logging in or signing up SPC0551 Beverly_Hunk Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINTLite Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 82 Category: News & Reports.. License: All Rights Reserved Like it (0) Dislike it (0) Added: October 03, 2007 This Presentation is Public Favorites: 0 Presentation Description No description available. Comments Posting comment... Premium member Presentation Transcript Creating Confidentiality Agreements that Protect Data and Privacy: The Challenge of Keeping up With Changes in State and Federal Regulations: Creating Confidentiality Agreements that Protect Data and Privacy: The Challenge of Keeping up With Changes in State and Federal Regulations Elaine S. Reber California Institute of Technology Agenda: Agenda Speaker’s Qualifications Background Focus/Goal Access to Data Noteworthy Federal and State Laws Policies versus Confidentiality Statements What do we need to protect data? Summary Questions and AnswersSpeaker’s Qualifications: Speaker’s Qualifications Associate Director of Infrastructure for Administrative Applications for Caltech Oversees the areas of System Administration, Database Administration, Operations, Applications Security, and TelecommunicationsBackground: Background Caltech’s Mission: To expand human knowledge and benefit society by developing creative scientists and engineers Students: 900 undergraduates and 1200 graduates Faculty: 300 Full Time and 700 post-doctoral fellows Staff: 2,000 Research Funding: Over $200 million Total Budget: ~ $500 million Caltech administers the JPL (Jet Propulsion Laboratory) budget for NASA. Background (continued): Background (continued) July 1999 – Caltech upgraded its network and replaced of its legacy administrative systems with new applications, including: Oracle HRMS and Financials on 10.7 Network Computing Architecture (NCA) Exeter Student System Famis Job Costing System CEI Purchasing Card System Since 1999, Caltech has upgraded all of its administrative applications multiple times and has added several 3rd party applications and tools. Focus/Goal: Focus/Goal Understand the challenges of protecting personal data, student information, and financial and business records that we maintain for our community (students, faculty, staff, etc.)Focus/Goal – continued: Focus/Goal – continued Be aware of the laws and regulations that protect the privacy of data Recognize that security and privacy are different, but security is essential to privacy1 Make recommendations to create more robust data security environments on our campuses 1. Dr. Michael Zastrocky, “Higher Education and IT: What’s in the Future, http://www.njedge.net/conference2003/presentations/Gartner.pptWho gets access to protected data?: Who gets access to protected data? Internally: Human Resources Finance Student Affairs Development Offices Faculty Health Care Providers Administrative Staff Software Developers Database Administrators Application Security Staff Business Analysts Internal Auditors Others Who gets access to protected data? (continued): Who gets access to protected data? (continued) Externally: External Auditors 3rd Party Vendors Gov’t Offices Law Enforcement Officials Schools Requesting Transcripts Organizations Conducting Certain Types of Studies Others What is the Process for Internal Staff to get Access to Data? : What is the Process for Internal Staff to get Access to Data? Identify Data Needs Identify Appropriate Responsibilities / Privileges Submit Access Request Form/s Obtain Approvals May receive Training May sign Confidentiality / Non-disclosure Agreement or Implied Consent Receive Logon Credentials from Application Security Office Is that protocol for getting data access sufficient to protect the privacy, security, and integrity of our Institutions’ data? : Is that protocol for getting data access sufficient to protect the privacy, security, and integrity of our Institutions’ data? Slide12: …in a perfect world, YES! But in this world, we face: Hackers Viruses Cyber takeovers S/W with security holes H/W with security holes Stolen laptops Opportunists Etc. Perhaps, the laws surrounding privacy of data will fill in the gaps: Perhaps, the laws surrounding privacy of data will fill in the gapsNoteworthy Federal and State Laws: Noteworthy Federal and State Laws FEDERAL: 1974 – Family Education Right To Privacy Act (FERPA) 1996 – Health Insurance Portability and Accountability Act (HIPAA) 1999 – Financial Services Modernization Act (Gramm-Leach Bliley Act) 2002 – Sarbanes-Oxley (SOX) STATE: 1977 – California Information Practices Act Family Educational Rights And Privacy Act of 1974 - FERPA (20 U.S.C § 1232g): Family Educational Rights And Privacy