
Network Security for End Users in Health Care Name of Presenter Title of Presenter.



Presentation transcript:

1 Network Security for End Users in Health Care Name of Presenter Title of Presenter

2 Agenda Why Is Security Important? Components of Network Security How You Can Help Keep the Network Secure

3 Why is Security Important?

4 Why Should We Care about Network Security? Potential for downtime and impact on patient care; expense to the practice (the dreaded blank-check scenario); damage to reputation from security breaches (newspaper headlines); possible fines for security breaches. HIPAA requires that we implement security measures to protect PHI, on paper and electronically!

5 PHI Protected Health Information (PHI) under HIPAA means any information that identifies an individual and relates to at least one of the following: The individual’s past, present or future physical or mental health. The provision of health care to the individual. The past, present or future payment for health care. Information is deemed to identify an individual if it includes either the individual’s name or any other information that could enable someone to determine the individual’s identity.

6 ePHI and Encryption Electronic PHI (ePHI) is PHI that is stored, transmitted or received electronically, on any device or medium: desktops, tablets, or laptops; external hard drives, including iPods, tapes, or disks; removable storage devices (USB drives, keys, CDs, DVDs, etc.); PDAs and smart phones; electronic transmission, including email, file transfer (FTP), wireless, etc.

7 Headlines July 07, 2010 Conn. AG, Health Net Reach Settlement Over Medical Data Breach On Tuesday, insurer Health Net reached a $250,000 settlement with Connecticut Attorney General Richard Blumenthal (D), who sued the company after it lost a computer hard drive in 2009, Dow Jones/Wall Street Journal reports. The hard drive contained medical and financial information on about 500,000 members from the state. (Solsman, Dow Jones/Wall Street Journal, 7/6).

8 Headlines June 2, 2010 “Many of the major healthcare information breaches reported since last September, when the HITECH Breach Notification Rule took effect, have involved the theft or loss of unencrypted laptops and other portable devices.” Terrell Herzig is HIPAA security officer at UAB Health System in Birmingham, Ala.

9 What is a Breach? According to the Health Information Technology for Economic and Clinical Health (HITECH) Act: A breach is the impermissible use or disclosure of PHI such that said use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual. Breach notification is only required where unsecured PHI is involved. Unsecured PHI is PHI which has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance.

10 Data Breach – Lost CDs with ePHI

11 Components of Network Security

12 Typical Practice Network (diagram). Components shown: Internet, Firewall, Remote Access, Wireless Access Point, Wireless Tablet PCs, Switch, Front Desk, Office Workstations, EHR Server, Light-duty Scanner, High-speed Scanner, Copier/Scanner.

13 The Front Door of Your Network (the Internet side). Firewall: hides your network; provides access rules; allows only trusted partners access to your network. Remote Access: allows only trusted users (authentication); must be encrypted (VPN or SSL/TLS); security wins over ease of use. Wireless Devices: must be encrypted; allow only trusted devices.

14 The Back Door of Your Network: email-borne threats; viruses (self-replicating software); malware (malicious software); out-of-date antivirus software; outdated operating systems; missing operating-system patches.

15 The Danger Within: lost laptops, tablets, PDAs, and smart phones holding ePHI; sharing passwords or using the same password for everything; emailing ePHI without encryption; responding to bogus requests (phone, email, web); ePHI leaving the building on unencrypted electronic media (tapes, CDs, USB drives, etc.); installing risky software (Audiogalaxy, Limewire, etc.).

16 Phishing: Tricking the user into going to a web site and giving up private information or passwords. Example:

If you receive the email below with the subject "Reset your symquest.com password", please delete it. This was not sent by the Information Systems department. Thanks, Darrin

From: symquest.com [mailto:support@symquest.com]
Sent: Tuesday, June 29, 2010 11:48 AM
To: odinability@symquest.com
Subject: Reset your symquest.com password

Hello, odinability@symquest.com. We received your request to reset your symquest.com password. To confirm your request and reset your password, follow the instructions below. Confirming your request helps prevent unauthorized access to your account. If you didn't request that your password be reset, please follow the instructions below to cancel your request.

CONFIRM REQUEST AND RESET PASSWORD
Click on the following web address: https://symquest.com/EmailPage.srf?emailid=mail/?shva=1#inbox/12983ccaa8732d93

CANCEL PASSWORD RESET
Click on the following web address: odinability@symquest.com https://symquest.com/EmailPage.srf?emailid=mail/?shva=1#inbox/12983ccaa8732d93
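The slide shows what the user sees; a help desk or mail gateway can also triage such a message mechanically. The script below is an added example (not code from the original presentation or from symquest.com). The sample message is reconstructed from the slide with plain RFC 822 headers added so the standard library parser can read it; the second, benign message, the indicator names and the heuristics themselves are this example's own choices. Note that in the plain-text version on the slide the link host matches the sender's domain, so a domain-mismatch check alone would pass it; the other signals (a credential-reset lure, webmail-client fragments pasted into a "reset" link, and the same URL offered for both "confirm" and "cancel") are what catch it.

```python
"""Heuristic triage of a suspected phishing e-mail (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample: the message text from the slide, with headers added.
SAMPLE_EMAIL = """\
From: symquest.com <support@symquest.com>
To: odinability@symquest.com
Date: Tue, 29 Jun 2010 11:48:00 -0400
Subject: Reset your symquest.com password

Hello, odinability@symquest.com.
We received your request to reset your symquest.com password. To confirm
your request and reset your password, follow the instructions below.
Confirming your request helps prevent unauthorized access to your account.
If you didn't request that your password be reset, please follow the
instructions below to cancel your request.

CONFIRM REQUEST AND RESET PASSWORD
Click on the following web address:
https://symquest.com/EmailPage.srf?emailid=mail/?shva=1#inbox/12983ccaa8732d93

CANCEL PASSWORD RESET
Click on the following web address:
https://symquest.com/EmailPage.srf?emailid=mail/?shva=1#inbox/12983ccaa8732d93
"""

# Constructed control: an ordinary internal message that should raise nothing.
BENIGN_EMAIL = """\
From: Jane Doe <jdoe@symquest.com>
To: odinability@symquest.com
Subject: Friday agenda

The agenda is posted at https://intranet.symquest.com/meetings/friday
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
LURE_PHRASES = ("reset your password", "confirm your request",
                "verify your account", "click on the following")
# Fragments that belong to a webmail client's own UI, not to a reset
# service; inside a "reset" link they suggest a pasted inbox URL.
WEBMAIL_UI_TOKENS = ("shva=", "#inbox", "/mail/u/")


def extract_urls(body):
    return URL_RE.findall(body)


def link_host(url):
    return (urlsplit(url).hostname or "").lower()


def triage(raw_message):
    """Return a sorted list of indicator names found in the message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()                     # single-part text message
    text = (msg.get("Subject", "") + "\n" + body).lower()
    urls = extract_urls(body)
    indicators = set()

    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    # A bare domain used as the display name ("symquest.com <...>") is a
    # common spoofing pattern; real senders have a person or team name.
    if display_name and re.fullmatch(r"[\w.-]+\.\w+", display_name):
        indicators.add("display_name_is_bare_domain")

    if any(phrase in text for phrase in LURE_PHRASES):
        indicators.add("credential_lure")

    for url in urls:
        host = link_host(url)
        if host != sender_domain and not host.endswith("." + sender_domain):
            indicators.add("link_domain_mismatch")
        if any(token in url for token in WEBMAIL_UI_TOKENS):
            indicators.add("webmail_ui_tokens_in_link")

    # A genuine reset flow gives "confirm" and "cancel" different links;
    # one URL for both means the link exists only to be clicked.
    if "cancel" in text and len(urls) >= 2 and len(set(urls)) == 1:
        indicators.add("same_url_for_confirm_and_cancel")

    return sorted(indicators)


if __name__ == "__main__":
    print("suspect:", triage(SAMPLE_EMAIL))
    print("benign: ", triage(BENIGN_EMAIL))   # prints []
```

Any non-empty result is a reason to hold the message for a human look; none of these heuristics is proof on its own, and a message that trips only one of them may well be legitimate.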

17 Other Security Risks: Disposal of Equipment Many devices today (not only computers) contain hard drives that can hold ePHI! Care must be taken in disposal so that the ePHI is erased. Always ensure that IT has wiped or physically destroyed hard drives prior to disposal.

18 Other Security Risks: Social Networking Sites Risks of social networks: malware attacks (Facebook rated the riskiest); compromises the user's machine; collects personal information for sale on the black market; targets the circle of friends to get to the primary target.

19 How You Can Help Keep the Network Secure

20 Typical Network (diagram). Components shown: Internet, Firewall, Switch, Front Desk, Office Workstations, Network Printer.

21 User Access Control and Password Guidance Unique User ID: never share your user ID! All system access with your ID is YOUR responsibility. Password Guidelines: do not re-use any of your last 12 passwords; change your password at least every 90 days; passwords must be at least 8 characters; passwords must combine upper- and lower-case letters, numbers and special characters; your user account locks after 3 failed attempts.
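The rules above are enforced by the EHR or directory server, not by the user, but seeing them as code makes clear what "do not re-use the last 12 passwords" requires of the system: it must keep salted hashes of old passwords and re-hash each candidate against them. The following is an added example (not code from the original presentation or from any product it names); the Account class, the in-memory store, the PBKDF2 round count and the sample users are this example's own assumptions.

```python
"""Enforcing the slide's password rules in code (added example)."""
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

MIN_LENGTH = 8
HISTORY_DEPTH = 12          # current password plus the 11 before it
MAX_AGE = timedelta(days=90)
LOCKOUT_THRESHOLD = 3
PBKDF2_ROUNDS = 100_000     # assumed value; tune upward for production


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the history stores these, never plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ROUNDS)
    return salt, digest


def meets_complexity(password):
    """Length >= 8 and at least one upper, lower, digit and special character."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return (len(password) >= MIN_LENGTH
            and all(any(ch in cls for ch in password) for cls in classes))


class Account:
    def __init__(self, user_id, password, now=None):
        self.user_id = user_id
        self.history = []        # (salt, digest) pairs, newest last
        self.failed = 0
        self.locked = False
        self.changed_at = None
        self.set_password(password, now)

    def set_password(self, new_password, now=None):
        """Apply the complexity and history rules; ValueError names the rule."""
        now = now or datetime.now()
        if not meets_complexity(new_password):
            raise ValueError("complexity")
        # Re-hash the candidate with each stored salt so reuse is detected
        # without ever keeping old passwords in clear text.
        for salt, digest in self.history[-HISTORY_DEPTH:]:
            if hmac.compare_digest(hash_password(new_password, salt)[1], digest):
                raise ValueError("reuse")
        self.history.append(hash_password(new_password))
        self.history = self.history[-HISTORY_DEPTH:]
        self.changed_at = now
        self.failed = 0

    def verify(self, password, now=None):
        """Return "ok", "expired", "bad_password" or "locked"."""
        now = now or datetime.now()
        if self.locked:
            return "locked"           # no hashing, no hint about the password
        salt, digest = self.history[-1]
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            self.failed = 0
            if now - self.changed_at > MAX_AGE:
                return "expired"      # authenticated, but must change it now
            return "ok"
        self.failed += 1
        if self.failed >= LOCKOUT_THRESHOLD:
            self.locked = True        # an administrator must unlock
            return "locked"
        return "bad_password"


if __name__ == "__main__":
    acct = Account("jdoe", "Winter!2010", now=datetime(2010, 6, 1))
    print(acct.verify("Winter!2010", now=datetime(2010, 7, 1)))    # ok
    print(acct.verify("Winter!2010", now=datetime(2010, 9, 15)))   # expired
```

Two design points worth noticing: the lockout check runs before any hashing, so a locked account gives the same answer whether or not the password was right, and the history check costs one PBKDF2 computation per stored entry, which is why the depth is bounded rather than unlimited.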

22 Automatic Logoff Your EHR session should terminate after 15 minutes of inactivity. Always save your work before leaving your workstation! Your Windows screen-saver should lock your workstation after 15 minutes of inactivity. Pressing Windows+L, or Ctrl+Alt+Delete and then Enter, will lock your workstation manually.

23 Remote Access Must use a VPN tunnel or SSL/TLS connection. Requires user authentication. Always physically secure your laptop, PDA, or other mobile device when traveling! (Remember the headline on Slide 8?)

24 Accounting for Disclosures Always record why PHI is being disclosed (treatment, payment, or another authorized purpose). Minimum Necessary Rule: "…take reasonable steps to limit the use or disclosure of, and requests for, [PHI] to the minimum necessary to accomplish the intended purpose."

25 Tasks for "the IT Guy" (or Gal) Role-Based Access: manage who gets access to what. Firewall Review: make sure that communication with the outside world is secure. Wireless Security: manage who gets WiFi access. Antivirus: manage software to keep viruses and malware at bay. Server/Workstation Updates: make sure all software gets appropriate updates to mitigate problems.

26 Backup: Keep a backup of all data, just in case! Backup Encryption: Make backup data unreadable to snoopers. Recovery: Have a plan in case disaster strikes!

27 Summary Protecting data is everyone’s responsibility. Understand HIPAA. Hold each other accountable.

