Presentation on theme: "SPONSORED BY: U.S. DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT HMIS System Administrator Training Series HMIS 101: MODULE 4 In-Depth Security and Privacy."— Presentation transcript:
SPONSORED BY: U.S. DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT HMIS System Administrator Training Series HMIS 101: MODULE 4 In-Depth Security and Privacy
Partners 2 Jeff Ward, Abt Associates, Inc. Kat Freeman, The Cloudburst Group Natalie Matthews, Abt Associates, Inc. Chris Pitcher, The Cloudburst Group
Purpose 3 Provide HMIS System Administrators, end users, CoC representatives, consumers, and federal, state, and local partners with a basic understanding of: In-Depth Privacy and Security
Webinar Format 4 This training is part of a series of trainings that will provide new staff with the basic information needed to operate or participate in an HMIS It is anticipated that this series of trainings will be offered quarterly This training is anticipated to last 90 minutes Presenters will walk through presentation material Audience members are “muted” due to the high number of participants
Submitting Questions 5 All follow-up questions should be submitted to the Ask the Expert function on If you have multiple questions, we recommend compiling them into a single submission to Ask the Expert with a reference to the HMIS 101: Module 4 training
Webinar Materials & Evaluation 6 Quick follow up survey will be ed out after the webinar The webinar will be recorded, and all materials will be posted to HMIS.info During webinar, we’ll be asking you a few questions as well
Overview of Training Series 7 HMIS 101 Modules III, IV and V: Module III: In-Depth Data Standards Module IV: In-Depth Security and Privacy Module V: Data Quality Standard and Compliance Plans HMIS 201: HMIS Budgeting and Staffing PIT and HIC Best Practice Highlights/ Use of Technology
Who are You? A. HMIS System Administrator B. HMIS Data Entry staff/Program staff C. CoC staff D. Technical Assistance provider/Trainer E. HMIS Vendor F. Other 8
How would you rate your knowledge of HMIS Privacy and Security? A. Not knowledgeable B. Somewhat knowledgeable C. Knowledgeable D. Expert
HMIS Privacy and Security Privacy is the control over the extent, timing, and circumstances of sharing oneself (physically, behaviorally, or intellectually) with others. Confidentiality pertains to the treatment of information that an individual has disclosed in a relationship of trust and with the expectation that it will not be divulged to others without permission in ways that are inconsistent with the understanding of the original disclosure. Security is the means of ensuring that data is kept safe from corruption and that access to it is suitably controlled. 2004 Technical Standards set forth expectations for privacy and security for HMIS
HMIS Privacy and Security Two tiers: required baseline standards and additional recommended protocols; Applies to all agencies and programs that record, use, or process Protected Personal Information (PPI) for an HMIS including: Continuum of Care (CoC) Homeless service provider HMIS host or administrator, etc. Employees, volunteers, affiliates, contractors, and associates are covered by the privacy standards of the agencies they deal with; and Privacy and security standards apply to all agencies- regardless of funding source- who use the HMIS.
Introduction to Privacy 12
Privacy Standards Framework Personal Protected Information (PPI) Includes name, SSN, program entry/exit, zip code of last permanent address, system/program ID, and program type Allow for reasonable, responsible data disclosures Derived from principles of fair information practices Borrowed from Health Insurance Portability and Accountability Act (HIPAA)
Privacy Requirements Privacy Standards: Protect client personal information from unauthorized disclosure Seven components: Collection limitations Data quality Purpose and use limitations Openness Access and Correction Accountability
Collection Limitations Only collect information that is appropriate for the purposes that the information is obtained or when required by law Use lawful and fair means to collect it When appropriate, collect data with knowledge or consent of the client Post sign; infer consent for collection – Must post a sign at intake desk (or comparable location) that explains generally the reasons for collecting this information.
Collection Limitations – Other Stuff You Can Do Restrict collection of personal data, other than required HMIS data elements Require written client consents Obtain oral or written consent from the individual or a third party
Data Quality Data must be relevant to the purpose for which it is to be used To extent necessary for those purposes, data should be accurate, complete, and timely Must develop and implement plan for disposal of Personal Protected Information
Purpose and Use Limitations Notice must specify purposes for PPI collections and must describe all uses/disclosures A program may use/disclosure PPI only if allowed by the standard and described in the privacy notice Notice may infer consent for described uses/ disclosures and for compatible uses/ disclosures All uses/disclosures are permissive (except first party request or required by law) Uses/disclosures not specified in notice need written consent of the individual or legal requirement
Allowable Uses/Disclosures Provide and coordinate services Payment or reimbursement Administrative functions Create de-identified PPI Required by law Avert serious threat to health/safety Academic research (written agreement required) Law Enforcement
Purpose and Use Limitation – Other stuff you can do Seek oral or written consent for use/disclosure Agree to client requested restrictions on use/disclosure Limit use/disclosure to those in notice and necessary (not compatible) purposes Keep an audit trail for disclosures Make audit trails available to the client, if requested Limit disclosures to minimum necessary
Openness Be open with agencies, client’s, and other parties about how you protect client information from unethical use You must post a sign about your Privacy policies (called a Privacy Notice) and your Privacy policies must be available to anyone who requests them – including clients and the media. If your agency has a web page, you must post your Privacy Notice on your web page. This is true about individual agencies as well as any web pages associated with your HMIS.
