Security Compliance

[Robin Deatherage]

This is a two part question. 

1.  Do you have guidelines for your users on what types of information must be sent using email encryption?  I know the basics but don't really want to start from scratch with coming up with a list if I could help it.

2.  Do you have an Offsite Work Agreement that you would be willing to share?  This would be for employees who are allowed to work from home and or those who travel (while at hotels, conferences, etc), and be security related guidelines that they agree to follow.

Thanks

[Mark]

Hi Robin,

For #1) We use keywords to trigger encryption, so it doesn't matter if the user *wants* to encrypt the email or not (and believe me, many times they think they do NOT want it encrypted).  If the pattern of a SSN or credit card number is matched (via RegEx) the email is automatically encrypted.  I also have a list of keywords that will driver it, like "drivers license number", "DOB", etc that will trigger it.  Lastly, (and this is a dead giveaway as to what product we're using) if none of the above fit your email but you still want it encrypted, putting the text:

Code Select Expand

[encrypt]

anywhere in the email will trigger encryption.

So, we don't currently have a written guideline, but we are basically attempting to make the decision for the user instead of giving them the option.  We do have documentation showing what we are encrypting, which may count as a guideline in a legal case... or may not.  We are still working on that piece.  :-)

#2) I got nothing.  Sorry! :-)

[Adri]

Mark- don't call Robin a Ho!!!!

[Mark]

Mark- don't call Robin a Ho!!!!

What?  I know I can't type... but that NEVER happened!!

[Robin Deatherage]

   Thanks Adri.  I have to admit I've been called worse.  

[Mark]

Robin is my friend!!  :-)

[Robin Deatherage]

Robin is my friend!!  :-)

I was until you called me a Ho.  "unfriend"
Just kidding.  I still luv ya Mark.   

[Robin Deatherage]

Adri, I love your profile pic.  Is that your daughter?  She's adorable.

[Mark]

Robin is my friend!!  :-)

I was until you called me a Ho.  "unfriend"
Just kidding.  I still luv ya Mark.   

:-)

[Mark]

I was until you called me a Ho.  "unfriend"

There still is no evidence of this....   

[Adri]

Adri, I love your profile pic.  Is that your daughter?  She's adorable.

Yep, that is my youngest, Olivia.  Thanks!

[Adri]

Mark- don't call Robin a Ho!!!!

What?  I know I can't type... but that NEVER happened!!

LOL-  Look at what you started!

[Mark]

LOL-  Look at what you started!

I started nothing!    You are just a trouble-maker!

[brinkerdana]

2.  Do you have an Offsite Work Agreement that you would be willing to share?  This would be for employees who are allowed to work from home and or those who travel (while at hotels, conferences, etc), and be security related guidelines that they agree to follow.

I've worked from home for the last 3 jobs and never had an agreement.  I KNEW the data was sensitive and made sure my computer had the appropriate safety features. 

[Robin Deatherage]

2.  Do you have an Offsite Work Agreement that you would be willing to share?  This would be for employees who are allowed to work from home and or those who travel (while at hotels, conferences, etc), and be security related guidelines that they agree to follow.

I've worked from home for the last 3 jobs and never had an agreement.  I KNEW the data was sensitive and made sure my computer had the appropriate safety features. 

One of the classes I attended at TENCon was the HIPAA and HITECH Survival Guide by Laura Nelson.  During the class she recommended that agencies have an Offsite Work Agreement in place spelling out to the employees exactly what is expected of them security wise.  That's why I'm asking about this.  Just a CYA in case you are audited.

[brinkerdana]

Two of those work-from-home jobs were pre-HIPPA, etc. 

[Lance Bateman]

Not to be picky, but it's HIPAA - Health Insurance Portability and Accountability Act - though it was gutted from the original intent of the bill (which would have allowed you to take your insurance with you if you changed employer), and now is mostly on the privacy aspects.

Anyway - it wouldn't matter if they started pre- or post- you'd need to update.  Our "work at home" also specified space, separation from other people in the house (such as children), etc - and we provided the computer they were to use.

Two of those work-from-home jobs were pre-HIPPA, etc. 

[Robin Deatherage]

Lance do you have a document that you can share?  If not that's ok.

With HITECH there are so many new issues. sigh....   
I've been referring to HITECH as "HIPAA on steriods".   

[Lance Bateman]

Sorry, Robin, I don't have access to it now.  And did you mean HITECH is HIPAA on steroids, or PMS?  (LOL)

Lance do you have a document that you can share?  If not that's ok.

With HITECH there are so many new issues. sigh....   
I've been referring to HITECH as "HIPAA on steriods".   

[Robin Deatherage]

And did you mean HITECH is HIPAA on steroids, or PMS?  (LOL)

Either one works.    

[Jan Regnier]

With HITECH there are so many new issues. sigh....   
I've been referring to HITECH as "HIPAA on steriods".   

Hmmm  I call it CRAP....... ("obscene word for unacceptable behavior" - among others)   

[Robin Deatherage]

I finally found something for offsite workers.  It's geared toward the healthcare industry but could work for us too I think.  I would appreciate any thoughts or comments please.

[Lance Bateman]

Just a couple decisions we made:
1.  We provided the computer and monitors - that way there was no concern of their own computer being used by others, or not meeting required standards (think of how many people want to limit their own computer to Windows Classic screen, or don't have the proper security set up).

2.  They were only set up for printing to the computers in the office.  Nothing from the system should be printed at their home.

3.  Workplace in the home must be dedicated, not in a room they would be dealing with children, etc.

Good luck.