Information Security Training 2012
Authored by: Gwinnett Medical Center Information Security Department
Modified for affiliated schools' students & instructors by: Linda Horst, RN, BSN, BC
Objectives
After you finish this Computer-Based Learning (CBL) module, you should be able to:
- Explain the basic concepts of Information Security.
- Explain your security responsibilities and the part you play in protecting sensitive information and assets belonging to GMC.
Topics Covered in this CBL
- What needs to be protected?
- What is information security?
- What are the consequences of security failure?
- What are the types of security failure?
- How can we protect against security failure?
What Needs to be Protected?
Protected Health Information (PHI): health or medical information linked to a specific individual, including:
- Identity (demographic and financial data)
- Medical condition and treatment (clinical data)
Electronic Protected Health Information (EPHI): PHI stored on or transmitted via our computers and networks, including USB drives, CDs, PDAs, tapes, and clinical equipment.
What is Information Security?
Information security is the process of ensuring the confidentiality, integrity, and availability of information through safeguards.
- Confidentiality: Prevent unauthorized access to or release of PHI. Prevent abuse of access (identity theft, gossip).
- Integrity: Prevent unauthorized changes to PHI.
- Availability: Prevent service disruption due to malicious or accidental actions or natural disasters.
What is Information Security? Regulations, Standards
GMC Information Security policies and procedures are based on the following regulations and standards:
- Health Insurance Portability and Accountability Act (HIPAA)
- National Institute of Standards and Technology (NIST) standards
- Health Information Technology for Economic and Clinical Health (HITECH) Act
- Payment Card Industry (PCI) standards
- Joint Commission (JC) accreditation
Consequences of Security Failure
Security failures can result in:
- Disruption of patient care.
- Increased cost to the organization.
- Legal liability and lawsuits.
- Negative publicity.
- Identity theft (monetary loss).
- Disciplinary action.
What are the Types of Security Failure?
There are two types of security failure:
1. Intentional attack
2. Employee/academic affiliate carelessness
Intentional attack:
- Malicious software (viruses)
- Stolen passwords
- Impostors calling or emailing to steal information (phishing)
- Theft (laptop, PDA)
- Abuse of privilege (accessing employee, academic affiliate, or VIP clinical data)
Types of Security Failure, continued
Employee/academic affiliate carelessness:
- Sharing passwords
- Not signing off the systems
- Downloading and executing software
- Improper use of email or web surfing
- Not questioning or reporting suspicious or improper behavior
Protection Against Security Failures
We protect against security failure by:
- Using email and the internet appropriately.
- Creating strong passwords.
- Securing desktops and portable devices.
- Following minimum necessary.
- Reporting breaches.
How Do We Protect Against Security Failures? Appropriate Use of Email & Internet
When you use GMC information technology and computer systems, your activities are not private. GMC monitors activity that occurs on its network, including:
- Internet use,
- Corporate email,
- Web-based email (Yahoo, Hotmail, Gmail), and
- Instant messaging.
How Do We Protect Against Security Failures? Appropriate Use of Email & Internet, cont.
GMC monitors computer use to ensure that:
- Sensitive information is sent out correctly.
- No sexually harassing or pornographic communications are taking place.
- Associates are using time and resources appropriately.
- Associates are viewing appropriate websites.
If you misuse GMC computer equipment, you are subject to disciplinary action.
How Do We Protect Against Security Failures? Appropriate Use of Email
- Do not open emails from someone you do not know.
- Do not forward work emails to a non-GHS email account.
- Do not send emails that contain:
  - Profanity, obscenities or derogatory remarks.
  - Pornographic material.
  - Threats and hate literature.
  - Chain letters, inside or outside the organization.
  - Sexual, ethnic, racial or other workplace harassment.
How Do We Protect Against Security Failures? Appropriate Use of Email, continued
Be aware of risks, including spam and phishing emails:
- Spam is unsolicited bulk email, including commercial solicitations, advertisements, chain letters, pyramid schemes and fraudulent offers. Do not reply to or forward spam messages.
- Phishing emails pretend to be from trusted names, such as Citibank, PayPal or Amazon, but direct recipients to rogue sites. Never click on a link in a suspicious email. A reputable company will never ask you to send your password through email.
How Do We Protect Against Security Failures? Appropriate Use of the Internet
You may not visit inappropriate internet sites or engage in inappropriate communications. Examples of sites or communications that are inappropriate:
- Pornographic
- Culturally offensive
- Racist or hate-related
- Related to gambling
- Related to computer hacking
- Terroristic
How Do We Protect Against Security Failures? Email, Internet and Viruses
Computer viruses are dangerous programs that:
- Run on a computer without the knowledge or permission of the user, and
- Are meant to damage your computer or to gain access to your information.
Viruses can:
- Spread onto computer discs and across a network.
- Corrupt data files.
- Format your hard drive.
- Delete files.
