/ Blue Shield NY Grady Memorial Hospital Segal Group of New York via web site of Vermont agency New Hampshire's Lakes Region General Hospital Peninsula Orthopaedic Associates Healing Hands Chiropractic Georgia Dept. of Community Health

  5. Some of the causes! • A Blackberry containing patient information was stolen from the hospital. The Blackberry contained an email message that included patient information, such as Social Security numbers, dates of birth and medical histories. 3,200 people affected • Laptop stolen from an employee's car. 14,000 people affected • Laptop stolen from an employee's car. 9,300 people affected • Office broken into and computer stolen. Unknown people affected • Office broken into and laptop stolen. 1,000 people affected • Tapes stolen while in transit. 100,000 people affected • Paper-based records left on a train by an employee. 56 people affected • Child welfare worker’s records ended up with a local TV station. The files, which included names, Social Security numbers, contact information and details on child abuse investigations, reportedly were left behind when a DHS worker was evicted from a rent house. • Paper-based records stolen from an employee's car. 242 people affected • Records posted on the Internet. The records appeared on a Web site visvabpo.com, which was a defunct company in India. 1,000 people affected • Documents, such as labels from prescription bottles and old prescriptions, in unsecured dumpsters. Unknown people affected • A woman was fired for allegedly spying. The employee had access to company files. 431 people affected • Medical records were improperly disposed of when left in a dumpster behind the office.

  6. 21st Century Challenge Getting the Horse Back in the Barn

  7. What is Privacy?

  8. PRIVACY: AICPA/CICA Definition • PRIVACY encompasses the rights and obligations of individuals and organizations with respect to the… • Collection • Use • Disclosure, and • Retention …of personal information.

  9. Rights and Obligations

  10. What is the relationship between privacy and security?

  11. Security, as it relates to privacy • Security of processes and technologies is a necessary, but not sufficient, condition of privacy

  12. Why should systems professors/practitioners care about data protection and privacy?

  13. Last week – Virginia Prescription Monitoring Program drug database hacked • Data hijackers deleted records on more than 8 million patients and replaced the site's homepage with a ransom note demanding $10 million for the return of the records. • The database of prescriptions had been bundled into an encrypted, password-protected file and payment of the ransom would result in the password to decrypt. • Their backups seem to have gone missing, too. http://voices.washingtonpost.com/securityfix/2009/05/hackers_break_into_virginia_he.html?wprss=securityfix

  14. Reasons • With enterprise systems, personal information (PI) is commingled with accounting transactions • Much PI is part of accounting transaction data • Data has value and that “value” can be an asset or a liability • Good internal controls are a mechanism for protecting all “assets”

  15. What is GAPP?

  16. WHAT IS GAPP? • Generally Accepted Privacy Principles • Developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) to help guide organizations in implementing, sustaining, and auditing privacy programs.

  17. AICPA/CICA Generally Accepted Privacy Principles • Available for free download and use • 10 Principles of privacy and 66 criteria (soon to have an additional 8 criteria, once the new exposure draft has finished the review process) • http://infotech.aicpa.org/Resources/Privacy/

  18. What are the Principles? 1. Management: The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures. 2. Notice: The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed. 3. Choice and Consent: The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, retention, and disclosure of personal information. 4. Collection: The entity collects personal information only for the purposes identified in the notice. 5. Use and Retention: The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes.

  19. What are the Principles? 6. Access: The entity provides individuals with access to their personal information for review and update. 7. Disclosure: The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual. 8. Security for Privacy: The entity protects personal information against unauthorized access (both physical and logical). 9. Quality: The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice. 10. Monitoring and Enforcement: The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.

  20. COMPONENTS OF GAPP • Consistency of Commitments With Privacy Policies and Procedures • Infrastructure and Systems Management

  21. Why has the AICPA/CICA issued an update to GAPP in the form of an exposure draft?

  22. Continuous improvement of GAPP • Major changes • Modification of 2 criteria • 8 new criteria

  23. What is the Global Privacy Standard?

  24. Global Privacy Standard • The final version of the GPS was formally released in the United Kingdom, on November 3, 2006, at the 28th International Data Protection Commissioners Conference • Championed and developed by Commissioner Ann Cavoukian, Ontario • 10 Principles

  25. What are these new red flag rules that are in the news?

  26. New Red Flag Rules – effective May 1, 2009; postponed until 8/1/2009 • Require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program (Program) for combating identity theft in connection with new and existing accounts. Originally effective May 1, 2009. • The program can be different, depending on the organization’s size and complexity. • Thus, a small physician practice might have a much different program than a large hospital. • Programs should include four basic points/steps, which could be covered under one or multiple policies. http://www.hinshawlaw.com/health-care-identity-theft-prevention-programs-and-red-flags-rules-compliance-03-10-2009/

  27. 4 Required Steps • Identify Common Red Flags • Detect Red Flags • Responses to Red Flags • Program Execution and Updates http://www.hinshawlaw.com/health-care-identity-theft-prevention-programs-and-red-flags-rules-compliance-03-10-2009/

  28. What is the relationship of privacy to the other, more traditional areas of AIS, audit, and assurance?

  29. The primary link to these 3 areas is • effective internal controls! • GAPP provides tangible criteria that can be audited and about which assurances can be made.

  30. 3 Tricks to getting horses back in the barn & keeping them there • Teach your horse that you are in control over him/her. • Corporate Culture towards the use and management of personal information will likely have to change. Who owns and controls the data? • Make it dang hard for the horse to do the wrong thing. • Implement privacy enhancing policies, procedures, and controls. • Ride a lot! • Test the use and management of your data frequently.

  31. What are some research opportunities?

  32. Implications for CA/CM Research • Descriptive research: • What are companies actually doing? • Are they aware of the issues? • If so, how are they handling these issues? • Are they using some kind of data masking during these processes? • Normative research: How can we build privacy protection into processes? • Data tagging and masking • Data replication (logging) • Security around possession and handling • Data life and destruction techniques (poison pills)
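Slide 14 notes that personal information (PI) is commingled with accounting transaction data, slide 18 requires that PI be used and retained only for the stated purpose, and slide 32 asks how data tagging and masking could build privacy protection into a process. The following Python example, added here and not taken from the presentation or from GAPP, shows one way to put those pieces together: fields of a transaction record are tagged as PI with a masking policy, a disclosure view masks them, and a purpose-based retention limit strips the PI while the accounting fields are kept for audit. The record schema, the field tags, the retention periods, the pseudonymization key and the sample record are all constructed for illustration.

```python
import hmac
import hashlib
from datetime import date, timedelta

# Data tagging: which fields of a transaction record are PI and how each may
# leave the entity.  The schema and tags are constructed for this example.
PI_TAGS = {
    "customer_name": "pseudonymize",  # keyed hash: joinable across records, not identifying
    "ssn": "redact",                  # never disclosed
    "dob": "generalize",              # year only
    "email": "redact",
}

# Constructed key for illustration; a real deployment keeps it in a key store.
PSEUDONYM_KEY = b"example-only-rotate-me"


def mask_field(field, value, key=PSEUDONYM_KEY):
    """Apply the masking policy tagged for `field`; untagged fields pass through."""
    policy = PI_TAGS.get(field)
    if policy is None:
        return value
    if policy == "redact":
        return "[REDACTED]"
    if policy == "generalize":
        return str(value)[:4]  # "1975-03-14" -> "1975"
    if policy == "pseudonymize":
        # HMAC rather than a bare hash, so the pseudonym cannot be reversed
        # by hashing candidate names without the key.
        digest = hmac.new(key, str(value).encode("utf-8"), hashlib.sha256)
        return digest.hexdigest()[:16]
    raise ValueError(f"unknown masking policy {policy!r}")


def mask_record(record, key=PSEUDONYM_KEY):
    """Disclosure view of a record: every PI-tagged field masked, the rest intact."""
    return {field: mask_field(field, value, key) for field, value in record.items()}


# Use and retention: PI is kept only as long as the stated purpose needs it.
# Periods are constructed, not taken from any rule or standard.
RETENTION_BY_PURPOSE = {
    "billing": timedelta(days=90),
    "warranty": timedelta(days=365),
}


def pi_retention_expired(record, today):
    """True once the PI collected for this record's purpose is past its limit."""
    limit = RETENTION_BY_PURPOSE[record["purpose"]]
    return date.fromisoformat(record["collected_on"]) + limit < today


def purge_pi(record):
    """Strip every PI-tagged field, leaving the accounting transaction data."""
    return {field: value for field, value in record.items() if field not in PI_TAGS}


def process_for_disclosure(record, today):
    """The transaction as it may leave the entity on `today`."""
    if pi_retention_expired(record, today):
        return purge_pi(record)
    return mask_record(record)


# Constructed sample: an accounts-receivable line with PI commingled in it.
SAMPLE = {
    "invoice_id": "INV-1001",
    "amount": 249.95,
    "purpose": "billing",
    "collected_on": "2009-01-15",
    "customer_name": "Pat Example",
    "ssn": "000-00-0000",
    "dob": "1975-03-14",
    "email": "pat@example.invalid",
}


def demo():
    """Return the disclosure views before and after the retention limit."""
    within = process_for_disclosure(SAMPLE, date(2009, 2, 1))
    after = process_for_disclosure(SAMPLE, date(2009, 6, 1))
    return within, after


if __name__ == "__main__":
    within, after = demo()
    print("within retention:", within)
    print("after retention: ", after)
```

The point of the tag table is that the masking and retention decisions live in one place that can be reviewed and audited against the entity's notice, rather than being scattered across every report that touches the data; the disclosure view is what the Disclosure and Security for Privacy principles call for, and the purge is what Use and Retention calls for.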

  33. Further Questions? • marilyn.prosch@asu.edu • twitter.com/ProfofPrivacy
