Security of Electronic Information - PowerPoint PPT Presentation

Slides: 62
Provided by: transplan
Transcript and Presenter's Notes

1
Security of Electronic Information
  • Protecting Confidential, Sensitive, and Personal
    Data
  • in the Electronic World

UCLA TRANSPLANTATION SERVICES
2
Purpose of the Training
  • Raise awareness about how each of us can protect
    UCLA TRANSPLANTATION SERVICES patients'
    confidential and sensitive electronic information
    and our own personal electronic information
  • Better understand the risks when using and
    storing electronic information
  • Better understand how to reduce those risks

3
Basic and Advanced Training
  • Basic: for those of you who use confidential
    information to do your job, rarely use email to
    send confidential UCLA TRANSPLANTATION SERVICES
    electronic information, and work from a
    workstation on-site.
  • Advanced: for those of you who routinely use
    email to conduct UCLA TRANSPLANTATION SERVICES
    business that contains sensitive, confidential
    information; who use mobile or home workstations
    to transmit confidential information; or for
    those of you who want more information about
    reducing risks in the electronic world

4
The OPEN Nature of the Internet
  • The Internet, a Powerful Tool for unlimited,
    uncontrolled access to electronic information: a
    PLUS
  • Limitless opportunity for those seeking data for
    business, education, research, general knowledge
  • The Internet, a Powerful Tool for unlimited,
    uncontrolled access to electronic information: a
    MINUS
  • Limitless opportunity for those seeking data for
    criminal or unethical purposes

5
Introduction: Security of Electronic Information
  • Why now?
  • What is sensitive and confidential, electronic
    information, including Electronic Protected
    Health Information (ePHI)?
  • Why me?
  • What do I need to do to protect confidential,
    electronic information?
  • How do I get help?

6
Why Now?
  • The HIPAA Security Rule mandates that
  • All UCLA TRANSPLANTATION SERVICES workforce
    members shall obtain Security Awareness Training
    and implement appropriate security measures
  • Other laws and policies require us to secure
    information
  • State law SB 1386
  • UC and UCLA TRANSPLANTATION SERVICES Policies
  • Wireless/Data theft is exploding and threatens
    UCLA TRANSPLANTATION SERVICES, our patients, you
    and me
  • UCLA TRANSPLANTATION SERVICES needs your help to
    protect the confidentiality, integrity and
    availability of electronic health and financial
    information

7
What electronic information is covered by this
training and UC Policy? All information that is
confidential and sensitive, including electronic
Protected Health Information (ePHI) covered by
the HIPAA Security Rule
8
Confidential Electronic Information is
  • Information that may or may not be protected by
    law but which is desired to be treated as
    confidential and protected as such
  • Access to confidential information is prohibited
    unless permitted by policy or an exception to the
    law.
  • All reference to Confidential Electronic
    Information in this training includes Electronic
    Protected Health Information (ePHI)

9
ePHI is Confidential Information and is
  • An individual's health or financial information
    that is used, created, received, transmitted or
    stored by UCLA TRANSPLANTATION SERVICES using
    any type of electronic information resource
  • Information in an electronic medical record,
    patient billing information transmitted to a
    payer, digital images and print outs, information
    when it is being sent by UCLA TRANSPLANTATION
    SERVICES to another provider, a payer or a
    researcher
  • For example
  • An unsolicited email message from a patient after
    it is received by the healthcare provider or
    UCLA TRANSPLANTATION SERVICES ePHI
    information received, transmitted, stored, at
    rest

Notes
10
Where Do You Find Confidential Information?
  • On your workstation: at work, at home, or mobile
    devices (memory sticks, laptops, Blackberries,
    Palms, CDs, floppy discs, etc.)
  • You have responsibility for the
  • security of information on your workstation
  • On information resource media, e.g., networks,
    application systems, including operating systems,
    tools, communications systems
  • These systems are the responsibility of IT
    managers and system owners

