Personal Accountability for Data Stewardship, 2014, 1st Year Medical Students. Noella Rawlings, Director of Compliance; John Soltys, Senior Computer Specialist.

Slide 1: Personal Accountability for Data Stewardship
2014, 1st Year Medical Students
Noella Rawlings, Director of Compliance, School of Medicine
John Soltys, Senior Computer Specialist, UW Medicine IT Security

Slide 2: Agenda
- Defining data stewardship and your responsibilities
- Safeguarding confidential information: DO's and DON'Ts
- Current security threats
- Tools and resources

Slide 3: What is Data Stewardship?
Being personally and professionally responsible for the security and integrity of confidential information, electronic or paper, entrusted to you.
Confidential information is data whose protection is required by law, and includes:
- Protected health information (PHI), protected by HIPAA
- Individual student records, protected by FERPA
- Personally identifiable information (PII): financial information (e.g., credit card, bank), Social Security number and driver's license number, protected by Washington's breach notification law
- Other personal information: public employees' home addresses, personal contact information, performance evaluations, protected by the Washington Public Records Law
- Proprietary intellectual property or trade secrets, research data, protected by the Washington Public Records Law

Slide 4: Your Responsibilities
- You are responsible for the safekeeping of data in your care
- Limit the data in your care to minimize the risk of loss
- Comply with UW Medicine and UW policies regarding the safekeeping of data
- Mobile devices used to store or transmit confidential information must be encrypted
- E-mail containing PHI must be secured in transport (encrypted connections)
- Use strong passwords
- Use only UW-approved cloud services

Slide 5: What is a Breach?
- A "breach" is the unauthorized acquisition, access, use or disclosure of unsecured PHI that compromises the security or privacy of the PHI
- Breaches of unsecured PHI require notification to the Office of Civil Rights (OCR) and affected individuals; they may also require notice to the media and posting on the UW Medicine website
- A breach is presumed, and the covered entity has the burden of showing that a breach has not occurred
- There are two ways to secure PHI, both of which render it unusable, unreadable or indecipherable: encryption and destruction

Slide 6: Consequences of a Breach
- Potential damage to personal, professional and institutional reputation
- Breaches are:
  - Very costly: fines, sanctions and remediation
  - Very time consuming: investigation, reporting
  - Embarrassing: your name is reported to your Program Director, Department Chair, Dean of the School of Medicine, UW Medicine Chief Health System Officer, and UW Medicine and School of Medicine Compliance Officials, AND public notification is possible

Slide 7: Recent Examples of Loss
- Unencrypted laptop stolen from a locked, parked car
- Briefcase containing PHI stolen from a locked, parked car
- Backpack containing PHI stolen from a locked, parked car
- Unencrypted laptop containing PHI and PII stolen from an office in the Health Sciences Building

Slide 8: Rule Number One
If you use a mobile device to store or transmit PHI or PII, your mobile device MUST be encrypted!

Slide 9: Rule Number Two
NEVER leave confidential data in your car!

Slide 10: Other Basic Do's and Don'ts
- Avoid taking confidential data off-site or downloading it to portable or mobile devices
- If taking confidential data with you, you MUST obtain supervisor or department head approval
- Password protect all devices
- Use VPN to connect remotely
- Ensure the physical security of information: lock up confidential data (locking file drawer, safe, or other locked device)
- Prepare for the worst and protect yourself against theft: nobody thinks they will be a victim!

Slide 11: CURRENT SECURITY THREATS

Slide 12: PHISHING
- Phishing is a very common way accounts are stolen
- Don't click links in e-mail, and if you do, don't enter your credentials
- UW Medicine periodically sends phishing messages to our workforce to help raise awareness; this includes training
- YOU WILL RECEIVE PHISHING MESSAGES: be very wary and very cautious!

Slide 13: MALWARE
- Cryptolocker/Locker: a very destructive malware threat that encrypts your data and tries to sell it back to you
- The malware infection is obtained via e-mail attachments or by visiting a website and downloading a file (such as an MP3 file)
- Sophos Anti-virus sometimes detects the malware (the malware name used is Troj/Ransom-ACP)
- DON'T FALL FOR THIS SCHEME!

