Your Role in Information Security Center on Human Development and Disability January 2005 Rev12/08
UW Medicine Version: 20041105

Overview
Information Security is not just about computers; it is how we go about our business here at UW & UW Medicine.
- We have a set of standards and policies that define our Information Security requirements.
- Information Security is a responsibility of all the UW & UW Medicine Workforce*.
* Faculty, employees, trainees, volunteers, and other persons who perform work for UW Medicine
Users
Any individual using a computer connected to UW and/or UW Medicine networks, or anyone who has been granted privileges and access to UW Medicine computing and network services, applications, resources, and information.
User Responsibilities
The customary ones:
- Comply with UW and UW Medicine policies,
- Comply with federal and state law, and
- Restrict use to authorized purposes.
User Responsibilities, continued
Directly related to information security:
- Report all suspected security and/or policy breaches to an appropriate authority;
- Don't disable your firewall and/or anti-virus;
- Protect access accounts, privileges, and associated passwords;
- Accept accountability for your individual user accounts;
- Maintain confidentiality.
Information Security Training -- Dependent on Your Role
- Everyone: Privacy, Confidentiality, and Information Security Agreement
- If you access PHI: New Employee Orientation and/or HCCS on-line HIPAA Training
- If your system has PHI: System Owner and System Operator Training
Clear Workspace Standard
Reduce the risks of unauthorized access to, loss of, and damage to information during and outside of normal working hours by putting away RESTRICTED and/or CONFIDENTIAL information in your workspace.
Clear it or Secure it...
- Lock away protected health information or critical business information when not in use.
- Store paper and computer media containing RESTRICTED and/or CONFIDENTIAL information in suitable locked cabinets or desks when not in use or when unattended.
- Clear RESTRICTED and/or CONFIDENTIAL information or critical business information from printers immediately.
- Protect mail and fax machines from unauthorized access. Locked doors count.
Log off or secure your workstations when not in use or unattended
- Terminate active computing sessions when unattended, unless they can be secured by an appropriate locking mechanism, such as a password-protected screen saver (Ctrl+Alt+Delete, then Lock Computer).
- Log off networked systems when the computing session is finished.
Workstation Requirements
- Screen saver activation: workstations with PHI in areas where patients or the public have access to a workstation require one-minute activation.
- After hours: AMC domain PCs are required to be logged off and powered on after hours.
- Otherwise, follow the direction of those responsible for your computer support.
Reusing electronic media
Example: surplus or redistribute a computer.
Media intended for reuse - specific processes:
- Overwriting method: overwriting uses a software program to write 1s, 0s, or a combination onto the media. Common practice is to overwrite the media three times. Four times is better.
- Degaussing method: magnetically erases data from magnetic media. Two types of degausser exist: strong, permanent-magnet degaussers and electric degaussers.
Physical Space Security
- Use appropriate measures, like locked doors.
- Question individuals without badges.
- Make sure that vendors check in and are escorted in your department.
Taking UW Medicine Equipment from the Premises
- Obtain authorization to take equipment offsite.
- Log out the equipment.
- When returned, log the equipment back in.
- Be aware of department expectations about off-site use of that equipment.
- Secure the information with controls comparable to those of equipment on-site.
Who can install software on my workstation?
- Only designated system administrators are to install software, and
- Only licensed and authorized* software is used.
* Authorized means that the System Owner approves.
Appropriate Password Management
Where PHI is accessed, each user is issued a unique username and password. It is against UW & UW Medicine Policy to share a userID and/or password (this includes logging in for others).
Comply with Copyright Law
- Unauthorized use of software, images, music, or files is regarded as a serious matter, and any such use is without the consent of UW & UW Medicine.
- If abuse of computer software, images, music, or files occurs, those responsible for such abuse may be held legally accountable as well as be held accountable for violation of UW & UW Medicine Policy.
- It is against UW & UW Medicine Policy for workforce members to copy or reproduce any licensed software except as expressly permitted by the software license.
Use of Departmental Computers (RCW 42.52.360, WAC 292-110-010)
In 1997, the State of Washington Executive Ethics Board defined permitted personal activities on State-owned computers. This policy was amended in 2002 to permit limited Internet use. Aside from occasional and de minimis (e.g., of minimal cost to the State) use, the policy prohibits the personal use of computers, email and the Internet. This limitation is similar to permitted personal use of non-computer resources, such as telephone calls.
The State allows limited personal use of computer resources provided the use:
- Results in little or no cost to the State;
- Does not interfere with the employee's official duties;
- Is brief in duration, occurs infrequently, and is the effective use of time and resources;
- Does not disrupt or distract from the conduct of State business due to volume or frequency;
- Does not compromise the security or integrity of State property, information or software;
- Does not disrupt other State employees and does not obligate them to make personal use of State resources.
Your Email is NOT Private
Before you freely email any extremely personal thoughts or information, please consider that, unlike telephone conversations, email and its archives are subject to legal and public inspection, and that many computers retain old emails in archives for years. Private watchdog groups, outside UW and Washington State, monitor email for abuse, and lawyers subpoena email as a part of evidence gathering. If you do not want to see your most sensitive and/or private email printed in newspapers, do not send it.
More: Using Washington State Equipment
Washington State law also prohibits the use of UW computers for personal business-related, commercial, campaign or political purposes, to promote an outside business or group, or to conduct illegal activities. Additionally, employees are prohibited from allowing any member of the public to make personal use of state computers and computing resources. Washington State specifically prohibits use of the computer for all political and commercial activities. The following items have been additionally called out in detail:
- Notices for selling of personal items on any State-owned computer system.
- Notices for charity/fund-raising events, whether selling an item or raising money, unless the activity is University sponsored.
Many Internet Activities Expressly Prohibited
Although de minimis personal Internet use is now allowable, many Internet activities are still prohibited. Downloading copyrighted files, such as MP3 music files, may violate copyright law and subject UW and you to penalties and fines. Other examples of improper or excessive use are included in the Executive Ethics Board web site, http://www.wa.gov/ethics, and the UW Administrative Policy web site, http://www.washington.edu/admin/adminpro/APS/47.02.html. Some examples of permitted activities may be prohibited in Lab Medicine because of their potential impacts. For example, extensive use of streaming video or streaming audio can overload the capacity of the network and interfere with the laboratory information system.
Understanding Information Classification
Information classification is designated by the System Owner or Data Custodian. Classification ensures the appropriate level of security is applied to information and information systems, based on the identified level of impact to confidentiality, integrity, and availability.
Definitions of Confidentiality, Integrity, & Availability
- Confidentiality: ensuring that information is accessible only to those authorized to have access;
- Integrity: safeguarding the accuracy, completeness, and control of information and processing methods;
- Availability: ensuring that authorized users have access to information and associated assets when required.
PUBLIC Information
Information that is intended for, or can be viewed by, the public or the University community. Information can be verbal, electronic, or printed materials. Access to this information is usually anticipated or planned. Examples include university web pages, course descriptions, faculty profiles, individual and departmental announcements, or other general information that can be viewed by the public.
RESTRICTED Information
Information used by the UW & UW Medicine workforce with an established need-to-know relationship. Unauthorized data disclosure could impede the ability of UW & UW Medicine employees to conduct business, but does not violate any federal, state or UW regulations (e.g., poor business practices). Examples include proprietary information, such as business plans, intellectual property, financial information or other sensitive materials that may affect workforce or organizational operations.
CONFIDENTIAL Information
Information that is very sensitive in nature, where access requires careful controls and protection. Unauthorized disclosure of this data could seriously and adversely impact UW & UW Medicine; the interests of employees, students, patients, or other individuals; and organizations associated with UW & UW Medicine. Examples include: personally identifiable information and protected health information (PHI), workforce records, sensitive student records, social security numbers, legally protected University records, and passwords.
Follow Department Processes
Dispose of RESTRICTED and/or CONFIDENTIAL information in a secure manner. All floppy disks, hard drives, CDs, etc. have to be wiped before being retasked to another use. Contact your computer support person to help you.
CHDD personnel can be contacted at email@example.com
- Autism Center – Susan Conarroe
- CTDS – Jeff Witzel
Disposing of protected health information, proprietary documents, and confidential information in a secure and confidential manner
When PHI and proprietary information are included:
- Paper Documentation - must be shredded, pulped or otherwise obliterated in a manner that prevents reconstruction.
- Microfilm and Microfiche - must be pulverized.
- Laser Disks - those used in write once, read many (WORM) document imaging applications shall be pulverized.
- Floppy Disks - shall be pulverized.
- Compact Discs - shall be pulverized.
- Magnetic Tape & Video Tape - the preferred method for destroying computerized data is magnetic degaussing. If destruction is not achieved by degaussing, it must be executed in an alternative manner that assures that the information cannot be reconstructed.
- Hard Drives - to assure that computerized data is destroyed when equipment is decommissioned, use a three-pass binary overwrite of the entire disk; this reasonably assures that the information cannot be reconstructed. An alternative to this process is that the hard drive is removed from the device and pulverized.
- Carbon Rolls (from printers or fax machines) - the method for destroying carbon rollers removed from printers or fax machines is to send them to Environmental Services for destruction by autoclaving.
Pulverized: reduced (as by crushing, beating, or grinding) to very small particles that cannot be reconstructed or used in any combination to reconstruct the original.
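The "overwriting method" on the media-reuse slide and the three-pass hard-drive overwrite on the disposal slide describe the same control. The following is an added example, not code from the UW Medicine deck, showing what a multi-pass overwrite actually does: each pass rewrites every byte with a pattern, the pass is forced to disk, and a fixed-pattern pass can be read back and verified. The pattern sequence (zeros, ones, random) and the file-level scope are assumptions for illustration; the slides call for overwriting the entire disk, and that is what a decommissioning should do with a whole-device tool, because journaling filesystems, wear-levelling SSDs and remapped sectors keep copies a per-file overwrite never reaches.

```python
"""Added example (not from the UW Medicine deck): multi-pass overwrite of a
file, illustrating the overwriting method for media reuse and disposal.
Pass patterns and the per-file scope are assumptions for illustration; a real
decommissioning overwrites the entire device, as the slides require."""
import os
import secrets
import tempfile

# Constructed pass patterns: all-zeros, all-ones, then random bytes.
# Fixed patterns can be verified by reading back; the final random pass
# leaves no predictable pattern on the media. None means "random bytes".
DEFAULT_PATTERNS = (b"\x00", b"\xff", None)


def overwrite_file(path, patterns=DEFAULT_PATTERNS, chunk_size=64 * 1024):
    """Overwrite every byte of `path` once per pattern, forcing each pass to
    disk with fsync before the next begins. Returns the passes completed."""
    size = os.path.getsize(path)
    passes = 0
    with open(path, "r+b") as fh:
        for pattern in patterns:
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                chunk = secrets.token_bytes(n) if pattern is None else pattern * n
                fh.write(chunk)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # do not count the pass until it is on media
            passes += 1
    return passes


def verify_pattern(path, pattern):
    """Return True if every byte of `path` equals the single-byte `pattern`.
    Only meaningful after a fixed-pattern pass; a random pass has no
    expected value to compare against."""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(64 * 1024)
            if not chunk:
                return True
            if chunk != pattern * len(chunk):
                return False


def sanitize_and_remove(path, passes=3):
    """Three-pass overwrite (the deck's stated common practice) followed by
    unlinking the file. Returns True only if all requested passes completed
    and the file is gone."""
    patterns = (DEFAULT_PATTERNS * passes)[:passes]  # cycle if more than 3
    done = overwrite_file(path, patterns)
    os.remove(path)
    return done == passes and not os.path.exists(path)


if __name__ == "__main__":
    # Constructed sample: a small file standing in for media holding PHI.
    fd, tmp = tempfile.mkstemp()
    os.write(fd, b"PATIENT RECORD 0001 - constructed sample data\n" * 200)
    os.close(fd)
    print("overwritten and removed:", sanitize_and_remove(tmp))
```

The fsync after each pass is the part most home-grown wipe scripts omit: without it, three "passes" can all sit in the page cache and reach the platter as a single write, so the count the slide specifies is not what the media experiences.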
Report Events, Incidents and/or Malfunctions
An occurrence or event that conflicts with or interrupts normal process. Contact your Supervisor, System Operator and CHDD Administrator, Christene James, 206-221-5496.
Priorities of Incident Response
1. Protect human life and people's safety; human life always has precedence over all other considerations.
2. Protect RESTRICTED and/or CONFIDENTIAL data. Prevent exploitation of RESTRICTED and/or CONFIDENTIAL systems, networks or sites. Inform affected RESTRICTED and/or CONFIDENTIAL systems, networks or sites about penetrations that have already occurred.
3. Protect RESTRICTED and/or CONFIDENTIAL Information. Prevent exploitation of other systems, networks or sites, and inform already affected systems, networks or sites about successful penetrations.
Priorities - continued
4. Prevent damage to systems (loss or alteration of system files, damage to disk drives). Damage to systems can result in costly down time and recovery.
5. Minimize disruption of computing resources, including processes. It is better in many cases to shut a system down or disconnect it from a network than to risk damage to data or systems.
Protect Against Malicious Software
- Do not disable the anti-virus software.
- Do not install or run unknown software.
- Report virus incidents to your Help Desk.
Protect Against Malicious Software (2)
- Use anti-virus software to scan all diskettes and files provided to you by others, or after using them on another computer.
- Do not open email attachments from unknown senders. Verify attachments from known senders and scan them before opening. If you expect an attachment, make sure that the attachment's file type and sender are consistent with what was expected.
- Follow this same process for Internet downloads.
Sanctions
The regulation requires that we apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures, based upon our security policies and the relative severity of the violation. UW has sanctions for the failure to follow policy and/or for a breach of patient confidentiality or information security.
Five Levels/Categories of Actions and/or Sanctions
After an investigation, a sanction level is applied:
- No Breach of Information Security - although someone reported a suspected breach, upon investigation it is realized that an exception was granted.
- Unable to Determine Whether a Breach Occurred - a breach or potential breach was discovered after the system in question was redeployed, and evidence of the breach has been mostly or completely destroyed.
- Policy Violation with Mitigating Circumstances - the workforce member attempted to implement or supplement security controls, believing them to be in compliance or improving security.
Five Levels/Categories, continued
- Policy Violation without Reasonable Appearance of Malicious Intent - unauthorized use of another employee's username and/or password.
- Policy Violation with Reasonable Appearance of Malicious Intent - 1. a member of the workforce intentionally alters or destroys data or equipment; 2. failure to implement standards after repeated notification.
DEFINITIONS: System Owner & System Operator
- System Owners are individuals within the UW & UW Medicine community accountable for the management and use of one or more electronic information systems, electronic databases, or electronic applications that are associated with UW & UW Medicine or EPHI.
- System Operators administer and/or manage the daily activities of one or more electronic information systems, electronic databases, or electronic applications.
Data Custodian & Department Administrator/Manager
- Data Custodians are the individuals who have been officially designated as accountable for protecting the confidentiality of specific data that is transmitted, used, and stored on a system or systems within a department, college, school, or administrative unit of UW Medicine.
- Department Administrator/Manager: the individual who manages the users of UW Medicine systems.
The Life Cycle of User Privileges
- Manager/Supervisor requests user privileges.
- Manager/Supervisor updates any information on the user or privileges during workforce engagement.
- Manager/Supervisor disables user privileges when the workforce member is separated or transferred.
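The lifecycle above only holds if someone checks that the third step actually happened. The following is an added example, not code from the UW Medicine deck, of a periodic access review that compares an HR view of workforce status against the directory's account state and flags the gaps the lifecycle is meant to close: accounts still enabled after separation, privileges not re-confirmed after a transfer, and accounts with no workforce record at all. The record layout, the sample people and the use of the CHDD department names from this deck are constructed for illustration; in practice the two inputs come from the HR system of record and the directory.

```python
"""Added example (not from the UW Medicine deck): access review against the
user-privilege lifecycle (request, update, disable on separation/transfer).
Record shapes and sample data are constructed for illustration."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class WorkforceRecord:      # constructed HR view of one workforce member
    user_id: str
    department: str         # current department
    status: str             # "active", "separated" or "transferred"
    status_date: date       # date the status was last changed


@dataclass(frozen=True)
class Account:              # constructed directory view of one account
    user_id: str
    department: str         # department the privileges were granted for
    enabled: bool
    last_reviewed: date     # date a manager last confirmed the privileges


def review_privileges(hr_records, accounts):
    """Return (user_id, finding) pairs, in account order. Findings:
      'separated-but-enabled'  account still enabled after separation
      'transfer-not-reviewed'  department changed, privileges not re-confirmed
                               since the transfer (old-department access lives on)
      'orphaned-account'       enabled account with no workforce record
    Disabled accounts never produce a finding: the lifecycle ended correctly."""
    hr_by_id = {r.user_id: r for r in hr_records}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        rec = hr_by_id.get(acct.user_id)
        if rec is None:
            findings.append((acct.user_id, "orphaned-account"))
        elif rec.status == "separated":
            findings.append((acct.user_id, "separated-but-enabled"))
        elif rec.status == "transferred" and (
            rec.department != acct.department or acct.last_reviewed < rec.status_date
        ):
            findings.append((acct.user_id, "transfer-not-reviewed"))
    return findings


# Constructed sample data for a stand-alone run (department names are the
# CHDD units named in the deck; the people and dates are invented).
SAMPLE_HR = [
    WorkforceRecord("jdoe", "Autism Center", "active", date(2005, 1, 3)),
    WorkforceRecord("asmith", "CTDS", "separated", date(2005, 2, 1)),
    WorkforceRecord("bkim", "CTDS", "transferred", date(2005, 3, 15)),
    WorkforceRecord("clee", "Autism Center", "transferred", date(2005, 3, 15)),
]
SAMPLE_ACCOUNTS = [
    Account("jdoe", "Autism Center", True, date(2005, 1, 3)),
    Account("asmith", "CTDS", True, date(2004, 12, 1)),          # left, still enabled
    Account("bkim", "Autism Center", True, date(2005, 1, 10)),   # still holds old dept
    Account("clee", "Autism Center", True, date(2005, 3, 20)),   # re-reviewed after move
    Account("ghost", "CTDS", True, date(2004, 6, 1)),            # no HR record
    Account("oldacct", "CTDS", False, date(2003, 6, 1)),         # disabled: fine
]

if __name__ == "__main__":
    for user_id, finding in review_privileges(SAMPLE_HR, SAMPLE_ACCOUNTS):
        print(f"{user_id}: {finding}")
```

The transfer case is the one most reviews miss: the account is legitimately enabled and belongs to a current employee, so only the combination of HR status, the department the privileges were granted for, and the date of the last manager review exposes that the old department's access was never withdrawn.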
Minimum Information Security Requirements
- Approved Operating System that is patched in a timely manner
- Protection Against Malicious Software (i.e., anti-virus protection)
- Filtering or Firewall Protection Enabled
- Logging and Auditing
- Approved Network Media & Protocols
Advanced Information Security Requirements
Systems with RESTRICTED & CONFIDENTIAL Information must meet the Advanced Information Security Requirements:
- Implementation of Minimum Information Security Requirements with additional controls
- Additional data protection required based on high-risk analysis (higher-level administration):
  - Strict data access policies and procedures
  - System access audit logs
  - Physical protection, including privacy mandates
  - Servers need certification
Questions?
Please let Christene James know if you have any questions: 206-221-5496 or firstname.lastname@example.org
UW Medicine Resource for Questions
Richard Meeks, HIPAA Compliance Officer, HIPAA Program Office, UW Medicine, 206-543-0300, email@example.com
Reference Materials
1. UW Medicine Policies: https://security.uwmedicine.org/securitypolicies.asp