John,

        We are a consultancy that performs HIPAA audits and compliance
checks for our clients.  We have clients in CA and we have examined the
new regulations that apply in California.  Generally, we've made a
couple of recommendations in reference to your line of questioning.
These are just the recommendations that we make; some clients take them
and some do not!  Also, I am intentionally not referencing laptops, as
that is another line of discussion.

First, we take a hard line stance against anything that allows the
removal of PHI from the office.  As such we recommend that floppy
drives, CD-Rs, ZIPs, etc. are all disabled, removed or locked.  I know
that is a massive political barrier to break through.  However with
networked PCs, there are many methods to share files without the use of
removable media.  Again, some organizations like the idea and others are
not so fond of it.

The reason we take such a hard line is that we find that managers and
others tend to work at home without official approval by simply bringing
documents home.  At one client the staff we were working with wanted to
verify this fact for upper management.  So, we created a little VB
program that did nothing more than create a Word doc and give it a
special header and footer.  To make this as simple as I can, effectively
staff were told that this was a new report tool and needed to be used.
The VB program actually had a splash screen that said "do not use out of
office."  When the person launched the tool, in the background it posted
to a URL that we were tracking.  In less than 48 hours we had hits from
the homes of employees.  (There are a lot of details I am leaving out
about our trial...but I'm not trying to do a case study!)

Second, approved work at home - The only circumstance under which we
promote any work at home scenario is through the use of a terminal
server arrangement.  As I'm sure you know that allows access to the
office without the actual transmittal of files.  We recommend disabling
access to local PC drives to keep all data on the server.  We also
recommend that the connection be secured by IPsec or a VPN.

And last, we use modified policies in CA companies.  The procedures that
we have designed for reporting a security incident contain additional
steps to notify those that have been or may have been compromised.
Additionally, the security audit log review process contains steps to
notify those that have been or may have been compromised.

We take a pretty conservative approach to HIPAA and in case you can't
tell, we like to see most things locked down.  I understand well that
users don't like to get locked down, especially in cases where they have
had a lot of freedom.  But these recommendations are the same that we
make to all companies.  In California, the only thing we change is the
process for reporting a security breach.

If you have any questions, feel free to contact me.

Gary
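The beacon trial Gary describes above has a server side as well: the tracked URL leaves a web log, and the question "who launched the tool from outside the office?" is a log-review exercise. The following is an added example, not code from Gary's consultancy or from the list; it reads constructed Apache-style access-log lines, keeps only hits on an assumed beacon path (/rpt/launch, with the user name passed as ?u=), and reports every hit whose source address is outside assumed office address ranges. The office networks, the beacon path, the user names and the log lines are all invented for the example.

```python
"""Classify beacon hits by source network (added example, not the post's own code).

Reads Apache "combined" access-log lines, keeps only requests for the beacon
path, and flags those whose client IP is outside the office networks.
The networks, path and sample lines below are assumptions made for the example.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed office address space: the internal LAN and the office's NAT egress block.
OFFICE_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("198.51.100.0/24"),  # stands in for the office's public egress
]

# Assumed path the report tool requests on launch; user name is passed as ?u=<name>.
BEACON_PATH = "/rpt/launch"

# Apache combined format: ip - user [time] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real data). 203.0.113.x and 192.0.2.x are
# documentation ranges used here to represent home connections.
SAMPLE_LOG = """\
10.20.4.17 - - [15/Aug/2003:09:02:11 -0500] "GET /rpt/launch?u=jsmith HTTP/1.1" 200 12 "-" "RptTool/1.0"
198.51.100.8 - - [15/Aug/2003:09:05:40 -0500] "GET /rpt/launch?u=mlee HTTP/1.1" 200 12 "-" "RptTool/1.0"
203.0.113.45 - - [15/Aug/2003:21:17:03 -0500] "GET /rpt/launch?u=jsmith HTTP/1.1" 200 12 "-" "RptTool/1.0"
203.0.113.45 - - [15/Aug/2003:22:40:55 -0500] "GET /rpt/launch?u=jsmith HTTP/1.1" 200 12 "-" "RptTool/1.0"
192.0.2.77 - - [16/Aug/2003:07:31:19 -0500] "GET /rpt/launch?u=rgarcia HTTP/1.1" 200 12 "-" "RptTool/1.0"
10.20.9.3 - - [16/Aug/2003:08:00:02 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
garbage line that does not parse
"""


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_office_ip(ip_text):
    """True if the address falls inside any configured office network; malformed input is not office."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in OFFICE_NETWORKS)


def beacon_user(path):
    """Pull the user name out of the beacon query string (assumed ?u=<name>)."""
    m = re.search(r"[?&]u=([^&]+)", path)
    return m.group(1) if m else "unknown"


def off_premises_hits(log_text):
    """Return {user: [(ip, time), ...]} for beacon hits that came from outside the office.

    Requests for other paths and unparseable lines are skipped; on-premises
    launches are silently accepted.
    """
    report = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(BEACON_PATH):
            continue
        if is_office_ip(rec["ip"]):
            continue
        report[beacon_user(rec["path"])].append((rec["ip"], rec["time"]))
    return dict(report)


if __name__ == "__main__":
    for user, hits in sorted(off_premises_hits(SAMPLE_LOG).items()):
        print(f"{user}: {len(hits)} off-premises launch(es)")
        for ip, when in hits:
            print(f"    {ip} at {when}")
```

Two caveats when using this for real. If the office reaches the web server through a NAT or proxy, every on-premises launch arrives from the same egress address, so that block must be in OFFICE_NETWORKS or every desk will look like a home. Conversely, a user on an approved VPN or terminal-server session will appear to come from inside the office, so this check only finds the unapproved "take the documents home" case the post is concerned with, not approved remote work.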





-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]

Sent: Thursday, August 14, 2003 10:40 AM
To: WEDI SNIP Security Workgroup List
Subject: California Disclosure Law - Best Practices & Work@Home Considerations


My organization is a healthcare insurer with several thousand national
account members residing in California. California has recently passed
SB1386 which requires that unauthorized disclosures of personal
information belonging to California residents must be reported to the
affected residents.

   I would be interested in hearing about best practices other
   organizations have put in place in response to this legislation.

   I am particularly interested in hearing if this legislation has
   impacted any organizations' Work at Home guidelines. When the employees
   work on-premises, the organization maintains control of the physical
   security of workstations.

   Regards,
   John M. Monaghan, CISSP, CISA
   Sr. Project Manager, Security Assurance
   Empire BlueCross BlueShield
   212.476.2070


   Background Info on California Disclosure Law:

   This law, effective July 1, 2003, requires a state agency, or a person
   or business that conducts business in California, that owns or licenses
   computerized data that includes personal information (defined below) to
   disclose in specified ways, any breach of the security of the data, as
   defined, to any resident of California whose unencrypted personal
   information was, or is reasonably believed to have been, acquired by an
   unauthorized person.  The law permits the notifications required by its
   provisions to be delayed if a law enforcement agency determines that it
   would impede a criminal investigation.  The law requires an agency,
   person, or business that maintains computerized data that includes
   personal information owned by another to notify the owner or licensee
   of the information of any breach of security of the data, as specified.

   For purposes of the law, "personal information" means an individual's
   first name or first initial and last name in combination with any one
   or more of the following data elements, when either the name or the
   data elements are not encrypted:
      (1) Social security number.
      (2) Driver's license number or California Identification Card number.
      (3) Account number, credit or debit card number, in combination with
          any required security code, access code, or password that would
          permit access to an individual's financial account.



"WellChoice, Inc." made the following annotations on 08/14/2003 11:42:34 AM
------------------------------------------------------------------------------
Attention!  This electronic message contains information that may be
legally confidential and/or privileged.  The information is intended
solely for the individual or entity named above and access by anyone
else is unauthorized. If you are not the intended recipient, any
disclosure, copying, distribution, or use of the contents of this
information is prohibited and may be unlawful. If you have received this
electronic transmission in error, please reply immediately to the sender
that you have received the message in error, and delete it.
Release/Disclosure Statement


---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the
individual participants, and do not necessarily represent the views of
the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an
official opinion, post your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used for
commercial marketing purposes or discussion of specific vendor products
and services.  They also are not intended to be used as a forum for
personal disagreements or unprofessional communication at any time.


You are currently subscribed to wedi-security as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org