Module 4 - HUD Exchange

In-Depth Security and Privacy
HMIS System Administrator Training Series
Jeff Ward, Abt Associates, Inc.
Kat Freeman, The Cloudburst Group
Natalie Matthews, Abt Associates, Inc.
Chris Pitcher, The Cloudburst Group
Provide HMIS System Administrators, end users, CoC representatives, consumers, and federal, state, and local partners with a basic understanding of:
- In-Depth Privacy and Security
Webinar Format
This training is part of a series of trainings that will
provide new staff with the basic information
needed to operate or participate in an HMIS
It is anticipated that this series of trainings will be
offered quarterly
This training is anticipated to last 90 minutes
Presenters will walk through presentation material
Audience members are “muted” due to the high
number of participants
Submitting Questions
All follow-up questions should be submitted to the
Ask the Expert function on
If you have multiple questions, we recommend
compiling them into a single submission to Ask the
Expert with a reference to the HMIS 101: Module 4
Webinar Materials & Evaluation
Quick follow up survey will be emailed out after the
The webinar will be recorded, and all materials will
be posted to
During webinar, we’ll be asking you a few questions
as well
Overview of Training Series
HMIS 101 Modules III, IV and V:
- Module III: In-Depth Data Standards
- Module IV: In-Depth Security and Privacy
- Module V: Data Quality Standard and Compliance
HMIS 201:
- Budgeting and Staffing
- PIT and HIC
- Best Practice Highlights/Use of Technology
Who are You?
HMIS System Administrator
HMIS Data Entry staff/Program staff
CoC staff
Technical Assistance provider/Trainer
HMIS Vendor
How would you rate your knowledge
of HMIS Privacy and Security?
A. Not knowledgeable
B. Somewhat knowledgeable
C. Knowledgeable
D. Expert
HMIS Privacy and Security
Privacy is the control over the extent, timing, and
circumstances of sharing oneself (physically, behaviorally, or
intellectually) with others.
Confidentiality pertains to the treatment of information
that an individual has disclosed in a relationship of trust and
with the expectation that it will not be divulged to others
without permission in ways that are inconsistent with the
understanding of the original disclosure.
Security is the means of ensuring that data is kept safe from
corruption and that access to it is suitably controlled.
2004 Technical Standards set forth expectations for privacy
and security for HMIS
HMIS Privacy and Security
Two tiers: required baseline standards and additional
recommended protocols;
Applies to all agencies and programs that record, use, or
process Protected Personal Information (PPI) for an HMIS
Continuum of Care (CoC)
Homeless service provider
HMIS host or administrator, etc.
Employees, volunteers, affiliates, contractors, and associates
are covered by the privacy standards of the agencies they
deal with; and
Privacy and security standards apply to all agencies, regardless of funding source, who use the HMIS.
Introduction to Privacy
Privacy Standards Framework
Personal Protected Information (PPI)
Includes name, SSN, program entry/exit, zip code of last
permanent address, system/program ID, and program type
Allow for reasonable, responsible data disclosures
Derived from principles of fair information practices
Borrowed from Health Insurance Portability and
Accountability Act (HIPAA)
Privacy Requirements
Privacy Standards:
- Protect client personal information from unauthorized
- Seven components:
  - Collection limitations
  - Data quality
  - Purpose and use limitations
  - Openness
  - Access and Correction
  - Accountability
Collection Limitations
Only collect information that is appropriate for
the purposes that the information is obtained or
when required by law
Use lawful and fair means to collect it
When appropriate, collect data with knowledge
or consent of the client
Post sign; infer consent for collection
Must post a sign at intake desk (or comparable location) that explains
generally the reasons for collecting this information.
Collection Limitations – Other Stuff You Can Do
- Restrict collection of personal data, other than required HMIS data elements
- Require written client consents
- Obtain oral or written consent from the individual or a third party
Data Quality
- Data must be relevant to the purpose for which it is to be used
- To the extent necessary for those purposes, data should be accurate, complete, and timely
- Must develop and implement a plan for disposal of Personal Protected Information
Purpose and Use Limitations
- Notice must specify purposes for PPI collections and must describe all uses/disclosures
- A program may use/disclose PPI only if allowed by the standard and described in the privacy
- Notice may infer consent for described uses/disclosures and for compatible uses/disclosures
- All uses/disclosures are permissive (except first party request or required by law)
- Uses/disclosures not specified in notice need written consent of the individual or legal
Allowable Uses/Disclosures
- Provide and coordinate services
- Payment or reimbursement
- Administrative functions
- Create de-identified PPI
- Required by law
- Avert serious threat to health/safety
- Academic research (written agreement
- Law Enforcement
Purpose and Use Limitation – Other Stuff You Can Do
- Seek oral or written consent for use/disclosure
- Agree to client requested restrictions on
- Limit use/disclosure to those in notice and necessary (not compatible) purposes
- Keep an audit trail for disclosures
- Make audit trails available to the client, if
- Limit disclosures to minimum necessary
Be open with agencies, clients, and other parties about how you protect client information from unethical use.
You must post a sign about your Privacy policies
(called a Privacy Notice) and your Privacy policies
must be available to anyone who requests them –
including clients and the media.
If your agency has a web page, you must post your
Privacy Notice on your web page. This is true about
individual agencies as well as any web pages
associated with your HMIS.
Openness – Other Stuff You Can Do
- Provide a simplified copy of your Privacy Notice to clients at the time of data collection.
- You may need to have copies of your Privacy Notice in more than one language.
- Provide advance notice on changes to your Privacy Policy and Notice, how you might enforce those changes, and ask for public
Access and Correction
- Must allow individual to inspect and have a copy of his/her PPI
- Must offer to explain PPI
- Must consider request to correct inaccurate or incomplete PPI
- May deny access to some info
- Must explain denials
Access and Correction – Other Stuff You Can Do
- Allow appeal of denial of access or correction
- Limit grounds for denial of access
- Allow a statement of disagreement
- Provide written explanation for denial
Must establish procedure for accepting and
considering complaints about privacy and security
policies and practices
Must require all staff members to sign a
confidentiality agreement (acknowledging receipt
of and pledging to comply with the privacy notice)
Accountability – Other Stuff You Can Do
Require formal privacy training
Regularly audit privacy compliance
Establish an appeals process for privacy policy
complaints and denials of access and correction
Designate chief privacy officer
Health Insurance Portability and Accountability Act
(HIPAA) privacy rules take precedence over HMIS
Privacy Standards
HIPAA covered entities are required to meet HIPAA
baseline privacy requirements not HMIS
Most programs are not covered by HIPAA: To learn
more go to
HMIS and Other Privacy Laws
Programs must comply with more stringent federal,
state and local confidentiality laws; and
If a conflict exists between state law and the HMIS
an official legal opinion on the matter should be
prepared by the state’s Attorney General and
submitted to HUD’s General Counsel for Review.
Domestic Violence Victim Service Providers are
prohibited from entering data into HMIS and legal
service providers are not to enter confidential client
notes into HMIS.
HMIS Consent Models
Inferred Consent:
- Baseline Requirement; and
- Client’s consent to release information is inferred from the privacy posting.
Implied/Informed Consent:
- Verbal or physical consent is required.
Written Consent:
- Client must sign a release of information (ROI).
Levels of Consent
Consent to use data within an agency for program
or agency operations.
Consent to share additional information across
programs to coordinate case management and
service delivery.
Privacy Summary
Privacy refers to the safeguarding of protected
personal information in the HMIS from open view,
sharing or inappropriate use
Protected Personal Information (PPI) is any
information that might identify a specific individual
or that might be manipulated or linked with other
information to identify a specific individual
Baseline Privacy Standards
Must comply with other federal, state, and local
confidentiality law
Must comply with limits to data collection (relevant,
appropriate, lawful, specified in privacy notice)
Must have written privacy policy - and post it on
your web site
Must post sign at intake or comparable location
with general reasons for collection and reference
to privacy policy
May infer consent for uses in the posted sign and
written privacy policy
How Much Do You Know?
(T/F) Privacy policies are not meant to restrict the use and
disclosure of data.
The purpose of privacy is to protect the client’s
information from:
A. Unauthorized access
B. Unauthorized disclosure
C. Law Enforcement
D. All of the Above
Introduction to Security
Defining Security
Security refers to the protection of client personal
protected information and sensitive program
information from unauthorized access, use or
All workstations, desktops, laptops, and servers that
connect to a network that accesses or directly
accesses the HMIS must comply with the baseline
security requirements.
3 P’s of Security Management
Products: Physical security
- Door locks
- Intrusion-detection systems
- Physical firewalls
People: Personnel security
- Those who implement and properly use security products to protect data
- Those who collect, input, or otherwise have access to data
Procedures: Organizational security
- Plans and policies established to ensure that people correctly use products and access data
Security Requirements
System security provisions apply to all the systems
where Personal Protected Information (PPI) is stored,
including, but not limited to, networks, desktops,
laptops, mini-computers, mainframes and servers
Security has three categories:
- System Security
- Software Application Security
- Hard Copy Security
System Security Requirements
User authentication
Limited multiple access
Virus protection with auto-update
Firewalls - individual workstation or network
Encryption - transmission
Public access controls
Location control
Backup and disaster recovery
System monitoring
Secure disposal
User Authentication
Every user accessing the HMIS system must have a
unique username and password.
Passwords must:
- Include at least one number and one letter;
- Be at least 8 characters long;
- Not be based on user’s name, organization, or software;
- Not be based on common words.
Good: [Na$car#39]
Bad: bobclark99
Terrible: hmis
Great: [email protected] (I Like Cake)
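The four password rules above can be turned into an automated check. The following is an added example, not code from the training or from any HMIS vendor; the common-word list, the leet-substitution table, the sample user/organization context and the passphrase `1L1k3C@ke` are all constructed for illustration.

```python
"""Checker for the four HMIS baseline password rules listed above."""
import re

# Constructed short list of common words; a real deployment would load a
# much larger dictionary (assumption, not part of the training material).
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "winter",
                "love", "like", "cake", "admin", "secret", "qwerty"}

# Undo common substitutions so Pa$$w0rd is still recognised as "password".
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def _tokens(*phrases, min_len=3):
    """Split name/organization/software strings into lowercase words."""
    out = set()
    for phrase in phrases:
        for word in re.findall(r"[A-Za-z]+", phrase):
            if len(word) >= min_len:
                out.add(word.lower())
    return out


def _segmentable(core, tokens):
    """Word-break: True if core is built entirely from tokens (bob+clark)."""
    ok = [True] + [False] * len(core)
    for i in range(1, len(core) + 1):
        ok[i] = any(ok[j] and core[j:i] in tokens for j in range(i))
    return len(core) > 0 and ok[len(core)]


def check_password(pw, user_name="", org="", software="HMIS"):
    """Return the list of violated rules; an empty list means it passes."""
    violations = []
    if not (re.search(r"\d", pw) and re.search(r"[A-Za-z]", pw)):
        violations.append("needs at least one number and one letter")
    if len(pw) < 8:
        violations.append("must be at least 8 characters")
    # Two views of the password's letters: as typed, and with leet undone.
    cores = {re.sub(r"[^a-z]", "", pw.lower()),
             re.sub(r"[^a-z]", "", pw.lower().translate(LEET))}
    personal = _tokens(user_name, org, software)
    if any(_segmentable(c, personal) for c in cores):
        violations.append("based on user name, organization, or software")
    if any(_segmentable(c, COMMON_WORDS) for c in cores):
        violations.append("based on common words")
    return violations


if __name__ == "__main__":
    # Constructed context for user Bob Clark at a fictional shelter.
    for candidate in ("Na$car#39", "bobclark99", "hmis", "1L1k3C@ke"):
        print(candidate, check_password(candidate, "Bob Clark",
                                        "Main Street Shelter"))
```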
User Authentication (cont.)
All computers used to access HMIS data must
require user authentication (e.g.,
Logging on to the HMIS computer alone is not
IDs and Passwords for the HMIS software should be
different than the workstation ID and Password
IDs and Passwords should not be stored or
displayed in any publicly accessible location.
HMIS IDs and Passwords must not be shared.
Strong password
Keep it secret
Multiple Access
An individual user must NOT be allowed access to
the HMIS from multiple workstations on the network
at the same time.
An individual user must NOT be allowed to log onto
the local network from more than one location at a
System Level Virus Protection
All computers accessing HMIS (including remote and
VPN users) must have anti-virus software installed
and updated regularly that automatically scans files.
Old Anti-Virus Software = No Anti-Virus Software
Public Access
HMIS that use public forums for data
collection/reporting must have additional security to
limit access using Public Key Infrastructure (PKI) or
through IP filtering.
Translation: Any Web-based HMIS accessed over
the Internet, needs digital certificates installed on
all browsers on all computers accessing the HMIS
(PKI) or an extranet to limit access based on IP
What is Public Key Infrastructure?
Each user is issued a private key to encrypt
messages and a public key to decode messages;
Private key is kept secret and known only to user;
Public key uses a digital certificate to authenticate
the identity of the user;
Digital certificates must be issued by a recognized
Certificate Authority; and
Secure socket layer “SSL” encryption does not meet
the baseline PKI requirements.
PKI: Public Key Infrastructure
Options for implementing PKI:
- Self-issued certificate authority. Example: Microsoft Certification Authority;
- Third party certificate authority. Example: Verisign or
- USB token; or
Alternative to PKI: Limiting access to HMIS through IP filtering.
IP Addresses
Everything on the internet (servers, desktops,
blackberries) is assigned an internet protocol (IP)
The internet uses IP addresses to move information
from one place to another;
An IP address looks like this:; and
Firewalls block suspicious IP addresses from
accessing your computer.
Physical Access/Location
Access to workstations must be controlled and
- Options: locked offices, privacy screens, etc.
Access to servers must be controlled to a greater
- Options: locked cabinet or cage; secure facilities.
Backup and Disaster Recovery
All HMIS data must be regularly backed up and stored in a secure off-site location:
- Backup your data and applications;
- Save them to tape;
- Test the tapes;
- A backup tape lying next to a server won’t help if the server room catches fire!; and
- Alternatively, consider secure network-based offsite backup solutions.
Secure Disposal
Tapes, disks and hard drives must be properly formatted and erased before disposal.
- At least two erasure passes (three or more is
Free and commercial software is available to prepare old workstation hard drives, tapes, and floppies before discarding.
System Monitoring
Most security breaches are carried out by authorized users of client record systems.
All systems including central servers must be monitored and “routinely” reviewed by staff.
Monitoring decisions:
- Who
- What is normal and what is abnormal usage and
- How do I access the information?; and
- What variables to monitor?
System Monitoring (cont.)
What variables to monitor:
- Logon
- Account management;
- Policy changes;
- Privilege use;
- Process tracking;
- System events; and
- Connection attempts (IP and port).
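The Multiple Access rule (one user must not hold HMIS sessions on two workstations at the same time) is one thing the logon variables listed above let you check. The following detector is an added example, not code from the training or any HMIS product; the audit-event format and the sample events are constructed, and a real system would feed it its own logon/logoff records.

```python
"""Flag a user who logs on to a second workstation while a session is open."""
from datetime import datetime

# Constructed sample of logon/logoff audit events: (time, user, workstation, kind).
SAMPLE_EVENTS = [
    ("2024-03-04 08:55:10", "jdoe",   "WS-INTAKE-1", "logon"),
    ("2024-03-04 09:02:44", "asmith", "WS-CASE-3",   "logon"),
    ("2024-03-04 09:10:03", "jdoe",   "WS-CASE-2",   "logon"),   # jdoe still on WS-INTAKE-1
    ("2024-03-04 09:31:20", "jdoe",   "WS-INTAKE-1", "logoff"),
    ("2024-03-04 09:40:00", "asmith", "WS-CASE-3",   "logoff"),
    ("2024-03-04 09:41:15", "asmith", "WS-FRONT-1",  "logon"),   # sequential move, allowed
    ("2024-03-04 12:00:00", "jdoe",   "WS-CASE-2",   "logoff"),
]


def find_concurrent_sessions(events):
    """Return one (user, open_workstation, new_workstation, time) tuple for
    every logon that happens while the same user is still logged on elsewhere.
    Events are processed in time order; a repeated logon on the same
    workstation is not a violation."""
    open_sessions = {}   # user -> {workstation: logon time}
    findings = []
    for ts, user, ws, kind in sorted(events, key=lambda e: e[0]):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        sessions = open_sessions.setdefault(user, {})
        if kind == "logon":
            for other in sessions:
                if other != ws:
                    findings.append((user, other, ws, when))
            sessions[ws] = when
        elif kind == "logoff":
            sessions.pop(ws, None)
    return findings


def still_open(events):
    """Sessions with no matching logoff at the end of the log; these are the
    candidates for the automatic log-off the best practices recommend."""
    open_sessions = {}
    for ts, user, ws, kind in sorted(events, key=lambda e: e[0]):
        if kind == "logon":
            open_sessions[(user, ws)] = ts
        else:
            open_sessions.pop((user, ws), None)
    return sorted(open_sessions)


if __name__ == "__main__":
    for user, old, new, when in find_concurrent_sessions(SAMPLE_EVENTS):
        print(f"{when}: {user} logged on at {new} while still on {old}")
    print("never logged off:", still_open(SAMPLE_EVENTS))
```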
Software Application Security
User Authentication
Electronic Data Transmission
Electronic Data Storage
User Authentication
Like the workstation, the software used to access
HMIS data should require user authentication (e.g.,
Logging on to the HMIS computer alone is not
IDs and Passwords for the HMIS software should be
different than the workstation ID and Password
IDs and Passwords should not be stored or
displayed in any publicly accessible location.
HMIS IDs and Passwords must not be shared.
Data Transmission Encryption
Two options:
- 128-bit encryption over the wire; and
- Secure Socket Layer (SSL): A communications protocol used to secure all sensitive data. SSL is normally described as wrapping an encrypted envelope around message transmissions over the Internet.
- Secure direct connections.
- Virtual Private Network (VPN)
Electronic Data Storage
All HMIS data that are electronically transmitted over the internet must be encrypted.
- Encryption is the conversion of plain text into encrypted data (code)
- Encryption is used to protect a client’s sensitive personal information from unauthorized viewing
- John Smith = [email protected](f4Rnkin^43gn
Hard Copy Security
Applicable to any paper or other hard copy containing PPI that is generated by, or for, the HMIS:
- Intake forms
- Consent forms
- Reports
Must supervise hard copies at all times when in a public
- Includes intake areas
When staff are not present, hard copies must be
Must not be stored or displayed in any publicly accessible location.
How Much Do You Know?
Which is the weakest
(T/F) The three categories of security are system security,
software application security and hard copy.
Security Best Practices
HMIS Security Best Practices
HMIS users:
- Unique username and password
- Signed receipt of privacy notice
HMIS computers and networks:
- Secure
- Workstation username and password
- Virus protection with automatic update
- Locking password protected screen saver
- Individual or network firewall
- Public Key Infrastructure (PKI) to prevent unauthorized
Best Practices (cont…)
Designate a Chief Security Officer to implement and
oversee security measures
Staff computers in public areas used to collect and
store HMIS data at all times
Enable password protected automatic screen savers
when workstation is not in use
Automatically log users off the system after a period of
Require regular changing of passwords and encourage
creation of strong passwords
Use a bonded vendor to destroy HMIS data
User Training (Strongly Recommended)
Although not a baseline requirement, all users should participate in:
- Data and Technical Standards Training
  - Participation and Data Collection Requirements; and
  - Privacy and Security Protocols to Protect Client Data.
- Software training
  - How to enter, edit, change, and delete data; and
  - User and computer security requirements.
- Ethics and privacy training
  - Consent protocol and privacy protocols; and
  - How to interview clients in a sensitive manner.
- User groups are strongly encouraged to develop peer support
Key Security Points
Applies to all machines accessing or storing HMIS data;
All computers must have virus protection;
All servers or computers directly accessing the internet
must be protected by a firewall;
Web-based HMIS must use PKI or IP filtering to limit
public access to data;
Physical access to computers and servers must be
Regular back-up and storage of HMIS data; and
Regular monitoring of HMIS at the system level.
Security Resources
National Institute of Standards and Technology
Computer and Security Resource Center
Carnegie Mellon/CERT: Connecting to the Internet
National Institutes of Health Center for Information
Technology Security Site
CERT Implementation Tips for Servers and Networks
Forum of Incident Response and Security Reform
- HUD Homeless Data Exchange (HDX):
- HUD Homelessness Resource Exchange:
How would you rate your knowledge
of HMIS Privacy and Security?
A. Not knowledgeable
B. Somewhat knowledgeable
C. Knowledgeable
D. Expert
Thank you!