THE WHY AND HOW OF DATA SECURITY YOUR ROLE IN DATA STEWARDSHIP DEPARTMENT OF MEDICINE IT SERVICES.

Slides:



Advertisements
Similar presentations
Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
Advertisements

Financial Services Workshop Margaret Umphrey ECU Information Security Officer March 12, IT Security, East Carolina University.
Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.
Jeopardy $100 Access Controls Faxing My Workstation Pot Luck $200 $300 $400 $500 $400 $300 $200 $100 $500 $400 $300 $200 $100 $500 $400 $300 $200.
Maintaining Security While Using Computers What all of Our Computer Users Need to Know.
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.
Springfield Technical Community College Security Awareness Training.
A dialogue with FMUG: Sensitive Data & Filemaker MIT Policy and Data Classifications ** DRAFT ** Guidelines Feedback and Discussion Tim McGovern 2 June.
Personal Accountability for Data Stewardship st Year Medical Students Noella RawlingsJohn Soltys Director of ComplianceSenior Computer Specialist.
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 25 & 27 November 2013.
YOUR ROLE IN DATA STEWARDSHIP THE WHY AND HOW OF DATA SECURITY DEPARTMENT OF MEDICINE IT SERVICES.
Confidentiality and Privacy Controls
1 Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005.
KDE Employee Training. What IS a Data Breach? Unauthorized release (loss or theft) of Sensitive or Confidential Data, such as PII, PHI, etc. On site or.
Critical Data Management Indiana University HR Summit April 24, 2014.
SAFEGUARDING DHS CLIENT DATA PART 2 SAFEGUARDING PHI AND HIPAA Safeguards must: Protect PHI from accidental or intentional unauthorized use/disclosure.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
Information Security Awareness:
Developing a Records & Information Retention & Disposition Program:
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.
DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,
Network & Computer Security Training.  Prevents unauthorized access to our network and your computer  Helps keep unwanted viruses and malware from entering.
1 Enterprise Security Your Information Security and Privacy Responsibilities © 2008 Providence Health & Services This information may be replicated for.
HIPAA What’s Said Here – Stays Here…. WHAT IS HIPAA  Health Insurance Portability and Accountability Act  Purpose is to protect clients (patients)
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
SECURITY: Personal Health Information Protection Act, 2004 this 5 min. course covers: changing landscape of electronic health records security threats.
Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.
Information Security 2013 Roadshow. Roadshow Outline  Why We Care About Information Security  Safe Computing Recognize a Secure Web Site (HTTPS) How.
HIPAA PRIVACY AND SECURITY AWARENESS.
ESCCO Data Security Training David Dixon September 2014.
Information Security 2013 Roadshow. Roadshow Outline  Why We Care About Information Security  Safe Computing Recognize a Secure Web Site (HTTPS) How.
Security Squad Keeping your Equipment and Information Safe Security Squad Keeping your Equipment and Information Safe Security Squad Video Series, Part.
Best Practices for Protecting Data. Section Overview Mobile Computing Devices Technical Procedures Data Access and Permissions Verbal Communication Paper.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
Safeguarding Your Privacy Section 1.3. Safeguarding Your Privacy 1. What is Identity Theft? 2. Research a story on identity theft and be prepared to report.
University Health Care Computer Systems Fellows, Residents, & Interns.
Patient Data Security and Privacy Lecture # 7 PHCL 498 Amar Hijazi, Majed Alameel, Mona AlMehaid.
Murphy’s Law If anything can go wrong, it will.. 2 Data Security and Confidentiality “… a firm belief in Murphy’s Law and in the necessity to try and.
PRIVACY, SECURITY & ID THEFT PREVENTION - TIPS FOR THE VIGILANT BUSINESS - SMALL BUSINESS & ECONOMIC DEVELOPMENT FORUM October 21, WITH THANKS TO.
Types of Electronic Infection
What are the rules? Information technology is available to every student, faculty and staff member in support of the essential mission of the University.
Information Systems Security
STARTFINISH DisposePrint & ScanShareStore Protect information and equipment ClassifyProtect.
HIPAA THE PRIVACY RULE. 2 HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti- depressant medications.
© Copyright 2010 Hemenway & Barnes LLP H&B
1 Privacy Plan of Action © HIPAA Pros 2002 All rights reserved.
1Copyright Jordan Lawrence. All rights reserved. U. S. Privacy and Security Laws DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE April 1, 2009 Marty.
Personal Accountability for Data Stewardship st Year Medical Students Noella RawlingsBrad Peda Director of ComplianceInformation Security Program.
Information Security Everyday Best Practices Lock your workstation when you walk away – Hit Ctrl + Alt + Delete Store your passwords securely and don’t.
Safeguarding Sensitive Information. Agenda Overview Why are we here? Roles and responsibilities Information Security Guidelines Our Obligation Has This.
ANNUAL HIPAA AND INFORMATION SECURITY EDUCATION. KEY TERMS  HIPAA - Health Insurance Portability and Accountability Act. The primary goal of the law.
OCTOBER IS CYBER SECURITY AWARENESS MONTH. October is Cyber Security Awareness Month  Our Cyber Security Awareness Campaign focuses on topics such as.
2015Computer Services – Information Security| Information Security Training Budget Officers.
POLICIES & PROCEDURES FOR HANDLING CONFIDENTIAL INFORMATION NOVEMBER 5 TH 2015.
Reviewed by: Gunther Kohn Chief Information Officer, UB School of Dental Medicine Date: October 20, 2015 Approved by: Sarah L. Augustynek Compliance Officer,
Information Security Awareness Training
HIPAA Privacy and Security
Protecting PHI & PII 12/30/2017 6:45 AM
DATA SECURITY FOR MEDICAL RESEARCH
HIPAA Online Student Orientation
Robert Leonard Information Security Manager Hamilton
Move this to online module slides 11-56
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Confidentiality and Privacy Controls
Welcome to the SPH Information Security Learning Module
County HIPAA Review All Rights Reserved 2002.
HIPAA Overview.
School of Medicine Orientation Information Security Training
Presentation transcript:

THE WHY AND HOW OF DATA SECURITY YOUR ROLE IN DATA STEWARDSHIP DEPARTMENT OF MEDICINE IT SERVICES

What is data stewardship?  Minimizing risk that private information falls into public hands  Confidential – Protection of data required by law  Patient information (PHI) - Protected by HIPAA  Student information (FERPA) - Individual Student Records  Individual Financial Information - (e.g., credit card, bank) and Personal Information (e.g., social security #, driver’s license #) – Protected by Washington state’s Personal Information law  Personal information (Gotcha!) - (e.g., home address, personal contact information, performance reviews) – Protected by Washington state’s public records law  Proprietary/research information - Intellectual property or trade secrets – Protected by Washington state’s public records law  Restricted - Data that is not regulated, but for business purposes, is considered protected either by contract or best practice.

Why worry about it?  Personal consequences  Professional obligations  HIPAA reporting cascade  All breaches must be reported to feds OCR (Office for Civil Rights investigation)  All individuals affected must be notified; if more than 10 lack addresses, public notice on web  If more than 500 affected, media must be informed

What is a Breach?  Unauthorized acquisition, access, use, or disclosure of sensitive information that compromises the security or privacy of the information.  The US Department of Health and Human Services (DHHS) identifies two methods of securing PHI:  Destruction  Encryption  No breach occurs if a compromised device is encrypted and password protected.  If a device is compromised and is not encrypted and password protected, the burden of proof is on you to show there was no confidential data stored on it.

Decision Pyramid: Likelihood of Information Security Breach

Responsibilities  Everyone who is using or viewing confidential or patient information must be personally and professionally accountable for safeguarding that information.  Users (YOU) are responsible for the safekeeping of data under your care.  Minimize your responsibility by limiting the data under your care.

Who to Contact if a Breach Occurs?  Contact Jennifer Dickey and Walt Morrison if a breach occurs.  Jennifer Dickey:  Walt Morrison:

Principle: Data thrift  Don’t be responsible for data you don’t need  Only store sensitive material on mobile devices if it is absolutely necessary.  Compute in place:  Use internal systems (e.g. ORCA/Epic patient lists) to track information  Use institutionally owned servers to store data  Utilize the Department of Medicine’s NetExtender SSL VPN or AMC’s Juniper SSL VPN service for remotely accessing UW resources.  Use a terminal server or remote desktop access to your workstation  Avoid using computers you are not personally responsible for to access UW resources.  Can you do it with de-identified information?

Principle: Physical security  Keep paper and physical documents in a safe place  Keep computers behind locked doors  Keep mobile devices close at hand  Lock computers while unattended.  CTRL + ALT + DEL  Enter  Windows Key + L

Principle: Encrypted storage  Encryption: scrambling data so it’s practically irretrievable without the key (passphrase)  All desktop and most mobile operating systems support encryption; many flash drives also include encryption software  Encryption is only as strong as its passphrase  “Cloud” storage is generally unsafe and not approved for use unless specifically approved by UW

Principle: Encrypted transport  A minimally skilled hacker (or moderately skilled lawyer) can read the you send outside of UW  “From” addresses can easily be faked  Secure web connection prevents “listening in”, helps verify authenticity of both parties  VPN, Citrix both good options for enterprise use

Principle: Strong Passwords  Use the full keyboard.  Variety in character types and length makes passwords exponentially stronger.  Don’t use single words or names.  String multiple random words together to form a long password.  Random sentences are a good example.  A strong password (required by policy) must:  Be at least 8 characters long.  Mix upper and lower case letters.  Include numbers and symbols.

Smartphone/Tablet Security  Use a strong password to lock the device.  Enable encryption.  Set an automatic lockout timer on the device.  No greater than 15 minutes.  Don’t use cloud backup services.  iOS devices – Use iTunes encrypted backups (  Android devices – Helium (available in the Play Store)  Initiate a device wipe after 10 failed password attempts.  If the device supports this  Don’t store data on the SIM card (contacts, SMS, etc).

Security  All containing Restricted or Confidential data must be secured in transport.  Encrypted connections must be used between servers.  Messages between University systems (Outpost, UW Exchange, and UW Deskmail) and some recipients are automatically encrypted.  This encryption only applies to message data while it moves between servers. It likely will not be encrypted once it reaches its destination mail server.  Restricted or Confidential information sent over must be delivered to a secure system.  UW Medicine maintains a list of pre-approved systems on their site:  in Outlook (and other clients) is cached on the local machine, as are any attachments you open from messages.  This information can be retrieved offline if the local storage of the device is not encrypted.

Key points  Delete anything sensitive; better yet don’t copy it in the first place  Keep everything you can in a safe place  Encrypt anything that moves  Use multiple, secure passwords  Be suspicious; trust no  Spread the word!

Informational Resources  Discussion Tool / Checklist for Employees  Privacy, Confidentiality and Information Security Agreement for all Employees (part of onboarding process/DoM IT inventory of current users)  UW Medicine Security:  The Office of the Chief Information Security Officer for the UW provides resources on their site regarding safe computing -  Risk Advisories and Best Practices -  Online Training -  A copy of this presentation, as well as technical documentation for securing computers and mobile devices, will be ed to you.

Where to Get Help  Department of Medicine IT Services  

End of Presentation

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.