So we've talked about why we need HIPAA. We've talked about what HIPAA does, the two rules of HIPAA, the privacy rule and the security rule. Now we're going to talk about the how, and with the how we're going to focus specifically on the security rule,
because again the security rule requires that we have safeguards in place.
And we've already talked about the idea of a layered defense, or defense in depth. And I can't stress enough the importance of defense in depth. If you look back at notorious security breaches, whether they're related to health information or personally identifiable information or financial information,
what you'll find in many instances
is that the security team placed too heavy a focus on technical controls, perhaps, or on administrative controls or physical controls, and didn't have a balanced, layered response. So what we want to do is focus on all three: physical, administrative and technical. So as we move forward,
what do we think about as far as physical controls? What's included under this category?
What are we looking at? So the first piece is controlling the facility, who comes in and out. All right, so in many organizations that could be tricky, because we have to allow our patients to come and go freely. But we do also have to provide some sort of monitoring
or some sort of mechanism
to keep the general public out of restricted areas. So we've got to be able to limit that physical access. A lot of times when you, for instance, go into a hospital, you'll notice there's frequently a security guard.
But also certain of the more sensitive areas are behind locked doors, and you have to have certain access, whether it's a badge swipe or
being escorted in. So we need some manner to restrict physical access
to the sensitive areas. Next, workstation and device security. And this is getting more and more difficult each day, because what we're finding is many environments have, for instance, laptops or other forms of electronic equipment that's meant to be portable.
In many doctors' offices, you know, the physicians go from room to room, and they have iPads now
or some other tablet device. For a physician that's on call, there's a big benefit for them to take this sort of equipment home so that if a patient calls during off hours, they're able to access the medical record.
But again, we have to be very careful when we allow this electronic equipment to leave our office,
even when it's with an entitled individual or an authorized individual. You know, I live here in the D.C. area, and we've had instances where officials from certain government agencies that will remain nameless have left tablet devices or laptops on the subway,
you know. So again, we're still liable even in the event of an accident or a mistake. So we have to very strictly control access to these workstations and our devices. So how do we do that? Well, again, we have to show due care and due diligence.
That doesn't mean that the mechanisms we put in place will be foolproof.
They never are. And it would be absurd to insinuate you could do anything that's foolproof. But what we have to do is what's right. We have to do what's standard, we have to do what's mandated. So in relation to that, first of all, we have policies and procedures in place,
and those policies should specifically address
how workstations and other forms of electronic media are to be accessed. These policies should indicate what compliance looks like,
what noncompliance looks like, as well as any repercussions for being in noncompliance or for failing to maintain compliance with these devices. Acceptable use policies, for instance: if you have a laptop and you take it home, can you use it for personal purposes?
Well, I can assure you that I don't want someone with a laptop that has health care information
to be surfing the Internet at home,
right? What sort of physical security controls must be maintained on these devices as they travel with our providers, or with salespeople or representatives that have this access?
We also need policies and procedures in place regarding the health care information in all of its various forms. And again, we talked about while it's being transferred. What about being removed from the office? We just talked about that. Something that sometimes is overlooked is how this information
must be disposed of.
You know, it's not enough to wad something up and throw it in the trash can, and we all know that. Really, the only way to make sure that these remnants can't be used, that no information can be discerned from media that's been removed or media that's been used, is to
destroy the media. So we shred the papers and the documents once we no longer need them. For magnetic media, we may degauss hard drives, or we may incinerate them or physically shred the hard drive devices. However we have mandated it in our policy,
we need to make sure that our sensitive information,
even in the event that we're done with it, when we're ready to dispose of that information, we don't just wash our hands and say we're done here. We have to make sure that it's disposed of in a secure manner. And again, a lot of this is just good practical information for any type of environment that's going to be storing sensitive information.
I was reading an article
about one of the parades in New York City when the New York Giants had won the Super Bowl. And of course, they come right down through the heart of the city for the parade and their big homecoming and welcoming. And there's a lot of confetti. Well, if you think about what confetti
is made out of. Usually it's made out of shredded paper,
and there was an article about all the financial information that was recovered simply from sweeping up the streets and the confetti that was there, and how some of it was hardly even shredded. And it was easy to discern some of this information,
and I know that seems far fetched, but it's really not. This is what's actually happening,
and once again, I am liable as a provider or an associate to protect this information again. Our goal here is to protect information
in any means that it's stored, but certainly our electronic PHI, making sure that our media is secured. Now from physical security we move on to administrative security, and you can really sum up administrative controls or safeguards with these words:
policies, procedures, standards, guidelines,
training, auditing. All of those words really come back around to administrative control. So, some of the ways that we provide administrative safeguards and restrict access to this information: I've got a list of some ways that we can put administrative controls in place,
so, simply having a security management process.
And when we talk about security management, we could also talk about security governance, and the two are actually different. But they both indicate a top-down
control of security. Basically, when we talk about security governance, we have buy-in from the very top levels of the organization, and they determine our proper security posture, our general approach to security, what our tolerances are,
and they're usually getting those drivers directly from laws and mandates like HIPAA.
Then we move into security management. This is more the functional managers that figure out how to meet the governance standards set up by senior management. I hope that makes sense. But the bottom line, ultimately, is that our management needs to lead in the realm of security.
They need to put the proper processes, policies and procedures in place.
And in this case, we have to specifically have a security management process.
You know, for so long we've talked about, whether it's application development, for instance: does it work? Is it secure?
Well, we can no longer ask those as two separate questions. We have to start saying, does it work securely, or it doesn't work at all?
And that's true for all of our processes, whatever those processes are. It's not enough to put something in place that works. It has to work securely, and again that comes straight from management.
So what does the security management process come back to? Just like we talked about earlier: risk management.
And ultimately, really, if you talk about security, all security is, is managing risk, and risk management consists of those elements we talked about earlier. Risk assessment: identify your assets and figure out what they're worth.
Risk analysis: look at your threats and vulnerabilities. What's your potential for loss?
Risk mitigation: how can we, in a cost-effective manner,
mitigate the risks so that they fall within our tolerance level?
That's what security is. So we need a process in place where we assess,
analyze and respond to risks.
The other element of this is that we also keep in mind that risks are never one-time events. Well, let me reword that: risk management is not a one-time event. As in, I don't sit down, analyze for risk, put in a mitigation strategy, and I'm done. That was exhausting, right?
We are always looking at new risks, and we talked about earlier,
as part of the security rule, we have to stay up to date. We have to reasonably anticipate new risks on the horizon. So this is an ongoing process.
Now, we also need to respond by having specific security personnel in place, and one of the questions I always like to ask a group when I'm training is: who is responsible for security,
who's responsible for the security of an organization? And the answer I get most often is everyone
that's actually not true.
Senior management is responsible for the security of an organization.
Now people say, what? You know, I've always heard everyone's responsible. Don't I have responsibilities? Yes. Senior management is responsible for setting the policies and procedures in place. My responsibility as an employee is to follow the policies and procedures as set out by senior management,
and really think about that. Ultimately, if there's a breach of confidentiality of data,
I just answer the phone.
I'm not getting, you know, the fine under HIPAA. I'm not held liable. So when we think about who's at fault, think in terms of liability, okay? So it comes down to senior management.
The other thing to think about in relation to this issue is
if I say everyone's responsible,
what I'm really saying is no one's responsible.
So, for instance, I've got a classroom of 30 people, and I say you're all responsible for making sure the lights and the projector get turned off at the end of class.
We all leave and nobody turns off the lights or the projector. I come in the next morning, and the lights and the projector are burnt out.
Who's really responsible for that?
Well, it's the instructor. I'm probably the one that's going to wind up being responsible.
So when I say everyone is, there's no one to blame. There's no one to audit. And again, this really isn't so much about blame. It's about ensuring what needs to happen happens. So what we want to do, as senior management, is make sure that there is a particular and well-specified security official in place,
somebody who's skilled and knowledgeable in risk assessment,
as well as the current threats that would exist in the world of protected health care information or protected health information.
Their job is going to be to figure out what those policies should be, to develop those policies, to implement them and make sure that they're audited. Next, information access management.
So the privacy rule again states that we have to limit the disclosure of protected health information
to the minimum necessary. Now, we'll talk about that idea of minimum necessary; that's coming up on the next slide or two. So ultimately, you know, how can I make sure that only the bare minimum of information is accessible?
The more information I have accessible to more people,
the greater the vulnerability I have. So we want to limit that. I also need access control procedures in place, and by access control, what we do is we try our best to limit what a subject can do with an object.
So I, a user, can access a file; that would be the object. So that's access control. But we also have to think about processes or systems being subjects as well. So we need a comprehensive strategy in place for all subjects. We need to make sure,
when we talk about access control, that we have a way of validating that subject's identity
and making sure that they're authorized to access what they're requesting. Now, workforce training and management. So once again, this comes from having the proper policies and procedures written. We train our workforce on those policies and procedures,
and then we audit to ensure compliance with those policies and procedures.
And then we offer retraining as necessary. And that's really the management piece. It's not enough to put policies in place. We have to make sure they're being followed.
So that goes hand in hand also with evaluation.
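As an added example (not from the lecture), tying together the access control, minimum-necessary and auditing points above: a small Python policy check where subjects, including a batch process, are first authenticated, then shown only the PHI fields their role needs, with every decision logged for later audit. The roles, subject names, passwords and record values are constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample PHI record; every value is a placeholder, not real patient data.
RECORD = {"patient_id": "P-0001", "name": "Sample Patient", "diagnosis": "sample dx",
          "billing_code": "99213", "insurance_id": "INS-0001"}

# Minimum-necessary policy with hypothetical roles: each role sees only the fields it needs.
# The claims batch job shows a process acting as a subject, with its own narrow field set.
ROLE_FIELDS = {
    "physician": {"patient_id", "name", "diagnosis"},
    "billing_clerk": {"patient_id", "name", "billing_code", "insurance_id"},
    "claims_batch_job": {"patient_id", "billing_code", "insurance_id"},
}
SALT = b"constructed-demo-salt"  # a real credential store uses a random per-subject salt

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed credential store: subject id -> (role, password hash). Names are hypothetical.
CREDENTIALS = {
    "dr_lee": ("physician", _hash("demo-pass-1")),
    "claims_job": ("claims_batch_job", _hash("demo-pass-2")),
    "visitor": ("guest", _hash("demo-pass-3")),  # can log in, but has no PHI entitlement
}
AUDIT_LOG = []  # every decision, allowed or denied, is recorded so compliance can be audited

@dataclass(frozen=True)
class Subject:
    identity: str
    role: str

def authenticate(subject_id: str, password: str):
    """Validate the subject's identity: return a Subject, or None (and log the failure)."""
    entry = CREDENTIALS.get(subject_id)
    if entry is None or not hmac.compare_digest(entry[1], _hash(password)):
        AUDIT_LOG.append(("auth_fail", subject_id))
        return None
    return Subject(subject_id, entry[0])

def access_phi(subject: Subject, record: dict):
    """Authorize access: return only the minimum-necessary fields, or None if none are allowed."""
    allowed = ROLE_FIELDS.get(subject.role)
    if not allowed:
        AUDIT_LOG.append(("deny", subject.identity, record["patient_id"]))
        return None
    view = {k: v for k, v in record.items() if k in allowed}
    AUDIT_LOG.append(("allow", subject.identity, record["patient_id"], tuple(sorted(view))))
    return view
```

The audit log is what the evaluation step reviews: it shows not just who was denied, but exactly which fields each subject was granted.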