Act of 1974 - FERPA (20 U.S.C § 1232g) FERPA, also known as the Buckley Amendment, is a federal law that protects the privacy of student education records. It is administered by the Family Policy Compliance Office (FPCO) at the U.S. Education Department.1 The Act went into law on 19 November 1974 and has been amended several times since its enactment. It applies to all educational agencies and institutions that are the recipients of federal funding.2 Schools are required to notify parents and eligible students annually of their rights under FERPA.3 1. http://chronicle.com/cgi-bin/printable.cgi?article=http://dhronicle.com/weekly/v50/i06/06a02202.htm 2. http://www.ed.gov/print/policy/gen/guid/fpco/ferpa/leg-history.html 3. Ibid. FERPA - continued (20 U.S.C § 1232g): FERPA - continued (20 U.S.C § 1232g) Schools may not furnish or release identifiable personal information without written consent specifying the records to be released, the reasons for release, and parties to whom they are being released.1 The same rules apply to third parties acting on behalf of the schools.2 The act also provides the “eligible student” (18 years or older or attending post-secondary school) and parents the right to inspect and review education records, to seek to amend those records, and to limit disclosure of information from those records.3 1. http://www.ed.gov/print/policy/gen/guid/fpco/ferpa/leg-history.html 2. http://nces.ed.gov/pubs97/web/97859.asp 3. http://www.ed.gov/print/policy/gen/guid/fpco/ferpa/index.html FERPA - continued (20 U.S.C § 1232g): FERPA - continued (20 U.S.C § 1232g) Any data collected by authorized officials must be protected from unauthorized access. It is the requester’s responsibility to destroy the data after it is no longer needed.1 Each school is required to keep a record of every request for student education information. Only the parents, the “eligible student”, and school officials responsible for the custody of records and auditing the system may see this information.2 1. http://www.epic.org/privacy/education/ferpa.html 2. http://www.ed.gov/print/policy/gen/guid/fpco/ferpa/leg-history.html FERPA - continued (20 U.S.C § 1232g): FERPA - continued (20 U.S.C § 1232g) Growing demands for institutional accountability, greater transparency, and national security have increased the challenge of protecting student data.1 Various State Freedom-of-Information Acts, The 2001 USA Patriot Act, and the 2001 No Child Left Behind Act also require schools to provide student information under certain circumstances. 1. http://chronicle.com/prm/weekly/v50/i42/42b00401.htm 2. http://chronicle.com/prm/weekly/v50/i42/42b00401.htm 3. http://www.ed.gov/print/policy/gen/guid/fpco/ferpa/leg-history.html FERPA - continued (20 U.S.C § 1232g): FERPA - continued (20 U.S.C § 1232g) The National Center for Education Statistics (NCES) is studying the feasibility of requiring colleges to provide “unit record (individually identifiable)” data rather than “aggregate” data for reporting.1 Officials at the Department of Education claim that “unit record” data would make it easier to measure a college’s retention and graduation rates and the net cost of tuition after financial aid is taken into account.2 FERPA would need to be amended to allow the release of student records without permission from the parents or student.3 1. CLHE, The Campus Privacy Letter, Volume 1, No.1, December 2004; http://www.clhe.org/campusprivacy/cplv1n1.pdf 2. Ibid. 3. http://chronicle.com/weekly/v5/i14/14a2201.htm Health Insurance Portability and Accountability Act (HIPAA): Health Insurance Portability and Accountability Act (HIPAA) HIPAA was implemented in 1996. The final HIPAA Security Rule establishing health data security standards was published in 2003. The main goals of HIPAA are to: Make the health care system more efficient, especially through increased use of electronic resources, and Make health insurance more portable (“portability”) when persons change employers. 1, 1. http://privacy.med.miami.edu/glossary/xd_hipaa.htm HIPAA (continued): HIPAA (continued) HIPAA protects private health information. Health plans, health care clearinghouses, health providers, and other organizations that process, transmit, and/or store Protected Health Information (PHI) in electronic form are covered by the Act.1 PHI is any individually identifiable health information. HIPAA is administered by the federal Department of Health and Human Services. 