- Install software that will allow a hacker access to your system.
- Cause a total failure of a computer system.
How Do We Protect Against Security Failures? Email, Internet and Viruses, cont.
Viruses spread through jump drives, CDs, Internet sites, file downloads, and email.
Never:
- Download software or files from the Internet. Contact the Customer Response Center (CRC) if you need to install software on your PC.
- Open unknown or unexpected email attachments.
- Download files from discs or jump drives that were received from a source you do not trust, or that were created by an unprotected computer.
- Open email from someone you do not know.
How Do We Protect Against Security Failures? Social Networking
- Do not access social networks while on GMC campuses.
- Do not use information gained as a result of your position with GMC to contact or communicate with patients, clients or third-party business associates.
- Do not share information related to our corporation, patients, or clients.
- Represent GMC in a professional manner at all times.
- If you post anything from a GMC email address, include a disclaimer stating that the opinions you've expressed are strictly your own and not necessarily those of GMC. Exception: the posting is in the course of business duties.
How Do We Protect Against Security Failures? Creating Strong Passwords
- Do choose strong passwords. A strong password is at least 8 characters long and contains a combination of capital letters, lower case letters, numbers, and special characters.
- Don't share your passwords. You are responsible for any actions others take using your computer access.
- Don't store passwords in your office or where they are accessible to others.
- Don't use the "remember password" feature on computer systems.
- Do change your password if you suspect a breach, and report it to the CRC at x23333.
How Do We Protect Against Security Failures? Secure Desktops and Portable Devices
- Log off and exit computer programs when leaving a work station.
- Ensure that your computer screen is turned so that passersby cannot read information on the screen.
Notebook computers and portable devices:
- Never leave them unattended. Lock them up!
- Never leave them visible in your car.
- Store as little sensitive information on them as possible.
- If your notebook computer or portable device is lost or stolen, report it to the Information Security and Public Safety departments immediately.
- Use an encrypted USB drive if you must store or transport data, and do so only if there is a business purpose. Contact the CRC at x23333 to obtain an encrypted USB drive.
How Do We Protect Against Security Failures? Secure Desktops, Portable Devices, cont.
Be aware of social engineering, which is the process of tricking or manipulating someone into giving access to sensitive information. Examples:
- Tailgating: One or more persons follow an authorized person through a secured door or other entrance.
- Shoulder surfing: Direct observation techniques, such as looking over someone's shoulder to get information.
- Impersonation: A person pretends to be someone he or she is not in order to gain information. For example, you receive a phone call from someone claiming to be a PC tech or GMC associate requesting information such as passwords, user names, or other sensitive information.
How Do We Protect Against Security Failures? Secure Desktops, Portable Devices, cont.
Media disposal: You must dispose of media containing sensitive information so that the information cannot be accessed by any unauthorized person. Proper media disposal methods:
- Paper records: Place in shred bins.
- CDs: Take to Information Services (Operations).
- Hard disc drives: Contact the CRC at x23333.
How Do We Protect Against Security Failures? Follow Minimum Necessary
Minimum Necessary means limiting your access to PHI to only what is needed to complete your task or job.
- Never access any information without a business purpose.
- Do not abuse clinical access privileges. Report abuse if you observe it.
- Never copy or duplicate PHI without appropriate authorization.
Reporting Incidents or Breaches
If you believe an information security incident or breach has occurred:
- Let your instructor/manager know, especially if you notice any problems with meeting the rule requirements.
- Report incidents or breaches of sensitive GMC information to:
  - Security hotline: 404-291-8233, or
  - E-mail: Information-Security@gwinnettmedicalcenter.org, or
  - Corporate Compliance Hotline: 888-696-9881.
Reporting Incidents, Breaches, cont.
- GMC takes disciplinary action in response to confirmed information security breaches.
- If you fail to report a known or suspected breach, or if you report a breach for malicious reasons, you might receive disciplinary action.
- The Information Security department investigates all suspected information security breaches.
- Disciplinary action may result in termination of employment/student experience.
- As an associate, if you disagree with the disciplinary action, you can file a grievance.
Information Security Policies
You can access the information security policies covered in this CBL on GwinnettWork:
- 9530-100 Information Security Program
- 9530-101 Information Security Training
- 9530-102 Disposal of Media Containing Sensitive Information
- 9530-104 E-mail Usage
- 9530-105 User Password Management
- 9530-106 Internet/Intranet Usage
- 9530-108 Virus Checking
- 9530-109 Acceptable Use of Computer Equipment
- 9530-125 Social Networking
- 9530-127 Securing Sensitive Information in Work Area
- 300-517 Associate Disciplinary Actions for Confidentiality and Information Security Breaches
Congratulations! You have completed this CBL module. See the next link to take the Information Security Test.
Questions? Contact Information Security:
- Kelly Keeler: 678-312-4381
- Allen Olmstead: 678-312-4243