DSHS CA Security For Providers

Similar documents
CYBERSECURITY POLICY

Information Security Policy for Associates and Contractors

Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR

National Cyber Security Month 2015: Daily Security Awareness Tips

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as

Information Security It s Everyone s Responsibility

Research Information Security Guideline

Policies and Procedures for Electronic Protected Health Information (ephi) and Personally Identifiable Information (PII)

Students Mobile Messaging Registration & Configuration

ALTA OFFICE SECURITY AND PRIVACY GUIDELINES ALTA

Encrypting Personal Health Information on Mobile Devices

INFORMATION SECURITY POLICY

NC DPH: Computer Security Basic Awareness Training

Section 5 Identify Theft Red Flags and Address Discrepancy Procedures Index

The Security Rule of The Health Insurance Portability and Accountability Act (HIPAA) Security Training

Keeping Data Safe. Patients, Research Subjects, and You

HIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014

Mobile Device Management (MDM) Policies. Best Practices Guide.

2014 Core Training 1

HIPAA and Health Information Privacy and Security

BSHSI Security Awareness Training

HIPAA Privacy & Security Rules

HELPFUL TIPS: MOBILE DEVICE SECURITY

HFS DATA SECURITY TRAINING WITH TECHNOLOGY COMES RESPONSIBILITY

State of South Carolina Policy Guidance and Training

APPROVED BY: DATE: NUMBER: PAGE: 1 of 9

Ministry of Children and Family Development (MCFD) Contractor s Information Management Guidelines

Why do we need to protect our information? What happens if we don t?

PHI- Protected Health Information

Welcome to Information Security Training

SUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices

COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name

HIPAA and Privacy Policy Training

Retail/Consumer Client. Internet Banking Awareness and Education Program

Member FAQ. General Information: Security:

Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS

HIPAA Security Alert

By the end of this course you will demonstrate:

ANNUAL SECURITY RESPONSIBILITY REVIEW

Montclair State University. HIPAA Security Policy

How-To Guide: Cyber Security. Content Provided by

Privacy & Security Standards to Protect Patient Information

8.03 Health Insurance Portability and Accountability Act (HIPAA)

Enterprise Information Security Procedures

INFORMATION TECHNOLOGY SECURITY POLICY COUNTY OF IMPERIAL

Protecting Privacy & Security in the Health Care Setting

MOBILE DEVICE SECURITY POLICY

School of Nursing Research Seminar. Data Security in The Academic Health Center. Presented By Jon Harper AHC Information Systems

Data Security in a Mobile, Cloud-Based World

Reporting of HIPAA Privacy/Security Breaches. The Breach Notification Rule

University of Cincinnati HIPAA Administrative, Physical and Technical Safeguards

How To Protect Your Information From Being Hacked By A Hacker

Avoiding Malware in Your Dental Practice. 10 Best Practices to Defend Your Data

Hot Topics in IT Security PREP#28 May 1, David Woska, Ph.D. OCIO Security

SENDING HIPAA COMPLIANT S 101

Learn to protect yourself from Identity Theft. First National Bank can help.

PREP Course #25: Hot Topics in Cyber Security and Database Security. Presented by: Joe Baskin Manager, Information Security, OCIO

Royal Mail Group. getting started. with Symantec Endpoint Encryption. A user guide from Royal Mail Technology

Avoiding Malware in Your Dental Practice. 10 Best Practices to Defend Your Data

Responsible Access and Use of Information Technology Resources and Services Policy

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff

Management and Storage of Sensitive Information UH Information Security Team (InfoSec)

HIPAA ephi Security Guidance for Researchers

Security Awareness. ITS Security Training. Fall 2015

All Users of DCRI Computing Equipment and Network Resources

Mobile Device Management (MDM) Policies

Step 1. Step 2. Open your browser and go to and you will be presented a logon screen show below.