1. Marne Gordon, HIPAA Security Standards Cybertrust Implementation and Strategy and Management, 2005, http://www.trusecure.com/cgi-bin/download.cgi?ESCD=W0188&file=wp_HIPAA_Cybertrust.pdf HIPAA (continued): HIPAA (continued) In general, covered entities are required to: Ensure the confidentiality, integrity, and availability of all electronic PHI they create, receive, maintain, or transmit Protect against threats or hazards to the security and integrity of the PHI Protect against unauthorized disclosures of PHI Ensure compliance by employees of the covered organization1 1. Marne Gordon, HIPAA Security Standards Cybertrust Implementation and Strategy and Management, 2005, http://www.trusecure.com/cgi-bin/download.cgi?ESCD=W0188&file=wp_HIPAA_Cybertrust.pdf HIPAA, FERPA, and State Laws: HIPAA, FERPA, and State Laws The definition of protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA), specifically excludes identifiable health information in "education records" subject to the Family Education Rights and Privacy Act (FERPA, 20 USC 1232g).1 FERPA provides privacy protections for student health records held by federally funded educational institutions.2 If State laws are more stringent than HIPAA, then HIPAA gives way to State law.3 1. http://privacy.med.miami.edu/glossary/xd_education_records.htm 2. Ibid. 3. http://www.bowditch.com/PDF/HIPPA.pdf Financial Services Modernization Act of 1999 – Gramm-Leach Bliley Act (GLB): Financial Services Modernization Act of 1999 – Gramm-Leach Bliley Act (GLB) The GLB establishes federal requirements for safeguarding non-public personal information collected by financial institutions. There are three principal parts to the GLB privacy requirements: The Financial Privacy Rule governs the collection and disclosure of customers’ personal financial information. The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Pretexting Provision of the GLB Act protects consumers from individuals and companies that obtain their personal financial information under false pretenses, a practice known as “pretexting.” 1. http://www.ftc.gov/privacy/glbact/ Gramm-Leach Bliley Act (GLB) - continued: Gramm-Leach Bliley Act (GLB) - continued The GLB requires financial institutions to establish an information security program that will: Insure the security and confidentiality of customer information; Protect against any anticipated threats or hazards to the security or integrity of such information; and Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.1 1. Federal Register / Vol. 67, No. 100 / Thursday, May 23, 2002 / Rules and Regulations Gramm-Leach Bliley Act (GLB) - continued: Gramm-Leach Bliley Act (GLB) - continued The GLB preempts only “inconsistent” state laws. It sets a minimum standard beyond which states may pass stricter laws.1 1. http://www.the-dma.org/government/grammleachblileyact.shtml Sarbanes-Oxley Act of 2002 (SOX): Sarbanes-Oxley Act of 2002 (SOX) SOX sets new financial accountability standards for publicly held companies and their audit firms. SOX does not apply to nonprofits, but companies that rate bonds for universities advise them to follow its guidelines. Investors are asking for “more disclosure and transparency of information.”1 Officials in several States (California, Maryland, and New York) have proposed legislation to require nonprofits to follow the same rules as publicly traded companies.2 1. http://chronicle.com/weekly/v50/i23/23a02602.htm 2. http://chronicle.com/weekly/v50/i18/18a03201.htm SOX - continued: SOX - continued Some universities have already adopted reforms in response to SOX, such as: Clarifying procedures for preparation and certification of financial statements Establishing policies for disclosure of transactions not usually included in main budget reports Creating standards for audit committees of governing boards Modifying code of ethics for senior financial officers Increasing protection for whistle-blowers1 1. http://chronicle.com/weekly/v50/i18/18a03201.htmPrivacy Coverage Compared1: Privacy Coverage Compared1 1. http://www.usmd.edu/Leadership/USMOffice/AdminFinance/itcc/day/regissues.ppt Security Requirements Compared1: Security Requirements Compared1 1. http://www.usmd.edu/Leadership/USMOffice/AdminFinance/itcc/day/regissues.ppt California Information Practices Act (California Civil Code §§1798): California Information Practices Act (California Civil Code §§1798) Applies to California state agencies, including state-funded educational institutions. Does not apply to student records, but does apply to records of potential students before enrollment, i.e., records of applicants for admission.1 Establishes requirements for the collection, maintenance, and dissemination of any information that identifies or describes an individual.2 1. http://www.ucop.edu/ucophome/policies/bfb/rmp8.html 2. Ibid.California Information Practices Act (California Civil Code §§1798) - continued: California Information