Monterey County Grand Jury
2014-2015
Information Security at Natividad Medical Center:
Findings and Recommendations (6 findings)
F1
The separation of Natividad’s IT Department from the County’s IT Department in 2009 was warranted, due to unique regulations and auditing standards for health provider institutions.
Related Recommendations (1)
R1
Natividad Medical Center share its IT Department model with other county hospitals as a standard of excellence when appropriate at all upcoming opportunities.
F2
Natividad Medical Center is exemplary of best practices in its protection of patients’ PHI.
Related Recommendations (1)
R2
Natividad Medical Center immediately review and ensure that its notices to the public about HIPAA breaches are written in languages commonly understood by the impacted persons.
F3
Natividad Medical Center has 24/7 IT Department staff well-equipped to prevent cyberattacks.
Related Recommendations (1)
R3
Natividad Medical Center continue to improve and update best practices for secure physical delivery of PHI documents to other healthcare providers and individual patients while awaiting an active HIE for secure transmittals.
F4
Natividad Medical Center minimizes downtime of its IT networks by dedicated, continual monitoring.
No recommendations for this finding
F5
Language translation services should be utilized in preparing written notices to persons impacted by PHI breaches whose common language is other than English or Spanish.
No recommendations for this finding
F6
A weak link exists in security of PHI with hand-delivered paper documents.
No recommendations for this finding
Additional Recommendations 1
These recommendations are not explicitly linked to specific findings.
DEFINITIONS (sidebar)

…forces rights, and promulgates regulations, develops policy and provides technical assistance and public education to ensure understanding of and compliance with HIPAA privacy and security laws.

Health Information Exchange (HIE): the mobilization of healthcare information electronically across organizations within a region, community or hospital system.

Information Technology (IT): the application of computers and telecommunications equipment to store, retrieve, transmit and manipulate data, often in the context of a business or other enterprise encompassing computer hardware, software, electronics, semiconductors, internet, telecom equipment, e-commerce and computer services.

Protected Health Information (PHI): any information about health status, provision of health care, or payment for health care that can be linked to a specific individual, including any part of a patient’s medical record or payment history.

…servers. Before each laptop computer is assigned to an employee of Natividad Medical Center, it undergoes a total volume disk encryption, which prevents unauthorized access to data storage. If the user is unable to connect with the system, the laptop becomes unusable.

Every night the workstation computers are scanned for security. All websites accessed by staff are content filtered and scanned for viruses on an ongoing basis. Some have USB ports turned off. Users have access only to those networks for which they have a need to access. Smart phones can only access a guest network; they have no internal access. Employees can be set up to access their Natividad network email via their smart phones, but users must give permission for phone wipes by the IT Department, which would completely eliminate all storage data on the user’s cell phone.

The IT Department staff through its system can determine who accesses data, what data is accessed, where and when it is accessed, and what is printed. All accesses to patient records are logged. Any suspicious activity can be traced to a specific workstation for follow-up.

The Natividad IT Department is working with other county hospitals to create a Health Information Exchange (HIE) where patient information can be shared electronically. Salinas Valley Memorial Healthcare System, Natividad Medical Center, and Community Hospital of the Monterey Peninsula are close to being able to connect with each other. Mee Memorial Hospital will follow. The HIE will be inclusive of county clinics and the Monterey County Health Department.

Even without the HIE in effect, the IT Department reported that paper breaches are more common than electronic breaches at Natividad. When requested, printed medical information is physically given to a patient for transmittal to another service provider, because Natividad Medical Center is not yet able to transmit data through an HIE.

TRAINING OF ALL STAFF, EMPLOYEES, AND THIRD PARTY VENDORS

All staff are trained in their IT responsibilities when they are hired, and they receive security training regularly. Before being hired, each must pass a background check. Third party vendors must also go through training and execute contracts drafted by counsel for the IT Department to ensure compliance with Natividad’s patient PHI policies and procedures.

All users have unique passwords to log on to workstation laptops. There are separate passwords for the various networks. They must be changed frequently, and no similarities to former passwords are allowed. The system will lock out the user on multiple failed login attempts. All passwords and account information are kept in a vault for access by IT staff when necessary.

The IT system scans email coming in and going out of its networks. It blocks spam and any unauthorized links.
It examines any suspected infections to the networks.

POLICIES AND PROCEDURES TO ACHIEVE COMPLIANCE AND SECURE SENSITIVE INFORMATION

Natividad Medical Center staffs its IT Department 24 hours a day, 7 days a week, every day of the year. A minimum of two (2) IT staff are on call at all times. Natividad Medical Center devotes 5.5% of its budget, approximately $10 million, to IT.

Currently, Natividad’s IT requires one factor (password) for access to the networks. The IT Department is moving toward two factors (badge and password) as a single access for all authorized platforms and auto logout users. This will eliminate the need to open multiple platforms and speed workflow.

There is a formal handbook containing specific information for compliance with policies and procedures. Troubleshooting occurs regularly, and IT Department staff monitor the system 24 hours a day to protect the community that utilizes the services of Natividad Medical Center. MCCGJ was pleased to learn of the standards and quality of care by Natividad’s IT Department.

One important aspect of Natividad’s service to the community is its readiness to communicate medical diagnoses and treatment in languages of the people it serves, including multiple dialects. Persons with language skills are on call to translate for patients and their families when no staff can. Currently Natividad has legally required written notices to persons who are impacted by PHI breaches in English and Spanish. If there are other languages commonly used by a large number of its patients, those notices should be translated for their understanding, as well.

RESPONSES REQUIRED

Pursuant to Penal Code Section 933.05, the Grand Jury requests a response to all Findings and Recommendations from the following governing body:
• Monterey County Board of Supervisors

APPLICABLE PRIVACY LAWS AND ENFORCEMENT MEASURES

Notice Laws

California’s Data Breach Notification Statutes provide that agencies (Civil Code §1798.29) and businesses (Civil Code §1798.82) who maintain computerized data that includes personal information of others must notify individuals of any breach of their personal data immediately upon discovery.
Personal information is defined to mean (1) a person’s user name or email address in combination with a password or security question and answer that would allow access to an online account or (2) a person’s name and one of the following:
• Social Security number
• Driver’s license or California identification number
• Account number, credit card number, debit card number, with any required security code, access code, or password that would allow someone to access the individual’s account number
• Medical information [1]
• Health insurance information [2]

The HIPAA Final Omnibus Rule of 2013 requires agencies and businesses sending notices for a breach that affects 500 or more residents of California to send a copy of the written Notice to the California Attorney General, thereby making a record of the crime. As of February 20, 2015, there were 18 reported in 2015 throughout California.

Law Enforcement

The OCR arm of the U.S. Department of Health and Human Services is tasked with enforcing the privacy and security laws. It has three functions. (1) It teaches health and social service workers about civil rights, health information privacy, and patient safety confidentiality laws that they must follow; (2) it educates communities about civil rights and health information privacy rights; and (3) it investigates civil rights, health information privacy and patient safety confidentiality complaints to find out if there is discrimination or violation of the law and takes action to correct problems.

[1] Medical information as defined by the Civil Code is any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.

[2] Health insurance information as defined by the Civil Code is an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.