Information Managers

Safeguards: The What, Why, and How

Posted on July 14, 2019 by Meghan Davenport in Blog

Guest Blog Post by Tamara Beitel

Health Information Management Student, Centre for Distance Education, May 2015

 

Picture this: the reception room of the clinic is clean and organized, and the patients are happy because they are seen quickly by an efficient, positive and qualified healthcare team. This is what happens when a clinic has taken the time to design its safeguards.

What are safeguards? Why are they important to you? How do you implement these safeguards into your clinic/office?

These are important questions to consider when thinking about safeguards. Implementing safeguards will make your clients/patients feel more confident that their personal information is safe. They will be more willing to share their information.

Why should you safeguard health information?

Safeguarding health information protects your business and your reputation, and it helps employees understand privacy, security and confidentiality. When your clients/patients see that you are actively making sure their personal information is safe, they feel more confident sharing that information, knowing it will be protected.

What are safeguards?

There are three types of safeguards to use in maintaining the privacy and confidentiality of health information in your clinic.

Administrative safeguards are the policies, procedures and other written documents that govern how information is handled. They direct staff on how to access patient information properly, require privacy training for staff, set out how the policies and procedures themselves are monitored, describe how privacy complaints and inquiries are received and answered, and cover the transfer, retention and destruction of personal information held on electronic devices.

Privacy breach management is part of this: procedures that help prevent a breach and that set out what to do when one occurs. The blog post When is a privacy breach a privacy breach? discusses the repercussions of not having breach policies in place and the legislation that exists to safeguard personal information from breaches. When a breach occurs, acknowledge it, take the proper steps to address it, and learn from it so that the same mistake is not repeated.

Examples of Policies and Procedures:

  • Signed oaths of confidentiality for all affiliates
  • Screens should be private and not viewable from public areas
  • Prohibit disclosure of patient diagnostic, treatment and care information over the phone, even to an individual who claims to be the patient

Technical safeguards are the controls that protect personally identifiable and health information and regulate who can reach it. They include electronic devices, surveillance cameras, security systems and telephone systems. The rest of this section focuses on electronic health information and computer networks.

Audits of the security and computer systems are vital to maintaining the privacy and security of personal information. Through audits you can enforce compliance with the policies and procedures and see where changes, if any, are needed. Audits also make staff aware of the importance of protecting client/patient personal information: they see that access is reviewed and that there are consequences for not following policies and procedures.

You should also be aware of external threats and what they can lead to:

  • identity theft
  • loss of information
  • information shared with unauthorized individuals

Common external threats are malware (malicious software designed to infiltrate or damage a computer system), spyware (a type of malware that collects information, such as key loggers), and irresponsible use of the Internet.

Mitigation strategies include:

  • regular training and refreshers on privacy and security
  • have IT professionals assess the security of any software or hardware additions or changes before they go into use

Examples of technical safeguards in electronic medical records (EMRs) are:

  • Strong passwords
  • Encryption of data
  • Using role-based access to limit access to health information to a need-to-know basis. Access rights can be user-based (secure), role-based (more secure) or context-based, where the decision also depends on circumstances such as whether the user is currently caring for the patient (most secure)
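The three kinds of access rights above, and the audit described earlier, in working code. This is an added example written for this page, not code from the original post or from any particular EMR. The staff accounts, patient identifiers, care-team relationships and the permission table are all constructed, and the policy it enforces (chart access requires a current care relationship, with an audited break-glass override) is a hypothetical clinic policy.

```python
"""Access decisions in an EMR and the audit trail they leave.

Added example, not code from the original post or any EMR. The accounts,
patients, care-team relationships and permission table are constructed; the
policy is a hypothetical clinic policy.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Role-based rights: what each job function may do, regardless of patient.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"chart:read", "chart:write", "billing:read"},
    "nurse": {"chart:read", "chart:write"},
    "receptionist": {"demographics:read", "appointment:write"},
    "billing_clerk": {"billing:read", "demographics:read"},
}
# Context-based rights: these actions also require a current care relationship.
CARE_RELATIONSHIP_ACTIONS = {"chart:read", "chart:write"}


@dataclass
class User:
    user_id: str
    role: str
    active: bool = True  # user-based right: an individual, live account


@dataclass
class Emr:
    users: Dict[str, User]
    care_team: Dict[str, Set[str]]  # patient_id -> user_ids currently treating
    audit_log: List[dict] = field(default_factory=list)

    def decide(self, user_id: str, patient_id: str, action: str,
               break_glass: bool = False) -> Tuple[bool, str]:
        """Evaluate one request, record it, return (allowed, reason)."""
        allowed, reason = self._evaluate(user_id, patient_id, action, break_glass)
        self.audit_log.append({"user": user_id, "patient": patient_id, "action": action,
                               "allowed": allowed, "reason": reason, "break_glass": break_glass})
        return allowed, reason

    def _evaluate(self, user_id, patient_id, action, break_glass):
        # 1. User-based: the account must exist and be active (no shared
        #    logins; departed staff lose access the day they leave).
        user = self.users.get(user_id)
        if user is None or not user.active:
            return False, "user: no active account"
        # 2. Role-based: the action must be permitted for the job function.
        if action not in ROLE_PERMISSIONS.get(user.role, set()):
            return False, f"role: {user.role} may not {action}"
        # 3. Context-based: chart access needs a care relationship with this
        #    patient. A break-glass override is allowed but flagged for audit.
        if action in CARE_RELATIONSHIP_ACTIONS:
            if user_id in self.care_team.get(patient_id, set()):
                return True, "context: on care team"
            if break_glass:
                return True, "context: break-glass override"
            return False, "context: not on care team"
        return True, "role permits"


def audit_findings(log: List[dict]) -> List[dict]:
    """What a privacy officer reviews: every denial (someone reaching for
    information they were not entitled to) and every break-glass access."""
    return [e for e in log if not e["allowed"] or e["break_glass"]]


def demo() -> List[dict]:
    """A handful of constructed requests; returns the audit findings."""
    emr = Emr(users={"dr.lee": User("dr.lee", "physician"),
                     "nurse.kim": User("nurse.kim", "nurse"),
                     "front.desk": User("front.desk", "receptionist"),
                     "ex.staff": User("ex.staff", "nurse", active=False)},
              care_team={"P-1001": {"dr.lee", "nurse.kim"}, "P-2002": {"dr.lee"}})
    emr.decide("nurse.kim", "P-1001", "chart:read")               # allowed
    emr.decide("nurse.kim", "P-2002", "chart:read")               # denied: context
    emr.decide("front.desk", "P-1001", "chart:read")              # denied: role
    emr.decide("front.desk", "P-1001", "appointment:write")       # allowed
    emr.decide("ex.staff", "P-1001", "chart:read")                # denied: user
    emr.decide("nurse.kim", "P-2002", "chart:read", break_glass=True)  # flagged
    return audit_findings(emr.audit_log)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Every decision, allowed or denied, is written to the audit log, so the review step is simply a query over that log: audit_findings pulls out the denials (attempts to reach information the person was not entitled to) and the break-glass accesses, which must be justified after the fact. Disabling an account rather than deleting it keeps the departed user's history in the log.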

Physical safeguards are the physical measures used to protect electronic health information from unauthorized access: precautions against break-ins and the theft of computers and files, physical barriers and control procedures against threats to personal information, and policies and procedures on locking up at night, computer etiquette, and office set-up (how and where computers, fax machines and the like are placed).

Examples of physical safeguards are:

  • Limiting access to the building, clinic and storage areas
  • Alarms and security cameras, doors and locks, lighting
  • Placing fax machines and printers out of sight and reach of public areas

Safeguards Next Steps

All three of the safeguards should be used in conjunction with each other. The use of these safeguards will help protect your client/patient information from breach, identity theft, loss and unauthorized access. You have the power to make the clinic/office safe from threats to security, privacy and confidentiality. Your clients/patients will know that you have taken all reasonable steps to ensure that their personal information has been protected and appreciate it. It is beneficial to your clinic to review all of your safeguard measures with staff and have regular audits, reviews, updates to the policies and procedures, systems, and security of the clinic. There are many self-assessment tools available from the Privacy Commissioners in the provinces and from the federal government. See the resources below.

 

About the author: Tamara Beitel has successfully completed the Health Information Management Diploma at Centre for Distance Education and is currently preparing to challenge the National Certification Exam in July 2015. Tamara is looking forward to working as a Certified Health Information Management (CHIM) professional in the area of policy and privacy protection in the Calgary area.

Resources

Privacy Awareness Training - Corridor Interactive - Privacy Awareness in Healthcare: Essentials

Jean Eaton, When is privacy breach a privacy breach? https://informationmanagers.ca/privacy-breach-privacy-breach/

Office of the Information and Privacy Commissioner of Alberta

Office of the Privacy Commissioner of Canada

best practice, clinic management, good security practices, privacy, privacy breach, Safeguards, security

How do you manage USB’s?

Posted on October 18, 2016 by Jean Eaton in Blog

October is Cyber Security Awareness Month! Information Managers is celebrating by hosting our annual 15 Day Privacy Challenge. The 15 Day Privacy Challenge is a fun, no cost educational opportunity on privacy and security.

Privacy Challenge #4

We love to use USB sticks because they are convenient tools to temporarily store and transfer information. However, because they are small and easily lost or stolen, they also pose a huge risk for your confidential information to fall into the wrong hands.

Unfortunately, we rarely take the time to encrypt our data or use other security features on these drives. And if these drives go missing, it often goes unnoticed, which means the USB memory stick truly is a weak link in our information security.

How would you know if a device was lost?

Would you know what information it contained?

Is it encrypted?

 

Do you want to enjoy the benefits of the internet without the fear of cyber attacks and privacy breaches?

Join us for the Free 15 Day Privacy Challenge for more tips, tools, and templates that you can use right away!

We are proud to be a Champion of National Cyber Security Awareness Month #CyberAware. #15DayPrivacyChallenge.

 

#15DayPrivacyChallenge, #CyberAware, 15 Day Privacy Challenge, good security practices, Practical Privacy Coach, privacy

Is a Hosted Email Solution For You?

Posted on January 29, 2016 by Jean Eaton in Blog

Is your email secure? Backed up? If you suddenly lose your email, calendar, or contact list, this could either be a speed bump in your busy day, or a nightmare that may take days or weeks and a lot of money to recover.

If you use email as temporary communications or your primary method of business, it needs to be managed securely. When you or your staff use email from multiple devices – such as your desktop computer, smart phone, or website – you have additional privacy and security requirements.

Many small businesses have Outlook because it came with their desktop Office software. Recent Microsoft offerings no longer bundle it that way; you are encouraged instead to buy Office 365, where all of your email is stored in the Microsoft cloud.

Some businesses use free email accounts, such as Gmail or Yahoo, where emails, calendars and contact information are held in the public cloud. They are accessible from any internet connection but are difficult to back up to a local device that you control.

If you use email to transact business (employee records, business contacts, company newsletters, subscriptions, financial or consumer purchases, or personally identifying messages) you need to meet privacy and security requirements.

Previous versions of Windows Server Small Business Server (SBS) edition included Microsoft Exchange, so small businesses could run their own in-house email server. Exchange is not included in Windows Server 2012 Essentials (the SBS replacement). Small businesses still have a few options:

  • Buy the Microsoft Exchange Server full licenses, although it can be quite expensive
  • Sign up for Office 365, Microsoft's own hosted (cloud-based) Exchange service, with email hosted in the USA. Offices will need to assess the risk of putting personally identifiable information in email, including sensitive content such as credit card, payroll and health information, when it is stored outside Canada and subject to US legislation and use.
  • Contract with a Canadian hosted Microsoft Exchange service with a Canadian based cloud service provider. This might be a cost effective solution and permit full access to email in an environment which is backed up and more easily accessible.

Features offered with a hosted email service

There are many features offered with a hosted email service:

  • Collaboration is easy as you have access to group calendaring and scheduling, shared contacts, folders and calendars, tasks and task delegation, as well as public email folders.
  • Fully functional email software.
  • Sync to your smart phone, with the provider filtering viruses, spam and malware before delivery and archiving mail automatically. Store as much or as little email as you need, without ads.
  • Anti-phishing, anti-virus and anti-malware scanning is attached to each email connection.
  • The mailbox lives on the server, not only on the device. If a mobile device is lost or stolen, the business mailbox is intact and the synced copy on the device can be wiped remotely; that synced copy is also why the device itself must still be passcode-locked and encrypted.
  • You can apply business rules – for example, emails can be prevented from being forwarded to an employee's home gmail account. Employees can securely work from home.
  • All business data is maintained by the business. So if your employee wins the lottery and doesn't come back to work, all business emails have been maintained in the hosted email and not on an employee's home computer.
  • Data is encrypted during the internet transmission.

To get a Hosted Email, you will need internet access with a data plan. You can continue to use your desktop computer and its cable internet access. When you use mobile devices, you can use your mobile provider data plan (Rogers, Bell, Telus, etc), or connect to a trusted WiFi connection.

You are still responsible for good security practices at your location including:

  • A unique user ID and password for each person on your computer network, including mobile devices
  • Good password management: long, unique passwords for each account, changed promptly if they may have been exposed rather than on a fixed schedule
  • Physical safeguards to ensure that your work locations, including mobile locations, are secure from theft
  • Common-sense awareness: don't open suspicious phishing or spam emails

Business-class Microsoft Exchange email hosting services mean you're always in touch and up-to-date, in the office or on the road accessing your mobile email.

3 Things to look for in a hosted email solution vendor

  • Canadian provider with data centres only in Canada (Alberta preferable)
  • Reputable company with a proven track record
  • Contract that includes:
    • A termination clause: when the contract terminates, the vendor will notify you in advance, allow a local backup or transfer of your data, and validate that your data has been completely and securely deleted from the data centre
    • Encryption at the data centre, so that no one at the data centre can read your information and it is protected if someone breaks into the data centre to steal it. Ask who holds the encryption keys: if the vendor holds them, the vendor's staff (and anyone who compromises the vendor) can still read your mail, so the promise only holds to the extent the keys are kept from them

Confirm your backup plan for your email accounts.  If you don't have one, create a plan.

business associate, BYOD, good security practices, hosted email service, mobile devices, MS Cloud, privacy, SBS, security, Windows Server 2012 Essential

Safer Internet Day

Posted on February 4, 2015 by Jean Daffin in Blog

February 10, 2015

Let’s create a better internet together!

“The theme for this year’s Safer Internet Day celebration is “Let’s create a better Internet together.” The day offers all of us the opportunity to do that – not just by increasing the number of people who use it safely and responsibly but also by growing the amount of good there is online and using the Internet to increase its visibility and impact. We’re talking about expressions of kindness and positive social action, big or small, by people of all ages.”

Start planning for Safer Internet Day: visit http://saferinternetday.us/ to find out how to get involved. #NCSAM

#NCSAM, good security practices, Internet, Practice Management Mentor, Safer Internet Day, security

ITPG announces Free Security Tools!

Posted on December 17, 2014 by Jean Daffin in Blog

Access Free Security Tools through the holiday season!

ITPG is an award-winning provider of professional education and certification programs, cyber security and GRC services. ITPG offers a broad range of services, including helping associations and organizations educate and certify professionals, manage end-user and customer awareness programs, and maintain compliance standards and practices.

From now through the holiday season, ITPG will be offering free access to new training sessions. To find out more visit Free Security Tools.org

“Free Security Tools was created by ITPG to give security professionals an opportunity to utilize special instruments and discounted certification training that may not be offered to them anywhere else”

Join ITPG on Twitter

 

best practice, good security practices, Practice Management Mentor

Corporate Security – a must for any business or organization

Posted on August 25, 2014 by Jean Daffin in PMN Replay

Do you ever worry about the safety of your employees? Your patients? Your business assets?

Then this expert interview in the Practice Management Series is for you!

Dave Rodwell developed his investigative acumen and expertise over a span of 28 years of service with the Royal Canadian Mounted Police. Upon retirement from the RCMP, Dave entered the field of private investigation and security consultation work. Dave helps companies and individuals by conducting investigations, assessing their security needs and writing procedural manuals to meet their company needs.

Risk management

Dave will explore current trends of security risks in your healthcare practice and help you identify the steps that you need to take to manage the risks and keep your employees, patients, and your business records secure.  Topics include:

  • Employee theft, shoplifting
  • Exterior crimes against companies
  • New – working alone legislation

Corporate Security – a must for any business or organization

with Dave Rodwell, D.E. Rodwell Investigative Services Ltd.

Recorded Live Thursday, July 31, 2014   12 noon – 12:30 pm MST

 

_________________________________________________________________________
Practice Management Nugget

Our weekly interviews are a hit with practice managers and healthcare providers.

We’ve made it easier for you to attend.  You don’t need to register for each FREE Practice Management Nugget event.

Simply Sign up Now to receive weekly notices of the next Practice Management Nugget guest speaker. Replays of each event will be available for only a limited time.  You only need to sign up once to receive information for all the FREE Practice Management Nugget interviews.

good security practices, Practice Management Mentor, Practice Management Nugget, risk management, security, training, working alone legislation

Are They Watching You?

Posted on February 3, 2014 by Meghan Davenport in Blog

Smart appliances may be too smart for our own good. Take smart TVs, for instance. As this article illustrates, some of these new appliances are particularly vulnerable to hackers. Once compromised, the TVs give access to account information, including login credentials (which owners may also use for more than just their smart-TV account). Even scarier, hackers could gain access to front-facing cameras to see everything happening in the room where the TV is connected. Instead of you watching your favourite program, criminals may be watching you! The same applies to Skype webcams, Xbox and other game consoles with cameras (Kinect, Wii, PlayStation, etc.), laptops, and security cameras.

Once the machine is compromised, hackers can stealthily activate its front-facing camera (available on higher-end smart TVs), hijack a Samsung account, steal credentials by presenting fake login pages and infect other applications on the TV with malware.

Tip: When you are not using the webcam, unplug it!

Other options include:

  • Use a hard wired LAN connection from PC to Smart TV – often more secure than using wireless networking (as wireless is often not installed securely)
  • Unplug the Ethernet cable and / or delete the wireless network connection settings
  • Put tape over the camera and inbuilt mic if included, and put a blank 3.5″ plug into any mic input sockets
  • Don't allow your Smart TV access to any other devices on your network (laptops, PCs, smartphones, tablets)
  • Don't log in from your TV to any websites that have sensitive information
  • Don't reuse passwords on any other sites, especially not high-value sites like banking or email

 

good security practices, mobile devices, privacy, security

Where is Your Encryption Key?

Posted on December 4, 2013 by Jean Eaton in Blog

Good business practices include having regular backup of your key documents, bookkeeping, website, emails, and databases including your Electronic Medical Record (EMR). If your information is personal or sensitive – to you, your client, or your business – the backup should also be encrypted.

Your backup plan should include a backup of your information in a separate location than the source documents. In case of a catastrophic failure – including bad weather, fire, theft – you can access your key information assets quickly. You could manage the backup yourself or outsource it to a remote backup provider.

So here's the question: where is your encryption key? Your encrypted backup files need the key to decrypt them before you can read and use the information (the algorithm is public; the key is the secret). Have you kept a copy of the encryption key in the same place as your source documents? Or have you kept the key in a separate location, away from the source documents and away from the backup files? Have you recorded in your disaster plan how to retrieve the key?

Carl Young of PlanetCom Inc, an IT solutions company in Sherwood Park, AB, reports an increasing number of 'Cryptolocker' attacks on small businesses, where a business is held to ransom to recover its own data. The attackers embed the malware in an email that someone at the business opens. The malware encrypts the data on the computer network, locking out all authorized users until the attackers are paid to restore the data. The ransom varies but is around 1 Bitcoin, which sounds cheap enough but is equivalent to around $1100 USD on the open market.

How can you help yourself? First, make sure you have regular full backups of your computer network. Routinely run a restoration from your backup so that you are sure everything you need, both the source files and the software applications, is actually recoverable. You can't restore encrypted data unless you have your encryption key!

If your backup is on the same computer network that was hacked – or, perhaps, you backup to an external hard drive device that you keep plugged into the network – you will be locked out of both your source data and your backup.

Carl Young suggests taking these steps to prevent being a victim of ‘Cryptolocker':

  1. Backup your data regularly
  2. Encrypt your backup (where needed) and keep your encryption key in a separate, secure location known to more than one key person in the business.
  3. Rotate your backup so that at least one full backup is kept remotely from the source data
  4. Be cybersmart – know how to detect email virus / phishing / scams and install good anti-virus software on your network and your mobile devices that connect to your network. See our blog post “What Not to Do – Keep Your Backup Device Plugged In” for more info.
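Steps 1 to 3 above as a script: the key is generated into a location that is neither the source tree nor the backup destination (and the script checks that), the backup is encrypted and authenticated, and a restore is run against a manifest to prove the data actually comes back. This is an added example, not code from the original post or from PlanetCom. It uses only the Python standard library, so the cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag standing in for AES-256-GCM; for production backups use a vetted library or `openssl enc`. All paths, file names and sample records are constructed.

```python
"""Encrypted backup with the key kept apart from the data, plus a restore test.

Added example, not from the original post. Standard library only: the cipher
is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, a stand-in for
AES-256-GCM; use a vetted library or `openssl enc` for real backups.
"""
import hashlib, hmac, io, os, secrets, tarfile, tempfile
from pathlib import Path

NONCE_LEN, TAG_LEN = 16, 32

def make_key(key_path: Path) -> bytes:
    """Generate a random 256-bit key and store it owner-readable only."""
    key = secrets.token_bytes(32)
    key_path.parent.mkdir(parents=True, exist_ok=True)
    key_path.write_bytes(key)
    os.chmod(key_path, 0o600)
    return key

def key_is_separate(key_path: Path, source: Path, backup_dest: Path) -> bool:
    """The post's question: is the key kept with the source documents or with
    the backup? False if key_path lies under either tree."""
    key = key_path.resolve()
    for root in (source.resolve(), backup_dest.resolve()):
        if key == root or root in key.parents:
            return False
    return True

def _subkeys(key: bytes):
    # Separate keys for confidentiality and integrity, derived from one secret.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Raise ValueError when the key is wrong or the file has been altered."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or corrupted backup")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def backup(source: Path, dest_file: Path, key: bytes) -> dict:
    """Tar the source tree, encrypt it to dest_file and return a manifest of
    SHA-256 digests so a later restore can be checked file by file."""
    buf, manifest = io.BytesIO(), {}
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for f in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = f.relative_to(source).as_posix()
            manifest[rel] = hashlib.sha256(f.read_bytes()).hexdigest()
            tar.add(str(f), arcname=rel)
    dest_file.parent.mkdir(parents=True, exist_ok=True)
    dest_file.write_bytes(encrypt(key, buf.getvalue()))
    return manifest

def restore_and_verify(backup_file: Path, key: bytes, target: Path, manifest: dict) -> bool:
    """The routine restoration the post recommends: decrypt, unpack into a
    scratch directory and confirm every file matches the manifest."""
    data = decrypt(key, backup_file.read_bytes())
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile():
                out = target / member.name
                out.parent.mkdir(parents=True, exist_ok=True)
                out.write_bytes(tar.extractfile(member).read())
    return all((target / rel).is_file()
               and hashlib.sha256((target / rel).read_bytes()).hexdigest() == digest
               for rel, digest in manifest.items())

def demo() -> dict:
    """Constructed clinic tree, key in a third location, backup, restore test."""
    root = Path(tempfile.mkdtemp())
    src, off_site, key_path = root / "clinic", root / "offsite", root / "keysafe" / "backup.key"
    (src / "emr").mkdir(parents=True)
    (src / "emr" / "chart.txt").write_text("constructed sample record\n")
    (src / "ledger.csv").write_text("constructed,sample,ledger\n" * 200)
    key = make_key(key_path)
    manifest = backup(src, off_site / "clinic.tar.enc", key)
    restore_ok = restore_and_verify(off_site / "clinic.tar.enc", key, root / "restore-test", manifest)
    try:  # the point of step 2: without the key, nothing comes back
        decrypt(secrets.token_bytes(32), (off_site / "clinic.tar.enc").read_bytes())
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return {"root": root, "key_separate": key_is_separate(key_path, src, off_site),
            "manifest": manifest, "restore_ok": restore_ok,
            "wrong_key_rejected": wrong_key_rejected}

if __name__ == "__main__":
    print(demo())
```

The manifest is what turns "we have a backup" into "we have checked that the backup restores": restore_and_verify fails if any file is missing or differs, which is the test the post says to run routinely. key_is_separate is the other check worth automating, since a key sitting in the source tree or next to the backup is exactly what a Cryptolocker-style infection or a stolen drive takes with it; in this construction a wrong key is rejected outright rather than producing garbage, because the tag is checked before anything is decrypted.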

backup, encryption, external hard drive backup, good security practices


Copyright 2020 Information Managers Ltd.