Practices Act (California Civil Code §§1798) - continued Any information that identifies or describes an individual, the disclosure of which would constitute an unwarranted invasion of personal privacy, is considered personal information. Common types of personal information are: Birth date Citizenship Social Security Number Income Tax Withholding Information Performance evaluations Letter of corrective actions Names of spouse or other relatives1 1. http://www.ucop.edu/ucophome/policies/bfb/rmp8.htmlCalifornia Information Practices Act (California Civil Code §§1798) - continued: California Information Practices Act (California Civil Code §§1798) - continued In recent years, the Act has been amended to require: Notification of security breaches involving personal information1 Greater protection of Social Security Numbers (SSNs) by: Reducing collection of SSNs Explaining the purpose of the collection, the intended use, whether it is mandatory, and consequences of refusing to provide SSN Eliminating public display of SSNs Controlling access to SSNs Improving security safeguards Making the organization accountable for protecting SSNs2 1. http://www.privacy.ca.gov/recommendations/secbreach.pdf 2. http://www.privacy.ca.gov/recommendations/ssnrecommendations.pdf Are the laws really sufficient to protect the privacy, security, and integrity of our Institutions’ data? : Are the laws really sufficient to protect the privacy, security, and integrity of our Institutions’ data? Slide35: …in a perfect world, YES! But in this world, we face: Hackers Viruses Cyber takeovers S/W with security holes H/W with security holes Opportunists Legislation is not enough Maybe policies and confidentiality agreements will fill in the gaps.: Maybe policies and confidentiality agreements will fill in the gaps.What is a Policy?: What is a Policy? A policy is “a definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions.”1 1. Webster’s Ninth New Collegiate DictionaryWhat is a Confidentiality Agreement?: What is a Confidentiality Agreement? A Confidentiality Agreement (or Non-disclosure Agreement) is a document that, when signed, will allow one party to discuss their confidential information (including their work and ideas) with other interested parties. It legally binds those parties to keep the information confidential and not to disclose it to third parties. 1. King’s College of London: Technology Transfer Group What is a Confidentiality Agreement? (continued) : What is a Confidentiality Agreement? (continued) A Confidentiality Agreement should give the purpose for the disclosure and also state that the receiving party shall not be permitted to use the confidential information for any purpose except the one defined in the agreement (e.g., to evaluate their interest in collaborating/investing in the ideas/work).1 1. King’s College of London: Technology Transfer Group Will policies and confidentiality statements increase the likelihood that we can protect the privacy, security, and integrity of our Institutions’ data? : Will policies and confidentiality statements increase the likelihood that we can protect the privacy, security, and integrity of our Institutions’ data? Not really…. Then, what do we Need?: Not really…. Then, what do we Need? Commitment from the University Leadership IT security group/CSO Resources Institute Privacy Policies Not really…. Then, what do we Need? (cont): Not really…. Then, what do we Need? (cont) Institute Policies for the Acceptable Use of Electronic Information Resources Confidentiality/ Non-Disclosure Agreements or Implied Consent Active User Awareness Training Periodic Risk Assessments Firewalls SSL Not really…. Then, what do we Need? (cont): Not really…. Then, what do we Need? (cont) Strong Authentication / Single Sign On Authorization Anti Virus Software Vigilant Network Monitoring Incident Reporting EnforcementPeer Survey - Data Privacy Policies: Peer Survey - Data Privacy PoliciesSummary : Summary To protect the privacy of our data; we need Legislation Institute commitment Institute policy statements Confidentiality statements User awareness training programs Develop Best Practices Pro-Active Network Monitoring Antivirus ProtectionSummary : Summary Authentication/Authorization Utilize the experts Legal Department Risk Management Human Resources Security Department Local Law Enforcement Peer Institutions Enforcement Questions and Answers: Questions and Answers Thank you! Elaine.reber@caltech.edu : Thank you! Elaine.reber@caltech.edu You do not have the permission to view this presentation. In order to view it, please contact the author of the presentation.
