1 / 70

Sponsored by: U.S . Department of Housing and Urban Development

Hmis 101: Module 4. In-Depth Security and Privacy. Sponsored by: U.S . Department of Housing and Urban Development. HMIS System Administrator Training Series. Partners. Jeff Ward, Abt Associates, Inc. Kat Freeman, The Cloudburst Group Natalie Matthews, Abt Associates, Inc .

faunia
Download Presentation

Sponsored by: U.S . Department of Housing and Urban Development

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Hmis 101: Module 4 In-Depth Security and Privacy Sponsored by: U.S. Department of Housing and Urban Development HMIS System Administrator Training Series

  2. Partners • Jeff Ward, Abt Associates, Inc. • Kat Freeman, The Cloudburst Group • Natalie Matthews, Abt Associates, Inc. • Chris Pitcher, The Cloudburst Group

  3. Purpose • Provide HMIS System Administrators, end users, CoC representatives, consumers, and federal, state, and local partners with a basic understanding of: • In-Depth Privacy and Security

  4. Webinar Format • This training is part of a series of trainings that will provide new staff with the basic information needed to operate or participate in an HMIS • It is anticipated that this series of trainings will be offered quarterly • This training is anticipated to last 90 minutes • Presenters will walk through presentation material • Audience members are “muted” due to the high number of participants

  5. Submitting Questions • All follow-up questions should be submitted to the Ask the Expert function on www.hmis.info • If you have multiple questions, we recommend compiling them into a single submission to Ask the Expert with a reference to the HMIS 101: Module 4 training

  6. Webinar Materials & Evaluation • Quick follow up survey will be emailed out after the webinar • The webinar will be recorded, and all materials will be posted to HMIS.info • During webinar, we’ll be asking you a few questions as well

  7. Overview of Training Series • HMIS 101 Modules III, IV and V: • Module III: In-Depth Data Standards • Module IV: In-Depth Security and Privacy • Module V: Data Quality Standard and Compliance Plans • HMIS 201: • HMIS Budgeting and Staffing • PIT and HIC • Best Practice Highlights/ Use of Technology

  8. Who are You? • HMIS System Administrator • HMIS Data Entry staff/Program staff • CoC staff • Technical Assistance provider/Trainer • HMIS Vendor • Other

  9. How would you rate your knowledge of HMIS Privacy and Security? • A. Not knowledgeable • B. Somewhat knowledgeable • C. Knowledgeable • D. Expert

  10. HMIS Privacy and Security • Privacy is the control over the extent, timing, and circumstances of sharing oneself (physically, behaviorally, or intellectually) with others. • Confidentiality pertains to the treatment of information that an individual has disclosed in a relationship of trust and with the expectation that it will not be divulged to others without permission in ways that are inconsistent with the understanding of the original disclosure. • Security is the means of ensuring that data is kept safe from corruption and that access to it is suitably controlled. • 2004 Technical Standards set forth expectations for privacy and security for HMIS

  11. HMIS Privacy and Security • Two tiers: required baseline standards and additional recommended protocols; • Applies to all agencies and programs that record, use, or process Protected Personal Information (PPI) for an HMIS including: • Continuum of Care (CoC) • Homeless service provider • HMIS host or administrator, etc. • Employees, volunteers, affiliates, contractors, and associates are covered by the privacy standards of the agencies they deal with; and • Privacy and security standards apply to all agencies- regardless of funding source- who use the HMIS.

  12. Introduction to Privacy

  13. Privacy Standards Framework • Personal Protected Information (PPI) • Includes name, SSN, program entry/exit, zip code of last permanent address, system/program ID, and program type • Allow for reasonable, responsible data disclosures • Derived from principles of fair information practices • Borrowed from Health Insurance Portability and Accountability Act (HIPAA)

  14. Privacy Requirements • Privacy Standards: • Protect client personal information from unauthorized disclosure • Seven components: • Collection limitations • Data quality • Purpose and use limitations • Openness • Access and Correction • Accountability

  15. Collection Limitations • Only collect information that is appropriate for the purposes that the information is obtained or when required by law • Use lawful and fair means to collect it • When appropriate, collect data with knowledge or consent of the client • Post sign; infer consent for collection • Must post a sign at intake desk (or comparable location) that explains generally the reasons for collecting this information.

