sponsored by: u.s. department of housing and urban development hmis system administrator training...
TRANSCRIPT
SPONSORED BY: U.S. DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT
HMIS System Administrator Training Series
HMIS 101: MODULE 4In-Depth Security and Privacy
Partners2
Jeff Ward, Abt Associates, Inc. Kat Freeman, The Cloudburst Group Natalie Matthews, Abt Associates, Inc. Chris Pitcher, The Cloudburst Group
Purpose3
Provide HMIS System Administrators, end users, CoC representatives, consumers, and federal, state, and local partners with a basic understanding of: In-Depth Privacy and Security
Webinar Format4
This training is part of a series of trainings that will provide new staff with the basic information needed to operate or participate in an HMIS
It is anticipated that this series of trainings will be offered quarterly
This training is anticipated to last 90 minutes
Presenters will walk through presentation material
Audience members are “muted” due to the high number of participants
Submitting Questions 5
All follow-up questions should be submitted to the Ask the Expert function on www.hmis.info
If you have multiple questions, we recommend compiling them into a single submission to Ask the Expert with a reference to the HMIS 101: Module 4 training
Webinar Materials & Evaluation
6
Quick follow up survey will be emailed out after the webinar
The webinar will be recorded, and all materials will be posted to HMIS.info
During webinar, we’ll be asking you a few questions as well
Overview of Training Series7
HMIS 101 Modules III, IV and V: Module III: In-Depth Data Standards Module IV: In-Depth Security and Privacy Module V: Data Quality Standard and
Compliance Plans HMIS 201:
HMIS Budgeting and Staffing PIT and HIC Best Practice Highlights/ Use of Technology
Who are You?
A. HMIS System AdministratorB. HMIS Data Entry staff/Program staffC. CoC staffD. Technical Assistance provider/TrainerE. HMIS VendorF. Other
8
How would you rate your knowledge of HMIS Privacy and Security?
A. Not knowledgeable B. Somewhat knowledgeable C. Knowledgeable D. Expert
HMIS Privacy and Security
Privacy is the control over the extent, timing, and circumstances of sharing oneself (physically, behaviorally, or intellectually) with others.
Confidentiality pertains to the treatment of information that an individual has disclosed in a relationship of trust and with the expectation that it will not be divulged to others without permission in ways that are inconsistent with the understanding of the original disclosure.
Security is the means of ensuring that data is kept safe from corruption and that access to it is suitably controlled.
2004 Technical Standards set forth expectations for privacy and security for HMIS
HMIS Privacy and Security
Two tiers: required baseline standards and additional recommended protocols;
Applies to all agencies and programs that record, use, or process Protected Personal Information (PPI) for an HMIS including: Continuum of Care (CoC) Homeless service provider HMIS host or administrator, etc.
Employees, volunteers, affiliates, contractors, and associates are covered by the privacy standards of the agencies they deal with; and
Privacy and security standards apply to all agencies- regardless of funding source- who use the HMIS.
Introduction to Privacy12
Privacy Standards Framework Personal Protected Information (PPI)
Includes name, SSN, program entry/exit, zip code of last permanent address, system/program ID, and program type
Allow for reasonable, responsible data disclosures
Derived from principles of fair information practices
Borrowed from Health Insurance Portability and Accountability Act (HIPAA)
Privacy Requirements
Privacy Standards: Protect client personal information from
unauthorized disclosure Seven components:
Collection limitationsData qualityPurpose and use limitationsOpennessAccess and CorrectionAccountability
Collection Limitations
Only collect information that is appropriate for the purposes that the information is obtained or when required by law
Use lawful and fair means to collect it When appropriate, collect data with
knowledge or consent of the client• Post sign; infer consent for collection
– Must post a sign at intake desk (or comparable location) that explains generally the reasons for collecting this information.