SPC0551 Beverly_Hunk Download Post to : URL : Related Presentations : Share Add to Flag Embed Email Send to Blogs and Networks Add to Channel Uploaded from authorPOINTLite Insert YouTube videos in PowerPont slides with aS Desktop Copy embed code: (To copy code, click on the text box) Embed: URL: Thumbnail: WordPress Embed Customize Embed The presentation is successfully added In Your Favorites. Views: 82 Category: News & Reports.. License: All Rights Reserved Like it (0) Dislike it (0) Added: October 03, 2007 This Presentation is Public Favorites: 0 Presentation Description No description available. Comments Posting comment... Premium member Presentation Transcript Creating Confidentiality Agreements that Protect Data and Privacy: The Challenge of Keeping up With Changes in State and Federal Regulations: Creating Confidentiality Agreements that Protect Data and Privacy: The Challenge of Keeping up With Changes in State and Federal Regulations Elaine S. Reber California Institute of Technology Agenda: Agenda Speaker’s Qualifications Background Focus/Goal Access to Data Noteworthy Federal and State Laws Policies versus Confidentiality Statements What do we need to protect data? Summary Questions and AnswersSpeaker’s Qualifications: Speaker’s Qualifications Associate Director of Infrastructure for Administrative Applications for Caltech Oversees the areas of System Administration, Database Administration, Operations, Applications Security, and TelecommunicationsBackground: Background Caltech’s Mission: To expand human knowledge and benefit society by developing creative scientists and engineers Students: 900 undergraduates and 1200 graduates Faculty: 300 Full Time and 700 post-doctoral fellows Staff: 2,000 Research Funding: Over $200 million Total Budget: ~ $500 million Caltech administers the JPL (Jet Propulsion Laboratory) budget for NASA. Background (continued): Background (continued) July 1999 – Caltech upgraded its network and replaced of its legacy administrative systems with new applications, including: Oracle HRMS and Financials on 10.7 Network Computing Architecture (NCA) Exeter Student System Famis Job Costing System CEI Purchasing Card System Since 1999, Caltech has upgraded all of its administrative applications multiple times and has added several 3rd party applications and tools. Focus/Goal: Focus/Goal Understand the challenges of protecting personal data, student information, and financial and business records that we maintain for our community (students, faculty, staff, etc.)Focus/Goal – continued: Focus/Goal – continued Be aware of the laws and regulations that protect the privacy of data Recognize that security and privacy are different, but security is essential to privacy1 Make recommendations to create more robust data security environments on our campuses 1. Dr. Michael Zastrocky, “Higher Education and IT: What’s in the Future, http://www.njedge.net/conference2003/presentations/Gartner.pptWho gets access to protected data?: Who gets access to protected data? Internally: Human Resources Finance Student Affairs Development Offices Faculty Health Care Providers Administrative Staff Software Developers Database Administrators Application Security Staff Business Analysts Internal Auditors Others Who gets access to protected data? (continued): Who gets access to protected data? (continued) Externally: External Auditors 3rd Party Vendors Gov’t Offices Law Enforcement Officials Schools Requesting Transcripts Organizations Conducting Certain Types of Studies Others What is the Process for Internal Staff to get Access to Data? : What is the Process for Internal Staff to get Access to Data? Identify Data Needs Identify Appropriate Responsibilities / Privileges Submit Access Request Form/s Obtain Approvals May receive Training May sign Confidentiality / Non-disclosure Agreement or Implied Consent Receive Logon Credentials from Application Security Office Is that protocol for getting data access sufficient to protect the privacy, security, and integrity of our Institutions’ data? : Is that protocol for getting data access sufficient to protect the privacy, security, and integrity of our Institutions’ data? Slide12: …in a perfect world, YES! But in this world, we face: Hackers Viruses Cyber takeovers S/W with security holes H/W with security holes Stolen laptops Opportunists Etc. Perhaps, the laws surrounding privacy of data will fill in the gaps: Perhaps, the laws surrounding privacy of data will fill in the gapsNoteworthy Federal and State Laws: Noteworthy Federal and State Laws FEDERAL: 1974 – Family Education Right To Privacy Act (FERPA) 1996 – Health Insurance Portability and Accountability Act (HIPAA) 1999 – Financial Services Modernization Act (Gramm-Leach Bliley Act) 2002 – Sarbanes-Oxley (SOX) STATE: 1977 – California Information Practices Act Family Educational Rights And Privacy Act of 1974 - FERPA (20 U.S.C § 1232g): Family Educational Rights And Privacy Act of 1974 - FERPA (20 U.S.C § 1232g) FERPA, also known as the Buckley Amendment, is a federal law that protects the privacy of student education records. It is administered by the Family Policy Compliance Office (FPCO) at the U.S. Education Department.1 The Act went into law on 19 November 1974 and has been amended several times since its enactment. It applies to all educational agencies and institutions that are the recipients of federal funding.2 Schools are required to notify parents and eligible students annually of their rights under FERPA.3 1. http://chronicle.com/cgi-bin/printable.cgi?article=http://dhronicle.com/weekly/v50/i06/06a02202.htm 2. http://www.ed.gov/print/policy/gen/guid/fpco/ferpa/leg-history.html 3. Ibid. FERPA - continued (20 U.S.C § 1232g): FERPA - continued (20 U.S.C § 1232g) Schools may not furnish or release identifiable personal information without written consent specifying the records to be released, the reasons for release, and parties to whom they are being released.1 The same rules apply to third parties acting on behalf of the schools.2 The act also provides the “eligible student” (18 years or older or attending post-secondary school) and parents the right to inspect and review education records, to seek to amend those records, and to limit disclosure of information from those records.3 1. http://www.ed.gov/print/policy/gen/guid/fpco/ferpa/leg-history.html 2. http://nces.ed.gov/pubs97/web/97859.asp 3. http://www.ed.gov/print/policy/gen/guid/fpco/ferpa/index.html FERPA - continued (20 U.S.C § 1232g): FERPA - continued (20 U.S.C § 1232g) Any data collected by authorized officials must be protected from unauthorized access. It is the requester’s responsibility to destroy the data after it is no longer needed.1 Each school is required to keep a record of every request for student education information. Only the parents, the “eligible student”, and school officials responsible for the custody of records and auditing the system may see this information.2 1. http://www.epic.org/privacy/education/ferpa.html 2. http://www.ed.gov/print/policy/gen/guid/fpco/ferpa/leg-history.html FERPA - continued (20 U.S.C § 1232g): FERPA - continued (20 U.S.C § 1232g) Growing demands for institutional accountability, greater transparency, and national security have increased the challenge of protecting student data.1 Various State Freedom-of-Information Acts, The 2001 USA Patriot Act, and the 2001 No Child Left Behind Act also require schools to provide student information under certain circumstances. 1. http://chronicle.com/prm/weekly/v50/i42/42b00401.htm 2. http://chronicle.com/prm/weekly/v50/i42/42b00401.htm 3. http://www.ed.gov/print/policy/gen/guid/fpco/ferpa/leg-history.html FERPA - continued (20 U.S.C § 1232g): FERPA - continued (20 U.S.C § 1232g) The National Center for Education Statistics (NCES) is studying the feasibility of requiring colleges to provide “unit record (individually identifiable)” data rather than “aggregate” data for reporting.1 Officials at the Department of Education claim that “unit record” data would make it easier to measure a college’s retention and graduation rates and the net cost of tuition after financial aid is taken into account.2 FERPA would need to be amended to allow the release of student records without permission from the parents or student.3 1. CLHE, The Campus Privacy Letter, Volume 1, No.1, December 2004; http://www.clhe.org/campusprivacy/cplv1n1.pdf 2. Ibid. 3. http://chronicle.com/weekly/v5/i14/14a2201.htm Health Insurance Portability and Accountability Act (HIPAA): Health Insurance Portability and Accountability Act (HIPAA) HIPAA was implemented in 1996. The final HIPAA Security Rule establishing health data security standards was published in 2003. The main goals of HIPAA are to: Make the health care system more efficient, especially through increased use of electronic resources, and Make health insurance more portable (“portability”) when persons change employers. 1, 1. http://privacy.med.miami.edu/glossary/xd_hipaa.htm HIPAA (continued): HIPAA (continued) HIPAA protects private health information. Health plans, health care clearinghouses, health providers, and other organizations that process, transmit, and/or store Protected Health Information (PHI) in electronic form are covered by the Act.1 PHI is any individually identifiable health information. HIPAA is administered by the federal Department of Health and Human Services. 