EHS Privacy and Information Security
Resident Orientation, 26 June 2015
Steve Winter, CISSP, CNE, MCSE
Senior Information Security Engineer
Privacy and Information Security Office, Erlanger Health System
Topics
- Privacy
- Threats to healthcare information security
- Internet access at EHS
- Secure file sharing
- USB drives
- BYOD
- Policies
Privacy: Accessing patient information
- You may access the PHI of ONLY those patients in whose care you are involved.
Privacy: Accessing patient information
- You may NOT access these types of PHI:
  - Your own
  - Family
  - Friends
  - Neighbors
  - Co-workers
  - Anyone else whose treatment you are not involved in
- Automated monitoring
  - Daily alerts for these types of events
  - Your director will be contacted when this type of inappropriate activity occurs
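The automated monitoring on this slide can be implemented as a daily rule over EHR access logs: flag any chart view where the user has no treatment relationship with the patient, and report self-access and co-worker access with a more specific reason. The following is an added example, not EHS's own monitoring code; the log format, the employee roster and the care-team roster are constructed assumptions, and family, friends and neighbors fall under the same "no treatment relationship" check.

```python
# Constructed sample data (not EHS data). EMPLOYEE_MRN maps each user ID to
# the medical record number of that employee's own patient chart; CARE_TEAM
# lists the patients each user is currently involved in treating.
EMPLOYEE_MRN = {"rwinter": "MRN-1001", "jdoe": "MRN-1002", "akim": "MRN-1003"}
CARE_TEAM = {
    "rwinter": {"MRN-2001", "MRN-2002"},
    "jdoe": {"MRN-2002"},
    "akim": {"MRN-2003"},
}

# Constructed EHR access log: timestamp, user ID, patient MRN, action.
ACCESS_LOG = """\
2015-06-26T08:01:10 rwinter MRN-2001 view
2015-06-26T08:05:42 rwinter MRN-1001 view
2015-06-26T09:12:03 jdoe MRN-1003 view
2015-06-26T09:40:55 akim MRN-2003 update
2015-06-26T10:02:17 akim MRN-2001 view
"""

def classify_access(user, mrn):
    """Return the alert reason for one access, or None if it is permitted.
    A treatment relationship permits the access, even to a co-worker's
    chart; a user's own chart is never permitted."""
    if EMPLOYEE_MRN.get(user) == mrn:
        return "self-access"
    if mrn in CARE_TEAM.get(user, set()):
        return None
    if mrn in EMPLOYEE_MRN.values():
        return "co-worker record, no treatment relationship"
    return "no treatment relationship"

def daily_alerts(log_text):
    """Parse one day's access log and return (timestamp, user, mrn, reason)
    tuples for every access that should be reported to the user's director."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, user, mrn, _action = line.split()
        reason = classify_access(user, mrn)
        if reason is not None:
            alerts.append((timestamp, user, mrn, reason))
    return alerts

if __name__ == "__main__":
    for timestamp, user, mrn, reason in daily_alerts(ACCESS_LOG):
        print(f"{timestamp} {user} -> {mrn}: {reason}")
```

On the constructed log this yields three alerts: a self-access, a co-worker chart with no treatment relationship, and an ordinary out-of-care-team access.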
Privacy: Papers
- Census documents and anything else containing PHI
- Keep track of them
Privacy: Pictures and video
- The CEO takes patient privacy very seriously
- Erlanger doctors have recently been disciplined for this type of inappropriate activity
- Social media, cloud storage, texts, emails
- Texting:
  - BAD: "This patient just needs to die!"
  - OK: "Please check on patient in room 400 for cardiac issue"
- Assume anything you send is publicly available
Threats to healthcare information security
- Poor information security hygiene
- Appropriate management of IT resources
- Software updates
- Shared responsibility: EHS and users
Threats to healthcare information security
- Legislation
Threats to healthcare information security in 2015
- Attacks from nation states
  - Anthem: 80 million patient records stolen
  - Premera Blue Cross: 11 million patient records
  - CareFirst: more than 1 million patient records stolen
- Several smaller healthcare organizations reportedly faced cybersecurity incidents
- According to the Experian forecast, the threat level for healthcare organizations is rising, and data breach costs could top $5.6 billion in 2015
Threats to healthcare information security in 2015
For the healthcare industry, the personal information leaked in cyber attacks can cause a degree of damage other industries rarely see. Consumer data held by healthcare companies goes beyond credit card numbers and financial information to sensitive details of people's prescriptions, medical histories, and illnesses.
Threats to healthcare information security
- Risk appetite: the amount and type of risk that an organization is willing to take in order to meet its strategic objectives
  - Vendors
  - Contractors
  - New acquisitions
  - New ventures
  - New systems
  - New users
- Management of legacy systems, procedures and people
Threats to healthcare information security
- Changes outside of healthcare
  - Breaches at Target, Home Depot, Michaels, P.F. Chang's and many others
  - Flooded black market for credit cards
  - The new money maker: identity theft
- Perfect storm
Internet access at EHS
- Minimum necessary access
- Generic users
- Your EHS network account
- Personal devices: use ehsmainsecure
- Tech support: call 423.778.8324 (TECH) or email servicedesk@antheliohealth.com
Secure file sharing
- Internal
  - SharePoint sites
  - Network drives
  - EHS email accounts (webmail access: https://ehsmail.erlanger.org)
- External: to be addressed
USB drives
- Just say no
- Don't use or accept any FREE USB drives
- Do not use a USB drive you find
- BadUSB: undetectable malware
- If you have to use one, use an IronKey, which is tamper-proof
BYOD
- Accessing EHS data on your personal device
- Minimum requirements:
  - No jailbroken iOS or rooted Android phones
  - Password assigned to the device
  - Encrypted
  - Screen timeout
  - Keep it updated with the latest operating system
- Search Google for instructions on how to secure your particular device
Policies
- http://ehsintranet > EHS Policies & Procedures
- Most policies for privacy and information security are under Administration
EHS Privacy and Information Security
Questions? Comments?
- Email: privacy@erlanger.org
- Phone: Office of Compliance, x7703