BSHSI Security Awareness Training

55  Download (0)

Full text


BSHSI Security Awareness Training

Originally developed by the

Greater New York Hospital Association

Edited by the BSHSI Education Team

Modified by HSO Security 7/1/2008


• A requirement under the Health Insurance Portability and

Accountability Act (HIPAA)

Regulations (HIPAA Security Rule went into effect 4/21/05)

• Webster’s definition: measures taken to guard against espionage,

sabotage, crime, attack or escape.

Our goal today: discuss what you can

What is Security?


What is Sensitive Data?

Sensitive Data = Electronic Protected Health

Information (EPHI), business sensitive data,

staff sensitive data, or any other non-public



Protected Health Information is:

Health or medical information that could be identified or linked to a specific individual; information about a patient’s:

• Identity

• Medical condition

• Treatment

• Status as a patient

• Physiological data

• Medications



• Protected Health Information on your computer is known as EPHI

– Electronic Protected Health Information.

• EPHI: PHI that our organization creates, receives, maintains, and/or transmits electronically.

• EPHI is stored on computers, clinical equipment, and

computer disks.


Business Sensitive Data is:

Business Sensitive Data = Information that pertains to the business activities of BSHSI including financial and investment activities, margins, projects, etc and that provide

competitive advantage.


Staff Sensitive Data is:

• Staff Sensitive Data = Personal information on staff members of BSHSI or the members of

business associates including contact details,

salary, qualifications, performance, etc.


Any other non-public data is:

• Other Non-public Data = Information that has

been duly classified and does not fall under

the previous categories.


What regulations apply?

• HIPAA (Health Information Portability and Accountability Act)

• JCAHO (Joint Commission on Accreditation of Healthcare Organizations)

• Gramm Leach Bliley Act of 1999 (Financial)

• Various State and Federal laws and regulations


Workshop Goals

By the end of the session, participants will:

1. Understand the importance of

protecting sensitive data including EPHI.

2. Understand how information security can be compromised.

3. Understand steps to better protect sensitive data including EPHI.

4. Be motivated to follow security


Main Security Issues

• Confidentiality – Protected records are to be kept private (HIPAA Privacy).

• Integrity – Records aren’t changed without authorization.

• Availability – Records can be accessed when



What are the consequences of a

Security failure / breach?


 Patient safety/medical care is compromised.

 Negative publicity.

 Increased costs.

 Identity theft:

- Patients or employees can become targets of con artists.

- Employee reputation and career damaged.

 Legal liability/lawsuits.

What are the consequences of a security failure /



• We are able to and we will be auditing and monitoring how people use the system:

• What records you access without a “need to know”

• What you download and where you web surf

• If we find breaches or violations of policy, we will take action

The health system is responsible for all electronic information in our system:

Who’s responsible?


How can security fail/be breached?


How can security fail/be breached?

Intentional attack…..

or unintentional carelessness…..

They all have the same negative consequences


What is an intentional “attack”?

• Malicious software (“malware”).

• Password stolen or code broken.

• Imposter asking for sensitive information.

• PDA or laptop stolen.

• Employees accessing records

they have no legitimate need


Employee carelessness

• Leaving your

computer logged on and unattended

• Letting others know your


• Downloading unauthorized software

• Misdirected e-mail


Here’s what IT is doing to protect the system

Anti-virus scanning.

Restrict downloads.

Restrict attachments in e-mail from outside the system.

Firewalls to help keep out hackers.

Require user ID and passwords.

Restrict and update access as employee status changes.

Install and continually update stable software.



What YOU can do

• General Issues

• Password Protection

• Patient Information

• Internet Security

• Workstation Protocol


General Issues

General issues:

• Follow all approved security policies and procedures

• Only use approved software

• Maintain heightened vigilance

• Report to IT / ask questions if anything looks unusual

• Know who you’re dealing with. If in doubt,


Password management and Password Risks

Password Management and Password Risks

1. Your password is stolen or the code is broken:

• Your log-in/electronic signature is used maliciously:

• Negative messages are sent out in your name

• Sensitive data and/or EPHI is released under your log-in

• A hacker gains access to your system

2. A computer is stolen and without strong password


Password management

What is a password?

• A string of characters, to verify users identity

• Characters can include:

• Alphabetic characters

(case sensitive– A differs from a)

• Numeric – 0 to 9

• Special Characters – ~ ; ! @ # $ % ^ & * (


Use a strong password

A strong password should be:

• Seven characters or longer.

• Not a word or name in any language.

• A mix of uppercase and lowercase letters + numbers and special characters.

• Does NOT use public information about you or your family or friends.

• Is NOT a variation of your user ID.


Examples of strong passwords

• 4s&7yaAL

• 2Bon2Bti?

How to remember these complex passwords?



Take a phrase that is easy to remember and convert it into characters

“Four score and seven years ago”

Abraham Lincoln

F our S core A nd S even Y ears A go”

( A braham L incoln)

Converts to 4s&7yaAL


Anyone remember my complex passwords?

4 s & 7 y a A L

2 B o n 2 B t i ?


Time it takes to crack a password

Type of character set Length of time to crack

English words 8 letters or longer

Less than one second

Lowercase letters only 9 hours Lowercase with one


3 days

All letters 96 days

Time it takes to crack various types of 8 character

passwords: (times are getting continually faster)


Password Reminders


• Never share your password with anyone!

• Sharing your password is a violation of our policy.

• If you want someone to access your e- mail or computer, ask IT.

• Don’t let someone watch when you enter your password.

• Don’t write your password where others


Password Reminders (continued)


• Treat your password and your smart card as you would treat a PIN number or a credit card.

• Change your password every 120 days.

• If someone knows your password, change it

right away and notify the IS Support Center.