Slide 14: What Can You Do?
- NEVER open an attachment from an unknown source
- If the context of the message doesn't make sense, delete the message or call the sender to verify the e-mail
- Always be wary of messages that ask you to update your password or confirm your account; UW IT support groups will never ask you to do this via a link in an e-mail
- Report any warning messages from antivirus or other software immediately. DO NOT CLICK ON THE LINK!
- Minimize the confidential information you store
- Encrypt the data and the device
- Keep your operating system and software up to date (stay patched)
- Empty your e-mail "Trash bin" (Deleted Items) regularly, or set it to empty automatically when you exit the program
- Contact your Department IT support staff for assistance with any device you use for work

Slide 15: Incident Reporting
- If you get infected, or think you may be infected, contact UW Medicine IT Security IMMEDIATELY!
- Report information security incidents when they occur. Contact the IT Services Help Desk at mcsos@u.washington.edu. If it is urgent, call 206-543-7012
- Report the loss or theft of PHI to UW Medicine Compliance at 206-543-3098 or comply@uw.edu immediately
- Immediately notify the Director of Compliance for the School of Medicine at noellar@uw.edu or 206-685-0173

Slide 16: TOOLS AND RESOURCES

Slide 17: Tools to Assist You in Safeguarding Data
- Encryption: https://security.uwmedicine.org/training/dept_materials/default.asp
- Complex passwords: http://security.uwmedicine.org/guidance/role_based/end_user/default.asp
- Physical data security: lock offices, files and computers
- Education and training materials: https://security.uwmedicine.org/Training/Sec_Aware/default.asp
- Privacy, Confidentiality and Information Security Agreement (PCISA): http://depts.washington.edu/comply/docs/PP_04_A.pdf and https://security.uwmedicine.org/training/data_stewardship/PCISA_discuss_tool.pdf
- Following policies restricting removal of data from worksites

Slide 18: UW Medicine Policies
- UW Medicine Compliance Policies: http://depts.washington.edu/comply/privacy.shtml and http://depts.washington.edu/comply/docs/PP_30.pdf
- UW Medicine IT Security Policies: http://security.uwmedicine.org/guidance/policy/default.asp

Slide 19: Smartphone/Tablet Security
If you use a smartphone or tablet (UW owned or your personal device) to conduct UW business, such as accessing your UW e-mail, we recommend:
- Auto-lock the device and use a strong password
- Enable encryption on the device
- Set an automatic lockout timer on the device
- Activate tamper wipe, i.e. the phone is wiped clean (all data is deleted) after 10 failed passcode or PIN attempts
- Activate the "find my phone" function
- Don't use cloud backup services, such as iCloud or Google Drive, unless the service is approved by UW Medicine IT Security for PHI or FERPA data
- Don't store data on the SIM card

Slide 20: Encryption Resources
Where to get information and help with encryption:
- Encryption guidelines for mobile devices: https://security.uwmedicine.org/training/dept_materials/default.asp and https://security.uwmedicine.org/guidance/technical/encryption/default.asp
- Whole disk encryption guidelines: http://ciso.washington.edu/site/files/Whole_Disk_Encryption_Guideline.pdf and http://security.uwmedicine.org/guidance/technical/encryption/MobileDevice_Encryption/other_windows_linux_guidance.asp
- IT Services Help Desk: mcsos@u.washington.edu
- DOM IT Help Desk: domhelp@u.washington.edu

Slide 21: SkyDrive Pro (OneDrive) Resource
SkyDrive Pro site (requires UW NetID): https://depts.washington.edu/uwsom/information-technology/skydrivepro

Slide 22: Phishing Resources
Educational tools:
- UW Medicine IT Security Phishing Awareness Announcement: https://security.uwmedicine.org/Home/Communications/Phishing_Awareness_Email_041212/default.asp
- Office of the Chief Information Security Officer phishing video: http://ciso.washington.edu/site/files/Phishing/story.html

Slide 23: Other Resources
- Office of the Chief Information Security Officer: http://ciso.washington.edu/resources/online-training/, http://ciso.washington.edu/resources/smart-computing/, http://ciso.washington.edu/
- UW Medicine IT Security: https://security.uwmedicine.org

Slide 24: Contact Information
- UW Medicine IT Services Help Desk: mcsos@u.washington.edu
- UW Medicine ITS Security Team: uwmed-security@uw.edu
- UW Medicine Compliance: comply@uw.edu, 206-543-3098
- Noella Rawlings, UW School of Medicine, Director of Compliance: noellar@uw.edu, 206-685-0173

Slide 25: Questions?