Collection Limitations – Other Stuff You Can Do
Restrict collection of personal data, other than required HMIS data elements
Require written client consents Obtain oral or written consent from
the individual or a third party
Data Quality
Data must be relevant to the purpose for which it is to be used
To extent necessary for those purposes, data should be accurate, complete, and timely
Must develop and implement plan for disposal of Personal Protected Information
Purpose and Use Limitations
Notice must specify purposes for PPI collections and must describe all uses/disclosures
A program may use/disclosure PPI only if allowed by the standard and described in the privacy notice
Notice may infer consent for described uses/ disclosures and for compatible uses/ disclosures
All uses/disclosures are permissive (except first party request or required by law)
Uses/disclosures not specified in notice need written consent of the individual or legal requirement
Allowable Uses/Disclosures
Provide and coordinate services Payment or reimbursement Administrative functions Create de-identified PPI Required by law Avert serious threat to health/safety Academic research (written
agreement required) Law Enforcement
Purpose and Use Limitation – Other stuff you can do
Seek oral or written consent for use/disclosure
Agree to client requested restrictions on use/disclosure
Limit use/disclosure to those in notice and necessary (not compatible) purposes
Keep an audit trail for disclosures Make audit trails available to the client, if
requested Limit disclosures to minimum necessary
Openness
Be open with agencies, client’s, and other parties about how you protect client information from unethical use
You must post a sign about your Privacy policies (called a Privacy Notice) and your Privacy policies must be available to anyone who requests them – including clients and the media.
If your agency has a web page, you must post your Privacy Notice on your web page. This is true about individual agencies as well as any web pages associated with your HMIS.
Openness – Other Stuff You Can Do
Provide a simplified copy of your Privacy Notice to clients at the time of data collection.
you may need to have copies of your Privacy Notice in more than one language
Provide advance notice on changes to your Privacy Policy and Notice, how you might enforce those changes, and ask for public comments.
Access and Correction
Must allow individual to inspect and have a copy of his/her PPI
Must offer to explain PPI Must consider request to correct
inaccurate or incomplete PPI May deny access to some info Must explain denials
Access and Correction – Other stuff you can do
Allow appeal of denial of access or correction
Limit grounds for denial of access Allow a statement of disagreement Provide written explanation for
denial
Accountability
Must establish procedure for accepting and considering complaints about privacy and security policies and practices
Must require all staff members to sign a confidentiality agreement (acknowledging receipt of and pledging to comply with the privacy notice)
Accountability-Other Stuff You Can Do
Require formal privacy training Regularly audit privacy compliance Establish an appeals process for privacy
policy complaints and denials of access and correction rights
Designate chief privacy officer
27
HMIS and HIPAA
Health Insurance Portability and Accountability Act (HIPAA) privacy rules take precedence over HMIS Privacy Standards
HIPAA covered entities are required to meet HIPAA baseline privacy requirements not HMIS
Most programs are not covered by HIPAA: To learn more go to http://www.hhs.gov/ocr/hipaa/
28
HMIS and Other Privacy Laws Programs must comply with more stringent
federal, state and local confidentiality laws; and
If a conflict exists between state law and the HMIS an official legal opinion on the matter should be prepared by the state’s Attorney General and submitted to HUD’s General Counsel for Review.
Domestic Violence Victim Service Providers are prohibited from entering data into HMIS and legal service providers are not to enter confidential client notes into HMIS.
29
HMIS Consent Models
Inferred Consent: Baseline Requirement; and Client’s consent to release information is
inferred from the privacy posting. Implied/Informed Consent:
Verbal or physical consent is required. Written Consent:
Client must sign a release of information (ROI).
30
Levels of Consent
Consent to use data within an agency for program or agency operations.
Consent to share additional information across programs to coordinate case management and service delivery.
31
Privacy Summary
Privacy refers to the safeguarding of protected personal information in the HMIS from open view, sharing or inappropriate use
Protected Personal Information (PPI) is any information that might identify a specific individual or that might be manipulated or linked with other information to identify a specific individual
Baseline Privacy Standards32
Must comply with other federal, state, and local confidentiality law
Must comply with limits to data collection (relevant, appropriate, lawful, specified in privacy notice)
Must have written privacy policy - and post it on your web site
Must post sign at intake or comparable location with general reasons for collection and reference to privacy policy
May infer consent for uses in the posted sign and written privacy policy
How Much Do You Know?
(T/F) Privacy policies are not meant to restrict the use and disclosure of data.
The purpose of privacy is to protect the client’s information from:
A. Unauthorized access B. Unauthorized disclosure C. Law Enforcement D. All of the Above
Introduction to Security35
36
Defining Security
Security refers to the protection of client personal protected information and sensitive program information from unauthorized access, use or modification.
