Thank you all for your input. This is a good set of information to provide to the CSO.
Thanks,
Shane Buchholz
Systems Analyst II - Remedy
I.S. Business Operations
Samaritan Health Services

From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Logan, Kelly
Sent: Tuesday, July 26, 2011 11:48 AM
To: arslist@ARSLIST.ORG
Subject: Re: Ticket data content issues (Healthcare Industry)

Lee is right, a disclaimer to inform users will help protect the company from responsibility for user actions. I would recommend as well:

1. Disallow guest logins.
2. Change the Demo user default password.
3. Use multi-tenancy to segregate data (if you have users without HIPAA clearance).
4. Set business policy to only put HIPAA-sensitive data in certain fields (for example, only in Work Info, and default to internal; you could also add a HIPAA type of Work Info entry).
5. Consider any reporting to be sure those fields are not exposed.
6. Consider using Remedy Encryption to encrypt communications to and from the server.

I'm sure there's more, but I have to run to a meeting. :^)

Kelly Logan, Sr. Systems Administrator (Remedy), GMS
ProQuest

From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Lee Cullom
Sent: Saturday, July 23, 2011 2:02 PM
To: arslist@ARSLIST.ORG
Subject: Re: Ticket data content issues (Healthcare Industry)

Shane,

Someone from HCA should be on this list who could answer in greater detail, but...
at one time, they had customized Remedy to include some legalese that was presented to the Remedy user upon logging in related to Patient sensitive information.

In addition, I believe there were certain categorizations that would trigger an additional audit record, because those categorizations were related to Patient Sensitive information.

Finally, in asset management, there were fines associated with patient sensitive information being left on an asset on disposal, so there was workflow that would remind the user of that during the disposal process.

There may be more... and I may have forgotten a few things here and there. But that was the gist of them I believe...

Lee

Lee Cullom | Northcraft Analytics
IT Metrics Specialist | Business Intelligence for ITSM

From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Shane Buchholz
Sent: Friday, July 22, 2011 12:09 PM
To: arslist@ARSLIST.ORG
Subject: Ticket data content issues (Healthcare Industry)

I have had a request from our security officer to find out if there are any specific security concerns we should be aware of in relation to processing Incident tickets in a healthcare environment. I think he is specifically looking at the Summary, Notes and Work Info data that could be entered by the Service Desk or any of the Technicians/Analysts.

If anyone from the healthcare industry has some insight they could share I would appreciate it. I apologize for not being able to be detailed in the request, but this was presented to me as a hypothetical so I don't have much to go on.

ARS 7.5
ITSM 7.6
Windows Server 2008 (64-bit)
SQL 2005

Thanks,
Shane Buchholz
Systems Analyst II - Remedy
I.S. Business Operations
Samaritan Health Services

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
attend wwrug11 www.wwrug.com ARSList: "Where the Answers Are"