DRAFT

Version 5: 12/20/2007

Based on Final Security Rules

HIPAA COW

SECURITY NETWORKING GROUP

PORTABLE MEDIA WHITE PAPER

Disclaimer

This Portable Media White Paper is Copyright © 2007 by the HIPAA Collaborative of Wisconsin (“HIPAA COW”). It may be freely redistributed in its entirety provided that this copyright notice is not removed. It may not be sold for profit or used in commercial documents without the written permission of the copyright holder. This document is provided “as is” without any express or implied warranty. This document is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. HIPAA COW has not yet addressed all state pre-emption issues related to this Portable Media White Paper. Therefore, this form may need to be modified in order to comply with Wisconsin law.

Table of Contents

I. Introduction 2

A. What is Portable Media? 2

B. Why Develop a Portable Media Protocol/Policy? 2

C. Objectives of Establishing a Protocol for Securing Portable Media 5

D. Applicable HIPAA Security Rule Standards 5

II. Definitions 5

III. What Needs to be Included in a Portable Media Security Plan 6

A. Identification of Portable Media 6

B. Source and Security of Portable Media 8

C. Portable Media Loss 11

D. Portable Media Loss Contact Process and Information 11

E. Media/Public Relations 12

F. Related Organizational Policies 12

G. Securing/Encrypting/Password Protection 13

H. Law Enforcement/Government Agency Contact Information 13

References and Resources 14

APPENDIX I 15

Portable Media Inventory 15

APPENDIX II 16

PORTABLE MEDIA LOSS REPORTING FORM 16

APPENDIX III 18

Sample Procedure for Document Password Protection 18

Note: This information has been developed to address information systems (IS) portable media use and management as a separate issue. It is important that the organization’s IS portable media processes can be carried out as an integrated element of ongoing security for organizational data, and as a component of organizational operations.

I.  Introduction

A.  What is Portable Media?

Portable Media, for the purposes of this paper, is defined to include any device or media which are easily portable or transported from place to place by an individual. Examples include but are not limited to:

·  Computer laptops, tablets and other portable computers

·  Personal Digital Assistant(s) (PDA) (e.g. Palm OS®, Windows CE®-based devices)

·  Flash, Universal Serial Bus (USB) or “thumb” drives

·  MP3 players (e.g. iPod®)

·  BlackBerry® and similar devices

·  Cell phones, mobile phones, pagers and similar devices used for or capable of sending/receiving text messages and/or e-mail messages

·  Portable hard disk drives

·  Zip disks, CDs, DVDs, Optical Disks, Diskettes, Magnetic Tape and similar media

·  Portable dictation devices, whether digital or analog

·  Digital cameras, whether still or video; cell phones, BlackBerry® and similar devices capable of taking and/or storing digital images, whether still or motion; and analog cameras and the film contained therein. Note: Each organization is responsible for establishing separate policies for the creation, maintenance, use, storage and overall management of images acquired through these devices. This white paper is not the venue for those policies.

Use of data on such portable media may include but not be limited to:

·  Transportation

·  Transmission

·  Backup/archiving

·  Use at another location, off campus from the source

·  Use on another workstation on or off campus

·  Data capture and storage relative to patient care

B.  Why Develop a Portable Media Protocol/Policy?

Healthcare and business practices today increasingly take the employee outside the realm of the “secure” organizational buildings and network. This raises the risk, and the stakes, of potential loss or theft of PHI or other organizationally sensitive information.

A variety of headlines in the recent past have drawn attention to the challenges organizations face in securing portable media, particularly laptops. Examples taken from the media around the time this white paper was authored include the following. Note in particular that security practices organizations have preached for several years were not followed in many of these incidents.

Austin, Texas, police are investigating after security cameras captured video of the thief carrying out a laptop and a projector from a Seton Family of Hospitals office.

http://www.informationweek.com/showArticle.jhtml?articleID=197008711

Health Care Firm Recovers Stolen Laptop

“The data on the Dell laptop was encrypted and password-protected, according to a statement from William Beaumont Hospital in Royal Oak. But the car theft, which occurred Aug. 5 in Detroit, caused particular concern among hospital officials, because the affected employee's ID access code and password were written on a piece of paper that was taped to the inside of the stolen PC.”

