HMIS 101: MODULE 4
In-Depth Security and Privacy
SPONSORED BY: U.S. DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT
HMIS System Administrator Training Series

Partners
• Jeff Ward, Abt Associates, Inc.
• Kat Freeman, The Cloudburst Group
• Natalie Matthews, Abt Associates, Inc.
• Chris Pitcher, The Cloudburst Group
Purpose
• Provide HMIS System Administrators, end users, CoC representatives, consumers, and federal, state, and local partners with a basic understanding of:
  – In-Depth Privacy and Security

Webinar Format
• This training is part of a series of trainings that will provide new staff with the basic information needed to operate or participate in an HMIS
• It is anticipated that this series of trainings will be offered quarterly
• This training is anticipated to last 90 minutes
• Presenters will walk through presentation material
• Audience members are “muted” due to the high number of participants

Submitting Questions
• All follow-up questions should be submitted to the Ask the Expert function on www.hmis.info
• If you have multiple questions, we recommend compiling them into a single submission to Ask the Expert with a reference to the HMIS 101: Module 4 training

Webinar Materials & Evaluation
• Quick follow-up survey will be emailed out after the webinar
• The webinar will be recorded, and all materials will be posted to HMIS.info
• During the webinar, we’ll be asking you a few questions as well

Overview of Training Series
• HMIS 101 Modules III, IV and V:
  – Module III: In-Depth Data Standards
  – Module IV: In-Depth Security and Privacy
  – Module V: Data Quality Standard and Compliance Plans
• HMIS 201:
  – HMIS Budgeting and Staffing
  – PIT and HIC
  – Best Practice Highlights/Use of Technology

Who are You?
A. HMIS System Administrator
B. HMIS Data Entry staff/Program staff
C. CoC staff
D. Technical Assistance provider/Trainer
E. HMIS Vendor
F. Other

How would you rate your knowledge of HMIS Privacy and Security?
A. Not knowledgeable
B. Somewhat knowledgeable
C. Knowledgeable
D. Expert
HMIS Privacy and Security
• Privacy is the control over the extent, timing, and circumstances of sharing oneself (physically, behaviorally, or intellectually) with others.
• Confidentiality pertains to the treatment of information that an individual has disclosed in a relationship of trust and with the expectation that it will not be divulged to others without permission in ways that are inconsistent with the understanding of the original disclosure.
• Security is the means of ensuring that data is kept safe from corruption and that access to it is suitably controlled.
• The 2004 Technical Standards set forth expectations for privacy and security for HMIS

HMIS Privacy and Security
• Two tiers: required baseline standards and additional recommended protocols;
• Applies to all agencies and programs that record, use, or process Protected Personal Information (PPI) for an HMIS, including:
  – Continuum of Care (CoC)
  – Homeless service provider
  – HMIS host or administrator, etc.
• Employees, volunteers, affiliates, contractors, and associates are covered by the privacy standards of the agencies they deal with; and
• Privacy and security standards apply to all agencies, regardless of funding source, who use the HMIS.
Introduction to Privacy

Privacy Standards Framework
• Personal Protected Information (PPI)
  – Includes name, SSN, program entry/exit, zip code of last permanent address, system/program ID, and program type
• Allow for reasonable, responsible data disclosures
• Derived from principles of fair information practices
• Borrowed from the Health Insurance Portability and Accountability Act (HIPAA)

Privacy Requirements
• Privacy Standards:
  – Protect client personal information from unauthorized disclosure
  – Seven components:
    – Collection limitations
    – Data quality
    – Purpose and use limitations
    – Openness
    – Access and Correction
    – Accountability
Collection Limitations
• Only collect information that is appropriate for the purposes for which the information is obtained, or when required by law
• Use lawful and fair means to collect it
• When appropriate, collect data with knowledge or consent of the client
• Post sign; infer consent for collection
  – Must post a sign at the intake desk (or comparable location) that explains generally the reasons for collecting this information.

Collection Limitations – Other Stuff You Can Do
• Restrict collection of personal data, other than required HMIS data elements
• Require written client consents
• Obtain oral or written consent from the individual or a third party

Data Quality
• Data must be relevant to the purpose for which it is to be used
• To the extent necessary for those purposes, data should be accurate, complete, and timely
• Must develop and implement a plan for disposal of Personal Protected Information
Purpose and Use Limitations
• Notice must specify purposes for PPI collection and must describe all uses/disclosures
• A program may use/disclose PPI only if allowed by the standard and described in the privacy notice
• Notice may infer consent for described uses/disclosures and for compatible uses/disclosures
• All uses/disclosures are permissive (except first-party request or required by law)
• Uses/disclosures not specified in the notice need written consent of the individual or a legal requirement

Allowable Uses/Disclosures
• Provide and coordinate services
• Payment or reimbursement
• Administrative functions
• Create de-identified PPI
• Required by law
• Avert serious threat to health/safety
• Academic research (written agreement required)
• Law Enforcement

Purpose and Use Limitation – Other Stuff You Can Do
• Seek oral or written consent for use/disclosure
• Agree to client-requested restrictions on use/disclosure
• Limit use/disclosure to those in the notice and necessary (not compatible) purposes
• Keep an audit trail for disclosures
• Make audit trails available to the client, if requested
• Limit disclosures to the minimum necessary
Openness
• Be open with agencies, clients, and other parties about how you protect client information from unethical use
• You must post a sign about your Privacy policies (called a Privacy Notice), and your Privacy policies must be available to anyone who requests them – including clients and the media.
• If your agency has a web page, you must post your Privacy Notice on your web page. This is true for individual agencies as well as any web pages associated with your HMIS.

Openness – Other Stuff You Can Do
• Provide a simplified copy of your Privacy Notice to clients at the time of data collection.
  – You may need to have copies of your Privacy Notice in more than one language
• Provide advance notice of changes to your Privacy Policy and Notice, how you might enforce those changes, and ask for public comments.

Access and Correction
• Must allow the individual to inspect and have a copy of his/her PPI
• Must offer to explain PPI
• Must consider requests to correct inaccurate or incomplete PPI
• May deny access to some info
• Must explain denials

Access and Correction – Other Stuff You Can Do
• Allow appeal of denial of access or correction
• Limit grounds for denial of access
• Allow a statement of disagreement
• Provide written explanation for denial

Accountability
• Must establish a procedure for accepting and considering complaints about privacy and security policies and practices
• Must require all staff members to sign a confidentiality agreement (acknowledging receipt of and pledging to comply with the privacy notice)

Accountability – Other Stuff You Can Do
• Require formal privacy training
• Regularly audit privacy compliance
• Establish an appeals process for privacy policy complaints and denials of access and correction rights
• Designate a chief privacy officer
HMIS and HIPAA
• Health Insurance Portability and Accountability Act (HIPAA) privacy rules take precedence over HMIS Privacy Standards
• HIPAA covered entities are required to meet HIPAA baseline privacy requirements, not HMIS
• Most programs are not covered by HIPAA. To learn more go to http://www.hhs.gov/ocr/hipaa/

HMIS and Other Privacy Laws
• Programs must comply with more stringent federal, state and local confidentiality laws; and
• If a conflict exists between state law and the HMIS, an official legal opinion on the matter should be prepared by the state’s Attorney General and submitted to HUD’s General Counsel for review.
• Domestic Violence Victim Service Providers are prohibited from entering data into HMIS, and legal service providers are not to enter confidential client notes into HMIS.
HMIS Consent Models
• Inferred Consent:
  – Baseline Requirement; and
  – Client’s consent to release information is inferred from the privacy posting.
• Implied/Informed Consent:
  – Verbal or physical consent is required.
• Written Consent:
  – Client must sign a release of information (ROI).

Levels of Consent
• Consent to use data within an agency for program or agency operations.
• Consent to share additional information across programs to coordinate case management and service delivery.

Privacy Summary
• Privacy refers to the safeguarding of protected personal information in the HMIS from open view, sharing or inappropriate use
• Protected Personal Information (PPI) is any information that might identify a specific individual or that might be manipulated or linked with other information to identify a specific individual

Baseline Privacy Standards
• Must comply with other federal, state, and local confidentiality law
• Must comply with limits to data collection (relevant, appropriate, lawful, specified in privacy notice)
• Must have a written privacy policy, and post it on your web site
• Must post a sign at intake or comparable location with general reasons for collection and reference to the privacy policy
• May infer consent for uses in the posted sign and written privacy policy
How Much Do You Know?
• (T/F) Privacy policies are not meant to restrict the use and disclosure of data.
• The purpose of privacy is to protect the client’s information from:
  A. Unauthorized access
  B. Unauthorized disclosure
  C. Law Enforcement
  D. All of the Above
Introduction to Security

Defining Security
• Security refers to the protection of client personal protected information and sensitive program information from unauthorized access, use or modification.
• All workstations, desktops, laptops, and servers that connect to a network that accesses or directly accesses the HMIS must comply with the baseline security requirements.

3 P’s of Security Management
• Products: Physical security
  – Door locks
  – Intrusion-detection systems
  – Physical firewalls
• People: Personnel security
  – Those who implement and properly use security products to protect data
  – Those who collect, input, or otherwise have access to data
• Procedures: Organizational security
  – Plans and policies established to ensure that people correctly use products and access data

Security Requirements
• System security provisions apply to all the systems where Personal Protected Information (PPI) is stored, including, but not limited to, networks, desktops, laptops, mini-computers, mainframes and servers
• Security has three categories:
  – System Security
  – Software Application Security
  – Hard Copy Security
System Security Requirements
• User authentication
• Limited multiple access
• Virus protection with auto-update
• Firewalls - individual workstation or network
• Encryption - transmission
• Public access controls
• Location control
• Backup and disaster recovery
• System monitoring
• Secure disposal
User Authentication
• Every user accessing the HMIS system must have a unique username and password.
• Passwords must:
  – Include at least one number and one letter;
  – Be at least 8 characters long;
  – Not be based on user’s name, organization, or software; and
  – Not be based on common words.
• Good: [Na$car#39]
• Bad: bobclark99
• Terrible: hmis
• Passphrases:
  – Great: I1ik3C@k3 (I Like Cake)
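The four password rules above, turned into a checker that reports which rules a candidate breaks. This is an added example in Python and is not part of the HMIS training material; the user and organization names passed in, the default software name "HMIS", and the small common-word list are constructed assumptions (a real deployment would load a large breached-password list).

```python
"""Checker for the four HMIS baseline password rules (added example)."""
import re

# Constructed stand-in for a dictionary of common words.
COMMON_WORDS = {
    "password", "welcome", "letmein", "qwerty", "monkey",
    "dragon", "football", "baseball", "sunshine", "princess",
}

MIN_LENGTH = 8


def _letters_only(text: str) -> str:
    """Lower-case the text and drop everything that is not a letter, so that
    'Na$car#39' becomes 'nacar' and 'bobclark99' becomes 'bobclark'."""
    return re.sub(r"[^a-z]", "", text.lower())


def _name_tokens(*sources: str) -> set:
    """Split user / organization / software names into lower-case tokens of
    three or more letters; shorter fragments would match almost anything."""
    tokens = set()
    for source in sources:
        for token in re.findall(r"[A-Za-z]+", source):
            if len(token) >= 3:
                tokens.add(token.lower())
    return tokens


def check_password(password: str, user_name: str = "",
                   organization: str = "", software: str = "HMIS") -> list:
    """Return the list of baseline rules the password violates (empty = OK).

    Rules as stated in the training: at least one number and one letter;
    at least 8 characters; not based on the user's name, organization, or
    software; not based on common words.
    """
    violations = []
    if not (re.search(r"[0-9]", password) and re.search(r"[A-Za-z]", password)):
        violations.append("must include at least one number and one letter")
    if len(password) < MIN_LENGTH:
        violations.append(f"must be at least {MIN_LENGTH} characters long")

    stripped = _letters_only(password)
    if any(tok in stripped for tok in _name_tokens(user_name, organization, software)):
        violations.append("must not be based on user's name, organization, or software")
    if any(word in stripped for word in COMMON_WORDS):
        violations.append("must not be based on common words")
    return violations


def is_acceptable(password: str, **identity: str) -> bool:
    """True when no rule is violated."""
    return not check_password(password, **identity)


if __name__ == "__main__":
    # The slide's own examples, checked for a constructed user "Bob Clark".
    for candidate in ["Na$car#39", "bobclark99", "hmis", "I1ik3C@k3"]:
        problems = check_password(candidate, user_name="Bob Clark",
                                  organization="Example Shelter")
        print(f"{candidate!r}: {'OK' if not problems else '; '.join(problems)}")
```

Letters are compared after stripping digits and symbols, so "bobclark99" is still caught as the user's name and "hmis" is caught as the software name; the "based on" rules are substring checks, which is deliberately strict.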
User Authentication (cont.)
• All computers used to access HMIS data must require user authentication (e.g., username/passwords).
• Logging on to the HMIS computer alone is not sufficient.
• IDs and Passwords for the HMIS software should be different from the workstation ID and Password
• IDs and Passwords should not be stored or displayed in any publicly accessible location.
• HMIS IDs and Passwords must not be shared.

WHAT DID I JUST SAY??????
• Strong password
• Keep it secret

Multiple Access
• An individual user must NOT be allowed access to the HMIS from multiple workstations on the network at the same time.
• An individual user must NOT be allowed to log onto the local network from more than one location at a time.
System Level Virus Protection
• All computers accessing HMIS (including remote and VPN users) must have anti-virus software installed and updated regularly that automatically scans files.
• Old Anti-Virus Software = No Anti-Virus Software

Firewalls
[Slide image only; image found at: http://www.integration1.com.au/pages/default.cfm?page_id=21925]

Public Access
• HMIS that use public forums for data collection/reporting must have additional security to limit access using Public Key Infrastructure (PKI) or through IP filtering.
• Translation: Any Web-based HMIS accessed over the Internet needs digital certificates installed on all browsers on all computers accessing the HMIS (PKI), or an extranet to limit access based on IP address.
What is Public Key Infrastructure?
• Each user is issued a private key to encrypt messages and a public key to decode messages;
• Private key is kept secret and known only to the user;
• Public key uses a digital certificate to authenticate the identity of the user;
• Digital certificates must be issued by a recognized Certificate Authority; and
• Secure socket layer “SSL” encryption does not meet the baseline PKI requirements.

PKI: Public Key Infrastructure
• Options for implementing PKI:
  – Self-issued certificate authority - Example: Microsoft Certification Authority;
  – Third-party certificate authority - Example: Verisign or Thawte;
  – USB token; or
• Alternative to PKI: Limiting access to HMIS through IP filtering.
IP Addresses
• Everything on the internet (servers, desktops, blackberries) is assigned an internet protocol (IP) address;
• The internet uses IP addresses to move information from one place to another;
• An IP address looks like this: 10.141.215.223; and
• Firewalls block suspicious IP addresses from accessing your computer.
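IP filtering, the alternative to PKI named on the Public Access slide, comes down to an allowlist of address ranges checked against the source address of each connection. The following is an added example in Python, not from the HMIS training or any HMIS vendor; the allowed networks and the sample client addresses are constructed (the 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32 ranges are reserved for documentation), and the slide's own sample address 10.141.215.223 is placed inside the first range.

```python
"""Allowlist-based IP filtering for a web-based HMIS (added example)."""
import ipaddress

# Constructed allowlist: the networks of the participating agencies.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.141.0.0/16"),     # agency office LAN (contains 10.141.215.223)
    ipaddress.ip_network("192.0.2.0/24"),      # CoC VPN concentrator (documentation range)
    ipaddress.ip_network("2001:db8:1::/48"),   # IPv6 documentation range
]


def build_allowlist(cidrs):
    """Parse CIDR strings once at startup. strict=True rejects a network with
    host bits set, so a typo fails loudly instead of silently widening access."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_allowed(client_ip: str, networks=None) -> bool:
    """True when client_ip lies inside one of the allowed networks.

    Unparseable input is denied (fail closed). The address must be the
    connection's real source address, not a client-supplied header such as
    X-Forwarded-For, which anyone can set.
    """
    networks = ALLOWED_NETWORKS if networks is None else networks
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in networks)


def filter_requests(requests, networks=None):
    """Apply the allowlist to (client_ip, path) pairs and return a decision
    log. In production this check belongs in the firewall or reverse proxy
    in front of the HMIS, with the decisions logged for review."""
    return [(ip, path, "allow" if is_allowed(ip, networks) else "deny")
            for ip, path in requests]


if __name__ == "__main__":
    # Constructed sample requests.
    for ip, path, decision in filter_requests([("10.141.215.223", "/intake"),
                                               ("8.8.8.8", "/intake"),
                                               ("not-an-ip", "/reports")]):
        print(f"{decision:5} {ip:>18} {path}")
```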
Physical Access/Location
• Access to workstations must be controlled and monitored.
  – Options: locked offices, privacy screens, etc.
• Access to servers must be controlled to a greater degree.
  – Options: locked cabinet or cage; secure facilities.

Backup and Disaster Recovery
• All HMIS data must be regularly backed up and stored in a secure off-site location:
  – Backup your data and applications;
  – Save them to tape;
  – Test the tapes;
  – A backup tape lying next to a server won’t help if the server room catches fire!; and
  – Alternatively, consider secure network-based offsite backup solutions.

Secure Disposal
• Tapes, disks and hard drives must be properly formatted and erased before disposal.
  – At least two erasure passes (three or more is recommended).
• Free and commercial software is available to prepare old workstation hard drives, tapes, and floppies before discarding.
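The multi-pass erasure rule above, shown at file level in Python. This is an added example and not a tool named by the training; the scratch file and its sample contents are constructed. The caveat a practitioner needs: on SSDs and on journaling or copy-on-write filesystems an in-place overwrite may never reach the blocks that held the original data, so whole drives going out the door should be erased with the drive's built-in secure-erase command or a dedicated wiping tool, and the overwrite-and-verify record kept with the disposal paperwork.

```python
"""Multi-pass overwrite of a file before deletion (added example)."""
import os
import tempfile

CHUNK = 1 << 16  # 64 KiB per write


def overwrite_and_delete(path: str, passes: int = 3) -> int:
    """Overwrite `path` in place `passes` times (random data on the early
    passes, zeros on the last), fsync after each pass, then unlink it.
    Returns the number of passes performed."""
    if passes < 2:
        raise ValueError("the baseline calls for at least two erasure passes")
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for n in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                chunk = min(remaining, CHUNK)
                data = b"\x00" * chunk if n == passes - 1 else os.urandom(chunk)
                fh.write(data)
                remaining -= chunk
            os.fsync(fh.fileno())  # push this pass to the device before starting the next
    os.remove(path)
    return passes


def self_check(passes: int = 3) -> bool:
    """Create a constructed scratch file with sample record text, wipe it,
    and report whether it is gone. Exists only to exercise the routine."""
    fd, path = tempfile.mkstemp(prefix="hmis-wipe-demo-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"John Smith, SSN 000-00-0000 (constructed sample record)\n" * 200)
    done = overwrite_and_delete(path, passes)
    return done == passes and not os.path.exists(path)


if __name__ == "__main__":
    print("scratch file wiped and removed:", self_check())
```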
System Monitoring
• Most security breaches are carried out by authorized users of client record systems
• All systems, including central servers, must be monitored and “routinely” reviewed by staff
• Monitoring decisions:
  – Who monitors?;
  – What is normal and what is abnormal usage and access?;
  – How do I access the information?; and
  – What variables to monitor?

System Monitoring (cont.)
• What variables to monitor:
  – Logon success/failure;
  – Account management;
  – Policy changes;
  – Privilege use;
  – Process tracking;
  – System events; and
  – Connection attempts (IP and port).
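Two of the conditions above can be checked mechanically from logon records: the Multiple Access rule (one user holding sessions on more than one workstation at the same time) and the "logon success/failure" variable (a burst of failed logons against one account). The following is an added example in Python, not from the HMIS training or any HMIS product; the log line format, the user names and the workstation names are constructed, and the five-failures-in-five-minutes threshold is an assumption to be tuned to what is normal at your site.

```python
"""Review of constructed HMIS logon records for concurrent sessions and
bursts of failed logons (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: timestamp, event, user, workstation.
SAMPLE_LOG = """\
2010-03-01T08:58:10 LOGON_SUCCESS user=asmith host=WS-07
2010-03-01T09:02:33 LOGON_SUCCESS user=bjones host=WS-12
2010-03-01T09:05:01 LOGON_SUCCESS user=asmith host=WS-19
2010-03-01T09:06:45 LOGON_FAILURE user=clee host=WS-03
2010-03-01T09:06:52 LOGON_FAILURE user=clee host=WS-03
2010-03-01T09:07:04 LOGON_FAILURE user=clee host=WS-03
2010-03-01T09:07:15 LOGON_FAILURE user=clee host=WS-03
2010-03-01T09:07:30 LOGON_FAILURE user=clee host=WS-03
2010-03-01T09:10:00 LOGOFF user=asmith host=WS-07
2010-03-01T09:15:00 LOGON_SUCCESS user=bjones host=WS-12
"""


def parse_line(line: str):
    """Turn one log line into a dict; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        fields = dict(p.split("=", 1) for p in parts[2:])
        return {"time": datetime.fromisoformat(parts[0]), "event": parts[1],
                "user": fields["user"], "host": fields["host"]}
    except (ValueError, KeyError):
        return None


def find_concurrent_sessions(records):
    """Flag a LOGON_SUCCESS while the same user still has an open session on a
    different workstation. LOGOFF closes the session on that workstation."""
    open_hosts = defaultdict(set)   # user -> workstations with an open session
    alerts = []
    for r in records:
        if r["event"] == "LOGON_SUCCESS":
            others = open_hosts[r["user"]] - {r["host"]}
            if others:
                alerts.append((r["time"], r["user"], r["host"], sorted(others)))
            open_hosts[r["user"]].add(r["host"])
        elif r["event"] == "LOGOFF":
            open_hosts[r["user"]].discard(r["host"])
    return alerts


def find_failure_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Flag (user, workstation) pairs reaching `threshold` failed logons inside a
    sliding `window`, so a trickle across a fixed boundary is not missed."""
    failures = defaultdict(list)
    alerts = []
    for r in records:
        if r["event"] != "LOGON_FAILURE":
            continue
        times = failures[(r["user"], r["host"])]
        times.append(r["time"])
        while times and r["time"] - times[0] > window:   # drop failures outside the window
            times.pop(0)
        if len(times) == threshold:                        # fire once per burst
            alerts.append((r["time"], r["user"], r["host"], len(times)))
    return alerts


def review(log_text: str) -> dict:
    """Parse the log and run both checks; unparseable lines are skipped."""
    records = [rec for rec in (parse_line(line) for line in log_text.splitlines()) if rec]
    return {"concurrent": find_concurrent_sessions(records),
            "bursts": find_failure_bursts(records)}


if __name__ == "__main__":
    for kind, alerts in review(SAMPLE_LOG).items():
        for alert in alerts:
            print(kind, *alert)
```

A repeat logon from the same workstation (bjones on WS-12) is not an alert, since the rule is about different workstations; what counts as "abnormal" otherwise is the monitoring decision the slide leaves to the administrator.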
Software Application Security
• User Authentication
• Electronic Data Transmission
• Electronic Data Storage

User Authentication
• Like the workstation, the software used to access HMIS data should require user authentication (e.g., username/passwords).
• Logging on to the HMIS computer alone is not sufficient.
• IDs and Passwords for the HMIS software should be different from the workstation ID and Password
• IDs and Passwords should not be stored or displayed in any publicly accessible location.
• HMIS IDs and Passwords must not be shared.

Data Transmission Encryption
• Two options
  – 128-bit encryption over the wire; and
  – Secure Socket Layer (SSL): A communications protocol used to secure all sensitive data. SSL is normally described as wrapping an encrypted envelope around message transmissions over the Internet.
  – Secure direct connections.
  – Virtual Private Network (VPN)
Electronic Data Storage
• All HMIS data that are electronically transmitted over the internet must be encrypted
  – Encryption is the conversion of plain text into encrypted data (code)
  – Encryption is used to protect a client’s sensitive personal information from unauthorized viewing
  – John Smith = 7Heuvvaj94naa@Tivn(f4Rnkin^43gn

Hard Copy Security
• Applicable to any paper or other hard copy containing PPI that is generated by, or for, the HMIS
  – Intake forms
  – Consent forms
  – Reports
• Must supervise hard copies at all times when in a public area.
  – Includes intake areas
• When staff are not present, hard copies must be secured
• Must not be stored or displayed in any publicly accessible location
How Much Do You Know?
• Which is the weakest password?
  – $3cur1ty1$G00d#4U
  – Kfreeman*1
  – *7Fr8!yWzh
• (T/F) The three categories of security are system security, software application security and hard copy.
Security Best Practices

HMIS Security Best Practices
• HMIS users
  – Unique username and password
  – Signed receipt of privacy notice
• HMIS computers and networks
  – Secure location
  – Workstation username and password
  – Virus protection with automatic update
  – Locking password-protected screen saver
  – Individual or network firewall
  – Public Key Infrastructure (PKI) to prevent unauthorized access

Best Practices (cont…)
• Designate a Chief Security Officer to implement and oversee security measures
• Staff computers in public areas used to collect and store HMIS data at all times
• Enable password-protected automatic screen savers when the workstation is not in use
• Automatically log users off the system after a period of inactivity
• Require regular changing of passwords and encourage creation of strong passwords
• Use a bonded vendor to destroy HMIS data

User Training (Strongly Recommended)
• Although not a baseline requirement, all users should participate in:
  – Data and Technical Standards Training
    – Participation and Data Collection Requirements; and
    – Privacy and Security Protocols to Protect Client Data.
  – Software training
    – How to enter, edit, change, and delete data; and
    – User and computer security requirements.
  – Ethics and privacy training
    – Consent protocol and privacy protocols; and
    – How to interview clients in a sensitive manner.
• User groups are strongly encouraged to develop peer support opportunities

Key Security Points
• Applies to all machines accessing or storing HMIS data;
• All computers must have virus protection;
• All servers or computers directly accessing the internet must be protected by a firewall;
• Web-based HMIS must use PKI or IP filtering to limit public access to data;
• Physical access to computers and servers must be restricted;
• Regular back-up and storage of HMIS data; and
• Regular monitoring of HMIS at the system level.
Security Resources
• National Institute of Standards and Technology Computer and Security Resource Center: http://csrc.ncsl.nist.gov
• Carnegie Mellon/CERT: Connecting to the Internet: http://www.cert.org/tech_tips/before_you_plug_in.html
• National Institutes of Health Center for Information Technology Security Site: http://www.alw.nih.gov/Security/security.html
• CERT Implementation Tips for Servers and Networks: http://www.cert.org/tech_tips/
• Forum of Incident Response and Security Reform: http://first.org

Resources
• HUD Homeless Data Exchange (HDX): http://www.hudhdx.info/
• HMIS.info: www.hmis.info
• HUD Homelessness Resource Exchange: www.hudhre.info
How would you rate your knowledge of HMIS Privacy and Security?
A. Not knowledgeable
B. Somewhat knowledgeable
C. Knowledgeable
D. Expert

Thank you!