personal accountability for data stewardship 2015 1 st year medical students noella rawlingsbrad...
DESCRIPTION
YOUR ROLE: Every individual is personally and professionally responsible for the security and integrity of confidential information, electronic or paper, entrusted to you. UW Medicine Professionalism Policy: Demonstrated excellence, integrity, respect, compassion, accountability and a commitment to altruism in all our work interactions and responsibilities. policies/Pages/Professional-Conduct.aspx policies/Pages/Professional-Conduct.aspx What is Data Stewardship? 3TRANSCRIPT
Personal Accountability for Data Stewardship
2015
1st Year Medical StudentsNoella Rawlings Brad Peda
Director of Compliance Information Security Program AnalystSchool of Medicine UW Medicine IT Services
1
• Defining data stewardship and your responsibilities
• Safeguarding confidential information
• DO’s and DON’Ts • Current security threats• Tools and resources
Agenda
2
• YOUR ROLE: Every individual is personally and professionally responsible for the security and integrity of confidential information, electronic or paper, entrusted to you.
• UW Medicine Professionalism Policy: Demonstrated excellence, integrity, respect, compassion, accountability and a commitment to altruism in all our work interactions and responsibilities. http://uwmedicine.washington.edu/Global/policies/Pages/Professional-Conduct.aspx
What is Data Stewardship?
3
Confidential Information – protection of data required by law and includes:
• Protected health information (PHI) – protected by HIPAA
• Individual student records – protected by FERPA• Personally identifiable information (PII) – financial
information (e.g., credit card, bank), social security number and driver’s license number – protected by Washington’s breach notification law
• Other personal information - public employee’s home addresses, personal contact information, performance evaluations – protected by the Washington Public Records Law
• Proprietary intellectual property or trade secrets, research data – protected by the Washington Public Records Law
Confidential Information
4
• “Breach” is the unauthorized acquisition, access, use or disclosure of unsecured PHI and compromises the security or privacy of the PHI
• Breaches of unsecured PHI require notification to the Office of Civil Rights (OCR) and affected individuals. May also require notice to the media and posting on the UW Medicine website
• A breach is presumed and covered entity has burden of showing a breach has not occurred
• There are two ways to secure PHI• Encryption• Destruction• Renders PHI unusable, unreadable or indecipherable
What is a Breach?
5
Possible consequences of a loss of confidential information that has not been secured
• Personal and professional – time spent on an investigation; name known to UW Medicine Leadership; impact to reputation and relationship with patients; imposition of disciplinary action and civil/criminal penalties
• Institutional – report to the Office of Civil Rights (OCR) for HIPAA breaches; notification to patients; imposition of fines and sanctions; financial costs of investigation and remediation, e.g., providing credit monitoring; impact to UW Medicine reputation
Why Is This Important to Me?
6
• May 2014 - $4.8M against New York-Presbyterian Hospital and Columbia University due to physician causing PHI to be accessible on Google
• April 2014 – $1.73M against Concentra Health Services for a stolen unencrypted laptop
• June 2012 - $1.7M against Alaska Department of Health and Human Services for unencrypted USB drive stolen from employee’s car
HIPAA Fines
7
• Unencrypted laptop and external hard drive stolen from locked, parked car
• Briefcase containing (paper) PHI stolen from locked, parked car
• Backpack containing (paper) PHI stolen from locked, parked car
• Unencrypted laptop containing PHI and PII stolen from office in Health Sciences Building
Recent Examples of Loss
8
If you use a mobile deviceto store or transmit PHI
or PII, your mobile device MUST be encrypted!
Rule Number One
9
NEVER leave confidential data
in your car!
Rule Number Two
10
• Avoid taking confidential data off-site or downloading to portable or mobile devices
• If taking confidential data with you, you MUST obtain supervisor or department head approval
• Password protect AND encrypt all devices
• Only use UW approved cloud services• Ensure the physical security of
information - lock up confidential data (locking file drawer, safe, or other locked device)
• Prepare for the worst - protect yourself against theft - nobody thinks they will be a victim!
Other Basic Do’s and Don’ts
11
CURRENT SECURITY THREATS
12
• Phishing is a very common way accounts are stolen
• Don’t click links in email and if you do, don’t enter your credentials
• UW/UW Medicine will never ask for account information via email
• UW Medicine periodically sends phishing messages to our workforce to help raise awareness – includes training
• YOU WILL RECEIVE PHISHING MESSAGES – be very wary and very cautious!
PHISHING
13
• Cryptolocker/Locker: Very destructive malware threat – encrypts your data and tries to sell it back to you
• Malware infection is obtained via e-mail attachments or by visiting/downloading a file (such as an MP3 file) from a website
• Sophos Anti-virus sometimes detects the malware (malware name used is Troj/Ransom-ACP)
DON’T FALL FOR THIS SCHEME!
