QIP Education Session INFORMATION SECURITY Joseph Zurba Information Security & IT Compliance Officer Harvard Medical School February 16, 2015.

Slide 2: IT Security Key Contacts (Department of Information Technology)
º Joseph Zurba: Information Security & IT Compliance Officer – HMS
º Andy Ross: Information Security Manager – Chan School
º Ingrid Skoog: Information Security Specialist – HUIT

Slide 3: OVPR Data Security Key Contacts
º Ara Tahmassian: Chief Research Compliance Officer

Slide 4: University Data Classification Table (Research)

Level 4 – High Risk Confidential and Research Data
Information designated as high risk under University policy.
Examples*:
º Name plus one or more of the following: Social Security number; driver's license number or state-issued identification card number; financial account, credit or debit card number
º Identifiable research subject data
º Biometric identifier

Level 3 – Confidential and Research Data
Information that, if disclosed, could cause material harm to persons or the University, or risk of legal liability.
Examples*:
º Designated institutional information
º Donor, development or planning information
º Non-directory student information
º Limited research data sets

Level 2 – Internal Confidential and Research Data
Lower-risk confidential information which Harvard has chosen to restrict.
Examples*:
º School- or self-designated intellectual property
º University ID numbers, with or without name
º Results of research where confidentiality was promised but is not required

Level 1 – Public and Research Data
Public information.
Examples:
º Published or widely available information about Harvard
º University course catalogs
º Campus maps
º Employment postings
º De-identified research data

*Subject to IRB requirements and third-party contractual agreements (e.g. a data use agreement).

Slide 5: HRDSP (Harvard Research Data Security Policy) Level 5
Level 5 information includes individually identifiable information that could cause significant harm to an individual if exposed, including, but not limited to, serious risk of criminal liability, serious psychological harm or other significant injury, loss of insurability or employability, or significant social harm to an individual or group.
º Prison studies
º Gang studies

Slide 6: Key Controls per DSL (Progressive: each level adds to the controls of the level below it)

Level 2:
º Strong password controls
º Individual accounts
º No personal accounts or storage
º Policies and procedures

Level 3:
º Encryption of data in transit
º Host-based firewalls
º Security training
º Anti-virus
º Encryption of mobile devices (laptops, smartphones, etc.)
º Comprehensive logging and monitoring
º Breach notification

Level 4:
º Network firewalls – inbound and outbound restrictions
º Vulnerability scanning and remediation
º No storage on removable devices permitted (except IronKey)
º Secure facility under University control or contract
º Private IP space
º Comprehensive documentation

Slide 7: Key Controls per DSL, Level 5
º Dedicated system not connected to an external network
º Whole-disk encryption of all systems
º Not permitted on removable media or mobile devices
º Secure room (no janitorial access)
º Daily log review

Slide 8: Security Tools (Harvard Provided)

LastPass password manager
º Secure storage of passwords
º Random password generation
º Synchronizes between Mac, PC, and mobile devices
º Utilizes MFA
º Provided free by Harvard

IronKey encrypted thumb drives
º Government-certified encryption
º Remote wipe capable
º Provided free by Harvard

Slide 9: Security Tools (Harvard Provided), continued

Secure file transfer
º Securely transfer attachments
º (HMS and HSDM)
º (HSPH)

Vulnerability assessments
º Scanning of systems and web applications for security vulnerabilities

Additional tools and capabilities provided by your IT department:
º Network firewalls
º Anti-virus/anti-malware software
º Etc.

Slide 10: Encryption
Encryption should be used everywhere possible; it is required for DSL 3 and above.
º BitLocker – Windows
º FileVault – Macintosh
º IronKey – Harvard provided
º Mobile devices – most modern smartphones are capable of encryption; a PIN or password is required, since device encryption only protects data while the device is locked or powered off
º Secure file transfer – Harvard provided

Slide 11: Security Training
º CITI Health Information Privacy and Security for Clinical Investigators (HIPS)
º NIH security training
º Harvard information security training
º Affiliate security and privacy training
Contact your local ISO for more training options.

Slide 12: Certified Facilities
Certified Facilities are facilities that have been assessed by HUIT IT Security at a specific DSL. To become certified, a facility must demonstrate consistent, repeatable security controls, processes, documentation, and training. Certified facilities are reviewed annually for compliance with their DSL. Projects at a Certified Facility's approved DSL, or a lower one, require no separate data security review.
º Chan School – POP Center Data Enclave – DSL 4
º HMS – Health Care Policy – DSL 4
Certified facilities are compliant only with the HRDSP; they are not automatically compliant with FISMA, HIPAA, etc.
º Facilities must undergo a separate assessment in order to meet those additional requirements.

Slide 13: Approval Process, DSL 3
IRB DSL 3 determination → Approval to PI → PI follows up with ISO → ISO review with PI → Approval to IRB

Slide 14: Approval Process, DSL 4-5
IRB DSL 4-5 determination → Ancillary DSL review to ISO → ISO follows up with PI → ISO approval to IRB → IRB approval to PI

Slide 15: Approval Process, Certified Facility (DSL 4)
IRB DSL 1-4 determination → DSL 4 Certified Facility → Approval

Slide 16: Data Use Agreements
º Sponsored programs offices are authorized to sign on behalf of Harvard
º The contract must be reviewed by SPA and the school ISO
º May contain data security and data sharing provisions, including restrictions on publication

Slide 17: Building Requirements
A project's requirements are built from three layers:
º HRDSP requirements: Level 3, Level 4, Level 5
º DUA requirements: Centers for Medicare & Medicaid Services (CMS); Center for Health Information and Analysis (CHIA); National Institutes of Health (NIH)
º Legal requirements: MA 201 CMR 17.00; FERPA; HIPAA (HSDM)

Slide 18: Closing
Questions and comments
Contact information:
º Joseph Zurba: