mssmem.com

I forget…what did that email say? oh yeah, its at mssmem.com

Email Security

TO:                  All Faculty and Staff

 

FROM:            Aviva Halpert

Chief HIPAA Officer

The Mount Sinai Medical Center

 

Kenny Chu

Senior Director, Information Technology Security

The Mount Sinai Medical Center

 

DATE:              September 10, 2009

 

RE:                   Email Security

 

 

Email of Protected Health Information (PHI) or Other Confidential Information

Users of the Mount Sinai Medical Center email systems should review the policy on the Use of E-MAIL for communicating Protected Heath Information (PHI)and/or Personal Financial Information (Policy H-13).  Key points of the policy are:

· The minimum necessary amount of PHI should be disclosed via email.

· Messages that leave the medical center network that contain PHI or other confidential information must be encrypted.  Messages sent within The Mount Sinai Medical Center are not required to be encrypted.

· Encryption will not prevent misdirection or unintended forwarding of a previous string of emails.  Extreme caution must be exercised to prevent such risks.

· Unless the email is encrypted the patient’s name should not be used; if it is necessary to identify the patient the Medical Record Number should be used instead.

· If a patient wishes to communicate with his/her provider via e-mail regarding his/her care, the provider must obtain the patient’s consent.  Refer to Consent for Communication via E-mail (Physician-Patient) (Form MR-240).

The entire policy H-13 and form MR-240 can be found on the intranet-

http://intranet1.mountsinai.org/hipaa/policies/H-13.pdf

http://intranet1.mountsinai.org/MedicalRecords/pane.confidentiality/MR.pdf.240.pdf

Secure Messaging/Encryption

If you have to send PHI or other confidential information to an external recipient, you must use the email encryption option.  To activate the email encryption option, include the word [secure] within square brackets in the subject line of the message.  The recipient will be asked to self enroll when the message is opened.  The secure send mechanism can be used from any mail client (Outlook, Outlook Web Access, Blackberry.)

For certain destinations provisions have been made to ensure that all messages are encrypted using a mechanism called TLS.  For example, messages sent to Astra Zeneca and McKesson have been configured to auto encrypt so it is not necessary to manually activate encryption.

Beginning October 2009 the email system will automatically flag messages to external parties that contain confidential information but was not encrypted.

SPAM and Inappropriate Use

The use of Mount Sinai systems, including email, is intended for official business use.  Inappropriate use may result in the loss of access privilege and disciplinary actions.  Unsolicited mass emailing of material not related to medical center business is considered SPAM and may result in the loss of access privileges.  The entire policy HR 13.5 can be found on the intranet-

http://www.mountsinai.org/Education/School%20of%20Medicine/Computing%20Services/Network%20Access

 

Email Security and Phishing

Please remember to take care when opening attachments or following links contained in email messages.  Verify with the sender of the message if you receive an unexpected attachment or it contains suspicious links.  Be especially cautious of emails that have been quarantined by ProofPoint.  This product is very reliable in identifying SPAM. Unless a quarantined message is correspondence that you are expecting – do not release the email.

Please also take care with any messages that ask you to provide private information (Birthdays, Social Security Number, Credit Card numbers, User account passwords, etc.)  These messages may actually be a phishing attempt from a person pretending to be a legitimate company or organization.  If you have doubts please contact the party requesting the information for confirmation.  Users should not rely on the contact information contained in the email, but use the contact information typically found at the company website or on the back of the Bank or Credit card.

 

 

If you have any questions regarding any of the topics covered in this memo, please contact Kenny Chu – kenny.chu@mountsinai.org.

Written by phil

September 10th, 2009 at 5:21 pm

Posted in Admin

Leave a Reply