Personal Accountability for Data Stewardship (2015, 1st Year Medical Students)
Noella Rawlings, Director of Compliance, School of Medicine; Brad Peda, Information Security Program Analyst, UW Medicine IT Services

Uploaded by mervin-shelton; posted 06-Jan-2018

TRANSCRIPT

Page 1: Personal Accountability for Data Stewardship

2015, 1st Year Medical Students

Noella Rawlings, Director of Compliance, School of Medicine
Brad Peda, Information Security Program Analyst, UW Medicine IT Services

Page 2: Agenda

• Defining data stewardship and your responsibilities
• Safeguarding confidential information
• DO’s and DON’Ts
• Current security threats
• Tools and resources

Page 3: What is Data Stewardship?

• YOUR ROLE: Every individual is personally and professionally responsible for the security and integrity of confidential information, electronic or paper, entrusted to you.
• UW Medicine Professionalism Policy: Demonstrated excellence, integrity, respect, compassion, accountability and a commitment to altruism in all our work interactions and responsibilities. http://uwmedicine.washington.edu/Global/policies/Pages/Professional-Conduct.aspx

Page 4: Confidential Information

Confidential information is data whose protection is required by law, and includes:

• Protected health information (PHI) – protected by HIPAA
• Individual student records – protected by FERPA
• Personally identifiable information (PII) – financial information (e.g., credit card, bank), social security number and driver’s license number – protected by Washington’s breach notification law
• Other personal information – public employees’ home addresses, personal contact information, performance evaluations – protected by the Washington Public Records Law
• Proprietary intellectual property or trade secrets, research data – protected by the Washington Public Records Law

Page 5: What is a Breach?

• A “breach” is the unauthorized acquisition, access, use or disclosure of unsecured PHI that compromises the security or privacy of the PHI
• Breaches of unsecured PHI require notification to the Office of Civil Rights (OCR) and affected individuals. They may also require notice to the media and posting on the UW Medicine website
• A breach is presumed, and the covered entity has the burden of showing that a breach has not occurred
• There are two ways to secure PHI:
  • Encryption
  • Destruction
  Either renders PHI unusable, unreadable or indecipherable

Page 6: Why Is This Important to Me?

Possible consequences of a loss of confidential information that has not been secured:

• Personal and professional – time spent on an investigation; name known to UW Medicine Leadership; impact to reputation and relationship with patients; imposition of disciplinary action and civil/criminal penalties
• Institutional – report to the Office of Civil Rights (OCR) for HIPAA breaches; notification to patients; imposition of fines and sanctions; financial costs of investigation and remediation, e.g., providing credit monitoring; impact to UW Medicine reputation

Page 7: HIPAA Fines

• May 2014 – $4.8M against New York-Presbyterian Hospital and Columbia University due to a physician causing PHI to be accessible on Google
• April 2014 – $1.73M against Concentra Health Services for a stolen unencrypted laptop
• June 2012 – $1.7M against Alaska Department of Health and Human Services for an unencrypted USB drive stolen from an employee’s car

Page 8: Recent Examples of Loss

• Unencrypted laptop and external hard drive stolen from locked, parked car
• Briefcase containing (paper) PHI stolen from locked, parked car
• Backpack containing (paper) PHI stolen from locked, parked car
• Unencrypted laptop containing PHI and PII stolen from office in Health Sciences Building

Page 9: Rule Number One

If you use a mobile device to store or transmit PHI or PII, your mobile device MUST be encrypted!

Page 10: Rule Number Two

NEVER leave confidential data in your car!

Page 11: Other Basic Do’s and Don’ts

• Avoid taking confidential data off-site or downloading it to portable or mobile devices
• If taking confidential data with you, you MUST obtain supervisor or department head approval
• Password protect AND encrypt all devices
• Only use UW approved cloud services
• Ensure the physical security of information – lock up confidential data (locking file drawer, safe, or other locked device)
• Prepare for the worst – protect yourself against theft – nobody thinks they will be a victim!

Page 12: CURRENT SECURITY THREATS

Page 13: PHISHING

• Phishing is a very common way accounts are stolen
• Don’t click links in email, and if you do, don’t enter your credentials
• UW/UW Medicine will never ask for account information via email
• UW Medicine periodically sends phishing messages to our workforce to help raise awareness – includes training
• YOU WILL RECEIVE PHISHING MESSAGES – be very wary and very cautious!

