April 23, 2014
Must score 89% or above.
If you score below 89%, we will be contacting you to go over the material individually.
What is it?
Electronic Protected Health Information
There are 18 specific types of identifiers covered as part of electronic protected health information, including patient names, addresses (if more specific than the state of residence), dates related to the individual, phone/fax numbers, Social Security numbers, email addresses, fingerprints or photographic images, claim numbers, health plan numbers, license numbers, web or IP addresses, device serial numbers, etc.
The rule of thumb is: personally identifiable information (PII) that is created or received by a health care provider, health plan or health care clearing house and relates to the past, present, or future physical or mental health condition of an individual; the provision of health care to the individual; or past, present, or future payment for health care to an individual.
For Ohio workers’ compensation, the guidelines are a bit different and are outlined as part of the BWC’s Sensitive Data Policy, available in the MCO Resources folder for all MCO employees. See the grid (3.2) for details.
Criminals will attempt to pose as an individual who should have access (such as a coworker, patient, or vendor) in order to extract information or gain access to systems or facilities.
This becomes more of a consideration post-merger, as employees won’t know everyone in the organization.
Examples:
Someone embroiders “OBM” on a polo, gets entry to the office, and takes printed jobs from the copier that include SSNs for use in ID theft.
You get a call from “IT” stating that you need to visit a website to install a program update, but this program actually captures everything that you type, including passwords, and relays them to the criminals.
A “relative” calls in and requests information about the treatment of an injured worker.
You should verify any requests for information or access through channels known prior to the request.
For instance, call a member of IT at their internal extension and ask them to verify the copier service call, software installation, etc.
Calling a number provided by the person requesting the information is not sufficient.
Information should only be discussed or disseminated on a need-to-know basis.
Under no circumstances should you share details about a specific individual’s case or treatment with other employees unless it is necessary to perform the services we provide.
Be particularly careful with social media.
Could photos taken in the workplace contain information about an injured worker, for instance?
Don’t be an idiot.
Basic security practices
AntiVirus/AntiSpyware – active subscription
Firewall – OS default or purchased
Automatic Updates (Windows, Adobe, Java, etc.)
Do not save any passwords related to company network access (VPN or Remote Desktop)
Exercise caution when online. Do not attempt to install any unfamiliar programs.
Home wireless networks must use a passphrase with WPA/WPA2 encryption.
Can you send encrypted emails from a smart phone?
This is now possible using subject tags.
Force Encryption equivalent:
*Confidential: Claim Number 07-823xxx
Bypass Encryption equivalent:
*Nonsensitive: Educational Presentation on TBI
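The subject-tag rule above is a blunt instrument: the bypass tag turns encryption off for the whole message no matter what follows it. The added example below (not part of the training deck) models the gateway decision for the two tags and flags a subject that carries the bypass tag yet still looks like it contains a claim number or SSN. The claim-number pattern (two digits, dash, six digits, modelled on the deck’s “07-823xxx”) is an assumption for this example, not the BWC’s definition.

```python
import re

# Tags as given in the deck; matching is case-insensitive and ignores leading spaces.
FORCE_TAG = "*confidential:"
BYPASS_TAG = "*nonsensitive:"

# Assumed patterns for this example only (not the BWC's or HIPAA's definitions):
# a claim number shaped like the deck's "07-823xxx", and a US Social Security number.
EPHI_PATTERNS = {
    "claim number": re.compile(r"\b\d{2}-\d{6}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def encryption_decision(subject):
    """Return 'encrypt', 'plaintext' or 'default' from the leading subject tag."""
    s = subject.strip().lower()
    if s.startswith(FORCE_TAG):
        return "encrypt"
    if s.startswith(BYPASS_TAG):
        return "plaintext"
    return "default"          # gateway applies its normal (content-based) rules


def review_subject(subject):
    """Return (decision, warnings). A warning means the tag and the content disagree."""
    decision = encryption_decision(subject)
    found = [name for name, rx in EPHI_PATTERNS.items() if rx.search(subject)]
    warnings = []
    if found and decision == "plaintext":
        warnings.append("bypass tag used but subject contains " + ", ".join(found))
    elif found and decision == "default":
        warnings.append("untagged subject contains " + ", ".join(found)
                        + "; add *Confidential:")
    return decision, warnings


if __name__ == "__main__":
    # Constructed sample subjects; 07-823456 and 123-45-6789 are made-up values.
    for subj in ["*Confidential: Claim Number 07-823456",
                 "*Nonsensitive: Educational Presentation on TBI",
                 "*Nonsensitive: Claim Number 07-823456 treatment notes",
                 "Re: SSN 123-45-6789 correction"]:
        print(repr(subj), "->", review_subject(subj))
```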
Please note that texting is not considered a secure method of transmission. You should never text sensitive data/ePHI.
Ultimately, it is your responsibility to protect company information that may be retrieved via and stored on a mobile device.
We currently require a lock screen with password for remote e-mail access.
This is good practice in general.
Any lost or stolen device should be immediately reported to IT.
Outside of normal business hours, call (216) 468-0452.
This same procedure applies to any equipment used to access company computing resources or facilities, including key fobs/access cards/badges, laptops, etc.
DO NOT under any circumstances send an unencrypted e-mail containing ePHI to any external address. This includes your own personal accounts with Yahoo!, Gmail, etc.
Avoid the use of these public messaging systems (webmail, Facebook, WhatsApp, etc.) for any work-related correspondence.
Do not use public terminals to access company systems.
Do not use your work e-mail address to sign up for social media accounts or other offers unrelated to the workplace.
Post-merger, this will include LinkedIn.
Double or triple check the recipients before sending an e-mail or fax, especially if you added them through autocomplete. There may be similarly named people in your recent contacts of whom you are not aware.
A common technique for gaining access to accounts is phishing.
Example: You may receive an e-mail claiming to be your bank with a link to verify a transaction, but the link goes to chase.co (or chase.com.ru) instead of chase.com.
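The lookalike domains in the example above are the point to check before clicking. The added example below (not part of the training deck) shows the check a mail filter or a careful reader applies: take the host a link really points at and ask whether it is the expected domain or a true subdomain of it, reporting the two tricks the deck names (a swapped top-level domain such as chase.co, and the real domain used as a prefix of an unrelated one such as chase.com.ru). The `198.51.100.7` and `login-chase.example` links are constructed samples.

```python
from urllib.parse import urlparse

def link_host(url):
    """Return the host a browser would actually connect to for this link."""
    if "://" not in url:
        url = "http://" + url            # bare hostnames as pasted from a message
    host = urlparse(url).hostname or ""   # hostname drops "user@" tricks and ":port"
    return host.rstrip(".").lower()


def belongs_to(host, expected):
    """True only for the expected domain itself or a real subdomain of it.

    The leading dot matters: 'notchase.com' must not pass as 'chase.com'."""
    return host == expected or host.endswith("." + expected)


def classify_link(url, expected="chase.com"):
    """Return (verdict, host); verdict is 'ok' or a short reason to distrust the link."""
    host = link_host(url)
    if belongs_to(host, expected):
        return ("ok", host)
    if host.startswith(expected + "."):          # chase.com.ru
        return ("lookalike: expected domain is only a prefix", host)
    name = expected.split(".")[0]
    if host.split(".")[0] == name:               # chase.co
        return ("lookalike: same name, different top-level domain", host)
    if name in host:                             # login-chase.example
        return ("lookalike: expected name embedded in another domain", host)
    return ("unrelated domain", host)


if __name__ == "__main__":
    # Constructed sample links; the first four follow the deck's example.
    for link in ["https://chase.com/verify", "https://secure.chase.com/login",
                 "http://chase.co/verify", "http://chase.com.ru/verify",
                 "http://chase.com@198.51.100.7/verify",
                 "http://login-chase.example/verify"]:
        print(link, "->", classify_link(link))
```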
Spear phishing may include personal information gleaned from public sales-related mailing lists or hand-compiled.
These threats can come in as seemingly harmless documents such as PDFs and may actually come from known sources.
You should always verify unexpected attachments through other means, such as by phone, before opening.
Can arrive through e-mail attachments or from suspicious websites.
Runs under your own account, meaning that it doesn’t need administrator rights to install and has access to all of the same files and folders that you do.
A new approach in the last year is to find all documents on the local machine, shared drives, and any other network locations it can discover and encrypt them with a key known only to the criminals.
Users are given a short window (2 to 3 days) to pay a ransom of about $300 to $1000 to get the key to decrypt these files before the attackers delete the key and the documents are lost for good.
Backups are useful only if the files on the backups are prior to the infection; otherwise, they will also be encrypted.
You are responsible for authorizing access to files and folders and for requesting changes to an employee’s current role assignment based on changing job duties.
The employee is not allowed to request access for themselves.
Must be logged by the supervisor in the help desk as an Access Auth/Deauth request.
On termination, you are responsible for reviewing the terminated employee’s e-mail to determine if any items need to be addressed or saved.
Should be completed within two weeks of termination.
The entire database can be archived to encrypted media at the supervisor’s request if absolutely necessary. Our new archiving solution makes this less necessary.
Access to the building is to be limited to contractors, vendors and visitors whom the company knows or can vet. Each guest will be required to sign in and fill out a form.
Your door code is unique to you and should never be shared with any other person, employee or not, under any circumstance.
Building keys and fobs should not be loaned to anyone, and any lost or stolen keys must be reported immediately to the Privacy Officer.
Any unknown guests must be left in the hallway until their name and the purpose of their visit have been verified and they are cleared to enter.
All doors must remain locked at all times. Do not “temporarily” leave a door unlocked, even if you intend to return in “just a moment.”
What is a security incident?
Evidence of virus, trojan, worm, malware, or other malicious code activity, either through explicit alerts from protection software or through suspicious or unusual system behavior
Denial of service attacks or other intrusion alerts, often reported by protection software
Any realized or attempted unauthorized access to systems, files, and data
Hardware or data theft
Illegal activity or ethics violations
Intentional sabotage to computer systems, websites, or other data
Data misuse or unauthorized disclosure
Infliction of physical damage on computing equipment
Disruption of service
When a breach of Protected Health Information (PHI) is discovered or is thought to have happened
What does the employee need to do?
Tell your immediate supervisor, the Privacy Officer (Megan), and the Security Officer (Ted) immediately.
What does the supervisor need to do?
Communicate with Ted regarding the existence of the potential security risk
Contact Megan in the event of suspected illegal activity
What does IT do?
They will perform an initial assessment and log it in the Help Desk application as a Security Risk
Senior management will be copied if business operations are affected
They will perform mitigation and remediation steps, logging the outcome in the Help Desk
What are our notification requirements?
Based on several assessment factors
The nature and extent of PHI involved
The unauthorized person that received the information
Whether or not the data was actually viewed or if the opportunity merely existed
The extent to which the risk was mitigated
If the assessment doesn’t indicate a low risk of compromised data, the following must be done under HIPAA:
Individual notification
Media notification
Notification to the Secretary of HHS of breaches of unsecured PHI, within different timeframes based on the number of individuals involved (>= 500 or < 500)
HB 104 in Ohio also has reporting requirements based on the expectation that a real or suspected breach may cause identity theft or fraud for specific data types:
name and federal identifiers (SSN/Tax ID/EIN)
name and state identifiers (Driver’s License or other state ID)