HIPAA Health Information Portability

About This Presentation

Title:

HIPAA Health Information Portability

Description:

Title: HIPAA Health Information Portability & Accountability Act of 1996 Author: The Compliance Department Last modified by: Musso, Stephanie Created Date – PowerPoint PPT presentation

Number of Views:923

Avg rating:3.0/5.0

Slides: 99

Provided by: TheCompli7

Learn more at: http://www.stonybrookmedicalcenter.org

Category:

more less

Transcript and Presenter's Notes

Title: HIPAA Health Information Portability

1
Corporate Compliance HIPAA Privacy HIPAA
Security
2
Training Objectives

To Help
Bridge the Gap Between Ethics Compliance
Find Ways to Place Regulatory Theory into
Practice
Heighten Awareness of Non-Compliant Activities

3
Reality check

Rules provide a set of expectations towards an
expected end
they serve as a roadmap for direction

The healthcare industry is full of
RULES REGULATIONS
But they do serve a purpose!

5
FEDERAL COSTS

As noted by Withrow (1999)
Healthcare expenditure gt1 trillion/per year
Healthcare billing fraud 100 billion/per year

6
Compliance as a buzz wordIts really about
doing the right thing.Liken it to an ethical
responsibility.
7
Practice of Clinical Medicine

Requires a strong knowledge-base of practical
issues that can result in
Informed Consent
Truthful Communication
Confidentiality
End of Life Care
Pain Relief
Patient Rights
(HCCA,2004)

8
SBUH Responsibility

Organizations should find the right balance
between compliance and integrity.
Must do vs. Ought to do

9
LET US LOOK at CASE EXAMPLES

10
Case 1

Mr. Cope was admitted for inpatient
treatment of obesity with a protein-sparing
modified fasting regimen. He was found repeatedly
in the cafeteria, cheating on the diet. His
physician made reasonable efforts to persuade him
to change his behavior.
How should the physician handle this
situation?

11
Response

It would be ethically permissible for the
physician to abandon therapeutic goals and to
discharge the patient from the Hospital. These
goals are unachievable because of the patients
failure to participate in the treatment program.
(Jonsen, Siegler Winslade, 1998)

12
Case 2

A resident authorizes a medical student to
obtain and document the history and condition of
a patient without supervision. The resident then
tells the student to write a progress note and
leave it unsigned.
Is there a compliance implication?

13
Response

Medical students are not considered
residents under the Medicare guidelines.
Therefore, to meet the billing requirements under
PATH, services involving medical students are
only billable when performed in the physical
presence of an attending physician, or jointly
with a resident.

14
Case 3

Dr. Brown supervised resident physicians
during the hours of 8am and 10am on Monday
morning.
Is Dr. Brown allowed to bill Medicare for
services that he provides to these patients?

15
Response

Graduate Medical Education (GME) is
reimbursed under Medicare Part A. Private
physician services are reimbursed under Medicare
Part B. If Dr. Brown is unable to define the
line between where his academic, teaching
activities end and where his private physician
activities begin, then billing under Medicare
Part B will be considered double-dipping, which
is a fraudulent billing practice.

16
Case 4

Dr. Martin has just become a part-owner of XYZ
Clinical Laboratories. She intends to refer all
of her patients to this facility.
Are there any compliance implications for this
type of activity?

17
Response

This situation creates a conflict that
violates the Stark Law a federal, civil
prohibition. Under Stark a physician is not
allowed to self-refer to an entity in which the
physician or an immediate family member may have
a financial interest.
The federal government initially surveyed
Medicare patient clinical laboratory referrals
and found that when the doctor had a financial
interest in the facility, referrals were 65
higher than for non-Medicare patient referrals.

18
Conflicts of Interests

The Ethics Law and SBUH policy prohibit
situations that can create a conflict of
interest.

19
A Conflict of Interests Arises

when a persons judgment and discretion is
or may be influenced by personal considerations,
or if the interests of SBUH
are compromised.
Examples include
Accepting gifts from vendors
Misuse of Hospital assets
Activities that violate principles governing
research

20
What is a Gift?

According to the NYS Ethics Commission a
gift may be in the form of
Money
Loan
Travel
Meal
Refreshment
Entertainment
Any Good or Service

21
Violations of Ethics Law

With regard to gift taking, NYS employees
are not
allowed to accept gifts valued above
nominal Value
For example, coffee mug, pads, pens, key tags,
lanyards, jar grip openers, magnets business
Cards, retractable tape measures, etc.
Penalties imposed by the Ethics Commission
are up to 10,000/per incident.

22
ABOUT CODING AND DOUMENTATION
23
Evaluation and Management/EM codes

Are categorized by place of service
(i.e. Hospital, Office, ER, etc.)
Provide definitions for new and established
patients
Begin with 99 and are 5 digits in length
Require history, physical examination and/or
medical decision making
Describe the Who, What, Where, and Why

Accurate billing diagnosis code procedure
code
These two elements should be in harmony.

25
Documentation is Key

Medicare says
If its not documented then it didnt happen.

FACT
Documentation must always support the billing
for a claim.

27
EXAMPLE

A patient is admitted to a unit after
complaining of pain in his left arm.
Any tests ordered should support this
condition.
Without proper documentation an order for an MRI
of the brain would be questionable.

28
Down the Pipeline

Billing codes are based on the documentation
Codes that dont match will raise a flag!

29
Implications

Rejected/Denied claims
Possible audit of the organization

30
Consequence

Increased governmental scrutiny
Fines
Loss of revenue
Service and staffing cuts
Loss of privileges
(i.e., exclusion from the Medicare Program)

31
The Joint Commission is

A private agency entrusted by Medicare to
certify that healthcare organizations meet a set
of established standards. These criteria are
incorporated in
Medicares Conditions of Participation

The formula
Delivery of quality healthcare services
Imposition of governmental mandates
Cost-cutting measures by insurance carriers
Accrediting body rules
Guidance for Clinical Practice

33
Patient Choice vs. Patient Consent

1) Patient consent
Patient agrees to a proposed course of treatment
by medically authorized personnel.
It is best to have consent in writing

34
Patient Choice vs. Patient Consent

2) Patient choice
Preferences are based on patient values and
personal assessment of benefits and burdens.
(HCCA, 2004)

35
Patient choice What to ask?

Physicians should ask
What does the patient want?
What are the patients treatment goals?
Is the patients right to choose being respected?

Physicians are challenged when patients fail to
accept or cooperate with a medical
recommendation. However
Clinicians should not be expected to render
treatment that is illegal or contradictory to the
recognized standard of care (HCCA, 2004)

37
Beyond the Hippocratic Oath

Professional Ethics for Residents must include
adherence to the following doctrines
Medical Necessity
Physicians at Teaching Hospitals (PATH)

38
PATH

Teaching Physicians
Are required to be present during complex
procedures
Must be available to furnish all procedures for
Medicare patients

39
PATH Constraints

FACT
The inherent nature of academic medical center
(AMC) operations preclude attending physicians
from being present in every situation.

40
Deficit Reduction/False Claims Act

Federal and State Laws
Imposes penalties and fines on INDIVIDUALS and
ORGRANIZATIONS that file false or fraudulent
claims for payment from Medicare, Medicaid or
other federal health programs.
NYS False Claims can be Civil and or Criminal
Both provide Whistleblower protections
An employer MAY NOT take retaliatory action
against an employee if the employee discloses
information about the employers policies,
practices or activities to a regulatory, law
enforcement or other similar agency or public
official.
The employees disclosure is protected only if
the employee FIRST brought up the matter with a
supervisor (departmental chain or command) and
gave the employer a reasonable opportunity to
correct the alleged violation

41
Compliance is more than

Adherence to regulatory requirement
(i.e.)
EMTALA
Medicare Medicaid Regulations
HIPAA
Anti-Kickback Stark Law(s)
Deficit Reduction/False Claims Act(s)