1. Marne Gordon, HIPAA Security Standards Cybertrust Implementation and Strategy and Management, 2005, http://www.trusecure.com/cgi-bin/download.cgi?ESCD=W0188&file=wp_HIPAA_Cybertrust.pdf HIPAA (continued): HIPAA (continued) In general, covered entities are required to: Ensure the confidentiality, integrity, and availability of all electronic PHI they create, receive, maintain, or transmit Protect against threats or hazards to the security and integrity of the PHI Protect against unauthorized disclosures of PHI Ensure compliance by employees of the covered organization1 1. Marne Gordon, HIPAA Security Standards Cybertrust Implementation and Strategy and Management, 2005, http://www.trusecure.com/cgi-bin/download.cgi?ESCD=W0188&file=wp_HIPAA_Cybertrust.pdf HIPAA, FERPA, and State Laws: HIPAA, FERPA, and State Laws The definition of protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA), specifically excludes identifiable health information in "education records" subject to the Family Education Rights and Privacy Act (FERPA, 20 USC 1232g).1 FERPA provides privacy protections for student health records held by federally funded educational institutions.2 If State laws are more stringent than HIPAA, then HIPAA gives way to State law.3 1. http://privacy.med.miami.edu/glossary/xd_education_records.htm 2. Ibid. 3. http://www.bowditch.com/PDF/HIPPA.pdf Financial Services Modernization Act of 1999 – Gramm-Leach Bliley Act (GLB): Financial Services Modernization Act of 1999 – Gramm-Leach Bliley Act (GLB) The GLB establishes federal requirements for safeguarding non-public personal information collected by financial institutions. There are three principal parts to the GLB privacy requirements: The Financial Privacy Rule governs the collection and disclosure of customers’ personal financial information. The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Pretexting Provision of the GLB Act protects consumers from individuals and companies that obtain their personal financial information under false pretenses, a practice known as “pretexting.” 1. http://www.ftc.gov/privacy/glbact/ Gramm-Leach Bliley Act (GLB) - continued: Gramm-Leach Bliley Act (GLB) - continued The GLB requires financial institutions to establish an information security program that will: Insure the security and confidentiality of customer information; Protect against any anticipated threats or hazards to the security or integrity of such information; and Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.1 1. Federal Register / Vol. 67, No. 100 / Thursday, May 23, 2002 / Rules and Regulations Gramm-Leach Bliley Act (GLB) - continued: Gramm-Leach Bliley Act (GLB) - continued The GLB preempts only “inconsistent” state laws. It sets a minimum standard beyond which states may pass stricter laws.1 1. http://www.the-dma.org/government/grammleachblileyact.shtml Sarbanes-Oxley Act of 2002 (SOX): Sarbanes-Oxley Act of 2002 (SOX) SOX sets new financial accountability standards for publicly held companies and their audit firms. SOX does not apply to nonprofits, but companies that rate bonds for universities advise them to follow its guidelines. Investors are asking for “more disclosure and transparency of information.”1 Officials in several States (California, Maryland, and New York) have proposed legislation to require nonprofits to follow the same rules as publicly traded companies.2 1. http://chronicle.com/weekly/v50/i23/23a02602.htm 2. http://chronicle.com/weekly/v50/i18/18a03201.htm SOX - continued: SOX - continued Some universities have already adopted reforms in response to SOX, such as: Clarifying procedures for preparation and certification of financial statements Establishing policies for disclosure of transactions not usually included in main budget reports Creating standards for audit committees of governing boards Modifying code of ethics for senior financial officers Increasing protection for whistle-blowers1 1. http://chronicle.com/weekly/v50/i18/18a03201.htmPrivacy Coverage Compared1: Privacy Coverage Compared1 1. http://www.usmd.edu/Leadership/USMOffice/AdminFinance/itcc/day/regissues.ppt Security Requirements Compared1: Security Requirements Compared1 1. http://www.usmd.edu/Leadership/USMOffice/AdminFinance/itcc/day/regissues.ppt California Information Practices Act (California Civil Code §§1798): California Information Practices Act (California Civil Code §§1798) Applies to California state agencies, including state-funded educational institutions. Does not apply to student records, but does apply to records of potential students before enrollment, i.e., records of applicants for admission.1 Establishes requirements for the collection, maintenance, and dissemination of any information that identifies or