HIPAA Privacy. September 21, 2013

Security Awareness Quiz Questions

How to Encrypt Files Containing Sensitive Data (using 7zip software or Microsoft password protection) How to Create Strong Passwords

Security Awareness. A Supplier Guide/Employee Training Pack. May 2011 (updated November 2011)

Administrative Procedures Memorandum A1452

Protect Yourself. Who is asking? What information are they asking for? Why do they need it?

Malware & Botnets. Botnets

Computer Security at Columbia College. Barak Zahavy April 2010

Advanced HIPAA Security Training Module

DriveLock and Windows 7

AVOIDING ONLINE THREATS CYBER SECURITY MYTHS, FACTS, TIPS. ftrsecure.com

What s the difference between my Home Banking password and my Enhanced Login Security?

General Security Best Practices

Information Security

General Rules of Behavior for Users of DHS Systems and IT Resources that Access, Store, Receive, or Transmit Sensitive Information

A practical guide to IT security

STUDENT S INFORMATION SECURITY GUIDE

HIPAA TRAINING. A training course for Shiawassee County Community Mental Health Authority Employees

SCRIPT: Security Training

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Who must complete this training

Page 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared;

ONE Mail Direct for Mobile Devices

HIPAA Security Training Manual

HIPAA 101: Privacy and Security Basics

Network and Workstation Acceptable Use Policy

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:

Information Technology Security Policies

Network Security for End Users in Health Care

ENISA s ten security awareness good practices July 09

Transcription:

DSHS CA Security For Providers Pablo F Matute DSHS Children's Information Security Officer 7/21/2015 1

Data Categories: An Overview All DSHS-owned data falls into one of four categories: Category 1 - Public information can be released to the public. Category 2 - Sensitive information is not specifically protected by law but should be limited to official use and protected from unauthorized access. Category 3 - Confidential information is protected from disclosure by law. Category 4 - Confidential information requiring special handling is also protected from disclosure by law, regulation, or agreement and serious consequences could arise from unauthorized disclosure, ranging from life threatening situations to legal sanctions. DSHS CA Data is always Category 3 and above 7/21/2015 2

Data Categories: Categories 3 and 4 Here are some examples of category 3 and 4 data: Examples of confidential information include personal information about individual DSHS clients, Department employee personnel records, source code for computer applications, and any other documents or information that could potentially jeopardize the integrity of the Department, enable fraud, or trigger action by law enforcement or regulatory group. Personal information includes things like name, birthdate, and address. Examples of confidential information requiring special handling include information with especially strict handling requirements such as a client s Federal Tax Information (FTI), their Protected Health Information (PHI), a location of an abused spouse, or other potentially life-threatening data. 7/21/2015 3

Confidential Data: Not Sure? ASK! If you ever find yourself in a situation where you have a question about data security requirements, or if you think you discovered a breach but you aren t sure, ask your CA Contracts Manager. If you can t reach your CA contract contact the CA IT Security Administrator, pablo.matute@dshs.wa.gov Remember: it s always better to be safe than sorry. 7/21/2015 4

What encryption means Workstations and Laptops The following encryption technologies are approved for use on workstations and laptops Windows Microsoft BitLocker (Ultimate version) Trusted Computing Group (TCG)-compliant BIOS. TPM microchip version 1.2, enabled for use with BitLocker. Apple FileVault FileVault 2 7/21/2015 5

What encryption means Laptops containing confidential data must be encrypted (full-disk) as the risk of theft or accidental loss is high. If a workstation or laptop contains multiple drives for example, an operating system drive and a data drive all of the drives in the workstation or laptop must be encrypted. 7/21/2015 6

What encryption means Removable Media It is especially critical that removable media containing confidential data be encrypted due to the high risk of theft or loss. Examples of removable media include hard disk drives (internal/external), backup tapes, flash drives, optical discs (CDs/DVDs), and memory cards. Mobile Devices Like removable media, it is also especially critical that mobile devices such as smart phones and tablets be encrypted due to the high risk of theft or loss. Information on devices that cannot be encrypted (voice recorders or digital cameras, for example) must be protected using compensating controls approved by your administration s IT. 7/21/2015 7

