Handling Sensitive Data - WISP and PIRN
Allison Dolan, Program Director, Protecting PII

Presentation Overview
- Context, including regulations
- What types of data are at risk
- What steps you must consider taking

Key Take-Aways
- MA data protection regulations govern how certain sensitive data are handled
- MIT has a new written information security program (WISP)
- Everyone is responsible for compliance
- Know what data are in your systems
- Encourage "good hygiene" practices

MA Law & Regulations
- MA data breach law (M.G.L. c. 93H)
  ◦ Definition of "personal information"
  ◦ Requirement to notify if personal information is compromised
- MA data destruction law (M.G.L. c. 93I)
  ◦ Paper or electronic data must be destroyed so that it cannot be read or reconstituted
- MA data protection regulations (201 CMR 17.00)
  ◦ Requirement to have a written information security program (WISP)
  ◦ The WISP must include administrative, physical and technical safeguards

Other Considerations
- FERPA: student information; currently no notification requirement
- HIPAA/HITECH: protected health information (PHI); includes a notification requirement if the PHI is held by a covered entity or business associate
- PCI-DSS: credit card information; some notification required
- FISMA: research information
- MIT Policy 11.0 (Privacy and disclosure of information) and 13.0 (Information policies)

Levels of Sensitivity
- Highly Sensitive
  ◦ "Personal Information Requiring Notification" (PIRN), e.g. SSN, credit card #, financial account #, driver's license #
  ◦ Medical information
  ◦ Student information
- Medium Sensitivity
  ◦ Research and contract information
  ◦ Personnel data (e.g. salaries)
- Lower Sensitivity
  ◦ Directory information (unless the individual has opted out)

How Data Is Exposed
- Accidents: inadvertent exposure. Reduce the risk by
  ◦ Eliminating sensitive data from desktops, laptops, USB drives, departmental paper files, scanned images, etc.
  ◦ Using safe computing practices (strong passwords, running anti-virus, ignoring phishing emails)
- Attacks: deliberate intent to capture data. Reduce the risk from insiders and outsiders by
  ◦ Encrypting data
  ◦ Logging access to sensitive data
  ◦ Physically securing files, etc.

What Is at Risk?
- Reputation of the Institute
- Donor contributions
- Cost of forensics, notification and consumer services
- Fines or penalties imposed by federal, state, or other agencies
- Inconvenience for the affected individual(s)
- Your personal reputation

Risk Management Framework
[Diagram: business processes, roles, policy and responsibilities surrounding four goals]
- Minimize collection of PIRN
- Minimize the number of people with access to PIRN
- Protect PIRN in our custody
- Securely destroy PIRN

Where Does PIRN Hide?
- Central and distributed files/systems
- Paper and electronic files
  ◦ Operational files
  ◦ Backup and archived data
  ◦ Internal and 3rd-party locations
- Protected and unprotected spaces, with employee and non-employee access
- Equipment queued up for redeployment
- Other office equipment: copiers, printers, PDAs, etc.

Processes with PIRN
- Student-oriented processes: applications, student loans, ongoing services
- Employee-oriented processes: HR systems & files; payroll, paychecks, benefits; employee certifications
- Financially-oriented processes: independent contractors, reimbursements, miscellaneous payments
- Miscellaneous processes: donors, legal, Campus Police

Key Message
"You can't lose what you don't have"
- Avoid having sensitive data locally, especially PIRN (e.g. don't keep it in email, Excel files, local databases or paper files)
- Corollaries:
  ◦ "If you can't protect it, don't collect it"
  ◦ "You can't protect what you don't know you have"

What IT Can Do
- Ensure users know what it means to have strong passwords and how to protect them (including safe ways to record passwords)
- Ensure users have a firewall, are applying patches, and are running AV
  ◦ Set up desktops/laptops with 'least privilege' where possible
  ◦ Regularly check that patching, AV checks and backups are occurring as expected

What IT Can Do (cont'd)
- Provide mechanisms for secure file access and file sharing; train users
- Provide secure delete for PCs (e.g. PGP, Eraser); train users
- Install PGP Whole Disk Encryption on laptops
- Install Identity Finder; set it up for regular scans
- Address access from home
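The slides define PIRN as SSNs, credit card, financial account and driver's license numbers, and recommend installing Identity Finder and scheduling regular scans so that you know what you have. As an added example (written for this page; it is not MIT's, the presenter's or Identity Finder's own code), the following Python script shows the core of such a scan: it walks a directory, looks for SSN-shaped values and digit runs that pass the Luhn check used by payment card numbers, and reports only redacted matches so the scan report does not itself become a PIRN file. The file names and contents are constructed sample data, and the card number used is a well-known Luhn-valid test number, not a real account.

```python
"""Minimal PIRN scanner: find SSNs and Luhn-valid card numbers in text files.

Added example for this page. Paths and file contents below are constructed
sample data; this is not the scanner the presentation recommends, only a
demonstration of what such a scan does.
"""
import re
import tempfile
from pathlib import Path

# US SSN in AAA-GG-SSSS form; reject area 000/666/9xx, group 00, serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)(\d{3})-(?!00)(\d{2})-(?!0000)(\d{4})\b")
# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: drops most random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pirn(text: str) -> list[tuple[str, str]]:
    """Return (kind, redacted_value) for each PIRN-looking value in text."""
    hits = []
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", "***-**-" + m.group(3)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return hits


def scan_files(root: Path, exts=(".txt", ".csv", ".log")) -> dict[str, list[tuple[str, str]]]:
    """Walk root and report which text-like files hold PIRN (never the raw values)."""
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue            # unreadable file: skip, a real scanner would log it
            hits = find_pirn(text)
            if hits:
                report[str(path.relative_to(root))] = hits
    return report


def build_sample_tree(root: Path) -> None:
    """Constructed sample files (not real data): two with PIRN, one clean."""
    (root / "reimbursements.csv").write_text(
        "name,amount,card\n"
        "J. Doe,42.00,4111 1111 1111 1111\n"    # standard Luhn-valid test number
        "K. Roe,17.50,4111-1111-1111-1112\n"    # fails Luhn: not reported
    )
    (root / "old_loans.txt").write_text("Applicant SSN on file: 078-05-1120\n")
    (root / "agenda.txt").write_text("Meeting 2014-04-24, room 123-456 at 10:00\n")


def demo() -> dict[str, list[tuple[str, str]]]:
    """Build the sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_files(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

Two things worth noting for anyone adapting this: the Luhn check and the SSN range rules are what keep the noise down (phone numbers, dates and room numbers in the clean file produce no hits), and the report deliberately stores only the last four digits, since a scan report that contains full account numbers is itself a file that must then be protected and securely destroyed. A production scanner also has to open Office documents, PDFs and mailboxes, which this text-only example does not.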

What IT Can Do (cont'd)
- Eliminate any shared accounts; consider monitoring access to sensitive files
- Have a process for sanitizing equipment (computers, copiers, etc.)
- Know what to do in the event of a possible compromise
  ◦ Remove the computer from the network (wired or wireless)
  ◦ Contact

Additional Steps
- Understand who has what sensitive data, and for what purpose
- Ensure new hires & temps are oriented to your data policies & practices
- Review system authorizations at least annually; ensure access is removed for employees, contractors and temps who no longer need it
- Include appropriate language in any 3rd-party contracts

Questions / Other Follow-up?
Feel free to contact: Allison Dolan
If a machine has been compromised, or you otherwise suspect a breach, immediately contact
MIT's WISP:
Security Standards: