The University of Illinois at Chicago. Health Science Colleges

Transcription

1 POLICY NUMBER: 12 INFORMATION SYSTEMS SECURITY POLICY NAME: SECURITY AWARENESS AND TRAINING Responsible Office HSC IT Group Effective Date 10/31/2011 Responsible Official William Chamberlin Last Revision 10/31/2011 Policy Sections 12.0 Purpose Policy Delegation Policy Security Reminders Security Training Program Protection from Malicious Software Procedures Required by or Referencing this Policy Forms Required by or Referencing this Policy Guidelines Required by or Referencing this Policy Standards Required by or Referencing this Policy Violations Policy Authority Responsibility for Process and Procedure Compliance Monitor Special Situations and Exceptions Contacts Revision History Purpose The have adopted this policy to provide a framework for security awareness and training within the. POLICY NUMBER: 12 Security Awareness and Training Policy Version 3.0 Page 1 of 7

2 This Policy is a statement of the minimum requirements, responsibilities, and accepted behaviors required to establish and maintain a secure technology environment within the Health Sciences Colleges, as well as to achieve the stated security objectives. This information security Policy emphasizes the Health Sciences Colleges commitment to strong information security; any individuals who use the information technology resources of the Health Sciences Colleges or the University resources that they depend upon are required to adhere to this Policy. The University s Combined Covered Entity 1, including the Health Sciences Colleges, is committed to securing and protecting High Risk data 2 including electronic Protected Health Information (ephi), 3 in accordance with widely accepted information systems security best practices and standards including those established by the International Organization for Standardization and the International Electrotechnical Commission (IEC); the ISO/IEC series of Information Systems Security standards; the National Institute of Standards and Technology (NIST) Information Security Standards and Guides; and the Standards for Security and Privacy of individually identifiable health information established by the Department of Health and Human Services under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) subject to later modification by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 as part of the American Recovery and Reinvestment Act (ARRA) of , 2, 3 See Covered Entity, High Risk data, and electronic Protected Health Information (ephi) definitions in HSC Policy Definitions POLICY NUMBER: 12 Security Awareness and Training Policy Version 3.0 Page 2 of 7

3 12.1 Policy Delegation An individual Health Science College may delegate the duties herein to departments or other units within the individual Health Science College, or to other campus units or external vendors. If a duty is delegated, then a Service Agreement defining what is delegated, to whom it is delegated, and the duties still required of the individual Health Science College will be identified Policy Security Reminders The must establish procedures on how their departments and users will be notified of periodic updates of security changes in High Risk data security policies and procedures and the Health Colleges general security policies Security Training Program The will ensure that its employees and users have been given the appropriate level of High Risk data security training so that all those who access, receive, transmit, or otherwise use High Risk data are familiar with the Information Systems Security Program and the employee and/or staff responsibilities regarding that Program. Training will include but is not limited to the following: a. HIPAA Security Policies (where appropriate; pdf). b. HIPAA Business Associate Policy (where appropriate; prov.html). c. HIPAA Sanction Policy (where appropriate). d. University Policies including Information Systems Security Policies. e. Relevant State and Federal Regulations. POLICY NUMBER: 12 Security Awareness and Training Policy Version 3.0 Page 3 of 7

4 f. Confidentiality, integrity, and availability. g. Individual security responsibilities. h. Common or well known security threats and vulnerabilities. i. Password structure and management procedures. j. Server, desktop computer, and mobile computer system security procedures, including security patch and update procedures and virus and malicious code procedures. k. Device and media control procedures. l. Incident response and reporting procedures Protection from Malicious Software a. The will develop and implement procedures to detect and guard against malicious software ( malware ) compromising vulnerable systems, and to ensure that malware identification definitions or signatures are kept current when they are used. b. The will notify its workforce of significant new and potential threats from malware, denial of service attacks, or any other computer program or code designed to interfere with the availability, integrity, or confidentiality of a Health Science College information system Policies or Procedures Required by or Referencing this Policy This: a b References: HIPAA Security Policies, 6.pdf HIPAA Business Associate Policy, POLICY NUMBER: 12 Security Awareness and Training Policy Version 3.0 Page 4 of 7

5 actprov.html c HIPAA Sanction Policy 12.4 Forms Required by or Referencing this Policy None 12.5 Guidelines Required by or Referencing this Policy None 12.6 Standards Required by or Referencing this Policy None 12.7 Violations Any individual found to have violated this policy may be subject to disciplinary action up to and including termination of employment, regardless of tenure status Procedure Authority Information Technology Group 12.9 Responsibility for Process and Procedure The Health Science College Information Security Officer, delegated for implementation to the organizational unit wherever possible Compliance Monitor The Health Science College Information Security Officer POLICY NUMBER: 12 Security Awareness and Training Policy Version 3.0 Page 5 of 7

6 12.11 Special Situations/Exceptions Any exceptions to this policy must be approved by the College Security Officer or delegate Contacts Subject Contact Phone Applied Health Sciences Mike Kirda Dr. Annette Valenta Dentistry Jay Dean Medicine Andre Pavkovic Interpretation of Policy Nursing Ursula Brozek Bala Ramaraju Pharmacy Philip J. Reiter Public Health Faith Davis Dr. Sylvia Furner La Don Reed Revision History 12/10/2007 Initial draft composed by College of Medicine: Ian Huggins, Robert McAuley, Andre Pavkovic 3/25/2009 Reviewed and Approved by HSC IT Group POLICY NUMBER: 12 Security Awareness and Training Policy Version 3.0 Page 6 of 7

7 College of Medicine: Robert McAuley, Andre Pavkovic, Ian Huggins. College of Applied Health Sciences: Mike Kirda, Dr. Annette Valenta. College of Dentistry: Jay Dean. College of Nursing: Bala Ramaraju. College of Pharmacy: Philip Reiter. School of Public Health: La Don Reed (with input by Academic Computing and Communications Center and University of Illinois Medical Center) 3/03/2010 Updated 1.12 Contacts, completed first annual review of HSC Policies 7/07/ /2010 through 6/2011 HSC IT Group Review of Policies - Edited by Judith Grobe Sachs; Group s following consensus revisions summarized by Ian Huggins 7/21/2011 Updated language by Mike Kirda, Judith Grobe Sachs, Ian Huggins, and Doug McCarthy 8/19/2011 Updated language, added numbering and automatic table of contents, added cross-references by Doug McCarthy. 10/31/2011 HSC IT Group approval of 10/2010 through 8/2011 Policy revisions, this completes the second annual review of the Policies. POLICY NUMBER: 12 Security Awareness and Training Policy Version 3.0 Page 7 of 7