DATA STEWARDSHIP SLIDES E15


Personal Accountability for Data Stewardship
2014
1st Year Medical Students

Noella Rawlings, Director of Compliance, School of Medicine
John Soltys, Senior Computer Specialist, UW Medicine IT Security
Agenda
• Defining data stewardship and your responsibilities
• Safeguarding confidential information
• DO’s and DON’Ts
• Current security threats
• Tools and resources
What is Data Stewardship?
• Being personally and professionally responsible for the security and integrity of confidential information, electronic or paper, entrusted to you.
• Confidential Information – data whose protection is required by law, including:
  • Protected health information (PHI) – protected by HIPAA
  • Individual student records – protected by FERPA
  • Personally identifiable information (PII) – financial information (e.g., credit card, bank), social security number and driver’s license number – protected by Washington’s breach notification law
  • Other personal information – public employees’ home addresses, personal contact information, performance evaluations – protected by the Washington Public Records Law
  • Proprietary intellectual property or trade secrets, research data – protected by the Washington Public Records Law
Your Responsibilities
• You are responsible for the safekeeping of data in your care
• Limit the data in your care to minimize the risk of loss
• Comply with UW Medicine and UW policies regarding the safekeeping of data
  • Must encrypt mobile devices used to store or transmit confidential information
  • E-mail containing PHI must be secured in transport (encrypted connections)
  • Use strong passwords
  • Must use UW approved cloud services
What is a Breach?
• A “breach” is the unauthorized acquisition, access, use or disclosure of unsecured PHI that compromises the security or privacy of the PHI
• Breaches of unsecured PHI require notification to the Office of Civil Rights (OCR) and affected individuals. They may also require notice to the media and posting on the UW Medicine website
• A breach is presumed; the covered entity has the burden of showing that a breach has not occurred
• There are two ways to secure PHI:
  • Encryption
  • Destruction
  Both render PHI unusable, unreadable or indecipherable
Consequences of a Breach
• Potential damage to personal, professional and institutional reputation
• Breaches are:
  • Very costly – fines, sanctions and remediation
  • Very time consuming – investigation, reporting
  • Embarrassing – your name is reported to your Program Director, Department Chair, Dean of the School of Medicine, UW Medicine Chief Health System Officer and UW Medicine and School of Medicine Compliance Officials, AND possible public notification
Recent Examples of Loss
• Unencrypted laptop stolen from locked, parked car
• Briefcase containing PHI stolen from locked, parked car
• Backpack containing PHI stolen from locked, parked car
• Unencrypted laptop containing PHI and PII stolen from office in Health Sciences Building
Rule Number One
If you use a mobile device to store or transmit PHI or PII, your mobile device MUST be encrypted!

