1 PERSONAL ACCOUNTABILITY FOR DATA STEWARDSHIP
UW Medicine Workforce
2 Agenda
Define personal and professional accountability
Explain elements of data stewardship
Tools
Case studies
DO's and DON'Ts
Closing the loop: your role
3 Personal and Professional Accountability
Personal accountability = being answerable for the outcome of your actions or inactions
Professional accountability = demonstrating excellence, integrity, respect, compassion, accountability and a commitment to altruism in all your work interactions and responsibilities (UW Medicine Professionalism Policy)
As representatives of UW Medicine, you are personally, professionally, ethically and legally responsible for your actions
The public, our patients, employees and students place their trust in us
4 Your Accountability for Data Stewardship
All UW Medicine workforce members are personally responsible for ensuring the security and integrity of all confidential, restricted, and proprietary information (electronic or paper) to which they are given access.
Workforce members include faculty, staff, students and trainees, volunteers, and other persons who perform work for UW Medicine.
Workforce members must safeguard the security and integrity of the information entrusted to them.
5 Data Security
Safeguard and promote the privacy of employees, patients and students
Safeguard access to University and UW Medicine information systems
Safeguard institutional data, systems, and devices
6 Data Integrity
Ensure that data is only accessed by authorized users
Ensure that data is not changed, corrupted, or tampered with
Ensure that data is retrievable and usable, backed up and managed in a reliable way
7 Confidential Data and Information
Definition of confidential data: confidential data and information is very sensitive in nature and typically subject to federal or state regulations. Unauthorized disclosure of this information could seriously and adversely impact the University or the interests of individuals and organizations associated with the University.
8 Confidential Data and Information
Examples of confidential data/information:
HIPAA: protected health information (PHI), including patient names, addresses, social security numbers, health conditions and symptoms, prescriptions, medical record numbers
FERPA: individual student records, including grades, courses taken, schedule, test scores, advising records, educational services received, disciplinary actions, student identification number, social security number
Gramm-Leach-Bliley (GLB): employee financial account information, student financial account information (aid, grants, bills), individual financial information, business partner and vendor financial account information
Export controls (e.g., EAR, ITAR)
Employee employment records, including performance information, applications for employment, resumes and related material
Donor information
Trade secrets, intellectual and/or proprietary research information
Vendor non-disclosure agreements
Information required to be protected by contract
Computer account passwords
9 Restricted Data and Information
Definition of restricted data: data and information that is circulated on a need-to-know basis or sensitive enough to warrant careful management and protection to safeguard its integrity and availability, as well as appropriate access, use, and disclosure.
Examples of restricted information:
Telephone billing information
Parking permits
Location of assets
Critical infrastructure blueprints or schematics
Specific physical security measures
Proprietary research
10 Tools to Assist You in Safeguarding Data
Privacy, Confidentiality and Information Security Agreement (PCISA) and discussion outline:
https://security.uwmedicine.org/training/data_stewardship/PCISA.pdf
https://security.uwmedicine.org/training/data_stewardship/PCISA_discuss_tool.pdf
Citrix or VPN remote access: https://networks.uwmedicine.org/content/secure-remote-access
Encryption: https://security.uwmedicine.org/guidance/technical/encryption/default.asp
11 Tools (continued)
Complex passwords: https://security.uwmedicine.org/guidance/role_based/end_user/default.asp
Education and training materials: https://security.uwmedicine.org/Training/Sec_Aware/default.asp
Role-based guidelines: https://security.uwmedicine.org/guidance/role_based/default.asp
Policies restricting removal of data from worksites: https://security.uwmedicine.org/guidance/policy/electronic_data/sp-01%20electronic%20data%20ver%203.0.pdf
Physical security: remember to always lock offices and files
12 Privacy, Confidentiality and Information Security Agreement
The PCISA must be signed by all UW Medicine workforce members annually.
Reminder of what to safeguard, and how, for confidential and restricted information
Circumstances change, and the annual signing gives supervisors and managers an opportunity to review and update
Provides units with information that can be used in asset management (e.g., which systems hold confidential or restricted data)
May help identify resources people need to do their jobs (e.g., can someone use the VPN instead of transporting data home to work at night?)
https://security.uwmedicine.org/training/data_stewardship/PCISA.pdf
13 Safeguarding Research Information
The following slide is key to protecting research information
14 Safeguarding Research Information
Proprietary research data, at a minimum, is considered restricted
University policy (GIM 37) requires that research data be preserved, protected and sharable in accordance with academic, scientific and legal norms
Research data that includes protected health information, personally identifiable data or student data must follow federal requirements for data security and privacy
Consequences of lost research data can be significant:
May negatively impact the research team, department or University
Human subjects may be affected
15 Safeguarding Patient Information
The following set of slides is key to protecting patient information
16 UW Medicine Healthcare Components
UW Medicine healthcare components include the following:
UW Medical Center and Clinics
Harborview Medical Center and Clinics
Northwest Hospital and Medical Center and Clinics
Valley Medical Center and Clinics
UW Neighborhood Clinics
Airlift Northwest
Hall Health Primary Care Center
UW Medicine Sports Medicine Clinic
The Association of University Physicians (UWP)
18 HIPAA Breach Notification Rules
Definition of breach: "acquisition, access, use or disclosure of PHI ... that compromises the security or privacy of the PHI."
Notification requirements apply only to "unsecured" PHI. PHI is deemed unsecured unless rendered "unusable, unreadable, or indecipherable" to unauthorized individuals by technologies or methodologies identified by HHS (currently limited to encryption or destruction). A login password on a device or a file does not meet this standard; only encryption or destruction does.