Access and Correction Must allow individual to inspect and have a copy of his/her PPI Must offer to explain PPI Must consider request to correct inaccurate or incomplete PPI May deny access to some info Must explain denials
Access and Correction – Other stuff you can do Allow appeal of denial of access or correction Limit grounds for denial of access Allow a statement of disagreement Provide written explanation for denial
Accountability Must establish procedure for accepting and considering complaints about privacy and security policies and practices Must require all staff members to sign a confidentiality agreement (acknowledging receipt of and pledging to comply with the privacy notice)
HMIS and HIPAA 27 Health Insurance Portability and Accountability Act (HIPAA) privacy rules take precedence over HMIS Privacy Standards HIPAA covered entities are required to meet HIPAA baseline privacy requirements not HMIS Most programs are not covered by HIPAA: To learn more go to
HMIS and Other Privacy Laws 28 Programs must comply with more stringent federal, state and local confidentiality laws; and If a conflict exists between state law and the HMIS an official legal opinion on the matter should be prepared by the state’s Attorney General and submitted to HUD’s General Counsel for Review. Domestic Violence Victim Service Providers are prohibited from entering data into HMIS and legal service providers are not to enter confidential client notes into HMIS.
HMIS Consent Models 29 Inferred Consent: Baseline Requirement; and Client’s consent to release information is inferred from the privacy posting. Implied/Informed Consent: Verbal or physical consent is required. Written Consent: Client must sign a release of information (ROI).
Levels of Consent 30 Consent to use data within an agency for program or agency operations. Consent to share additional information across programs to coordinate case management and service delivery.
Privacy Summary 31 Privacy refers to the safeguarding of protected personal information in the HMIS from open view, sharing or inappropriate use Protected Personal Information (PPI) is any information that might identify a specific individual or that might be manipulated or linked with other information to identify a specific individual
How Much Do You Know? (T/F) Privacy policies are not meant to restrict the use and disclosure of data.
The purpose of privacy is to protect the client’s information from: A. Unauthorized access B. Unauthorized disclosure C. Law Enforcement D. All of the Above
Introduction to Security 35
Defining Security 36 Security refers to the protection of client personal protected information and sensitive program information from unauthorized access, use or modification. All workstations, desktops, laptops, and servers that connect to a network that accesses or directly accesses the HMIS must comply with the baseline security requirements.
3 P’s of Security Management Products: Physical security Door locks Intrusion-detection systems Physical firewalls People: Personnel security Those who implement and properly use security products to protect data Those who collect, input, or otherwise have access to data Procedures: Organizational security Plans and policies established to ensure that people correctly use products and access data
Security Requirements 38 System security provisions apply to all the systems where Personal Protected Information (PPI) is stored, including, but not limited to, networks, desktops, laptops, mini-computers, mainframes and servers Security has three categories: System Security Software Application Security Hard Copy Security
System Security Requirements 39 User authentication Limited multiple access Virus protection with auto-update Firewalls - individual workstation or network Encryption - transmission Public access controls Location control Backup and disaster recovery System monitoring Secure disposal
User Authentication 40 Every user accessing the HMIS system must have a unique username and password. Passwords must: Include at least one number and one letter; Be at least 8 characters long; Not be based on user’s name, organization, or software; and Not be based on common words. Good: [Na$car#39] Bad: bobclark99 Terrible: hmis Passphrases: Great: (I Like Cake)
User Authentication (cont.) 41 All computers used to access HMIS data must require user authentication (e.g., username/passwords). Logging on to the HMIS computer alone is not sufficient. IDs and Passwords for the HMIS software should be different than the workstation ID and Password IDs and Passwords should not be stored or displayed in any publicly accessible location. HMIS IDs and Passwords must not be shared.
WHAT DO I JUST SAY?????? Strong password Keep it secret
Multiple Access 43 An individual user must NOT be allowed access to the HMIS from multiple workstations on the network at the same time. An individual user must NOT be allowed to log onto the local network from more than one location at a time.
System Level Virus Protection 44 All computers accessing HMIS (including remote and VPN users) must have anti-virus software installed and updated regularly that automatically scans files. Old Anti-Virus Software = No Anti-Virus Software
Firewalls 45 Image found at :
Public Access 46 HMIS that use public forums for data collection/reporting must have additional security to limit access using Public Key Infrastructure (PKI) or through IP filtering. Translation: Any Web-based HMIS accessed over the Internet, needs digital certificates installed on all browsers on all computers accessing the HMIS (PKI) or an extranet to limit access based on IP address.