What encryption means Servers The following encryption technologies are approved for use on servers SQL Transparent Data Encryption (TDE) or column-level encryption. Linux Linux Unified Key Setup (LUKS) Other Database, table, column, row, or file-level encryption depending on technical feasibility. These requirements apply regardless of whether it is a development, test, or production environment if that environment contains confidential data. 7/21/2015 8

Password Security: General Rules Passwords are the provider s first and sometimes last line of defense against unauthorized access to sensitive systems and information. As a DSHS contractor it is your job to use strong passwords, to protect them from disclosure, and to report any breaches immediately. You can protect your passwords by following these basic guidelines: Use complex passwords that can t easily be guessed. Never write your password down. Never share your password with anyone verbally or in writing. Never allow a coworker or contractor to assume control over a computer while you are logged in on your account. Change your passwords often, especially following a breach. 7/21/2015 9

Password Security: Minimum Requirements Minimum password requirements for DSHS contractor information systems may change from one system to the next. Here are some of the general guidelines: Workstation passwords must be at least eight characters long and contain at least one special character (ex: the $ symbol) and two of these three character classes: upper case letters, lower case letters, and numbers. Passwords must not contain your user ID or any form of your name. Passwords must not contain a telephone number, Social Security Number, your child or pet s name, or any other personal information that could be easily guessed by one of your coworkers. It s important to keep in mind that these are just the minimum requirements and general guidelines. Whenever possible a complex password is best. You ll learn what a complex password is on the next slide. 7/21/2015 10

Password Security: What s a Complex Password? A complex password is a password that meets the following criteria: It s at least fifteen (15) characters long: L8ther2nite@P4rt3 It isn t derived from the username in whole or in part. It combines upper and lower-case letters, numbers, and symbols; and It doesn t include dictionary words, names, birthdays, telephone numbers or any personal identification numbers. The stronger your password, the less likely it will be that unauthorized use or breach of your account will occur. Remember: You are responsible for ensuring the integrity of your account(s) 7/21/2015 11

Workstation Security: Locking Your Workstation All DSHS contractors are required to lock their workstations, laptops, servers, and any other devices when leaving them unattended. If you re logged in to a Windows-based DSHS workstation it s important that you lock it ( + the L key) before leaving your desk for a meeting, a break, or for any other reason that requires you to be more than arm s length from the keyboard. Locking workstations is especially important if you have access to any of the following information or information systems: Healthcare information Famlink Data Visitation Notes Department information that is considered sensitive or confidential. 7/21/2015 12

What Secure E-mail means When communicating with DSHS, always use the secure e-mail system. DSHS CA employees are required to use the secure email system when sending confidential data through providers/contractors Response from providers/contractors and data send by provider/contractor should use the same method Subject [secure] (test) 7/21/2015 13

Email Security: Identifying Malicious Messages Email is the primary method through which most DSHS employees and contractors communicate with each other, clients, and partners. Unfortunately, email is also the primary method through which people with malicious or criminal intent attempt to breach the DSHS or providers network. Identifying a malicious message can be challenging. Here are some quick tips to help you avoid falling victim to one: Be extremely cautious about how you handle unsolicited emails. Never click on links or open attachments in unsolicited emails. Never respond to emails asking for your username or password. If you have any doubts about the authenticity of an email, don t open it and notify your contract contact immediately 7/21/2015 14

Physical Security: Laptops and Mobile Devices Many DSHS contractors use laptops, mobile phones, tablets, voice recorders, and cameras to perform some or all of their duties. Laptops and mobile devices are very easy to lose and they re a prime target for thieves because they re small and valuable. It s extremely important that you keep these assets secure. Laptops should always be encrypted, and you should never leave them somewhere that they can be easily lost or stolen. You must report stolen or lost removable media to both your supervisor and your CA s contract contact 7/21/2015 15

