PowerPoint Presentation - Security Awareness Training

Slide 1: Internal Medicine Associates
7/18/2015

Slide 2: Security Awareness Training
Presented by Chris Lundy
– Information Systems Manager, Internal Medicine Associates
– HIPAA Security Officer
Slide 3: HIPAA
• Health Insurance Portability & Accountability Act of 1996
• HIPAA helps you understand your responsibilities based on your job duties
• Procedures to guard data integrity, confidentiality, and availability, such as:
  – Administrative Procedures
  – Physical Safeguards
  – Technical Security
    • Services
    • Mechanisms
  – Electronic Signature
Slide 4: Administrative Procedures
Personnel Security
• Assure supervision of maintenance personnel as set forth by security protocol
• Maintain a record of all access authorizations
• Personnel security policy/procedure reviewed at corporate compliance meeting
• System users trained in security and ways to identify breaches
Slide 5: Administrative Procedures, cont.
Security Configuration Management
• Documentation
  – Hardware/software installation
  – Maintenance review
  – Testing for security
  – Inventory of all hardware/software
  – Virus checking
    • Procedures outlined
    • Policies enforced
Slide 6: Administrative Procedures, cont.
Security Incident/Management Reporting
• Report procedures
  – Incident reported to management
  – Report written with witnesses involved and then forwarded to security personnel
• Response procedures
  – Response will be documented and accurate the first time
• Risk analysis
  – A periodic assessment will be taken after an initial analysis
• Risk management
  – All identifiable risks will be documented and due diligence planning will be instituted
Slide 7: Administrative Procedures
Termination Procedures
• In the event of termination:
  – Combination locks changed
  – Removal from access lists
  – Removal of user account(s)
  – Turn in keys, tokens or cards that allow access
Slide 8: Administrative Procedures, cont.
Training
• Training is provided for all personnel (incl. management)
• Periodic security reminders will be issued in our newsletter
• Users will receive training concerning virus protection
• Users will receive training concerning monitoring success/failure and how to report discrepancies
• User education in password management
Slide 9: Physical Safeguards
Assigned Security Responsibility
• Responsibility will be assigned as follows:
  – Federal Regulations
  – Security Officer-HIPAA
  – Management
  – Supervisors
  – Users
  – Patients (patients will be trained by correspondence, leaflets, etc.)
Slide 10: Physical Safeguards
Media Controls
• Assigned access to media
• Accountability: tracking is done on media
• Data backup is done by Information Systems and is not to be backed up on floppy, CD or any other type of media
• Data storage is done offsite at the data center
• Information Systems is responsible for disposal of media and no user will destroy media
Slide 11: Physical Safeguards
Physical Access Controls
• Disaster Recovery
  – In the event of a disaster all access will be secured if possible
  – All liabilities are documented
• Emergency Mode Operation
  – There are drills performed on a random basis to test the physical control in the event of an emergency
Slide 12: Physical Safeguards
Physical Access Controls
• Equipment Control
  – All equipment is asset tagged, documented and tested to meet security requirements
  – Check in/out procedures are in place and no protected health information (PHI) is allowed to leave the premises without written authorization
• Facility Security Plan
  – All physical security is documented and floor plans are mapped out
Slide 13: Physical Safeguards
Physical Access Controls
• Pre-registered Access Authorizations
  – All authorizations will be preregistered and access cards, identifiers, and escort will be arranged
• All maintenance on the facility should be reported and documented
• All access is on a need-to-know basis
  – Example: the Director of Business Office doesn't need to know the security access of the nursing staff
  – Information Systems will not volunteer access specifications
  – Any changes will be sent via appropriate documentation
Slide 14: Physical Safeguards
Physical Access Controls
• Testing and Revision
  – All procedures and policies will be tested periodically
  – Upon completion, the needed changes will be documented and due diligence will be initiated to correct any breaches or gaps in security
  – It is everyone's responsibility to protect the facility and work with their management team to assess and correct any lapses
Slide 15: Physical Safeguards
Policies & Procedures
• Policies & Procedures are written for:
  – Workstation Use
  – Secure Workstation Location
  – These are discussed in corporate compliance training
• Training sessions on Physical Safeguards will be conducted one (1) time per year or as needed
Slide 16: Technical Security Services
Access Control
• Context-based access
  – Based on a transaction, date, time, etc.
• Role-based access
  – RBAC used for mapping specific functions in an organization
• User-based access
  – Based on the identity of the person involved (not used at IMA)
• Encryption
  – Transforming confidential plaintext into ciphertext to protect it
  – This feature is automatic on most systems
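The access-control models on this slide, as an added worked example that is not part of the original deck: a small Python policy engine (the roles, permissions and business hours are constructed, not IMA's real configuration) that applies a role-based check and a context-based date/time check together, and writes an audit line attributed to the unique user id for every decision. User-based access is deliberately absent, matching the slide's note that IMA does not use it.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed role-to-function mapping (not IMA's real configuration): RBAC maps
# organizational functions to roles, never to named individuals.
ROLE_PERMISSIONS = {
    "nurse": {"chart:read", "chart:update_vitals"},
    "physician": {"chart:read", "chart:update_vitals", "chart:prescribe"},
    "billing": {"billing:read", "billing:update"},
}


@dataclass
class AccessPolicy:
    role_permissions: dict
    # Context-based rule: ordinary transactions only during business hours ...
    business_hours: tuple = (time(7, 0), time(19, 0))
    # ... except these, which are permitted at any hour (constructed example).
    always_allowed: set = field(default_factory=lambda: {"chart:read"})

    def role_check(self, roles, transaction):
        """Role-based access: does any of the subject's roles map to this function?"""
        return any(transaction in self.role_permissions.get(r, ()) for r in roles)

    def context_check(self, transaction, when):
        """Context-based access: is this transaction allowed at this date/time?"""
        start, end = self.business_hours
        return start <= when.time() < end or transaction in self.always_allowed

    def decide(self, user_id, roles, transaction, when):
        """Return (allowed, audit_line). Both checks must pass; the audit line
        carries the unique user id so every decision is attributable."""
        rbac_ok = self.role_check(roles, transaction)
        ctx_ok = self.context_check(transaction, when)
        allowed = rbac_ok and ctx_ok
        reason = "ok" if allowed else ("role" if not rbac_ok else "context")
        audit = (f"{when.isoformat()} user={user_id} roles={sorted(roles)} "
                 f"tx={transaction} decision={'ALLOW' if allowed else 'DENY'} "
                 f"reason={reason}")
        return allowed, audit


POLICY = AccessPolicy(ROLE_PERMISSIONS)


def run_demo():
    """Constructed requests; returns the list of (allowed, audit_line) tuples."""
    day = datetime(2015, 7, 18, 10, 0)     # a morning (date taken from the deck)
    night = datetime(2015, 7, 18, 22, 30)  # after hours
    requests = [
        ("u1001", {"nurse"},   "chart:update_vitals", day),    # role ok, hours ok
        ("u1001", {"nurse"},   "chart:prescribe",     day),    # role lacks function
        ("u1001", {"nurse"},   "chart:update_vitals", night),  # right role, wrong time
        ("u1001", {"nurse"},   "chart:read",          night),  # read allowed any hour
        ("u2002", {"billing"}, "chart:read",          day),    # billing never sees charts
    ]
    return [POLICY.decide(*req) for req in requests]


if __name__ == "__main__":
    for _allowed, line in run_demo():
        print(line)
```

The order of the two checks does not matter for the decision, but the `reason` field does: reporting "role" before "context" tells the reviewer whether a denial is a provisioning gap or an off-hours attempt, which is what an incident report needs.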
Slide 17: Technical Security Services
Audit Controls
• Audits are done by Information Systems and outside services
• These are closely protected audits and safeguarded by contracts
• In the event of an audit, your department will be notified and you will comply with said audit
Authorization Control
– Role-based authorization
Data Authentication
– Based on specific software, hardware and procedures, but is regulated by Information Systems
Slide 18: Technical Security Services
Entity Authentication
• Automatic logoff is in place on all systems
• Passwords are required on all operating systems and systems accessed via the network
• Unique user identification is used to protect you and your workmates
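Automatic logoff and unique user identification from this slide, as an added example that is not the deck's own material (the 15-minute idle limit, the user names and the clock values are constructed): a Python session manager that ties each session to exactly one user id, logs the user off when a request arrives after the idle limit, and sweeps idle sessions that never make another request, writing an audit entry either way.

```python
from dataclasses import dataclass, field

IDLE_LIMIT_SECONDS = 15 * 60  # constructed value; the deck does not state IMA's timeout


@dataclass
class Session:
    user_id: str          # unique per person: no shared or group logins
    last_activity: float  # seconds on a clock supplied by the caller


@dataclass
class SessionManager:
    """Idle-timeout enforcement. The caller passes 'now' on every call so the
    logic is deterministic; in production use time.monotonic()."""
    idle_limit: int = IDLE_LIMIT_SECONDS
    sessions: dict = field(default_factory=dict)   # session_id -> Session
    audit: list = field(default_factory=list)      # constructed audit trail

    def login(self, session_id, user_id, now):
        self.sessions[session_id] = Session(user_id, now)
        self.audit.append(f"t={now:.0f} LOGIN user={user_id} session={session_id}")

    def touch(self, session_id, now):
        """Called on every request. Returns the user id if the session is live,
        or None after enforcing automatic logoff on an idle session."""
        s = self.sessions.get(session_id)
        if s is None:
            return None
        if now - s.last_activity > self.idle_limit:
            self.logoff(session_id, now, reason="idle")
            return None
        s.last_activity = now   # activity resets the idle clock
        return s.user_id

    def logoff(self, session_id, now, reason="user"):
        s = self.sessions.pop(session_id, None)
        if s is not None:
            self.audit.append(
                f"t={now:.0f} LOGOFF user={s.user_id} session={session_id} reason={reason}")

    def sweep(self, now):
        """Background pass: log off every idle session, not only those that
        happen to send another request. Returns the number still live."""
        for sid, s in list(self.sessions.items()):
            if now - s.last_activity > self.idle_limit:
                self.logoff(sid, now, reason="idle")
        return len(self.sessions)


def run_demo():
    """Constructed timeline; returns (a, b, c, remaining, audit)."""
    m = SessionManager(idle_limit=900)
    m.login("s1", "jdoe", now=0)
    m.login("s2", "asmith", now=0)
    a = m.touch("s1", now=600)      # 10 min later: still live
    b = m.touch("s1", now=1200)     # 10 min after that: still live (clock was reset)
    c = m.touch("s2", now=1200)     # 20 min idle: automatic logoff, request refused
    remaining = m.sweep(now=2200)   # s1 idle since t=1200 (1000 s > 900): logged off
    return a, b, c, remaining, m.audit


if __name__ == "__main__":
    for line in run_demo()[4]:
        print(line)
```

Because every session carries one user id, each LOGIN and LOGOFF line names the individual rather than a shared workstation account, which is what makes the audit trail useful when a colleague's credentials are suspected of misuse.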
Slide 19: Technical Security Mechanisms
Communications/Network Control
• All communications have access controls
• All network devices have access controls, anti-hack devices and alarms
• Audit trails are generated on virtually every device on the network or communicating with the network
• Certain data sets are encrypted and this is documented
• Tokens are passed between systems to assure genuine identity
• Event alarms report problems or hacks
• Integrity devices alert us to hardware or software problems and IDS reports continually on unauthorized access
• Transaction logs are generated to assure message authentication and accurate access control verification
Slide 20: Security Awareness Training