What is Public Key Infrastructure? 47 Each user is issued a private key to encrypt messages and a public key to decode messages; Private key is kept secret and known only to user; Public key uses a digital certificate to authenticate the identity of the user; Digital certificates must be issued by a recognized Certificate Authority; and Secure socket layer “SSL” encryption does not meet the baseline PKI requirements.
PKI: Public Key Infrastructure 48 Options for implementing PKI: Self issued certificate authority-Example: Microsoft Certification Authority; Third party certificate authority Example: Verisign or Thawte; USB token; or Alternative to PKI: Limiting access to HMIS through IP filtering.
IP Addresses 49 Everything on the internet (servers, desktops, blackberries) is assigned an internet protocol (IP) address; The internet uses IP addresses to move information from one place to another; An IP address looks like this: ; and Firewalls block suspicious IP addresses from accessing your computer.
Physical Access/Location 50 Access to workstations must be controlled and monitored. Options: locked offices, privacy screens, etc. Access to servers must be controlled to a greater degree. Options: locked cabinet or cage; secure facilities.
Backup and Disaster Recovery 51 All HMIS data must be regularly backed up and stored in a secure off-site location: Backup your data and applications; Save them to tape; Test the tapes; A Backup tape laying next to a server won’t help if the server room catches fire!; and Alternatively, consider secure network-based offsite backup solutions.
Secure Disposal 52 Tapes, disks and hard drives must be properly formatted and erased before disposal. At least two erasure passes (three or more is recommended). Free and commercial software is available to prepare old workstation hard drives, tapes, and floppies before discarding.
System Monitoring Most security breaches are carried out by authorized users of client record systems All systems including central servers must be monitored and “routinely” reviewed by staff Monitoring decisions: Who monitors?; What is normal and what is abnormal usage and access?; How do I access the information?; and What variables to monitor?
System Monitoring (cont.) 54 What variables to monitor: Logon success/failure; Account management; Policy changes; Privilege use; Process tracking; System events; and Connection attempts (IP and port).
Software Application Security User Authentication Electronic Data Transmission Electronic Data Storage
User Authentication 56 Like the workstation, the software used to access HMIS data should require user authentication (e.g., username/passwords). Logging on to the HMIS computer alone is not sufficient. IDs and Passwords for the HMIS software should be different than the workstation ID and Password IDs and Passwords should not be stored or displayed in any publicly accessible location. HMIS IDs and Passwords must not be shared.
Data Transmission Encryption 57 Two options 128 bit encryption over the wire; and Secure Socket Layer (SSL): A communications protocol used to secure all sensitive data. SSL is normally described as wrapping an encrypted envelope around message transmissions over the Internet. Secure direct connections. Virtual Private Network (VPN)
Electronic Data Storage All HMIS data that are electrically transmitted over the internet must be encrypted Encryption is the conversion of plain text into encrypted data (code) Encryption is used to protect a client’s sensitive personal information from unauthorized viewing John Smith =
Hard Copy Security Applicable to any paper or other hard copy containing PPI that is generated by, or for, the HMIS Intake forms Consent forms Reports Must supervise hard copies at all times when in a public area. Includes intake areas When staff are not present, hard copies must be secured Must not be stored or displayed in any publically accessible location
$3cur1ty1$G00d#4U Kfreeman*1 *7Fr8!yWzh How Much Do You Know? Which is the weakest password?
(T/F) The three categories of security are system security, software application security and hard copy.
Security Best Practices 62
HMIS Security Best Practices 63 HMIS users Unique username and password Signed receipt of privacy notice HMIS computers and networks Secure location Workstation username and password Virus protection with automatic update Locking password protected screen saver Individual or network firewall Public Key Infrastructure (PKI) to prevent unauthorized access
Best Practices (cont…) 64 Designate a Chief Security Officer to implement and oversee security measures Staff computers in public areas used to collect and store HMIS data at all times Enable password protected automatic screen savers when workstation is not in use Automatically log users off the system after a period of inactivity Require regular changing of passwords and encourage creation of strong passwords Use a bonded vendor to destroy HMIS data
User Training (Strongly Recommended) 65 Although not a baseline requirement, all users should participate in: Data and Technical Standards Training Participation and Data Collection Requirements; and Privacy and Security Protocols to Protect Client Data. Software training How to enter, edit, change, and delete data; and User and computer security requirements. Ethics and privacy training Consent protocol and privacy protocols; and How to interview clients in a sensitive manner. User groups are strongly encouraged to develop peer support opportunities
Key Security Points 66 Applies to all machines accessing or storing HMIS data; All computers must have virus protection; All servers or computers directly accessing the internet must be protected by a firewall; Web-based HMIS must use PKI or IP filtering to limit public access to data; Physical access to computers and servers must be restricted; Regular back-up and storage of HMIS data; and Regular monitoring of HMIS at the system level.
Security Resources 67 National Institute of Standards and Technology Computer and Security Resource Center Carnegie Mellon/CERT: Connecting to the Internet CERT Implementation Tips for Servers and Networks National Institutes of Health Center for Information Technology Security Site Forum of Incident Response and Security Reform