Monday, March 22, 2010
Massachusetts Data Protection Regulations Update
Many of you will need to explain the latest Federal and State security mandates to your organizations. Here's the letter I sent out on Friday. Feel free to use it as a template for your own communications.
In 2007, Massachusetts became one of 45 states that require companies to report the loss or theft of personal information. (For more information on the data breach law see MGL ch. 93H http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm)
In Massachusetts, personal information is defined as a state resident’s last name and first name or first initial as well as any one or more of the following:
• Social Security Number;
• Driver’s License Number or state-issued identification card number; or
• Financial account number, or credit or debit card number, with or without the necessary security code.
In addition to passing a data breach law, Massachusetts passed regulations that set out requirements for how businesses must protect personal information. (See 201 CMR 17.00 http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf) Those regulations became effective on March 1, 2010.
In general, those regulations require BIDMC to protect personal information in the same way that it already protects patient information.
Minimum Necessary Standard – We must make sure that the people with access to personal information have a legitimate need for that access based on their job functions and that the access granted is the minimum necessary to fulfill that function.
Information Security Program – We must employ an information security program that ensures that personal information (in any form) is not used by or disclosed to people who do not meet the minimum necessary standard. As we do with patient data, we must ensure that:
• Users provide a unique user ID and password to access personal information;
• Computers that are used to access or transmit personal information have up-to-date patches and anti-virus software;
• Personal information on laptops and other portable devices is encrypted; and
• Personal information transmitted wirelessly or over the Internet is encrypted.
Employee Training and Enforcement – We must conduct employee training and make sure that our community is complying with these requirements for protecting this data.
System Monitoring – We must monitor our information system to ensure that outside parties don’t gain access to personal information and that BIDMC Users with such access are active BIDMC employees who are authorized to have such access.
Incident Response – Where someone does gain unauthorized access to personal information, we must respond promptly to limit the harm caused and use the lessons learned from the incident to continually improve our information security program.
Third Parties, Vendors, Contractors – We must ensure that third parties who require access to our personal information commit to and are capable of meeting the same requirements for protecting the data.
Annual Review – Finally, we must review how well our information security program is working and make the changes necessary to appropriately protect our data.
For many of you, these new state regulations will simply mean that the protection we already provide for patient data must be expanded to include personal information. In most cases, the systems being used to access and transmit personal information already meet this standard.
Over the last year we have been updating our existing IS policies and creating some new policies to respond to recent changes in federal and state information security law and to better inform you about what you need to do to help us protect patient and staff data.
We expect to have these approved and available to you within the next couple of months. We will also be updating our information security training program to reflect these changes.
In the interim, if you have any questions, please contact the IS Security team at firstname.lastname@example.org. They will be happy to answer any questions that you may have.
Protecting private and sensitive data is something the BIDMC community already takes very seriously. With your cooperation, we can ensure that our protections for personal information meet the standard already provided to patient data.
Posted by John Halamka at 3:00 AM