Re: Ticket data content issues (Healthcare Industry)
Thank you all for your input. This is a good set of information to provide to the CSO. Thanks, Shane Buchholz Systems Analyst II - Remedy I.S. Business Operations Samaritan Health Services From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Logan, Kelly Sent: Tuesday, July 26, 2011 11:48 AM To: arslist@ARSLIST.ORG Subject: Re: Ticket data content issues (Healthcare Industry) ** Lee is right, a disclaimer to inform users will help protect the company from responsibility for user actions. I would recommend as well: 1. Disallow guest logins 2. Change the Demo user default password. 3. Use multi-tenancy to segregate data (if you have users without HIPAA clearance). 4. Set business policy to only put HIPAA-sensitive data certain fields (for example, only in Work Info, and default to internal, you could also add a HIPAA type of Work Info entry). 5. Consider any reporting to be sure those fields are not exposed. 6. Consider using Remedy Encryption to encrypt communications to and from the server. I'm sure there's more, but I have to run to a meeting. :^) Kelly Logan, Sr. Systems Administrator (Remedy), GMS ProQuest | 789 E. Eisenhower Parkway, P.O. Box 1346 | Ann Arbor MI 48106-1346 USA | 734.997.4777 kelly.lo...@proquest.commailto:kelly.lo...@proquest.com www.proquest.com ProQuest...Start here. 2010 InformationWeek 500 Top Innovator P Please consider the environment before printing this email. This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender, and delete the message from your computer. From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Lee Cullom Sent: Saturday, July 23, 2011 2:02 PM To: arslist@ARSLIST.ORG Subject: Re: Ticket data content issues (Healthcare Industry) ** Shane, Someone from HCA should be on this list who could answer in greater detail, but... at one time, they had customized Remedy to include some legalese that was presented to the Remedy user upon logging in related to Patient sensitive information. In addition, I believe there were certain categorizations that would trigger an additional audit record, because those categorizations were related to Patient Sensitive information. Finally, in asset management, there were fines associated with patient sensitive information being left on an asset on disposal, so there was workflow that would remind the user of that during the disposal process. There may be more... and I may have forgotten a few things here and there. But that was the gist of them I believe... Lee Lee Cullom | Northcraft Analytics IT Metrics Specialist | Business Intelligence for ITSM 678-438-7244 | lee.cul...@northcraftanalytics.commailto:lee.cul...@northcraftanalytics.com [cid:image001.jpg@01CC50FB.787B1F50]http://www.linkedin.com/in/leecullom[cid:image002.jpg@01CC50FB.787B1F50]http://twitter.com/#!/NorthcraftIT http://www.northcraftanalytics.comhttp://www.northcraftanalytics.com/ Click on View Demo to see the product in action From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Shane Buchholz Sent: Friday, July 22, 2011 12:09 PM To: arslist@ARSLIST.ORG Subject: Ticket data content issues (Healthcare Industry) ** I have had a request from our security officer to find out if there are any specific security concerns we should be aware of in relation to processing Incident tickets in a healthcare environment. I think he is specifically looking at the Summary, Notes and Work Info data that could be entered by the Service Desk or any of the Technicians/Analysts. If anyone from the healthcare industry has some insight they could share I would appreciate it. I apologize for not being able to be detailed in the request, but this was presented to me as a hypothetical so I don't have much to go on. ARS 7.5 ITSM 7.6 Windows Server 2008 (64-bit) SQL 2005 Thanks, Shane Buchholz Systems Analyst II - Remedy I.S. Business Operations Samaritan Health Services Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. _attend WWRUG11 www.wwrug.comhttp://www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG11 www.wwrug.comhttp://www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG11 www.wwrug.com ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist
Re: Ticket data content issues (Healthcare Industry)
