Information Security Training

Information Security Training 2018

Privacy & Security Compliance
RCHSD is committed to privacy and security compliance. Our goals with this training module are to:
- Assist you with meeting compliance obligations;
- Help you understand key elements of privacy and security compliance, to protect patient privacy and honor our promise to patients, families and regulators to keep medical records and patient information confidential.
Upon completing this module you will understand:
- How to help protect the privacy of patient information;
- Common risks to privacy and security;
- How to describe safeguards used to protect patient information and information assets;
- Your compliance obligation to prevent privacy breaches and to report suspected breaches when they occur.

The Number of Breaches per Year in Health Care Keeps Rising

Our Information is Valuable: DHHS Reported Incidents
Marin Healthcare District, September 2016: Ransomware infected systems operated by the covered entity's business associate, Marin Medical Practice Concepts, Inc. During the restoration process, one of the backup systems failed, causing the loss of protected health information…
Medical College of Wisconsin, September 2016: An unauthorized third party compromised the protected health information found in an employee's email account for a period of three days. The compromised email account contained the PHI of 3,225 individuals. The types of PHI involved in the breach included full names, home addresses, dates of birth, medical record numbers, diagnoses and/or treatment information, and the Social Security numbers of two patients…

HIPAA and the Security Rule
Covered entities are required to adhere to regulations developed by the U.S. Department of Health and Human Services (HHS) to protect the security of certain health information. These regulations form the Security Rule, which establishes national standards to protect individuals' electronic PHI. It requires appropriate security controls to ensure the following for all electronic PHI:
- Confidentiality: ensuring information is not improperly disclosed;
- Integrity: ensuring data is accurate, complete and has not been altered in an unauthorized manner;
- Availability: systems are accessible on demand by those authorized to use them to help care for our patients.

Information Security Goals
The Security Rule and Information Security Goals
The goal of RCHHC is to safeguard our information and to comply with HIPAA Security Rule requirements by implementing administrative, physical and technical safeguards. RCHHC employees, contractors and affiliates have a personal responsibility to protect information and systems by:
- Adhering to email and internet security principles
- Following best practices for computer access
- Reporting incidents

Protecting PHI & Other Sensitive Information in Email Correspondence
Consider whether the email you're sending to an address outside RCHSD contains PHI or other sensitive/confidential information. Always ask yourself, "Should this type of information be leaving our organization?" and "Does the recipient have a need to know this information?"
- PHI or sensitive information sent by email MUST be encrypted first using an approved encryption method.
- NEVER use unauthorized public file-sharing sites such as Box, Dropbox or iCloud.
- If email doesn't meet your requirements, contact the Service Desk.

Email Encryption
If you need to send PHI or sensitive information, you must encrypt your message with one of these methods:
- Select the Encrypt & Send "ZixSelect" button, located just above the Send button when you compose an email (if you don't have this button, call the Service Desk at ext. 5177), OR
- Include the word Secure in the subject line of your email.
IMPORTANT: Before you hit Send, make sure your email is addressed only to those you intend to receive it.

Email Data Loss Prevention
RCHSD uses Data Loss Prevention (DLP) technology that blocks outgoing emails containing unencrypted PHI. If you receive a blocked-email notification, review your sent email, make any corrections and resend. If you believe your email was blocked in error, contact the Compliance Department at rchsdcompliance@rchsd.org. The Compliance Department receives copies of blocked emails and monitors them accordingly.
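The two slides above describe a policy (encrypt by pressing the button or putting "Secure" in the subject line) and a control (a DLP gateway that blocks unencrypted PHI leaving the organization). The following is an added example, not RCHSD's DLP product or any vendor's code, of the decision logic such a gateway applies to an outgoing message. It assumes a simple rule set: a message is held only if it contains PHI-looking identifiers, is addressed to someone outside rchsd.org (the only domain the page names), and carries neither the whole word "Secure" in its subject nor an encryption header. The MRN and DOB patterns, the header name X-Encrypt-Policy that the encrypt-and-send button is assumed to set, the internal-only exemption, and every sample message are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Identifiers that commonly count as PHI when tied to a patient.
# The SSN pattern is the standard one; the MRN and DOB formats are assumptions.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b",
                      re.IGNORECASE),
}

INTERNAL_DOMAIN = "rchsd.org"          # domain named on the page
ENCRYPT_HEADER = "X-Encrypt-Policy"    # assumed header set by the encrypt-and-send button


@dataclass
class OutboundMail:
    sender: str
    recipients: list
    subject: str
    body: str
    headers: dict


def leaves_organization(mail):
    """True if any recipient is outside the internal domain."""
    return any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in mail.recipients)


def find_phi(text):
    """Names of the PHI patterns that match anywhere in the text, sorted."""
    return sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(text))


def is_encrypted(mail):
    # "Secure" must be a whole word: "Insecure note" must not count.
    if re.search(r"\bsecure\b", mail.subject, re.IGNORECASE):
        return True
    return mail.headers.get(ENCRYPT_HEADER, "").lower() == "encrypt"


def dlp_decision(mail):
    """Return ("allow" | "block", [phi pattern names found])."""
    found = find_phi(mail.subject + "\n" + mail.body)
    if not found:
        return "allow", found
    if not leaves_organization(mail):      # assumed: internal mail is not gated
        return "allow", found
    if is_encrypted(mail):
        return "allow", found
    return "block", found


# Constructed sample traffic (not real messages or patients).
SAMPLES = [
    OutboundMail("nurse@rchsd.org", ["clinic@example-partner.org"], "Referral",
                 "Patient MRN: 00482913, DOB 03/14/2011", {}),
    OutboundMail("nurse@rchsd.org", ["clinic@example-partner.org"], "Secure: Referral",
                 "Patient MRN: 00482913", {}),
    OutboundMail("nurse@rchsd.org", ["billing@rchsd.org"], "Referral",
                 "SSN 123-45-6789", {}),
    OutboundMail("nurse@rchsd.org", ["friend@example.com"], "Lunch",
                 "Cafeteria at noon?", {}),
    OutboundMail("nurse@rchsd.org", ["friend@example.com"], "Insecure note",
                 "SSN 123-45-6789", {}),
]


def scan_all(mails):
    return [dlp_decision(m) for m in mails]


if __name__ == "__main__":
    for mail, (verdict, found) in zip(SAMPLES, scan_all(SAMPLES)):
        print(f"{verdict:5s} {mail.recipients} subject={mail.subject!r} phi={found}")
```

Two caveats a practitioner would add: pattern matching of this kind only catches identifiers with a recognizable shape, so a diagnosis written in free text or PHI inside an attachment can pass, which is why the slides still ask the sender to decide whether the information should leave the organization at all; and because the "Secure" keyword is trusted as proof of encryption, the gateway must actually perform the encryption when it sees it rather than merely waving the message through.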

Social Engineering
Social engineering is the manipulation and exploitation of human behavior to gain unauthorized access to a system or to information. Common targets are:
- Passwords
- Employees' personal data
- Other sensitive information

Phishing Attacks
Phishing emails (or texts) are a form of social engineering in which an attacker seeks information or access through a targeted message. They typically alert you to a problem or request information, and often include links that can introduce malware or expose information when clicked. These messages look genuine and often pretend to come from another employee or from IT.

Information Security Best Practices: E-mail and Internet
Do's and Don'ts
Do:
- Encrypt emails containing PHI, PII or other sensitive data.
- Report suspicious emails to phishing@rchsd.org.
Do Not:
- Click on suspicious links in email or on internet sites.
- Respond to email or text messages that ask for personal information such as credit card numbers, Social Security numbers or passwords.
- Use a personal device to access or store PHI unless the device has been approved.
- Open attachments from untrusted sources.

Preventing Unauthorized Access
- Use strong passwords and commit them to memory.
- Never use the same password for your work account as for a personal account. Recent compromises of commercial sites (Yahoo!, LinkedIn, etc.) have exposed personal passwords.
- DO NOT write down passwords.
- Never leave a logged-in workstation unattended: lock your screen (Ctrl-Alt-Delete, then Lock) whenever you leave your desk or work area, and secure the application you are using.
- Log off your computer when you leave work each day.

Preventing Unauthorized Disclosure
- Never leave laptops or devices that contain PHI unattended in open areas such as cars, restaurants or waiting rooms.
- Never leave printers unattended when printing sensitive information.
- Never leave your monitor open to public view while sensitive information is being accessed.
- Report suspicious activities to the Service Desk.
- Report suspected HIPAA violations through the Safety Reporting System (SRS).

Your Role in Privacy and Security Compliance
- Understand the reasons for confidentiality and agree to abide by our confidentiality policies and procedures;
- Keep patient information confidential at all times, including electronic, written and verbal information;
- Report suspected or known violations of confidentiality and security, such as:
  - Unauthorized or suspicious visitors;
  - Logged-on but unattended workstations;
  - Uncontrolled access to areas that house equipment and/or PHI;
  - Passwords on Post-it™ notes;
  - Staff accessing records without a need to know.

Reporting Breaches or Other Security Concerns
- Call the Chief Information Security Officer
- Use the Safety Reporting System
- Call the Compliance Hotline
Reporting is everyone's responsibility... do you know the Safety Penguin?

If You Have Concerns
There are a number of resources available to you. Please do not hesitate to call if you have questions, suggestions or concerns:
- Contact Christina Galbo, Chief Compliance & Privacy Officer, at (858) 966-8541 or cgalbo@rchsd.org.
- Contact Melody Herbert, Privacy Compliance Manager, at (858) 966-1700 ext. 2483 or mherbert@rchsd.org.
- Contact the IT Security Department at (858) 966-8746 or _ITSecuritygroup@rchsd.org.
- Call the confidential Compliance Hotline at (877) 862-4228.

Reporting a Concern to the Compliance Hotline
- There may be times when your concerns cannot be properly addressed through the normal chain of command;
- Available seven days a week, including all holidays;
- Your confidentiality and anonymity are guaranteed to the extent permitted by law;
- Your call will not be recorded or traced;
- All allegations will be thoroughly investigated and verified before any action is taken.

Compliance Hotline 1-877-862-4228
Do You Have a Concern? Make the right call.
- 24-hour telephone hotline
- Staffed by trained personnel
- Independent from RCHHC
- It is important that sufficient detail is shared
This hotline should be used to report concerns about potential violations and to receive follow-up information in confidence.

Non-Retaliation You will not be retaliated against for voicing a legitimate concern to RCHSD, or to an outside entity. If you feel you are a victim of retaliation, please report your concerns to the Compliance Department immediately to initiate an investigation.