Information Security Awareness: Building a Culture of Commitment to Security

Security Awareness is the knowledge and attitude that members of an organization possess regarding the protection of the physical and, especially, the information assets of that organization.

UW Medicine IT Resources
IT Services (ITS) provides information systems support for UW Medicine. Its core mission is to make a difference through the use of information technology for teaching, research and patient care. A few of the services ITS provides are Help Desk support, workstation support, account support, and clinical systems administration. The ITS Help Desk can be reached at 206-543-7012 or mcsos@u.washington.edu.

Other IT Resources
UW Technology: www.washington.edu/uwtech or 206-221-5000.
Departmental IT: provides local support for computing devices distributed by the department.
You: if there is no assigned IT staff for a device, then you are responsible for its security.

Information Security Principles
UW Medicine computers and data need protection.
Protection is based on the need to preserve Confidentiality, Integrity and Availability.
Security is everyone's responsibility.
Decision Box (presenter notes): Determine whether IT security training is required for all staff. This may require system-specific training for various users versus general training for the majority of the staff. Make sure management understands the benefits of IT security training on staff behavior, that it is cost effective, and the need to invest in adequate staff training.

Data Classification
Public: information that is either approved for general access or, by its nature, does not need to be protected, and can be shared with anyone.
Restricted: information that is intended strictly for use by designated parties and requires careful management.
Confidential: information that is very sensitive in nature and requires careful controls and protection. Examples of confidential data include PHI, PII, and passwords.

STRONG Passwords
Why is it important to use strong passwords? Password guessing tools guess in 7 character sets. Lengths of 8 characters or more make a password more difficult to guess. An apparently random set of characters drawn from several character sets (!@#$%&*, ABCD, abcd, 1234) makes it more difficult for a hacker to guess. Where supported, a "pass phrase" should be used: pass phrases are easier to remember and much harder to break.
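To put numbers on the slide's advice, here is an added Python example (not part of the original presentation) that sizes the guess space a brute-force tool faces for a password of a given length and character mix, compares it with a multi-word pass phrase, and reports which of the slide's rules a candidate secret fails. The four character classes and the 7776-word dictionary size are assumptions chosen for illustration.

```python
import math
import string

# The character sets named on the slide (!@#$%&*, ABCD, abcd, 1234), modelled as
# four classes; the symbol class is exactly the seven symbols the slide quotes.
CHAR_CLASSES = {
    "symbol": "!@#$%&*",
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
}

def classes_used(secret: str) -> list:
    """Names of the character classes that appear in the secret."""
    return [name for name, chars in CHAR_CLASSES.items() if any(c in chars for c in secret)]

def alphabet_size(password: str) -> int:
    """Size of the combined character classes a guessing tool must cover."""
    return sum(len(CHAR_CLASSES[name]) for name in classes_used(password))

def guess_space(password: str) -> int:
    """Candidates a tool must try for a random password of this length drawn
    from the same character classes (alphabet ** length)."""
    return alphabet_size(password) ** len(password)

def passphrase_guess_space(word_count: int, dictionary_size: int = 7776) -> int:
    """Candidates for a pass phrase of word_count words drawn from a dictionary.
    7776 is the Diceware word-list size, used here only as an assumption."""
    return dictionary_size ** word_count

def strength_bits(space: int) -> float:
    """Guess space expressed in bits, so different schemes compare directly."""
    return math.log2(space)

def slide_rule_failures(secret: str) -> list:
    """Which of the slide's rules the secret fails (empty list = passes):
    at least 8 characters, and either mixed character sets or a pass phrase."""
    failures = []
    is_passphrase = len(secret.split()) >= 3      # three or more words counts as a pass phrase
    if len(secret) < 8:
        failures.append("shorter than 8 characters")
    if not is_passphrase and len(classes_used(secret)) < 2:
        failures.append("single character set and not a pass phrase")
    return failures

if __name__ == "__main__":
    for pw in ("abcdefg", "Tr1ck!ly"):
        print(pw, round(strength_bits(guess_space(pw)), 1), "bits", slide_rule_failures(pw))
    print("4-word pass phrase:", round(strength_bits(passphrase_guess_space(4)), 1), "bits")
```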

User ID and Password Management
Your manager is responsible for making sure your access rights are correctly assigned initially and for updating your access upon role changes, transfer or termination.
Each workforce member is assigned a unique User ID and must not share it with anyone.
Each system that a user has access to will be logged and tracked.
All passwords must be changed every 120 days. It is the user's responsibility to do this.
Password changes: UW Medicine Account, or http://myuw.washington.edu (AMC Login).

Email Security
Always be aware of phishing and social engineering scams, dangerous attachments, viruses, and embedded links to malicious websites.
All UW Medicine email is open to public disclosure.
Delete confidential emails as soon as they are no longer needed.
DO NOT forward confidential emails to a third-party email system, e.g., hotmail, yahoo, aol, gmail.
Check and double-check all messages containing restricted or confidential information for the proper recipient email addresses.
Encrypt email messages when sending confidential information to email systems outside of UW Medicine.

Mobile Device Security
Mobile devices include laptops, Blackberries, smart phones, or any portable device capable of storing and interpreting data. Mobile devices are of special concern because they are easily lost and attractive to thieves.
Personally owned mobile devices must comply with UW Medicine policies and standards when used for work purposes. The owner of the device is responsible.
Encryption is required when storing PHI, PII or passwords.
No automatic login; require a password to log on to the device.
Passwords on these devices must be changed every 120 days.
Operating system patched and up to date.

Data Transmission Security
There are many other ways to transmit data electronically, and they also require encryption as a protection in certain cases. Examples of other forms of transmission include faxes, instant messaging, text messaging, smart phones and other file sharing mechanisms. PII, PHI or passwords transmitted by any mechanism or device across non-UW Medicine networks or any wireless network must be encrypted.

Wireless Security
Throughout UW Medicine, wireless networks are provided by UW Technology. These wireless networks are labeled "University of Washington". UW Technology does not provide encryption for transmission of data on their wireless networks. When using wireless networks you must use encryption when transmitting PHI, PII or passwords.
Always disable your wireless when not in use. Windows will automatically scan for known (trusted) wireless networks. Wireless networks are easily monitored by unauthorized individuals. Users should be aware that any transmitted data could be stolen unless encrypted.

Workstation/Work Area Security
Workstations must be locked or logged out of when not in use or unattended.
Never enter passwords or conduct UW Medicine business from third-party kiosks, such as an Internet café computer.
Workforce members who use their personal computer for work must comply with the minimum computer security standard.
Restricted or Confidential information in your work area must be secured when not in use.
Always clear Restricted or Confidential information from printers immediately.

Risks of Web Browsing
Users should be aware that even "trusted" websites can host malicious software. Clicking links on web pages can download and run programs on your computer. Plug-ins should only be downloaded if absolutely necessary and should be removed after they are used. Where technically feasible, an alternate web browser (e.g., Firefox, Opera, Safari) should be used to conduct sensitive business.

Remote Access
UW Medicine provides SSL VPN (encrypted transmission) for its remote access purposes. VPN access can be requested through the IT Services Help Desk; have your supervisor contact the Help Desk for the request form. Remote Access is only provided to conduct official UW Medicine business that is part of the requestor's job function. Any transmission of PHI, PII, or passwords from a remote site to a UW Medicine site must be encrypted. This protection can be provided by the application, e.g., an SSL-protected web application, or by VPN.

Copying of Data and Media Disposal
Media is any portable device that is capable of storing electronic data. Examples include USB drives, CD/DVD, external hard drives, tapes, flash memory cards, etc. Once a workforce member removes data from a controlled system it becomes their responsibility to ensure the protection of the data. PHI, PII and passwords stored on media must be encrypted. Media containing restricted or confidential information must be destroyed in such a way as to make the data unrecoverable when no longer needed.

Security Incident and Complaint Response
Security Incidents are any event involving a breach or potential breach of a UW Medicine computing device or data. Security Complaints are reports of a suspected violation of UW Medicine policy, state or federal law, or other regulation. All UW Medicine workforce members must report security incidents and complaints to the ITS Help Desk.
If you suspect a security incident has occurred on a UW Medicine computing device, then you must not alter the state of the device: unplug the network cable and leave it powered on. A UW Medicine ITS or Compliance member will contact you once you report an incident or complaint.

Questions?
http://security.uwmedicine.org
Brad Peda, bpeda@u.washington.edu, 206-616-5829