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002765

HIPAA Compliance Strategies

2006's 10 Biggest Health Care Security Breaches

Reprinted from the December 2006 issue of REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

The following link summarizes 10 events from 2006. These include misplaced CDs containing patient information and the theft of a laptop from a Veterans Affairs employee’s home.

http://www.aishealth.com/Compliance/Hipaa/RPP_2006_Security_Breaches.html

Sick Kids doctor loses data on 3,300 patients

“Six weeks after Ontario's privacy commissioner ordered the Hospital for Sick Children not to remove electronic health records from the hospital, a doctor lost an external hard drive containing such records at the country's busiest airport.

The physician, who was traveling to a medical conference, packed the external hard drive so he could work while away. Though airport security was notified and a search conducted, it was never recovered.”

Megan Ogilvie, Health Reporter, Aug 31, 2007, 04:30 AM

http://www.thestar.com/living/article/251904

Beyond laptops and compact disks (CD), portable media have become ubiquitous in the workplace, whether provided by the employer, or brought to the workplace by the employee. In the past 3 years, USB memory flash drives have fallen in price from approximately $100 for 128 kilobytes of storage to less than $20 for 2-4 gigabytes of storage. Such devices are frequently provided as “gifts” at conferences.

Use of these devices is as easy as plugging them into an available USB port on any computer in the work setting and copying files and other data to the locally installed device. Organizations are typically reluctant to disable USB ports, as they are commonly used to connect devices such as bar code readers and local printers, and may be needed in the course of business for tasks such as software installation and making backups. The replacement of traditional workstations by laptops, both corporate and personal, is a growing trend, particularly among providers with offices in multiple locations who require the convenience of portability. Further, staff, executives and consultants have come to depend on portable media in the daily performance of their responsibilities.

Organizations need to establish a policy on Portable Media and educate their staff on its appropriate use. Part of this policy and education must be that personally provided Portable Media follows the corporate standards for security and confidentiality, including the organization’s right to install security safeguards on all such media.

Key references related to Portable Media include:

  1. An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST Special Publication 800-66, http://csrc.nist.gov/publications/nistpubs/800-66/SP800-66.pdf, accessed April 2007.
  2. HIPAA Security Guidance, Department of Health and Human Services, USA, http://www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806.pdf, accessed April 2007.
  3. Managing Sensitive Electronic Information (SEI), A Security Policy Template developed by the Mobile Memory Task Force of the NCHICA Privacy and Security Officials Workgroup on Portable Devices and Removable Media, August 6, 2007, http://www.nchica.org/HIPAAResources/Samples/Portal.asp, accessed October 15, 2007.

C.  Objectives of Establishing a Protocol for Securing Portable Media

The objectives of securing Portable Media derive from the basics of securing all media containing electronic protected health information (ePHI). The particular challenges of portable media focus on:

i.  Providing the organization with a framework within which portable media may be securely used in the workplace.

ii.  Minimizing possible adverse outcomes from loss or theft of devices containing ePHI or other protected information, particularly when such data is unsecured.

iii.  Establishing within the organization an understanding of the opportunity and responsibility of appropriate use of portable media, and establishing the basis of education related to the use of such devices.

iv.  Outlining for organizations options for, and guidelines related to, appropriately securing ePHI stored on portable media.

v.  Protecting the public image and credibility of the organization against the adverse effects of loss of ePHI on portable media.

vi.  Determining the organizational position on portable media that is personally owned or otherwise not provided specifically by the organization for business purposes.

Each organization will need to determine Portable Media guidelines and practices appropriate to its needs.