MALWARE
14
NEVER click on links and NEVER open attachments from unknown or
unexpected sources
Rule Number Three
15
• NEVER open an attachment from an unknown source• If the context of the message doesn’t make sense, delete
the message or call the sender to verify the email• Always be wary of messages that ask you to update your
password or confirm you account – UW IT support groups will never ask you to do this via a link in an e-mail
• Report any warning messages from antivirus or other software immediately. DO NOT CLICK ON THE LINK!
• Minimize the confidential information you store• Encrypt the data and the device• Keep your operating system and software up to date (Stay
patched)• Empty your E-mail “Trash bin” (Deleted Items) regularly or
set it to empty automatically when you exit the program • Contact your Department IT support staff for assistance
with any device you use for work
What Can You Do?
16
• If you get infected, or think you may be infected, contact UW Medicine IT Security IMMEDIATELY!
• Report information security incidents when they occur. Contact IT Services Help Desk at [email protected]. If it is urgent, call 206-543-7012
• Report the loss or theft of PHI to UW Medicine Compliance at 206-543-3098 or [email protected] immediately
• Immediately notify the Director of Compliance for the School of Medicine at [email protected] or 206-685-0173
Incident Reporting
17
TOOLS AND RESOURCES
18
Tools to Assist You in Safeguarding Data
• Encryption https://security.uwmedicine.org/training/dept_materials/default.asp
• Complex passwords http://security.uwmedicine.org/guidance/role_based/end_user/default.asp
• Physical data security - lock offices, files and computers
• Education and training materials https://security.uwmedicine.org/Training/Sec_Aware/default.asp
• Privacy, Confidentiality and Information Security Agreement (PCISA)
http://depts.washington.edu/comply/docs/PP_04_A.pdf https://security.uwmedicine.org/training/data_stewardship/PCISA_discuss_tool.pdf
• Following policies restricting removal of data from worksites 19
UW Medicine Compliance Policies• http://depts.washington.edu/comply/privacy.shtml• http://depts.washington.edu/comply/docs/PP_30.pdf
UW Medicine IT Security Policies• http://security.uwmedicine.org/guidance/policy/defau
lt.asp
UW Medicine Polices
20
Smartphone/Tablet SecurityIf you use a smartphone or tablet (UW owned or your personal device) to conduct UW business, such as accessing your UW e-mail, we recommend:
• Auto lock device and use a strong password
• Enable encryption on the device• Set an automatic lockout timer on the
device• Activate Tamper Wipe: i.e. phone is wiped
clean after 10 pass code or PIN attempts (all data is deleted)
• Activate “find my phone” function• Don’t use cloud back up services, such as
iCloud or Google Drive, unless it is an approved cloud by UW Medicine IT Security for PHI or FERPA data
• Don’t store data on the SIM card
21
Encryption ResourcesWhere to get information and help with encryption:
• Encryption guidelines mobile devices: • https://security.uwmedicine.org/training/dept_materials/default.
asp• https://security.uwmedicine.org/guidance/technical/encryption/d
efault.asp
• Whole disk encryption guidelines:• http://ciso.washington.edu/site/files/Whole_Disk_Encryption_Gui
deline.pdf• http://security.uwmedicine.org/guidance/technical/encryption/M
obileDevice_Encryption/other_windows_linux_guidance.asp
• IT Services Help Desk: [email protected]
• DOM IT Help Desk: [email protected]
One Drive for Business (formerly UW SkyDrive Pro)• requires UW NetID • https://
depts.washington.edu/uwsom/information-technology/skydrivepro
• http://www.washington.edu/itconnect/wares/online-storage/onedrive/
Cloud Resources
23
Educational Tools• UW Medicine IT Security Phishing
Awareness Announcement: https://security.uwmedicine.org/Home/Communications/Phishing_Awareness_Email_041212/default.asp
• Office of the Chief Information Security Officer phishing video: http://ciso.washington.edu/site/files/Phishing/story.html
Phishing Resources
24
Other Resources
Office of the Chief Information Security Officer
• http://ciso.washington.edu/resources/online-training/
• http://ciso.washington.edu/resources/smart-computing/
• http://ciso.washington.edu/
UW Medicine IT Security• https://security.uwmedicine.org
25
• UW Medicine IT Services Help Desk: [email protected]
• UW Medicine ITS Security Team: [email protected]
• UW Medicine Compliance: [email protected] 206-543-3098
• Noella Rawlings, UW School of Medicine, Director of Compliance: [email protected]
206-685-0173
Contact Information
26
Questions ?
27