Information Security and Privacy Training Module - PowerPoint PPT Presentation

About This Presentation
Title: Information Security and Privacy Training Module
Slides: 40
Provided by: davidho64

Transcript and Presenter's Notes

Title: Information Security and Privacy Training Module


1
Information Security and Privacy Training Module
2
Introduction
  • The objective of this course is to provide staff
    members with an update of UNC Health Care's
    Information Security and Privacy policies and
    procedures.
  • In addition, new state regulations that address
    the protection of personal information are
    covered in this course.

3
Privacy/Information Security
  • Privacy and Information Security go hand-in-hand.
  • Security safeguards are used to protect the
    privacy of patient and confidential information.

4
Protected Information
  • Protected Health Information (PHI): identifiable
    patient information
  • Confidential Information may include
      • personnel information
      • system financial and operational information
        (such as new business plans)
      • trade secrets of vendors and research sponsors
      • system access passwords
  • Internal Information may include
      • personnel directories
      • internal policies and procedures

5
Your Responsibilities
  • Access information only in support of your job
    duties
  • Do not access PHI of friends, family members,
    co-workers, VIPs, ex-spouses, etc., as it is not
    required to perform your job.
  • Do not access your own online medical record,
    demographic or appointment information. Follow
    the same procedures as all other patients to
    obtain this information.
  • Do not share your access or passwords to systems
    with anyone, even if a co-worker needs access to
    the same information to do their job. You are
    responsible for all system activity performed
    under your unique UserID and password.

6
Your Responsibilities
  • Report losses or misuse of information (possible
    security breaches) promptly to your Information
    Security or Privacy Officer
  • Comply with all Information Security and Privacy
    policies
  • Remember, YOU are responsible and will be held
    accountable for the privacy and security of
    information that you access or maintain.

7
Release of PHI
  • Staff members responsible for release of patient
    information have received specific training.
    Some of these staff members include
  • Medical Information Management, Information Desk,
    Phone Operators, Public Affairs
  • When release of patient information is not a part
    of your job responsibilities, please follow the
    same procedures as our patients and visitors.

8
For Example
  • An accountant with UNC Health Care receives the
    following requests
  • The accountant's wife calls and asks him to check
    her test results from a recent appointment.
  • The accountant's neighbor calls and asks for the
    room number of another neighbor who was admitted
    to the hospital on the previous evening.

Is it OK for the accountant to look up the
information and provide the information back to
his wife and neighbor?
9
For Example
  • Answers
  • No! The accountant's wife should provide
    Medical Information Management an authorization
    form that gives permission to release the
    information to her husband.
  • No! The accountant should call the hospital
    operator to obtain the room number of his
    neighbor.

10
Good Password Habits
  • Use strong passwords where possible (at least 6
    characters, containing a combination of letters,
    numbers, special characters)
  • Change your passwords frequently (45-90 days)
  • Keep your passwords confidential!
  • If you MUST write down your passwords
  • Store them in a secure location
  • Do NOT store them near your computer, such as
    under the keyboard or on a sticky note on your
    monitor!!

11
For Example
  • An employee has to pick a new password that is
    easy to remember, but hard to guess. So she
    decides to use one of the following passwords.
  • porkchop (her dog's name)
  • 110295 (her son's birthdate)
  • Tm2tbg (based on a phrase)

Which password is the strongest?
12
For Example
  • Tm2tbg is the strongest password because
  • It is six or more characters long
  • It contains upper and lower case letters
  • It contains a number
  • It is based on a phrase that is memorable
  • (Take me to the ballgame)
  • Note that Tm2tbg contains no special character;
    adding one (for example Tm2tbg!) would make it
    stronger still.
  • You should not use passwords that can be
    associated with yourself. If someone knows you
    then they might guess your password.
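The three candidates above, checked in code. This is an added example and not part of the original training module: it applies the slide's composition rules (length, upper and lower case, digit, special character) and then a guessability check against information a co-worker might know. The personal-information list is constructed for the example (the dog's name, and 110295 assumed to be the son's birthdate of 2 November 1995 written MMDDYY).

```python
"""Check password candidates against the module's composition rules and
flag ones built from information an acquaintance could guess."""
import re
from datetime import date

MIN_LENGTH = 6  # the slide's minimum

# Constructed for this example: things a co-worker might know about the employee.
EXAMPLE_PERSONAL_WORDS = ["porkchop"]         # her dog's name
EXAMPLE_PERSONAL_DATES = [date(1995, 11, 2)]  # assumed: 110295 read as MMDDYY
CANDIDATES = ["porkchop", "110295", "Tm2tbg"]


def policy_checks(password):
    """Which of the slide's composition rules the password satisfies."""
    return {
        "length": len(password) >= MIN_LENGTH,
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(not c.isalnum() for c in password),
    }


def date_forms(d):
    """Digit-only spellings of a date that people type as passwords."""
    yy = f"{d.year % 100:02d}"
    return {
        f"{d.month:02d}{d.day:02d}{yy}",      # MMDDYY
        f"{d.day:02d}{d.month:02d}{yy}",      # DDMMYY
        f"{d.month:02d}{d.day:02d}{d.year}",  # MMDDYYYY
        f"{d.year}{d.month:02d}{d.day:02d}",  # YYYYMMDD
    }


def guessable(password, personal_words, personal_dates):
    """Reasons someone who knows the user could guess this password."""
    reasons = []
    lowered = password.lower()
    for word in personal_words:
        if word.lower() in lowered:
            reasons.append(f"contains personal word '{word}'")
    digits = re.sub(r"\D", "", password)
    for d in personal_dates:
        if digits and digits in date_forms(d):
            reasons.append(f"is the personal date {d.isoformat()}")
    return reasons


def evaluate(password, personal_words=(), personal_dates=()):
    """Score a candidate: number of rules met, and whether it is acceptable."""
    checks = policy_checks(password)
    reasons = guessable(password, personal_words, personal_dates)
    score = sum(checks.values())
    # Acceptable: long enough, meets at least four of the five rules,
    # and is not derived from personal information.
    acceptable = bool(checks["length"] and score >= 4 and not reasons)
    return {"checks": checks, "score": score, "guessable": reasons,
            "acceptable": acceptable}


def strongest(candidates, personal_words=(), personal_dates=()):
    """The candidate that is acceptable and meets the most rules."""
    def rank(pw):
        r = evaluate(pw, personal_words, personal_dates)
        return (r["acceptable"], r["score"], len(pw))
    return max(candidates, key=rank)


if __name__ == "__main__":
    for pw in CANDIDATES:
        print(pw, evaluate(pw, EXAMPLE_PERSONAL_WORDS, EXAMPLE_PERSONAL_DATES))
    print("strongest:", strongest(CANDIDATES, EXAMPLE_PERSONAL_WORDS,
                                  EXAMPLE_PERSONAL_DATES))
```

Tm2tbg is chosen because it meets four of the five rules and is not tied to the employee; it has no special character, so a policy that requires one would still reject it. porkchop and 110295 fail twice over: they meet only two rules each, and both are derived from facts a colleague could know.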

13
Malicious Software
  • Most damage from Malicious Software can be
    prevented by regular updates (patches) of your
    computer's operating system and antivirus
    software.
  • Viruses spread to other machines by the actions
    of users, such as opening email attachments.
  • Worms are programs that spread on their own,
    without user action.
  • Spyware is software that is installed on your
    computer without your knowledge, often bundled
    with "free" downloads from web sites.
  • Spam is unsolicited or "junk" electronic mail
    messages that can clog up e-mail systems.

14
Safe E-mail Use
  • Do not open email attachments if the message
    looks suspicious.
  • Delete and DON'T respond to spam even if it has
    an unsubscribe feature.
  • E-mail containing protected information such as
    PHI being sent outside UNC Health Care requires
    additional protection. Contact your entity's IT
    Department or Information Security Officer for
    instructions on installation of secure e-mail.

15
For Example
  • While online at work, an employee sees a pop-up
    ad for a free custom screen saver. He clicks on
    the "I agree" button and his computer downloads
    and installs the screen saver utility. After a
    few days he notices that his computer is running
    slower and calls the Help Desk.

What did he do wrong?
16
For Example
  • He installed software from an unknown source
  • He didn't read the fine print before clicking
    "I agree"
  • Many free applications include a spyware
    utility that will cause performance problems and
    potentially release confidential information.

17
Mobile Computing / External Storage
  • Palm/Pocket PC, PDA, and laptop PC are examples
    of mobile computing devices
  • Diskettes, CD ROM disks, and memory sticks are
    examples of external storage devices.
  • Protected information stored on these devices
    must be safeguarded to prevent theft and
    unauthorized access.

18
Mobile Computing / External Storage Controls
  • Mobile computing devices that store protected
    information must have a power-on password,
    automatic logoff, data encryption or other
    comparable approved safeguard.
  • Whenever possible, protected information on
    external storage devices must be encrypted.

19
Mobile Computing / External Storage Controls
  • Never leave mobile computing or external storage
    devices unattended in unsecured areas.
  • Immediately report the loss or theft of any
    mobile computing or external storage devices to
    your entity's Information Security Officer.

20
For Example
  • A physician leaves his PDA which contains PHI as
    well as personal information on the back seat of
    his car. The PDA did not have a power-on
    password nor encryption. When he returns to the
    car, the PDA is missing.

What should the physician have done?
What should the physician do now?
21
For Example
  • The physician should have password protected the
    PDA and PHI should have been encrypted to prevent
    unauthorized access.
  • He should now
  • Contact his Information Security Officer
  • Report the loss to his immediate supervisor
  • Since this was a possible theft, report the
    incident to the appropriate law enforcement agency

22
Remote Access
  • All computers used to connect to UNC Health Care
    networks or systems from home or other off-site
    locations should meet the same minimum security
    standards that apply to your work PC.
  • Some good practices when working from home
    include
  • Set up your computer in a private area
  • Log off before walking away
  • Ensure that passwords are not written down where
    they can be found
  • Lock up disks and other electronic storage
    devices that contain patient and other
    confidential information
  • Maintain up-to-date virus protection on your PC

23
Faxing Protected Information
  • Fax protected information only when mail delivery
    is not fast enough to meet patient needs.
  • Use a UNC Health Care approved cover page that
    includes the confidentiality notice with all
    faxes.
  • Ensure that you send the information to the
    correct fax number by using pre-programmed fax
    numbers whenever possible.
  • Refer to the UNC Health Care fax policy.

24
PHI Notes
  • PHI, whether in electronic or paper format,
    should always be protected! Persons maintaining
    notes containing PHI are responsible for
  • Using minimal identifiers
  • Appropriate security of the notes
  • Properly disposing of information when no longer
    needed.
  • Information on paper should never be left
    unattended in unsecured areas

25
Disposal of Information
  • Protected Information should NEVER be disposed of
    in the regular trash!
  • Paper and microfiche must be shredded or placed
    in the secured Shred-it bins.
  • Diskettes and CD ROM disks can also be placed in
    the secured Shred-it bins or physically
    destroyed.
  • The hard drives out of your PC must be physically
    destroyed or electronically shredded using
    approved software.
  • Contact your entity's IT Department or
    Information Security Officer for specific
    procedures.

26
Physical Security
  • Computer screens, copiers, and fax machines must
    be placed so that they cannot be accessed or
    viewed by unauthorized individuals.
  • Personal computers must use password-protected
    screen savers to further protect against
    unauthorized access.

27
For Example
  • An employee working from home takes a brief
    break and leaves her computer logged on to the
    system. CDs and paperwork containing PHI clutter
    her desk, so she decides to throw away some of
    the papers she no longer needs. When she returns
    30 minutes later, she finds her computer still
    logged on to the system.

Is the employee properly protecting the above
PHI?
How can the employee better protect the PHI?
28
For Example
  • Answer: No, the PHI is not properly secured.
  • The employee should put in place the following
    controls to protect the PHI
  • Log off of the computer when she steps away
  • Turn on her password protected screen saver so
    that it kicks in quickly when there is no
    activity (3-5 minutes)
  • Secure both the CDs and paper in a locked cabinet
    or drawer when not attended
  • Use appropriate procedures for disposal of PHI,
    even at home: paper should be shredded or taken
    back to the office and placed in the secure bin
    for shredding later

29
The Identity Theft Protection Act (ITPA)
  • The ITPA is a NC State Law that imposes certain
    obligations on NC State agencies and NC
    businesses concerning the collection, use, and
    dissemination of Social Security Numbers and
    other personal identifying information.

30
Collection and Use of SSN
  • NC State statute requires that UNC Health Care
    attempt to collect social security numbers (SSN)
    from patients and other individuals who may
    become debtors. Because of these requirements,
    the Identity Theft Protection Act allows UNC
    Health Care to continue to request and collect
    SSNs, but a patient cannot be required to provide
    it.
  • UNC Health Care is required to protect SSNs and
    other personal identifying information.

31
ITPA Personal Identifying Information
  • Driver's license number
  • Social Security number
  • Employer taxpayer identification numbers
  • Identification card numbers
  • Passport numbers
  • Checking account numbers
  • Savings account numbers
  • Credit card numbers
  • Debit card numbers
  • Personal Identification Numbers (PIN)
  • Digital signatures
  • Biometric data
  • Fingerprints
  • Passwords
  • Any other numbers or information that can be used
    to access a person's financial resources
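A practical use of this list is to check documents for these identifiers before they leave the organization by e-mail or fax. The scanner below is an added example, not part of the original training module: it looks for two of the identifier classes above (Social Security numbers and payment card numbers), filters out look-alikes using the SSA issuance rules and the Luhn check digit, and redacts what remains. The billing note it scans is constructed for the example, including a legacy ID and an MRN that resemble an SSN and a card number but are not.

```python
"""Scan free text for two ITPA identifiers (SSNs and payment card numbers)
before it is e-mailed or faxed, and redact what is found."""
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def valid_ssn(area, group, serial):
    """Reject SSN look-alikes the SSA never issues: area 000, 666 or
    900-999, group 00, serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def luhn_ok(number):
    """Luhn check-digit test used by payment card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:  # every second digit, counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text):
    """Return (kind, matched_text) for each identifier that passes validation."""
    found = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            found.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group(0)):
            found.append(("card", m.group(0)))
    return found


def redact(text):
    """Mask each finding, keeping only the last four digits for reference."""
    out = text
    for kind, value in find_pii(text):
        last4 = re.sub(r"\D", "", value)[-4:]
        out = out.replace(value, f"[{kind} redacted, ends {last4}]")
    return out


# Constructed sample: a billing note as it might be typed before being faxed.
SAMPLE_NOTE = (
    "Patient called about balance. SSN on file 123-45-6789 (verify).\n"
    "Paid by card 4111 1111 1111 1111, exp 09/27. Callback 919-555-0100.\n"
    "Legacy ID 000-12-3456 is not an SSN; MRN 4000000000000001 is not a card.\n"
)

if __name__ == "__main__":
    print(find_pii(SAMPLE_NOTE))
    print(redact(SAMPLE_NOTE))
```

The validation steps matter as much as the patterns: without them the legacy ID (area 000) and the MRN (which fails the Luhn check) would both be flagged, and staff quickly learn to ignore a scanner that cries wolf. A production check would cover the rest of the list above (driver's license, account numbers, and so on) with the formats used by the issuing bodies.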

32
Security Breaches and Notification
  • Effective October 1, 2006, UNC Health Care and
    other state agencies are required to notify
    affected individuals of Security Breaches. Each
    potential Security Breach will be reviewed by the
    Identity Theft Sub-Committee. If it is
    determined that a Security Breach occurred,
    appropriate actions will be taken, including the
    notification of the affected individuals.

33
For Example
  • A local school teacher checks into UNC Hospitals
    for cosmetic surgery. During the registration
    process she did not provide her Social Security
    Number when it was requested.
  • Can the Hospital require her to provide her
    Social Security Number?

34
For Example
  • No!
  • The hospital can only collect Social Security
    Numbers on a voluntary basis.

35
Summary
  • Patient, confidential, and personal identifying
    information should ONLY be accessed by, and
    shared with, authorized persons.
  • It is YOUR responsibility to
  • Protect SSN and other personal identifying
    information.
  • Protect Patient, Confidential and Internal
    Information
  • Review and comply with UNC Health Care Identity
    Theft Policy
  • Review and comply with UNC Health Care Privacy
    and Security policies

36
Disciplinary Actions
  • Individuals who violate the UNC Health Care
    Information Security and Privacy policies will be
    subject to appropriate disciplinary action as
    outlined in the entity's personnel policies, as
    well as possible criminal or civil penalties.

37
For more information
  • Visit UNC Health Care's HIPAA Web site for
    more information on security and privacy
    policies.
  • Intranet.unchealthcare.org/site/w3/hipaa

38
UNC Health Care Contacts
  • Compliance Office: (919) 966-8505
  • Privacy Office: (919) 843-2233
  • Security Office: (919) 966-0084
  • Medical Information Management: (919) 966-1225
  • Compliance E-Mail: Compliance@unch.unc.edu

39
You have now successfully completed the online
Information Security and Privacy Module