11
Why Me? Oh, WHY ME? You use electronic
information to do your job. You use a UCLA
TRANSPLANTATION SERVICES workstation to do your
job. Each of us is responsible for understanding
and reducing the risks to confidential,
electronic information
12
Information Technology alone is not the
answer. Each one of us must be responsible for
her/his workstation, mobile device and data.
13
What do I need to do to protect ePHI or other
Confidential Information? At my UCLA
TRANSPLANTATION SERVICES Workstation? On a
Mobile Device/Home PC I sometimes use for
work-related purposes?
14
First: Understand the Risks
  • Identify risks at your workstation, for example
  • Shared passwords
  • Failure to logoff after each use
  • Use of unlicensed software
  • Viruses
  • Reduce risks at your workstation
  • Get help with questions or concerns
  • Report suspected security incidents

15
Next: Follow Safe Computing Guidelines --
Passwords
  • 1. Protect your user ID and Password. You are
    responsible for ACTIONS taken with your ID
  • a. Do NOT post, write or share Passwords with
    ANYONE
  • b. The HIPAA Security Rule requires UCLA
    TRANSPLANTATION SERVICES to be able to audit an
    individual's actions using confidential
    information
  • c. Protect your user ID and Password from
    fraudulent use or unethical behavior

16
Safe Computing Guidelines: Control Access to
Confidential Information
  • 2. Use strong passwords that are hard to guess,
    easy to remember, and change them often
  • a. Use letters, numbers, and capitalize a letter
  • 3. Always log off shared workstations
  • a. If you don't log off, someone else could use
    your User ID to illegally access confidential
    information

17
Safe Computing Guidelines: Control Physical
Access to Your Workstation
  • 1. Only authorized UCLA TRANSPLANTATION
    SERVICES users should have physical access to
    your workstation, including monitors, mouse,
    keyboard, etc.
  • 2. If you use a mobile device or home
    workstation to conduct UCLA TRANSPLANTATION
    SERVICES business (including treatment, payment
    or operations) you are responsible for physically
    securing and protecting the device and any
    confidential information.

18
Safe Computing Guidelines: Protect the
Availability of Confidential Data
  • Ask Yourself
  • Could I do my job if this data were lost due to a
    power outage, virus, crash, etc?
  • What would be the effect on patient care if this
    data were no longer available?
  • Do I know what to do in the event of a power
    outage or crash?

19
Safe Computing Guidelines: Virus Protection
  • 1. Do not open an email attachment, unless you
    know who sent it and why.
  • If in doubt, call the sender of the email to
    confirm that the attachment is safe and valid.
  • 2. Always run an updated antivirus tool; do NOT
    cancel the scheduled virus scan.
  • 3. Do not load software that you or your
    department are not licensed to use on a UCLA
    TRANSPLANTATION SERVICES workstation.

20
Safe Computing Guidelines: Email
  • Be Aware: Email is NEVER 100% secure
  • 1. Do not use email to send, receive or store
    confidential information unless it is required by
    your job
  • Always LIMIT the confidential information
    sent by email to the minimum necessary
  • 2. NEVER send, reply or forward UCLA
    TRANSPLANTATION SERVICES confidential
    information from a non-UCLA TRANSPLANTATION
    SERVICES mail account (e.g., Yahoo, AOL, etc.)

21
Safe Computing Guidelines--Report Computer
Security Incidents
  • 1. Report erratic computer behavior or unusual
    email messages to your department manager, dept
    IT resource, or IT Customer Support
  • 2. Report any suspected issues or incidents to a
    manager or the UCLA TRANSPLANTATION SERVICES
    administration (see resources)
  • 3. Report lost or stolen devices to UCLA Police
    at (310) 825-1492 and, when appropriate, Local
    Police

22
Is This a Security Incident?
  • You return to your workstation after lunch and
    notice that a patient's medical record is open on
    the screen
  • Your supervisor comments that she saw the record
    on the screen while you were away
  • You check and determine that not only is that
    record accessible, but by a click one can easily
    get into a medical record database, or other
    applications containing confidential information

23
What Was Your Responsibility to Secure Your
Workstation?
  • Do you think that someone has attempted to access
    your workstation, either manually or
    electronically?
  • Is this a shared workstation? Did you allow
    unauthorized physical and electronic access
    because you did not log off when you went to
    lunch?
  • Do you have a strong password and user ID in
    place?

