The Importance of Security Awareness Training (page 7)
Data Security Breaches (page 8)
What is Information Security? (page 10)
Roles and Responsibilities (page 11)
Information Security Solutions (page 16)
Defense-in-Depth (page 17)
Layered Security (page 18)
Cyber Security (page 19)
Cloud Computing (page 20)
HIPAA | Introduction (page 22)
HITECH | Introduction (page 24)
HIPAA Security Awareness Training Requirements (page 26)
HIPAA Security Rule (page 26)
HIPAA Security | 164.308 Administrative Safeguards (page 27)
HIPAA Security | 164.310 Physical Safeguards (page 28)
HIPAA Security | 164.312 Technical Safeguards (page 29)
HIPAA Security | Policies and Procedures (page 30)
HIPAA Notification of Breaches | As Amended by the Final Omnibus Ruling | January, 2013 (page 31)
HIPAA Privacy Rules (page 33)
HIPAA Privacy | 164.500 - 164.534 (page 35)
HIPAA Privacy | General Principles for Uses and Disclosures (page 37)
HIPAA Privacy | Permitted Uses and Disclosures (page 38)
HIPAA Privacy | Authorized Uses and Disclosures (page 41)
HIPAA Privacy | Individual Rights (page 42)
HIPAA Privacy | Administrative Requirements (page 43)
HIPAA Privacy | General Safeguards and Best Practices (page 45)
Covered Entities (page 46)
Business Associates (page 47)
Final Omnibus Ruling (January, 2013) (page 49)
Helpful HIPAA Resources (page 51)
FERPA (page 52)
FACTA (page 52)
Red Flags Rules (page 53)
PCI DSS (page 54)
GLBA (page 55)
Other Regulations (page 57)
Security Awareness Topics (page 58)
Account Security and Access Rights (page 59)
Malware (page 60)
Security Updates (page 61)
Clean Desk Policy (page 62)
Workstation Security (page 63)
Laptop Security (page 66)
Software Licensing and Usage (page 68)
Internal Threats (page 70)
Physical Security and Environmental Security (page 72)
Incident Response (page 74)
Personally Identifiable Information (PII) (page 75)
Protected Health Information (PHI) | HIPAA (page 78)
Protecting Information (Hard-Copy) (page 79)
Protecting Information (Electronic Format) (page 81)
Data Retention (page 84)
Identity Theft (page 86)
Online Security and Mobile Computing (page 88)
Shopping Online (page 91)
Securing Your Home Network (page 93)
Protecting your Children Online (page 96)
Security Tips for Travelling (page 99)
Other Important Security Awareness Considerations and Top Internet Scams (page 102)
If you see something, say something – Immediately (page 111)
Top 20 Security Considerations for I.T. Personnel (page 112)
Security Awareness Resources (page 123)
Our reliance on information technology, though plentiful with benefits, also brings large risks and even larger responsibilities for employees to be aware of any perceived or actual instance of intentional or unintentional release of secure information into an untrusted environment. Data security breaches are costly and extremely damaging, with long-lasting negative effects. Again, if you see something, say something - immediately!
• Change Management | Change Control Personnel: Responsibilities include reviewing, approving, and/or denying all changes to critical system components, and specifically any changes to the various baseline configuration standards. While changes are often associated with user functionality, many times issues of vulnerability, patch, and configuration management are brought to light by change requests. In such cases, authorized change management | change control personnel are to extensively analyze and assess these issues to ensure the safety and security of organization-wide system components.
• End Users: Responsibilities include adhering to the organization's information security policies, procedures, and practices, and not undertaking any measure to alter such standards on any such system components. Additionally, end users are to report instances of non-compliance to senior authorities, specifically those by other users. End users - while undertaking day-to-day operations - may also notice issues that could impede the safety and security of your organization's system components, and are to also report such instances immediately to senior authorities.
• Vendors, Contractors, Other Third-Party Entities: Responsibilities for such individuals and organizations are much like those stated for end users: adhering to the organization's information security policies, procedures, and practices, and not undertaking any measure to alter such standards on any such system components.
• Having pan-tilt-zoom (PTZ) cameras at a data center, along with comprehensive badge provisioning procedures, whereby an organization implements the use of access control cards and iris recognition at the actual data center facility.

For purposes of information security, all individuals form a cohesive and vital component of an organization's overall Defense-in-Depth platform - one that utilizes multiple resources for enterprise-wide cyber security protection.
Essentially, providers need to show they're using certified EHR technology in ways that are deemed beneficial, ultimately resulting in the following:

• Improvement of care coordination
• Reduction of healthcare disparities
• Engaging patients and their families
• Improving population and public health
• Ensuring adequate privacy and security
The HIPAA Security Rule, considered rather brief in length and documentation for regulatory compliance legislation, nonetheless places a large focus on the protection of electronic Protected Health Information (ePHI). Ultimately, this requires covered entities, business associates, and any other relevant parties to have best-of-breed operational, business-specific, and information security policies, procedures, and practices in place. While the HIPAA Security Rule technically includes parts 164.302 to 164.318, it's the Administrative, Physical, and Technical Safeguards that draw most attention - and rightfully so - as they provide explicit guidance on various mandates that must be in place for ensuring compliance.
• Maintain the policies and procedures implemented to comply with this subpart...
• Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
• Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains.
• New risk assessment requirements put into place requiring documentation of such practices and consideration of the following four (4) factors:

1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification.
2. The unauthorized person who used the protected health information or to whom the disclosure was made.
3. Whether the protected health information was actually acquired or viewed.
4. The extent to which the risk to the protected health information has been mitigated.

Business Associates (BA) and their relevant third-party providers are also in scope for the breach notification changes under the final omnibus ruling.
HIPAA Security Awareness Training Program | 2013 | Page 31

HIPAA Notification of Breaches | As Amended by the Final Omnibus Ruling | January, 2013

Other important considerations regarding the enhanced breach notification rule are the following:

• Requires a covered entity to notify an individual when unsecured PHI has been improperly disclosed.
• The Department of Health and Human Services (HHS) is to be notified regarding confirmed breaches, either through an annual report or sooner, depending on the number of individuals affected.
• The definition of a breach, according to HHS, is the following: "acquisition, access, use, or disclosure" of PHI in violation of the Privacy Rule that "compromises the security or privacy" of the PHI. Thus, an impermissible use or disclosure of PHI is presumed to be a "breach". There are exceptions to a "breach", which consist of the following:
1. Any unintentional acquisition, access or use of protected health information by a workforce member (including volunteer or trainee) or person acting under the authority of a covered entity or business associate, if the acquisition, access or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted by the Privacy Rule.
2. Inadvertent disclosures of protected health information from a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity, business associate or organized health care arrangement in which the covered entity participates.
3. Where a covered entity or a business associate has a good-faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Additionally, enhanced policies, procedures, and practices will need to be developed and implemented in accordance with the final omnibus ruling.
HIPAA Privacy Rules
The "Privacy Rule" - technically known as the Standards for Privacy of Individually Identifiable Health Information (Subpart E) - put in place a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services ("HHS") issued the Privacy Rule to implement the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). The Privacy Rule standards address the use and disclosure of individuals' health information (called "protected health information") by the organizations subject to the Privacy Rule, such as "covered entities" and, at times, business associates and their affiliates. According to the Department of Health and Human Services, www.hhs.gov, "A major goal of the Privacy Rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well-being." As to who specifically is covered and mandated to comply with the Privacy Rule, it generally consists of the following:

• Health Plans
• Health Care Providers
• Health Care Clearinghouses
It's important to note that the Department of Health and Human Services, www.hhs.gov, states that "The Privacy Rule…apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA." Combined with the Final Omnibus Ruling (January, 2013), which includes provisions for "business associates", it's safe to say that "ANY" entity working with health information and data will need to be compliant with the HIPAA Privacy Rules and all applicable Subpart E mandates.
HIPAA Privacy | 164.500 - 164.534
Technically speaking, Subpart E of the HIPAA Privacy Rules contains the following:

• § 164.500 Applicability
• § 164.501 Definitions
• § 164.502 Uses and disclosures of protected health information: general rules
• § 164.504 Uses and disclosures: organizational requirements
• § 164.506 Uses and disclosures to carry out treatment, payment, or health care operations
• § 164.508 Uses and disclosures for which an authorization is required
• § 164.510 Uses and disclosures requiring an opportunity for the individual to agree or to object
• § 164.512 Uses and disclosures for which an authorization or opportunity to agree or object is not required
• § 164.514 Other requirements relating to uses & disclosures of protected health information
• § 164.520 Notice of privacy practices for protected health information
• § 164.522 Rights to request privacy protection for protected health information
• § 164.524 Access of individuals to protected health information
• § 164.526 Amendment of protected health information
• § 164.528 Accounting of disclosures of protected health information
• § 164.530 Administrative requirements
• § 164.532 Transition provisions
• § 164.534 Compliance dates for initial implementation of the privacy standards
As mentioned earlier, the Privacy Rule covers the following four (4) broad-based areas and respective requirements:

• Uses and Disclosures
• Individual Rights
• Administrative Requirements
• General Safeguards and Best Practices

To learn more about the Privacy Rule, please visit the Department of Health and Human Services (HHS) at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
HIPAA Privacy | Permitted Uses and Disclosures

As for "Permitted Uses and Disclosures", as an employee you need to know that a covered entity (and other relevant parties) is permitted - but not required - to use and disclose protected health information, without an individual's authorization, for the following purposes or situations (source: www.hhs.gov):

1. To the Individual (unless required for access or accounting of disclosures).
2. Treatment, Payment, and Health Care Operations.
3. Opportunity to Agree or Object.
4. Incident to an otherwise permitted use and disclosure.
5. Public Interest and Benefit Activities.
6. Limited Data Set for the purposes of research, public health or health care operations.

Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make. Each of the above conditions warrants further explanation, so please consider the following regarding these items:
1. "To the Individual". It means just that - a covered entity (and other relevant parties) may disclose protected health information to the individual who is the subject of the information.
2. "Treatment, Payment, and Health Care Operations". Generally speaking, a covered entity (and other relevant parties) may use and disclose protected health information for its own treatment, payment, and health care operations activities. Furthermore, a covered entity (and other relevant parties) also may disclose protected health information for the treatment activities of any health care provider, the payment activities of another covered entity and of any health care provider, or the health care operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities (or other relevant parties) have or had a relationship with the individual and the protected health information pertains to the relationship.
3. "Opportunity to Agree or Object". Informal permission can also be obtained by asking the individual outright, or by relevant circumstances or situations that clearly give the individual the opportunity to agree, acquiesce, or object.
4. "Incident to an otherwise permitted use and disclosure". The Privacy Rule also permits certain incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure, as long as the covered entity (or other relevant party) has applied reasonable safeguards and implemented the minimum necessary standard, where applicable. Furthermore, an incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and occurs as a result of another use or disclosure that is permitted by the Rule. (Source: www.hhs.gov | Incidental Uses and Disclosures)
5. "Public Interest and Benefit Activities". The Privacy Rule permits use and disclosure of protected health information, without an individual's authorization or permission, for 12 national priority purposes, which are the following:
Individuals also have numerous rights that are well documented within the HIPAA Privacy Rule, specifically the following:

• The right of an individual, often referred to as a patient, to access Protected Health Information (PHI).
• The right to request certain restrictions regarding the use and disclosure of PHI.
• The right to authorize marketing communications.

More specifically, the following sections within Subpart E, § 164.500 through § 164.534, discuss various privacy rights for individuals:
• § 164.520 - "an individual has a right to adequate notice of the uses and disclosures of protected health information…".
• § 164.522 - "must permit an individual to request that the Covered Entity restrict use or disclosure of Protected Health Information about the individual to carry out treatment, payment or health care operations and restrictions related to family members, friends…"
• § 164.524 - "an individual has a right of access to inspect and obtain a copy of Protected Health Information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set".
• § 164.526 - "An individual has the right to have a Covered Entity amend Protected Health Information in a designated record set for as long as the Protected Health Information is maintained in the record set".
• § 164.528 - Similar in context to § 164.526.

Additionally, many other individual (i.e., patient) rights are discussed within the aforementioned sections of Subpart E, § 164.500 through § 164.534.
HIPAA Privacy | Administrative Requirements 164.530

The HIPAA Administrative Requirements - specifically HIPAA Privacy § 164.530 - outline in detail various broad-based measures required to be in place by covered entities, such as the following:
• Personnel Designations: A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.
• Workforce Training: A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information. More specifically, a covered entity must provide training that meets the requirements in the following manner: (A) No later than the compliance date for the covered entity. (B) Within a reasonable period of time after the person joins the covered entity's workforce. (C) To each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures. Additionally, a covered entity must document that the training has been provided, as required.
• Safeguards: A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. Additionally, a covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure. Moreover, a covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures.
• Complaints: A covered entity must provide a process for individuals to make complaints concerning the covered entity's policies and procedures.
• Sanctions: A covered entity must have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity.
• Mitigation: A covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures.
• Waiver of Rights: A covered entity may not require individuals to waive their rights under § 160.306 of this subchapter.
• Policies and Procedures: A covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements. Additionally, a covered entity must change its policies and procedures as necessary and appropriate to comply with changes in the law.
• Changes in Law: Whenever there is a change in law that necessitates a change to the covered entity's policies or procedures, the covered entity must promptly document and implement the revised policy or procedure.
• Changes to Privacy Practices: To implement a change, a covered entity must: (A) Ensure that the policy or procedure, as revised to reflect a change in the covered entity's privacy practice as stated in its notice, complies with the standards, requirements, and implementation specifications. (B) Document the policy or procedure. (C) Revise the notice as required by § 164.520(b)(3) to state the changed practice and make the revised notice available as required by § 164.520(c).
• Group Health Plans: A group health plan that provides all health benefits through an issuer or HMO and does not create or receive PHI other than summary health information or enrollment/disenrollment information is NOT subject to the requirements of this section, except for the following:
While not an explicit section under the HIPAA Privacy Rule - collectively speaking - general safeguards and best practices are discussed and enumerated throughout § 164.500 through § 164.534 in the following examples of verbiage:

• The business associate will appropriately safeguard the information - § 164.502.
• Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract - § 164.504.
• Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement - § 164.514.
• "A covered entity must reasonably safeguard protected health information" - § 164.530.
• A covered entity must have in place appropriate administrative, technical, and physical safeguards - § 164.530.
• A covered entity must implement policies and procedures with respect to protected health information - § 164.530.
• Health Care Clearinghouses: This includes entities that process nonstandard health information they receive from another entity into a standard format (i.e., standard electronic format or data content), or vice versa.
• Health Care Providers: Doctors, Clinics, Psychologists, Dentists, Chiropractors, Nursing Homes, and Pharmacies.

Source: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/
Business Associates
The definition of a "business associate" has fundamentally changed with the Final Omnibus Ruling of January, 2013, which effectively expands and increases the scope and accountability of such organizations. Initially, a business associate was defined as "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity". With the Final Omnibus Ruling, it's been significantly enhanced to include the following provisions: "…a person or entity that creates, receives, maintains or transmits protected health information to perform certain functions or activities on behalf of a covered entity". Additionally, the following three (3) different types of service providers are now specifically identified as business associates under the final rule:

1. Health information organizations, e-prescribing gateways, and other people or entities that provide data transmission services to a covered entity with respect to protected health information and that require access on a routine basis to such protected health information
2. People or entities that offer personal health records to one or more individuals on behalf of a covered entity
3. Subcontractors that create, receive, maintain or transmit protected health information on behalf of business associates

In summary, there's now a clear "downstream effect" in place - specifically, the rights, duties, and obligations for which a business associate is responsible are now also the responsibility of subcontractors and other related parties. Ultimately, business associates will need to enter into "business associate contracts" with such downstream providers - and in turn - these downstream providers will need to enter into contractual relationships with their providers, etc.
According to www.hhs.gov, the following are examples of business associates:

• A third party administrator that assists a health plan with claims processing.
• An accounting firm whose accounting services to a health care provider involve access to protected health information.
• An attorney whose legal services to a health plan involve access to protected health information.
• A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
Final Omnibus Ruling (January, 2013)
In January, 2013, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released its final regulations containing modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (the Final Omnibus Ruling), which paved the way for dramatic changes to HIPAA, particularly to the Privacy and Security Rules. In the past, HIPAA compliance lacked any real regulatory "teeth" - it was a law that simply advocated voluntary compliance. Fast-forward to 2013 and what's now in place are real and severe penalties, along with enhanced compliance requirements for covered entities, business associates, and other related parties. Notable points worth mentioning for purposes of HIPAA Security Awareness and Workforce Training are the following:

• Penalties that range from $100 to $50,000 per violation, depending on the level of culpability, with a $1.5 million cap per calendar year for multiple violations of identical provisions, and criminal penalties of up to 10 years in prison.
• Significantly changes the breach notification analysis with a four (4) point process to test and ultimately determine whether or not protected health information (PHI) has been compromised, thus requiring breach notification.
• Regarding marketing, the final rule requires authorization for all treatment and health care operations communications whereby the covered entity receives financial remuneration from the third party whose products or services are being marketed, though there still are exceptions.
• Streamlined authorization requirements for the use of individuals' PHI for research purposes.
• Clarified that while business associates are not subject to all requirements of the Privacy Rule, they are to:
  • Comply with the terms of a business associate agreement related to the use and disclosure of PHI;
  • Make an electronic copy of PHI available to an individual (or covered entity) in connection with an individual's request for an electronic copy of PHI;
  • Make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request; and
  • Enter into business associate agreements with subcontractors that create or receive PHI on their behalf.
Helpful HIPAA Resources
HIPAA is a large, expansive, and complex piece of legislation, one that requires long hours of study to understand all of its working parts. However, there are numerous helpful resources that effectively break down, clarify, and distill the actual law without having to mine through the actual legislative publication. Spend some time visiting the following websites to gain a stronger understanding of HIPAA:
FACTA
Known as the Fair and Accurate Credit Transaction Act of 2003, FACTA (or the FACT Act, as it's commonly referred to) contains essential provisions for helping reduce the growing problem of identity theft by allowing consumers to place fraud alerts on consumer reporting agency files (i.e., the credit scoring bureaus). Additionally, FACTA prohibits businesses from printing more than 5 digits of any customer's card number, or the card expiration date, on any receipt provided to the cardholder at the point of sale or transaction. Furthermore, FACTA mandates that regulations be established by certain government agencies regarding the detection of identity theft by financial institutions and creditors. As an employee, you need to be aware of these provisions regarding the protection of any consumer information held by the organization. Additionally, if you feel your identity has been compromised in any way, then it's important to place "fraud alerts" on your consumer information with the major credit reporting agencies. You can learn more about FACTA by searching online, where numerous resources are available.
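The receipt truncation provision above (no more than 5 digits of the card number, and no expiration date, on a customer receipt) is something a point-of-sale or receipt-printing system has to enforce in code. The following is an added example, not code from the training program or from any vendor it mentions. It assumes that the five permitted digits are the last five of the card number (the common reading of the rule) and uses a constructed receipt format with CARD: and EXP: lines; both are assumptions, not anything the text specifies. It provides a masking function, a sanitizer that rewrites a receipt into compliant form, and a check that flags receipts that would violate the rule.

```python
import re

# FACTA limit quoted in the text above: at most 5 digits of the card number.
MAX_VISIBLE_DIGITS = 5

# Constructed sample receipt for this example (4111 1111 1111 1111 is a
# well-known test PAN, not a real card); the CARD:/EXP: line format is our own.
SAMPLE_RECEIPT = """MERCHANT: Example Pharmacy
DATE: 2013-01-25
CARD: 4111 1111 1111 1111
EXP: 09/15
TOTAL: $42.10
"""

_CARD_LINE = re.compile(r"^(CARD:\s*)(.+)$", re.MULTILINE)
_EXP_LINE = re.compile(r"^EXP:.*\n?", re.MULTILINE)


def mask_pan(pan: str, visible: int = MAX_VISIBLE_DIGITS) -> str:
    """Return the card number with every digit but the last `visible` replaced by '*'.

    Separators (spaces, dashes) are dropped so the output does not reveal the
    grouping of the original digits, and `visible` is clamped to the statutory
    limit so a caller cannot accidentally print more than 5 digits.
    """
    digits = re.sub(r"\D", "", pan)
    if not digits:
        raise ValueError("card number contains no digits")
    visible = max(0, min(visible, MAX_VISIBLE_DIGITS))
    keep = digits[-visible:] if visible else ""
    return "*" * (len(digits) - len(keep)) + keep


def sanitize_receipt(text: str) -> str:
    """Rewrite a receipt so it prints only the masked PAN and no expiration date."""
    without_expiry = _EXP_LINE.sub("", text)
    return _CARD_LINE.sub(lambda m: m.group(1) + mask_pan(m.group(2)), without_expiry)


def check_receipt(text: str) -> list:
    """Return a list of findings for a receipt that would violate the truncation rule.

    An empty list means the receipt is compliant with respect to the two
    requirements discussed above: digit count on the CARD line, and no EXP line.
    """
    findings = []
    for m in _CARD_LINE.finditer(text):
        shown = len(re.sub(r"\D", "", m.group(2)))
        if shown > MAX_VISIBLE_DIGITS:
            findings.append(f"CARD line shows {shown} digits; limit is {MAX_VISIBLE_DIGITS}")
    if _EXP_LINE.search(text):
        findings.append("EXP line present; the expiration date must not be printed")
    return findings


if __name__ == "__main__":
    print("Findings on raw receipt:", check_receipt(SAMPLE_RECEIPT))
    cleaned = sanitize_receipt(SAMPLE_RECEIPT)
    print(cleaned)
    print("Findings after sanitizing:", check_receipt(cleaned))
```

check_receipt is the piece worth wiring into a test suite for receipt templates: run it over every template the system can print, so a change that reintroduces a full card number or an expiration date fails the build rather than reaching a customer.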
Red Flags Rules
The Red Flags Rule was created by the Federal Trade Commission (FTC) for purposes of fighting identity theft, and it generally applies to financial institutions and creditors. A "financial institution" is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a "transaction account" belonging to a consumer. A "creditor" is any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services. Thus, the Red Flags Rule sets out how certain businesses and organizations must develop, implement, and administer their Identity Theft Prevention Programs, which must include the following four basic elements:

• Identify Relevant Red Flags
• Detect Red Flags
• Prevent and Mitigate Identity Theft
• Update Program

Additionally, the Red Flags Rules provide all financial institutions and creditors the opportunity to design and implement a program that's appropriate to their size and complexity, and specific to their business. Lastly, it's important to note that "red flags" fall under the following five (5) categories:

• Alerts, notifications, or warnings from a consumer reporting agency
• Suspicious documents
• Suspicious identifying information, such as a suspicious address
• Unusual use of – or suspicious activity relating to – a covered account
• Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts
With some basic knowledge of information security provided to you, along with an introduction to numerous laws, regulations, and industry-specific mandates, it's now time to focus on a number of key security awareness topics. Please note that the information presented serves to educate employees and other in-scope personnel on general best practices for information security, which directly correlate to the numerous HIPAA mandates put forth for the protection of Protected Health Information (PHI). Security awareness is much more than just protecting sensitive and confidential information for purposes of compliance; it's about being aware and responsive at all times to any incidents potentially affecting the safety and security of our organization, and of you personally. Remember, adopting the Department of Homeland Security's (DHS) motto for reporting suspicious activity - "If You See Something, Say Something™" - is a practical way to look at security awareness in today's world of growing security threats. Let's look at a number of critical security awareness topics you need to know about to help ensure the safety and security of both you and the organization. Please keep in mind that the list is extensive, much like the threats that have evolved in recent years.
• Microsoft Windows Operating Systems: Simply automating the "Windows Update" service is all that really needs to be done, so visit your "Control Panel" and enable this feature, which may well be on already.
• Portable Document Format (PDF) | Adobe: Hackers can create malicious files and other executables that exploit software handling the Portable Document Format (PDF), so it's important to click "yes" when Adobe software asks if you want to install security updates.
• Other essential applications: There's an almost endless list of applications in use today, so keep a list handy of what's on your computer, making sure to perform security updates as required, not only for safety but for performance and software stability.
For any documents no longer needed for work, make sure to shred such material or place it in a secure bin, regardless of sensitivity, never placing such documents in any public trash can, such as those immediately in your workspace. Never use Post-it notes or other forms of notes and reminders at your workstation that contain sensitive and confidential information, such as passwords, account information, etc. Furthermore, if you have visitors at your workstation, please put away all sensitive and confidential information. If you incur an extended absence from work, such as holidays, vacation, etc., please clear your desk of all items considered sensitive and confidential. Lastly, do a brief check before leaving your workstation for the day, securing all appropriate items.
This list goes on and on, from deliberate acts to dangerous, unintended mishaps and actions; internal threats are everywhere. All employees have a responsibility to live and act by the motto, "if you see something, say something" - and immediately. With that said, be alert and on the lookout for the following suspicious activities by others:

• Mood swings, violent and/or aggressive actions.
• Sudden change in behavior, work ethic, morals, etc.
• Discussion of suicide, harming others, general negativity, etc.
• Combative, argumentative, etc.
• Appearing intoxicated or using illegal substances.
• Verbal and/or email threats towards others.
• Unexplained absence and tardiness at work.
• Disregard for company rules and regulations.
• Not being a "team player", etc.

It's about being alert and watchful, yet not paranoid, as accusing somebody of a crime or incident they did not commit also has ramifications for the organization, and for you, so think first. Also be watchful of things that just don't seem right, such as a door ajar for no apparent reason, confidential documents placed in a public area, smoke or other environmental factors you may be suspicious of. In summary, try and use your natural intuition in helping protect the organization from a growing list of serious internal threats.
HIPAA Security Awareness Training Program | 2013 | 71
Physical Security and Environmental Security
Physical security elements are safeguards enacted to ensure only authorized individuals have access to various physical locations, such as corporate facilities, data warehouses, computer operation centers, and any other critical areas. Additionally, physical security also consists of the various measures put in place for protecting organizational assets, ranging from people and property to any number of tangible goods, services or products. And with many organizations today outsourcing critical functions to data centers, managed services providers, and document storage facilities - just to name a select few - physical security has now become a critical component of one's risk assessment and risk management framework. Knowing where your assets are and how they are protected is paramount. But it's just as important to have physical security controls in place at one's corporate office, satellite offices, and any other important locations.

Another important component of physical security is the supporting environmental security controls in place. Specifically, environmental security elements are the essential measures utilized to protect physical surroundings from damaging elements, such as fire, water, smoke, electrical surges, spikes, and outages, along with any other hidden dangers. Environmental safeguards are critical in that they, along with physical security, ensure the safety of the employees, company property, and all other pertinent physical elements near the facility.
Additionally, Protected Health Information (PHI) is actually a subset of Personally Identifiable Information (PII), and the two share many similarities as to the types of data and information involved.
Protecting Information (Hard-Copy)
Call it PII or any other variant thereof - highly confidential, sensitive, restricted information - it all needs to be protected at all times, both as physical hard-copy material and in electronic format. As for hard-copy documents, even in today's world the use of paper is still quite prevalent, thus protecting paper records in the following manner is a must:
• First and foremost, avoid printing any documentation containing PII if you can. If that's not possible, then limit it to the extent possible. Remember, paper records should only be generated, used, and/or retained if there's a true, legitimate business need.
• For paper records containing PII, assign tracking and logging mechanisms as necessary for ensuring their use and whereabouts are known at any given time, along with assigning an approved data classification level (i.e., sensitive, secret, etc.) for such material.
• Paper records containing PII must be physically stored in a secure location at all times, such as locked file cabinets, office desks, or any other acceptable measure for ensuring their safety and security from unauthorized parties.
• When such records are no longer needed for business or compliance purposes (such as data retention laws, etc.), they are to be shredded and documented accordingly. This means having secure shredding bins strategically located throughout the facility, and it also means never throwing paper records containing PII - or any other sensitive and confidential information - into a garbage can without being shredded.
• Other acceptable means of destroying paper records containing PII may include, but are not limited to, shredding, burning, pulping, or pulverizing the records so that PII is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
• Do not allow paper records containing PII to be viewable or accessible in general common areas, or in an unsupervised fashion, such as residing on your desk or any other workstation or work area while you are not present.
• Implement physical access controls and other security safeguards for protecting paper records containing PII at all times, such as the following:
  o Use electronic access control systems (ACS), such as badge readers, and applicable biometric identifiers.
  o Promptly remove all users from company-wide access to all system components and facilities upon their termination.
  o Utilize security cameras, alarms, and other physical security detective and preventative solutions.
  o Include provisions for responding to issues and security breaches pertaining to paper records containing PII.
• Be alert at all times. If you see paper records being inappropriately handled, residing in insecure areas, left unattended, stolen or compromised in any other way, etc., then say something and report the issue immediately to authorized personnel. Security is everyone's responsibility. Additionally, if you yourself have knowingly lost or misplaced paper records containing PII, then report the issue immediately.
• Use a shredder. A big challenge in data destruction is making sure all employees use an actual shredder, or at the very least, dispose of hard-copy, paper-based documents into a designated, secured bin, one ultimately used for shredding documents. That means never throwing business documents into a general trash can, such as the one directly under your workstation, in a common area (i.e., break room, bathroom, etc.) or any other unsafe bin. How many times have you heard on the news of "dumpster divers" finding highly sensitive and confidential documents that companies have carelessly thrown away, such as blank check stock, contractual agreements, and other privileged information? It happens, unfortunately, but let's work to make sure it doesn't happen at this company!
Protect your physical assets. This means not leaving your laptop, PDA, tablet, etc. unattended for any time period. Going to the bathroom at the coffee house while leaving your notebook alone is not wise. For company-owned laptops, verify with your I.T. department that the serial number has indeed been recorded. For your own personal laptop, record the serial number also.

Clear out browser sessions. It's a good idea to periodically clean out your browser history to ensure no pre-populated usernames and passwords exist, especially on non-company-owned desktops, laptops, and workstations. As for usernames and passwords, keep them secure (which is in your head!) and nowhere else. This means a clean desktop work policy, one that does not contain notes lying around with online login information.

Be mindful on social media sites. You work for your organization, which means you represent it in everything you do, both inside and outside the walls of these facilities. As such, be cognizant of information posted and please strive to use a professional tone and dialect at all times, even with your friends, family members, co-workers, and other online participants you are engaging with. Just remember to ask yourself the following question: "Does the posting or uploading of content to any of my personal social media resources disclose any 'sensitive information' related to my company, or does it in any way impact the safety and security of my organization?" Remember to think before you post.
One of the most important security awareness initiatives for all individuals is protecting what's arguably the most important asset of all – your children. Being online for kids can be fun-filled, highly entertaining and extremely educational, yet also very dangerous, with predators lurking at every click of the mouse. As responsible parents, ensuring the safety and security of your children is the first and most important task, and it starts with being aware of the dangers and pitfalls of the Internet. Listed below are helpful suggestions and tips all parents should be aware of when it comes to their children's online activities. Remember – if you see something, say something, and act immediately, especially when it concerns the safety and security of children.
Limit Internet access. Sure, all kids want to be online at all hours of the day – that's understandable – yet it's important to set rules and boundaries on Internet usage, which means not putting a computer in a child's room where they have unrestricted access 24 hours a day, 7 days a week. Schedule and agree on times and limits for online usage.

Instill rules. Create a list of rules for you and your children to readily agree to, such as the times and hours they're allowed to access the Internet – more specifically – what websites they are allowed to visit, the type of content they are allowed to post, etc.

Educate. We live in a dangerous world – unfortunately – one filled with sexual predators and online thieves seeking to steal your personal information at any given time. Because of this, it's important to educate your children about the dangers of the Internet, common scams they may encounter, and what to do if they see something that's suspicious. Children are smart – much more than we give them credit for – so spend time educating them on important Internet issues; you'll be surprised at how quickly they pick it up and "get it".

Trust, but verify. Encourage your children to use caution at all times, instilling what's commonly known as the "stranger danger" concept – keeping everyone at a distance and not trusting anyone they don't know. Tell your children to act in the same manner online, trusting only their close circle of friends.

Don't disclose private information. Sexual predators and other malicious individuals are quite adept at social engineering – gaining the trust of children for purposes of obtaining personal information. Train your kids to never give out personal information, such as their full name or home address – anything that can clearly identify them and allow somebody to find them in person.

Meeting people in person. It's very important to teach your children about the dangers of meeting somebody in person that they've met online. Though many times the encounter is probably safe, sexual predators often disguise themselves as young children online, building trusted relationships with innocent children who unfortunately become victims.

Make a list. Instruct your children to make a complete list of all accounts, friends, and websites they interact with while online. Essentially, you're looking to gain a stronger understanding of the "who, what, when, where, and why" of your children's online activities. The more you know, the safer your children will be, as knowledge is power.

Encourage family Internet time. That means sitting with your children and interacting with them while they "surf" the Internet, but not in a manner that's intrusive and mandatory – rather – one that seeks to indirectly monitor and reassure yourself of your children's browsing activities.
Protecting Your Children Online
View Internet history. After each session – and until you feel comfortable as a parent – review the web browser history of your child's online activities, looking for any suspicious websites or communication from questionable people.

Set browsing limits. This means installing a browser-safe utility for children along with placing Internet Protocol (IP) restrictions in place that block the viewing of questionable sites. Kids are curious – very curious – and all it takes is a wrong click of the mouse and they're at a website they have no business being on.

Search for helpful tools. There are numerous organizations online providing support, along with a laundry list of software applications and protocols, such as kid-friendly search engine websites, parental control apps, pre-filtered ISP settings for your home computer, event monitoring and tracking tools, etc.

Be diligent, but also respect privacy. You want to protect your children online – no question about it – but don't be overzealous. Give your children a certain amount of privacy and respect online, and they in turn will follow your guidance when it comes to Internet usage. Creating a certain level of balance and respect is the key to forming good online habits for children.
Security Tips for Travelling
Travelling, whether abroad or just nationally, can be extremely stressful with today's ever-growing terror threats and other malicious acts being undertaken by dangerous individuals. It's important to be alert and aware of your surroundings at all times, taking the necessary precautions for ensuring your safety and security, while also making travel a pleasurable experience. Please take note of the following security tips when travelling:

Pre-plan. Though it sounds academic, having an essential checklist of items is a really good idea, especially if you're travelling abroad and for an extended period of time. Being overly cautious is never a bad thing – after all – once you've forgotten something, you'll have to spend a considerable amount of money replacing it while afar. Many websites on the Internet have helpful travel checklists, so use them to your advantage.

Familiarize yourself with new surroundings. Get to know where you're going, and that means identifying local police stations, your embassy (critically important!), restaurants, and other venues as necessary. Walking around with the look of being hopelessly lost only invites thieves to prey upon you.

Consider travel insurance. A relatively inexpensive, yet valuable purchase is travel insurance, for travelling both abroad and nationally. From obtaining full reimbursements for airplane tickets to having items stolen in a foreign country replaced at equal or greater value, there's insurance readily available for any type of scenario, so consider such a purchase.
17. Logging and Reporting. Along with capturing all necessary events as described in "Event Monitoring", effective protocols and supporting measures are to be implemented for ensuring all required events and their associated attributes are logged, recorded, and reviewed as necessary. Additionally, all applicable elevated permissions (those for administrators) along with general access rights permissions (those for end-users) to system components are to be reviewed on a [monthly/quarterly/bi-annual/annual] basis by an authority that is independent from all known users (i.e., end-users, administrators, etc.) and who also has the ability to understand, interpret, and ultimately identify any issues or concerns from the related output (i.e., log reports and other supporting data). The specified authority reviewing the logs is to determine what constitutes any "issues or concerns", and to report them immediately to appropriate personnel. Moreover, protocols such as syslog and other capturing and forwarding protocols and/or technology, such as specialized software applications, are to be used as necessary, along with employing security measures that protect the confidentiality, integrity, and availability (CIA) of the audit trails and their respective log reports (i.e., audit records) that are produced.
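The review and integrity requirements above can be turned into a small tool. The following is an added example written for this page, not a program or procedure from the training material: it parses constructed syslog lines (the hostnames, usernames and addresses are made up), flags records that touch elevated permissions so the independent reviewer sees them, checks that the named reviewer is not one of the users whose activity the logs record, and hash-chains the batch so a later edit to any line is detectable. The event patterns (sudo to root, additions to the wheel group, new accounts) and the chain seed are assumptions for the example, not requirements from the program text.

```python
"""Review a batch of syslog records for elevated-permission events and
hash-chain the batch so its integrity can be verified later.

Added example for this page; the log lines are constructed, and the event
patterns and chain seed are assumptions, not part of the training program.
"""
import hashlib
import re

# Constructed sample syslog lines (RFC 3164 style); not a real capture.
SAMPLE_SYSLOG = """\
Jan 14 09:12:03 ehr-app01 sshd[2201]: Accepted publickey for jdoe from 10.0.5.21 port 50122 ssh2
Jan 14 09:12:41 ehr-app01 sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/systemctl restart ehr-api
Jan 14 09:15:02 ehr-app01 usermod[2310]: add 'tsmith' to group 'wheel'
Jan 14 09:20:17 ehr-app01 sshd[2402]: Failed password for invalid user admin from 198.51.100.7 port 40211 ssh2
Jan 14 09:21:55 ehr-app01 useradd[2450]: new user: name=svc-backup, UID=1004, GID=1004, home=/var/lib/backup, shell=/sbin/nologin
Jan 14 09:30:00 ehr-app01 CRON[2501]: (root) CMD (/usr/local/bin/rotate-logs)
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# One pattern per program that names the acting or affected user (assumed formats).
ACTOR_RE = {
    "sudo": re.compile(r"^\s*(\S+) :"),
    "sshd": re.compile(r"for (?:invalid user )?(\S+) from"),
    "usermod": re.compile(r"add '([^']+)' to group"),
    "useradd": re.compile(r"name=([^,]+)"),
    "CRON": re.compile(r"^\((\S+)\) CMD"),
}

ADMIN_GROUPS = ("wheel", "sudo", "admin")


def parse_line(line):
    """Split one syslog line into fields; return None for lines that do not match."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def actor(rec):
    """Username the event concerns, or None if the message names no user."""
    pat = ACTOR_RE.get(rec["prog"])
    m = pat.search(rec["msg"]) if pat else None
    return m.group(1) if m else None


def classify(rec):
    """Category for events touching elevated permissions, else None."""
    prog, msg = rec["prog"], rec["msg"]
    if prog == "sudo" and "USER=root" in msg:
        return "sudo_as_root"
    if prog == "usermod" and any(f"group '{g}'" in msg for g in ADMIN_GROUPS):
        return "admin_group_change"
    if prog == "useradd":
        return "account_created"
    return None


def review_batch(text):
    """Every record the reviewer must look at: (line number, category, actor)."""
    flagged = []
    for n, line in enumerate(text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        cat = classify(rec)
        if cat:
            flagged.append((n, cat, actor(rec)))
    return flagged


def known_users(text):
    """All usernames that appear as actors anywhere in the batch."""
    users = set()
    for line in text.splitlines():
        rec = parse_line(line)
        u = actor(rec) if rec else None
        if u:
            users.add(u)
    return users


def reviewer_is_independent(reviewer, text):
    """The reviewing authority must not be one of the users the logs record."""
    return reviewer not in known_users(text)


def chain_digest(text, seed=b"audit-chain-v1"):
    """Hash-chain the batch: each digest covers the previous digest plus the line,
    so inserting, removing or editing any line changes the final value."""
    h = hashlib.sha256(seed).digest()
    for line in text.splitlines():
        h = hashlib.sha256(h + line.encode()).digest()
    return h.hex()


def verify_chain(text, expected_hex, seed=b"audit-chain-v1"):
    """Recompute the chain and compare with the digest recorded at review time."""
    return chain_digest(text, seed) == expected_hex


if __name__ == "__main__":
    for n, cat, who in review_batch(SAMPLE_SYSLOG):
        print(f"line {n}: {cat} ({who})")
    print("batch digest:", chain_digest(SAMPLE_SYSLOG))
```

The digest is what the reviewer records alongside the sign-off; storing it somewhere the log producers cannot write to (or forwarding the batch to a separate collector, as the syslog sentence above suggests) is what makes the integrity check meaningful.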
• "Detecting", in that procedures are in place that allow for timely detection of all threats, such as the use of specific software tools and other monitoring and detection elements.
• "Responding", in that procedures are in place that allow for rapid and swift response measures, which is highly necessary for containing and quarantining any given incident.
• "Recovering", in that procedures are in place that allow for full recovery of the affected systems, such as the use of backup media and the ability to rebuild, reconfigure and redeploy as necessary.
• "Post Incident Activities and Awareness", in that a formal and documented Incident Response Report (IRR) is to be developed and reviewed by appropriate parties, resulting in "Lessons Learned" from the incident and what initiatives can be implemented for hopefully eliminating the likelihood of future incidents.
Top 20 Security Considerations for I.T. personnel
19. Performance and Security Testing. All applicable system components are to undergo annual vulnerability assessments along with penetration testing for ensuring their safety and security from the large and ever-growing external and internal security threats facing your organization today. Vulnerability assessments, which entail scanning a specified set of network devices, hosts, and their corresponding Internet Protocol (IP) addresses, help identify security weaknesses within [company name's] network architecture. Additionally, penetration testing services, which are designed to actually compromise the organization's network and application layers, also assist in finding security flaws that require immediate remediation. Moreover, contractual requirements along with regulatory compliance laws and legislation often mandate that organizations perform such services, at a minimum, annually (for penetration tests), and often on a periodic and/or quarterly basis (for vulnerability assessments). As such, your organization will adhere to these stated requirements and will perform the necessary services on all applicable system components. Careful planning and consideration of what systems are to be included when performing vulnerability assessments and, particularly, penetration testing is a critical factor, as all environments (i.e., development, production, etc.) must be safeguarded from any accidental or unintended exploits caused by the tester.
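The scoping step the last sentence describes (deciding which systems belong in a vulnerability assessment or penetration test, and keeping environments that were not authorized out of it) can be enforced before any scanner runs. Below is an added example, written for this page rather than taken from the training program: it checks a proposed target list against an authorization record made up for the example (the 10.10.0.0/24, 10.10.1.0/24 and 192.0.2.10 entries are constructed private and documentation ranges), rejects targets that fall outside scope or overlap excluded hosts, and, as an assumed rule, refuses production targets unless a change-window approval is recorded.

```python
"""Check a proposed scan target list against the authorized assessment scope.

Added example for this page, not part of the training program. The scope,
exclusions and targets are constructed, and the rule that production hosts
need an explicit approval flag is an assumption made to illustrate scoping.
"""
import ipaddress

# Constructed scope, written the way an authorization memo might list it.
SCOPE = {
    # Ranges and hosts the organization has authorized for testing.
    "authorized": ["10.10.0.0/24", "10.10.1.0/24", "192.0.2.10"],
    # Hosts inside authorized ranges that must never be scanned or exploited
    # (e.g. fragile clinical devices); exclusions win over any authorization.
    "excluded": ["10.10.0.250", "10.10.1.0/29"],
    # Environment tag per authorized range; production needs explicit approval.
    "environments": {
        "10.10.0.0/24": "development",
        "10.10.1.0/24": "production",
        "192.0.2.10": "production",
    },
}


def _networks(entries):
    """Parse CIDR strings (bare addresses become /32 or /128 networks)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def _environment(net, scope):
    """Environment name for an authorized network, or 'unknown' if untagged."""
    for cidr, name in scope["environments"].items():
        if ipaddress.ip_network(cidr, strict=False) == net:
            return name
    return "unknown"


def check_target(target, scope, production_approved=False):
    """Decide whether one target (IP or CIDR) may be tested.

    Returns (allowed, detail): detail is the environment name when allowed,
    otherwise the reason for rejection. Raises ValueError for malformed input.
    """
    net = ipaddress.ip_network(target, strict=False)
    # 1. Exclusions first: one excluded host inside a CIDR target rejects the
    #    whole target, so the tester has to split the range around it.
    if any(net.overlaps(x) for x in _networks(scope["excluded"])):
        return False, "overlaps excluded host(s)"
    # 2. The target must sit entirely inside one authorized range.
    holders = [
        a for a in _networks(scope["authorized"])
        if a.version == net.version and net.subnet_of(a)
    ]
    if not holders:
        return False, "outside authorized scope"
    # 3. Production ranges require a recorded change-window approval (assumed rule).
    env = _environment(holders[0], scope)
    if env == "production" and not production_approved:
        return False, "production target without change-window approval"
    return True, env


def plan_assessment(targets, scope, production_approved=False):
    """Split a proposed target list into what may run and what was rejected, with reasons."""
    plan = {"run": [], "rejected": []}
    for t in targets:
        try:
            ok, detail = check_target(t, scope, production_approved)
        except ValueError:
            ok, detail = False, "not a valid IP address or CIDR"
        plan["run" if ok else "rejected"].append((t, detail))
    return plan


if __name__ == "__main__":
    proposed = ["10.10.0.15", "10.10.0.250", "10.10.1.8/29", "10.10.1.0/28",
                "203.0.113.5", "192.0.2.10", "not-an-ip"]
    for key, items in plan_assessment(proposed, SCOPE).items():
        for target, detail in items:
            print(f"{key:8s} {target:16s} {detail}")
```

Rejected targets carry the reason, so the tester can split a CIDR around an excluded host or obtain the missing approval instead of silently dropping or, worse, silently scanning it.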
20. Disaster Recovery. Documented Business Continuity and Disaster Recovery Planning (BCDRP) is vital to protecting all assets along with ensuring rapid resumption of critical services in a timely manner. Because disasters and business interruptions are extremely difficult to predict, it is the responsibility of authorized personnel to have in place a fully functioning BCDRP process, and one that also includes specific policies, procedures, and supporting initiatives relating to all system components.
Security Awareness Resources
Listed below are numerous resources for helping employees gain a stronger understanding of the broader topic of information security, such as resources relating to fraud and other important safety considerations for today's information technology world. Security awareness is broad, in-depth, complex, and constantly evolving - requiring a true commitment from all individuals for helping protect critical organizational assets along with their own personal assets.

Privacy Rights Clearinghouse (www.privacyrights.org)
Privacy Rights Clearinghouse is a California nonprofit corporation with 501(c)(3) tax exempt status. Their mission is to engage, educate and empower individuals to protect their privacy, effectively identifying trends and communicating their findings to advocates, policymakers, industry, media and consumers.

The National Check Card Fraud Center (http://www.ckfraud.org)
According to their mission statement, the National Check Fraud Center is "a private organization that provides nationwide, updated multi-source information and intelligence to support local law enforcement, federal agencies, financial and retail communities in the detection, investigation and the prosecution of known check fraud and white collar crimes." If you have been a victim of white collar fraud or are aware of possible fraudulent schemes and activities, you may contact them at 843-571-2143.