Best Practices for Data Security and Protecting Personal Information

Best Practices for Data Security and Protecting Personal Information MCLE – March 2017

Presenter
Matthew Pettine, CGEIT, CISA, ASE, MCSE, MCDBA, MBA
Managing Director, IT Advisory Practice, MFA Cornerstone Consulting
(978) 557-5354 | mpettine@mfacornerstone.com
Copyright 2017. MFA – Moody, Famiglietti & Andronico, LLP. All rights reserved.

About MFA
- Proactive CPA and consulting firm with national and global reach
- Founded in 1982
- Over 150 professionals, including 25 partners
- Located in Tewksbury, Massachusetts

About MFA: Services
- Business Tax
- Individual, Family and Fiduciary Tax
- State and Local Tax
- Audit and Assurance
- Technical Accounting Advisory
- Transaction Services
- Valuation
- Litigation Support
- Fraud and Forensic Accounting
- Business Performance Enhancement
- Sarbanes-Oxley Compliance
- Internal Controls
- IT Advisory
- Wealth Management
- Retirement Plan Advisory
- Professional Staffing

Some Privacy and Electronic Data Regulations
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health Act (HITECH)
- Financial Services Modernization Act (Gramm-Leach-Bliley Act, GLBA)
- Family Educational Rights and Privacy Act of 1974 (FERPA)
- FTC Red Flags Rule, issued under the Fair and Accurate Credit Transactions Act (FACTA)
- Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act)
- Massachusetts Privacy Regulations: 201 CMR 17.00
- Payment Card Industry Data Security Standard (PCI DSS)

Common Themes
- Physical, technical and administrative controls
- Protection against unauthorized access or disclosure
- Notification requirements
- Written policies
- Training
- Business process development and monitoring
- Enforcement and penalties!

Massachusetts Privacy Regulations: 201 CMR 17.00
- Designed to protect the personal information of Massachusetts residents
- The intent is to prevent personal information from being breached in the first place, rather than merely prescribing what must happen in the wake of a breach
- Establishes minimum standards, responsibilities and a reporting protocol

Massachusetts Personal Data Security Law: What Is Protected
Personal information is a resident's name (first and last, or first initial and last name) COMBINED with one or more of the following:
- Credit or debit card number
- Social Security number
- Financial account number
- Driver's license number or state-issued identification card number

Massachusetts Personal Data Security Law: Who It Applies To
Applies to individuals and businesses that own, license, store or maintain "personal information" about a resident of Massachusetts, for example:
- HR departments: I-9s, background checks, direct deposits, health and life insurance, 401(k)s
- Finance departments: third-party vendors and sole proprietors
- Anyone dealing directly with credit card-based retail sales
- Real estate, mortgage and investments

Failure to Comply
- If a breach occurs and none of the prescribed information security measures were in place, companies may be subject to both criminal and civil penalties
- Fines are established under Massachusetts General Laws chapters 93H and 93I
- Very specific public notification requirements
- Damage to reputation if a breach occurs
- Significant time, resources and cost are required to handle a breach properly

Becoming Compliant

Steps to Achieve Compliance
1. Organizational risk assessment
2. Create a Written Information Security Plan (WISP)
3. Computer system security
4. Vendor management
5. Training employees
6. Monitoring protocols

Step 1: Risk Assessment
- Identify where sensitive information is handled and stored within the business
- Identify potential risks
- Evaluate controls relative to existing risks
- Gap analysis and remediation plan
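The first bullet, finding out where personal information actually lives, is usually the hardest part of the assessment, because it turns up in HR exports, refund logs and ticket notes rather than only in the systems designed to hold it. The following added example (not part of the MFA deck) shows one way to scan files for the two identifiers that are easy to recognise by shape: Social Security numbers and Luhn-valid credit or debit card numbers. The file names, their contents and the numbers in them are constructed test data; financial-account and state-ID formats vary too much for a generic pattern and would need a per-business list.

```python
# Added example, not part of the MFA deck: a small discovery scanner for the
# identifiers that, when paired with a name, make a record "personal
# information" under 201 CMR 17.00.  It covers Social Security numbers and
# Luhn-valid credit/debit card numbers only.
import re
from typing import Dict, List, Tuple

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

Finding = Tuple[int, str, str]  # (line number, kind, masked value)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum; rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area 000, 666 and 900-999, group 00 and serial 0000 are never issued."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def mask(value: str) -> str:
    """Keep only the last four digits so the scan report is not itself a PII store."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append((line_no, "ssn", mask(m.group(0))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):
                findings.append((line_no, "card", mask(digits)))
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Map each file that contains a plausible identifier to its findings."""
    report: Dict[str, List[Finding]] = {}
    for name, text in files.items():
        hits = scan_text(text)
        if hits:
            report[name] = hits
    return report


# Constructed sample "files" standing in for a share walk; the SSN and card
# numbers are published test values, not real identifiers.
SAMPLE_FILES = {
    "hr/new-hire-i9.txt": "Employee: Jane Doe\nSSN: 219-09-9999\nStart: 2017-03-01\n",
    "finance/refund-log.txt": "Refund to card 4111 1111 1111 1111 for order 5521\n",
    "ops/build-notes.txt": "Build 000-12-3456 failed; see ticket 1234 5678 9012 3456\n",
}

if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        for line_no, kind, masked in hits:
            print(f"{name}:{line_no}: {kind} {masked}")
```

The build-notes file is there to show the false-positive filters at work: 000-12-3456 has an unissued area number and 1234 5678 9012 3456 fails the Luhn check, so neither is reported, while the I-9 and refund log are. Masking the values in the report matters because the scan output will itself be emailed around during remediation.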

Step 2: Create a Written Information Security Plan (WISP)
- Designate a security coordinator
- Document information flows
- Document general computer controls
- Develop organizational policies
- Develop employee consequences for non-adherence

Step 3: Computer System Security
The regulations include specific requirements related to computer system security:
- Authentication
- Access controls
- Data transmission
- Monitoring
- Encryption
- Firewalls and OS patches
- Viruses and malware
- Training

Step 3 (Continued): Authentication
- Control of user accounts ("control of IDs")
- "Reasonably secure passwords"
- Control of password security
- Restrict access to active users
- Block access after multiple attempts
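The five bullets above, plus the unique-ID and no-vendor-default rules from the access-control slide and the terminated-employee rule from Step 5, are what an authentication layer has to enforce. The following added example (not part of the MFA deck) implements them against an in-memory account table: a password policy, per-user salted PBKDF2 hashes, a lockout after a fixed number of failures, and an active flag that HR off-boarding clears. The thresholds, user IDs and sample password are assumptions for the demo; a production system would back this with a directory and a memory-hard hash such as Argon2.

```python
# Added example, not part of the MFA deck: the authentication controls the
# slide lists, implemented against an in-memory account table.  Thresholds,
# user IDs and the sample password are assumptions for the demo.
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_FAILURES = 5                 # "block access after multiple attempts"
LOCKOUT_SECONDS = 15 * 60
MIN_PASSWORD_LENGTH = 12
PBKDF2_ROUNDS = 100_000          # raise in production, or use Argon2
# Vendor-supplied and dictionary defaults that must never be accepted.
DEFAULT_PASSWORDS = {"password", "password1", "admin", "changeme", "welcome1", "123456789012"}


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password_policy(password: str, username: str) -> List[str]:
    """Return the list of policy violations; an empty list means 'reasonably secure'."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("is a vendor-supplied or dictionary default")
    if username.lower() in password.lower():
        problems.append("contains the user ID")
    return problems


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    active: bool = True          # cleared on termination (Step 5)
    failures: int = 0
    locked_until: float = 0.0


class AuthStore:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        # Unknown IDs are hashed against this dummy salt so the response
        # time does not reveal which user IDs exist.
        self._dummy_salt = os.urandom(16)

    def create_user(self, username: str, password: str) -> None:
        if username in self.accounts:
            raise ValueError("user IDs must be unique, not shared")
        problems = check_password_policy(password, username)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        salt = os.urandom(16)    # per-user salt: identical passwords hash differently
        self.accounts[username] = Account(username, salt, hash_password(password, salt))

    def deactivate(self, username: str) -> None:
        self.accounts[username].active = False

    def login(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'denied' or 'locked'; 'now' is injectable for tests."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password, self._dummy_salt)
            return "denied"
        if not acct.active:                    # restrict access to active users
            return "denied"
        if now < acct.locked_until:
            return "locked"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    store = AuthStore()
    store.create_user("jdoe", "Tewksbury-Payroll-2017!")
    print(store.login("jdoe", "Tewksbury-Payroll-2017!"))   # ok
    for _ in range(MAX_FAILURES):
        print(store.login("jdoe", "wrong-guess"))            # denied four times, then locked
```

Two details are easy to get wrong when this is done ad hoc: the lockout must also block a correct password while it is in force (otherwise an attacker who guesses right during the window still gets in), and deactivation must win over everything else so that a terminated employee's still-valid password is useless.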

Step 3 (Continued): Access Controls
- Restrict access to those who "need to know" to perform their jobs
- File system security / permissions (third-party tools available)
- Assign IDs and passwords: unique (not shared) and "not vendor-supplied defaults"

Step 3 (Continued): Data Transmission
Encryption of transmitted data "where technically feasible":
- Web sites (HTTPS, i.e. TLS, still commonly called SSL)
- Email (PGP / third-party services)
- Remote access solutions
- Online service providers
- Wireless ("all data")

Step 3 (Continued): Monitoring
"Reasonable monitoring of systems for unauthorized use of or access to personal information":
- Intrusion detection
- Application logs
- Server firewalls
- Network security logs
- File system auditing
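Collecting the logs listed above is only half of "reasonable monitoring"; someone or something has to read them for the events the regulation cares about. The following added example (not part of the MFA deck) runs three rules over constructed log lines: repeated failed logins from one source, a successful login by a terminated account, and a read of a personal-information share by someone outside its need-to-know list. The log format, host names, user IDs, paths and the terminated and need-to-know lists are all assumptions for the demo; the rule logic is what carries over to real syslog or Windows event data.

```python
# Added example, not part of the MFA deck: three monitoring rules run over
# constructed log lines.  Log format, hosts, user IDs, paths and the
# terminated/need-to-know lists are assumptions for the demo.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>auth|file) (?P<event>\S+) user=(?P<user>\S+) "
    r"(?:src=(?P<ip>\S+)|path=(?P<path>\S+))$"
)
FAIL_THRESHOLD = 5                       # failures per source within the window
FAIL_WINDOW = timedelta(minutes=10)
TERMINATED_USERS = {"rlee"}              # fed from HR off-boarding (Step 5)
# Shares holding personal information and who "needs to know" (Step 3, access controls).
NEED_TO_KNOW = {"/srv/hr/": {"hr_admin", "jdoe"}, "/srv/finance/": {"fin_admin"}}

Alert = Tuple[str, str, str]             # (rule, subject, detail)


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def analyze(lines: List[str]) -> List[Alert]:
    alerts: List[Alert] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    for line_no, line in enumerate(lines, start=1):
        rec = parse_line(line)
        if rec is None:
            # A line the parser cannot read is itself worth a look (format drift, tampering).
            alerts.append(("unparsed_line", str(line_no), line))
            continue
        if rec["kind"] == "auth":
            if rec["event"] == "FAIL":
                window = failures[rec["ip"]]
                window.append(rec["ts"])
                while window and rec["ts"] - window[0] > FAIL_WINDOW:
                    window.popleft()         # drop failures older than the window
                if len(window) == FAIL_THRESHOLD:   # fire once when the threshold is crossed
                    alerts.append(("brute_force", rec["ip"], rec["ts"].isoformat()))
            elif rec["event"] == "OK" and rec["user"] in TERMINATED_USERS:
                alerts.append(("terminated_account_login", rec["user"], rec["ts"].isoformat()))
        elif rec["kind"] == "file":
            for prefix, allowed in NEED_TO_KNOW.items():
                if rec["path"].startswith(prefix) and rec["user"] not in allowed:
                    alerts.append(("unauthorized_pii_access", rec["user"], rec["path"]))
    return alerts


# Constructed sample log: ISO 8601 timestamps, one event per line.
SAMPLE_LOG = """\
2017-03-06T02:14:01 auth FAIL user=jdoe src=203.0.113.7
2017-03-06T02:14:03 auth FAIL user=jdoe src=203.0.113.7
2017-03-06T02:14:05 auth FAIL user=admin src=203.0.113.7
2017-03-06T02:14:08 auth FAIL user=jdoe src=203.0.113.7
2017-03-06T02:14:10 auth FAIL user=jdoe src=203.0.113.7
2017-03-06T09:00:12 auth OK user=jdoe src=10.0.5.23
2017-03-06T09:05:40 auth OK user=rlee src=10.0.5.88
2017-03-06T09:06:02 file READ user=rlee path=/srv/hr/i9/jane_doe.pdf
2017-03-06T09:30:00 file READ user=hr_admin path=/srv/hr/i9/jane_doe.pdf
2017-03-06T10:00:00 file READ user=jdoe path=/srv/finance/ach/direct_deposit.csv
garbage line that does not match the expected format
""".splitlines()

if __name__ == "__main__":
    for rule, subject, detail in analyze(SAMPLE_LOG):
        print(f"{rule}: {subject} {detail}")
```

Note that the brute-force rule keys on the source address rather than the user ID, so the guesses against admin and jdoe from the same host count together, and that the terminated-user and need-to-know lists are the same data the authentication layer should already hold; keeping the monitoring copy in sync with HR is itself a Step 6 control.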

Step 3 (Continued): Encryption of Personal Information Stored on Portable Devices
Laptops:
- Encryption vs. passwords: a login password alone does not protect data on a disk that is removed or booted from other media
- File-based vs. entire laptop (full-disk)
- Operating system vs. third-party solutions
"Other devices":
- Portable hard drives and USB devices
- Backup media
- CDs, DVDs, iPhones, PDAs

Step 3 (Continued): Firewalls and OS Patches
Firewall protection:
- "Reasonably up-to-date"
- Vendor supported and routinely updated
Operating system security patches:
- Automatic update features
- Servers and workstations
- User considerations

Step 3 (Continued): Viruses and Malware
- "Reasonably up-to-date versions"
- "Must include malware protection"
- Supported by vendor
- Up-to-date patches and definitions
- "Set to receive the most current security updates on a regular basis"

Step 3 (Continued): Training
"Education and training of employees on the proper use of the computer security system and the importance of personal information security."
- New hire orientation
- Specific routine organizational efforts

Step 4: Assessing Third-Party Vendors
You must ensure that third-party providers have the capacity to protect the personal information you give them access to, for example:
- Payroll providers
- Health insurance broker
- Background check provider
- 401(k) provider
- Online/cloud service providers
- Cleaners and disposal crews
Conduct due diligence, and make safeguards a condition of your contract with them.

Step 5: Training Employees
- Organizations must train their employees on a regular basis
- Training sessions need to be documented
- Employee attendance at training sessions needs to be documented as well
- Sanctions for violations need to be clear and contain disciplinary measures
- Measures must be in place to prevent terminated employees from accessing records containing personal information

Step 6: Monitoring Compliance
- Ensuring employee training
- Executing on violations in a demonstrable and evidenced manner
- Regular review of policies for relevancy
- Reviewing organizational adherence to established operational protocol

Additional Resources
- The Massachusetts Personal Data Security Law (201 CMR 17.00), August 2010: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf
- Frequently Asked Questions regarding the Massachusetts Personal Data Security Law: http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf
- An MFA Perspective article on the Massachusetts Personal Data Security Law: http://www.mfa-cpa.com/mfa-news-and-resources/thought-leadership/PDFs/massachusetts-privacy-law-update-nov09.pdf
- MFA web seminar presentation on the Massachusetts Personal Data Security Law: http://www.mfa-cpa.com/mfa-news-and-resources/thought-leadership/ma_privacy_form.asp
- Understand how MFA can help in your efforts toward compliance, MFA's Privacy and Data Protection Services: http://www.mfacornerstone.com/Solutions/IT-Advisory/MFAPrivacyAndDataProtectionServices.pdf

Questions?

How to Contact Us
Matthew Pettine, CGEIT, CISA, ASE, MCSE, MCDBA, MBA
Managing Director, IT Advisory Practice, MFA Cornerstone Consulting
(978) 557-5354 | mpettine@mfacornerstone.com

Thank You
Follow us on /mfacpa.boston and /mfacpa

MFA - Moody, Famiglietti & Andronico | MFA Cornerstone Consulting MFA Capital Advisors | MFA Asset Management MFA Talent Management | MFA Global