Monday, October 6, 2008

Massachusetts Data Protection regulations

On September 19, 2008, the Massachusetts Office of Consumer Affairs and Business Regulation established significant new regulations, 201 CMR 17.00: Standards for The Protection of Personal Information, which affect how all Massachusetts organizations protect confidential data.

The Boston Globe’s Business Section featured an article titled “Tougher Consumer Data Rule Adopted, Businesses must improve safeguards.”

The deadline for compliance is January 1, 2009. (This has been revised to March 1, 2010).

Like all regulations, the cost and effort of implementation depend on how stringently we choose to interpret them. Putting aside the physical security portions of the regulations and focusing on the electronic/IT portions, there are several areas that we are working on. To follow these to the letter of the regulation will require additional capital and labor. We do not yet have estimates, since we're in the planning phase now.

I have included below the sections of the regulations that I think will impact us the most.

Section 17.03 subsection C - This states that there needs to be an explicit policy that governs how employees are allowed to keep, access, and transport records containing personal information outside of business premises. This has two components, electronic records and physical records. We are reviewing our policies and procedures to close any gaps we may have.

Section 17.03 subsection E - This states "Preventing terminated employees from accessing records containing personal information by immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names." We have kicked off a project to address this point, since our existing processes take a few hours rather than terminating access immediately.

Section 17.03 subsection H - This refers to vendors and third parties who are provided access to our information and/or obtain copies of any data from us. It requires that we obtain a written certification that the third party has a written, comprehensive information security program that is in compliance with the provisions of the regulations. There may be a need for some capital expenditures late in FY09. We first need to build up a policy, educate staff and determine an auditing technique before pursuing any product based solutions.

Section 17.03 subsection H - This section requires that we know the location of every paper record and computing system, including laptops and portable devices (portable devices are not defined in the regulation, so it is unclear whether this includes handheld devices), that contains personal information. To conform to the regulation we will need to put some additional vendor-supplied solutions in place and add the labor to operate them.

Section 17.04 subsection (3) - This requires reasonable monitoring of systems for unauthorized use of or access to personal information. We do this today.

Section 17.04 subsection (5) - This section requires "Encryption of all personal information stored on laptops or other portable devices." We have just started to roll out encryption for laptops. The question of what counts as a portable device is a challenge: it could mean USB drives, BlackBerries and cell phones. We're working through the implications of that.

We spend over a million dollars per year for IT security. This only includes expenses that are purely security related. There are other costs embedded in the software and hardware. For example, when we purchase a server operating system, database product, or network router, the manufacturers have expended effort making these products secure.

As you can see, the regulations will involve a great deal of planning, the addition of new staff and the purchase of new software to ensure compliance. We are committed to protecting the privacy of patient records, so adding resources to enforce privacy policy with technical security is a "must do".


Kevin said...

A few questions if you don't mind. What encryption solution have you selected for laptop computers (NTFS, etc.)? And what are you using on the Mac side (FileVault, PGP, etc.)? Thanks in advance. -Kevin M

John Halamka said...

Sure, we're using McAfee SafeBoot.

Heather Morris Kyer said...

When you mention subsection H, referring to vendors and third parties, you suggest that you will need to "determine an auditing technique before pursuing any product based solutions."

You may find the following free webinar of interest:

“Third Party Risk Management: Do your vendors protect your sensitive data as you would?”

You can register at:

I hope you find this informative.

Fritz said...

Regarding smartphones, do you allow usage of SMS, PIN messages and personal email? If yes, do you archive all of these? What about pager text messages?


Alan Zaslavsky said...

My understanding is that the Massachusetts regulations include a specific definition of the scope of "personal information". Please include that as part of your blog entry for our benefit in interpreting the selections that were copied. Of course Harvard can make any reasonable rules about use of computers that it pays for, but it would be helpful to know which part of this is mandated by the Massachusetts policies and which part is purely Harvard policy.

John M. Black said...

Alan - In partial answer to your question,

"Personal Information" is defined as "a Massachusetts resident's first name/first initial and last name or in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account."

I found this on this Mass201 page.