SPONSORED BY: U.S. DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT HMIS System Administrator Training Series HMIS 101: MODULE 4 In-Depth Security and Privacy

Upload: quinn-rumrill

Post on 01-Apr-2015

Partners

Jeff Ward, Abt Associates, Inc.

Kat Freeman, The Cloudburst Group

Natalie Matthews, Abt Associates, Inc.

Chris Pitcher, The Cloudburst Group

Purpose

Provide HMIS System Administrators, end users, CoC representatives, consumers, and federal, state, and local partners with a basic understanding of:
• In-Depth Privacy and Security

Webinar Format

This training is part of a series of trainings that will provide new staff with the basic information needed to operate or participate in an HMIS

It is anticipated that this series of trainings will be offered quarterly

This training is anticipated to last 90 minutes

Presenters will walk through presentation material

Audience members are “muted” due to the high number of participants

Submitting Questions

All follow-up questions should be submitted to the Ask the Expert function on www.hmis.info

If you have multiple questions, we recommend compiling them into a single submission to Ask the Expert with a reference to the HMIS 101: Module 4 training

Webinar Materials & Evaluation

A quick follow-up survey will be emailed out after the webinar

The webinar will be recorded, and all materials will be posted to HMIS.info

During the webinar, we’ll be asking you a few questions as well

Overview of Training Series

HMIS 101 Modules III, IV and V:
• Module III: In-Depth Data Standards
• Module IV: In-Depth Security and Privacy
• Module V: Data Quality Standard and Compliance Plans

HMIS 201:
• HMIS Budgeting and Staffing PIT and HIC Best Practice Highlights/ Use of Technology

Who are You?

A. HMIS System Administrator
B. HMIS Data Entry staff/Program staff
C. CoC staff
D. Technical Assistance provider/Trainer
E. HMIS Vendor
F. Other

How would you rate your knowledge of HMIS Privacy and Security?

A. Not knowledgeable B. Somewhat knowledgeable C. Knowledgeable D. Expert

HMIS Privacy and Security

Privacy is the control over the extent, timing, and circumstances of sharing oneself (physically, behaviorally, or intellectually) with others.

Confidentiality pertains to the treatment of information that an individual has disclosed in a relationship of trust and with the expectation that it will not be divulged to others without permission in ways that are inconsistent with the understanding of the original disclosure.

Security is the means of ensuring that data is kept safe from corruption and that access to it is suitably controlled.

2004 Technical Standards set forth expectations for privacy and security for HMIS

HMIS Privacy and Security

Two tiers: required baseline standards and additional recommended protocols;

Applies to all agencies and programs that record, use, or process Protected Personal Information (PPI) for an HMIS including:
• Continuum of Care (CoC)
• Homeless service provider
• HMIS host or administrator, etc.

Employees, volunteers, affiliates, contractors, and associates are covered by the privacy standards of the agencies they deal with; and

Privacy and security standards apply to all agencies, regardless of funding source, who use the HMIS.

Introduction to Privacy

Privacy Standards Framework

Personal Protected Information (PPI)
• Includes name, SSN, program entry/exit, zip code of last permanent address, system/program ID, and program type

Allow for reasonable, responsible data disclosures

Derived from principles of fair information practices

Borrowed from Health Insurance Portability and Accountability Act (HIPAA)

Privacy Requirements

Privacy Standards: Protect client personal information from unauthorized disclosure

Seven components:
• Collection limitations
• Data quality
• Purpose and use limitations
• Openness
• Access and Correction
• Accountability

Collection Limitations

Only collect information that is appropriate for the purposes for which the information is obtained or when required by law

Use lawful and fair means to collect it

When appropriate, collect data with knowledge or consent of the client
• Post sign; infer consent for collection
– Must post a sign at intake desk (or comparable location) that explains generally the reasons for collecting this information.

Collection Limitations – Other Stuff You Can Do

Restrict collection of personal data, other than required HMIS data elements

Require written client consents

Obtain oral or written consent from the individual or a third party

Data Quality

Data must be relevant to the purpose for which it is to be used

To the extent necessary for those purposes, data should be accurate, complete, and timely

Must develop and implement plan for disposal of Personal Protected Information

Purpose and Use Limitations

Notice must specify purposes for PPI collections and must describe all uses/disclosures

A program may use/disclose PPI only if allowed by the standard and described in the privacy notice

Notice may infer consent for described uses/disclosures and for compatible uses/disclosures

All uses/disclosures are permissive (except first party request or required by law)

Uses/disclosures not specified in notice need written consent of the individual or legal requirement

Allowable Uses/Disclosures

Provide and coordinate services

Payment or reimbursement

Administrative functions

Create de-identified PPI

Required by law

Avert serious threat to health/safety

Academic research (written agreement required)

Law Enforcement

Purpose and Use Limitation – Other stuff you can do

Seek oral or written consent for use/disclosure

Agree to client requested restrictions on use/disclosure

Limit use/disclosure to those in notice and necessary (not compatible) purposes

Keep an audit trail for disclosures

Make audit trails available to the client, if requested

Limit disclosures to minimum necessary

Openness

Be open with agencies, clients, and other parties about how you protect client information from unethical use

You must post a sign about your Privacy policies (called a Privacy Notice) and your Privacy policies must be available to anyone who requests them – including clients and the media.

If your agency has a web page, you must post your Privacy Notice on your web page. This is true about individual agencies as well as any web pages associated with your HMIS.

Openness – Other Stuff You Can Do

Provide a simplified copy of your Privacy Notice to clients at the time of data collection.

You may need to have copies of your Privacy Notice in more than one language

Provide advance notice on changes to your Privacy Policy and Notice, how you might enforce those changes, and ask for public comments.

Access and Correction

Must allow individual to inspect and have a copy of his/her PPI

Must offer to explain PPI

Must consider request to correct inaccurate or incomplete PPI

May deny access to some info

Must explain denials

Access and Correction – Other stuff you can do

Allow appeal of denial of access or correction

Limit grounds for denial of access

Allow a statement of disagreement

Provide written explanation for denial

Accountability

Must establish procedure for accepting and considering complaints about privacy and security policies and practices

Must require all staff members to sign a confidentiality agreement (acknowledging receipt of and pledging to comply with the privacy notice)

Accountability – Other Stuff You Can Do

Require formal privacy training

Regularly audit privacy compliance

Establish an appeals process for privacy policy complaints and denials of access and correction rights

Designate chief privacy officer

HMIS and HIPAA

Health Insurance Portability and Accountability Act (HIPAA) privacy rules take precedence over HMIS Privacy Standards

HIPAA covered entities are required to meet HIPAA baseline privacy requirements, not HMIS

Most programs are not covered by HIPAA: To learn more go to http://www.hhs.gov/ocr/hipaa/

HMIS and Other Privacy Laws

Programs must comply with more stringent federal, state and local confidentiality laws; and

If a conflict exists between state law and the HMIS, an official legal opinion on the matter should be prepared by the state’s Attorney General and submitted to HUD’s General Counsel for review.

Domestic Violence Victim Service Providers are prohibited from entering data into HMIS and legal service providers are not to enter confidential client notes into HMIS.

HMIS Consent Models

Inferred Consent:
• Baseline Requirement; and
• Client’s consent to release information is inferred from the privacy posting.

Implied/Informed Consent:
• Verbal or physical consent is required.

Written Consent:
• Client must sign a release of information (ROI).

Levels of Consent

Consent to use data within an agency for program or agency operations.

Consent to share additional information across programs to coordinate case management and service delivery.

Privacy Summary

Privacy refers to the safeguarding of protected personal information in the HMIS from open view, sharing or inappropriate use

Protected Personal Information (PPI) is any information that might identify a specific individual or that might be manipulated or linked with other information to identify a specific individual

Baseline Privacy Standards

Must comply with other federal, state, and local confidentiality law

Must comply with limits to data collection (relevant, appropriate, lawful, specified in privacy notice)

Must have written privacy policy - and post it on your web site

Must post sign at intake or comparable location with general reasons for collection and reference to privacy policy

May infer consent for uses in the posted sign and written privacy policy

How Much Do You Know?

(T/F) Privacy policies are not meant to restrict the use and disclosure of data.

The purpose of privacy is to protect the client’s information from:

A. Unauthorized access B. Unauthorized disclosure C. Law Enforcement D. All of the Above

Introduction to Security

Defining Security

Security refers to the protection of client personal protected information and sensitive program information from unauthorized access, use or modification.

All workstations, desktops, laptops, and servers that connect to a network that accesses or directly accesses the HMIS must comply with the baseline security requirements.

3 P’s of Security Management

Products: Physical security
• Door locks
• Intrusion-detection systems
• Physical firewalls

People: Personnel security
• Those who implement and properly use security products to protect data
• Those who collect, input, or otherwise have access to data

Procedures: Organizational security
• Plans and policies established to ensure that people correctly use products and access data

Security Requirements

System security provisions apply to all the systems where Personal Protected Information (PPI) is stored, including, but not limited to, networks, desktops, laptops, mini-computers, mainframes and servers

Security has three categories:
• System Security
• Software Application Security
• Hard Copy Security

System Security Requirements

User authentication

Limited multiple access

Virus protection with auto-update

Firewalls - individual workstation or network

Encryption - transmission

Public access controls

Location control

Backup and disaster recovery

System monitoring

Secure disposal

User Authentication

Every user accessing the HMIS system must have a unique username and password.

Passwords must:
• Include at least one number and one letter;
• Be at least 8 characters long;
• Not be based on user’s name, organization, or software; and
• Not be based on common words.

Good: [Na$car#39]
Bad: bobclark99
Terrible: hmis

Passphrases:
Great: I1ik3C@k3 (I Like Cake)
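
The four password rules above can be checked mechanically. The following is an added example, not part of the original training material; the user name "Bob Clark", the organization "Example Shelter" and the short common-word list are constructed assumptions used to exercise the slide's own sample passwords.

```python
import re

# Constructed sample list (assumption); a real deployment would load a much
# larger dictionary of common words and known-breached passwords.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty",
                "admin", "login", "summer", "winter"}


def _tokens(*values):
    """Lower-case alphabetic tokens (3+ letters) taken from the user's name,
    the organization name and the software name."""
    found = set()
    for value in values:
        found.update(t for t in re.findall(r"[a-z]+", value.lower())
                     if len(t) >= 3)
    return found


def check_password(password, user_name, organization, software="HMIS"):
    """Return the list of baseline rules the password breaks (empty = passes)."""
    problems = []
    lowered = password.lower()

    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")

    # Rule: not based on the user's name, organization, or software.
    for token in sorted(_tokens(user_name, organization, software)):
        if token in lowered:
            problems.append(f"based on name/organization/software term '{token}'")

    # Rule: not based on common words.
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append(f"based on common word '{word}'")
    return problems


def review(passwords, user_name, organization):
    """Check several candidate passwords for one user; returns {password: problems}."""
    return {p: check_password(p, user_name, organization) for p in passwords}


if __name__ == "__main__":
    # The four sample passwords from the slide, checked for a hypothetical user.
    results = review(["[Na$car#39]", "bobclark99", "hmis", "I1ik3C@k3"],
                     user_name="Bob Clark", organization="Example Shelter")
    for candidate, problems in results.items():
        print(candidate, "->", "OK" if not problems else "; ".join(problems))
```
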

User Authentication (cont.)

All computers used to access HMIS data must require user authentication (e.g., username/passwords).

Logging on to the HMIS computer alone is not sufficient.

IDs and Passwords for the HMIS software should be different than the workstation ID and Password

IDs and Passwords should not be stored or displayed in any publicly accessible location.

HMIS IDs and Passwords must not be shared.

WHAT DID I JUST SAY?

Strong password

Keep it secret

Multiple Access

An individual user must NOT be allowed access to the HMIS from multiple workstations on the network at the same time.

An individual user must NOT be allowed to log onto the local network from more than one location at a time.

System Level Virus Protection

All computers accessing HMIS (including remote and VPN users) must have anti-virus software installed and updated regularly that automatically scans files.

Old Anti-Virus Software = No Anti-Virus Software

Firewalls

Image found at: http://www.integration1.com.au/pages/default.cfm?page_id=21925

Public Access

HMIS that use public forums for data collection/reporting must have additional security to limit access using Public Key Infrastructure (PKI) or through IP filtering.

Translation: Any Web-based HMIS accessed over the Internet needs digital certificates installed on all browsers on all computers accessing the HMIS (PKI) or an extranet to limit access based on IP address.

What is Public Key Infrastructure?

Each user is issued a private key to encrypt messages and a public key to decode messages;

Private key is kept secret and known only to user;

Public key uses a digital certificate to authenticate the identity of the user;

Digital certificates must be issued by a recognized Certificate Authority; and

Secure socket layer “SSL” encryption does not meet the baseline PKI requirements.

PKI: Public Key Infrastructure

Options for implementing PKI:
• Self issued certificate authority - Example: Microsoft Certification Authority;
• Third party certificate authority - Example: Verisign or Thawte;
• USB token; or

Alternative to PKI: Limiting access to HMIS through IP filtering.

IP Addresses

Everything on the internet (servers, desktops, blackberries) is assigned an internet protocol (IP) address;

The internet uses IP addresses to move information from one place to another;

An IP address looks like this: 10.141.215.223; and

Firewalls block suspicious IP addresses from accessing your computer.
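
IP filtering as an alternative to PKI means accepting connections only from addresses on an approved list. The following is an added example, not part of the original training material; the allowlisted networks are documentation address ranges standing in for participating agencies' networks (an assumption), and the check fails closed on anything it cannot parse.

```python
import ipaddress

# Constructed allowlist (assumption): documentation ranges standing in for the
# networks of agencies approved to reach the HMIS.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),       # agency A office network
    ipaddress.ip_network("198.51.100.16/28"),   # agency B, 16 addresses only
    ipaddress.ip_network("2001:db8:10::/48"),   # agency C, IPv6
]


def is_allowed(client_ip, networks=ALLOWED_NETWORKS):
    """Return True only if client_ip parses and falls inside an allowed network."""
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except (ValueError, AttributeError):
        return False  # unparseable input is denied, never allowed by default

    # A dual-stack listener may report IPv4 clients as ::ffff:a.b.c.d; compare
    # the embedded IPv4 address so the same rule applies to both forms.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped

    return any(addr.version == net.version and addr in net for net in networks)


def denied_attempts(connection_attempts, networks=ALLOWED_NETWORKS):
    """Given (ip, port) pairs, return those that the filter would reject,
    for review alongside the other monitored connection attempts."""
    return [(ip, port) for ip, port in connection_attempts
            if not is_allowed(ip, networks)]


if __name__ == "__main__":
    # Constructed connection attempts.
    attempts = [("192.0.2.17", 443), ("10.141.215.223", 443),
                ("::ffff:192.0.2.17", 443), ("198.51.100.32", 443)]
    print(denied_attempts(attempts))
```
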

Physical Access/Location

Access to workstations must be controlled and monitored.
• Options: locked offices, privacy screens, etc.

Access to servers must be controlled to a greater degree.
• Options: locked cabinet or cage; secure facilities.

Backup and Disaster Recovery

All HMIS data must be regularly backed up and stored in a secure off-site location:
• Back up your data and applications;
• Save them to tape;
• Test the tapes;
• A backup tape lying next to a server won’t help if the server room catches fire!; and
• Alternatively, consider secure network-based offsite backup solutions.

Secure Disposal

Tapes, disks and hard drives must be properly formatted and erased before disposal.
• At least two erasure passes (three or more is recommended).

Free and commercial software is available to prepare old workstation hard drives, tapes, and floppies before discarding.

System Monitoring

Most security breaches are carried out by authorized users of client record systems

All systems including central servers must be monitored and “routinely” reviewed by staff

Monitoring decisions:
• Who monitors?;
• What is normal and what is abnormal usage and access?;
• How do I access the information?; and
• What variables to monitor?

System Monitoring (cont.)

What variables to monitor:
• Logon success/failure;
• Account management;
• Policy changes;
• Privilege use;
• Process tracking;
• System events; and
• Connection attempts (IP and port).
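
Two of these variables can be reviewed automatically: logon success (to catch one user active on several workstations at once, which the Multiple Access requirement forbids) and logon failure (to catch repeated failed attempts). The following is an added example, not part of the original training material; the log line format, event names and thresholds are constructed assumptions, not an HMIS vendor format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (assumed format: timestamp, event, key=value).
SAMPLE_LOG = """\
2015-04-01T09:00:00 LOGON_SUCCESS user=jdoe workstation=WS-01
2015-04-01T09:05:00 LOGON_FAILURE user=asmith workstation=WS-02
2015-04-01T09:05:20 LOGON_FAILURE user=asmith workstation=WS-02
2015-04-01T09:05:45 LOGON_FAILURE user=asmith workstation=WS-02
2015-04-01T09:10:00 LOGON_SUCCESS user=jdoe workstation=WS-07
2015-04-01T09:30:00 LOGOFF user=jdoe workstation=WS-01
2015-04-01T09:31:00 LOGOFF user=jdoe workstation=WS-07
2015-04-01T10:00:00 LOGON_SUCCESS user=jdoe workstation=WS-01
"""


def parse_events(text):
    """Parse audit lines into dicts sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        events.append({
            "time": datetime.fromisoformat(parts[0]),
            "event": parts[1],
            "user": fields.get("user"),
            "workstation": fields.get("workstation"),
        })
    return sorted(events, key=lambda e: e["time"])


def find_concurrent_sessions(events):
    """Flag a successful logon while the same user still has an open session
    on a different workstation."""
    open_sessions = defaultdict(set)  # user -> workstations with an open session
    alerts = []
    for e in events:
        active = open_sessions[e["user"]]
        if e["event"] == "LOGON_SUCCESS":
            others = sorted(active - {e["workstation"]})
            if others:
                alerts.append((e["time"].isoformat(), e["user"],
                               e["workstation"], others))
            active.add(e["workstation"])
        elif e["event"] == "LOGOFF":
            active.discard(e["workstation"])
    return alerts


def find_failure_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Flag a user once when `threshold` logon failures fall inside `window`."""
    recent = defaultdict(list)  # user -> failure times inside the window
    alerts = []
    for e in events:
        if e["event"] != "LOGON_FAILURE":
            continue
        times = recent[e["user"]]
        times.append(e["time"])
        # Drop failures that are older than the window ending at this event.
        while times and e["time"] - times[0] > window:
            times.pop(0)
        if len(times) == threshold:
            alerts.append((e["user"], times[0].isoformat(), e["time"].isoformat()))
    return alerts


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_LOG)
    print(find_concurrent_sessions(parsed))
    print(find_failure_bursts(parsed))
```
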

Software Application Security

User Authentication

Electronic Data Transmission

Electronic Data Storage

User Authentication

Like the workstation, the software used to access HMIS data should require user authentication (e.g., username/passwords).

Logging on to the HMIS computer alone is not sufficient.

IDs and Passwords for the HMIS software should be different than the workstation ID and Password

IDs and Passwords should not be stored or displayed in any publicly accessible location.

HMIS IDs and Passwords must not be shared.

Data Transmission Encryption

Two options:

128 bit encryption over the wire; and
• Secure Socket Layer (SSL): A communications protocol used to secure all sensitive data. SSL is normally described as wrapping an encrypted envelope around message transmissions over the Internet.

Secure direct connections.
• Virtual Private Network (VPN)

Electronic Data Storage

All HMIS data that are electronically transmitted over the internet must be encrypted
• Encryption is the conversion of plain text into encrypted data (code)
• Encryption is used to protect a client’s sensitive personal information from unauthorized viewing
• John Smith = 7Heuvvaj94naa@Tivn(f4Rnkin^43gn

Hard Copy Security

Applicable to any paper or other hard copy containing PPI that is generated by, or for, the HMIS
• Intake forms
• Consent forms
• Reports

Must supervise hard copies at all times when in a public area.
• Includes intake areas

When staff are not present, hard copies must be secured

Must not be stored or displayed in any publicly accessible location

How Much Do You Know?

Which is the weakest password?

$3cur1ty1$G00d#4U
Kfreeman*1
*7Fr8!yWzh

(T/F) The three categories of security are system security, software application security and hard copy.

Security Best Practices

HMIS Security Best Practices

HMIS users
• Unique username and password
• Signed receipt of privacy notice

HMIS computers and networks
• Secure location
• Workstation username and password
• Virus protection with automatic update
• Locking password protected screen saver
• Individual or network firewall
• Public Key Infrastructure (PKI) to prevent unauthorized access

Best Practices (cont…)

Designate a Chief Security Officer to implement and oversee security measures

Staff computers in public areas used to collect and store HMIS data at all times

Enable password protected automatic screen savers when workstation is not in use

Automatically log users off the system after a period of inactivity

Require regular changing of passwords and encourage creation of strong passwords

Use a bonded vendor to destroy HMIS data

User Training (Strongly Recommended)

Although not a baseline requirement, all users should participate in:

Data and Technical Standards Training
• Participation and Data Collection Requirements; and
• Privacy and Security Protocols to Protect Client Data.

Software training
• How to enter, edit, change, and delete data; and
• User and computer security requirements.

Ethics and privacy training
• Consent protocol and privacy protocols; and
• How to interview clients in a sensitive manner.

User groups are strongly encouraged to develop peer support opportunities

Key Security Points

Applies to all machines accessing or storing HMIS data;

All computers must have virus protection;

All servers or computers directly accessing the internet must be protected by a firewall;

Web-based HMIS must use PKI or IP filtering to limit public access to data;

Physical access to computers and servers must be restricted;

Regular back-up and storage of HMIS data; and

Regular monitoring of HMIS at the system level.

Security Resources

National Institute of Standards and Technology Computer and Security Resource Center http://csrc.ncsl.nist.gov

Carnegie Mellon/CERT: Connecting to the Internet http://www.cert.org/tech_tips/before_you_plug_in.html

CERT Implementation Tips for Servers and Networks http://www.cert.org/tech_tips/

National Institutes of Health Center for Information Technology Security Site http://www.alw.nih.gov/Security/security.html

Forum of Incident Response and Security Reform http://first.org

Resources

HUD Homeless Data Exchange (HDX): http://www.hudhdx.info/

HMIS.info: www.hmis.info

HUD Homelessness Resource Exchange: www.hudhre.info

How would you rate your knowledge of HMIS Privacy and Security?

A. Not knowledgeable B. Somewhat knowledgeable C. Knowledgeable D. Expert

Thank you!