Under the interim rule, notification of affected individuals is required if the breach poses a "significant risk of financial, reputational or other harm to the individual."
Beginning September 23, 2013, a new standard applies: an impermissible acquisition, access, use or disclosure of PHI is presumed to be a breach unless the covered entity demonstrates, through a documented risk assessment, that there is a low probability the PHI has been compromised. This replaces the harm threshold with a more objective test for whether notification is required.
19 HIPAA Breach Notification Rules
Breaches affecting fewer than 500 individuals must be logged and reported to the HHS Office for Civil Rights (OCR) annually; breaches affecting 500 or more individuals must be reported to OCR without unreasonable delay and no later than 60 days after discovery.
If a breach involves more than 500 residents of a state or jurisdiction, it must also be reported to prominent media outlets serving that state or jurisdiction.
If the covered entity has insufficient or out-of-date contact information for 10 or more affected individuals, it must provide substitute notice: a conspicuous posting on the home page of its website for 90 days, or notice in major print or broadcast media, together with a toll-free number.
20 Institutional Consequences of a Breach
Potential loss of public trust in UW Medicine and UW
Significant time and resources to investigate, conduct forensics, analyze findings and determine the appropriate course of action
Involvement of legal counsel, risk management, executive directors, unit heads
Exposure to civil liability
Protected health information (PHI) only:
Patient notification
Call center for each case requiring patient notification
HHS Office for Civil Rights (OCR) investigation
Possible imposition of civil/criminal penalties, fines and sanctions
21 Personal Consequences of a Breach
Loss of the trust of the public, patients, employees and students
Your name is reported to:
Your program director, department chair, executive director and/or unit head
CEO, UW Medicine, and Dean of the School of Medicine, University of Washington
UW Medicine Chief Health System Officer
UW Health Sciences Risk Management
UW Chief Information Security Officer
Federal and state regulatory agencies
The time you will spend cooperating with investigations, being retrained, and in other remedial activities
Imposition of sanctions, disciplinary actions, and potential civil/criminal penalties
Damage to your personal and professional reputation
22 Case Studies
The following national and UW Medicine case studies are examples of lessons learned in the stewardship of confidential or restricted data
23 National Case Studies
$1 million settlement with General Hospital Corp. and Massachusetts General Physicians Organization, Inc. (February 14, 2011)
University of Hawaii settles class action data breach involving personal information of 100,000 students, faculty, staff and alumni (January 2012)
American company had all of its data from a 10-year, $1 billion research program copied by hackers in one night (April 2012)
Alaska DHHS settles HIPAA security case for $1,700,000 (June 26, 2012)
24 UW Medicine Case Study #1
A medical student working on an IRB-approved study had his residence broken into and his laptop stolen
PHI of 1,200 patients (study data) was stored on the stolen laptop
Laptop and files containing PHI were password protected, but not encrypted
Research data considered unsecured since it was not encrypted
Possible notification of patients
Lessons learned:
Password protect AND encrypt. A login or file password alone does not protect data at rest: whoever holds the hardware can read the disk directly. Only encryption makes the PHI "secured" and keeps the loss outside the breach notification rules.
25 UW Medicine Case Study #2
A UW file cabinet was sent to surplus without removing all documents
A member of the public purchased the surplused file cabinet at a second-hand store. She found grant applications and research data and information in the drawers. The grant applications contained proprietary information and investigators' social security numbers.
No PHI
Risk analysis done; concluded that the risk of identity theft and/or harm was low
Investigators were notified
26 UW Medicine Case Study #3
A staff member's laptop was stolen while shopping
No confidential or restricted data on the hard drive; device was password protected AND encrypted; department inventory details were up to date and centrally available
Outcome: loss of physical asset, no breach, no notification of patients, no notification to federal agencies
Lessons learned:
Importance of not storing confidential or restricted information on the hard drive, of password protection, and of encryption
Value of central controls, device configuration and inventory: the department could show what was on the device and how it was configured without having the device in hand
27 UW Medicine Case Study #4
A resident's log book, left in a backpack locked in the trunk of a car, was stolen
PHI: patient name, EMR number, dates of service, date of birth, clinic and procedures
487 patients notified
Self-reported to OCR; intense OCR follow-up investigation
Lessons learned:
Written PHI may not be taken off site without authorization from a supervisor, chair or program director
Written PHI taken off site should not leave your physical possession at any time
The incident required hundreds of hours over more than a year and substantive policy changes
28 UW Medicine Case Study #5
A fellow's unencrypted hard drive was stolen from an unlocked office
PHI and QI data
3,948 patients involved; 324 patients notified due to risk of harm; notification to OCR; posted on the UW Medicine website; OCR investigation likely forthcoming
Lessons learned:
Do not remove PHI from a protected location
Password protect AND encrypt
Ensure physical security of devices at all times
29 Basic DO's and DON'Ts
Avoid taking confidential data off site or downloading it to portable or mobile devices
Use the VPN to connect remotely
If taking confidential data with you, you MUST obtain supervisor or department head approval
Secure confidential data (locking file drawer, safe, or other locked device)
Never leave confidential data in your car
Confidential data stored on mobile devices must be encrypted, and your device must be password protected
30 Closing the Loop: Your Role
(Responsibility matrix, rebuilt by role. Row labels in parentheses are added for readability; the five roles and their cell contents are the slide's own.)

