The Network of Christian Counselors, 13 February 2017
Copyright © 2017. Harry Morgan. All Rights Reserved. Permission granted to reproduce with attribution & citation of www.http://networkofchristiancounselors.com/
On August 30, 2016 the Office of Civil Rights ("OCR", HIPAA) announced that their regional offices will start actively investigating small security breaches.
Part III
They seem especially interested in situations where breaches happen because cloud services got hacked, or because equipment got lost or stolen.

January 2013 Final Rule for HIPAA and HITECH
• Introduced "breach notification" to HIPAA, which means that when a security "breach" happens, such as a laptop with health records on it being stolen or lost, the affected clients need to be notified, as does the federal government.
• Any cloud service provider who "maintains" your information, even if they "don't look at it", must be a Business Associate.
• As "cloud"-based paperless offices have become more popular, several services that use this encrypt-before-you-send scheme have popped up, including Carbonite's self-managed key service, Swiss Disk, and Sookasa.
DATA SECURITY BREACH NOTIFICATION LAWS
As of September 1, 2016, 47 states and all US territories have their own breach notification rules. (Mintz Levin, 2016)
https://www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf

The 2016 Florida Statutes, 501.171 Security of confidential personal information
If a "security breach" occurs:
• The Department of Legal Affairs must be contacted within 30 days
• Each individual must be contacted within 30 days
What is . . .
• Privacy? Client choices about information
• Confidentiality? Duty to uphold privacy choices
• Security? Logistics of confidentiality
What is . . .
According to guidelines put out by the National Institute of Standards and Technology (NIST), a "risk" is defined by:
A Vulnerability + A Threat
Risk 1: Email service (your resource). "Emails are sent across the Internet without anything to hide their contents from prying eyes" (vulnerability) + Hacking (threat) = Risk
Risk 2: Laptop computer (your resource). "Laptop computer with confidential information gets carried out of the office regularly" (vulnerability) + Theft (threat) = Risk
We can reduce risks by using security measures. HIPAA defines three kinds of security measures:
1. Technical measures: Using software and hardware to reduce security risks. This means using passwords, encrypting information, etc.
2. Physical measures: Putting things into place that restrict physical access to information. This means putting locks on doors and cabinets, storing computers in locked rooms, etc.
3. Administrative measures: Creating policies and procedures that reduce security risks. This means making a policy for when and how you and clients exchange text messages, making a procedure that lays out how often you back up your computer, etc.
⇒ Never underestimate the power and necessity of administrative security measures.
Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
45 CFR §164.308(a)(1)(ii)(A)
Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).
45 CFR §164.308(a)(1)(ii)(B) (emphasis mine)
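As an added worked example (not from the presentation), here is the "vulnerability + threat" formula, the three kinds of security measures, and the required risk analysis turned into a small risk register in Python: each entry pairs a resource's vulnerability with a threat, carries a likelihood and impact rating, and records the technical, physical or administrative safeguards applied, so the residual score shows whether the risk has been reduced to a "reasonable and appropriate level". The two resources come from the slides; the 1 to 5 rating scale, the safeguards and how much each one lowers a rating are assumptions made for illustration.

```python
"""Risk register in the slides' terms: Resource + Vulnerability + Threat = Risk.

Added example, not from the presentation. Ratings, safeguards and their
effects are constructed for illustration.
"""
from dataclasses import dataclass, field

# HIPAA's three kinds of security measures, as listed on the slide
SAFEGUARD_KINDS = ("technical", "physical", "administrative")


@dataclass
class Safeguard:
    kind: str                  # one of SAFEGUARD_KINDS
    description: str
    likelihood_delta: int = 0  # how many points the measure lowers likelihood (assumed)
    impact_delta: int = 0      # how many points the measure lowers impact (assumed)

    def __post_init__(self):
        if self.kind not in SAFEGUARD_KINDS:
            raise ValueError(f"unknown safeguard kind: {self.kind!r}")


@dataclass
class Risk:
    resource: str
    vulnerability: str
    threat: str
    likelihood: int            # 1 (rare) .. 5 (expected), assumed scale
    impact: int                # 1 (minor) .. 5 (severe), assumed scale
    safeguards: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk before any security measure is applied."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Risk after the recorded safeguards; neither factor drops below 1."""
        likelihood = max(1, self.likelihood - sum(s.likelihood_delta for s in self.safeguards))
        impact = max(1, self.impact - sum(s.impact_delta for s in self.safeguards))
        return likelihood * impact


def prioritize(register):
    """Highest residual risk first: the order to work the list in."""
    return sorted(register, key=lambda r: r.residual_score(), reverse=True)


def above_threshold(register, acceptable=4):
    """Risks still above the level the practice has decided is acceptable."""
    return [r for r in register if r.residual_score() > acceptable]


def kinds_used(risk):
    """Which of the three kinds of measures address this risk (a gap check)."""
    return {s.kind for s in risk.safeguards}


def build_register():
    """The two risks from the slides, with constructed ratings and safeguards."""
    email = Risk("Email service",
                 "Emails are sent across the Internet without anything to hide their contents",
                 "Hacking", likelihood=4, impact=5)
    laptop = Risk("Laptop computer",
                  "Laptop with confidential information gets carried out of the office regularly",
                  "Theft", likelihood=3, impact=5)
    # Whole-disk encryption makes a stolen laptop's data unreadable (lowers impact);
    # a handling policy makes theft less likely (lowers likelihood).
    laptop.safeguards.append(Safeguard("technical", "Whole-disk encryption (BitLocker/FileVault)", impact_delta=4))
    laptop.safeguards.append(Safeguard("administrative", "Policy: laptop is never left in a car or unattended", likelihood_delta=1))
    return [email, laptop]


if __name__ == "__main__":
    for risk in prioritize(build_register()):
        print(f"{risk.resource:16} inherent={risk.inherent_score():2} residual={risk.residual_score():2} "
              f"measures={sorted(kinds_used(risk)) or ['none']}")
```

The email risk stays at the top of the list because nothing has been recorded against it, which is exactly the kind of gap a written risk analysis is meant to surface; `kinds_used()` makes it easy to see when a risk is covered by only one kind of measure.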
Email addresses can be used to identify people very easily, and email addresses are on the list of 18 identifiers that HIPAA defines as without-a-doubt personally identifying. Personally identifying information combined with health information makes what HIPAA calls "protected health information." Ethically, we would consider it "confidential information."
The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.
1. "I look good"
2. "I like cats"
3. "A lite card"
4. I have no idea what it says
https://personcenteredtech.com
How about if I show you this code key?
01=M 02=N 03=O 04=P 05=Q 06=R 07=S
08=T 09=U 10=V 11=W 12=X 13=Y 14=Z
15=A 16=B 17=C 18=D 19=E 20=F 21=G
22=H 23=I 24=J 25=K 26=L
If we use the code key, we can see that the secret message is "I like cats."
https://personcenteredtech.com
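The code key above, as an added example that is not part of the presentation, implemented in Python so the encoding and decoding can be checked, with a small test that shows the key is a fixed 12-letter rotation of the alphabet. That is why a key like this works as a classroom illustration of "you need the key to read it" but is nothing like the encryption FileVault or BitLocker apply. The encoded form of "I like cats" is derived from the key; the function names are my own.

```python
"""The slide's code key (01=M ... 26=L) as a substitution table.

Added example, not from the presentation. The encoded message is derived
from the key; function names are my own.
"""
import string

LETTERS = string.ascii_uppercase

# Build the key exactly as printed on the slide: 01=M, 02=N, ..., 14=Z, 15=A, ..., 26=L
CODE_KEY = {f"{n:02d}": LETTERS[(n - 1 + 12) % 26] for n in range(1, 27)}
REVERSE_KEY = {letter: code for code, letter in CODE_KEY.items()}


def encode(message):
    """Replace every letter with its two-digit code; '/' separates words."""
    words = []
    for word in message.upper().split():
        codes = [REVERSE_KEY[ch] for ch in word if ch in REVERSE_KEY]  # punctuation is dropped
        words.append(" ".join(codes))
    return " / ".join(words)


def decode(ciphertext):
    """Look each two-digit code up in the key and rebuild the words."""
    words = []
    for word in ciphertext.split("/"):
        words.append("".join(CODE_KEY[code] for code in word.split()))
    return " ".join(words)


def shift_of(key):
    """If every code is the same fixed distance from its letter, return that shift.

    A constant shift means the 'key' is just a rotated alphabet (a Caesar
    cipher): one known pairing gives away all 26, so there is no real secret.
    """
    shifts = {(LETTERS.index(letter) - (int(code) - 1)) % 26 for code, letter in key.items()}
    return shifts.pop() if len(shifts) == 1 else None


if __name__ == "__main__":
    secret = encode("I like cats")
    print(secret)           # 23 / 26 23 25 19 / 17 15 08 07
    print(decode(secret))   # I LIKE CATS
    print("alphabet shift:", shift_of(CODE_KEY))   # 12
```

`shift_of()` returning a single number is the tell: modern encryption keys are long random values, not a rule a reader can reconstruct from one letter pair.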
ENCRYPTION
Mac – FileVault 2
Windows – BitLocker
iPhone – set a strong passcode
HIGHLY RECOMMENDED for on-line training: Roy Huggins, LPC NCC
https://personcenteredtech.com/courses/investigation-repellent-self-study/
• Encrypt your computer, phone, or tablet
• Encrypt external stuff like USB thumb drives and external hard drives
• Set stronger passwords on your phones and tablets
• Activate the antivirus on your device
• Activate the firewall on your device
• Know when a WiFi network is safe and when it isn't
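An added example for the first checklist item (not from the presentation, and not a Person Centered Tech tool): a Python script that asks the operating system whether whole-disk encryption is actually on, using `fdesetup status` on a Mac (FileVault) and `manage-bde -status` on Windows (BitLocker), and parses the answer so the check can be repeated for every laptop in a practice. The sample outputs embedded in the script are constructed to match those tools' layouts; `run_check()` is the only function that calls the real tools and needs the matching OS (on Windows, an administrator prompt).

```python
"""Ask the OS whether whole-disk encryption is on (FileVault 2 / BitLocker).

Added example, not from the presentation. The sample outputs are constructed
to match the layout of `fdesetup status` (macOS) and `manage-bde -status`
(Windows); run_check() is the only part that needs a real machine.
"""
import platform
import re
import subprocess

# Constructed sample outputs in each tool's layout
FILEVAULT_ON = "FileVault is On.\n"
FILEVAULT_OFF = "FileVault is Off.\n"
BITLOCKER_ON = """\
BitLocker Drive Encryption: Configuration Tool

Volume C: [Windows]
[OS Volume]

    Size:                 237.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
"""

_STATUS_LINE = re.compile(r"^\s*(Conversion Status|Protection Status):\s*(.+?)\s*$", re.M)


def filevault_enabled(output: str) -> bool:
    """`fdesetup status` prints 'FileVault is On.' or 'FileVault is Off.'"""
    return "FileVault is On" in output


def bitlocker_enabled(output: str) -> bool:
    """Encrypted *and* protected: a suspended volume still reads 'Fully Encrypted'
    but reports 'Protection Off', so both lines have to be checked."""
    status = dict(_STATUS_LINE.findall(output))
    return (status.get("Conversion Status") == "Fully Encrypted"
            and status.get("Protection Status") == "Protection On")


def run_check(volume="C:") -> bool:
    """Run the real tool for this OS and return True if the system disk is protected."""
    system = platform.system()
    if system == "Darwin":
        out = subprocess.run(["fdesetup", "status"], capture_output=True, text=True).stdout
        return filevault_enabled(out)
    if system == "Windows":  # manage-bde needs an elevated (administrator) prompt
        out = subprocess.run(["manage-bde", "-status", volume], capture_output=True, text=True).stdout
        return bitlocker_enabled(out)
    raise NotImplementedError(f"no whole-disk encryption check written for {system}")


if __name__ == "__main__":
    try:
        print("whole-disk encryption on:", run_check())
    except (NotImplementedError, FileNotFoundError) as exc:
        print("could not check this machine:", exc)
```

The same two parsers can be pointed at a removable drive's volume letter on Windows to cover the second checklist item (BitLocker To Go reports through `manage-bde -status` as well); a "suspended" BitLocker volume is the case worth remembering, because the drive looks encrypted in the summary line while the data is readable to anyone who boots it.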
FaceTime: End-to-end encryption guarantees a secure call
Google Hangouts and Skype: No technical safeguards; calls can be wiretapped
Secure Communications

                 Transit     Unreadable  Contact      Open to Independent  Security       Audited
                 Encryption  Encryption  Identifying  Review               Documentation  Code
FaceTime         yes         yes         no           yes                  no             yes      yes
Google Hangouts  yes         no          no           no                   no             no       yes
Hushmail         yes         no          no           no                   no             no       no
iMessage         yes         yes         no           yes                  no             yes      yes

(Each row on the slide carried seven yes/no values, one per criterion, in the order: Transit Encryption, Unreadable Encryption, Contact Identifying, Secure Communications, Open to Independent Review, Security Documentation, Audited Code.)
Security in Regard to Confidentiality
Noting APA comments about Skype: Resulting from lack of encryption and security, Skype is not a confidential form of communication and is deemed "ill advised" for providing telepsychology.
Mental Health Counselors must:
• Check with their malpractice carrier to see if Skype is covered
• Check with the patient's insurance to determine coverage
• Use only with established patients
• Avoid using with high-risk patients
• Obtain written consent before using Skype
• Ensure patients fully understand that Skype is not the same as conversation, and anything said on Skype can be published, used, broadcast, etc.
Business Associates are people and organizations who, in the normal course of business, handle sensitive information on your behalf. Examples:
• Billing services
• Collection agencies
• Record storage companies
• Practice Management Systems
• Electronic Health Record systems
• Email providers
• Attorneys
• Accountants
Getting an updated NPP (“HIPAA Form”):
1. Free models supplied by the federal government: http://www.healthit.gov/providers-professionals/model-notices-privacy-practices
2. Roy and Ofer Zur's 1-Hour CE course on the compliance deadline includes Dr. Zur's updated NPP Form: http://zurinstitute.com/hipaa_compliance13_course.html
• Collie, K., Cubranic, D., & Long, B. (2002). Audiographic communication for distance counselling: A feasibility study. British Journal of Guidance & Counselling, 30(3), 269-284.
• Gregory, Kim L. (2010, Jan 10). Camarillo funeral home unplugs online grief counseling. Ventura County Star: Ventura, California.
• Heinlen, K., Welfel, E., Richmond, E., & O'Donnell, M. (2003). The nature, scope, and ethics of psychologists' e-therapy Web sites: What consumers find when surfing the Web. Psychotherapy: Theory, Research, Practice, Training, 40(1), 112-124.
• Heinlen, K., Welfel, E., Richmond, E., & Rak, C. (2003). The scope of Web-counseling: A survey of services and compliance with NBCC Standards for the ethical practice of WebCounseling. Journal of Counseling & Development, 81(1), 61-69.
• "International Online Therapy: What To Know Before You Go." Person-Centered Technology. N.p., 2016. Web. 29 Dec. 2016.
• Kaplan, D. (2005). Ethical use of technology in counseling. Counseling Today. American Counseling Association: Alexandria, Virginia.
• "Military Patients: Recommendations for Treating Service Members." National Register. N.p., 2016. Web. 27 Dec. 2016.
• NetCE. Continuing Education for Florida Mental Health Professionals. 5th ed. Vol. 142. Sacramento, CA: NetCE, 2017. Print. Continuing Education.
• Ritchie, Rene. "Apple's FaceTime Is End-to-end Encrypted. Google Hangouts... Isn't." iMore. Mobile Nations, 13 May 2015. Web. 27 Dec. 2016.
• Scharff, Jill Savege. Psychoanalysis Online 2: Impact of Technology on Development, Training, and Therapy. London: Karnac, 2015. Print.
• Shaw, H., & Shaw, S. (2006). Critical ethical issues in online counseling: Assessing current practices with an ethical intent checklist. Journal of Counseling & Development, 84(1), 41-53.
• "Social Workers and E-Therapy." N.p., Web. 27 Dec. 2016.
You can contact Harry at: Biblical Counseling Center, 825 4th Street West, Palmetto, FL 34221, 941-729-6600