describes an individual.2 1. http://www.ucop.edu/ucophome/policies/bfb/rmp8.html 2. Ibid.California Information Practices Act (California Civil Code §§1798) - continued: California Information Practices Act (California Civil Code §§1798) - continued Any information that identifies or describes an individual, the disclosure of which would constitute an unwarranted invasion of personal privacy, is considered personal information. Common types of personal information are: Birth date Citizenship Social Security Number Income Tax Withholding Information Performance evaluations Letter of corrective actions Names of spouse or other relatives1 1. http://www.ucop.edu/ucophome/policies/bfb/rmp8.htmlCalifornia Information Practices Act (California Civil Code §§1798) - continued: California Information Practices Act (California Civil Code §§1798) - continued In recent years, the Act has been amended to require: Notification of security breaches involving personal information1 Greater protection of Social Security Numbers (SSNs) by: Reducing collection of SSNs Explaining the purpose of the collection, the intended use, whether it is mandatory, and consequences of refusing to provide SSN Eliminating public display of SSNs Controlling access to SSNs Improving security safeguards Making the organization accountable for protecting SSNs2 1. http://www.privacy.ca.gov/recommendations/secbreach.pdf 2. http://www.privacy.ca.gov/recommendations/ssnrecommendations.pdf Are the laws really sufficient to protect the privacy, security, and integrity of our Institutions’ data? : Are the laws really sufficient to protect the privacy, security, and integrity of our Institutions’ data? Slide35: …in a perfect world, YES! But in this world, we face: Hackers Viruses Cyber takeovers S/W with security holes H/W with security holes Opportunists Legislation is not enough Maybe policies and confidentiality agreements will fill in the gaps.: Maybe policies and confidentiality agreements will fill in the gaps.What is a Policy?: What is a Policy? A policy is “a definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions.”1 1. Webster’s Ninth New Collegiate DictionaryWhat is a Confidentiality Agreement?: What is a Confidentiality Agreement? A Confidentiality Agreement (or Non-disclosure Agreement) is a document that, when signed, will allow one party to discuss their confidential information (including their work and ideas) with other interested parties. It legally binds those parties to keep the information confidential and not to disclose it to third parties. 1. King’s College of London: Technology Transfer Group What is a Confidentiality Agreement? (continued) : What is a Confidentiality Agreement? (continued) A Confidentiality Agreement should give the purpose for the disclosure and also state that the receiving party shall not be permitted to use the confidential information for any purpose except the one defined in the agreement (e.g., to evaluate their interest in collaborating/investing in the ideas/work).1 1. King’s College of London: Technology Transfer Group Will policies and confidentiality statements increase the likelihood that we can protect the privacy, security, and integrity of our Institutions’ data? : Will policies and confidentiality statements increase the likelihood that we can protect the privacy, security, and integrity of our Institutions’ data? Not really…. Then, what do we Need?: Not really…. Then, what do we Need? Commitment from the University Leadership IT security group/CSO Resources Institute Privacy Policies Not really…. Then, what do we Need? (cont): Not really…. Then, what do we Need? (cont) Institute Policies for the Acceptable Use of Electronic Information Resources Confidentiality/ Non-Disclosure Agreements or Implied Consent Active User Awareness Training Periodic Risk Assessments Firewalls SSL Not really…. Then, what do we Need? (cont): Not really…. Then, what do we Need? (cont) Strong Authentication / Single Sign On Authorization Anti Virus Software Vigilant Network Monitoring Incident Reporting EnforcementPeer Survey - Data Privacy Policies: Peer Survey - Data Privacy PoliciesSummary : Summary To protect the privacy of our data; we need Legislation Institute commitment Institute policy statements Confidentiality statements User awareness training programs Develop Best Practices Pro-Active Network Monitoring Antivirus ProtectionSummary : Summary Authentication/Authorization Utilize the experts Legal Department Risk Management Human Resources Security Department Local Law Enforcement Peer Institutions Enforcement Questions and Answers: Questions and Answers Thank you! Elaine.reber@caltech.edu : Thank you! Elaine.reber@caltech.edu