Lee is right, a disclaimer to inform users will help protect the company from responsibility for user actions. I would recommend as well: 1. Disallow guest logins 2. Change the Demo user default password. 3. Use multi-tenancy to segregate data (if you have users without HIPAA clearance). 4. Set business policy to only put HIPAA-sensitive data certain fields (for example, only in Work Info, and default to internal, you could also add a HIPAA type of Work Info entry). 5. Consider any reporting to be sure those fields are not exposed. 6. Consider using Remedy Encryption to encrypt communications to and from the server. I'm sure there's more, but I have to run to a meeting. :^) Kelly Logan, Sr. Systems Administrator (Remedy), GMS ProQuest | 789 E. Eisenhower Parkway, P.O. Box 1346 | Ann Arbor MI 48106-1346 USA | 734.997.4777 kelly.lo...@proquest.commailto:kelly.lo...@proquest.com www.proquest.com ProQuest...Start here. 2010 InformationWeek 500 Top Innovator P Please consider the environment before printing this email. This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender, and delete the message from your computer. From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Lee Cullom Sent: Saturday, July 23, 2011 2:02 PM To: arslist@ARSLIST.ORG Subject: Re: Ticket data content issues (Healthcare Industry) ** Shane, Someone from HCA should be on this list who could answer in greater detail, but... at one time, they had customized Remedy to include some legalese that was presented to the Remedy user upon logging in related to Patient sensitive information. In addition, I believe there were certain categorizations that would trigger an additional audit record, because those categorizations were related to Patient Sensitive information. Finally, in asset management, there were fines associated with patient sensitive information being left on an asset on disposal, so there was workflow that would remind the user of that during the disposal process. There may be more... and I may have forgotten a few things here and there. But that was the gist of them I believe... Lee Lee Cullom | Northcraft Analytics IT Metrics Specialist | Business Intelligence for ITSM 678-438-7244 | lee.cul...@northcraftanalytics.commailto:lee.cul...@northcraftanalytics.com [cid:image001.jpg@01CC4BA1.A5ADCB30]http://www.linkedin.com/in/leecullom[cid:image002.jpg@01CC4BA1.A5ADCB30]http://twitter.com/#!/NorthcraftIT http://www.northcraftanalytics.comhttp://www.northcraftanalytics.com/ Click on View Demo to see the product in action From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Shane Buchholz Sent: Friday, July 22, 2011 12:09 PM To: arslist@ARSLIST.ORG Subject: Ticket data content issues (Healthcare Industry) ** I have had a request from our security officer to find out if there are any specific security concerns we should be aware of in relation to processing Incident tickets in a healthcare environment. I think he is specifically looking at the Summary, Notes and Work Info data that could be entered by the Service Desk or any of the Technicians/Analysts. If anyone from the healthcare industry has some insight they could share I would appreciate it. I apologize for not being able to be detailed in the request, but this was presented to me as a hypothetical so I don't have much to go on. ARS 7.5 ITSM 7.6 Windows Server 2008 (64-bit) SQL 2005 Thanks, Shane Buchholz Systems Analyst II - Remedy I.S. Business Operations Samaritan Health Services Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. _attend WWRUG11 www.wwrug.comhttp://www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG11 www.wwrug.comhttp://www.wwrug.com ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug11 www.wwrug.com ARSList: Where the Answers Are inline: image001.jpginline: image002.jpg
Re: Ticket data content issues (Healthcare Industry)
Shane, Someone from HCA should be on this list who could answer in greater detail, but... at one time, they had customized Remedy to include some legalese that was presented to the Remedy user upon logging in related to Patient sensitive information. In addition, I believe there were certain categorizations that would trigger an additional audit record, because those categorizations were related to Patient Sensitive information. Finally, in asset management, there were fines associated with patient sensitive information being left on an asset on disposal, so there was workflow that would remind the user of that during the disposal process. There may be more... and I may have forgotten a few things here and there. But that was the gist of them I believe... Lee Lee Cullom | Northcraft Analytics IT Metrics Specialist | Business Intelligence for ITSM 678-438-7244 | lee.cul...@northcraftanalytics.com [Description: Description: http://t0.gstatic.com/images?q=tbn:ANd9GcSo4qhIq-bDh4Z1UzKXet0tiAZqqejjd1BT8lVOHdrzZQwqeZun]http://www.linkedin.com/in/leecullom[Description: Description: http://t0.gstatic.com/images?q=tbn:ANd9GcSWE5AoudybparNXkh21Br8ZWGNBqdra5ylZ63igCoZ36o5b5iFEA]http://twitter.com/#!