Obtaining, Storing and Using Confidential Data
October 2, 2014
Georgia Department of Audits and Accounts

Headlines

  Organization               Records exposed   Year   Type of breach
  Target                     70 million        2013   Credit card breach
  South Carolina DOR         3.6 million       2012   PII breach
  TriCare                    4.6 million       2012   HIPAA breach
  Home Depot                 56 million        2014   Credit card breach
  LinkedIn                   6.5 million       2012   Passwords stolen
  LivingSocial               50 million        2013   Password & PII breach
  UPS                        Unknown           2014   Credit card breach
  Walgreens                  100,…             …      PHI breach
  Community Health Systems   4.5 million       2014   HIPAA breach

January through September 2, 2014: 521 data breaches, about 17.8 million records exposed.
Source: Identity Theft Resource Center

First Things First
- Security awareness
- Data classification
- Risk assessments

Security Awareness
- Establish policies: staff IT policies
- Educate staff: awareness training
- Enforce: compliance monitoring

Security Awareness
- Staff are required to go through security awareness training every year.
- Last year we purchased SANS training, Securing the Human.
- In prior years the IT Division developed its own training, focused on:
  - IT policies
  - Current security events that have occurred in public

Security Awareness Emphasis
SecUrity is everyone's responsibility, and "U" are at the center. Make sure U are not the weakest link.

Security Awareness Emphasis
Be a good example to the entities that you audit. We should be setting the example for good SecUrity.

Data Classification
Once staff have been trained, make sure all data is classified.
Data classification means classifying data based on its level of sensitivity/confidentiality and the impact to our office if the data is disclosed, altered or destroyed without authorization. The classification of a dataset determines what baseline security controls are appropriate for safeguarding it.

Data Classification
- GA Department of Audits is in the process of classifying all our confidential data.
- We are developing a department catalog to identify datasets and their business owners.

Data Classification Catalog

Data Classification

Questions to Ask
- Where is my sensitive/confidential data?
- Can I manage all copies and versions of confidential data?
- Is all confidential data appropriately protected?
- Who can access confidential data?
- Is confidential data required for the audit?
- Is confidential data being sent or transferred out (… and/or removable media)?
- Are the correct security processes being applied to confidential data?
- What about retention of confidential data?

What should be kept confidential?

Risk Assessment
After we complete data classification we will do a risk assessment:
- Select a risk assessment methodology (a repeatable process)
- Use the data classification information
- Determine gaps in security
- Assess potential risks, threats and vulnerabilities
- Risk = Likelihood × Impact

Risk Assessment
If there were a breach, make sure you think about things such as:
- Reputation
- Credibility
- Cost to investigate
- Credit monitoring services for those affected

GA State Law
Excerpts from the Georgia statute governing the state auditor's access to confidential information:
- "... to compel the production, inspection, and copying of documentary evidence, including without limitation evidence in electronic form and documentary evidence that is confidential or not available to the general public ..."
- "... state auditor shall have access to inspect, compel production of, and copy confidential information in any form unless the law making such information confidential expressly refers to this Code section and qualifies or supersedes it ..."
- "... shall redact, destroy, or return to the custodial agency all confidential information except that information which the state auditor determines is necessary to retain for audit purposes ..."
- "... the state auditor may retain such confidential information in working papers as is minimally necessary to support findings and to comply with generally accepted governmental auditing standards ..."
- "... confidential information in the hands of the state auditor shall have the same confidential status as it does in the hands of the custodial entity, and the state auditor shall protect its confidentiality with at least the care and procedures by which it is protected by the custodial agency or substantially equivalent care and procedures."

Obtaining Confidential Data
- Give the DOAA Confidentiality Form to the entity.
- Sometimes the entity wants to modify the form, especially in regard to how long we can keep the data; the entity's lawyer usually wants to get involved.
- Federal law supersedes state law.
- The data and system may be with a third party.
- Try to get the data well in advance of the start of the audit.
- Entity stall practices: "too big", "wrong format".

Transmitting Confidential Data
- For most transfers we use a product called Accellion Secure File Transfer.
- If the dataset is large, we give the entity an encrypted drive to copy the data to.

Storing Confidential Data
Encryption:
- In Oracle: work with the business owner to make sure field-level encryption is on for confidential datasets.
- Laptops: use PGP to encrypt all laptops.
- Flash drives: for HIPAA data, encrypt all flash drives with PGP.
- Looking at BitLocker to start encrypting all DOAA flash drives and possibly laptops.
- Backups are encrypted.
Note that whole-disk encryption on a laptop or flash drive protects the data only while the device is powered off or locked; once a user has unlocked it, anything running in that session reads the data in the clear, so it complements rather than replaces access control and DLP.

Using Confidential Data
- In the Oracle DB, if data fields have to be decrypted, a notice is sent to IT and to the project manager to alert them that the fields were decrypted.
- DLP (Data Loss Prevention): we use Cisco's appliance. On a DLP violation, a notification is sent to the ISO and the IT Director, who make sure it is not a false positive.
- The employee's Director is notified of any DLP violation in order to guide employees' behavior to be more security conscious.

Destroying Confidential Data
- Destruction of data: auditors are responsible for destroying confidential data at the end of the audit or, if it is needed for work papers, at the end of the five-year retention period.
- Auditors are provided with software (PGP Shredder) that destroys confidential electronic data by overwriting it with random data, repeating the process through multiple passes.
- Records managers in each Division ensure compliance.
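The overwrite-then-delete routine the slide attributes to PGP Shredder, written out as an added Python example for this page (it is not DOAA's tooling or PGP's code). The working-paper files it shreds are constructed in a temporary directory inside `demo()`; the directory name prefix, pass count and chunk size are this example's own choices. The caveat a practitioner wants: overwriting in place only reliably destroys data on spinning disks with a simple file system. On SSDs (wear levelling), copy-on-write or journaling file systems, snapshots and the encrypted backups the deck mentions, the old blocks can survive an overwrite, and the dependable answer there is cryptographic erasure: keep the data only on an encrypted volume and destroy the key.

```python
import os
import secrets
import tempfile
from pathlib import Path

CHUNK = 64 * 1024   # overwrite in 64 KiB chunks so large extracts stay cheap on memory


def shred_file(path, passes=3):
    """Overwrite a regular file with random bytes `passes` times, truncate it,
    rename it to a random name and unlink it. Returns the bytes overwritten per pass.
    Symlinks and non-regular files are refused so a planted link can never make
    this routine overwrite something outside the working-paper directory.
    Caveat: on SSDs, copy-on-write/journaling file systems and snapshots the old
    blocks may survive; rely on an encrypted volume plus key destruction there."""
    p = Path(path)
    if p.is_symlink() or not p.is_file():
        raise ValueError(f"refusing to shred non-regular file: {p}")
    size = p.stat().st_size
    with open(p, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            left = size
            while left > 0:
                n = min(CHUNK, left)
                f.write(secrets.token_bytes(n))
                left -= n
            f.flush()
            os.fsync(f.fileno())   # push each pass to the device, not just the page cache
        f.truncate(0)
        os.fsync(f.fileno())
    anon = p.with_name(secrets.token_hex(8))   # hide the original name in directory metadata
    p.rename(anon)
    anon.unlink()
    return size


def shred_tree(directory, passes=3):
    """Shred every regular file below `directory`, drop symlinks without following
    them, then remove the emptied directories bottom-up.
    Returns (files_shredded, bytes_overwritten_per_pass)."""
    files = total = 0
    for root, dirs, names in os.walk(directory, topdown=False):
        for name in names:
            fp = os.path.join(root, name)
            if os.path.islink(fp):
                os.unlink(fp)
                continue
            total += shred_file(fp, passes)
            files += 1
        for d in dirs:
            dp = os.path.join(root, d)
            if os.path.islink(dp):   # symlinked directories are not walked; remove the link itself
                os.unlink(dp)
        os.rmdir(root)
    return files, total


def demo():
    """Constructed sample working papers (not real data) in a temp dir;
    returns what shred_tree reported and whether the directory is gone."""
    d = Path(tempfile.mkdtemp(prefix="workpapers-"))
    (d / "audit").mkdir()
    (d / "audit" / "payroll_extract.csv").write_bytes(b"ssn,name\n" + b"x" * 100_000)
    (d / "findings.txt").write_bytes(b"confidential finding text")
    files, nbytes = shred_tree(d, passes=2)
    return {"files": files, "bytes": nbytes, "dir_remains": d.exists()}


if __name__ == "__main__":
    print(demo())
```

The random rename before unlinking matters because the file name itself ("payroll_extract.csv") is often enough to tell an attacker what was there, and many file systems keep deleted names in directory slack.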

Additional Tools
- Evaluating a product called Sensitive Data Manager by Identity Finder.
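What a discovery tool like the one being evaluated here does, and what the "Where is my sensitive/confidential data?" question on the Questions to Ask slide and the DLP false-positive check on the Using Confidential Data slide both depend on, is shown below as an added Python example; it is not Identity Finder's or Cisco's logic. Pattern matching alone floods a report with false positives, so each candidate is validated: SSNs against the Social Security Administration's never-issued ranges (area 000, 666 and 900-999, group 00, serial 0000) and card numbers against the Luhn mod-10 check. Hits are reported masked, because a findings list of full SSNs is itself confidential data. The files scanned by `demo()` are constructed in a temporary directory; the card and SSN values in them are standard test values, not real identifiers.

```python
import re
import tempfile
from pathlib import Path

# Candidate patterns are deliberately loose; the validators below do the filtering.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional space/dash separators


def ssn_is_plausible(area, group, serial):
    """SSA never issued area 000, 666 or 900-999, group 00, or serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def luhn_ok(digits):
    """Luhn mod-10 check that real card numbers satisfy; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value):
    """Report hits by last four digits only: the findings report is itself confidential."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text):
    """Return validated (kind, masked_value) hits found in one text blob."""
    hits = []
    for m in SSN_RE.finditer(text):
        if ssn_is_plausible(*m.groups()):
            hits.append(("SSN", mask(m.group(0))))
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            hits.append(("CARD", mask(m.group(0))))
    return hits


def scan_tree(directory):
    """Map relative file path -> validated hits, for every regular file that has any."""
    root = Path(directory)
    report = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.is_symlink():
            continue
        text = p.read_text(encoding="utf-8", errors="ignore")   # undecodable bytes are dropped
        hits = scan_text(text)
        if hits:
            report[str(p.relative_to(root))] = hits
    return report


def demo():
    """Constructed sample files (not real data) in a temp dir; returns the scan report."""
    d = Path(tempfile.mkdtemp(prefix="scan-"))
    (d / "hr_notes.txt").write_text(
        "Employee SSN 219-09-9999 on file. Placeholder 666-12-3456 is not a real SSN.\n")
    (d / "expenses.csv").write_text(
        "card,amount\n4111 1111 1111 1111,42.00\n1234 5678 9012 3456,13.00\nordered 2014-10-02\n")
    (d / "readme.txt").write_text("Nothing sensitive here; ticket 2014-1002.\n")
    return scan_tree(d)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

Run against a share or a departed auditor's home directory, the report answers the catalog question of which datasets exist and where copies have spread; the same two validators are what keep a DLP rule from firing on invoice numbers and dates that merely look like identifiers.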

Final Thought
State of _________ Audit Department Breach

Questions
Lynn Bolton, (404) …
Georgia Department of Audits and Accounts