FundClass Archives:

Security, Privacy, Business Continuity, HIPAA

Edited Digest of FundClass Topic #36, January 2003

We are so fortunate to have one of our own, Timothy Casey, agree to facilitate this "Ask the Expert" session of FundClass.

Timothy will be answering questions surrounding the topic of "Security, Privacy, and Business Continuity," issues that concern all of us in the nonprofit sector.

Timothy Casey is a former President of the Hemochromatosis Foundation, and has worked for several other NPOs in leadership roles. Returning to a lifelong interest in Privacy protection after September 11, he is now a senior Information Security Analyst for a large US computer company and an accredited Certified Information Systems Security Professional (CISSP). However, Timothy continues to do consultant work for small NPOs around Phoenix, Arizona, especially in the areas of Security, Risk Analysis, and Privacy. He is also one of the Co-Founders and Directors of the FundClass.

This is a fantastic opportunity to explore the issue of security in our organizations. Help welcome Timothy by your active participation in class.

Opening Statement

 

Hello!

Thank you for participating in this forum on “Security, Privacy, and Business Continuity”. Being secure in your operations doesn't raise funds directly, but it does protect you from losses that could seriously affect your ability to conduct business.  I hope this discussion will raise your awareness of the full nature of "security," the need for it in your organization, and how a few simple steps can often dramatically improve your level of protection!

As you are no doubt aware, these issues have become increasingly important--and complex. The rules are changing sometimes weekly, and different regions and countries have very different approaches. I will try my best to answer any questions you have in this arena, if you'll forgive the occasional "I'll have to get back to you on that one..."

I look forward to your questions!

Overview

Since this week's topic is a little outside of most people's domain, I've been asked to provide some background. I apologize for the length of this post. However, it should give us a common vocabulary and understanding for even more productive discussions.

Security

Most people think of "security" as protecting themselves from someone who wants to commit a crime, such as a burglar or a computer hacker. Actually the field of security is much broader than that. While there are no official definitions, the best way to describe security is "the art and science of protecting an asset from harm." An asset can be anything that is important to you, such as financial records, a donor database, a person, your private information (more on that later), offices and equipment, even your reputation. Harm can come from almost anywhere, and is not restricted to external criminals. It can also come from natural disasters, accidents, power outages, or vandals, but the single largest security threat facing your organization is untrained employees. Exact numbers are difficult to determine, but most studies show that 50%-60% of all security breaches come from inside, and most of those are unintentional.

Most people think of theft when talking about security, and you are probably wondering if these statistics are created by millions of kleptomaniac employees. No, thank goodness! Harm can come to an asset in one of three ways:

  1. Loss of Availability

    When you are unable to use an asset for any reason, you have suffered an “Availability Compromise”. Loss can occur in many different ways and has a different impact, depending on the asset. Some examples:

    • A power surge destroys the fax machine just before the Annual Fundraising event, and you are unable to send important reminders to your targeted attendees.
    • A volunteer accidentally reformats the computer hard drive, and wipes out your financial data.
    • The only person who knows how to run the donor database leaves suddenly for more pay (Loss #1), and your organization cannot recover the information (Loss #2).
  2. Loss of Confidentiality

    This is the unauthorized disclosure of sensitive information, and is the area in which governments have the most concern, and where most research and technology is focused. That doesn't mean Confidentiality is not important to even small NPOs/NGOs. Examples:

    • Someone breaks into your office and steals the credit card numbers of all your donors for the past two years, and starts selling the numbers on the internet.
    • A poorly installed computer program accidentally posts all employee information, including position and salaries, to the organizational website.
    • Your biggest anonymous donor sees her name published in the newspaper, and angrily calls to revoke all current and future gifts. Then she calls all her friends who do the same.
  3. Loss of Integrity

    This may sound the same as the other two, but it is very different. Integrity of an asset describes its accuracy or suitability. The asset is still available, and may not be exposed, but something has happened to it that decreases its worth. And the worst part is you may not even know it! Some examples:

    • A new user accidentally sets all the zip codes in your mailing list to 99999.
    • Just for fun, a hacker quietly breaks in to your system and changes some of the numbers in your tax records, then leaves without a trace.
    • The classic and most common Integrity event: Two people unknowingly work on different parts of the same data file at the same time. When the second person saves the file, the changes saved by the first person are overwritten and lost forever. The first person never realizes his changes were lost, so the data in the file is used even though it is wrong or incomplete.

Some things to note about the examples for Availability, Confidentiality, and Integrity:

  • All of these actually happened within the last few years, and are very typical of the types of events most security professionals deal with every day.
  • Most occurred as a result of inexperienced or inattentive employees. Awareness and training are needed much more than expensive technology.
  • Organizational size provides very little protection.
  • You don't need to own a computer to have a security problem.
  • Most of these were preventable, or at least recoverable.

The last point leads in to the next item...

Business Continuity

Business Continuity (BC) is a relatively new field that deals with the "big picture" of steady business operation. The overall goal of BC is much as it sounds, to make sure business with clients continues, with little or no interruption, regardless of the events behind the scenes. It is actually much larger than security, which deals almost entirely with prevention, by also adding a recovery focus. There are three basic parts to BC:

  1. Risk Analysis: The first step in protecting yourself is by taking a hard look at which assets you have, what threats are facing them, and what weaknesses in your system may expose them to harm (a sometimes sensitive subject). This sounds technical, but the techniques are actually very simple and can be applied to almost any situation. The Risk Analysis will tell you which of your assets are most at risk. You then have two tasks to reduce the risk that a major event will disrupt your operations...
  2. Mitigation Planning: An ounce of prevention. A Mitigation Plan describes the efforts you make to reduce the probability of a security compromise from occurring. The type of mitigation is dependent on the asset, e.g. surge protectors for delicate equipment, change control tools for data files, and ample, ongoing training for everyone. But no protection is 100% guaranteed, so you also need...
  3. Contingency Planning: Plan "B", what to do when a problem does occur. (This is also sometimes called "Disaster Recovery Planning," although current usage typically reserves that term for true disasters like earthquakes.) You have to assume that since you cannot possibly predict and prevent every possible threat, some day you will suffer a loss. In that case, you should already have thought out what you would do. Typical contingency plans include data and power backups, repair and consultant contact lists, alternate office space, etc., plus all the policies and training needed to make these effective.

Finally, there are some risks for which there may be no viable mitigation or contingency. In that case you must decide to live with the risk, or transfer the risk to someone else, i.e. buy insurance to cover it.

Privacy

Privacy is a special type of asset. It is, essentially, the information that identifies you as an individual, i.e. it is the aspects of your life that are unique to you. Because of its tremendous personal value and impact, it is an asset that receives considerable attention, especially since computers have made the invasion of privacy so widespread. Many governments and organizations are looking at the subject, and it has become a specialty all its own within Security.

I'm going to introduce a term you will hear often in this discussion: Personally Identifiable Information (PII). PII is any information that is unique and distinguishes you from other people. This can include records of finances, health, schooling, purchases, media accesses, and other matters not of public record. Most of the discussion of "privacy" is specifically about PII.

The difficulty in discussing Privacy in a forum such as this is that the definition changes from country to country. In fact, every individual has his or her own definition, and a different estimation of its value. I've noticed that there are already a few questions about the privacy implications of the U.S. HIPAA legislation. While these are legitimate questions, please keep in mind that the subject is very large, and in the case of items like HIPAA, applies only to the U.S.

I hope this has been some help to you in examining your organization's security position. Please feel free to ask any questions on the subjects above, or any others you have regarding Security, Privacy, & Business Continuity.
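The "classic and most common Integrity event" in the Overview, two people editing the same record and the second save silently erasing the first, is also the easiest of the three examples to catch with a little technology. The code below is an added example, not part of the original FundClass digest. It keeps a version number on each donor record and refuses a save that is based on a stale copy, so the second editor is told to reload instead of overwriting the first editor's work. The table layout, the sample donor row and the ConflictError class are assumptions made for this demonstration.

```python
"""Detecting the 'lost update' Integrity event with a version column.

Added example (not code from the original FundClass digest). The donors table,
its sample row and the ConflictError class are assumptions for this demo.
"""
import sqlite3

COLUMNS = ("id", "name", "zip_code", "notes", "version")


class ConflictError(Exception):
    """Raised when a save is based on a copy that someone else has since changed."""


def open_db():
    """In-memory database holding one constructed sample donor record."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE donors ("
        " id INTEGER PRIMARY KEY, name TEXT, zip_code TEXT, notes TEXT,"
        " version INTEGER NOT NULL DEFAULT 1)"
    )
    conn.execute(
        "INSERT INTO donors (id, name, zip_code, notes) VALUES (1, 'A. Donor', '85001', '')"
    )
    conn.commit()
    return conn


def load(conn, donor_id):
    """Return the record as a dict, including the version the editor loaded."""
    row = conn.execute(
        "SELECT id, name, zip_code, notes, version FROM donors WHERE id = ?",
        (donor_id,),
    ).fetchone()
    return dict(zip(COLUMNS, row))


def save(conn, record):
    """Write the record back only if nobody else has saved since it was loaded.

    The WHERE clause compares the stored version with the version the editor
    loaded. A stale copy matches zero rows, so the save is refused instead of
    quietly overwriting the other person's changes.
    """
    cur = conn.execute(
        "UPDATE donors SET name = ?, zip_code = ?, notes = ?, version = version + 1"
        " WHERE id = ? AND version = ?",
        (record["name"], record["zip_code"], record["notes"],
         record["id"], record["version"]),
    )
    conn.commit()
    if cur.rowcount == 0:
        raise ConflictError(
            f"donor {record['id']}: changed since version {record['version']} was loaded"
        )
    record["version"] += 1
    return record["version"]


def demo():
    """Two editors load the same record; the second, stale save is refused."""
    conn = open_db()
    first = load(conn, 1)
    second = load(conn, 1)              # same record, same version (1)
    first["zip_code"] = "85004"         # first editor corrects the zip code
    save(conn, first)                   # accepted: version 1 -> 2
    second["notes"] = "prefers email"   # second editor never saw the zip fix
    try:
        save(conn, second)              # would clobber the zip fix ...
        outcome = "overwritten"
    except ConflictError:
        outcome = "conflict"            # ... but the version check rejects it
    return outcome, load(conn, 1)


if __name__ == "__main__":
    print(demo())
```

The same pattern (a version or timestamp column checked in the UPDATE) works in any database a small NPO is likely to use; for files on a shared drive, the equivalent is check-out/check-in or a change control tool, as the Mitigation Planning item suggests.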

Privacy concerns and HIPAA [U.S. Specific]

Michael

Timothy:

Health information privacy is a big issue for hospitals and other health-related charities and nonprofits. The HIPAA regulations issued by the Federal government place new restrictions on who may solicit "grateful patients" and how they may be targeted for solicitation.

What are the best resources you've found for briefly outlining which nonprofits are affected and how the new regulations affect health-related fundraising?

Thanks!

 

Liz

Timothy, I'm also interested in this topic, especially as it relates to "other health-related charities and nonprofits." I do some volunteer work with a cancer org. We use survivors in our PR. Do we now need to get written permission to do that? What else do we need to know?

 

Carolyn

I am very interested in this topic, but it would be very helpful if information or rules that apply directly to the country or state you are in are identified as such so we will know what items may not be relevant where we are. Thanks

 

Timothy

Hi Michael,

Boy, starting off with the tough questions! :-)

Bear with me while I provide a little background for those who are not familiar with HIPAA:

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the US Congress in 1996. HIPAA included a number of provisions intended to make health insurance more affordable and accessible. It also required the Health and Human Services agency (HHS) to adopt national standards for certain electronic health care transactions, codes, identifiers and security. It also set a three-year deadline for Congress to enact comprehensive privacy legislation to protect medical records and other personal health information. When Congress did not enact such legislation by 1999, HIPAA required HHS to issue health privacy regulations.

As a result, HIPAA is a large and well-intentioned piece of legislation that has not been completely implemented with regard to privacy. In the vacuum left by Congress, HHS and various other agencies are forced to move slowly in setting policy & regulations to meet HIPAA. Consequently, it is still a little difficult to describe specific applications of the law because so many gray areas remain.

However, the intent of the Act is very clear: to prevent the disclosure of anyone's personal medical facts to anyone who has not received explicit permission to receive it. The good news is that HHS has proposed a "Final Ruling" protecting the confidentiality of medical records. The rule limits the use and release of personal medical information, gives patients the right to access their medical records, restricts most disclosure of health information to the minimum needed for the intended purpose, and establishes safeguards and restrictions regarding disclosure of records for certain public responsibilities, such as public health, research and law enforcement. And as you noted, a few of the provisions address NPO operations, but there is very little guidance. If Congress does not intervene, this rule will become effective starting in April of this year.

Now back to your questions, Michael:

Who is affected?

  1. HIPAA is not restricted to clients, so it affects all NPOs with U.S. employees who participate in an employer-sponsored health plan. You have specific responsibilities to protect your employees' medical privacy to the same degree as clients.
  2. The regulations regarding medical privacy also apply additionally to all organizations that collect personal health information, regardless of their tax standing. Say for instance you are the XYZ Disease Association and you maintain a database of people who have that disease, collected from letters and visits to your website. Under HIPAA, you are obligated to limit access and protect that information, even if those people volunteered that information to you. In the future, you will need to inform visitors & clients that you intend to collect the info, for what purpose, their rights to see what you have on them, and give them the option to decline to participate.

Best resources?

Much general information about HIPAA is available on the web and at the library. The authoritative source is the Health & Human Services agency http://www.hhs.gov. A search of "HIPAA" on the HHS site will show you a number of useful documents, including the new regulations and some interpretive documents. Unfortunately, I do not know of a good reference specifically for NPOs other than the Final Ruling itself. As I said before, so much of this is so new that very little information about its application has been published. If you do know of such a resource, please share it with the group.

However, you might try contacting your health plan insurance provider. HIPAA has some of its biggest impacts on the insurance industry, so they have invested considerable research into its application and often provide consultation free of charge. Your provider will know your organization best, so I would start there. If you don't have an employee health plan, contact one of the larger insurance companies in your area, they can often provide the information or contact you need.

Whew! Sorry about the long post, but as I said, you started with the tough questions!

 

Michael

Timothy:

Thanks for a great introduction to a tough issue. One reason for my asking the question here was to demonstrate that it's not simple. I know a local consultant who attended a one-day seminar at a national conference and is now marketing herself to attorneys as well as nonprofits as an "expert" on HIPAA. Groan!

Another resource is the Association for Healthcare Philanthropy (AHP). Their web site includes an entire section on HIPAA and what it means for healthcare-related fundraisers: http://www.go-ahp.org/

One major issue specific to the fundraising area is the issue of so-called "grateful patient" fundraising mailings. It's now a lot tougher to mail a fund raising appeal to, say, parents of newborns born in a certain hospital that is targeted to their particular situation. Providers must respect patient privacy regarding department-of-service information when it comes to fund raising. This has the effect of making "grateful patient" appeals generic rather than specific, protecting patient privacy but making appeals less successful (targeted appeals generally work better than generic ones).

Thanks again, Timothy, for your thoughtful response.

 

Timothy

Hi Liz,

This is a very interesting question! I have not found anything in the HHS Rule to cover this specifically. However, if the survivors are identifiable in any way, I am quite sure the use of their info would fall under the privacy regulations, and you will need their permission. Even if HIPAA did not cover it, you'll still need a standard media release form signed.

If they are not identifiable, I would still get their permission as a courtesy. I'm not sure I'd appreciate seeing my story used without my permission, even if no one else could tell it was me.

 

Priscilla

Our organization works with cancer patients as well. We believe that no one has the right to tell another person's story unless you have their express permission. Written or emailed works for us but we have to have one of these before we will even use it anonymously.


Database Reuse

Carlos

Suppose the development officer moves to another similar organization and begins using the database he had collected while working for the organization to benefit the new organization?

What are the rights of deserted organization?

Thanks.

 

Timothy

Hi Carlos,

The situation as you describe it is outright theft, and the "deserted organization" should contact the authorities to determine the course of action to recover their property.

It is highly unethical and usually illegal to use ANY materials or data from a previous employer, unless it is already in the public domain. You can bring your expertise to the new job, and that's all.

 

Security Problems In Your Organization?

Sitting on my patio this morning reading the paper I came across a story about a company that donated some of their old computers to a charity. When the charity fired up the computers, though, they found that the hard drives had never been erased. All kinds of data, including finances, employee data, and customer billing information were not only still available, but also not protected in any way. Fortunately for the company, the charity immediately notified them, and the company then paid to have the drives wiped clean. Had the computers gone to someone not as scrupulous, it is possible that some very sensitive and personal data may have been used for less than honest purposes.

Since the topic this week includes "Security," this story made me curious about the security policies in NPO/NGOs. Obviously that particular company needs some work, but we know from many surveys that most large and medium sized companies are spending a great deal on security these days, and improving every day. However, we have little information on how NPO/NGOs are doing in protecting themselves. So although this is an "Ask The Expert" session, I'd like to ask *you* a few questions. Your participation is entirely voluntary, but the more responses we get, the better picture we can get about our overall state of awareness, and see if there are any obvious gaps that need immediate attention.

Ready? You can answer any or all of these, as simply as you like, and in any way that's convenient for you. However, please be courteous to others on the list if you respond here, and include only the text needed for your response to keep the messages as short as possible. Thanks!

1. Would you call your organization small, medium, or large?

2. Would you describe your security concerns as mostly physical (example: vandalism or theft), informational (the data in your files and on your computers), something else, or no concerns at all?

3. Does a person or department in your organization have the explicit responsibility for security?

4. How much do you spend on security in a typical year?

5. Are employees and volunteers given security training?

6. Have you had any serious security compromises in the last few years? What were they? What was done to prevent it from happening again?

I look forward to your answers!

Jeanne

This is in support of your point, though not directly answering your questions. I look forward to the compilation of the answers you receive.

I'm interested in the IT security issue in the larger context of emergency planning--whether an emergency may relate to destruction of, or lacking access to one's business, because of fire, flood and other typical disasters, or having a business cordoned off during a crime or fire investigation, or relating to impact of terrorism. The unscrupulous (or inept) employee fits here too.

The Westchester County Chamber of Commerce and American Red Cross have recently joined to provide training in emergency planning to small businesses and non-profits. IT security falls under this, and is an important part for most. The assumption is that the large businesses (the IBMs, other major corporations with headquarters or operations in Westchester) are well covered, as you said, but small businesses and non-profits are doing much less planning, and there is less awareness. A study by the U. of Delaware indicates that since 1985, of every business that suffers a major emergency or disaster, 50% never fully recover, and 80% of the 50% never open their doors again. I'm not aware of statistics for non-profits.

Those of us who have volunteered and received initial training will start in a month or so to hold awareness sessions for small businesses and non-profits, to be followed by more detailed workshops. I'm a trainer with a background in non-profit management including development, and was involved in preparing (or being affected by) security plans overseas—where there were threats of strikes and riots and possible need to evacuate employees--so am keenly aware of the issues.

Keep your good advice coming!

 

Timothy

Jeanne,

Thanks for the information. As you point out, emergency planning (aka disaster planning) is an important part of security planning for any organization, and as the statistics show, many companies don't survive "the big one." I presume that NPOs have the same failure rate, if not more.

I have noticed that organizational emergency planning is much like making a will. It's hard not to think you are tempting the fates, we put it off for later whenever possible, and it can be downright uncomfortable planning for the worst. But like a will, suffering an emergency without a plan is far worse than making the plan itself.

For anyone interested, there are many resources available to help you in your emergency planning--books, seminars, websites, and partnerships with support organizations such as the one Jeanne described with the American Red Cross.

You don't have to spend a fortune or many months to develop your plan. Working with partners and other resources you should be able to quickly put together a short, simple plan, and then refine it as time & resources allow. The important point is to HAVE a plan, and USE IT when the inevitable happens.

 

Lisa

1. Would you call your organization small, medium, or large? Small

2. Would you describe your security concerns as mostly physical (example: vandalism or theft), informational (the data in your files and on your computers), something else, or no concerns at all?

Our Security concerns are informational as we use an adoption application, which requires "some" personal information on those people wishing to adopt a rescue animal from us. Currently, only the two directors and two trained interviewers see these applications. Our database, which is open to a larger base of volunteers, has separate "views"; the "volunteer view" does not contain addresses, email, telephone etc. for "adopters". This also applies for those people who surrendered a pet to us but also blanks out the person's name, leaving dates, reasons for surrender, pet information etc. available.

3. Does a person or department in your organization have the explicit responsibility for security? The Directors take responsibility for the security of information and are the only ones who have full administrative database privileges. We train our interviewers and are certain they understand that this information is NOT for public viewing. Our files remain locked and our computers password protected. We also use Norton SystemWorks on our computers with the internet security alert always enabled. It can slow things down during peak usage hours, but so far has kept us from being "hacked into" and has caught all daily attempts to send an email virus to our organizational addresses (we get a minimum of 5 virus laden emails per day, luckily all have been detected and quarantined). We also insist our volunteers with access to our database programs use virus software and run FULL system scans on their personal computers weekly.

4. How much do you spend on security in a typical year? This is our first year of operation and our cost was roughly $440.00

5. Are employees and volunteers given security training? No employees; yes, volunteers with access are trained in computer security regimens, and volunteers without computer access to our system are taught that ALL adoption and surrender information must be privacy protected. Without this privacy owners and adopters will be less likely to use a rescue, which means more animals will end up euthanized at the local shelters. That usually "helps" them "remember" not to gossip.

6. Have you had any serious security compromises in the last few years? What were they? What was done to prevent it from happening again? One total hard drive crash just prior to our becoming a stand-alone organization. We were still working with a National group and the Executive Director did not keep her virus protection up to date and a Trojan Horse/Worm infected her computer. She sent this to 25 volunteers (us included) and never said a word to anyone unless they called her asking what in the world was going on (strange error messages were popping up everywhere). One of our computers was not up to date (the volunteer had continually told the system she'd update "later") and the hard drive was a total loss. So far, we've been lucky and our precautions have been enough. I'm certain as we grow, so will our security needs.

 

Timothy

Lisa,

Wow, I'm impressed! You've described a security plan that rivals that of many, much larger companies. Here are the important aspects you have in your security system:

- Someone high in the organization has responsibility for security.

- Everyone is assigned a clearly defined role, and access to info for each role is based on "least privilege" (only the minimal access needed to perform their duties). This access is enforced by technology.

- More than one person is assigned to every role, important for both redundancy and oversight.

- Training is in place and is mandatory.

- Information in storage is protected (in this case, with encryption).

- Intrusion detection systems are in place (Norton Systems firewall). Outside access is only by trusted (regularly scanned) systems.

- Reading between the lines, I presume you do regular backups.

Excellent! You have all 3 fundamentals -- Accessibility, Confidentiality, and Integrity -- covered, through a formal system of policy and procedures.

For your next step, I would recommend you add an oversight function, usually done as an occasional audit or walkthrough. The purpose is not to punish anyone doing something wrong, but to ensure the procedures you have are followed correctly. Used properly, an audit will augment training, and close the holes before a big mistake can happen.

Thanks for your reply!
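The "volunteer view" Lisa describes, and the "least privilege ... enforced by technology" point in Timothy's reply, can be shown concretely. The code below is an added example, not part of the original FundClass digest and not Lisa's actual database. It mirrors her set-up: a surrenders table whose owner columns are PII, a view that carries only the dates, reasons and pet details, and a "volunteer" database connection on which the database itself refuses any read of a PII column and any write, whatever SQL the volunteer types. A "director" connection has no such restriction. The table, column and view names, the sample rows and the role helpers are assumptions made for this demonstration; the enforcement hook is the standard sqlite3 authorizer.

```python
"""Least-privilege views enforced by the database, not by trust.

Added example (not code from the original FundClass digest). Table, view and
column names, the sample rows and the role helpers are assumptions for this
demo. Enforcement uses sqlite3's authorizer, which vets every column read and
every write a connection attempts.
"""
import os
import sqlite3
import tempfile

BASE_TABLE = "surrenders"
VOLUNTEER_VIEW = "volunteer_surrenders"
PII_COLUMNS = {"owner_name", "owner_address", "owner_email", "owner_phone"}

# Constructed sample data; no real owners or pets.
SAMPLE_ROWS = [
    (1, "J. Smith", "12 Elm St", "j@example.org", "555-0100",
     "2003-01-08", "moving", "Biscuit", "dog"),
    (2, "R. Jones", "9 Oak Ave", "r@example.org", "555-0101",
     "2003-01-15", "allergies", "Mochi", "cat"),
]


def build_sample_db(path):
    """Create the base table, the PII-free volunteer view, and the sample rows."""
    conn = sqlite3.connect(path)
    conn.executescript(f"""
        CREATE TABLE {BASE_TABLE} (
            id INTEGER PRIMARY KEY,
            owner_name TEXT, owner_address TEXT, owner_email TEXT, owner_phone TEXT,
            surrendered_on TEXT, reason TEXT, pet_name TEXT, pet_species TEXT
        );
        CREATE VIEW {VOLUNTEER_VIEW} AS
            SELECT id, surrendered_on, reason, pet_name, pet_species
            FROM {BASE_TABLE};
    """)
    conn.executemany(f"INSERT INTO {BASE_TABLE} VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    conn.close()


def volunteer_authorizer(action, arg1, arg2, db_name, source):
    """Policy for the volunteer role, consulted by SQLite while compiling each statement.

    For SQLITE_READ, arg1 is the table or view and arg2 the column being read
    (source names the view the read goes through, if any).
    """
    if action == sqlite3.SQLITE_READ:
        if arg1 == VOLUNTEER_VIEW:
            return sqlite3.SQLITE_OK
        # Base-table reads are fine for the operational columns (this is how
        # the view is served) but never for a PII column.
        if arg1 == BASE_TABLE and arg2 not in PII_COLUMNS:
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    # INSERT, UPDATE, DELETE, schema changes, PRAGMA: not for volunteers.
    return sqlite3.SQLITE_DENY


def volunteer_connection(path):
    conn = sqlite3.connect(path)
    conn.set_authorizer(volunteer_authorizer)
    return conn


def director_connection(path):
    """Directors hold full administrative privileges: no authorizer."""
    return sqlite3.connect(path)


def attempt(conn, sql):
    """Run one statement; return ('ok', rows) or ('denied', message)."""
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:   # "not authorized" comes back here
        return "denied", str(exc)


def demo():
    """Build the sample database and exercise both roles."""
    path = os.path.join(tempfile.mkdtemp(), "rescue.db")
    build_sample_db(path)
    vol, dirc = volunteer_connection(path), director_connection(path)
    result = {
        "volunteer_view": attempt(vol, f"SELECT id, reason, pet_name FROM {VOLUNTEER_VIEW} ORDER BY id"),
        "volunteer_pii": attempt(vol, f"SELECT owner_name FROM {BASE_TABLE}"),
        "volunteer_star": attempt(vol, f"SELECT * FROM {BASE_TABLE}"),
        "volunteer_write": attempt(vol, f"UPDATE {BASE_TABLE} SET reason = 'x' WHERE id = 1"),
        "director_full": attempt(dirc, f"SELECT owner_name, pet_name FROM {BASE_TABLE} ORDER BY id"),
    }
    vol.close()
    dirc.close()
    return result


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The point of doing it in the database rather than in the application screens is the one Timothy makes: the volunteer's access is limited by what the system will execute, not by which buttons the front end happens to show, so a curious volunteer with a query tool gets "not authorized" rather than a donor's address. On a multi-user server the same policy would be expressed with a restricted role granted SELECT on the view only.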

 

Christine

Join me in thanking Timothy Casey for his time and effort in answering your questions and concerns about privacy and security. We are fortunate to have his expertise and knowledge on our behalf and for giving so generously of those talents to FundClass. Thanks, Timothy!