D.  Applicable HIPAA Security Rule Standards

i.  Health Insurance Reform Security Standards 68 FR 8334.

ii.  Preamble to the Security Standards: Final Rule, Federal Register, Vol. 68, No. 34, Thursday, February 20, 2003, p. 8361.

iii.  Organizations should establish and publish a disclaimer that all data and information contained on portable media are provided the same due diligence and protection as all protected health information, regardless of source. Information that is not PHI is afforded the appropriate level of protection as other organizationally sensitive or confidential data and information (e.g. financial).

II.  Definitions

A.  Portable Media – Please reference list on Page 2 of this document.

B.  Encryption of Data: The process of altering or obscuring data, through the use of keys, to prevent its being viewed.

From The Columbia Encyclopedia, Sixth Edition (2007), http://www.encyclopedia.com/doc/1E1-dataencr.html:

“data encryption: the process of scrambling stored or transmitted information so that it is unintelligible until it is unscrambled by the intended recipient.”

C.  Password Protection of Data: Establishing a password assigned to a specific document or file, preventing read or write access without the password.

Another approach to “securing” individual Microsoft documents (e.g. Word documents, Excel documents) is to apply the Microsoft-provided “password” protection to these documents. These passwords may be applied at various levels, allowing some users to “read” but not “edit” documents. Users are cautioned in undertaking this approach: the selection of document-specific passwords is at the discretion of individual users, may not comply with organizational policies on password standards, and such passwords may be easily forgotten. Historically, forgetting a Microsoft document password effectively left the document permanently “secured”; there are now a variety of tools available that may be used to help recover a forgotten password. As with the above encryption discussion, these various solutions are not listed here, again because of the dynamic nature of the industry.

D.  ePHI: Electronic Protected Health Information

E.  Loss Incident: An event in which a portable media device is lost or stolen.

F.  Disclosure Incident: A loss incident during which ePHI or other protected or proprietary information that was not appropriately secured is released.

III.  What Needs to be Included in a Portable Media Security Plan

When developing a Portable Media Security Plan/Policy, a recommended approach is to assess the various device types, data classifications (e.g. audio, images, textual), users of Portable Media, and data types (e.g. clinical, financial), and to structure the organizational policy around these defined elements. Attention should be paid to the various portable media involved, based in part on the working environments, staff involved, and other organization-specific circumstances.

Also identify which critical systems, if not all systems, are supported at alternate sites. Are there resources available to support all systems, or only critical ones? Test the sites to verify they support the systems (with backed-up data), should your main facilities be down on an ongoing basis.

A.  Identification of Portable Media

This section addresses business needs where portable media have become a natural and critical part of the work environment. In each case, organizations need to assess the impact of initial device cost, the cost of securing and managing devices, the risk of use/loss, the cost of not providing devices, and the associated challenges of self-provided portable media devices.

i.  Overview and Work Environments

1.  Mobile Work Environment: Organizations such as durable medical equipment sales and support, visiting nurse associations, home health agencies, and providers functioning in on-call roles while traveling on business or personal time frequently establish a mobile office for their staff, providing them with a cellular phone, BlackBerry® or similar device, as well as a laptop. The combination of these devices is literally a portable office, removed from the relative security of an organization’s network. Additionally, executives and managers who spend the majority of their business day in meetings frequently find it necessary to take work home. In all cases, various elements of PHI or organizationally sensitive data are part of the environment. Devices provided to enable this mobile work force need to be appropriately protected, including passwords and encryption of data. Additionally, it may be prudent to have all such devices returned to the corporate offices on a “regular basis” to ensure appropriate levels of security are maintained/refreshed and, where appropriate, to have locally stored data “backed up” on the organizational network.

2.  Executive Work Environment: A hybrid instance of the Mobile Work Environment exists with executives who have “home” offices but are frequently traveling on business, whether locally (e.g. clinic to clinic, clinic to hospital) or nationally. This travel may include the presentation of papers at conferences, where the presentation is stored on the same device as the quality initiative spreadsheet currently being developed by this executive. Laptops and portable memory media used by these individuals, in the office one day and on the road the next, need to have an easily employed encryption methodology incorporated in them. Additionally, good business practice supports backing up the portable media on a regular basis.