Online Course: Module 2 General Information Security

Presentation transcript:


Introduction
In this course, you will learn about UNC HCS’s information security policies and procedures. All UNC HCS workforce members must comply with our information security policies and procedures.

Information Security
The purpose of Information Security is to protect the confidentiality, integrity, and availability of information.
– Confidentiality means that data or information is not made available or disclosed to unauthorized persons or processes.
– Integrity means that data or information has not been altered or destroyed in an unauthorized manner.
– Availability means that data or information is accessible and useable upon demand by an authorized person.

Protected Information
Protected Health Information (PHI)
– Identifiable patient information
Confidential Information may include:
– personnel information
– system financial and operational information (such as new business plans)
– trade secrets of vendors and research sponsors
– system access passwords
Internal information may include:
– personnel directories
– internal policies and procedures
– most internal electronic mail messages

Your Responsibilities
– Access information only in support of your job duties.
– Report losses or misuse of UNC HCS information, or other security problems, promptly to your Information Security Officer.
– Comply with all Security and Privacy policies.
Remember, YOU are responsible and will be held accountable for the security of protected information that you access or maintain.

Malicious Software
Viruses, Worms, Spyware and Spam are examples of malicious software, sometimes known as “malware”.
Most damage can be prevented by regular updates (patches) of your computer’s operating system and antivirus software.

Virus
Computer viruses are a major threat to information systems and your data.
– Viruses “infect” your computer by modifying how it operates and, in many cases, destroying data.
– Viruses spread to other machines by the actions of users, such as opening attachments.

Worms
Worms are programs that can:
– run independently without user action
– spread complete working versions of themselves onto other computers on a network within seconds
– destroy computer resources such as hard drives

Spyware
Spyware is software that is secretly loaded onto your computer, monitors your activities, and shares that information without your knowledge.
Certain websites install spyware on every computer that visits those sites.

For Example:
While online at work, Amanda sees a “pop up” ad for a free “atomic clock.” She clicks on the “I agree” button and her computer downloads and installs the atomic clock utility. After a few days she notices that her computer is running slower and calls the Help Desk.
What did she do wrong?

For Example:
– She installed software from an unknown source.
– She didn’t read the fine print before clicking “I agree”.
Many “free” applications include a spyware utility that will cause performance problems and potentially release confidential information.

Spam
Spam is unsolicited or "junk" electronic mail messages, regardless of content.
Spam usually takes the form of bulk advertising and may contain viruses, spyware, inappropriate material or “scams”.
Spam also clogs systems.

Safe Use
– Do not open attachments if the message looks the least bit suspicious, even if you recognize the sender. When in doubt, throw it out.
– Do not respond to “spam” – simply discard or delete it, even if it has an “unsubscribe” feature.
– E-mail containing protected information such as PHI being sent outside the HCS requires additional protection. Contact your entity’s Information Security Officer for more information.

For Example:
Bill receives an unsolicited e-mail which, when he opens it, he determines is “junk”. He “clicks” on the unsubscribe button at the bottom of the e-mail and then deletes the original message.
What did he do wrong?

For Example:
– Once he identified the e-mail as “spam” he should have deleted the message.
– He should not have “unsubscribed”; this confirms his address is valid and will result in additional “spam”.

Password Control
Most security breaches come from within the organization – and many of these occur because of bad password habits. Therefore:
– Use strong passwords where possible (at least 6 characters, containing a combination of letters, numbers, special characters)
– Change your passwords frequently (45-90 days)
– Keep your passwords confidential! (Do not share them with ANYBODY.)
– If you MUST write down your passwords:
   Store them in a secure location
   Do NOT store them under your keyboard, on a Post-it, etc.!!

For Example:
Charlotte has to pick a new password. So that she can remember it, she decides to use one of the following passwords.
– ettolrahc (her name backwards)
– (her birth date)
– (based on her favorite book)
Which password is the strongest?

For Example is the strongest password because:
– It is six or more characters long
– It contains upper and lower case letters
– It contains a number
– It contains special characters
– It’s based on something memorable

Peer-to-Peer (P2P) File Sharing
P2P file sharing programs such as Morpheus, Kazaa, etc. are commonly used to download unauthorized or illegal copies of copyrighted materials such as music or movies.
P2P programs also frequently contain spyware, viruses, etc.
Use of P2P programs on UNC HCS networks is prohibited.

Mobile Computing Devices
If you use a Palm/Pocket PC (PDA) device or a laptop PC, you must employ the following security controls:
– power-on passwords
– automatic logoff
– data encryption or a comparable approved safeguard to protect the data
Never leave mobile computing devices unattended in unsecured areas.
Immediately report the loss or theft of any mobile computing device to your entity’s Information Security Officer.

For Example:
A physician leaves his PDA, which contains PHI as well as personal information, on the back seat of his vehicle. The PDA did not have a power-on password or encryption. When he returns to the vehicle, the PDA is missing.
What should the physician have done?
What should the physician do now?

For Example:
The physician should have password protected the PDA, and PHI should have been encrypted to prevent unauthorized access.
He should now:
– Contact his Privacy or Information Security Officer
– Report the loss to his immediate supervisor

Remote Access
All computers used to connect to UNC HCS networks or systems from home or other off-site locations should meet the same minimum security standards that apply to your work PC.

External Storage Devices
Protected Information stored on external storage devices (diskettes, CD-ROMs, portable storage, memory sticks, etc.) must be safeguarded to prevent theft and unauthorized access.
Whenever possible, encrypt protected information on these devices.
External storage devices should never be left unattended in unsecured areas.
Immediately report the loss or theft of any external storage devices to your entity’s Information Security Officer.

Faxing Protected Information
– Fax protected information only when mail delivery is not fast enough to meet patient needs.
– Use a UNC HCS approved cover page that includes the confidentiality notice with all faxes.
– Ensure that you send the information to the correct fax number by using pre-programmed fax numbers whenever possible.
– Refer to the UNC HCS fax policy.

PHI Notes
PHI, whether in electronic or paper format, should always be protected!
Persons maintaining notes containing PHI are responsible for:
– Using minimal identifiers
– Appropriate security of the notes
– Properly disposing of information when no longer needed
Information on paper should never be left unattended in unsecured areas.

Appropriate Disposal of Data
Protected Information should be disposed of appropriately.
– Hard copy materials such as paper or microfiche must be properly shredded or placed in a secured bin for shredding later.
– Magnetic media such as diskettes, tapes, or hard drives must be destroyed or “electronically shredded” using approved software and procedures.
– CD ROM disks must be rendered unreadable by shredding, defacing the recording surface, or breaking.
– No Protected Information should be placed in the regular trash!

Physical Security
Equipment such as PCs, servers, mainframes, fax machines, and copiers must be physically protected.
– Computer screens, copiers, and fax machines must be placed so that they cannot be accessed or viewed by unauthorized individuals.
– Computers must use password-protected screen savers.
– PCs that are used in open areas must be protected against theft or unauthorized access.
– Servers and mainframes must be in a secure area where physical access is controlled.

Reporting Losses or Misuses of Information
You should immediately report any losses or misuses of protected information to your Information Security Officer.
The Security Incident Response Team (SIRT) will investigate any incidents.

Disciplinary Actions
Individuals who violate the UNC HCS Information Security Policy will be subject to appropriate disciplinary action as outlined in the entity’s personnel policies, as well as possible criminal or civil penalties.

For more information:

You have now successfully completed the online HIPAA General Security Module.