Don’t give out information without proper authorization

• Watch out for spoofing/phishing.

• Be suspicious of unusual requests – even if it appears to be from someone you know.

• Con artists appear knowledgeable and gain your trust.

You are responsible for taking reasonable


Internet security


1. Malicious software

2. e-mail carelessness

3. Instant Messaging/Chats


Malicious software




Malicious software (aka “malware”)

• Follow all virus scanning procedures.

• Don’t download ANYTHING form the internet without IS approval.

• If you have any doubt about an attachment delete it or ask IS to check it out.

• Don’t click on links or go to web sites if you have any doubts about their legitimacy.

• Don’t use your BSHSI network password at any website.

• Don’t unsubscribe from spam.

• If your computer acts at all strangely – ask IS to


Rules for emailing:

1) Don’t send sensitive data outside the facility’s

internal network unless encrypted (ask IS for help doing this.)

2) To prevent misdirected e-mail:

• Proof all e-mails before sending

• Use an address book to limit typos

• Be careful where you click

• Be careful with use of “Reply All”

3) Forwarded tails: Scroll to the end of all e-mails

before sending to ensure sensitive data is not being sent forward.



Workstation Protocol

Always keep protected information in a secure place.

• If you walk away secure the workstation.

• In public areas, protect the monitor from prying eyes.

• Secure all removable media.

• Dispose of all computer equipment and media by returning it to Bio-med or IS.

• Verify with IS that your data is being Backed-Up.


Review - Risky Situations

• Someone goes surfing on the web on their lunch break – what’s the risk?

• You notice you have some returned

(undeliverable) e-mail that you never sent – what might this mean?

• Sending e-mail “reminders” from home to

your office computer (or vice versa) with

EPHI in it – what’s the risk?


Review - Risky Situations (cont.)

• Taking work home on a laptop – what’s the risk?

• Sending out an e-mail without proofing it fully – what’s the risk?

• Leaving your work station (in a non-public area) for a second to answer a co-

worker’s ringing phone that is nearby, but

out of sight of your computer – what’s the




• Measures taken to guard against espionage or sabotage, crime, or attack

• Security can be breached through

intentional attack or unintentional




Security Goal:

• Ensure confidentiality, integrity, and availability of all sensitive data

• This only works if everyone follows our

security and acceptable use policies and stays aware.

Report any and all security concerns or


Ten Key action steps to take every day / daily reminders:

1. Don’t give anyone your password 2. Choose a strong password and

change it regularly

3. Don’t download any software without IS approval

4. Don’t go to unknown web sites

5. Virus scan all files before accessing


Ten Key action steps to take every day / daily reminders: (cont.)

6. Don’t send sensitive data in e-mails going outside BSHSI or in instant message of any kind.

7. When e-mailing – watch out for tails!

8. Don’t leave your workstation without first locking your computer and securing all media.

9. Don’t give out patient information without

proper authorization.




can prevent security breaches”


BSHSI Information Security Policies

• Information Security Audit Controls Policy

• Information Security Authorization and Access Policy

• Information Security Automatic Logoff Policy

• Information Security Awareness Training Policy

• Information Security Change Management Policy

• Information Security Data Backup Policy

• Information Security Data Integrity Control Policy

• Information Security Device and Media Controls Policy

• Information Security Disaster Recovery Policy

• Information Security E-mail Use Policy


BSHSI Information Security Policies

• Information Security Incident Handling Policy

• Information Security Information Risk Management Policy

• Information Security Internet Use

• Information Security Intrusion Detection Policy

• Information Security Management Policy

• Information Security Network Security

• Information Security Password Management

• Information Security Physical Security

• Information Security Protection from Malicious Software

• Information Security Workstation Security





Mobile equipment – PDA, laptop:

• If it has sensitive data on it, keep it in your sight or locked up

• Password protect it (strong

password) in case lost or stolen

• Don’t save your user ID and

password on the laptop or PDA

• Keep anti-virus, security patches

and a firewall up to date


Remote access:

• Protect your home computers as you would your regular workstation:

keep sensitive data locked up and protected by a strong password

be aware of who might be looking at the screen while you work

properly dispose of media that had

sensitive data on it


Wireless access:

Unless set up properly, wireless access can have serious security holes.

 A wireless system that’s been compromised can release malicious software into our network.

 Proper set up includes a wireless system with:

• encryption

• a firewall

• anti-virus software

• up to date security and operating system patches




Additional Learning Goals:

Understand at a higher level the

importance of protecting sensitive data (liability issues).

Increase awareness of the supervisor’s role in monitoring sensitive data security issues on the job.

Understand steps supervisors can take

to make sure their staff better protect


Key security roles for the supervisor/manager

• Monitor access and report changes in status

• Monitor usage – for legitimate business purposes?

• Monitor physical security of the work site – work station protocols

• If you have any questions or

concerns about security, report


Supervisor’s reasonable steps to monitor security in their work area

1. Key things to do/look for:

• Physical Security

• Sensitive data is locked up when no one is present

• Members of the public and staff from other areas have limited view of monitors and no access to computers or electronic media (disks)

• Electronic security

• Access is properly restricted

Only authorized software is in use


Supervisor is expected to take additional steps (cont.)

2. Encourage staff to follow security procedures:

 Be sure new staff are trained in IS security and proper use policies

 Periodically remind staff of key security procedures

 Do spot audits of workstations


Supervisor is expected to take additional steps (cont.)

3. Monitor access / use

Continuously audit/ report status changes (transfers, terminations, other changes)

Make sure access levels are appropriate

Know who is doing what with sensitive data 4. Make sure all computers and electronic media

is sent to Bio-med or IS for proper disposal

5. Report any concerns to IS




Related subjects :