All workstations, desktops, laptops, and servers that connect to a network that accesses or directly accesses the HMIS must comply with the baseline security requirements.
3 P’s of Security Management Products: Physical security
Door locks Intrusion-detection systems Physical firewalls
People: Personnel security Those who implement and properly use security
products to protect data Those who collect, input, or otherwise have
access to data Procedures: Organizational security
Plans and policies established to ensure that people correctly use products and access data
Security Requirements38
System security provisions apply to all the systems where Personal Protected Information (PPI) is stored, including, but not limited to, networks, desktops, laptops, mini-computers, mainframes and servers
Security has three categories: System Security Software Application Security Hard Copy Security
System Security Requirements39
User authentication Limited multiple access
Virus protection with auto-update Firewalls - individual workstation or network Encryption - transmission Public access controls Location control Backup and disaster recovery System monitoring Secure disposal
40
User Authentication
Every user accessing the HMIS system must have a unique username and password.
Passwords must: Include at least one number and one letter; Be at least 8 characters long; Not be based on user’s name, organization, or
software; and Not be based on common words.
Good: [Na$car#39] Bad: bobclark99 Terrible: hmis
Passphrases: Great: I1ik3C@k3 (I Like Cake)
41
User Authentication (cont.)
All computers used to access HMIS data must require user authentication (e.g., username/passwords).
Logging on to the HMIS computer alone is not sufficient.
IDs and Passwords for the HMIS software should be different than the workstation ID and Password
IDs and Passwords should not be stored or displayed in any publicly accessible location.
HMIS IDs and Passwords must not be shared.
WHAT DO I JUST SAY??????
Strong passwordKeep it secret
43
Multiple Access
An individual user must NOT be allowed access to the HMIS from multiple workstations on the network at the same time.
An individual user must NOT be allowed to log onto the local network from more than one location at a time.
44
System Level Virus Protection All computers accessing HMIS (including
remote and VPN users) must have anti-virus software installed and updated regularly that automatically scans files.
Old Anti-Virus Software = No Anti-Virus Software
45
Firewalls
Image found at: http://www.integration1.com.au/pages/default.cfm?page_id=21925
46
Public Access
HMIS that use public forums for data collection/reporting must have additional security to limit access using Public Key Infrastructure (PKI) or through IP filtering.
Translation: Any Web-based HMIS accessed over the Internet, needs digital certificates installed on all browsers on all computers accessing the HMIS (PKI) or an extranet to limit access based on IP address.
47
What is Public Key Infrastructure? Each user is issued a private key to
encrypt messages and a public key to decode messages;
Private key is kept secret and known only to user;
Public key uses a digital certificate to authenticate the identity of the user;
Digital certificates must be issued by a recognized Certificate Authority; and
Secure socket layer “SSL” encryption does not meet the baseline PKI requirements.
48
PKI: Public Key Infrastructure
Options for implementing PKI: Self issued certificate authority-Example:
Microsoft Certification Authority; Third party certificate authority Example:
Verisign or Thawte; USB token; or
Alternative to PKI: Limiting access to HMIS through IP filtering.
49
IP Addresses
Everything on the internet (servers, desktops, blackberries) is assigned an internet protocol (IP) address;
The internet uses IP addresses to move information from one place to another;
An IP address looks like this: 10.141.215.223; and
Firewalls block suspicious IP addresses from accessing your computer.
50
Physical Access/Location
Access to workstations must be controlled and monitored. Options: locked offices, privacy screens,
etc. Access to servers must be controlled to a
greater degree. Options: locked cabinet or cage; secure
facilities.
51
Backup and Disaster Recovery All HMIS data must be regularly backed
up and stored in a secure off-site location: Backup your data and applications; Save them to tape; Test the tapes; A Backup tape laying next to a server won’t
help if the server room catches fire!; and Alternatively, consider secure network-
based offsite backup solutions.
52
Secure Disposal
Tapes, disks and hard drives must be properly formatted and erased before disposal. At least two erasure passes (three or more
is recommended). Free and commercial software is
available to prepare old workstation hard drives, tapes, and floppies before discarding.