  16. Collection Limitations – Other Stuff You Can Do • Restrict collection of personal data, other than required HMIS data elements • Require written client consents • Obtain oral or written consent from the individual or a third party

  17. Data Quality • Data must be relevant to the purpose for which it is to be used • To extent necessary for those purposes, data should be accurate, complete, and timely • Must develop and implement plan for disposal of Personal Protected Information

  18. Purpose and Use Limitations • Notice must specify purposes for PPI collections and must describe all uses/disclosures • A program may use/disclosure PPI only if allowed by the standard and described in the privacy notice • Notice may infer consent for described uses/ disclosures and for compatible uses/ disclosures • All uses/disclosures are permissive (except first party request or required by law) • Uses/disclosures not specified in notice need written consent of the individual or legal requirement

  19. Allowable Uses/Disclosures • Provide and coordinate services • Payment or reimbursement • Administrative functions • Create de-identified PPI • Required by law • Avert serious threat to health/safety • Academic research (written agreement required) • Law Enforcement

  20. Purpose and Use Limitation – Other stuff you can do • Seek oral or written consent for use/disclosure • Agree to client requested restrictions on use/disclosure • Limit use/disclosure to those in notice and necessary (not compatible) purposes • Keep an audit trail for disclosures • Make audit trails available to the client, if requested • Limit disclosures to minimum necessary

  21. Openness • Be open with agencies, client’s, and other parties about how you protect client information from unethical use • You must post a sign about your Privacy policies (called a Privacy Notice) and your Privacy policies must be available to anyone who requests them – including clients and the media. • If your agency has a web page, you must post your Privacy Notice on your web page. This is true about individual agencies as well as any web pages associated with your HMIS.

  22. Openness – Other Stuff You Can Do • Provide a simplified copy of your Privacy Notice to clients at the time of data collection. • you may need to have copies of your Privacy Notice in more than one language • Provide advance notice on changes to your Privacy Policy and Notice, how you might enforce those changes, and ask for public comments.

  23. Access and Correction • Must allow individual to inspect and have a copy of his/her PPI • Must offer to explain PPI • Must consider request to correct inaccurate or incomplete PPI • May deny access to some info • Must explain denials

  24. Access and Correction – Other stuff you can do • Allow appeal of denial of access or correction • Limit grounds for denial of access • Allow a statement of disagreement • Provide written explanation for denial

  25. Accountability • Must establish procedure for accepting and considering complaints about privacy and security policies and practices • Must require all staff members to sign a confidentiality agreement (acknowledging receipt of and pledging to comply with the privacy notice)

  26. Accountability-Other Stuff You Can Do • Require formal privacy training • Regularly audit privacy compliance • Establish an appeals process for privacy policy complaints and denials of access and correction rights • Designate chief privacy officer

  27. HMIS and HIPAA • Health Insurance Portability and Accountability Act (HIPAA) privacy rules take precedence over HMIS Privacy Standards • HIPAA covered entities are required to meet HIPAA baseline privacy requirements not HMIS • Most programs are not covered by HIPAA: To learn more go to http://www.hhs.gov/ocr/hipaa/

  28. HMIS and Other Privacy Laws • Programs must comply with more stringent federal, state and local confidentiality laws; and • If a conflict exists between state law and the HMIS an official legal opinion on the matter should be prepared by the state’s Attorney General and submitted to HUD’s General Counsel for Review. • Domestic Violence Victim Service Providers are prohibited from entering data into HMIS and legal service providers are not to enter confidential client notes into HMIS.

  29. HMIS Consent Models • Inferred Consent: • Baseline Requirement; and • Client’s consent to release information is inferred from the privacy posting. • Implied/Informed Consent: • Verbal or physical consent is required. • Written Consent: • Client must sign a release of information (ROI).

  30. Levels of Consent • Consent to use data within an agency for program or agency operations. • Consent to share additional information across programs to coordinate case management and service delivery.

