Personal Accountability for Data Stewardship, 2014, 1st Year Medical Students. Noella Rawlings, Director of Compliance; John Soltys, Senior Computer Specialist.

Presentation transcript:

Slide 1: Personal Accountability for Data Stewardship, 1st Year Medical Students. Noella Rawlings, Director of Compliance, School of Medicine; John Soltys, Senior Computer Specialist, UW Medicine IT Security.

Slide 2: Agenda
- Defining data stewardship and your responsibilities
- Safeguarding confidential information: DO’s and DON’Ts
- Current security threats
- Tools and resources

Slide 3: What is Data Stewardship?
Being personally and professionally responsible for the security and integrity of confidential information, electronic or paper, entrusted to you.
Confidential information is data whose protection is required by law, and includes:
- Protected health information (PHI) – protected by HIPAA
- Individual student records – protected by FERPA
- Personally identifiable information (PII) – financial information (e.g., credit card, bank), Social Security number and driver’s license number – protected by Washington’s breach notification law
- Other personal information – public employees’ home addresses, personal contact information, performance evaluations – protected by the Washington Public Records Law
- Proprietary intellectual property or trade secrets, research data – protected by the Washington Public Records Law

Slide 4: Your Responsibilities
- You are responsible for the safekeeping of data in your care
- Limit the data in your care to minimize the risk of loss
- Comply with UW Medicine and UW policies regarding the safekeeping of data
- Mobile devices used to store or transmit confidential information must be encrypted
- Email containing PHI must be secured in transport (encrypted connections)
- Use strong passwords
- Use only UW-approved cloud services

Slide 5: What is a Breach?
- A “breach” is the unauthorized acquisition, access, use or disclosure of unsecured PHI that compromises the security or privacy of the PHI
- Breaches of unsecured PHI require notification to the Office for Civil Rights (OCR) and to the affected individuals. They may also require notice to the media and posting on the UW Medicine website
- A breach is presumed, and the covered entity has the burden of showing that a breach has not occurred
- There are two ways to secure PHI: encryption and destruction. Either renders the PHI unusable, unreadable or indecipherable

Slide 6: Consequences of a Breach
Potential damage to personal, professional and institutional reputation. Breaches are:
- Very costly – fines, sanctions and remediation
- Very time consuming – investigation, reporting
- Embarrassing – your name is reported to your Program Director, Department Chair, Dean of the School of Medicine, UW Medicine Chief Health System Officer, and UW Medicine and School of Medicine Compliance Officials, AND there may be public notification

Slide 7: Recent Examples of Loss
- Unencrypted laptop stolen from a locked, parked car
- Briefcase containing PHI stolen from a locked, parked car
- Backpack containing PHI stolen from a locked, parked car
- Unencrypted laptop containing PHI and PII stolen from an office in the Health Sciences Building

Slide 8: Rule Number One
If you use a mobile device to store or transmit PHI or PII, your mobile device MUST be encrypted!

Slide 9: Rule Number Two
NEVER leave confidential data in your car!

Slide 10: Other Basic Do’s and Don’ts
- Avoid taking confidential data off-site or downloading it to portable or mobile devices
- If taking confidential data with you, you MUST obtain supervisor or department head approval
- Password protect all devices
- Use VPN to connect remotely
- Ensure the physical security of information – lock up confidential data (locking file drawer, safe, or other locked device)
- Prepare for the worst – protect yourself against theft – nobody thinks they will be a victim!

Slide 11: Current Security Threats

Slide 12: Phishing
- Phishing is a very common way accounts are stolen
- Don’t click links in email, and if you do, don’t enter your credentials
- UW Medicine periodically sends phishing messages to our workforce to help raise awareness – this includes training
- YOU WILL RECEIVE PHISHING MESSAGES – be very wary and very cautious!

Slide 13: Malware
- Cryptolocker/Locker: a very destructive malware threat that encrypts your data and tries to sell it back to you
- Infection occurs via email attachments or by visiting a website and downloading a file (such as an MP3 file)
- Sophos Anti-Virus sometimes detects the malware (detection name Troj/Ransom-ACP)
- DON’T FALL FOR THIS SCHEME!

Slide 14: What Can You Do?
- NEVER open an attachment from an unknown source
- If the context of the message doesn’t make sense, delete the message or call the sender to verify the email
- Always be wary of messages that ask you to update your password or confirm your account – UW IT support groups will never ask you to do this via a link in an email. DO NOT CLICK ON THE LINK!
- Report any warning messages from antivirus or other software immediately
- Minimize the confidential information you store
- Encrypt the data and the device
- Keep your operating system and software up to date (stay patched)
- Empty your “Trash bin” (Deleted Items) regularly, or set it to empty automatically when you exit the program
- Contact your Department IT support staff for assistance with any device you use for work

Slide 15: Incident Reporting
- If you get infected, or think you may be infected, contact UW Medicine IT Security IMMEDIATELY!
- Report information security incidents when they occur. Contact the IT Services Help Desk at
- If it is urgent, call
- Report the loss or theft of PHI to UW Medicine Compliance at or
- Immediately notify the Director of Compliance for the School of Medicine at or 206-

Slide 16: Tools and Resources

Slide 17: Tools to Assist You in Safeguarding Data
- Encryption
- Complex passwords
- Physical data security – lock offices, files and computers
- Education and training materials
- Privacy, Confidentiality and Information Security Agreement (PCISA)
- Following policies restricting removal of data from worksites

Slide 18: UW Medicine Policies
- UW Medicine Compliance Policies
- UW Medicine IT Security Policies

Slide 19: Smartphone/Tablet Security
If you use a smartphone or tablet (UW owned or your personal device) to conduct UW business, such as accessing your UW email, we recommend:
- Auto lock the device and use a strong password
- Enable encryption on the device
- Set an automatic lockout timer on the device
- Activate Tamper Wipe, i.e. the phone is wiped clean after 10 failed pass code or PIN attempts (all data is deleted)
- Activate the “find my phone” function
- Don’t use cloud backup services, such as iCloud or Google Drive, unless the cloud service is approved by UW Medicine IT Security for PHI or FERPA data
- Don’t store data on the SIM card

Slide 20: Encryption Resources
Where to get information and help with encryption:
- Encryption guidelines for mobile devices: sp
- Whole disk encryption guidelines: e.pdf
- vice_Encryption/other_windows_linux_guidance.asp
- IT Services Help Desk:
- DOM IT Help Desk:

Slide 21: SkyDrive Pro (OneDrive) Resource
SkyDrive Pro site (requires UW NetID): ion-technology/skydrivepro

Slide 22: Phishing Resources
Educational tools:
- UW Medicine IT Security Phishing Awareness Announcement: ations/Phishing_Awareness_ _041212/default.asp
- Office of the Chief Information Security Officer phishing video: y.html

Slide 23: UW Medicine IT Security
Other resources:
- Office of the Chief Information Security Officer: training/
- computing/

Slide 24: Contact Information
- UW Medicine IT Services Help Desk:
- UW Medicine ITS Security Team: uwmed-
- UW Medicine Compliance:
- Noella Rawlings, UW School of Medicine, Director of Compliance:

Slide 25: Questions?