HIPAA Data Security
PCF Data Security Update, May 1st, 2015


PediatricsPCF

Understanding of the Data Transfer Requirements

• What are you trying to accomplish?

• Who do you need to share your data with?

• Do you need a BAA and is one already in place?
  • More on this later…

• Some have requirements to share and/or exchange data with various agencies
  • Internal Connections
  • External Connections


HIPAA Policies

• WUSM Security and Privacy Policies are located at: http://secpriv.wusm.wustl.edu/Pages/SecPrivWelcome.aspx

• E-Mail and Internet Usage Guideline Policy # 02.03.04

• Storing Protected and/or confidential information on Internet Servers

• Sending e-mails that contain Protected and/or Confidential Information
  • Disclaimer – PCF automatically appends the disclaimer to all outbound email
  • Encryption – all email containing protected information other than provider-to-patient communication should utilize an encryption mechanism to ensure the integrity and confidentiality of the protected information


PCF Email Services

• Discussed the Email Disclaimer previously

• PCF and BJC Email environments route email to each other through the GroupWise Email Connector
  • Automatically routes email addressed to respective email recipients through the connector – no need to encrypt!
  • Shared address books
  • Free/Busy Calendar views – allows for better integration for areas that require hybrid (SLCH/Dept. of Pediatrics)
  • Helps break down organizational barriers
  • This tool will be extended to the other WUSM email environments in the future


Mobile Device Management (MDM)

• WUSM has implemented the AirWatch MDM product

• All mobile devices connecting to the WUSM-secure Wi-Fi network are required to use the AirWatch service

• Download the AirWatch client from the appropriate App store


AirWatch Email notification from the PCF Helpdesk

Also attached is a PowerPoint Presentation from Information Security that provides additional information regarding AirWatch and why it is being implemented. Time is running out before AirWatch will be required to be installed on your Smartphone.

UPDATED Configuration Instructions – You must be logged out of the WUSM-Secure network to configure AirWatch. Attached are instructions for downloading the AirWatch application from the App store. The instructions are broken down by iPhone and Android. Also included is a FAQ for AirWatch.

If you are configuring AirWatch on your SmartPhone and when you are prompted for group ID enter PCF. When prompted for server name enter https://mdm.wusm.wustl.edu

If you have any questions about configuration contact the PCF Helpdesk.

As mobile devices become increasingly powerful tools, so does their use in the workplace. As the usage and capabilities gaps between mobile devices and traditional computers continue to widen, we must begin to think more strategically about security for each tool, separately. This means taking the steps necessary to protect mobile devices, minimizing the risk of a data breach.

The Washington University Information Security Office has deployed a new mobile device management service called AirWatch to the WUSM-Secure Wi-Fi Network. AirWatch adds a layer of security for all mobile devices (Apple and Android phones and tablets) and helps us protect university data. The AirWatch service is free and available now on your device's app store.

Beginning 03/31/2015, all mobile devices connecting to the WUSM-secure Wi-Fi network will be required to use the AirWatch service. Without the app you will be unable to access the WUSM-secure Wi-Fi network. An FAQ for the service, as well as installation instructions for installing the App can be found on the WU Security website.

We are aware of concerns with the app voiced in product reviews on various app provider Websites. Our custom configuration of the app simply enforces the PIN and encryption of the device and therefore we foresee no negative impact to battery life of the device. Also, tracking of installed personal apps has been disabled to ensure your privacy.

If you have any policy related questions, please contact Denise Woodward at 314-362-0735 or email [email protected]. If you have issues or questions concerning the installation and operation of the AirWatch client, please contact your Desktop Support Organization helpdesk.

WUSM-AirWatch Terms of Service

Mobile devices that connect to the School of Medicine secure wireless network (WUSM-secure) will be required to enroll that smartphone or tablet into a mobile device management solution called AirWatch. By downloading the AirWatch App from your app store and registering it on our network, you will agree to allow information security policies to be enforced on your device to meet HIPAA requirements for protection. These policies require:

The device to have a pin or password set.