  31. Privacy Summary • Privacy refers to the safeguarding of protected personal information in the HMIS from open view, sharing or inappropriate use • Protected Personal Information (PPI) is any information that might identify a specific individual or that might be manipulated or linked with other information to identify a specific individual

  32. Baseline Privacy Standards • Must comply with other federal, state, and local confidentiality law • Must comply with limits to data collection (relevant, appropriate, lawful, specified in privacy notice) • Must have written privacy policy - and post it on your web site • Must post sign at intake or comparable location with general reasons for collection and reference to privacy policy • May infer consent for uses in the posted sign and written privacy policy

  33. How Much Do You Know? • (T/F) Privacy policies are not meant to restrict the use and disclosure of data.

  34. The purpose of privacy is to protect the client’s information from: • A. Unauthorized access • B. Unauthorized disclosure • C. Law Enforcement • D. All of the Above

  35. Introduction to Security

  36. Defining Security • Security refers to the protection of client personal protected information and sensitive program information from unauthorized access, use or modification. • All workstations, desktops, laptops, and servers that connect to a network that accesses or directly accesses the HMIS must comply with the baseline security requirements.

  37. 3 P’s of Security Management • Products: Physical security • Door locks • Intrusion-detection systems • Physical firewalls • People: Personnel security • Those who implement and properly use security products to protect data • Those who collect, input, or otherwise have access to data • Procedures: Organizational security • Plans and policies established to ensure that people correctly use products and access data

  38. Security Requirements • System security provisions apply to all the systems where Personal Protected Information (PPI) is stored, including, but not limited to, networks, desktops, laptops, mini-computers, mainframes and servers • Security has three categories: • System Security • Software Application Security • Hard Copy Security

  39. System Security Requirements • User authentication • Limited multiple access • Virus protection with auto-update • Firewalls - individual workstation or network • Encryption - transmission • Public access controls • Location control • Backup and disaster recovery • System monitoring • Secure disposal

  40. User Authentication • Every user accessing the HMIS system must have a unique username and password. • Passwords must: • Include at least one number and one letter; • Be at least 8 characters long; • Not be based on user’s name, organization, or software; and • Not be based on common words. • Good: [Na$car#39] • Bad: bobclark99 • Terrible: hmis • Passphrases: • Great: I1ik3C@k3 (I Like Cake)

  41. User Authentication (cont.) • All computers used to access HMIS data must require user authentication (e.g., username/passwords). • Logging on to the HMIS computer alone is not sufficient. • IDs and Passwords for the HMIS software should be different than the workstation ID and Password • IDs and Passwords should not be stored or displayed in any publicly accessible location. • HMIS IDs and Passwords must not be shared.

  42. WHAT DO I JUST SAY?????? Strong password Keep it secret

  43. Multiple Access • An individual user must NOT be allowed access to the HMIS from multiple workstations on the network at the same time. • An individual user must NOT be allowed to log onto the local network from more than one location at a time.

  44. System Level Virus Protection • All computers accessing HMIS (including remote and VPN users) must have anti-virus software installed and updated regularly that automatically scans files. Old Anti-Virus Software= No Anti-Virus Software

  45. Firewalls Image found at:http://www.integration1.com.au/pages/default.cfm?page_id=21925

  46. Public Access • HMIS that use public forums for data collection/reporting must have additional security to limit access using Public Key Infrastructure (PKI) or through IP filtering. • Translation: Any Web-based HMIS accessed over the Internet, needs digital certificates installed on all browsers on all computers accessing the HMIS (PKI) or an extranet to limit access based on IP address.

  47. What is Public Key Infrastructure? • Each user is issued a private key to encrypt messages and a public key to decode messages; • Private key is kept secret and known only to user; • Public key uses a digital certificate to authenticate the identity of the user; • Digital certificates must be issued by a recognized Certificate Authority; and • Secure socket layer “SSL” encryption does not meet the baseline PKI requirements.

  48. Options for implementing PKI: Self issued certificate authority-Example: Microsoft Certification Authority; Third party certificate authority Example: Verisign or Thawte; USB token; or Alternative to PKI: Limiting access to HMIS through IP filtering. PKI: Public Key Infrastructure

  49. IP Addresses • Everything on the internet (servers, desktops, blackberries) is assigned an internet protocol (IP) address; • The internet uses IP addresses to move information from one place to another; • An IP address looks like this: 10.141.215.223; and • Firewalls block suspicious IP addresses from accessing your computer.

  50. Physical Access/Location • Access to workstations must be controlled and monitored. • Options: locked offices, privacy screens, etc. • Access to servers must be controlled to a greater degree. • Options: locked cabinet or cage; secure facilities.

More Related