Monday, October 6, 2008

Massachusetts Data Protection regulations

On September 19, the Massachusetts Office of Consumer Affairs and Business Regulation established significant new regulations, 201 CMR 17.00: Standards for The Protection of Personal Information, which affect how all Massachusetts organizations protect confidential data.

The Boston Globe’s Business Section featured an article titled “Tougher Consumer Data Rule Adopted, Businesses must improve safeguards.”

The deadline for compliance is January 1, 2009.

Like all regulations, the cost/effort of implementation is dependent on how stringently we choose to interpret them. Putting aside the physical security portions of the regulations and focusing on the electronic/IT portions, there are several areas that we are working on. To follow these to the letter of the regulation will require additional capital and labor. We do not yet have estimates, since we're in the planning phase now.

I have included below the sections of the regulations that I think will impact us the most.

Section 17.03 subsection C - This states that there needs to be an explicit policy that governs how employees are allowed to keep, access, and transport records containing personal information outside of business premises. This has two components, electronic records and physical records. We are reviewing our policies and procedures to close any gaps we may have.

Section 17.03 subsection E - This states "Preventing terminated employees from accessing records containing personal information by immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names." We have kicked off a project to address this point, since our existing processes take a few hours rather than acting immediately.

Section 17.03 subsection H. This refers to vendors/third parties who are provided access to our information and/or are obtaining copies of any data from us. It requires that we obtain a written certification that the third party has a written, comprehensive information security program that is in compliance with the provisions of the regulations. There may be a need for some capital expenditures late in the FY09 year. We first need to build up a policy, educate and determine an auditing technique before pursuing any product based solutions.

Section 17.03 subsection H - This section requires that we know where every paper and computing system, including laptops and portable devices (portable devices are not defined in the regulation, so it is unclear if this includes handheld devices), are located that contain personal information. To conform to the regulation we will need to put some additional vended solutions in place and labor to operate them.

Section 17.04 subsection (3) This requires reasonable monitoring of systems for unauthorized use/access to personal information. We do this today.

Section 17.04 subsection (5) This section states "Encryption of all personal information stored on laptops or other portable devices;" We have just started to roll out encryption for laptops. The question of what is a portable device is a challenge. It could mean USB drives, Blackberries and cell phones. We're working through the implications of that.

We spend over a million dollars per year for IT security. This only includes expenses that are purely security related. There are other costs embedded in the software and hardware. For example, when we purchase a server operating system, database product, or network router, the manufacturers have expended effort making these products secure.

As you can see, the regulations will involve a great deal of planning, the addition of new staff and the purchase of new software to ensure compliance. At BIDMC, we are committed to protecting the privacy of patient records, so adding additional resources to enforce privacy policy with technical security is a "must do".

7 comments:

Kevin said...

A few questions if you don't mind. What encryption solution have you selected for laptop computers (NTFS, etc.)? And, what are you using on the Mac side (FileVault, PGP, etc.)? Thanks in advance -Kevin M

John Halamka said...

Sure, we're using McAfee Safeboot

Heather Morris Kyer said...

When you mention subsection H, referring to vendors and third parties, you suggest that you will need to "determine an auditing technique before pursuing any product based solutions."

You may find the following free webinar of interest:

“Third Party Risk Management: Do your vendors protect your sensitive data as you would?”

You can register at:
http://www.ciber.com/events/fea/webinar_tprm.cfm
I hope you find this informative.

Shaul said...

Regarding smartphones, do you allow usage of SMS/PIN messages/Personal email? If yes, do you archive all of these? What about pager text messages?

Thanks!!!