Physical Security: Removable Media Removable media such as USB drives, external hard drives, memory cards, CDs or DVDs, and voice recorders are very easy to lose and they re a prime target for thieves because they re small and valuable. It s extremely important that you keep these assets secure. Sensitive data on removable media should always be encrypted and you should never leave it somewhere that it can be easily lost or stolen. Lock it up, keep it out of sight, and never leave it in a State or personal vehicle. You must report stolen or lost removable media to both your supervisor and your CA s contract contact 7/21/2015 16

Voice Mail Security in Contracts Regarding online voicemail through providers such as CenturyLink or Comcast. Can we use a service like this at our remote offices to run our voicemail or would this be a concern because a voicemail may contain voiced DSHS data in the cloud? Use any voice mail but do not leave DSHS data on it! 7/21/2015 17

Provider Instructions for Breach Situations ON DAY ONE Call your local contracts manager and provide a very detailed account of what happened. It may be easier if they do a conference call with you and the staff member who was actually involved in the loss. When, where, and how exactly did the incident happen? How many people s information was released? Exactly what information was disclosed? (It may be easier to ask the provider which documents were taken: Visitation referral, psychological evaluation, quarterly BRS report. Then you can look up those forms and see what s on them.) 7/21/2015 18

Provider Instructions for Breach Situations DAY ONE (CONTINUED) What precautions have you taken to prevent the information from being lost or stolen? If the situation involved computer equipment provide a police report. Reminder Using the same machine for personal and state business, is a bad idea. Steps need to be taken to avoid the loss of privacy, i.e. notify email contacts, change passwords, notify credit card companies about a fraud alert. 7/21/2015 19

Instructions for Breach Situations DAY ONE (CONTINUED) As soon as possible: Notify all affected individuals whose personal information may have been released. Use certified mail so you have a record the letter was received by the client. Notify Social workers of the breach. 7/21/2015 20

Frequently Asked Questions (FAQs) Why are SW s sending unencrypted data to the Providers? CA SW s should always use the secure email system, if a SW sends an unencrypted email with confidential data please contact Pablo Matute at pablo.matute@dshs.wa.gov Can we store data in the Cloud? If so, what are the requirements? DSHS data may not be stored on any medium not controlled by the Contractor. Storage on any Internet service such as DropBox, icloud, Amazon Web Services, or any other Internet based storage system is not allowed. Contact Pablo Matute for more information. 7/21/2015 21

FAQs: Can we use Flash Drives if the data is encrypted? Yes, just do not have the password typed on the device Which mobile Devices can be used for data? All, with a MDM Mobile Data Management solution that can encrypt, locate, change passcode, locate and remote wipe the device. MDM such as Meraki, Air watch, etc. 7/21/2015 22

In the Secure Email system, all emails go away after 21 days - can this be fixed? Messages are retained for 30 days. It s a global setting so it cannot be changed. Because the Secure email system is for secure transport only, and not built for permanent email storage, this was a vendor requirement. After 30 days no records at all of emails received or sent- not able to show proof The record of a message being sent would be with the DSHS employee. If the DSHS employee sent the message, then there is a record in their Sent Items folder. If they ve received a reply, then the DSHS employee will have that message for reference. 7/21/2015 23

Is there a way to track outgoing secure emails? Yes. Please send those requests to the ISSD Service Desk and include the sender, recipient, and the date the message was sent. Is there a way to save the secure email in the secure system? The secure email system is for transport only; it is not designed for permanent message storage. Individual messages can be saved as text files using the More Actions drop down menu that is available when viewing a message. Attachments can be saved the same way. 7/21/2015 24

How do I add other people in the email that are not a part of the original secure email? The Reply and Reply All options only include the original list of recipients, however, there is an option to forward the message to additional people. Is there a set up for spell check in secure email? That is not part of the system, but most web browsers offer some level of spell check abilities. 7/21/2015 25

Questions Security in Contracts 7/21/2015 26

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information