System Monitoring
Most security breaches are carried out by authorized users of client record systems
All systems including central servers must be monitored and “routinely” reviewed by staff
Monitoring decisions: Who monitors?; What is normal and what is abnormal usage and
access?; How do I access the information?; and What variables to monitor?
54
System Monitoring (cont.)
What variables to monitor: Logon success/failure; Account management; Policy changes; Privilege use; Process tracking; System events; and Connection attempts (IP and port).
Software Application Security User Authentication Electronic Data Transmission Electronic Data Storage
56
User Authentication
Like the workstation, the software used to access HMIS data should require user authentication (e.g., username/passwords).
Logging on to the HMIS computer alone is not sufficient.
IDs and Passwords for the HMIS software should be different than the workstation ID and Password
IDs and Passwords should not be stored or displayed in any publicly accessible location.
HMIS IDs and Passwords must not be shared.
57
Data Transmission Encryption
Two options 128 bit encryption over the wire; and
Secure Socket Layer (SSL): A communications protocol used to secure all sensitive data. SSL is normally described as wrapping an encrypted envelope around message transmissions over the Internet.
Secure direct connections. Virtual Private Network (VPN)
Electronic Data Storage
All HMIS data that are electrically transmitted over the internet must be encrypted Encryption is the conversion of plain text
into encrypted data (code) Encryption is used to protect a client’s
sensitive personal information from unauthorized viewing John Smith =
7Heuvvaj94naa@Tivn(f4Rnkin^43gn
Hard Copy Security
Applicable to any paper or other hard copy containing PPI that is generated by, or for, the HMIS Intake forms Consent forms Reports
Must supervise hard copies at all times when in a public area. Includes intake areas
When staff are not present, hard copies must be secured
Must not be stored or displayed in any publically accessible location
$3cur1ty1$G00d#4U Kfreeman*1 *7Fr8!yWzh
How Much Do You Know?
Which is the weakest password?
(T/F) The three categories of security are system security, software application security and hard copy.
Security Best Practices62
63
HMIS Security Best Practices
HMIS users Unique username and password Signed receipt of privacy notice
HMIS computers and networks Secure location Workstation username and password Virus protection with automatic update Locking password protected screen saver Individual or network firewall Public Key Infrastructure (PKI) to prevent
unauthorized access
64
Best Practices (cont…)
Designate a Chief Security Officer to implement and oversee security measures
Staff computers in public areas used to collect and store HMIS data at all times
Enable password protected automatic screen savers when workstation is not in use
Automatically log users off the system after a period of inactivity
Require regular changing of passwords and encourage creation of strong passwords
Use a bonded vendor to destroy HMIS data
65
User Training (Strongly Recommended)
Although not a baseline requirement, all users should participate in: Data and Technical Standards Training
Participation and Data Collection Requirements; and Privacy and Security Protocols to Protect Client Data.
Software training How to enter, edit, change, and delete data; and User and computer security requirements.
Ethics and privacy training Consent protocol and privacy protocols; and How to interview clients in a sensitive manner.
User groups are strongly encouraged to develop peer support opportunities
66
Key Security Points
Applies to all machines accessing or storing HMIS data;
All computers must have virus protection; All servers or computers directly accessing the
internet must be protected by a firewall; Web-based HMIS must use PKI or IP filtering to limit
public access to data; Physical access to computers and servers must be
restricted; Regular back-up and storage of HMIS data; and Regular monitoring of HMIS at the system level.
67
Security Resources
National Institute of Standards and Technology Computer and Security Resource Center http://csrc.ncsl.nist.gov
Carnegie Mellon/CERT: Connecting to the Internet http://www.cert.org/tech_tips/before_you_plug_in.html
CERT Implementation Tips for Servers and Networks http://www.cert.org/tech_tips/
National Institutes of Health Center for Information Technology Security Site http://www.alw.nih.gov/Security/security.html
Forum of Incident Response and Security Reform http://first.org
Resources
HUD Homeless Data Exchange (HDX):http://www.hudhdx.info/ HMIS.info:www.hmis.info HUD Homelessness Resource Exchange:www.hudhre.info
68
How would you rate your knowledge of HMIS Privacy and Security?
A. Not knowledgeable B. Somewhat knowledgeable C. Knowledgeable D. Expert
Thank you!
70