John,

We are a consultancy that performs HIPAA audits and compliance checks for our clients. We have clients in CA and we have examined the new regulations that apply in California. Generally, we've made a couple of recommendations in reference to your line of questioning. These are just the recommendations that we make; some clients take them and some do not! Also, I am intentionally not referencing laptops... as that is another line of discussion.

First, we take a hard line stance against anything that allows the removal of PHI from the office. As such we recommend that floppy drives, CD-Rs, ZIPs, etc. are all disabled, removed or locked. I know that is a massive political barrier to break through. However, with networked PCs there are many methods to share files without the use of removable media. Again, some organizations like the idea and others are not so fond of it. The reason we take such a hard line is that we find that managers and others tend to work at home without official approval by simply bringing documents home. At one client the staff we were working with wanted to verify this fact for upper management. So, we created a little VB program that did nothing more than create a Word doc and give it a special header and footer. To make this as simple as I can, effectively staff were told that this was a new report tool and needed to be used. The VB program actually had a splash screen that said do not use out of office. When the person launched the tool, in the background it posted to a URL that we were tracking. In less than 48 hours we had hits from the homes of employees. (There are a lot of details I am leaving out about our trial... but I'm not trying to do a case study!)

Second, approved work at home. The only circumstance under which we promote any work at home scenario is through the use of a terminal server arrangement. As I'm sure you know, that allows access to the office without the actual transmittal of files. We recommend disabling access to local PC drives to keep all data on the server. We also recommend the connection is secured by IPsec or a VPN.

And last, we use modified policies in CA companies. The procedures that we have designed for reporting a security incident contain additional steps to notify those that have been or may have been compromised. Additionally, the security audit log review process contains steps to notify those that have been or may have been compromised.
We take a pretty conservative approach to HIPAA and, in case you can't tell, we like to see most things locked down. I understand well that users don't like to get locked down, especially in cases where they have had a lot of freedom. But these recommendations are the same that we make to all companies. In California, the only thing we change is the process for reporting a security breach. If you have any questions, feel free to contact me.

Gary

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 14, 2003 10:40 AM
To: WEDI SNIP Security Workgroup List
Subject: California Disclosure Law - Best Practices & Work@Home Considerations

My organization is a healthcare insurer with several thousand national account members residing in California. California has recently passed SB1386, which requires that unauthorized disclosures of personal information belonging to California residents must be reported to the affected residents. I would be interested in hearing about best practices other organizations have put in place in response to this legislation. I am particularly interested in hearing if this legislation has impacted any organizations' Work at Home guidelines. When the employees work on-premises, the organization maintains control of the physical security of workstations.

Regards,
John M. Monaghan, CISSP, CISA
Sr. Project Manager, Security Assurance
Empire BlueCross BlueShield
212.476.2070

Background Info on California Disclosure Law:

This law, effective July 1, 2003, requires a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information (defined below) to disclose in specified ways any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
The law permits the notifications required by its provisions to be delayed if a law enforcement agency determines that it would impede a criminal investigation. The law requires an agency, person, or business that maintains computerized data that includes personal information owned by another to notify the owner or licensee of the information of any breach of security of the data, as specified.

For purposes of the law, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(1) Social security number.
(2) Driver's license number or California Identification Card number.
(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
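The definition above is the test an incident response team has to apply to each affected record before deciding whether the notification steps Gary mentions are triggered. The following is an added illustration, not code from either poster or from the WEDI list: a small Python triage helper that encodes the quoted definition (name plus at least one listed element, with the encryption condition, and the account-number-plus-code combination) and reports which elements make a record notifiable. All field labels (`first_name`, `ssn`, `access_code`, etc.) are this example's own, and the decision that an account/card combination counts as unencrypted if any part of it is in plaintext is a conservative reading chosen here, not language from the statute.

```python
# Added illustration (not from the thread): applies the SB1386 "personal
# information" definition quoted above to the fields an incident responder
# believes were acquired, and reports which elements trigger notification.
from dataclasses import dataclass, field

# Field labels are this example's own, not terms from the statute.
NAME_ELEMENTS = {"first_name", "first_initial"}          # either one, with last_name
STANDALONE_ELEMENTS = {"ssn", "drivers_license", "ca_id_card"}
FINANCIAL_IDENTIFIERS = {"account_number", "credit_card_number", "debit_card_number"}
FINANCIAL_SECRETS = {"security_code", "access_code", "password"}


@dataclass
class ExposedRecord:
    """What an unauthorized party is reasonably believed to have acquired."""
    california_resident: bool
    acquired: set                                  # all field labels in the record
    encrypted: set = field(default_factory=set)   # subset that was encrypted at rest


def _name_present(rec: ExposedRecord) -> bool:
    """First name or first initial, together with last name."""
    return "last_name" in rec.acquired and bool(NAME_ELEMENTS & rec.acquired)


def _plaintext(rec: ExposedRecord, fields: set) -> set:
    """Members of `fields` that were acquired without encryption."""
    return (fields & rec.acquired) - rec.encrypted


def triggering_elements(rec: ExposedRecord) -> list:
    """Return the data elements that make this record 'personal information'.

    The definition needs name + at least one listed element, and applies when
    *either* the name or the element is unencrypted. An account or card number
    only counts together with a code or password that would permit access.
    """
    if not rec.california_resident or not _name_present(rec):
        return []
    name_plain = bool(_plaintext(rec, NAME_ELEMENTS | {"last_name"}))
    hits = []
    for elem in sorted(STANDALONE_ELEMENTS & rec.acquired):
        if name_plain or elem not in rec.encrypted:
            hits.append(elem)
    ids = FINANCIAL_IDENTIFIERS & rec.acquired
    secrets = FINANCIAL_SECRETS & rec.acquired
    if ids and secrets:
        # Conservative reading (this example's choice): the combination counts
        # as unencrypted if any part of it was acquired in plaintext.
        combo_plain = bool(_plaintext(rec, ids | secrets))
        if name_plain or combo_plain:
            hits.extend(sorted(ids))
    return hits


def notification_required(rec: ExposedRecord) -> bool:
    """True when the affected resident must be notified under the definition."""
    return bool(triggering_elements(rec))


if __name__ == "__main__":
    # Constructed sample: a plaintext export of member records taken off-site.
    sample = ExposedRecord(True, {"first_name", "last_name", "ssn", "account_number"})
    print(notification_required(sample), triggering_elements(sample))
```

The helper deliberately returns the triggering elements rather than a bare boolean so the result can be recorded in the incident report; the same function also shows why an account number without its access code, or a fully encrypted record, does not by itself meet the quoted definition.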