24
This is a Security Incident if
  • Your passwords are weak, and there is unauthorized
    access to confidential information
  • You did not log off, and confidential information
    was compromised
  • You suspect a problem and do not report it.
    Report immediately all suspected incidents or
    security compromises to your supervisor.

25
What Can Each of Us Do To Secure Confidential
Information?
  • Each member of the workforce must take
    responsibility for securing his/her workstation
  • Get help from your system managers to implement
    IT solutions that are cost effective and meet
    your needs
  • Understand the laws and procedures and seek help
    when requirements aren't clear
  • Report suspected security incidents to a manager
    or IT Customer Support
  • Understand the consequences of non-compliance

26
Understand the Law: For Example
  • You cannot access another employee's medical
    records or financial information UNLESS it is
    specifically required by your job at UCLA
    TRANSPLANTATION SERVICES
  • You cannot look at a patient's medical records
    or financial information UNLESS it is
    specifically required by your job at UCLA
    TRANSPLANTATION SERVICES
  • If it is not required for your job,
  • it is against the law!
  • For example, NO friends' information
  • NO celebrity patients' information

27
HIPAA Requires UCLA TRANSPLANTATION SERVICES to
Tell You the Consequences for Individuals and
UCLA TRANSPLANTATION SERVICES if There is a
Violation
  • A violation of the Security Rule could also be a
    violation of the Privacy Rule and State Law
  • Civil Monetary Penalties range from $100 to
    $25,000/year, more for multiple year violations
  • Criminal Penalties range from $50,000 - $250,000
    and imprisonment for a term of 1 to 10 years
  • Fines and penalties for violation of state law,
    including SB 1386
  • UCLA TRANSPLANTATION SERVICES corrective and
    disciplinary actions, up to and including
    dismissal

28
True or False
  • Security is not a one time project. It is an
    ongoing, dynamic process that will create new
    challenges
  • as organizations change
  • and new technologies emerge.

29
UCLA TRANSPLANTATION SERVICES Is Only as Strong
As Our Weakest Link. Help UCLA TRANSPLANTATION
SERVICES maintain a strong defense and secure
our patients' confidential information
30
Thank you for helping UCLA TRANSPLANTATION
SERVICES protect the security of our patients'
Confidential Information. You have completed
the Basic Component of the Security Awareness
Training.
31
Resources and References
  • UCLA TRANSPLANTATION SERVICES Organ Specific
    Departmental Manager
  • TRANSPLANTATION SERVICES ADMINISTRATION at EXT.
    42688
  • UCLA TRANSPLANTATION SERVICES HIPAA Security
    Procedures, Electronic Security Policies and the
    HIPAA Handbook (http://transplant.mednet.ucla.edu/
    click on Hipaa)
  • Report Suspected Security Incidents to
  • Dept CSC
  • IT Customer Support 514-4100
  • UCLA TRANSPLANTATION SERVICES Police 476-1414
  • For additional information about the security of
    email, portable devices and home workstations, go
    to http://transplant.mednet.ucla.edu/ and click
    on hipaa

32
Please Continue with the Advanced Training if YOU
  • Use email containing Confidential Information to
    conduct UCLA TRANSPLANTATION SERVICES business,
    provide treatment and carry out teaching
    activities
  • Use a UCLA TRANSPLANTATION SERVICES workstation
    at home to conduct business with Confidential
    Information
  • Use a mobile device or portable workstation to
    conduct business with Confidential Information

33
Could This Become a Security Incident?
  • Dr. Gadget prides himself on being IT smart. He
    always uses emerging technologies for provider
    and patient communications. He believes this
    enhances his treatment and teaching activities.
  • His newest mobile device, his sidekick, is a
    mini-computer (about the size of a 3x5 card) with
    phone, email and instant-messaging. He routinely
    goes to the local wireless café to receive and
    send email communications to his colleagues and
    patients.
  • The device has replaced the old-fashioned note
    card, so he stores patient treatment reminders
    and info on his sidekick.

