BSHSI Security Awareness Training
Originally developed by the
Greater New York Hospital Association
Edited by the BSHSI Education Team
Modified by HSO Security 7/1/2008
What is Security?
• A requirement under the Health Insurance Portability and Accountability Act (HIPAA) Regulations (HIPAA Security Rule went into effect 4/21/05)
• Webster’s definition: measures taken to guard against espionage, sabotage, crime, attack or escape.
• Our goal today: discuss what you can
What is Sensitive Data?
Sensitive Data = Electronic Protected Health Information (EPHI), business sensitive data, staff sensitive data, or any other non-public data.
Protected Health Information is:
Health or medical information that could be identified or linked to a specific individual; information about a patient’s:
• Identity
• Medical condition
• Treatment
• Status as a patient
• Physiological data
• Medications
EPHI:
• Protected Health Information on your computer is known as EPHI – Electronic Protected Health Information.
• EPHI: PHI that our organization creates, receives, maintains, and/or transmits electronically.
• EPHI is stored on computers, clinical equipment, and computer disks.
Business Sensitive Data is:
Business Sensitive Data = Information that pertains to the business activities of BSHSI, including financial and investment activities, margins, projects, etc., and that provides competitive advantage.
Staff Sensitive Data is:
• Staff Sensitive Data = Personal information on staff members of BSHSI or the members of business associates, including contact details, salary, qualifications, performance, etc.
Any other non-public data is:
• Other Non-public Data = Information that has been duly classified and does not fall under the previous categories.
What regulations apply?
• HIPAA (Health Insurance Portability and Accountability Act)
• JCAHO (Joint Commission on Accreditation of Healthcare Organizations)
• Gramm Leach Bliley Act of 1999 (Financial)
• Various State and Federal laws and regulations
Workshop Goals
By the end of the session, participants will:
1. Understand the importance of protecting sensitive data including EPHI.
2. Understand how information security can be compromised.
3. Understand steps to better protect sensitive data including EPHI.
4. Be motivated to follow security
Main Security Issues
• Confidentiality – Protected records are to be kept private (HIPAA Privacy).
• Integrity – Records aren’t changed without authorization.
• Availability – Records can be accessed when needed.
What are the consequences of a security failure / breach?
Patient safety/medical care is compromised.
Negative publicity.
Increased costs.
Identity theft:
- Patients or employees can become targets of con artists.
- Employee reputation and career damaged.
Legal liability/lawsuits.
What are the consequences of a security failure / breach?
• We can and will audit and monitor how people use the system:
• What records you access without a “need to know”
• What you download and where you web surf
• If we find breaches or violations of policy, we will take action
Who’s responsible?
The health system is responsible for all electronic information in our system:
How can security fail/be breached?
Intentional attack…..
or unintentional carelessness…..
They all have the same negative consequences
What is an intentional “attack”?
• Malicious software (“malware”).
• Password stolen or code broken.
• Imposter asking for sensitive information.
• PDA or laptop stolen.
• Employees accessing records they have no legitimate need
Employee carelessness
• Leaving your computer logged on and unattended
• Letting others know your password
• Downloading unauthorized software
• Misdirected e-mail
Here’s what IT is doing to protect the system
Anti-virus scanning.
Restrict downloads.
Restrict attachments in e-mail from outside the system.
Firewalls to help keep out hackers.
Require user ID and passwords.
Restrict and update access as employee status changes.
Install and continually update stable software.
Encryption.
What YOU can do
• General Issues
• Password Protection
• Patient Information
• Internet Security
• Workstation Protocol
General Issues
• Follow all approved security policies and procedures
• Only use approved software
• Maintain heightened vigilance
• Report to IT / ask questions if anything looks unusual
• Know who you’re dealing with. If in doubt,
Password management and Password Risks
1. Your password is stolen or the code is broken:
• Your log-in/electronic signature is used maliciously:
• Negative messages are sent out in your name
• Sensitive data and/or EPHI is released under your log-in
• A hacker gains access to your system
2. A computer is stolen and without strong password
Password management
What is a password?
• A string of characters used to verify a user’s identity
• Characters can include:
  • Alphabetic characters (case sensitive – A differs from a)
  • Numeric – 0 to 9
  • Special Characters – ~ ; ! @ # $ % ^ & * (
Use a strong password
A strong password:
• Is seven characters or longer.
• Is not a word or name in any language.
• Mixes uppercase and lowercase letters with numbers and special characters.
• Does NOT use public information about you or your family or friends.
• Is NOT a variation of your user ID.
Examples of strong passwords
• 4s&7yaAL
• 2Bon2Bti?
How to remember these complex passwords?
Pass-phrase
Take a phrase that is easy to remember and convert it into characters:
“Four score and seven years ago” – Abraham Lincoln
• “Four Score And Seven Years Ago” (Abraham Lincoln)
• Converts to 4s&7yaAL
Anyone remember my complex passwords?
4s&7yaAL
2Bon2Bti?
Time it takes to crack a password
Time it takes to crack various types of 8 character passwords (times are getting continually faster):
Type of character set              Length of time to crack
English words, 8 letters or longer Less than one second
Lowercase letters only             9 hours
Lowercase with one uppercase       3 days
All letters                        96 days
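The two slides above (the "Use a strong password" rules and the crack-time table) can be checked with a few lines of code. The block below is an added example, not part of the BSHSI deck or any BSHSI tool: it turns the deck's five password rules into a checker and scales the deck's 9-hour figure for 8 lowercase letters by keyspace size, which reproduces the table's 3 days (one uppercase letter) and 96 days (all letters). The word list, the user ID and the personal terms are constructed sample data.

```python
"""Password policy check and keyspace scaling (added example; not part of
the BSHSI deck). The rules are the deck's "Use a strong password" slide,
the 9-hour figure is the deck's crack time for 8 lowercase letters, and
the word list, user IDs and personal terms are constructed sample data."""
import string

# Constructed mini word list; a real check uses a full dictionary and name list.
COMMON_WORDS = {"password", "welcome", "hospital", "lincoln", "abraham",
                "summer", "letmein", "qwerty"}
SPECIALS = set(string.punctuation)      # ~ ; ! @ # $ % ^ & * ( and the rest
MIN_LENGTH = 7


def check_password(password, user_id, personal_terms=()):
    """Return the list of deck rules the password breaks (empty list = strong)."""
    failures = []
    pw = password.lower()
    letters_only = "".join(c for c in pw if c.isalpha())
    uid = user_id.lower()

    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    # "Not a word or name": strip digits/specials so Password1! still counts as "password".
    if pw in COMMON_WORDS or letters_only in COMMON_WORDS:
        failures.append("dictionary word or name")
    has_mix = (any(c.islower() for c in password) and any(c.isupper() for c in password)
               and any(c.isdigit() for c in password) and any(c in SPECIALS for c in password))
    if not has_mix:
        failures.append("missing mix of upper, lower, digit and special characters")
    # "No public information about you": the caller supplies names, birth years, pets...
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in pw:
            failures.append("contains personal information (%s)" % term)
            break
    # "Not a variation of your user ID": user ID embedded, or the same letters once
    # digits and specials are stripped.
    uid_letters = "".join(c for c in uid if c.isalpha())
    if uid and (uid in pw or (letters_only and letters_only == uid_letters)):
        failures.append("variation of user ID")
    return failures


# Crack-time scaling: the deck gives 9 hours for 8 lowercase letters. At the same
# guessing rate, time grows in proportion to the number of candidates.
BASELINE_KEYSPACE = 26 ** 8
BASELINE_HOURS = 9


def keyspace(length, lowercase=True, uppercase=False, digits=False, specials=0):
    """Number of candidate passwords for a character set and length."""
    alphabet = 26 * lowercase + 26 * uppercase + 10 * digits + specials
    return alphabet ** length


def estimate_crack_hours(candidates):
    """Hours to exhaust `candidates` at the guess rate implied by the deck's baseline."""
    return candidates * BASELINE_HOURS / BASELINE_KEYSPACE


def main():
    for pw in ("4s&7yaAL", "2Bon2Bti?", "Password1!", "jsmith99!"):
        print(pw, "->", check_password(pw, "jsmith") or "strong")
    print("all letters, 8 chars:", estimate_crack_hours(keyspace(8, uppercase=True)) / 24, "days")
    print("one uppercase among 8 letters:", estimate_crack_hours(8 * 26 ** 8) / 24, "days")
    print("94-char set, 8 chars:",
          round(estimate_crack_hours(keyspace(8, True, True, True, 32)) / 24 / 365, 1), "years")


if __name__ == "__main__":
    main()
```

The "one uppercase" row is modelled as 8 × 26^8 (eight positions for the single capital), which is exactly 8 times the lowercase baseline and gives the table's 3 days; adding the full printable set lifts the same 8-character search into decades, which is the point of the slide.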
Password Reminders
Remember:
• Never share your password with anyone!
• Sharing your password is a violation of our policy.
• If you want someone to access your e-mail or computer, ask IT.
• Don’t let someone watch when you enter your password.
• Don’t write your password where others
Password Reminders (continued)
Remember:
• Treat your password and your smart card as you would treat a PIN number or a credit card.
• Change your password every 120 days.
• If someone knows your password, change it right away and notify the IS Support Center.
Don’t give out information without proper authorization
• Watch out for spoofing/phishing.
• Be suspicious of unusual requests – even if it appears to be from someone you know.
• Con artists appear knowledgeable and gain your trust.
• You are responsible for taking reasonable
Internet security
Risks:
1. Malicious software
2. e-mail carelessness
3. Instant Messaging/Chats
Malicious software (aka “malware”)
• Follow all virus scanning procedures.
• Don’t download ANYTHING from the internet without IS approval.
• If you have any doubt about an attachment delete it or ask IS to check it out.
• Don’t click on links or go to web sites if you have any doubts about their legitimacy.
• Don’t use your BSHSI network password at any website.
• Don’t unsubscribe from spam.
• If your computer acts at all strangely – ask IS to
Rules for emailing:
1) Don’t send sensitive data outside the facility’s internal network unless encrypted (ask IS for help doing this.)
2) To prevent misdirected e-mail:
• Proof all e-mails before sending
• Use an address book to limit typos
• Be careful where you click
• Be careful with use of “Reply All”
3) Forwarded tails: Scroll to the end of all e-mails before sending to ensure sensitive data is not being sent forward.
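The three e-mailing rules above can be enforced mechanically as well as by habit. The following is an added example and not BSHSI's own filter: it flags a message that carries EPHI-like content to an address outside the internal domain, checks the forwarded "tail" separately from the newly written text, and warns on large recipient lists. The internal domain, the sensitive-data patterns, the Reply All threshold and the sample messages are all constructed assumptions; a real deployment would use the organization's own identifiers and DLP policy.

```python
"""Outbound e-mail check modelled on the deck's e-mailing rules (added
example; not the organization's own filter). The internal domain, the
EPHI-like patterns, the Reply All threshold and the sample messages are
constructed assumptions."""
import re

INTERNAL_DOMAIN = "example-health.test"   # placeholder, not BSHSI's real domain
REPLY_ALL_LIMIT = 5                       # constructed threshold for "check Reply All"
# Constructed markers that stand in for real EPHI identifiers.
SENSITIVE_PATTERNS = [
    re.compile(r"\bMRN[:#]?\s*\d{6,}\b", re.I),          # medical-record-number shape
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                # SSN shape
    re.compile(r"\b(diagnosis|lab result|prescription)\b", re.I),
]
TAIL_MARKERS = ("-----Original Message-----", "---------- Forwarded message")


def split_tail(body):
    """Split a message into the newly written part and its forwarded/quoted tail."""
    cut = min((i for i in (body.find(m) for m in TAIL_MARKERS) if i != -1), default=-1)
    return (body, "") if cut == -1 else (body[:cut], body[cut:])


def is_external(address):
    """True when the recipient is outside the facility's internal network."""
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def review_outbound(recipients, body):
    """Return the rule findings for one message (empty list = nothing flagged)."""
    findings = []
    external = [r for r in recipients if is_external(r)]
    if not external:
        return findings                 # the rules concern mail leaving the network
    head, tail = split_tail(body)
    if any(p.search(head) for p in SENSITIVE_PATTERNS):
        findings.append("sensitive data to external recipient(s): " + ", ".join(external))
    if any(p.search(tail) for p in SENSITIVE_PATTERNS):
        findings.append("sensitive data in forwarded tail to external recipient(s)")
    if len(recipients) > REPLY_ALL_LIMIT:
        findings.append("%d recipients including external; check Reply All" % len(recipients))
    return findings


if __name__ == "__main__":
    # Constructed sample: a harmless reply whose quoted tail still carries an MRN.
    sample = ("See you Monday.\n-----Original Message-----\n"
              "From: clinic\nMRN: 1234567 lab result attached")
    for finding in review_outbound(["friend@mail.invalid"], sample):
        print("FLAG:", finding)
```

The tail is scanned on its own so that the finding tells the sender exactly what rule 3 asks them to check: the quoted history, not the lines they just typed.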
Workstation Protocol
Always keep protected information in a secure place.
• If you walk away secure the workstation.
• In public areas, protect the monitor from prying eyes.
• Secure all removable media.
• Dispose of all computer equipment and media by returning it to Bio-med or IS.
• Verify with IS that your data is being Backed-Up.
Review - Risky Situations
• Someone goes surfing on the web on their lunch break – what’s the risk?
• You notice you have some returned (undeliverable) e-mail that you never sent – what might this mean?
• Sending e-mail “reminders” from home to your office computer (or vice versa) with EPHI in it – what’s the risk?
Review - Risky Situations (cont.)
• Taking work home on a laptop – what’s the risk?
• Sending out an e-mail without proofing it fully – what’s the risk?
• Leaving your work station (in a non-public area) for a second to answer a co-worker’s ringing phone that is nearby, but out of sight of your computer – what’s the
Review
Security:
• Measures taken to guard against espionage or sabotage, crime, or attack
• Security can be breached through intentional attack or unintentional carelessness
Review
Security Goal:
• Ensure confidentiality, integrity, and availability of all sensitive data
• This only works if everyone follows our security and acceptable use policies and stays aware.
• Report any and all security concerns or
Ten Key action steps to take every day / daily reminders:
1. Don’t give anyone your password
2. Choose a strong password and change it regularly
3. Don’t download any software without IS approval
4. Don’t go to unknown web sites
5. Virus scan all files before accessing
Ten Key action steps to take every day / daily reminders: (cont.)
6. Don’t send sensitive data in e-mails going outside BSHSI or in instant message of any kind.
7. When e-mailing – watch out for tails!
8. Don’t leave your workstation without first locking your computer and securing all media.
9. Don’t give out patient information without proper authorization.
Conclusion:
“Only PEOPLE
can prevent security breaches”
BSHSI Information Security Policies
• Information Security Audit Controls Policy
• Information Security Authorization and Access Policy
• Information Security Automatic Logoff Policy
• Information Security Awareness Training Policy
• Information Security Change Management Policy
• Information Security Data Backup Policy
• Information Security Data Integrity Control Policy
• Information Security Device and Media Controls Policy
• Information Security Disaster Recovery Policy
• Information Security E-mail Use Policy
BSHSI Information Security Policies
• Information Security Incident Handling Policy
• Information Security Information Risk Management Policy
• Information Security Internet Use
• Information Security Intrusion Detection Policy
• Information Security Management Policy
• Information Security Network Security
• Information Security Password Management
• Information Security Physical Security
• Information Security Protection from Malicious Software
• Information Security Workstation Security
FEEDBACK / REACTIONS
FOR SELECTED GROUPS ONLY
Mobile equipment – PDA, laptop:
• If it has sensitive data on it, keep it in your sight or locked up
• Password protect it (strong password) in case lost or stolen
• Don’t save your user ID and password on the laptop or PDA
• Keep anti-virus, security patches and a firewall up to date
Remote access:
• Protect your home computers as you would your regular workstation:
  • keep sensitive data locked up and protected by a strong password
  • be aware of who might be looking at the screen while you work
  • properly dispose of media that had sensitive data on it
Wireless access:
Unless set up properly, wireless access can have serious security holes.
A wireless system that’s been compromised can release malicious software into our network.
Proper set up includes a wireless system with:
• encryption
• a firewall
• anti-virus software
• up to date security and operating system patches
Supervisor/Manager
Additional Learning Goals:
Understand at a higher level the importance of protecting sensitive data (liability issues).
Increase awareness of the supervisor’s role in monitoring sensitive data security issues on the job.
Understand steps supervisors can take to make sure their staff better protect
Key security roles for the supervisor/manager
• Monitor access and report changes in status
• Monitor usage – for legitimate business purposes?
• Monitor physical security of the work site – work station protocols
• If you have any questions or concerns about security, report
Supervisor’s reasonable steps to monitor security in their work area
1. Key things to do/look for:
  • Physical Security
    • Sensitive data is locked up when no one is present
    • Members of the public and staff from other areas have limited view of monitors and no access to computers or electronic media (disks)
  • Electronic security
    • Access is properly restricted
    • Only authorized software is in use
Supervisor is expected to take additional steps (cont.)
2. Encourage staff to follow security procedures:
  • Be sure new staff are trained in IS security and proper use policies
  • Periodically remind staff of key security procedures
  • Do spot audits of workstations
Supervisor is expected to take additional steps (cont.)
3. Monitor access / use
  • Continuously audit/report status changes (transfers, terminations, other changes)
  • Make sure access levels are appropriate