Page 14: MALWARE

• Cryptolocker/Locker: Very destructive malware threat – encrypts your data and tries to sell it back to you
• Malware infection is obtained via e-mail attachments or by visiting a website and downloading a file (such as an MP3 file)
• Sophos Anti-virus sometimes detects the malware (malware name used is Troj/Ransom-ACP)

DON’T FALL FOR THIS SCHEME!

Page 15: Rule Number Three

NEVER click on links and NEVER open attachments from unknown or unexpected sources

Page 16: What Can You Do?

• NEVER open an attachment from an unknown source
• If the context of the message doesn’t make sense, delete the message or call the sender to verify the email
• Always be wary of messages that ask you to update your password or confirm your account – UW IT support groups will never ask you to do this via a link in an e-mail
• Report any warning messages from antivirus or other software immediately. DO NOT CLICK ON THE LINK!
• Minimize the confidential information you store
• Encrypt the data and the device
• Keep your operating system and software up to date (stay patched)
• Empty your e-mail “Trash bin” (Deleted Items) regularly or set it to empty automatically when you exit the program
• Contact your Department IT support staff for assistance with any device you use for work

Page 17: Incident Reporting

• If you get infected, or think you may be infected, contact UW Medicine IT Security IMMEDIATELY!
• Report information security incidents when they occur. Contact the IT Services Help Desk at [email protected]. If it is urgent, call 206-543-7012
• Report the loss or theft of PHI to UW Medicine Compliance at 206-543-3098 or [email protected] immediately
• Immediately notify the Director of Compliance for the School of Medicine at [email protected] or 206-685-0173

Page 18: TOOLS AND RESOURCES

Page 19: Tools to Assist You in Safeguarding Data

• Encryption: https://security.uwmedicine.org/training/dept_materials/default.asp
• Complex passwords: http://security.uwmedicine.org/guidance/role_based/end_user/default.asp
• Physical data security – lock offices, files and computers
• Education and training materials: https://security.uwmedicine.org/Training/Sec_Aware/default.asp
• Privacy, Confidentiality and Information Security Agreement (PCISA): http://depts.washington.edu/comply/docs/PP_04_A.pdf and https://security.uwmedicine.org/training/data_stewardship/PCISA_discuss_tool.pdf
• Following policies restricting removal of data from worksites

Page 20: UW Medicine Policies

UW Medicine Compliance Policies
• http://depts.washington.edu/comply/privacy.shtml
• http://depts.washington.edu/comply/docs/PP_30.pdf

UW Medicine IT Security Policies
• http://security.uwmedicine.org/guidance/policy/default.asp

Page 21: Smartphone/Tablet Security

If you use a smartphone or tablet (UW owned or your personal device) to conduct UW business, such as accessing your UW e-mail, we recommend:

• Auto lock the device and use a strong password
• Enable encryption on the device
• Set an automatic lockout timer on the device
• Activate Tamper Wipe: i.e. the phone is wiped clean after 10 pass code or PIN attempts (all data is deleted)
• Activate the “find my phone” function
• Don’t use cloud back up services, such as iCloud or Google Drive, unless it is a cloud approved by UW Medicine IT Security for PHI or FERPA data
• Don’t store data on the SIM card

Page 22: Encryption Resources

Where to get information and help with encryption:

• Encryption guidelines for mobile devices:
  • https://security.uwmedicine.org/training/dept_materials/default.asp
  • https://security.uwmedicine.org/guidance/technical/encryption/default.asp
• Whole disk encryption guidelines:
  • http://ciso.washington.edu/site/files/Whole_Disk_Encryption_Guideline.pdf
  • http://security.uwmedicine.org/guidance/technical/encryption/MobileDevice_Encryption/other_windows_linux_guidance.asp
• IT Services Help Desk: [email protected]
• DOM IT Help Desk: [email protected]

Page 24: Phishing Resources

Educational Tools
• UW Medicine IT Security Phishing Awareness Announcement: https://security.uwmedicine.org/Home/Communications/Phishing_Awareness_Email_041212/default.asp
• Office of the Chief Information Security Officer phishing video: http://ciso.washington.edu/site/files/Phishing/story.html

Page 25: Other Resources

Office of the Chief Information Security Officer
• http://ciso.washington.edu/resources/online-training/
• http://ciso.washington.edu/resources/smart-computing/
• http://ciso.washington.edu/

UW Medicine IT Security
• https://security.uwmedicine.org

Page 26: Contact Information

• UW Medicine IT Services Help Desk: [email protected]
• UW Medicine ITS Security Team: [email protected]
• UW Medicine Compliance: [email protected], 206-543-3098
• Noella Rawlings, UW School of Medicine, Director of Compliance: [email protected], 206-685-0173

Page 27: Questions?