BSHSI Security Awareness Training
Originally developed by the Greater New York Hospital Association. Edited by the BSHSI Education Team. Modified by HSO Security, 7/1/2008.

What is Security?
- A requirement under the Health Insurance Portability and Accountability Act (HIPAA) regulations (the HIPAA Security Rule went into effect 4/21/05).
- Webster's definition: measures taken to guard against espionage, sabotage, crime, attack or escape.
- Our goal today: discuss what you can do to make sure that sensitive data stays protected and is not sabotaged, attacked, or allowed to escape.

What is Sensitive Data?
Sensitive Data = Electronic Protected Health Information (EPHI), business sensitive data, staff sensitive data, or any other non-public data.

Protected Health Information is:
Health or medical information that could be identified or linked to a specific individual; information about a patient's:
- Identity
- Medical condition
- Treatment
- Status as a patient
- Physiological data
- Medications

EPHI:
Protected Health Information on your computer is known as EPHI: Electronic Protected Health Information.
- EPHI: PHI that our organization creates, receives, maintains, and/or transmits electronically.
- EPHI is stored on computers, clinical equipment, and computer disks.

Business Sensitive Data is:
Information that pertains to the business activities of BSHSI, including financial and investment activities, margins, projects, etc., and that provides competitive advantage.

Staff Sensitive Data is:
Personal information on staff members of BSHSI or the members of business associates, including contact details, salary, qualifications, performance, etc.

Any other non-public data is:
Information that has been duly classified and does not fall under the previous categories.

What regulations apply?
- HIPAA (Health Insurance Portability and Accountability Act)
- JCAHO (Joint Commission on Accreditation of Healthcare Organizations)
- Gramm-Leach-Bliley Act of 1999 (financial)
- Various state and federal laws and regulations

Workshop Goals
By the end of the session, participants will:
1. Understand the importance of protecting sensitive data, including EPHI.
2. Understand how information security can be compromised.
3. Understand steps to better protect sensitive data, including EPHI.
4. Be motivated to follow security procedures.

Main Security Issues
- Confidentiality: protected records are to be kept private (HIPAA Privacy).
- Integrity: records aren't changed without authorization.
- Availability: records can be accessed when needed.
What are the consequences of a security failure / breach?
- Patient safety/medical care is compromised.
- Negative publicity.
- Increased costs.
- Identity theft:
  - Patients or employees can become targets of con artists.
  - Employee reputation and career damaged.
- Legal liability/lawsuits.

Who's responsible?
The health system is responsible for all electronic information in our system. We are able to, and we will be, auditing and monitoring how people use the system:
- What records you access without a need to know
- What you download and where you web surf
If we find breaches or violations of policy, we will take action.

How can security fail/be breached?
Intentional attack... or unintentional carelessness... They all have the same negative consequences.

What is an intentional attack?
- Malicious software ("malware").
- Password stolen or code broken.
- Imposter asking for sensitive information.
- PDA or laptop stolen.
- Employees accessing records they have no legitimate need to see.

Employee carelessness
- Leaving your computer logged on and unattended
- Letting others know your password
- Downloading unauthorized software
- Misdirected e-mail / faxes

Here's what IT is doing to protect the system
- Anti-virus scanning.
- Restrict downloads.
- Restrict attachments in e-mail from outside the system.
- Firewalls to help keep out hackers.
- Require user ID and passwords.
- Restrict and update access as employee status changes.
- Install and continually update stable software.
- Encryption.
- Regular back up of data.
What YOU can do
- General Issues
- Password Protection
- Patient Information
- Internet Security
- Workstation Protocol

General Issues
- Follow all approved security policies and procedures
- Only use approved software
- Maintain heightened vigilance
- Report to IT / ask questions if anything looks unusual
- Know who you're dealing with. If in doubt, check it out.

Password Management and Password Risks
1. Your password is stolen or the code is broken: your log-in/electronic signature is used maliciously:
   - Negative messages are sent out in your name
   - Sensitive data and/or EPHI is released under your log-in
   - A hacker gains access to your system
2. A computer is stolen, and without strong password protection sensitive data can be easily accessed.

Password management: What is a password?
A string of characters used to verify a user's identity. Characters can include:
- Alphabetic characters (case sensitive: A differs from a)
- Numeric: 0 to 9
- Special characters: ~ ; ! @ # $ % ^ & * ( ) + = [ ] { } / ? < > , ; : \ ` .
Use a strong password
A strong password should be:
- Seven characters or longer.
- Not a word or name in any language.
- A mix of uppercase and lowercase letters plus numbers and special characters.
- Does NOT use public information about you or your family or friends.
- Is NOT a variation of your user ID.

Examples of strong passwords
4s&7yaAL
2Bon2Bti?
How to remember these complex passwords?

Pass-phrase
Take a phrase that is easy to remember and convert it into characters:
Four score and seven years ago (Abraham Lincoln)
-> Four Score And Seven Years Ago (Abraham Lincoln)
-> converts to 4s&7yaAL
How about 2Bon2Bti?

Anyone remember my complex passwords?
4 s & 7 y a A L
2 B o n 2 B t i ?
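A password-policy check that applies the five rules from the "Use a strong password" slide, using the special-character set from the "What is a password?" slide; this is an added example, not part of the original training deck or any BSHSI tool. The word list, the user ID and the "public facts" are constructed for the demonstration (a real check would use a full dictionary).

```python
import re
from typing import List

# Rules from the "Use a strong password" slide. The special-character set is the one listed on
# the "What is a password?" slide. The word list is a constructed stand-in for a real dictionary.
MIN_LENGTH = 7
SPECIALS = set("~;!@#$%^&*()+=[]{}/?<>,:\\`.")
DICTIONARY = {"password", "welcome", "hospital", "summer"}  # constructed sample


def password_problems(pw: str, user_id: str, public_facts: List[str]) -> List[str]:
    """Return every rule the candidate password breaks; an empty list means it passes all of them."""
    problems: List[str] = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 7 characters")
    # "Not a word or name in any language": compare against the dictionary after stripping digits
    # and symbols, so 'Password1!' is caught as well as 'password'.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if lowered in DICTIONARY or letters_only in DICTIONARY:
        problems.append("is a dictionary word or name")
    has = {
        "lowercase": any(c.islower() for c in pw),
        "uppercase": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in SPECIALS for c in pw),
    }
    missing = [kind for kind, present in has.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    # "Does NOT use public information about you": names, birth years, pets, etc.
    for fact in public_facts:
        if len(fact) >= 3 and fact.lower() in lowered:
            problems.append(f"contains public information: {fact!r}")
    # "Is NOT a variation of your user ID": the ID embedded anywhere, or the ID with only
    # digits/symbols added (jdoe -> jdoe2008!).
    uid = user_id.lower()
    if uid and (uid in lowered or letters_only == uid):
        problems.append("is a variation of the user ID")
    return problems


if __name__ == "__main__":
    # The slide's two examples pass; a name-based password and a user-ID variant do not.
    for candidate in ["4s&7yaAL", "2Bon2Bti?", "Lincoln1!", "jdoe99"]:
        print(candidate, "->", password_problems(candidate, "jdoe", ["Jane", "Doe", "Lincoln"]) or "OK")
```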
Time it takes to crack a password
Time it takes to crack various types of 8-character passwords (times are getting continually faster):

Type of character set                 Length of time to crack
English words, 8 letters or longer    Less than one second
Lowercase letters only                9 hours
Lowercase with one uppercase          3 days
All letters                           96 days
Letters and numbers                   One year
All printable characters              Thirty-three years
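An added worked example (not part of the original deck) that reproduces the table by counting the candidate passwords behind each row: at 8 characters, every row except the dictionary-word row is consistent with one guess rate of roughly 6.4 million guesses per second, which the code recovers from the "All letters: 96 days" row. The thousand-times faster rate at the end is an assumption, included to show the slide's point that these times keep shrinking and that length matters more than the character set.

```python
# Alphabet sizes behind the rows of the crack-time table (8-character passwords).
ALPHABET_SIZE = {
    "Lowercase letters only": 26,
    "All letters": 52,
    "Letters and numbers": 62,
    "All printable characters": 95,   # the 95 printable ASCII characters
}
LENGTH = 8
SECONDS_PER_DAY = 86400


def keyspace(row: str, length: int = LENGTH) -> int:
    """Candidates an exhaustive search must try for one table row."""
    if row == "Lowercase with one uppercase":
        # 26**length lowercase strings, times `length` choices of the upper-cased position
        return 26 ** length * length
    return ALPHABET_SIZE[row] ** length


def implied_guess_rate(row: str, crack_seconds: float) -> float:
    """Guesses per second the table assumes, recovered from a row's keyspace and its crack time."""
    return keyspace(row) / crack_seconds


def crack_days(row: str, guesses_per_second: float, length: int = LENGTH) -> float:
    """Days to exhaust the keyspace at a given guess rate (the worst case for the attacker)."""
    return keyspace(row, length) / guesses_per_second / SECONDS_PER_DAY


if __name__ == "__main__":
    # Recover the rate from the "All letters: 96 days" row; about 6.4 million guesses/s.
    rate_2008 = implied_guess_rate("All letters", 96 * SECONDS_PER_DAY)
    print(f"table's implied rate: {rate_2008:,.0f} guesses/s")
    for row in ["Lowercase letters only", "Lowercase with one uppercase", "All letters",
                "Letters and numbers", "All printable characters"]:
        print(f"{row:30s} {crack_days(row, rate_2008):10.1f} days")
    # Assumed, not from the slide: a 1000x faster guess rate. The 8-character all-printable
    # password drops to days, while four extra characters push it back to millions of years.
    faster = rate_2008 * 1000
    print(f"8 chars, all printable, at {faster:,.0f}/s: "
          f"{crack_days('All printable characters', faster):.1f} days")
    print(f"12 chars, all printable, at {faster:,.0f}/s: "
          f"{crack_days('All printable characters', faster, 12) / 365:,.0f} years")
```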
Password Reminders
Remember:
- Never share your password with anyone! Sharing your password is a violation of our policy. If you want someone to access your e-mail or computer, ask IT.
- Don't let someone watch when you enter your password.
- Don't write your password where others can see it; memorize it!

Password Reminders (continued)
Remember:
- Treat your password and your smart card as you would treat a PIN number or a credit card.
- Change your password every 120 days.
- If someone knows your password, change it right away and notify the IS Support Center.

Don't give out information without proper authorization
- Watch out for spoofing/phishing.
- Be suspicious of unusual requests, even if it appears to be from someone you know.
- Con artists appear knowledgeable and gain your trust.
- You are responsible for taking reasonable precautions.

Internet security
Risks:
1. Malicious software
2. E-mail carelessness
3. Instant messaging/chats

Malicious software (aka malware)
- Follow all virus scanning procedures.
- Don't download ANYTHING from the internet without IS approval.
- If you have any doubt about an attachment, delete it or ask IS to check it out.
- Don't click on links or go to web sites if you have any doubts about their legitimacy.
- Don't use your BSHSI network password at any website.
- Don't unsubscribe from spam.
- If your computer acts at all strangely, ask IS to check it out.
- If virus protection software finds a virus, do not use the computer until IS has cleaned it.

E-mail
Rules for e-mailing:
1) Don't send sensitive data outside the facility's internal network unless encrypted (ask IS for help doing this).
2) To prevent misdirected e-mail:
   - Proof all e-mails before sending
   - Use an address book to limit typos
   - Be careful where you click
   - Be careful with use of Reply All
3) Forwarded tails: scroll to the end of all e-mails before sending to ensure sensitive data is not being sent forward.

Workstation Protocol
- Always keep protected information in a secure place.
- If you walk away, secure the workstation.
- In public areas, protect the monitor from prying eyes.
- Secure all removable media.
- Dispose of all computer equipment and media by returning it to Bio-med or IS.
- Verify with IS that your data is being backed up.

Review - Risky Situations
- Someone goes surfing on the web on their lunch break: what's the risk?
- You notice you have some returned (undeliverable) e-mail that you never sent: what might this mean?
- Sending e-mail reminders from home to your office computer (or vice versa) with EPHI in it: what's the risk?

Review - Risky Situations (cont.)
- Taking work home on a laptop: what's the risk?
- Sending out an e-mail without proofing it fully: what's the risk?
- Leaving your work station (in a non-public area) for a second to answer a coworker's ringing phone that is nearby, but out of sight of your computer: what's the risk?

Review
- Security: measures taken to guard against espionage or sabotage, crime, or attack.
- Security can be breached through intentional attack or unintentional carelessness.

Review
- Security goal: ensure confidentiality, integrity, and availability of all sensitive data.
- This only works if everyone follows our security and acceptable use policies and stays aware.
- Report any and all security concerns or questions to the IS Support Center.

Ten key action steps to take every day / daily reminders:
1. Don't give anyone your password
2. Choose a strong password and change it regularly
3. Don't download any software without IS approval
4. Don't go to unknown web sites
5. Virus scan all files before accessing

Ten key action steps to take every day / daily reminders (cont.):
6. Don't send sensitive data in e-mails going outside BSHSI or in instant messages of any kind.
7. When e-mailing, watch out for tails!
8. Don't leave your workstation without first locking your computer and securing all media.
9. Don't give out patient information without proper authorization.
10. Maintain proper vigilance.

Conclusion: Only PEOPLE can prevent security breaches
BSHSI Information Security Policies
- Information Security Audit Controls Policy
- Information Security Authorization and Access Policy
- Information Security Automatic Logoff Policy
- Information Security Awareness Training Policy
- Information Security Change Management Policy
- Information Security Data Backup Policy
- Information Security Data Integrity Control Policy
- Information Security Device and Media Controls Policy
- Information Security Disaster Recovery Policy
- Information Security E-mail Use Policy
- Information Security Encryption and Decryption Policy

BSHSI Information Security Policies (cont.)
- Information Security Incident Handling Policy
- Information Security Information Risk Management Policy
- Information Security Internet Use
- Information Security Intrusion Detection Policy
- Information Security Management Policy
- Information Security Network Security
- Information Security Password Management
- Information Security Physical Security
- Information Security Protection from Malicious Software
- Information Security Workstation Security

FEEDBACK / REACTIONS FOR SELECTED GROUPS ONLY
Mobile equipment (PDA, laptop):
- If it has sensitive data on it, keep it in your sight or locked up
- Password protect it (strong password) in case it is lost or stolen
- Don't save your user ID and password on the laptop or PDA
- Keep anti-virus, security patches and a firewall up to date

Remote access:
Protect your home computers as you would your regular workstation:
- keep sensitive data locked up and protected by a strong password
- be aware of who might be looking at the screen while you work
- properly dispose of media that had sensitive data on it
- back up important files

Wireless access:
Unless set up properly, wireless access can have serious security holes. A wireless system that's been compromised can release malicious software into our network. Proper set up includes a wireless system with:
- encryption
- a firewall
- anti-virus software
- up to date security and operating system patches
Have someone in IT review the security set up.

Supervisor/Manager

Additional Learning Goals:
- Understand at a higher level the importance of protecting sensitive data (liability issues).
- Increase awareness of the supervisor's role in monitoring sensitive data security issues on the job.
- Understand steps supervisors can take to make sure their staff better protect sensitive data.

Key security roles for the supervisor/manager
- Monitor access and report changes in status
- Monitor usage: is it for legitimate business purposes?
- Monitor physical security of the work site and work station protocols
- If you have any questions or concerns about security, report them to IS

Supervisor's reasonable steps to monitor security in their work area
1. Key things to do/look for:
   Physical security
   - Sensitive data is locked up when no one is present
   - Members of the public and staff from other areas have limited view of monitors and no access to computers or electronic media (disks)
   Electronic security
   - Access is properly restricted
   - Only authorized software is in use

Supervisor is expected to take additional steps (cont.)
2. Encourage staff to follow security procedures:
   - Be sure new staff are trained in IS security and proper use policies
   - Periodically remind staff of key security procedures
   - Do spot audits of workstations

Supervisor is expected to take additional steps (cont.)
3. Monitor access / use:
   - Continuously audit/report status changes (transfers, terminations, other changes)
   - Make sure access levels are appropriate
   - Know who is doing what with sensitive data
4. Make sure all computers and electronic media are sent to Bio-med or IS for proper disposal
5. Report any concerns to IS