Rule Number Two
NEVER leave confidential data in your car!
Other Basic Do’s and Don’ts
• Avoid taking confidential data off-site or downloading it to portable or mobile devices
• If taking confidential data with you, you MUST obtain supervisor or department head approval
• Password protect all devices
• Use VPN to connect remotely
• Ensure the physical security of information – lock up confidential data (locking file drawer, safe, or other locked device)
• Prepare for the worst – protect yourself against theft – nobody thinks they will be a victim!
CURRENT SECURITY THREATS
PHISHING
• Phishing is a very common way accounts are stolen
• Don’t click links in e-mail, and if you do, don’t enter your credentials
• UW Medicine periodically sends phishing messages to our workforce to help raise awareness – includes training
• YOU WILL RECEIVE PHISHING MESSAGES – be very wary and very cautious!
MALWARE
• Cryptolocker/Locker: a very destructive malware threat – it encrypts your data and tries to sell it back to you
• Malware infections are typically obtained via e-mail attachments or by visiting a website and downloading a file (such as an MP3 file)
• Sophos Anti-virus sometimes detects the malware (the malware name used is Troj/Ransom-ACP)
DON’T FALL FOR THIS SCHEME!
What Can You Do?
• NEVER open an attachment from an unknown source
• If the context of the message doesn’t make sense, delete the message or call the sender to verify the e-mail
• Always be wary of messages that ask you to update your password or confirm your account – UW IT support groups will never ask you to do this via a link in an e-mail
• Report any warning messages from antivirus or other software immediately. DO NOT CLICK ON THE LINK!
• Minimize the confidential information you store
• Encrypt the data and the device
• Keep your operating system and software up to date (stay patched)
• Empty your e-mail “Trash bin” (Deleted Items) regularly or set it to empty automatically when you exit the program
• Contact your Department IT support staff for assistance with any device you use for work
Incident Reporting
• If you get infected, or think you may be infected, contact UW Medicine IT Security IMMEDIATELY!
• Report information security incidents when they occur. Contact IT Services Help Desk at [email protected]. If it is urgent, call 206-543-7012
• Report the loss or theft of PHI to UW Medicine Compliance at 206-543-3098 or [email protected] immediately
• Immediately notify the Director of Compliance for the School of Medicine at [email protected] or 206-685-0173
TOOLS AND RESOURCES
Tools to Assist You in Safeguarding Data
• Encryption
  https://security.uwmedicine.org/training/dept_materials/default.asp
• Complex passwords
  http://security.uwmedicine.org/guidance/role_based/end_user/default.asp
• Physical data security – lock offices, files and computers
• Education and training materials
  https://security.uwmedicine.org/Training/Sec_Aware/default.asp
• Privacy, Confidentiality and Information Security Agreement (PCISA)
  http://depts.washington.edu/comply/docs/PP_04_A.pdf
  https://security.uwmedicine.org/training/data_stewardship/PCISA_discuss_tool.pdf
• Following policies restricting removal of data from worksites
UW Medicine Policies
UW Medicine Compliance Policies
• http://depts.washington.edu/comply/privacy.shtml
• http://depts.washington.edu/comply/docs/PP_30.pdf
UW Medicine IT Security Policies
• http://security.uwmedicine.org/guidance/policy/default.asp
Smartphone/Tablet Security
If you use a smartphone or tablet (UW owned or your personal device) to conduct UW business, such as accessing your UW e-mail, we recommend:
• Auto-lock the device and use a strong password
• Enable encryption on the device
• Set an automatic lockout timer on the device
• Activate Tamper Wipe: i.e. the phone is wiped clean after 10 pass code or PIN attempts (all data is deleted)
• Activate the “find my phone” function
• Don’t use cloud back up services, such as iCloud or Google Drive, unless it is a cloud approved by UW Medicine IT Security for PHI or FERPA data
• Don’t store data on the SIM card
Encryption Resources
Where to get information and help with encryption:
• Encryption guidelines for mobile devices:
  • https://security.uwmedicine.org/training/dept_materials/default.asp
  • https://security.uwmedicine.org/guidance/technical/encryption/default.asp
• Whole disk encryption guidelines:
  • http://ciso.washington.edu/site/files/Whole_Disk_Encryption_Guideline.pdf
  • http://security.uwmedicine.org/guidance/technical/encryption/MobileDevice_Encryption/other_windows_linux_guidance.asp
• IT Services Help Desk: [email protected]
• DOM IT Help Desk: [email protected]
SkyDrive Pro (OneDrive) Resource
SkyDrive Pro Site (requires UW NetID):
https://depts.washington.edu/uwsom/information-technology/skydrivepro
Phishing Resources
Educational Tools
• UW Medicine IT Security Phishing Awareness Announcement:
  https://security.uwmedicine.org/Home/Communications/Phishing_Awareness_Email_041212/default.asp
• Office of the Chief Information Security Officer phishing video:
  http://ciso.washington.edu/site/files/Phishing/story.html
Other Resources
Office of the Chief Information Security Officer
• http://ciso.washington.edu/resources/onlinetraining/
• http://ciso.washington.edu/resources/smartcomputing/
• http://ciso.washington.edu/
UW Medicine IT Security
• https://security.uwmedicine.org
Contact Information
• UW Medicine IT Services Help Desk: [email protected]
• UW Medicine ITS Security Team: [email protected]
• UW Medicine Compliance: [email protected], 206-543-3098
• Noella Rawlings, UW School of Medicine, Director of Compliance: [email protected], 206-685-0173

Questions?