physician office presentation
DESCRIPTION
Training slide show for staff awareness
TRANSCRIPT
A guide to keeping your healthcare data safe and secure
Securing Data at a Physician’s Practice
Agenda
1. Common terms
2. Why we need to secure data in Healthcare
3. Security Awareness Program
4. Password discussion
5. Keep your data safe – data protection 101
6. More recommendations – data protection 102
Where to start
• Password: a string of characters used to authenticate yourself (usually) to a computer.
  - Used for authentication (the user name is used for identification).
  - A PIN can also be used (after a password has been entered).
• Encryption: a way to transform plain text into unreadable material.
  - The purpose is to hide the plain text from non-authorized agents/readers.
  - A key is needed to encrypt and decrypt the message.
• HIE / Remote Access / Patient Portal: the main ways SJH makes our data available to offices and physicians.
  - Health Information Exchange – the recommended way to connect to our database
  - Netilla
  - Patient Portal
• ePHI: Electronic Protected Health Information – any PHI created, stored or transmitted electronically.
• Phishing: a method for hackers to gather information about you.
  - email containing links
  - websites containing links
• Social Engineering: manipulation of people to get information from them or to get them to perform certain actions.
  - Many ways
You will recognize these terms when they come across your desk
Common terms
Data should be classified: secret, confidential, private and public. Depending on the classification, it may need to be encrypted …
Data at rest – where the data is stored:
- In a file closet
- In the main file server
- On the computer desktop
- In the computer memory
- Etc…
Data in motion – where the data is being moved:
- From one closet to another
- From one computer to another
- From the file closet to the consult room
- Etc…
Data
A little of everything
So many reasons, so little time … If you haven’t, act now!
Why we need to secure data in Healthcare
Healthcare data is extremely valuable. But it is vulnerable: it is just sitting there. It cannot defend itself, so you have to protect it.
- Physical risks
- Software risks
- Latest trend – blackmail
Your patient data is under attack
HIPAA – Health Insurance Portability and Accountability Act.
HITECH – Health Information Technology for Economic and Clinical Health, part of ARRA of 2009 (American Recovery and Reinvestment Act). Also called “HIPAA with teeth” because it implements enforcement.
Government regulation
Loss of business – financial consequences
- Data is extremely important to medicine – charts, computer records, …
- Medical identity theft
- You may have to close the office during an investigation
- Loss of income for employees if the office is closed
Reputation
- You could lose the trust of the patients
- You could lose the trust of the physicians
- Reputation of the office is key
Physical safety is important
Take care of your equipment!
• Fire
• Floods
• Equipment failure
• Theft
• …
Physical risks
Again, there are so many risks
• Hacking
• Phishing
• Viruses and malware
• Blackmail
• Misconfiguration
• …
Other technical risks
More risks!
Where to start
Why not with the weakest link?
Weakest link, you said?
In Information Security, employees are the weakest link. Why?
People want to trust each other
This is a characteristic that we all have. We want to trust others. This is where “Social Engineering” comes in.
Social Engineering – many definitions (from Google):
- “art of manipulating people into performing actions or divulging confidential information.”
- “act of manipulating a person to accomplish goals that may or may not be in the target’s best interest.”
This translates into deception either over the phone, in person, via a computer or any other way. It includes obtaining information, gaining access or getting the target to take certain actions.
Necessary steps
- Background checks
- Good policies and procedures
- Information Security Awareness Program
- Doctors must lead by example
- Passwords – complex and changed regularly (every 3 months)
- Access codes should be changed when an employee leaves (recover keys, …)
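One way to carry out the “access codes should be changed when an employee leaves” step above, and the yearly review of access and privileges that comes later under Data Protection 101, as an added Python example that is not part of the original slides. It reconciles the accounts on the practice system against the current staff roster and flags departed owners, shared logins, roles beyond what the job needs, and unused accounts. The roster, account export, role-to-job mapping and dates are all constructed sample data and assumptions for illustration.

```python
# Added example (not from the original slides): an annual access review that
# reconciles the accounts on the practice system against the current staff
# roster. Everything below (names, jobs, roles, dates) is constructed sample data.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    username: str
    owner: str            # the one person who uses it; "" marks a shared login
    roles: frozenset      # roles granted on the system
    last_login: date
    enabled: bool


# Constructed roster of current staff and their job (departed staff are absent).
ROSTER = {"dr.lee": "physician", "m.garcia": "front-desk", "j.patel": "billing"}

# Assumed roles each job actually needs; anything beyond this is a least-privilege finding.
ROLES_FOR_JOB = {"physician": {"clinical"}, "front-desk": {"scheduling"}, "billing": {"billing"}}

# Constructed account export from the practice system.
ACCOUNTS = [
    Account("dr.lee",     "dr.lee",     frozenset({"clinical"}),            date(2024, 5, 2), True),
    Account("m.garcia",   "m.garcia",   frozenset({"scheduling", "admin"}), date(2024, 5, 3), True),
    Account("j.patel",    "j.patel",    frozenset({"billing"}),             date(2024, 5, 1), True),
    Account("t.nguyen",   "t.nguyen",   frozenset({"billing"}),             date(2024, 1, 9), True),   # left in February, never disabled
    Account("frontdesk",  "",           frozenset({"scheduling"}),          date(2024, 5, 3), True),   # shared login
    Account("vendor",     "vendor",     frozenset({"admin"}),               date(2023, 8, 1), True),   # installer's account
    Account("old.intern", "old.intern", frozenset({"scheduling"}),          date(2023, 6, 1), False),  # already disabled
]

REVIEW_DATE = date(2024, 5, 10)   # constructed date of this review


def review_access(accounts, roster, roles_for_job, today, stale_days=90):
    """Return (username, finding) pairs for every enabled account that should
    not exist, should not be shared, holds more than its job needs, or is unused."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue                                   # nothing to review on disabled accounts
        if not a.owner:
            findings.append((a.username, "shared account: no individual accountability, replace with named accounts"))
            continue
        job = roster.get(a.owner)
        if job is None:
            findings.append((a.username, "owner is not on the staff roster: disable it and rotate any codes they knew"))
            continue
        extra = a.roles - roles_for_job[job]
        if extra:
            findings.append((a.username, f"roles beyond the {job} job: {sorted(extra)}"))
        if (today - a.last_login).days > stale_days:
            findings.append((a.username, f"no login for more than {stale_days} days: confirm it is still needed"))
    return findings


def run_review():
    """Run the review over the constructed data; keep the output with your audit records."""
    return review_access(ACCOUNTS, ROSTER, ROLES_FOR_JOB, REVIEW_DATE)


if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user:<10} {finding}")
```

Export the account list from the practice system and the roster from HR on the same day, and keep the printed findings with the date of the review: that is the evidence an auditor will ask for.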
Security Awareness Program
Teach any chance you get
Starts with the hiring process
It starts during the hiring process. You should have a section of your GEO dedicated to Information Security. Make everyone sign an agreement to keep their user ID and password confidential.
Teachable moments
Every chance you get, reinforce the training and the concepts. Look for those “moments”. Use what is readily available on the web – search for “information security awareness”. Be creative with passwords (more later).
Repeat every year
Repeat the program every year and document that you did. Test the employees. Keep it simple.
Passwords
Complexity can be bad!
We don’t like them, but that is all we have right now.
✓ Why we do not like them (they can be shared too easily …)
✓ Use these recommendations for home (personal accounts) too
✓ Do not reuse the same password for multiple apps
✓ Components, rules and examples of complex passwords
✓ Change your password regularly
✓ Complexity, while required, should be used with caution
✓ Password alternatives – tokens …
Security vs. usability
This is always a struggle!
1. Do not leave paper charts, USB keys, CDs etc. lying around the office.
2. Encrypt your data where its classification requires it. This means during transit, and when it is stored in a location you do not control (USB key, CD, cloud, …).
3. Do not use generic accounts (no accountability). A patient could ask to see a log of who had access to their data.
4. Know where your data is (map it) and classify it if you can (ePHI is classified as confidential by default). Consider data flows (data in transit).
5. Use complex passwords to authenticate to the computer system.
6. Review access and privileges regularly (including privileges carried over from a previous role …), at least once a year, and audit yourself.
7. Back up your data – you may need to restore it in the event of a disaster or even data corruption. Review your backup strategy (when, what, …). Test your backups – restore a randomly chosen file once a month.
Data Protection 101
Keep your data safe and secure
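The monthly “restore a randomly chosen file” check from the Data Protection 101 list, as an added Python example that is not part of the original slides. It picks one file from the backup set, restores it into a scratch directory (never over the live copy) and compares SHA-256 hashes with the live file, returning a record you can keep as evidence. The practice folders and chart files are constructed inside a temporary directory; the `run_sample` helper and its file names are assumptions for illustration, and in use you would point `restore_test` at the real source and backup locations.

```python
# Added example (not from the original slides): the monthly "restore a random
# file" backup check. Sample data is constructed inside a temporary folder.
import hashlib
import random
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def restore_test(source: Path, backup: Path, restore_dir: Path, rng=random) -> dict:
    """Restore one randomly chosen backup file into restore_dir and verify it
    against the live copy. Returns a record for the audit trail."""
    candidates = sorted(p for p in backup.rglob("*") if p.is_file())
    if not candidates:
        raise RuntimeError("backup set is empty: the backup job is not producing files")
    chosen = rng.choice(candidates)
    rel = chosen.relative_to(backup)
    restored = restore_dir / rel
    restored.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(chosen, restored)          # the actual restore step, away from live data
    live = source / rel
    match = live.is_file() and sha256_of(restored) == sha256_of(live)
    return {"file": str(rel), "sha256": sha256_of(restored), "match": match}


def run_sample(corrupt: bool = False) -> dict:
    """Build a constructed practice folder and its backup in a temp dir, optionally
    damage every backup file (a backup job that silently writes bad copies), and
    run the restore test against it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, backup, scratch = root / "live", root / "backup", root / "restore-test"
        sample_files = {                       # constructed sample data, not real charts
            "charts/P-1001.txt": b"constructed chart 1001\n",
            "charts/P-1002.txt": b"constructed chart 1002\n",
            "billing/2024-05.csv": b"constructed billing export\n",
        }
        for name, body in sample_files.items():
            (source / name).parent.mkdir(parents=True, exist_ok=True)
            (source / name).write_bytes(body)
        shutil.copytree(source, backup)
        if corrupt:
            for p in backup.rglob("*"):
                if p.is_file():
                    p.write_bytes(p.read_bytes()[:-1] + b"\x00")   # last byte garbled
        return restore_test(source, backup, scratch, random.Random(1))


if __name__ == "__main__":
    print(run_sample())               # a healthy backup: "match": True
    print(run_sample(corrupt=True))   # a bad backup job: "match": False
```

A `match` of `False` is the result you want to discover in a monthly test rather than after a disaster; record the file name, hash and date of every run, and fix the backup job before the next one.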
1. Use an Information Security professional, or at least an IT professional. They have the experience and should guarantee their work. Ask for references and healthcare experience.
2. Don’t forget that your data could be on hardware you are getting rid of … PC, server, copier, … If the data was encrypted (and the key did not leave with the device), you are OK; otherwise wipe or physically destroy the storage before disposal.
3. Think about BYOD – secure access, easily stolen, encryption is necessary …
4. Keep your servers patched to the latest level. Do not forget the patching of databases (SQL …). Do not forget to turn on the security features in your “certified software”. Do not trust the vendor to do this. You have to initiate!
5. Incorporate redundancy and fault tolerance in your designs (computers, servers, networks – wired and wireless) so that you always have safe and secure access to your data.
6. Do a DRP (disaster recovery plan) test yearly. Arrange with a local business that will let you use their facilities in the event of a disaster.
7. Remote access should be secured via encryption, passwords, two-factor authentication, …
Data Protection 102
More recommendations
1. Make sure your PCs auto-logoff or use password-protected screen savers.
2. Be aware of your environment!
3. Deactivate USB ports and CD writers to prevent unauthorized copying of ePHI – discuss DLP (data loss prevention) with a professional.
4. Save the logs of who is accessing which record.
5. Use computer privacy screen filters for computers placed in full view of the public.
6. If you want to communicate with patients, use a portal instead of email. Email is NOT secure.
7. Download the following PDF from the OCR site (an information security guide for small practices): http://healthit.hhs.gov/portal/server.pt?open=512&objID=1173&parentname=CommunityPage&parentid=34&mode=2&in_hi_userid=10732&cached=true
Data Protection 102 – continued
More recommendations
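The “save the logs of who is accessing which record” item above, together with the Data Protection 101 point that generic accounts destroy accountability and that a patient may ask to see who had access to their data, as an added Python example that is not part of the original slides. Every entry names one person, generic logins are refused at write time, and a per-patient report answers the patient’s request. The hash chain that makes an edited or deleted entry detectable is an addition of this example, not something the slides describe; the user names, patient IDs, the list of generic account names and the day of events are constructed.

```python
# Added example (not from the original slides): a per-record access log that
# names the person behind every chart access, refuses generic logins, and can
# answer "who looked at my record". Users, patient IDs and events are constructed.
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Assumed list of shared/generic logins on this practice's system; adjust to yours.
GENERIC_ACCOUNTS = {"frontdesk", "admin", "nurse", "shared", "reception"}


def _digest(entry: dict) -> str:
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


class AccessLog:
    def __init__(self):
        self.entries = []
        self._prev = "0" * 64          # hash of the previous entry; chains the log

    def record(self, user: str, patient_id: str, action: str,
               when: Optional[datetime] = None) -> dict:
        """Append one access event. Generic accounts are rejected so that every
        line can be attributed to a single person."""
        if not user or user.lower() in GENERIC_ACCOUNTS:
            raise ValueError(f"refusing generic account {user!r}: every entry must name one person")
        when = when or datetime.now(timezone.utc)
        entry = {"ts": when.isoformat(), "user": user, "patient": patient_id,
                 "action": action, "prev": self._prev}
        entry["hash"] = _digest(entry)      # covers everything but the hash itself
        self.entries.append(entry)
        self._prev = entry["hash"]
        return entry

    def report_for_patient(self, patient_id: str) -> list:
        """What to hand a patient who asks who accessed their record."""
        return [(e["ts"], e["user"], e["action"]) for e in self.entries if e["patient"] == patient_id]

    def verify_chain(self) -> bool:
        """False if any entry was altered or removed after it was written."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def sample_log() -> AccessLog:
    """One constructed day of activity at the practice."""
    log = AccessLog()
    t = datetime(2024, 5, 10, 8, 30, tzinfo=timezone.utc)
    log.record("m.garcia", "P-1001", "view", t)
    log.record("dr.lee", "P-1001", "update", t.replace(hour=9))
    log.record("dr.lee", "P-1002", "view", t.replace(hour=9, minute=45))
    log.record("j.patel", "P-1001", "export-to-billing", t.replace(hour=14))
    return log


if __name__ == "__main__":
    log = sample_log()
    for ts, user, action in log.report_for_patient("P-1001"):
        print(ts, user, action)
    print("log intact:", log.verify_chain())
```

Store the entries somewhere the people being logged cannot edit (a separate account and folder at minimum), and run `verify_chain` as part of the same yearly self-audit as the access review.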
Make Information Security part of what you do
Bake it into your processes
Information Security should always be considered in everything you do. It will help later (during audits), especially if you document your efforts.
Questions?
THANK YOU!