INDIVIDUAL
(Accountability) Personal, professional, ethical and legal accountability
(Training and policy) Understand role-specific responsibilities and applicable policies and procedures; complete all required training
(Compliance and audit) Comply with policies and procedures
(Safeguards and risk) Implement appropriate safeguards, maintain physical security and utilize appropriate technical controls; observe access rights and restrictions
(Reporting and investigation) Report concerns, potential breaches and suspected noncompliance to supervisor, manager, unit head or compliance; cooperate fully with investigations

MANAGERS, SUPERVISORS, DIRECTORS
(Accountability) Convey expectations for accountability to direct reports; accountable for ensuring compliance
(Training and policy) Develop and implement effective new employee orientation to ensure direct reports understand their roles and responsibilities, and applicable policies and procedures; enforce training requirements; annually reinforce role-specific responsibilities using the PCISA toolkit
(Compliance and audit) Monitor compliance; accountable for improving audit results
(Safeguards and risk) Actively manage information access rights upon hire, job change, and termination; monitor use of appropriate safeguards and controls; comply with risk management decisions
(Reporting and investigation) Address concerns and/or refer to compliance; implement corrective actions and sanctions

UNIT HEADS, SENIOR LEADERS
(Accountability) Provide active leadership; establish accountability expectations and professional standards; allocate resources for compliance and security program activities
(Training and policy) Approve UW Medicine policies; support education/outreach activities; convey implementation expectations to operational areas
(Compliance and audit) Enforce compliance; evaluate audit findings and convey expectations for improved results
(Safeguards and risk) Participate in the risk assessment process; evaluate results; determine system-wide risk tolerance; make risk management decisions
(Reporting and investigation) Receive investigative reports; evaluate findings and determine appropriate corrective actions and sanctions

COMPLIANCE
(Accountability) Maintain effective compliance programs to prevent, detect, and resolve noncompliance with federal/state laws governing privacy and UW policies
(Training and policy) Establish UW Medicine privacy policies, education and outreach strategies, and implementation tools
(Compliance and audit) Audit compliance with UW Medicine privacy policies and internal controls; report findings; analyze trends
(Safeguards and risk) Assess compliance risks using internal/external data, trends and regulatory developments; recommend program modifications
(Reporting and investigation) Investigate noncompliance with federal and state laws, and UW Medicine policies; notify affected unit heads and senior leaders; report findings; analyze trends

IT SECURITY
(Accountability) Maintain an effective information security program
(Training and policy) Establish UW Medicine information technology and security policies, education and outreach strategies, technical resources, and implementation tools
(Compliance and audit) Audit information security controls; report findings; analyze trends
(Safeguards and risk) Conduct information security risk assessments
(Reporting and investigation) Conduct forensic analysis associated with potential breaches and suspected noncompliance
31 Contact Information and Resources
UW Medicine ITS Security Team
IT Services Help Desk
DOM IT Help Desk
UW Medicine Compliance
UW Medicine Compliance Anonymous Hotline (toll free)