34
What are Dr. Gadget's Potential Risks?
  • Use of email to receive, transmit and store
    confidential information
  • Use of a mobile device over a wireless network
    for confidential information
  • Use of a personal, mobile device for teaching and
    treatment notes
  • Use of mobile media (memory sticks, jump drive
    card, Secured Digital (SD) card)
  • Use of a wireless café (a hot spot) for one's
    workstation
  • Can you think of any more?

35
Be Aware, Dr. Gadget!
  • Email
  • Never 100% secure
  • Sending UCLA TRANSPLANTATION SERVICES
    confidential information from a non-UCLA
    TRANSPLANTATION SERVICES account (e.g., Yahoo,
    AOL, SBC Global) is very risky business
  • Wireless network/Hot Spot Café/Public Places
  • Allow for ease of access by hackers without your
    knowledge
  • No firewalls protect the café's perimeters
  • You NEVER know who is looking over your shoulder!
  • Personal, mobile devices
  • YOU are responsible for understanding the risks
    and securing the confidential information stored,
    received, and sent with a mobile device or by
    mobile media

36
What Should Dr. Gadget Have Done to Secure His
Confidential Information?
37
Safe Computing Guidelines: Mobile Devices
  • Only use devices that can restrict access by way
    of a password or other authentication method
  • Enable all security features the device may have
  • Remove all Personal Identifiers when possible
    (see slide 9--notes for list of identifiers)
  • ONLY receive, transmit and store if absolutely
    required to do your job

38
Safe Computing Guidelines: Mobile Devices
  • UCLA TRANSPLANTATION SERVICES protected servers
    should be the first option for storage of
    confidential data or ePHI.
  • Never use a mobile device or media to store
    confidential data that is critical to providing
    patient care
  • If the device is lost or stolen, you may never be
    able to recover data critical for providing
    life-saving patient care
  • You must download and backup all confidential and
    sensitive data
  • Store and transmit ONLY the minimum amount of
    data for the shortest period of time

39
Safe Computing Guidelines: Mobile Devices
  • Use only an approved, secure method for accessing
    the UCLA TRANSPLANTATION SERVICES network via
    VPN

40
Is This a Security Incident?
  • You use a UCLA TRANSPLANTATION SERVICES mobile,
    wireless device, to record and review medical
    records and/or your teaching notes
  • Your car is broken into and your briefcase,
    containing your mobile device, is stolen
  • Is this a Security Incident?
  • Are you worried that you could be held
    responsible for the lost or stolen device?

41
Did You Take Responsibility for Securing the
Confidential Information?
  • Did you protect access to the information with a
    unique ID and strong password?
  • Did you enable all available security measures?
  • Did you limit patient identifiers to the minimum
    necessary?
  • Did you immediately report the lost device so
    that you and UCLA TRANSPLANTATION SERVICES can
    mitigate any potential harm to patients and UCLA
    TRANSPLANTATION SERVICES?
  • Did you report the loss or theft of a mobile
    device to UCLA TRANSPLANTATION SERVICES Police
    at (310) 825-1492?
  • If you can answer YES,
  • then you have done the Right Thing!

42
True or False
  • Your mobile device can be safely in your pocket
    while your stolen, confidential information is on
    the Internet for all to see!
  • There are IT solutions for assuring that your
    email is 100% secure.
  • Confidential Information is a commodity in high
    demand!
  • You are personally responsible for implementing
    safeguards that protect the confidentiality,
    integrity and availability of patient information
    on mobile devices or media.

