C4HCO Security and Privacy Discussion
Bill Jenkins, C4HCO Security and Privacy Officer
16 October 2013

Agenda
• Introductions
• What – Needs to be Protected?
• How – Does it Need to be Protected?
• When – Does it Need to be Protected?
• Who – Assistance Sites
• Questions and Answers
Introductions
• Bill Jenkins, C4HCO Security and Privacy Officer
• bjenkins@connectforhealthco.com
• 720-810-0568
• Security@connectforhealthco.com
• Privacy@connectforhealthco.com
What Needs to be Protected
• C4HCO handles:
  • Personally Identifiable Information (PII)
  • Protected Health Information (PHI)
  • Payment Card Industry (PCI) data
  • Federal Tax Information (FTI)
• From C4HCO, Assistance Sites receive PII
  • Incidental exposure to the others
What is PII?
• OMB Memorandum M-07-16 defines Personally Identifiable Information (PII) as information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc., alone or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.
• Stand-alone PII: Full name, Social Security Number, Immigration Number, etc.
• Linkable PII: Bank Account Information, Credit Card Information, Health/Dental Policy Number, Pregnancy/Disability/Incarceration Status, etc., when attached to an identifier (stand-alone PII).
• Examples of documents that contain PII:
  • Single Streamline Application (SSAp), Appeals Application, Citizenship Documents, Tax Returns, W2s/Income Verification Documents, Reports
• You may only use or disclose PII as authorized as part of your job.
How Does it Need to be Protected?
• Establish technical, physical, and administrative controls that:
  • Authorize access to data (grant permission)
  • Ensure only authorized people access the data (limit access)
  • Ensure the data is used only to do your job and then disposed of (minimize retention)
  • Transmit and store data safely (lock it up)
• C4HCO has 30+ Security and Privacy Policies
  • Even more procedures
  • Only a subset applies to you! – depends on your business model
  • Will take time to fully implement
• Most Relevant
  • Security Training and Awareness
  • Incident Response
  • Personnel Security
  • Accountability and Risk Management
  • Use Limitation
When Does it Need to be Protected?
• Upon receipt
  • From C4HCO
  • From Customer
• While being used
  • Be aware of your surroundings
  • Stick to the script
• While stored or retained
  • Is it really needed?
  • Apply common sense
  • Two tests – your own data, answering the reporter afterwards
• When done with it
  • Return it
  • Really deleted?
  • Valuable scraps
Assistance Sites
• Partners with C4HCO
  • Yet independent entities
• Business Models Vary
  • For some, an added service
  • For some, a primary mission
• Different uses of data can be permitted
  • Informed Customer Consent
  • Permitted C4HCO use
  • Get it in writing!
We will all learn and grow together
Questions and Answers
Go for it!