Slide 1: Personal Accountability for Data Stewardship
1st Year Medical Students
Noella Rawlings, Director of Compliance, School of Medicine
Brad Peda, Information Security Program Analyst, UW Medicine IT Services
Slide 2: Agenda
- Defining data stewardship and your responsibilities
- Safeguarding confidential information
- DO's and DON'Ts
- Current security threats
- Tools and resources
Slide 3: What is Data Stewardship?
YOUR ROLE: Every individual is personally and professionally responsible for the security and integrity of confidential information, electronic or paper, entrusted to you.
UW Medicine Professionalism Policy: Demonstrated excellence, integrity, respect, compassion, accountability and a commitment to altruism in all our work interactions and responsibilities.
policies/Pages/Professional-Conduct.aspx
Slide 4: Confidential Information
Confidential Information is data whose protection is required by law, and includes:
- Protected health information (PHI): protected by HIPAA
- Individual student records: protected by FERPA
- Personally identifiable information (PII): financial information (e.g., credit card, bank), social security number and driver's license number; protected by Washington's breach notification law
- Other personal information: public employees' home addresses, personal contact information, performance evaluations; protected by the Washington Public Records Law
- Proprietary intellectual property or trade secrets, research data: protected by the Washington Public Records Law
Slide 5: What is a Breach?
- "Breach" is the unauthorized acquisition, access, use or disclosure of unsecured PHI that compromises the security or privacy of the PHI.
- Breaches of unsecured PHI require notification to the Office of Civil Rights (OCR) and affected individuals. They may also require notice to the media and posting on the UW Medicine website.
- A breach is presumed, and the covered entity has the burden of showing that a breach has not occurred.
- There are two ways to secure PHI: encryption and destruction. Either renders PHI unusable, unreadable or indecipherable.
Slide 6: Why Is This Important to Me?
Possible consequences of a loss of confidential information that has not been secured:
- Personal and professional: time spent on an investigation; name known to UW Medicine Leadership; impact to reputation and relationship with patients; imposition of disciplinary action and civil/criminal penalties
- Institutional: report to the Office of Civil Rights (OCR) for HIPAA breaches; notification to patients; imposition of fines and sanctions; financial costs of investigation and remediation (e.g., providing credit monitoring); impact to UW Medicine reputation
Slide 7: HIPAA Fines
- May: $4.8M against New York-Presbyterian Hospital and Columbia University, due to a physician causing PHI to be accessible on Google
- April 2014: $1.73M against Concentra Health Services for a stolen unencrypted laptop
- June: $1.7M against Alaska Department of Health and Human Services for an unencrypted USB drive stolen from an employee's car
Slide 8: Recent Examples of Loss
- Unencrypted laptop and external hard drive stolen from a locked, parked car
- Briefcase containing (paper) PHI stolen from a locked, parked car
- Backpack containing (paper) PHI stolen from a locked, parked car
- Unencrypted laptop containing PHI and PII stolen from an office in the Health Sciences Building
Slide 9: Rule Number One
If you use a mobile device to store or transmit PHI or PII, your mobile device MUST be encrypted!
Slide 10: Rule Number Two
NEVER leave confidential data in your car!
Slide 11: Other Basic Do's and Don'ts
- Avoid taking confidential data off-site or downloading it to portable or mobile devices
- If taking confidential data with you, you MUST obtain supervisor or department head approval
- Password protect AND encrypt all devices
- Only use UW approved cloud services
- Ensure the physical security of information: lock up confidential data (locking file drawer, safe, or other locked device)
- Prepare for the worst and protect yourself against theft. Nobody thinks they will be a victim!
Slide 12: CURRENT SECURITY THREATS
Slide 13: PHISHING
- Phishing is a very common way accounts are stolen
- Don't click links in email, and if you do, don't enter your credentials
- UW/UW Medicine will never ask for account information via email
- UW Medicine periodically sends phishing messages to our workforce to help raise awareness; this includes training
- YOU WILL RECEIVE PHISHING MESSAGES: be very wary and very cautious!
Slide 14: MALWARE
- Cryptolocker/Locker: a very destructive malware threat that encrypts your data and tries to sell it back to you
- Malware infection is obtained via email attachments or by visiting a website and downloading a file (such as an MP3 file)
- Sophos Anti-virus sometimes detects the malware (the malware name used is Troj/Ransom-ACP)
- DON'T FALL FOR THIS SCHEME!
Slide 15: Rule Number Three
NEVER click on links and NEVER open attachments from unknown or unexpected sources
Slide 16: What Can You Do?
- NEVER open an attachment from an unknown source
- If the context of the message doesn't make sense, delete the message or call the sender to verify the email
- Always be wary of messages that ask you to update your password or confirm your account. UW IT support groups will never ask you to do this via a link in an email. DO NOT CLICK ON THE LINK!
- Report any warning messages from antivirus or other software immediately
- Minimize the confidential information you store
- Encrypt the data and the device
- Keep your operating system and software up to date (stay patched)
- Empty your "Trash bin" (Deleted Items) regularly, or set it to empty automatically when you exit the program
- Contact your Department IT support staff for assistance with any device you use for work
Slide 17: Incident Reporting
- If you get infected, or think you may be infected, contact UW Medicine IT Security IMMEDIATELY!
- Report information security incidents when they occur. Contact IT Services Help Desk at
- If it is urgent, call
- Report the loss or theft of PHI to UW Medicine Compliance at or
- Immediately notify the Director of Compliance for the School of Medicine at or 206-
Slide 18: TOOLS AND RESOURCES
Slide 19: Tools to Assist You in Safeguarding Data
- Encryption
- Complex passwords
- Physical data security: lock offices, files and computers
- Education and training materials
- Privacy, Confidentiality and Information Security Agreement (PCISA)
- Following policies restricting removal of data from worksites
Slide 20: UW Medicine Policies
- UW Medicine Compliance Policies
- UW Medicine IT Security Policies
Slide 21: Smartphone/Tablet Security
If you use a smartphone or tablet (UW owned or your personal device) to conduct UW business, such as accessing your UW email, we recommend:
- Auto lock the device and use a strong password
- Enable encryption on the device
- Set an automatic lockout timer on the device
- Activate Tamper Wipe, i.e. the phone is wiped clean after 10 incorrect pass code or PIN attempts (all data is deleted)
- Activate the "find my phone" function
- Don't use cloud backup services, such as iCloud or Google Drive, unless the cloud service is approved by UW Medicine IT Security for PHI or FERPA data
- Don't store data on the SIM card
Slide 22: Encryption Resources
Where to get information and help with encryption:
- Encryption guidelines for mobile devices: sp
- Whole disk encryption guidelines: e.pdf
- vice_Encryption/other_windows_linux_guidance.asp
- IT Services Help Desk:
- DOM IT Help Desk:
Slide 23: Cloud Resources
OneDrive for Business (formerly UW SkyDrive Pro) requires a UW NetID
- nformation-technology/skydrivepro
- wares/online-storage/onedrive/
Slide 24: Phishing Resources
Educational Tools
- UW Medicine IT Security Phishing Awareness Announcement: ations/Phishing_Awareness_ _041212/default.asp
- Office of the Chief Information Security Officer phishing video: y.html
Slide 25: Other Resources
- Office of the Chief Information Security Officer: training/ and computing/
- UW Medicine IT Security
Slide 26: Contact Information
- UW Medicine IT Services Help Desk:
- UW Medicine ITS Security Team: uwmed-
- UW Medicine Compliance:
- Noella Rawlings, UW School of Medicine, Director of Compliance:
Slide 27: Questions?