/NorthcraftIT http://www.northcraftanalytics.comhttp://www.northcraftanalytics.com/ Click on View Demo to see the product in action From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Shane Buchholz Sent: Friday, July 22, 2011 12:09 PM To: arslist@ARSLIST.ORG Subject: Ticket data content issues (Healthcare Industry) ** I have had a request from our security officer to find out if there are any specific security concerns we should be aware of in relation to processing Incident tickets in a healthcare environment. I think he is specifically looking at the Summary, Notes and Work Info data that could be entered by the Service Desk or any of the Technicians/Analysts. If anyone from the healthcare industry has some insight they could share I would appreciate it. I apologize for not being able to be detailed in the request, but this was presented to me as a hypothetical so I don't have much to go on. ARS 7.5 ITSM 7.6 Windows Server 2008 (64-bit) SQL 2005 Thanks, Shane Buchholz Systems Analyst II - Remedy I.S. Business Operations Samaritan Health Services Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. _attend WWRUG11 www.wwrug.comhttp://www.wwrug.com ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug11 www.wwrug.com ARSList: Where the Answers Are inline: image001.jpginline: image002.jpg
Ticket data content issues (Healthcare Industry)
I have had a request from our security officer to find out if there are any specific security concerns we should be aware of in relation to processing Incident tickets in a healthcare environment. I think he is specifically looking at the Summary, Notes and Work Info data that could be entered by the Service Desk or any of the Technicians/Analysts. If anyone from the healthcare industry has some insight they could share I would appreciate it. I apologize for not being able to be detailed in the request, but this was presented to me as a hypothetical so I don't have much to go on. ARS 7.5 ITSM 7.6 Windows Server 2008 (64-bit) SQL 2005 Thanks, Shane Buchholz Systems Analyst II - Remedy I.S. Business Operations Samaritan Health Services Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug11 www.wwrug.com ARSList: Where the Answers Are
Re: Ticket data content issues (Healthcare Industry)
The concerns as I understand them are around privacy and tracking who can and has accessed private patient information. Some companies get past that by logging each time a record is viewed and certain fields have been modified. Others create separate fields for sensitive information, and password protect the fields. Lots of ways to skin that cat. Rick On Jul 22, 2011 9:09 AM, Shane Buchholz sha...@samhealth.org wrote: I have had a request from our security officer to find out if there are any specific security concerns we should be aware of in relation to processing Incident tickets in a healthcare environment. I think he is specifically looking at the Summary, Notes and Work Info data that could be entered by the Service Desk or any of the Technicians/Analysts. If anyone from the healthcare industry has some insight they could share I would appreciate it. I apologize for not being able to be detailed in the request, but this was presented to me as a hypothetical so I don't have much to go on. ARS 7.5 ITSM 7.6 Windows Server 2008 (64-bit) SQL 2005 Thanks, Shane Buchholz Systems Analyst II - Remedy I.S. Business Operations Samaritan Health Services Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug11 www.wwrug.com ARSList: Where the Answers Are ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug11 www.wwrug.com ARSList: Where the Answers Are
Re: Ticket data content issues (Healthcare Industry)
Shane, HIPAA is a concern in Healthcare institutions so you need to make sure that either the techs aren't entering in any patient related data into the open text fields or that the tickets are viewable only by authorized individuals. Ben Cantatore Remedy Manager (914) 457-6209 Emerging Health IT 3 Odell Plaza Yonkers, New York 10701 sha...@samhealth.org 07/22/11 12:08 PM ** I have had a request from our security officer to find out if there are any specific security concerns we should be aware of in relation to processing Incident tickets in a healthcare environment. I think he is specifically looking at the Summary, Notes and Work Info data that could be entered by the Service Desk or any of the Technicians/Analysts. If anyone from the healthcare industry has some insight they could share I would appreciate it. I apologize for not being able to be detailed in the request, but this was presented to me as a hypothetical so I don't have much to go on. ARS 7.5ITSM 7.6Windows Server 2008 (64-bit)SQL 2005 Thanks, Shane BuchholzSystems Analyst II - RemedyI.S. Business OperationsSamaritan Health Services Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. _attend WWRUG11 www.wwrug.com ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug11 www.wwrug.com ARSList: Where the Answers Are
