Monday, March 22, 2010

Massachusetts Data Protection Regulations Update

Many of you will need to explain the latest Federal and State security mandates to your organizations. Here's the letter I sent out on Friday. Feel free to use it as a template for your own communications.

In 2007, Massachusetts became one of 45 states that require companies to report the loss or theft of personal information. (For more information on the data breach law see MGL ch. 93H

In Massachusetts, personal information is defined as a state resident’s last name and first name or first initial as well as any one or more of the following:
• Social Security Number;
• Driver’s License Number or state-issued identification card number; or
• Financial account number, or credit or debit card number, with or without the necessary security code.

In addition to passing a data breach law, Massachusetts passed regulations that set out requirements for how businesses must protect personal information. (See 201 CMR 17.00 Those regulations became effective on March 1, 2010.

In general, those regulations require BIDMC to protect personal information in the same way that it already protects patient information.

Minimum Necessary Standard – We must make sure that the people with access to personal information have a legitimate need for that access based on their job functions and that the access granted is the minimum necessary to fulfill that function.

Information Security Program – We must employ an information security program that ensures that personal information (in any form) is not used by or disclosed to people who do not meet the minimum necessary standard. As we do with patient data, we must ensure that:
• Users must provide a unique user id and password to access personal information;
• Computers that are used to access or transmit personal information have up-to-date patches and anti-virus software;
• Personal information on laptops and other portable devices is encrypted; and
• Personal information transmitted wirelessly or over the Internet is encrypted.

Employee Training and Enforcement – We must conduct employee training and make sure that our community is complying with these requirements for protecting this data.

System Monitoring – We must monitor our information system to ensure that outside parties don’t gain access to personal information and that BIDMC Users with such access are active BIDMC employees who are authorized to have such access.

Incident Response – Where someone does gain unauthorized access to personal information, we must respond promptly to limit the harm caused and use the lessons learned from the to continually improve our information security program.

Third Parties, Vendors, Contractors – We must ensure that third parties who require access to our personal information commit to and are capable of meeting the same requirements for protecting the data.

Annual Review – Finally, we must review how well our information security program is working and make the changes necessary to appropriately protect our data.

For many of you, this new state law will simply mean that the protection we already provide for patient data must be expanded to include personal information. In most cases, the systems being used to access and transmit personal information already meet this standard.

Over the last year we have been updating our existing IS policies and creating some new policies to respond to recent changes in federal and state information security law and to better inform you about what you need to do to help us protect patient and staff data.

We expect to have these approved and available to you within the next couple of months. We will also be updating our information security training program to reflect these changes.

In the interim, if you have any questions, please contact the IS Security team at They will be happy to answer any questions that you may have.

Protecting private and sensitive data is something the BIDMC community already takes very seriously. With your cooperation, we can ensure that our protections for personal information meet the standard already provided to patient data.


Anonymous said...

In David Scott’s words, everyone needs to be a mini-Security Officer in the modern organization today. I think Mr. Scott is right: Most individuals and organizations enjoy Security largely as a matter of luck. Anyone else here reading I.T. WARS? I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors. It has great chapters on security, as well as risk, content management, project management, acceptable use, various plans and policies, and so on. Just Google IT WARS – check out a couple links down and read the interview with the author David Scott at Boston’s Business Forum. (Full title is I.T. WARS: Managing the Business-Technology Weave in the New Millennium).

jeremytech said...

Great to have a better understanding of your policies and why you chose them.