BCBSA Advanced Privacy – Security Training NES-503 (PowerPoint PPT Presentation)

Uploaded by allegra-kirk (72 slides)
Presentation Transcript

  1. BCBSA Advanced Privacy – Security Training NES-503

  2. Required Training
  If you handle Personal Health Information (PHI) or Personal Identifiable Information (PII), you will need to be certified by completing the following required training:
  • On-The-Job Training provided by your manager or supervisor, or their designate
  • General Privacy-Security Online Training Module (Blue Learning Center course NES-502)
  • Advanced Privacy and Information Security Classroom Workshop (Blue Learning Center course NES-503)
  • Privacy and Information Security Acknowledgement / Certification Form (NES-503F)

  3. Course Purpose
  Increase training and awareness of Protected Health Information (PHI) and Personal Identifiable Information (PII), including the policies, procedures and best practices that safeguard member data and protect BCBSA from future incidents.

  4. Course Objectives
  • Define PHI and PII
  • Explain why it is important to protect PHI and PII
  • Identify potential threats to PHI-PII
  • Review current and new policies and procedures
  • Review next steps

  5. Understanding the PHI Schematic
  (Diagram labels: Vendors/Partners, Plans, Government, Law Firms, Consulting Firms)
  • Approximately one-third of our workforce currently either receive, share and/or access PHI-PII, based on a PHI-PII inventory completed earlier this year.

  6. What is PHI (Protected Health Information)?
  • Relates to past, present or future health condition, and the provision of health care or payment.
  • Identifies, or can be used to identify, an individual.
  • Created or received by a healthcare provider, health plan, healthcare clearinghouse or a business associate of one of these.
  • Transmitted or maintained in any form.
  • Includes simple demographic information about an individual if it started out as PHI.

  7. What are PHI Data Elements?
  • Names
  • All geographic subdivisions smaller than a state, including: street address, city, county, precinct, ZIP code and equivalent geocodes, except for the initial three digits of a ZIP code if the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people
  • All elements of dates (except year) for dates directly related to an individual, including: birth date, date of service, admission/discharge dates, date of death; and all ages over 89
  • Telephone numbers
  • Fax numbers
  • E-mail addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan identification numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identification numbers
  • Device identifiers and serial numbers
  • Web URLs
  • IP addresses
  • Biometric identifiers, including finger and voice prints
  • Full face photographic images
  • Any other unique identifying number, characteristic, or code
  • To be fully DE-IDENTIFIED (no longer PHI), all data elements must be removed, OR a qualified statistician’s opinion obtained stating it is de-identified.
  • HIPAA requires the use of only the MINIMUM NECESSARY amount of PHI for any authorized purpose.
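
The slide's element list maps directly onto a de-identification pass: remove the direct identifiers, reduce ZIP codes to three digits (or "000" for sparsely populated prefixes), keep only the year of dates, collapse ages over 89, and then hand downstream users only the fields their purpose needs. The following is an added example written for this page, not code from BCBSA or the deck; the field names, the small-population ZIP prefix set, the free-text patterns and the sample record are all constructed assumptions.

```python
"""Added example, not from the BCBSA deck: a Safe Harbor style de-identification
pass driven by the slide's list of PHI data elements, followed by a
"minimum necessary" projection.  Field names, the small-population ZIP
prefixes and the sample record are all constructed for this example."""
import re
from datetime import date

# Fields holding identifiers the slide says must be removed outright
# (names, addresses below state level, phone/fax, e-mail, SSN, MRN, plan and
# account numbers, licence/VIN/device numbers, URLs, IPs, biometrics, photos).
# The field names themselves are this example's assumption.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "precinct",
    "phone", "fax", "email", "ssn", "medical_record_number",
    "health_plan_id", "account_number", "license_number", "vin",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Three-digit ZIP prefixes covering 20,000 people or fewer must be reduced to
# "000".  The real set comes from Census data; this is a constructed placeholder.
SMALL_POPULATION_ZIP3 = {"036", "059", "102"}

# Patterns for identifiers that hide inside free-text fields ("any other
# unique identifying number").  SSN is matched before phone so that
# 123-45-6789 is not mistaken for a phone number.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
]


def generalize_zip(zip_code):
    """Keep the first three digits, or '000' for a restricted prefix."""
    digits = re.sub(r"\D", "", zip_code or "")
    prefix = digits[:3]
    if len(prefix) < 3 or prefix in SMALL_POPULATION_ZIP3:
        return "000"
    return prefix


def generalize_age(age):
    """Ages over 89 collapse into a single '90+' band."""
    return "90+" if age > 89 else str(age)


def scrub_free_text(text):
    """Replace SSN, phone and e-mail patterns inside free text with tags."""
    for pattern, tag in FREE_TEXT_PATTERNS:
        text = pattern.sub(tag, text)
    return text


def deidentify(record):
    """Return a copy of the record with the slide's identifiers removed or generalized."""
    over_89 = isinstance(record.get("age"), int) and record["age"] > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                  # removed outright
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key == "age":
            out[key] = generalize_age(value)
        elif isinstance(value, date):
            # A birth year alone would reveal an age over 89, so drop it too
            if key == "birth_date" and over_89:
                continue
            out[key] = value.year                     # all date elements except year
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    return out


def minimum_necessary(record, purpose_fields):
    """Project a record down to the fields an authorized purpose actually needs."""
    return {k: v for k, v in record.items() if k in purpose_fields}


# Constructed sample record; not real member data.
SAMPLE_RECORD = {
    "name": "Jane Q. Member",
    "street_address": "12 Example St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704-1234",
    "ssn": "123-45-6789",
    "health_plan_id": "XYZ123456",
    "birth_date": date(1917, 4, 15),
    "age": 93,
    "service_date": date(2010, 3, 2),
    "diagnosis_code": "E11.9",
    "notes": "Callback at 312-555-0147; member SSN 123-45-6789 on file.",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print(minimum_necessary(cleaned, {"age", "diagnosis_code"}))
```

Two design points worth noticing: the free-text scrub exists because identifiers routinely leak through notes fields even when the structured columns are handled, and the `minimum_necessary` projection is applied after de-identification so that the quote-style misuse quoted later in the deck (sending everything because purging is slow) becomes a one-line call instead of a judgement made under time pressure.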

  8. What is Personally Identifiable Information (PII)?
  • PII is defined by various state laws and is usually Name in combination with any of the following:
    • SSN
    • Account Number
    • Credit/Debit Card Number
  • Some states include additional data elements, e.g., Passwords/PINs, Driver’s License numbers
  • Note that Provider Tax ID Numbers (TINs), which can be a Social Security Number, must be treated as PII and de-identified whenever possible
  • Like HIPAA for PHI, these state laws require notification to individuals in the event of a breach of PII

  9. Privacy Versus Security
  Privacy (April 2003):
  • Individuals’ right for protection of their personal info
  • Defines permissible uses and disclosures
  • Applies to all PHI, including paper and verbal forms
  Security (April 2005):
  • Refers to how information is protected both at rest and in transit
  • Requires administrative, physical and technical safeguards
  • Applies specifically to ePHI (electronic PHI)
  • Flexible and evolving
  HITECH Act: February 2009

  10. Who is Responsible for PHI?
  Everyone:
  • BCBSA Officers
  • Executive & Managing Directors
  • Directors & Managers
  • Employees
  • Contingent staff
  • Business Associates
  How do you use PHI and PII?

  11. Why Should We Care About Privacy and Security of Personal Info?
  • Data Breach is a release of “unsecured” PHI or PII or other sensitive information to an unauthorized entity or an insecure environment, whether intentional or unintentional.
  • Notification required within 60 days to affected individuals, HHS and sometimes local news media

  12. What is Secured PHI?
  • Health & Human Services (HHS) considers PHI “Secured” if:
    • Data is encrypted (made unreadable) using approved encryption software
    • Data is properly destroyed when no longer needed, both in electronic and paper formats
    • Data is no longer PHI if properly de-identified

  13. Data Breach Exceptions
  • Unintentional acquisition, access, or use of PHI made by an employee/representative of a covered entity or business associate in “good faith” and within the scope of employment (and such information is not further acquired, accessed, used or disclosed)
  • Inadvertent disclosure by an individual authorized to access PHI to another individual similarly situated at the same covered entity or business associate (as long as the PHI is not further used or disclosed)

  14. Examples of How Breaches Could Occur
  • Failure to encrypt data
  • Using weak passwords (Password1)
  • Unencrypted computer assets lost, stolen or compromised
  • Malicious software (malware)
  • Sensitive information on publicly-accessible computers
  • Sensitive information left on paper unattended

  15. Causes of Data Breaches
  Security concerns take on many forms:
  • Human error by workforce members, business associates, Plans and Partners
    • “I knew that only gender and age were needed for a quote, but since it takes too much time to purge other PHI, it was just easier to send it all.”
    • “I assumed that as long as the CD was encrypted, it was okay to install the data unencrypted on my home computer so I could finish my project.”
    • “I suspected that the individual I transmitted PHI to did not have a legitimate business need, but because they work for BCBSA, I assumed it was ok to share the information.”
  • Insider fraud by workforce members, business associates, Plans and Partners
  • Outsider compromise of data to perpetrate identity theft and fraud

  16. Data Breach Incidents
  • According to the Privacy Rights Clearinghouse, in 2009 there were 252 reported security incidents within the United States
  • From 2005 to mid-2010, over 500 million sensitive records were breached

  17. Examples of BCBS Data Breach Incidents
  • Stolen Computer Hard Drives (Oct. 2009): A total of 57 computer hard drives were stolen from a Blue Cross and Blue Shield Plan’s training facility. The hard drives were not encrypted and contained the personal data of 500,000 customers in 32 states, including names, ID numbers, dates of birth and, in a number of cases, Social Security numbers.
  • Laptop and Document Theft (June 2008): A Blue Cross and Blue Shield Plan employee’s laptop computer and hard copy documents in the possession of the employee were stolen from the trunk of her car. The computer was encrypted; therefore, this data was not breached. However, the hard copy documents contained the PHI of two FEP members. The Plan was required to offer identity theft protection services to the impacted members.
  • EOBs Mailed to Wrong Addresses (July 2008): 200,000 benefit letters containing personal and health information were sent to the wrong addresses. The letters included the patient’s name and ID number, provider name, and the amounts charged and owed. Some of the letters also contained the patient’s Social Security number.

  18. Summary
  • Risk Mitigation
    • PHI-PII Encrypted
    • Access Tightly Controlled
    • Workforce Trained-Certified
    • Activity Monitored/Controlled
  • Impacts of Data Loss
    • Damage to the Blue Brand
    • Potential Loss of OPM or Plan Support
    • Regulatory/Legal Exposure
    • Unplanned Costs
  • Avenues of Data Loss Exposures
    • Individuals with Access to PHI-PII
    • Collecting/Using More PHI-PII Than Necessary
    • Using PHI-PII Outside the Office
    • Data Copied to Mobile Media (CD, DVD, USB, Backup Tapes)
    • Laptops Compromised / Non-BCBSA Computers
    • Data Transmitted Outside BCBSA
    • Server, Database, Application Vulnerabilities
    • Printouts with PHI-PII Left Unprotected / Human Error

  19. Please complete the exam and move to the next section

  20. Section 2: Security Threats

  21. Security Threats – Overview
  According to the Javelin Strategy and Research report for 2009:
  • Approximately 11 million Americans were affected by identity theft in 2009, up 12% from 2008. This follows a 22% increase from 2007.
  • $54 billion cost to American businesses and individuals in 2009.
  • American fraud resolution time per victim is 21 hours, and the consumer out-of-pocket cost was $373 in 2009.
  Cyber-theft organizations use e-mail “phishing” and hacking to obtain personal information. The Carder Planet network:
  • Boasts 7,000 members; run by a dozen individuals.
  • Marketplace for millions of stolen accounts.
  • Charges a few dollars to hundreds of dollars for accounts.

  22. Security Threats – Hackers & Malware
  Intrusion Detection/Prevention: In a typical month, between 10 and 20 million network events are blocked. Top three detected events: (1) pre-attack scans to probe for weaknesses; (2) denial of service scans to try to overwhelm devices; and (3) unauthorized access attempts.

  23. Security Threats – E-mail
  Internet E-mail: In a typical month, 30 to 50 million SPAM e-mails are blocked (about 96% of all incoming e-mail). In addition to SPAM, policy filtering eliminates additional undesirable e-mail. The e-mail gateway servers also block between 1,000 and 6,000 viruses per month. Microsoft Gateway Online Protection for Exchange is utilized.

  24. Security Threats – Malicious Software
  • Your computer can become infected with malicious software (malware) simply by clicking on links or forms contained within e-mail, or by visiting infected or inappropriate websites
  • In 2010, BCBSA hired a third party security company to evaluate how users would react to a typical social engineering exploit. The third party consultant, acting as a Help Desk technician, sent e-mails and placed telephone calls to some BCBSA users (from outside BCBSA) that appeared to be coming from inside BCBSA. BCBSA users were then asked to click on links to install IT software or to log in to a BCBSA “look-alike” website
  • The bad news was that approximately half of the targeted individuals clicked on the e-mail link
  • The good news was that several individuals called the BCBSA Help Desk, and IT technicians responded quickly to investigate the incident

  25. Security Threats – Social Engineering
  • Remember that BCBSA IT technician staff will never ask you to click on links or forms to install IT software or system patches, nor will they ask you to provide your password or to log in to a website
  • You can protect BCBSA computers and PHI-PII by reporting to the BCBSA Help Desk any e-mails or telephone calls received that ask you to:
    • Install software
    • Log in to websites
    • Visit external websites
    • Provide personal or company information
  • According to the most recent Data Breach Investigations Report (DBIR), malicious software is one of the most frequently used attacks by unauthorized outsiders to gain access to personal sensitive information
  • Therefore, we need your help!

  26. Security Threats – Malicious Software (Malware)
  Summary of Data Breach Investigations Report (DBIR) for 2009:

  27. Health & Human Services (HHS) – Complete Source, Inc.
  Summary of HHS-reported breaches, from 9/9/09 through 1/18/10: 15 states reporting incidents involving 500 or more individuals

  28. Please complete the exam and move to the next section

  29. Section 3: BCBSA Security Policies

  30. BCBSA Information Security Policies
  Information Security Policy Groups:
  • Group #1: Information Access and Acceptable Use
  • Group #2: Technology Related Policies
  • Group #3: Information Security Governance
  Location of Security Policies: BlueWeb / BCBSA / Human Resources / BCBSA Policies and Procedures Manual / Chapter 8 Information Security
  http://blueweb.bcbs.com/blueweb/Leaf?docId=14703

  31. Group #1: Information Access & Acceptable Use
  • Definition of Terms
  • Information Access Policy
  • Technology Assets and Usage Policy
  • PHI-PII Acceptable Use Policy
  • Internet Acceptable Use Policy
  • E-Mail Acceptable Use Policy
  • Remote Access Security Policy

  32. Information Access Policy
  • Authorization for access to PHI-PII must be approved by a Division Vice President
  • Access to PHI-PII must be reviewed at least semi-annually
  • Access to systems must be modified when a workforce member’s needs change or as a result of a change in their role or job within
  • Separation of duties must be maintained. For example, individuals approving access must not also be administrators.

  33. Privacy-Security Request Form
  http://blueweb.bcbs.com/blueweb/Leaf?docId=14703

  34. Privacy-Security Request Form (continued)

  35. Technology Assets and Usage Policy
  • BCBSA technology assets are to be used for business purposes, must be protected from loss or misuse, and must be returned upon termination
  • Only software approved for use may be utilized, and only authorized IT Service Delivery personnel may install software or hardware
  • Non-BCBSA technology assets (for example, non-BCBSA laptops) may not be connected to the BCBSA Local Area Network
  • BCBSA-licensed software may not be installed on non-BCBSA technology assets

  36. PHI-PII Acceptable Use Policy
  • When PHI-PII must be utilized, only the minimum necessary may be collected, stored or transmitted
  • One-time or ongoing export of PHI-PII outside of BCBSA is prohibited unless its release is approved by a Division Vice President
  • Data must be encrypted in transit and when stored on laptops and removable media
  • PHI-PII must be de-identified for IT development & prototypes

  37. Release of PHI-PII Request Form
  http://blueweb.bcbs.com/blueweb/Leaf?docId=14703

  38. Release of PHI-PII Request Form (continued)

  39. Internet Acceptable Use Policy
  • Access to websites which contain offensive or disruptive content is prohibited
  • BCBSA business practices and work environment information must not be posted on personal or social networking sites
  • BCBSA reserves the right to block access to inappropriate sites, as well as personal e-mail and social networking
  • Use of Instant Messaging and Peer-to-Peer networks such as Skype, Limewire and Kazaa over the Internet is prohibited
  • BCBSA management reserves the right to monitor workforce member activity without prior knowledge of the workforce member

  40. E-Mail Acceptable Use Policy
  • BCBSA reserves the right to block attachments addressed to personal-type e-mail addresses
  • The use of the List Management System (LMS) to transmit PHI-PII is prohibited
  • While limited personal use of BCBSA e-mail is permitted, workforce members are expected to use e-mail in a professional and courteous manner

  41. Remote Access Security
  • All requests for remote access must be approved
  • Formal telecommuting arrangements involving set days per week must be approved by a Division Vice President and Human Resources
  • Workforce members must protect BCBSA-issued equipment from loss, and not allow use by others
  • Remote users must ensure that unauthorized viewing of PHI, PII or other BCBSA sensitive or proprietary information does not occur

  42. Application For Remote Access
  http://blueweb.bcbs.com/information_technology/attachments/IT_COMM_2009/IT_CSP_RemoteAccessRequestForm.pdf

  43. Policy 352: Telecommuting Arrangements
  • All employees who transmit sensitive information such as protected health information (PHI) or other Personally Identifiable Information (PII) as part of their job responsibilities must do so using the BCBSA LAN (J, H or I drive directories, BCBSA e-mail system, BCBSA printers)
  • The storage or transmission of PHI or PII through any other means is a violation of BCBSA policies, unless an exception is approved via the BCBSA Privacy-Security Request Form
  • Under no condition should PHI, PII or other BCBSA-sensitive data be stored on non-BCBSA equipment

  44. Policy Group #2: Technology Related Policies
  • Password and Userid Policy
  • File Shares Policy
  • Transmission Security Policy
  • Removable Media Policy
  • IT Equipment and Data Disposal Policy
  • Vulnerability Management & Malicious Software Policy
  • Information Security Audit & Logging Policy

  45. Password and Userid Policy
  • Each workforce member must utilize a unique userid/password
  • Passwords must not be divulged, and must never be displayed or stored in files unless access is restricted and the file encrypted
  • Passwords must not be dictionary words unless broken up with numbers or symbols:
    • Excellent: JaJwuth9, Dywtdlt1
    • Good: Wednes#day, Tuesd$ay
    • Poor: Password1 or September1
  • Passwords will expire once every 90 days
  • IT Local Admin, Service and Application accounts require 15-character passwords, with knowledge by only a small number of individuals
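
The three example rows on this slide encode a checkable rule: a dictionary word that is merely prefixed or suffixed with a digit (Password1) is still a dictionary word, one that is interrupted by a symbol (Wednes#day) is acceptable, and a non-dictionary string with mixed case and a digit is best. The following added example, written for this page rather than taken from BCBSA, turns those rows plus the 90-day expiry and the 15-character rule for privileged accounts into a policy check; the tiny word list, the `8`-character minimum for ordinary user accounts and the account-type names are this example's assumptions.

```python
"""Added example, not BCBSA tooling: grading candidate passwords against the
slide's Password and Userid Policy (dictionary words only when broken up by
numbers or symbols, 90-day expiry, 15 characters for privileged accounts).
The word list and the 8-character user minimum are this example's assumptions."""
import re
from datetime import date, timedelta

# Tiny constructed word list standing in for a real dictionary (assumption).
DICTIONARY = {"password", "september", "wednesday", "tuesday", "summer", "welcome"}

EXPIRY_DAYS = 90               # slide: passwords expire once every 90 days
PRIVILEGED_MIN_LENGTH = 15     # slide: Local Admin, Service and Application accounts
USER_MIN_LENGTH = 8            # assumption; the slide sets no explicit user minimum
PRIVILEGED_ACCOUNT_TYPES = {"local_admin", "service", "application"}  # assumed names


def _core_word(password):
    """Letters left after trimming digits/symbols from both ends: 'Password1' -> 'password'."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()


def _letters_only(password):
    """All letters with the separators removed: 'Wednes#day' -> 'wednesday'."""
    return re.sub(r"[^A-Za-z]", "", password).lower()


def grade_password(password, dictionary=DICTIONARY):
    """Return 'Poor', 'Good' or 'Excellent', following the slide's three example rows."""
    if len(password) < USER_MIN_LENGTH:
        return "Poor"
    if _core_word(password) in dictionary:
        return "Poor"            # dictionary word merely prefixed/suffixed (Password1)
    if _letters_only(password) in dictionary:
        return "Good"            # dictionary word broken up by a symbol or digit (Wednes#day)
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_other = any(not c.isalpha() for c in password)
    if not has_other:
        return "Poor"            # no number or symbol at all
    if has_upper and has_lower:
        return "Excellent"       # non-dictionary, mixed case, plus a digit/symbol (JaJwuth9)
    return "Good"


def password_expired(last_changed, today):
    """True once more than EXPIRY_DAYS have passed since the last change."""
    return today - last_changed > timedelta(days=EXPIRY_DAYS)


def required_length(account_type):
    """Privileged account types need 15 characters; everyone else the user minimum."""
    return PRIVILEGED_MIN_LENGTH if account_type in PRIVILEGED_ACCOUNT_TYPES else USER_MIN_LENGTH


def meets_policy(password, account_type="user", last_changed=None, today=None):
    """Check a password against the slide's rules; returns (ok, list of problems)."""
    problems = []
    need = required_length(account_type)
    if len(password) < need:
        problems.append(f"shorter than {need} characters for a {account_type} account")
    if grade_password(password) == "Poor":
        problems.append("dictionary word not broken up by numbers or symbols, or too weak")
    if last_changed is not None and password_expired(last_changed, today or date.today()):
        problems.append(f"older than {EXPIRY_DAYS} days; must be changed")
    return (not problems, problems)


if __name__ == "__main__":
    for candidate in ["JaJwuth9", "Wednes#day", "Password1", "Summer2010!"]:
        print(candidate, grade_password(candidate))
    print(meets_policy("JaJwuth9", "local_admin"))
```

Note that `_core_word` is what catches the common "season plus year plus punctuation" pattern (Summer2010!): trimming the digits and symbols from the ends exposes the dictionary word underneath, which is exactly why the slide rates Password1 as Poor while Wednes#day, where the symbol sits inside the word, is rated Good.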

  46. Peer Pressure

  47. File Shares Policy
  • Access to PHI-PII or other BCBSA sensitive and proprietary information within Application or Group File Shares (for example, J: and I: drives) must be limited
  • Under no condition may PHI-PII or other BCBSA sensitive information be stored on the G: drive
  • While workforce members may create directories and sub-directories within existing file shares, only authorized IT Service Delivery workforce members may create or modify file shares
  • BCBSA file shares may not be utilized for music, personal photos, illegal or inappropriate content

  48. Protect Information

  49. Transmission Security Policy
  • One-time or ongoing export of PHI-PII outside of BCBSA is prohibited unless its release is approved by a Division Vice President
  • The transmission of PHI or PII over open networks such as the Internet must be encrypted
  • Communication sessions for new IT applications containing PHI-PII, as well as for major upgrades for existing applications with PHI-PII, must utilize session encryption

  50. Securing E-mail Example