43
Safe Computing Guidelines: UCLA TRANSPLANTATION
SERVICES Home Workstations
  • Home workstations (computers, laptops, etc.)
    should have protection equal to that of computers
    located on-site at UCLA TRANSPLANTATION SERVICES
  • Access by authorized users only: this means YOU,
    not a family member or friend who may ask for "just a
    quick access to the Internet so I can check
    email"
  • Password and User ID must be on all Home
    Workstations
  • Assure that your workstation has a properly
    configured virus software
  • Assure that you have updated anti-virus
    protections
  • Get help from your departmental IT resource or
    contact UCLA TRANSPLANTATION SERVICES IT
    Customer Support at Ext. 42688

44
Safe Computing Guidelines: Non-UCLA
TRANSPLANTATION SERVICES Home Workstations
  • You should not use a personal, home workstation
    to carry out UCLA TRANSPLANTATION SERVICES
    business with confidential information, including
    ePHI UNLESS YOU
  • Obtain approval from your manager to do so
  • Take reasonable steps to assure that physical and
    technical safeguards are in place to protect the
    information, including password and user ID
    protection
  • Connect to the UCLA TRANSPLANTATION SERVICES
    network ONLY by a VPN
  • Limit the information to the minimum necessary to
    do your job
  • Never use a personal workstation to store UCLA
    TRANSPLANTATION SERVICES confidential data.
  • Never allow access to UCLA TRANSPLANTATION
    SERVICES data by a family member or friend

45
Is Email Secure?
  • Email is never 100% secure
  • Limit confidential information to the minimum
    amount needed to do the job
  • Email is most secure when you use one of the
    approved, UCLA TRANSPLANTATION SERVICES secure
    email solutions
  • Risky Business: Never send, reply or forward UCLA
    TRANSPLANTATION SERVICES confidential
    information from a non-UCLA TRANSPLANTATION
    SERVICES mail account (e.g., Yahoo, AOL, etc.)

46
Email Risks Can Be Reduced
  • Use a combination of solutions that includes IT
    solutions and changing personal behavior
  • Limit your reply list to only those who need to
    know
  • Be succinct: don't use a chain of replies that
    perpetuates the sending of information
  • Use secure methods for wireless devices or when
    using email remotely, use VPN
  • UCLA TRANSPLANTATION SERVICES has developed a
    secure email solution that will be reasonably
    transparent to the user; see your IT support or
    contact IT Customer Support at Ext. 42688

47
Secure Email Question
  • I am a teaching physician at UCLA TRANSPLANTATION
    SERVICES and routinely work at home or at my
    local café and use my UCLA approved Blackberry to
    communicate w/ patients. I also want to connect
    with my wireless device to the UCLA
    TRANSPLANTATION SERVICES network.
  • Is the communication secure? It was my impression
    that internal communications within the UCLA
    TRANSPLANTATION SERVICES network is secure, but
    communications outside are not. 
  • Can you clarify if these communications meet the
    HIPAA safeguard requirements for electronic
    information. Thanks.

48
Answer: First, email is never 100% secure. Your
responsibility is to understand what you can do
to provide for reasonably secure email and
wireless device solutions.
49
Securing Your Email and Wireless Device
  • In a few months, UCLA TRANSPLANTATION SERVICES
    will have in place a secure email solution that
    will reasonably secure outbound communications,
    including faculty to patient.
  • In general, when using a UCLA TRANSPLANTATION
    SERVICES address, you will be able to
    communicate with your patient if you are using
    the secure email solution
  • Each department is responsible for implementing
    the secure email solution and instructing faculty
    and staff how to implement the solution.
  • To secure your wireless device, please see
    slides 38 - 43

50
And, under all circumstances
  • NEVER send, reply or forward confidential email
    from a
  • non-UCLA TRANSPLANTATION SERVICES account
  • (e.g., AOL, Yahoo, SBC Global, etc.)
  • NEVER use
  • Automatic Forwards
  • to non-UCLA TRANSPLANTATION SERVICES accounts

51
True or False
  • If no reasonable effort is made by an
    employee to address the risks of email
    transmissions, the individual and department
    could be at risk of violation of HIPAA Security,
    HIPAA Privacy and State Law SB 1386.

