SHS Annual Information Security Training

Transcription

1 SHS Annual Information Security Training

2 Information Security: What is It? The mission of the SHS Information Security Program is to Protect Valuable SHS Resources Information Security is Everyone s Responsibility

3 What Valuable Resources are We Protecting? Protected Health Information (PHI) Other Sensitive Information, including: Social Security Numbers Personnel Data: includes Names, Addresses, Dates of birth, etc. Credit Card Numbers Financial Data Hardware, Software, and Equipment (computers & laptops) SHS Reputation in the Community SHS Legal Position Employees

4 Why You Need to Know about Information Security Without Information Security, SHS cannot protect PHI, other sensitive information, and other valuable SHS resources The Health Insurance Portability and Accountability Act (HIPAA) requires SHS to provide for the physical and electronic security of PHI Our customers are counting on us to protect their privacy

5 What are the Greatest Threats to these Valuable Resources? Loss and Theft of Sensitive Information Phishing Scams that Compromise Sensitive Information Poor Password Practices that Lead to Unauthorized Access Computer Malware, Including Viruses Improper Disposal of Sensitive Information

6 The Three Categories of Security Controls: Physical Controls Physical Controls: designed to deny unauthorized access to facilities, equipment and resources, and to protect personnel and property from damage or harm. These include: Badge Security Motion Detectors and Alarms Security Cameras Security Lighting Fire Detection and Suppression Emergency Power

7 The Three Categories of Security Controls: Administrative Controls Administrative Controls: In general what people do to protect valuable resources, including: Following policies, procedures, and work instructions Participating in education, training and awareness

8 The Three Categories of Security Controls: Technical Controls Technical Controls: Safeguards or countermeasures for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system. These include: Computer Access Control Authentication mechanisms, including unique user names and complex passwords Outbound Encryption Computer Whole Disk Encryption Malware Protection Inbound Spam and Phishing Filters Auditing and Monitoring of User Access

9 How to Prevent Loss or Theft Secure mobile devices (laptops, tablets, smart phones, and USB drives) at all times Do not leave mobile devices unattended in your car Do not store sensitive information on your mobile device unless it is part of an approved business process Enforce visitor policies

10 Proper Disposal of Sensitive Information Dispose of all printed material in Recycling bins Destroy CD and DVDs that contain sensitive information before disposing of them

11 Protecting Against Phishing Attacks Never reveal your SHS network password to anyone SHS will never contact you and ask you for your password Phishing Attacks Can be by or Phone s often contain: A link that takes you outside the SHS network make sure you know where you are being asked to go! Requests your user name, password, or credit card False communications from web sites, auction sites, banks, online payment processors or IT administrators Phishing Attacks often contain threats or promises Verify the source of the request Call the Service Desk Ask your Manager

12 Choosing and Protecting Your Passwords Never Share Your SHS Network password with anyone else Longer passwords are generally more secure Do not reuse your SHS password on any other site Do not write your password down and store it in an unsecured place, especially on your desk or next to your computer

13 Protecting against Malware Malware gets introduced to the SHS network most frequently by employees: Visiting a website that has malware on it Downloading a file from a website Opening an attachment that contains malware Visit only trusted websites Do not open attachments from unexpected or untrusted sources Maintain anti-virus protection on your home computer and your mobile devices

14 Outbound s and Faxes containing PHI ALWAYS use the encrypt message button or type send secure into the subject line when sending PHI or other sensitive information to a non-shs (not samhealth.org) address. ALWAYS use a coversheet when faxing PHI or other sensitive information anywhere. ALWAYS double check addresses or fax numbers BEFORE you hit the SEND button.

15 Social Media Many of us use social media Facebook, Twitter, LinkedIn, etc. as a means of staying in touch with family, friends, and professional contacts. SHS uses social media in its Marketing and Foundation campaigns. These are fantastic communication tools! HOWEVER, A WORD OF CAUTION: Patient information even disguised patient information has no place on your personal or professional social media account or page. This includes photos of the worksite, which may include patients, documents, or employee sensitive information in the background.

16 Social Media, cont. You may think that no one will recognize the difficult patient you dealt with last evening by your clever description, but in our small communities identifying an unnamed patient can be a very simple matter. You may be held personally responsible for that disclosure intentional or not up to and including SHS corrective action and possible personal liability. If you notice that a co-worker has posted PHI or other sensitive information on their site, you should report that immediately.

17 If You See Something, Say Something Report anything suspicious or out of the ordinary Rapid response minimizes the damage done as the result of an information security incident Report lost or stolen devices or equipment to the IS Service Desk immediately at: (541)

18 In Conclusion Protect Valuable SHS Assets Identify and Understand Threats to Security Secure you Mobile Devices Employ Physical, Administrative, and Technical Security Controls Protect Yourself from Phishing Attacks Safeguard Your Passwords Report Anything Suspicious