Information Security Training
2010
Authored by:
Gwinnett Medical Center
Information Security Department
Modified for affiliated schools’ students & instructors by:
Linda Horst, RN, BSN, BC
Objectives
After you finish this Computer-Based Learning (CBL) module, you should be able to:
- Explain the basic concepts included in the GMC Security Initiative.
- Explain your security responsibilities and the part you play in protecting sensitive information and assets belonging to GMC.
Topics Covered in this CBL
- GMC Information Security Initiative
- Acceptable use
- Social engineering
- Passwords
- Desktop security
- Computer viruses
- Disposal of sensitive information
- Notebook computers and portable devices
- Information Security incidents or breaches
- Reporting incidents or breaches
GMC Information Security Initiative
Mission
The mission of the GMC Information Security Initiative is to protect the Confidentiality, Integrity, and Availability of GMC information and information technology by applying innovation, sound strategies, and proven security best practices.
GMC Information Security Initiative
Regulations, Standards
The GMC Information Security Initiative is based on the following regulations and standards:
- Health Insurance Portability and Accountability Act (HIPAA).
- National Institute of Standards and Technology (NIST) standards.
- Health Information Technology for Economic and Clinical Health (HITECH) Act.
- Payment Card Industry (PCI) standards.
- Joint Commission (JC) accreditation.
GMC Information Security Initiative
GMC Responsibilities
GMC must:
- Set up and follow information security policies.
- Train employees to follow the policies.
- Have an information security official who is responsible for making sure security rules are set up and followed.
- Make sure certain sensitive information stays secure.
- Control access to electronic protected health information (ePHI).
- Protect ePHI from alteration, destruction, loss, and disclosure to unauthorized persons.
GMC Information Security Initiative
Associate Responsibilities
Associates must:
- Comply with GMC security policies and procedures.
- Sign a confidentiality agreement:
  - Before beginning work, and
  - With each performance review, or annually, or as appropriate.
- Agree, in writing, to follow security policies.
- Report security breaches or incidents.
Acceptable Use
GMC Assets
Our GMC network, e-mail system, Internet, and connections to external services are mainly for business use.
You can use GMC technology for personal use if:
- You get your instructor's and the unit manager's permission.
- Your personal use does not interfere with your work or the work of others.
You may not remove GMC assets – such as computers or printers – from the facility.
Acceptable Use
E-mail
Abuses of e-mail privileges include:
- Profanity, obscenities or derogatory remarks.
- Pornographic material.
- Threats and hate literature.
- Chain letters inside or outside the organization.
- Sexual, ethnic, racial or other workplace harassment.
Do not open e-mails from someone that you do not know.
Acceptable Use
Internet Surfing
- You may not visit inappropriate Internet sites or engage in inappropriate communications.
- Examples include sites or communications that are:
  - Pornographic.
  - Culturally offensive.
  - Racist or hate-related.
  - Related to gambling.
  - Related to computer hacking.
  - Terroristic.
Acceptable Use
Internet Newsgroups
If you post anything on an Internet newsgroup or bulletin board from a GMC e-mail address:
- Include a disclaimer stating that the opinions you’ve expressed are strictly your own and not necessarily those of GMC.
- Exception: If the posting is in the course of business duties.
Acceptable Use
Your Privacy
- When you use GMC information technology and computer systems, your activities are not private.
- GMC monitors activity that occurs on its network.
- If you misuse GMC computer equipment, you are subject to disciplinary action.
Acceptable Use
Your Privacy, continued
GMC monitors electronic forms of communication, including:
- Internet use.
- Corporate e-mail (Outlook).
- Web-based e-mail (Yahoo! Mail, Hotmail, etc.).
- Instant messaging.
- Peer-to-peer file sharing (KazaA, Napster, etc.).
- File transfer (FTP).
- Telnet sessions.
Acceptable Use
Your Privacy, continued
GMC monitors computer use to ensure that:
- Sensitive information is being sent out correctly.
- There are no sexually harassing or pornographic communications taking place.
- Associates are using their time and resources appropriately.
- Associates are viewing appropriate websites.
Social Engineering
- Social engineering is the process of tricking or manipulating someone into giving access to sensitive information without the person realizing he or she has been manipulated.
- Social engineering remains one of the greatest vulnerabilities for the organization and the most successful way to defeat security.
Social Engineering, continued
Examples of social engineering:
- Tailgating: One person, or more than one person, follow(s) an authorized person through a secured door or other entrance when the authorized person opens the door legitimately.
- Shoulder surfing: Direct observation techniques, such as looking over someone's shoulder, to get information.
Social Engineering, continued
Examples of social engineering:
- Impersonation: A person pretends to be someone that he or she is not – such as a PC tech, support staff, or member of the cleaning crew – in order to gain information.
  - Example: You receive a phone call from someone claiming to be a PC tech or GMC associate requesting such information as:
    - Passwords
    - User name
    - Other sensitive information
Passwords
Passwords:
- Are a series of characters – such as a, b, c, 1, 2, 3 – known only to you as the person approved to use the computer system.
- Allow you to access the GMC network and applications you are authorized to use.
- Help make sure you are not an intruder and that you are the user.
- Prevent unauthorized access to the GMC network.
Passwords
Make Them Strong
“Strong” passwords:
- Contain characters from three of the following four categories:
  - A capital letter, such as A, B, X, or T
  - A lower case letter, such as a, b, x, or t
  - A number, such as 1, 4, 7, or 9
  - A special character, such as @ * # $ \ or &
- Are at least eight alphanumeric characters long.
- Are changed at least once every 90 days.
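The three rules on this slide (three of four character categories, minimum length, 90-day change interval) are concrete enough to be checked by a program, which is how an application or help desk tool would enforce them rather than relying on each person to count categories by hand. The following Python module is an added example written for this page; it is not GMC code or part of any GMC system. The function names are the author's own, and it treats the slide's "eight alphanumeric characters" as eight characters of any kind, since the slide counts special characters as one of the four categories.

```python
"""Check a candidate password against the policy stated on the slide.

Added illustration, not GMC code.  The policy constants below are the
slide's numbers; the function names and the reading of "eight
alphanumeric characters" as "eight characters of any kind" are assumptions.
"""
import string
from datetime import date
from typing import List, Set

MIN_LENGTH = 8            # "at least eight ... characters long"
REQUIRED_CATEGORIES = 3   # "three of the following four categories"
MAX_AGE_DAYS = 90         # "changed at least once every 90 days"


def character_categories(password: str) -> Set[str]:
    """Return which of the four slide categories appear in the password."""
    categories: Set[str] = set()
    for ch in password:
        if ch.isupper():
            categories.add("upper")
        elif ch.islower():
            categories.add("lower")
        elif ch.isdigit():
            categories.add("digit")
        elif ch in string.punctuation:
            categories.add("special")
        # Spaces and other characters count toward length but not toward
        # any of the four categories the slide names.
    return categories


def check_password(password: str) -> List[str]:
    """Return a list of violation codes; an empty list means the password complies.

    Both rules are evaluated, so a user sees every problem at once instead of
    fixing one and being rejected again for the other.
    """
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if len(character_categories(password)) < REQUIRED_CATEGORIES:
        problems.append("too_few_categories")
    return problems


def is_expired(last_changed: date, today: date) -> bool:
    """True when the password is older than the 90-day change interval.

    Exactly 90 days old is still acceptable; day 91 is overdue.
    """
    return (today - last_changed).days > MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ["Passw0rd!", "password", "Ab1", "abc"]:
        print(repr(candidate), check_password(candidate) or "ok")
    print("expired on day 91:", is_expired(date(2010, 1, 1), date(2010, 4, 2)))
```

A real deployment would also reject passwords found in breach lists or containing the user name, neither of which the slide mentions, and would never log or print the candidate password as the demonstration loop above does.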
Passwords
“Don’ts”
- Do not share passwords with anyone. Doing so makes you responsible for the actions others take with your computer access.
- When possible, do not use the same password for accessing multiple GMC applications.
- Do not use the “remember password” feature of computer programs.
Passwords
Storage and Breaches
- Do not store passwords in your office where they are accessible to others.
  - Example: On sticky notes or attached to your computer or keyboard.
- Keep written passwords on your person.
  - Example: Inside your badge.
- If you suspect that your password has been compromised, report the incident to the Customer Response Center at x23333.
Desktop Security
- Log off and exit computer programs when leaving a workstation.
- When not in use, protect all computers, computer terminals, and printers with key locks, passwords, or other controls.
- Ensure that your computer screen is turned so that passersby cannot read information on the screen (shoulder surfing).
Desktop Security
Screensaver
- GMC uses screen savers throughout the system.
- Personal computers are set to time out after a period of inactivity:
  - Clinical: 1-minute screen timeout for inactivity; not password protected.
  - Administrative: 15-minute screen timeout for inactivity; password protected.
  - Exempt: No screen saver; not password protected.
Exempt list additions must be supported by a good business reason and approved by Information Security and either the Chief Information Officer (CIO) or the Senior Information Security Officer (SISO).
Desktop Security
Data Backup
- The hard disc in your computer is always at risk of breaking down.
- Back up your important documents to your H: or G: drive.
  - The H: drive is your “Home” or personal network drive. As a rule, only your login name will have access to this data.
  - The G: drive is your “Group” or department share drive. The members of your department or group all have access to this data.
- Information Services backs up these network-based drives nightly.
- Generic logins – those logins used by many people – usually do not have H: or G: drive access.
Computer Viruses
Computer viruses are dangerous!
- A computer virus is a program that:
  - Runs on a computer without the knowledge or permission of the user, and
  - Is meant to damage your computer or to gain access to your information.
- GHS runs anti-virus software, but we need your help to ensure that we all do the best job we can to protect our network and the sensitive information that we are privileged to handle.
Computer Viruses, continued
Viruses can:
- Spread onto computer discs and across a network.
- Corrupt data files.
- Format your hard drive.
- Delete files.
- Install software that will allow a hacker access to your system.
- Cause a total failure of a computer system.
Computer Viruses, continued
Viruses spread through:
- CDs.
- Internet sites.
- File downloads.
- E-mail.
If you suspect that your computer has a virus, contact the CRC at x23333.
Computer Viruses, continued
Never:
- Download software or files from the Internet unless they are from a known and reputable source.
- Open unknown or unexpected e-mail attachments.
- Download files from disc or jump drives:
  - Received from a source you do not trust.
  - Created by an unprotected computer.
- Open an e-mail from someone that you do not know.
Disposal of Media
- You must dispose of media containing sensitive information so that the information cannot be accessed by any unauthorized person.
- Proper media disposal methods:
  - Paper records: Place in Shredit Bins.
  - Discs: Take to Information Services (Operations).
  - Hard disc drives: Contact the CRC at x23333.
Notebook Computers, Portable Devices
Data on notebook computers and portable devices is at greater risk than other data.
- Never leave a notebook computer or portable device unattended. Lock it up!
- Never leave a notebook computer case or portable device visible in your car.
- Store as little sensitive information on the notebook computer or portable device as possible.
- If your notebook computer or portable device is lost or stolen, report it to the Information Security and Public Safety departments immediately.
Security Incidents or Breaches
There are three types of information security breaches:
1. Acts of carelessness or negligence
   - Example: Leaving a notebook computer visible in your car.
2. Acts of curiosity or concern without authorized need to know
   - Example: Watching over someone’s shoulder to see sensitive information that you are not authorized to view.
3. Acts of malice or for personal gain
   - Example: Theft of GMC computer equipment.
Reporting Incidents or Breaches
If you believe an information security incident or breach has occurred:
- Let your instructor and manager know, especially if you notice any problems with meeting the rule requirements.
- Report incidents or breaches of sensitive GMC information to:
  - Security hotline: 404-291-8233, or
  - E-mail: [email protected], or
  - Corporate Compliance Hotline: 888-696-9881.
Reporting Incidents or Breaches, continued
GMC takes disciplinary actions in response to confirmed information security breaches.
- If you fail to report a known or suspected breach, or if you report a breach for malicious reasons, you might receive a disciplinary action or be removed from your academic experience.
- The Information Security department investigates all suspected information security breaches.
- Disciplinary action may result in termination of employment and/or your academic experience.
- As an associate, if you disagree with the disciplinary action, you can file a grievance.
Information Security Policies
You can access the information security policies covered in this CBL on Gwinnettwork.
- 9530-100  Information Security Program
- 9530-101  Information Security Training
- 9530-102  Disposal of Media Containing Sensitive Information
- 9530-103  Clear Screen and Desk
- 9530-104  E-mail Usage
- 9530-105  User Password Management
- 9530-106  Internet/Intranet Usage
- 9530-107  Secure PC/Workstation Location
- 9530-108  Virus Checking
- 9530-109  Acceptable Use of Computer Equipment
- 300-517   Associate Disciplinary Actions for Confidentiality and Information Security Breaches
Congratulations!
- You have completed this CBL module.
- Continue on to take the test by referring back to the Student Orientation Website.
Questions? Contact Information Security:
- Emmanuel Ogidigben 678-312-4691
- Tracy Goodman 678-312-4381
- Allen Olmstead 678-312-4243