52
Is This Secure?
  • I am a UCLA TRANSPLANTATION SERVICES Transplant
    Coordinator and routinely receive emails from
    referring physicians that contain patient
    confidential information.
  • Does the secure email solution protect this
    information?
  • What is my responsibility when I receive these
    emails?

53
Answer
  • Protect the information as though YOU created the
    information. You must secure confidential
    information that you receive by email or any
    other electronic means --- even if you did not
    solicit the email.
  • The secure email solution will protect the
    information if you employ the solution when you
    reply to the referring physician.
  • Your responsibility is to secure the email when
    the data is at rest, download the information to
    a protected network folder, then delete the data
    from your email.
  • When replying, never use a non-UCLA
    TRANSPLANTATION SERVICES account, use only the
    minimum necessary, and limit or delete personal
    identifiers.

54
Protect Our Patients and Our Mission
  • A copy of all messages or data on a mobile device
    or media, when important to a patient's care,
    should be placed in the patient's medical record.
  • Never change another person's email message and
    pass it on without making it clear you have made
    the changes.
  • Email should never be used for urgent or
    emergency problems and patient care cases
  • No confidential information should be typed in
    the subject field caption of an e-mail message.

55
True or False
  • Research is not part of HIPAA. The HIPAA
    Security and Privacy Rules do NOT apply to the
    transmission of confidential information to a
    UCLA Medical Center researcher.

56
Safe Computing Guidelines: Research Databases
  • When UCLA TRANSPLANTATION SERVICES is providing
    data to a researcher by an electronic
    transmission, it is covered by the HIPAA Security
    and Privacy Rule
  • UCLA TRANSPLANTATION SERVICES must implement
    safeguards
  • When a health care provider/researcher is
    accessing UCLA TRANSPLANTATION SERVICES patient
    records for research purposes or reviews
    preparatory to research, it is covered by the
    HIPAA Security and Privacy Rule
  • The researcher must follow all requirements for
    accessing information. See the UCLA
    TRANSPLANTATION SERVICES on PHI and electronic
    messages

57
True or False
  • There is no such thing as a totally secure system
    that carries no risks to security.
  • To ensure the safety of confidential
    information, the covered entity (UCLA
    TRANSPLANTATION SERVICES and its workforce) must
    take steps, to the best of its ability, to
    protect the information.

58
Why is the internet like a two-year old?
  • They are both wired to be adventurous,
    curious, inventive, unpredictable, self-centered,
    and to grow by leaps and bounds
  • They can be managed, directed, protected, but
    never controlled
  • Efforts to control their nature would limit their
    potential
  • Our responsibility is to assure to the best of
    our ability that what they do is reasonably
    protected!

59
Use a Layered Approach to Protecting Information
(and 2-year olds)!
  • Layer 1: Perimeter Defense, including firewalls
    that control harmful things that could occur on
    the Internet (a fence around your home or a gated
    community, with lock or passcode)
  • Layer 2: Server Defense, includes requiring
    identification and authentication of server users
    and assuring that current antivirus and other
    security patches are in place (a lock on your
    front door)
  • Layer 3: Workstation Security, includes all of
    the defense mechanisms (access control, antivirus
    and anti-spyware) (a lock on your bathroom door)

60
Thank you for taking the time to participate in
the UCLA TRANSPLANTATION SERVICES Security of
Electronic Information Training. If you have
additional questions, contact UCLA
TRANSPLANTATION SERVICES ADMINISTRATION at ext.
42688 or one of the following resources:
61
Resources and References
  • UCLA TRANSPLANTATION SERVICES Organ Specific
    Departmental Manager
  • UCLA TRANSPLANTATION SERVICES IT support at Ext.
    42688
  • UCLA Medical Center HIPAA Security Procedures
  • http://transplant.mednet.ucla.edu/ and click on
    hipaa
  • Contact your CSC for help
  • IT Customer Support 310 794-2688
  • UCLA Campus Police at (310) 825-1492