BCBSA Advanced Privacy – Security Training NES-503

Upload: allegra-kirk, posted 30-Dec-2015

TRANSCRIPT

Page 1: BCBSA Advanced Privacy –Security Training NES-503

A Blue Cross and Blue Shield Association Presentation

BCBSA Advanced Privacy – Security Training NES-503

Page 2: Required Training

If you handle Personal Health Information (PHI) or Personal Identifiable Information (PII), you will need to be certified by completing the following required training:

• On-The-Job Training provided by your manager or supervisor, or their designate

• General Privacy-Security Online Training Module (Blue Learning Center course NES-502)

• Advanced Privacy and Information Security Classroom Workshop (Blue Learning Center course NES-503)

• Privacy and Information Security Acknowledgement / Certification Form (NES-503F)

Page 3: Course Purpose

Increase training and awareness of Protected Health Information (PHI) and Personal Identifiable Information (PII) including the policies, procedures and best practices that safeguard member data and protect BCBSA from future incidents.

Page 4: Course Objectives

• Define PHI and PII

• Explain why it is important to protect PHI and PII

• Identify potential threats to PHI-PII

• Review current and new policies and procedures

• Review next steps

Page 5: Understanding the PHI Schematic

[Diagram labels: Plans, Government, Law Firms, Vendors/Partners, Consulting Firms]

• Approximately one-third of our workforce currently either receive, share and/or access PHI-PII, based on a PHI-PII inventory completed earlier this year.

Page 6: What is PHI (Protected Health Information)?

• Relates to past, present or future health condition, and the provision of health care or payment.

• Identifies, or can be used to identify, an individual.

• Created or received by a healthcare provider, health plan, healthcare clearinghouse or a business associate of one of these.

• Transmitted or maintained in any form.

• Includes simple demographic information about an individual if it started out as PHI.

Page 7: What are PHI Data Elements?

• Names

• All geographic subdivisions smaller than a state, including:

– street address, city, county, precinct

– ZIP code and equivalent geocodes, except for the initial three digits of a ZIP code if the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people

• All elements of dates (except year) for dates directly related to an individual, including:

– birth date, date of service, admission/discharge dates, date of death

– and all ages over 89

• Telephone numbers

• Fax numbers

• E-mail addresses

• Social Security numbers

• Medical record numbers

• Health plan identification numbers

• Account numbers

• Certificate/license numbers

• Vehicle identification numbers

• Device identifiers and serial numbers

• Web URLs

• IP addresses

• Biometric identifiers, including finger and voice prints

• Full face photographic images

• Any other unique identifying number, characteristic, or code

• To be fully DE-IDENTIFIED (no longer PHI), all data elements must be removed, OR a qualified statistician’s opinion obtained stating it is de-identified.

• HIPAA requires that only the MINIMUM NECESSARY amount of PHI be used for any authorized purpose.

Page 8: What is Personally Identifiable Information (PII)?

• PII is defined by various state laws and is usually Name in combination with any of the following:

– SSN

– Account Number

– Credit/Debit Card Number

– Some states include additional data elements, e.g., Passwords/PINs, Driver’s License numbers

• Note that Provider Tax ID Numbers (TINs), which can be a Social Security Number, must be treated as PII and de-identified whenever possible

• Like HIPAA for PHI, these state laws require notification to individuals in the event of a breach of PII

Page 9: Privacy Versus Security

• Privacy

– Individuals’ right to protection of their personal info

– Defines permissible uses and disclosures

– Applies to all PHI, including paper and verbal forms

– April 2003

• Security

– Refers to how information is protected both at rest and in transit

– Requires administrative, physical and technical safeguards

– Applies specifically to ePHI (electronic PHI)

– Flexible and evolving

– April 2005

• HITECH Act: February 2009

Page 10: Who is Responsible for PHI?

Everyone:

– BCBSA Officers

– Executive & Managing Directors

– Directors & Managers

– Employees

– Contingent staff

– Business Associates

• How do you use PHI and PII?

Page 11: Why Should We Care About Privacy and Security of Personal Info?

Data Breach is a release of “unsecured” PHI or PII or other sensitive information to an unauthorized entity or an insecure environment, whether intentional or unintentional.

Notification required within 60 days to affected individuals, HHS and sometimes local news media

Page 12: What is Secured PHI?

• Health & Human Services (HHS) considers PHI “Secured” if:

– Data is encrypted (made unreadable) using approved encryption software

– Data is properly destroyed when no longer needed, both in electronic and paper formats

• Data is no longer PHI if properly de-identified

Page 13: Data Breach Exceptions

• Unintentional acquisition, access, or use of PHI made by an employee/representative of a covered entity or business associate in “good faith” and within the scope of employment (and such information is not further acquired, accessed, used or disclosed)

• Inadvertent disclosure by an individual authorized to access PHI to another individual similarly situated at the same covered entity or business associate (as long as the PHI is not further used or disclosed)

Page 14: Examples of How Breaches Could Occur

1. Failure to encrypt data

2. Using weak passwords (Password1)

3. Unencrypted computer assets lost, stolen or compromised

4. Malicious software (malware)

5. Sensitive information on publicly-accessible computers

6. Sensitive information left on paper unattended

Page 15: Causes of Data Breaches

• Security concerns take on many forms:

– Human error by workforce members, business associates, Plans and Partners

› “I knew that only gender and age were needed for a quote, but since it takes too much time to purge other PHI, it was just easier to send it all.”

› “I assumed that as long as the CD was encrypted, it was okay to install the data unencrypted on my home computer so I could finish my project.”

› “I suspected that the individual I transmitted PHI to did not have a legitimate business need, but because they work for BCBSA, I assumed it was ok to share the information.”

– Insider fraud by workforce members, business associates, Plans and Partners

– Outsider compromise of data to perpetrate identity theft and fraud

Page 16: Data Breach Incidents

• According to the Privacy Rights Clearinghouse, in 2009, there were 252 reported security incidents within the United States

• From 2005 to mid-2010, over 500 million sensitive records were breached

Page 17: Examples of BCBS Data Breach Incidents

• Stolen Computer Hard Drives (Oct. 2009): A total of 57 computer hard drives were stolen from a Blue Cross and Blue Shield Plan’s training facility. The hard drives were not encrypted and contained the personal data of 500,000 customers in 32 states, including names, ID numbers, dates-of-birth; and, in a number of cases, social security numbers.

• Laptop and Document Theft (June 2008): A Blue Cross and Blue Shield Plan’s employee laptop computer and hard copy documents in the possession of the employee were stolen from the trunk of her car. The computer was encrypted; therefore, this data was not breached. However, the hard copy documents contained the PHI of two FEP members. The Plan was required to offer identity theft protection services to the impacted members.

• EOBs Mailed to Wrong Addresses (July 2008): 200,000 benefit letters containing personal and health information were sent to the wrong addresses. The letters included the patient's name and ID number, provider name, and the amounts charged and owed. Some of the letters also contained the patient's Social Security numbers.

Page 18: Summary

Avenues of Data Loss Exposures

- Individuals with Access to PHI-PII

- Collecting/Using More PHI-PII Than Necessary

- Using PHI-PII Outside the Office

- Data Copied to Mobile Media (CD, DVD, USB, Backup Tapes)

- Laptops Compromised / Non-BCBSA Computers

- Data Transmitted Outside BCBSA

- Server, Database, Application Vulnerabilities

- Printouts with PHI-PII Left Unprotected / Human Error

Impacts of Data Loss

- Damage to the Blue Brand

- Potential Loss of OPM or Plan Support

- Regulatory/Legal Exposure

- Unplanned Costs

Risk Mitigation

- PHI-PII Encrypted

- Access Tightly Controlled

- Workforce Trained-Certified

- Activity Monitored/Controlled

Page 19

Please complete the exam and move to the next section

Page 20: Section 2 – Security Threats

Page 21: Security Threats – Overview

• According to the Javelin Strategy and Research report for 2009:

– Approximately 11 million Americans affected by identity-theft in 2009, up 12% from 2008. This follows a 22% increase from 2007.

– $54 billion cost to American businesses and individuals in 2009.

– American fraud resolution time per victim is 21 hours, and the consumer out-of-pocket cost was $373 in 2009.

• Cyber-Theft Organizations use e-mail “phishing” and hacking to obtain personal information:

– The Carder Planet network

› Boasts 7,000 members; run by a dozen individuals.

› Marketplace for millions of stolen accounts.

› Charge a few dollars to hundreds of dollars for accounts.

Page 22: Security Threats – Hackers & Malware

• Intrusion Detection/Prevention:

– In a typical month, between 10 to 20 million network events are blocked.

– Top three detected events: (1) Pre-Attack Scans to probe for weaknesses; (2) Denial of Service scans to try and overwhelm devices; and (3) Unauthorized access attempts.

Page 23: Security Threats – E-mail

• Internet E-mail:

– In a typical month, 30 to 50 million SPAM e-mails are blocked (e.g., 96% of all incoming e-mail). In addition to SPAM, policy filtering eliminates additional undesirable email.

– The e-mail gateway servers also block between 1,000 to 6,000 viruses per month.

– Microsoft Gateway Online Protection For Exchange is utilized.

Page 24: Security Threats – Malicious Software

• Your computer can become infected with malicious software (malware) simply by clicking on links or forms contained within e-mail, or by visiting infected or inappropriate websites

• In 2010, BCBSA hired a third party security company to evaluate how users would react to a typical social engineering exploit. The third party consultant, acting as a Help Desk technician, sent e-mails and placed telephone calls to some BCBSA users (from outside BCBSA) that appeared to be coming from inside BCBSA.

• BCBSA users were then asked to click on links to install IT software or to login to a BCBSA “look-a-like” website

– The bad news was that approximately half of the targeted individuals clicked on the e-mail link

– The good news was that several individuals called the BCBSA Help Desk, and IT technicians responded quickly to investigate the incident

Page 25: Security Threats – Social Engineering

• Remember that BCBSA IT technician staff will never ask you to click on links or forms to install IT software or system patches, nor will they ask you to provide your password or to login to a website

• You can protect BCBSA computers and PHI-PII by reporting to the BCBSA Help Desk e-mails or telephone calls received that ask you to:

– Install software

– Log in to websites

– Visit external websites

– Provide personal or company information

• According to the most recent Data Breach Investigations Report (DBIR), malicious software is one of the most frequently used attacks by unauthorized outsiders to gain access to personal sensitive information

• Therefore, we need your help!

Page 26: Security Threats – Malicious Software (Malware)

• Summary of Data Breach Investigations Report (DBIR) for 2009:

Page 27: Health & Human Services (HHS) – Complete Source, Inc.

• Summary of HHS-reported breaches, from 9/9/09 thru 1/18/10:

– 15 states reporting incidents involving 500 or more individuals

Page 28

Please complete the exam and move to the next section

Page 29: Section 3 – BCBSA Security Policies

Page 30: BCBSA Information Security Policies

• Information Security Policy Groups:

– Group #1: Information Access and Acceptable Use

– Group #2: Technology Related Policies

– Group #3: Information Security Governance

• Location of Security Policies:

– BlueWeb / BCBSA / Human Resources / BCBSA Policies and Procedures Manual / Chapter 8 Information Security

– http://blueweb.bcbs.com/blueweb/Leaf?docId=14703

Page 31: Policy Group #1: Information Access & Acceptable Use

• Definition of Terms

• Information Access Policy

• Technology Assets and Usage Policy

• PHI-PII Acceptable Use Policy

• Internet Acceptable Use Policy

• E-Mail Acceptable Use Policy

• Remote Access Security

Page 32: Information Access Policy

• Authorization for access to PHI-PII must be approved by a Division Vice President

• Access to PHI-PII must be reviewed at least semi-annually

• Access to systems must be modified when a workforce member’s needs change or as a result of a change in their role or job within

• Separation of duties must be maintained. For example, individuals approving access must not also be administrators.

Page 33: Privacy-Security Request Form

http://blueweb.bcbs.com/blueweb/Leaf?docId=14703

Page 34: Privacy-Security Request Form (continued)

Page 35: Technology Assets and Usage Policy

• BCBSA technology assets are to be used for business purposes, and must be protected from loss or misuse, and returned upon termination

• Only software approved for use may be utilized, and only authorized IT Service Delivery personnel may install software or hardware

• Non-BCBSA technology assets (for example, non-BCBSA laptops) may not be connected to the BCBSA Local Area Network

• BCBSA-licensed software may not be installed on non-BCBSA technology assets

Page 36: PHI-PII Acceptable Use Policy

• When PHI-PII must be utilized, only the minimum necessary may be collected, stored or transmitted

• One-time or ongoing export of PHI-PII outside of BCBSA is prohibited unless its release is approved by a Division Vice President

• Data must be encrypted in transit and when stored on laptops and removable media

• PHI-PII must be de-identified for IT development & prototypes

Page 37: Release of PHI-PII Request Form

http://blueweb.bcbs.com/blueweb/Leaf?docId=14703

Page 38: Release of PHI-PII Request Form (continued)

Page 39: Internet Acceptable Use Policy

• Access to websites which contain offensive or disruptive content is prohibited

• BCBSA business practices and work environment information must not be posted on personal or social networking sites

• BCBSA reserves the right to block access to inappropriate sites, as well as personal e-mail and social networking

• Use of Instant Messaging and Peer-to-Peer networks such as Skype, Limewire and Kazaa over the Internet is prohibited

• BCBSA management reserves the right to monitor workforce member activity without prior knowledge of the workforce member

Page 40: E-Mail Acceptable Use Policy

• BCBSA reserves the right to block attachments addressed to personal-type e-mail addresses

• The use of the List Management System (LMS) to transmit PHI-PII is prohibited

• While limited personal use of BCBSA e-mail is permitted, workforce members are expected to use e-mail in a professional and courteous manner

Page 41: Remote Access Security

• All requests for remote access must be approved

• Formal telecommuting arrangements involving set-days-per-week must be approved by a Division Vice President and Human Resources

• Workforce members must protect BCBSA-issued equipment from loss, and not allow use by others

• Remote users must ensure that unauthorized viewing of PHI, PII or other BCBSA sensitive or proprietary information does not occur

Page 42: Application For Remote Access

http://blueweb.bcbs.com/information_technology/attachments/IT_COMM_2009/IT_CSP_RemoteAccessRequestForm.pdf

Page 43: Policy 352: Telecommuting Arrangements

• All employees who transmit sensitive information such as protected health information (PHI) or other Personally Identifiable Information (PII) as part of their job responsibilities must do so using the BCBSA LAN (J, H or I drive directories, BCBSA e-mail system, BCBSA printers)

• The storage or transmission of PHI or PII through any other means is a violation of BCBSA policies, unless an exception is approved via the BCBSA Privacy-Security Request Form

• Under no condition should PHI, PII or other BCBSA-sensitive data be stored on non-BCBSA equipment

Page 44: Policy Group #2: Technology Related Policies

• Password and Userid Policy

• File Shares Policy

• Transmission Security Policy

• Removable Media Policy

• IT Equipment and Data Disposal Policy

• Vulnerability Management & Malicious Software Policy

• Information Security Audit & Logging Policy

Page 45: Password and Userid Policy

• Each workforce member must use a unique userid/password

• Passwords must not be divulged, and must never be displayed or stored in files unless access to the file is restricted and the file is encrypted

• Passwords must not be dictionary words unless broken up with numbers or symbols:

– Excellent: JaJwuth9, Dywtdlt1

– Good: Wednes#day, Tuesd$ay

– Poor: Password1 or September1

• Passwords expire every 90 days

• IT Local Admin, Service and Application accounts require 15-character passwords, known to only a small number of individuals
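The three tiers above can be turned into a mechanical check. The following is an added example, not BCBSA code or any tool the deck describes: it rates a candidate password the way the slide does (a dictionary word on its own or with digits only at the end is Poor, a dictionary word broken up by a symbol or digit is Good, and a non-dictionary string with mixed case plus a digit or symbol is Excellent), and applies the slide's 15-character minimum to privileged accounts. The mini-dictionary, the 8-character minimum for ordinary user accounts, and the mixed-case test are assumptions the slide does not state.

```python
import re
import string
from enum import Enum

# Constructed mini-dictionary for this example only. A real deployment would
# load a full word list and a breached-password list instead.
DICTIONARY = {
    "password", "september", "wednesday", "tuesday", "monday",
    "welcome", "summer", "winter", "blue", "cross", "shield",
}

USER_MIN_LENGTH = 8          # assumption: the slide gives no minimum for user accounts
PRIVILEGED_MIN_LENGTH = 15   # from the slide: local admin / service / application accounts


class Rating(str, Enum):
    POOR = "Poor"
    GOOD = "Good"
    EXCELLENT = "Excellent"


def _letters_only(pw: str) -> str:
    """Collapse the password to lowercase letters so 'Wednes#day' reads as 'wednesday'."""
    return re.sub(r"[^a-z]", "", pw.lower())


def contains_dictionary_word(pw: str) -> bool:
    """True if the letters of pw, ignoring digits and symbols, contain a dictionary word."""
    letters = _letters_only(pw)
    return any(word in letters for word in DICTIONARY if len(word) >= 4)


def is_broken_up(pw: str) -> bool:
    """True if a digit or symbol sits inside the word, not merely at either end.

    'Password1' strips to 'Password' (nothing inside) -> False.
    'Wednes#day' keeps the '#' in the middle -> True.
    """
    core = pw.strip(string.punctuation + string.digits)
    return any(not ch.isalpha() for ch in core)


def rate_password(pw: str, privileged: bool = False) -> Rating:
    """Rate pw using the slide's Poor / Good / Excellent tiers."""
    min_len = PRIVILEGED_MIN_LENGTH if privileged else USER_MIN_LENGTH
    if len(pw) < min_len:
        return Rating.POOR
    if contains_dictionary_word(pw):
        # A dictionary word is acceptable only when broken up with numbers or symbols.
        return Rating.GOOD if is_broken_up(pw) else Rating.POOR
    has_mix = (
        any(ch.isupper() for ch in pw)
        and any(ch.islower() for ch in pw)
        and any(ch.isdigit() or not ch.isalnum() for ch in pw)
    )
    return Rating.EXCELLENT if has_mix else Rating.GOOD


if __name__ == "__main__":
    for candidate in ["JaJwuth9", "Dywtdlt1", "Wednes#day", "Tuesd$ay", "Password1", "September1"]:
        print(f"{candidate:12s} {rate_password(candidate).value}")
    print("service account, 'JaJwuth9':", rate_password("JaJwuth9", privileged=True).value)
```

The checker reproduces the slide's six examples, and rates "JaJwuth9" Poor for a service account because it is shorter than the 15 characters the policy requires there. Mangled dictionary words stay in the Good tier rather than Excellent: a password-cracking tool's word-mangling rules recover "Wednes#day" from "Wednesday" with little extra effort, which is why random strings rank higher.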

Page 46: Peer Pressure

Page 47: File Shares Policy

• Access to PHI-PII or other BCBSA sensitive and proprietary information within Application or Group File Shares (for example, J: and I: drives) must be limited

• Under no condition may PHI-PII or other BCBSA sensitive information be stored on the G: drive

• While workforce members may create directories and sub-directories within existing file shares, only authorized IT Service Delivery workforce members may create or modify file shares

• BCBSA file shares may not be used for music, personal photos, or illegal or inappropriate content

Page 48: Protect Information

Page 49: Transmission Security Policy

• One-time or ongoing export of PHI-PII outside of BCBSA is prohibited unless its release is approved by a Division Vice President

• The transmission of PHI or PII over open networks such as the Internet must be encrypted

• Communication sessions for new IT applications containing PHI-PII, as well as for major upgrades to existing applications with PHI-PII, must use session encryption

Page 50: Securing E-mail Example

Page 51: Large File Transfers

• Files larger than 10 MB cannot be sent via e-mail

• Files larger than 10 MB should be sent via secure File Transfer Protocol (FTP)

• Directory names and a list of authorized individuals must be pre-established

• If you have questions about sending large file transfers, please contact Sandra Vincente, Olga Rivera or Derek Chang

Page 52: Desktop FTP Example

Page 53: Removable Media Policy

• One-time or ongoing export of PHI-PII outside of BCBSA is prohibited unless its release is approved by a Division Vice President

• Removable media containing PHI-PII or other BCBSA sensitive information must be encrypted and, if shipped, must be transported with signed receipt

• Removable media with PHI-PII and other BCBSA sensitive data must be logged and tracked, and reported if lost or stolen

• Workforce members must protect removable media from loss or misuse, and must return these devices, and discontinue their use, upon termination

Page 54: IT Equipment and Data Disposal Policy

• Technology assets that will be re-deployed internally must be "re-imaged", with all data removed, before being reassigned to another workforce member

• Technology assets and removable media no longer needed must have all data permanently purged or destroyed

• Legal contracts (current, extensions, and future) with any third party who will dispose of or re-market technology assets must require that the third party also comply with the provisions of this policy

Page 55: Vulnerability Management & Malicious Software

• Business Protection Services (BPS) is responsible for identifying critical vulnerabilities

• Applicable IT departments must:

– Remediate critical security vulnerabilities

– Install critical security patches

– Keep anti-virus software current

– Maintain software at vendor-supported versions

• Technology assets without appropriate security, or with unsupported or unlicensed software, are subject to immediate removal from the BCBSA network

• Laptop users are responsible for connecting their laptops to the Local Area Network for at least one hour every month to receive updates

Page 56: Information Security Audit & Logging

• An electronic audit trail or log of activity involving use of PHI-PII and other BCBSA sensitive or proprietary information must be maintained for one year

• Access to audit and log information must be limited to authorized individuals only, and the audit logs must be reviewed on a periodic basis

• Any activity involving unauthorized or inappropriate access or use of PHI-PII must be reported to Business Protection Services

Page 57: Policy Group #3: Information Security Governance

• Workforce Management Policy

• Information Security Training Policy

• HIPAA Documentation Requirements Policy

• Security Incidents Policy

• Business Continuity Planning

• External IT Services Policy

• Security Policy Exceptions

Page 58: Workforce Management Policy

• Defines roles and responsibilities for BCBSA:

– Business Owners/Stewards

– Managers and Supervisors

– System Administrators

• Business owners/stewards must define rules for user access to PHI-PII and other sensitive data, and ensure periodic review of access

• Managers and supervisors must enforce BCBSA information security policies and procedures, and monitor workforce member activities

• System administrators must ensure access to PHI-PII is approved before granting access

Page 59: The End Does Not Justify the Means

Page 60: Information Security Training Policy

• Workforce members must be trained and certified before being granted access to PHI or PII

• Certification requires completion of classroom training (NES-503), online training with quiz (NES-502), departmental training, and a signed or online acknowledgement form

• Workforce members without access to PHI-PII are only required to complete general privacy-security online training (NES-502)

• All workforce members, regardless of access to PHI-PII, must complete online privacy-information security refresher training on an annual basis

Page 61: HIPAA Documentation Requirements Policy

• Department-level HIPAA security policies and procedures must be developed when PHI is present, and must be reviewed/updated annually

• Workforce members within departments must be trained to follow these departmental policies and procedures

• Changes to departmental HIPAA policies and procedures must be approved by Legal and the Division Vice President, with a signed copy provided to Business Protection Services

Page 62: Departmental Policy – Procedure Template

Page 63: Security Incidents Policy

• Workforce members must report actual or suspected incidents involving the unauthorized release, loss, access or use of PHI-PII or other BCBSA sensitive or proprietary information:

– Incidents involving data must be reported to Business Protection Services (BPS)

– Physical security incidents must be reported to Facility Management

• Incidents will be investigated by the Privacy-Information Security Incident Response Team (PSIRT), which is led by Business Protection Services (BPS)

Page 64: Business Continuity Planning

• Business Protection Services (BPS) shall develop and maintain a Business Continuity / Disaster Recovery Plan

• Business owners/stewards must cooperate to complete a Business Impact Analysis (BIA) of BCBSA-owned processes

• Business owners/stewards must develop and maintain formal BC-DR procedures

• Under the direction of BPS, the BC-DR plan must be tested on a periodic basis

Page 65: Business Continuity Plan (BCP)

http://blueweb.bcbs.com/blueweb/Leaf?docId=14703#1.0

Page 66: External IT Services Policy

• The IT Division must review external IT service solutions to ensure the technology is compatible with what is in use at BCBSA

• A Privacy-Information Security Questionnaire must be completed by the third party to allow for assessment of:

– Privacy

– Information security

– Business Continuity / Disaster Recovery

Page 67: Security Policy Exceptions

• Any exception to a BCBSA information security policy must be documented in writing to Business Protection Services (BPS) using the BCBSA Information Security Policy Exception Form

• Exceptions must include business justification, level of risk being accepted, remediation plan, and signature of a Division Vice President

• Before submitting an exception, Business Protection Services (BPS) should be consulted to determine if an exception is necessary and to explore alternatives for mitigating the risk

• Note that BCBSA reserves the right to reject any exception request which creates undue risk to the organization

Page 68: Summary: How You Can Help

• Prevent privacy-security breaches by:

– Using only the minimum necessary PHI, and restricting the export of PHI (for example, only online reports with no export functionality)

– Limiting support staff with access to sensitive personal information on a strict need-to-know and need-to-use basis, and reviewing those permissions on a periodic basis

– Typing the word "secure" in your subject line to encrypt sensitive information sent via e-mail, and never including PHI in the subject line

– Purging PHI e-mail and J: or I: drive repositories that no longer have a legitimate business purpose, and not storing PHI on open drives such as G:

– Maintaining departmental privacy/security policies and training new employees on how to protect sensitive information before granting access

Page 69: Summary: How You Can Help (continued)

• Prevent privacy-security breaches by:

– Never storing PHI on non-BCBSA computers, including home computers

– Ensuring that PHI is de-identified for IT development, application prototypes, and demonstrations

– Using SafeGuard to encrypt data on mobile media (with management approval), or File Transfer Protocol (FTP) for large file transfers that cannot use e-mail

– Not leaving printed PHI on your desk when you are not present, at the printer, or on the fax machine. Pick up documents immediately or use secure print

– Locking your office door or file cabinets when you are not present if they contain PHI, PII or any other sensitive information

Page 70: Summary: How You Can Help (continued)

• Prevent privacy-security breaches by:

– Verifying callers and their authorized right to the information before discussing PHI

– Validating receipt of a fax when sending PHI or PII

– Not disclosing PHI inadvertently in conversations, fax, or e-mail. Do not discuss PHI in crowds

– Requiring signed receipt of documents by using UPS or FedEx services. For inter-office mailings, it is best to hand-deliver these to the authorized individual

– Ensuring that business associate contracts are in place and that new business associates have completed the BCBSA Third Party Information Security Questionnaire maintained by BPS

Page 71: Next Steps/Wrap Up

• If you handle PHI-PII, you will need to be "certified" by completing:

– Today's one-time Advanced Privacy-Information Security Workshop (Blue Learning Center course NES-503), and

• When you get back to your desk, ensure you complete:

– On-The-Job Training provided by your manager or supervisor, or their designate

– General Privacy-Security Online Training Module (Blue Learning Center course NES-502)

– Privacy-Information Security Acknowledgement / Certification Form (NES-503F)

Page 72: Job Aids

• URL Addresses for Online Forms

• FAQs for PHI & PII Data Processes and Technical Safeguards

• Using the Secured Print Feature

• How to use SafeGuard Encryption

• IT Business Office Organization

– Business Protection Committee

– PHI-PII Data Contacts