User Responsibility and Meaningful Use

00:00

Welcome back, you cyber clowns of compliance. And this is less than 1.5 of the implementing a HIPPA compliance program for leadership series. And this lesson is on the most hated. I mean, sorry. I mean favorite entity in our network. Our users hands down the biggest reason why we and I t have a job

00:16

because we haven't figured out how to fix our users. Instead, we have to fix the carnage or user clowns have created

00:21

in our once peaceful and serene network. So if you're ready, let's get our clown noses on.

00:27

So in today's lecture, we're gonna quit clowning around and trainer and users about their responsibilities with pH I e. P. H. I know firewall can protect an organization from employees sharing a file or telling a friend about a procedure they assisted with end users will always be your strongest control way better than any firewall you'll ever deploy.

00:44

But also they're going to be the your organization's biggest security vulnerability for not diligent about training your end users

00:50

and adopting into the core values of your organization, the governing principles of privacy. We look closer at the individual's rights regarding their health information so we can balance the individual's rights and consent around health information privacy with the rights of a covered entity and specifically, what? A user of the network healthcare provider in your hospital?

01:08

What are their responsibilities to protect the confidentiality, integrity and availability of protected health information?

01:14

And then we will review a sample user PH. I training program that you might initiated your hospitals CSO or Chief privacy officer.

01:23

So I want to take a different approach to our end users and P. H. I, one of the health care organizations that support is a security consultant and virtual sea. So while they recently had a clean desk review by an outside third party security auditor, this hospital still had paper or physical patient records and locked file cabinets across their campus.

01:38

But there were several instances where the keys to those locked file cabinets were sitting right on top of the cabinets.

01:44

That makes a lot of sense. Nurses and health care providers while they were using complex passwords. So that's great when accessing the organization's electronic health record system, their HR. But many of the networks users while they're writing their passwords on sticky notes and putting those notes under their keyboards. Well, it's not too hard to find

02:00

and access somebody's protected health records with that kind of physical security in place.

02:05

And in several instances where either access to file cabinets or their servers and computers were e P h. I will. Those areas were protected by security key cards. Well, that's great. But when users were letting tailgaters, friends or even there are auditors who pretending to be with the hospital staff

02:21

well, thes people were letting tailgaters, letting them right in behind them using their key card.

02:24

The point is that you can have the best video camera system and key card access system, the security technical controls in place, but it will always come down to the users to follow security policy and to use those controls effectively. Therefore, your users or your strongest lengthen the security chain or your weakest

02:40

every safeguard you implement. To protect pH. I needs to have an employee acceptable use policy

02:46

stating the organization's acceptable use behavior. You as a leader in your hip, a program you need to understand your hip of security and privacy controls and the underlying human element for each of them, which are your greatest risks.

02:59

So let's break this down for your compliance clowns, your health care, professional and new use and share ph I in your day to day patient care experience. So what types of data do we need to care about? Well, it breaks down like this from the HIPPA privacy rule perspective. Health information is any identifiable health information that is transmitted in any format, such as on paper on the computer,

03:17

even over the telephone between you and the patient. Any format in any way,

03:22

well, that identifiable health information must be kept private from the hippest security rule perspective. Well, the security rule on Lee cares about pH. I that has maintained an Elektronik format. So the security rule aims to protect electronic health records. And the privacy rule aims to protect the privacy of pH. I in any format. And there's another type of data

03:40

called individually identifiable health information, a k A. Personally identifiable information, or P I

03:47

and P II includes demographic data like your full name, your parents name, date of birth, place of birth, your Social Security number. So data that identifies you personally as an individual, but maybe doesn't include medical information like you have a sore throat. Well, that's P II. And the health care industry has an even cooler term of data.

04:05

A type of data they call de identified data

04:08

well, that is someone's P II, but they've taken 18 specific data fields and have redacted them in a certain way, making the subject unidentifiable. So it's PH I and P II in any format. E, p, h, I and G, P II and electronic format. This really cool data called De identified data and well, that's the stuff that are

04:28

users on a day in and day out basis need to protect

04:30

and work with on a daily basis.

