Tip

Security controls needed when collecting personal information


Mark T. Edmead


An interesting thing happened to me last week, and it reminded me about the concerns information security professionals have regarding privacy and confidential information. I took my son to the dentist, and because I don't have dental insurance my plan was to pay for the dentist's services with my credit card.

During the new patient enrollment process, the form they gave me had a statement of their policy. In this policy it states that they need to have a credit card on file, just in case the insurance company doesn't pay. Now, I don't have a problem with the dentist wanting to get paid for services.

However, since I was already paying with a credit card, it didn't make sense for me to provide them with my credit card information so they can keep it on file. It's bad enough they already have a lot of information about me. In fact, the patient information form also wants additional information, including driver's license (Why do they need to know my license?) and my social security number (Again, why is this information needed by my dentist?).

This incident reminded me of how much personal information is sometimes requested by organizations. How much private and confidential information is leaving your company without your knowledge? Does your company have a privacy policy regarding the dissemination of private corporate information? Should you be concerned with the information you provide your doctor or the hospital? Would you want your hospital to release private information without your consent or knowledge?

There are differences between confidentiality and privacy issues. Confidentiality, as it pertains to the triad of information security (confidentiality, integrity and availability), deals with the fact that we need assurances that the information being transmitted can be viewed only by the intended recipients. Encryption is a good enabling technology that makes confidentiality possible. Privacy, on the other hand, is the level of confidentiality provided. Corporate users, for instance, have an expectation of privacy when it comes to e-mail. That is, they believe that their corporate e-mail account is private and no one should view their e-mail. In reality, most companies do have a privacy policy that states effectively that employees' e-mail is NOT private and that the company has the right to view the employees' e-mail at any time.

The medical industry is going through some major changes regarding protection of patient information. The Health Insurance Portability and Accountability Act (HIPAA) is designed to improve efficiency in health care delivery by standardizing electronic data interchange, and it implements the protection of confidentiality and security of health data through setting and enforcing standards.

Compliance with HIPAA requires:

  • Building initial organizational awareness of HIPAA
  • Comprehensively assessing the organization's information security systems, policies and procedures
  • Developing an action plan with deadlines and timetables
  • Developing a technical and management infrastructure to implement the plan
  • Implementing a comprehensive action plan, including:
        o Developing new policies, processes and procedures
        o Building "chain of trust" agreements with service organizations
        o Redesigning a compliant technical information infrastructure
        o Purchasing new, or adapting, information systems
        o Developing new internal communications
        o Training and enforcement

Regardless of whether you are in the medical profession or not, the issue regarding privacy is something that needs to be dealt with in any organization. Privacy issues are typically handled in the security policy or a privacy policy.

If companies want to gather personal information on patients, then they need to assure them that the information will not get into the wrong hands and that they have security controls in place.

By the way, I didn't provide the dentist with my credit card information, social security or driver's license number (after a lengthy discussion with the office manager).

Useful Web sites:

http://www.privacy.org/: A site for news, information and action regarding privacy information.

http://www.hipaadvisory.com/regs/: Great HIPAA resource site.

About the author
Mark Edmead, CISSP, SSCP, TICSA, Security+, is president of MTE Software Inc. and has more than 25 years of experience in software development, product development and network systems security. He is co-author of the book Windows NT: Performance, Monitoring and Tuning published by New Riders and editor of the SANS Business Continuity/Disaster Recovery Plan Step-by-Step Guide.


This was first published in January 2008