Who needs to install AirWatch

Required to Install

Connect your mobile device (iPhone, iPad, Android, etc.) to the secure wireless network WUSM-Secure

Not required to Install

Only connects your mobile device to e-mail or the Guest wireless network


Box Cloud Services

• http://box.wustl.edu/

• WUSTL Box may be used to manage the following content:
  • Protected health information (HIPAA)
  • Attorney/Client privileged information
  • IT Security information
  • Protected identifiable human subject research data (HIPAA & Common Rule)
  • Student education records (FERPA)
  • Student loan application information (GLBA)


New SPAM Filters and [SECURE] Email Transport

• PCF recently launched a new SPAM filter appliance, ProofPoint
  • Improved SPAM filtering

• With this, PCF launched the new [SECURE] outbound email encryption service
  • Simply type in [SECURE] in the subject line


New SPAM and [SECURE] Email notification from the PCF Helpdesk

Spam Filter Upgrade

On Thursday evening, April 9th, PCF will be replacing the current SPAM device that filters incoming messages and places messages meeting specific criteria into quarantine. This new service will give you the capability to better manage your Blocked lists and SafeSender lists. With the implementation of the new device, SPAM messages will be held for 14 days before deleting them.

**With the new Spam appliance you will now have the capability to encrypt an outgoing e-mail message. Please see the Encrypting Message attachment for instructions on sending an encrypted.

**Instructions for unencrypting a message you receive are included in the Receiving An Encrypted E-mail attachment.

You will notice a difference in how the quarantine notice looks and the page that lists the messages. The attached SpamAppliance document contains screen shots of the new interface and instructions on creating your own SafeSender lists for emails received from specific senders or organizations and blocking messages you do not want to receive.

Implementation Date: April 9th
Outage Window: None
Affected Users: PCF Supported Users
User Impact: None
Action Required: None


Encryption Options

1. Put the EPHI in a file (Access, Excel, Word) and encrypt the file with a secure password and email it (maximum of 32 GB file size)
   • Send the recipient the password for the encrypted file in a separate email!

2. Put the EPHI in a file (Access, Excel, Word) and encrypt the file with a secure password and use the WUSTL Digital Dropbox service to transfer the file (maximum of 200 GB file size)
   • https://lft.wustl.edu
   • Instructions for the WUSM Large File Transfer service are located on the site
   • Send the recipient the password for the encrypted file in a separate email!


Encryption Options, cont.

3. Contact PCF to use the Tumbleweed Secure Transport product (capable of handling large file transfers > 700 GB)
   • The Tumbleweed product can be set up as a point to point secure dropbox service for sites or businesses that you routinely transfer EPHI with.
   • This is the preferred option to use when you have project requirements to regularly send documents with EPHI to businesses outside of the WUSM environment.
   • Currently in place with agencies that the Dept. of Pediatrics has business relationships with and that need this type of routine data exchange capability.

4. Use the [SECURE] transport service in your native Outlook or OWA client


Tips on Data Exchange

• PCF has a policy to encrypt the hard drives on all PCF supported desktops and laptops
  o Older machines have not been encrypted and will be replaced via the annual bulk device replacement process

• Citrix is encrypted end to end, designed as a remote access tool to map your network drives.
  o Can map your local drive on your remote PC or laptop file exchange

• VPN connection is encrypted end to end

• PCF Web based email is encrypted end to end
  o Quick and dirty way to send a file to yourself

• Use encrypted USB drives

• Never send an email that contains PHI to a non-WUSM email service without encrypting the email and/or the attachment!


Business Associate Agreements

• New Business Associate Agreements (BAA) are required to comply with new HIPAA regulations

• New BAA form on the Purchasing web site

• List of all HIPAA BAA is on the site

• http://resourcemanagement.wustl.edu/ps/Pages/HIPAA.aspx


Questions/Comments

• Thanks for your time!


E. Scott Rich, B.S., M.B.A.
Director I.S.

Campus Box 8116
1 Children’s Place
St. Louis, MO 63110
(314) 362-9492

[email protected]

©2010