04:33

So now we can get to the rial care and feeding of pH. I from an individual's personal responsibility perspective, our job and hippest security is to protect patient records that have P. H I. R P I, and any format. Unless the information sharing is permitted by the hip of privacy and security rules, or when the individual has

04:50

consented and gives permission to access record or records

04:54

within a specific scope and a specific timeline, the laws will always lean towards the rights of the individual. With two exceptions, the individual not be granted access to psychotherapy, notes or records and medical artifacts that are being compiled with a reasonable anticipation for use in a criminal or civil proceeding.

05:12

So this is the day in the life of a health care professional

05:15

who is part of a delivering amazing patient. Care also needs to provide the same level of exceptionalism to the care and feeding of pH I.

05:23

So if the slide looks familiar, well, you saw three slides ago, but for now we're gonna pivot from identifying the safeguards toe, actually applying those safeguards to our users.

05:32

So rather than break all of this down now, we're gonna be covering each of these components in their very own lecture. But I want to give you an example of a question and auditor might ask you as a leader implementing a hippo program, does your workforce training address topics such as not sharing passwords with each other or writing passwords down and leaving them in open areas? So for now,

05:50

no matter what training method do you use to empower your employees with

05:54

ph. I experts say that with any learning people really won't retain it unless they hear it or see it three times. So security awareness training is not a sprint, but a marathon repetitive in multiple formats until it becomes like the knowledge managers and lectures on critical thinking teach you. First you have the data, then it becomes information. And then finally, for the student,

06:13

it becomes knowledge.

06:15

So the key components of an employee training program are rooted on three key elements that are the responsibility of the employees and two elements that air that your responsibility is their leader. And security user training needs to be rooted on a firm foundation of understanding user responsibility regarding patient privacy and PH I from that.

06:33

What is the user responsibility regarding the organization's acceptable use policy when handling PH. I

06:39

in patient records in and out of your organization and across your organization to partners via your business associate agreements, And then you have to have courses in your clown college regarding risk and awareness of all various social engineering methods, hackers and threat agents used to extract valuable pH I

06:57

from email phishing attacks to phishing attacks over the telephone

07:00

where the threat agent pretends to be your manager of I T. And starts asking for your passwords to tailgating through your physical security. All of it. Then you're what you're going to perform our social engineering testing exercises by performing your own internal email, phishing attacks against your own employees, your own phishing attacks, email, click bait,

07:18

even your own physical clean desk reviews, looking for any open and available patient information,

07:24

UN employee desks or ways to access their computers. And then you repeat this over and over. Always diligent being the end goal is that security and enforcing patient privacy has now become a core element of the corporate culture and in the organization's DNA.

07:40

We can't get a degree, a clown, college and administrative juggling arts without passing a few exams. So let's get this quiz question started.

07:46

What PH. I does. The HIPPA privacy will protect and what Ph. I does the hip a security will protect and for extra credit and a backup clown nose in case another bozo punches you in the face. What is de identified? Data So hit Pause. Make a note of your answers. Refresh your clown makeup because you know what, getting punched in the face. Well, it kind of hurts,

08:03

but it makes you look like you're crying all the time, so it resume

08:07

and we'll review our answers.

08:09

So the HIPAA privacy rule protects individually identifiable information in any form, including written paper records and telephone conversations. The security world protects E. P. H I Onley and focuses big time on the technical controls to do so and for the clown nose. Extra credit de identified data

08:26

is data has had enough of the 18 fields of data redacted.

08:31

So when someone views the record while identifying the individuals not possible. So nice work, you cyber clowns. Great job.

08:39

So in today's lecture, we talked about user responsibility and understanding what our role is to protect ph I and having an understanding of what the patient rights are to access and disclose their records. Maybe we could start protecting pH. I now and trained others to follow in our footsteps, and we reviewed employee training and social engineering testing.

08:56

In our next lecture. We're gonna define what our data breaches and what our legal obligations are

09:00

under HIPPA to notify individuals, the press and the U. S. Department of Health and Human services and their clown nosy secretary.