Must score 89% or above. If you score below 89%, we will be contacting you to go over the material individually.

Transcription

1 April 23, 2014

2 Must score 89% or above. If you score below 89%, we will be contacting you to go over the material individually.

3 What is it? Electronic Protected Health Information There are 18 specific types of identifiers covered as part of electronic protected health information, including patient names, addresses (if more specific than the state of residence), dates related to the individual, phone/fax numbers, Social Security numbers, addresses, fingerprints or photographic images, claim numbers, health plan numbers, license numbers, web or IP addresses, device serial numbers, etc. Rule of thumb is: personally identifiable information (PII) that is created, or received by a health care provider, health plan or health care clearing house and relates to past, present, or future physical or mental health conditions of an individual; the provision of health care to the individual; or past, present, or future payment for health care to an individual. For Ohio workers compensation, the guidelines are a bit different and are outlined as part of the BWC s Sensitive Data Policy, available in the MCO Resources folder for all MCO employees. See the grid (3.2) for details.

4 Criminals will attempt to pose as an individual who should have access (such as a coworker, patient, or vendor) in order to extract information or gain access to systems or facilities. This becomes more of a consideration post-merger, as employees won t know everyone in the organization. Examples: Someone embroiders OBM on a polo, gets entry to the office, and takes printed jobs from the copier that include SSNs for use in ID theft. You get a call from IT stating that you need to visit a website to install a program update, but this program actually captures everything that you type, including passwords, and relays them to the criminals. A relative calls in and requests information about the treatment of an injured worker. You should verify any requests for information or access through channels known prior to the request. For instance, call a member of IT at their internal extension and ask them to verify the copier service call, software installation, etc. Calling a number provided by the person requesting the information is not sufficient.

5 Information should only be discussed or disseminated on a need-to-know basis. Under no circumstances should you share details about a specific individual s case or treatment with other employees unless it is necessary to perform the services we provide. Be particularly careful with social media. Could photos taken in the workplace contain information about an injured worker, for instance? Don t be an idiot.

6 Basic security practices AntiVirus/AntiSpyware active subscription Firewall OS default or purchased Automatic Updates (Windows, Adobe, Java, etc.) Do not save any passwords related to company network access (VPN or Remote Desktop) Exercise caution when online. Do not attempt to install any unfamiliar programs. Home wireless networks must use a passphrase with WPA/WPA2 encryption.

7 Can you send encrypted s from a smart phone? This is now possible using subject tags. Force Encryption equivalent: *Confidential: Claim Number xxx Bypass Encryption equivalent: *Nonsensitive: Educational Presentation on TBI Please note that texting is not considered a secure method of transmission. You should never text sensitive data/ephi.

8 Ultimately, it is your responsibility to protect company information that may be retrieved via and stored on a mobile device. We currently require a lock screen with password for remote access. This is good practice in general. Any lost or stolen device should be immediately reported to IT. Outside of normal business hours, call (216) This same procedure applies to any equipment used to access company computing resources or facilities, including key fobs/access cards/badges, laptops, etc.

9 DO NOT under any circumstances send an unencrypted e- mail containing ephi to any external address. This includes your own personal accounts with Yahoo!, Gmail, etc. Avoid the use of these public messaging systems (webmail, Facebook, WhatsApp, etc.) for any work-related correspondence. Do not use public terminals to access company systems. Do not use your work address to sign up for social media accounts or other offers unrelated to the workplace. Post-merger, this will include LinkedIn. Double or triple check the recipients before sending an e- mail or fax, especially if you added them through autocomplete. There may be similarly named people in your recent contacts of which you may not be aware.

10 A common technique for gaining access to accounts is phishing. Example: You may receive an claiming to be your bank with a link to verify a transaction, but the link goes to chase.co (or chase.com.ru) instead of chase.com. Spear phishing may include personal information gleaned from public sales-related mailing lists or hand-compiled.

11

12

13 These threats can come in as seemingly harmless documents such as PDFs and may actually come from known sources. You should always verify unexpected attachments through other means, such as by phone, before opening.

14

15

16

17 Can arrive through attachments or from suspicious websites. Runs under your own account, meaning that it doesn t need administrator rights to install and has access to all of the same files and folders that you do. A new approach in the last year is to encrypt all documents found on the local machine, shared drives, and even other network locations it can discover and encrypt them with a key known only to the criminals. Users are given a short window (2 to 3 days) to pay a ransom of about $300 to $1000 to get the key to decrypt these files before the attackers delete the key and the documents are lost for good. Backups are useful only if the files on the backups are prior to the infection; otherwise, they will also be encrypted.

18 You are responsible for authorizing access to files and folders and for requesting changes to an employee s current role assignment based on changing job duties. The employee is not allowed to request access for themselves. Must be logged by the supervisor in the help desk as an Access Auth/Deauth request. On termination, you are responsible for reviewing the terminated employee s to determine if any items need to be addressed or saved. Should be completed within two weeks of termination. The entire database can be archived if required on encrypted media at the supervisor s request if absolutely necessary. Our new archiving solution makes this less necessary.

19 Access to the building is to be limited to contractors, vendors and visitors to whom the company knows or can vet. Each guest will be required to sign in and fill out a form. Your door code is unique to you and should never be shared with any other person, employee or not, under any circumstance. Building keys and fobs should not be loaned to anyone, and any lost or stolen keys must be reported immediately to the Privacy Officer. Any unknown guests must be left in the hallway until their name and purpose for their visit has been verified and they are cleared to enter. All doors must remain locked at all times. Do not temporarily leave a door unlocked, even if you intend to return in just a moment.

20 What is a security incident? Evidence of virus, trojan, worm, malware, or other malicious code activity, either through explicit alerts from protection software or through suspicious or unusual system behavior Denial of service attacks or other intrusion alerts, often reported by protection software Any realized or attempted unauthorized access to systems, files, and data Hardware or data theft Illegal activity or ethics violations Intentional sabotage to computer systems, websites, or other data Data misuse or unauthorized disclosure Infliction of physical damage on computing equipment Disruption of service When a breach of Protected Health Information (PHI) is discovered or is thought to have happened

21 What does the employee need to do? Tell your immediate supervisor, the Privacy Officer (Megan), and the Security Officer (Ted) immediately. What does the supervisor need to do? Communicate with Ted regarding the existence of the potential security risk Contact Megan in the event of suspected illegal activity What does IT do? They will perform an initial assessment and log it in the Help Desk application as a Security Risk Senior management will be copied if business operations are affected Will perform mitigation and remediation steps, logging the outcome in the Help Desk

22 What are our notification requirements? Based on several assessment factors The nature and extent of PHI involved The unauthorized person that received the information Whether or not the data was actually viewed or if the opportunity merely existed The extent to which the risk was mitigated If the assessment doesn t indicate a low risk of compromised data, the following must be done under HIPAA: Individual notification Media notification Notification to the Secretary of breaches of unsecured PHI (HHS) within different timeframes based on the number of individuals involved (>= or < 500) HB 104 in Ohio also has reporting requirements based on the expectation that a real or suspected breach may cause identify theft or fraud for specific data types name and federal (SSN/Tax ID/EIN) state (Driver s License or other state ID) or financial account numbers

23 You can access the quiz by going to the following address in your web browser: security-refresher