42
HIPAA HITECH REGULATIONS Stephanie
Musso, SBUH HIPAA Privacy Officer
43
What is HIPAA?

Health Insurance Portability and Accountability
Act of 1996
Focus Title II
Addresses the privacy (4/14/03) security
(4/20/05) of health care information
Guaranteed individuals rights
Establish national standards for e-health care
transactions
Reduce health care fraud and abuse

44
What is HITECH?

On February 17, 2009 the Federal Stimulus Bill or
American Recovery and Reinvestment Act (ARRA) was
signed into law and included provisions to
address Health Information Technology For
Economic and Clinical Health Act (HITECH).
Purpose is to create a national health
information infrastructure and widespread
adoption of electronic health records through
monetary incentives.
Provide enhanced Privacy Security Protections
under HIPAA including increased legal liability
for non-compliance and greater enforcement.

45
Who must comply?

Organizations Involved in the Provision of
Healthcare Services
Individuals Involved in the Delivery of
Healthcare Services
Under the HITECH Act 2009 Business Associates are
now held to the same regulatory requirements as
the health care provider they do business with.

46
What are the HIPAA Privacy and Security Rules
Protecting?

PHI Protected Health Information
Any form of information that can identify,
relate or be associated with an individual
obtaining healthcare services and can be
electronic, hard copy or verbal.

47
What Constitutes PHI?

Personal Information
Name, Address, Phone Number, Fax Number, E-mail
Address. Dates Birth/Death, Admission/Discharge
, Procedure/Surgery. Numbers SSN,
Certificate/License Number, Automobile/Vehicle
Identifiers
Medical Information
Medical Record Number, Health Plan Information,
Test Results, Clinical Notes and Procedural
Information, Care Plans, Diagnoses
Technical Information
All of the above in electronic format and
Biometric Identifiers (finger or voice prints),
Full-Facial Photographic Images, Device
Identifiers/Serial numbers, Web URLs, IP
addresses, Account Numbers
The information can be written, verbal or
electronic

48
Patient Rights

Receive Notice - Inform them how their health
information is being used and shared Joint
Notice of Privacy Practices (JNPP)
Restrict - Decide whether to give permission
before their information can be used or shared
for certain purposes other then treatment,
payment or operations (opt-out)
Access - Ask to see and get a copy of their
health records
Amend - Ask to have corrections added to their
health information
Accounting - Request a report on when and why
their health information was shared
File a Complaint - If they believe their PHI was
used or shared in a way that is not allowed under
the privacy law or they were not able to exercise
a right.

49
How is HIPAA Enforced?

Civil monetary penalty
Civil penalty for inadvertent violation fines
of 100/per
incident up to 25,000/per year for each similar
offense.
EXAMPLE
A hospital employee violates HIPAA by
misdialing a fax number and sending 100 patient
records to Starbucks. The hospital the
employee may have to pay a 10,000 (100 X 100)
fine.

50
Worse Case Scenario.

Criminal Penalties
Criminal penalties large fines jail time,
and increase with the degree of the offense.
Example
A hospital employee steals and sells patient
information for personal profit. Criminal
penalties could be as much as 1.5 million and/or
10 years in jail.

51
What Must I Do?

Maintain Confidentiality
Find private locations to discuss patient
information
Always Close doors pull privacy curtains
Do Not discuss patient information in public
places
Use, disclose access only the Minimal Necessary
Leave generic messages on patient answering
machines
This is Dr. Smith calling for Mr. Jones
please call me at 444-XXXX at your earliest
convenience
Direct ALL media inquiries to the Public Affairs
Office
Discard ALL material containing PHI in the
Confidentiality Bins
(paper, whole binders, folders, scrap
notes, computer disks CDs)
Do Not leave any materials containing PHI open to
public viewing
LOG-OFF computers when you have completed your
task
DO NOT leave handheld devices, PDAs or laptops
unattended
Use your unique user ID and password and DO NOT
share ID/Passwords
DO NOT send PHI over the internet or via e-mail
including file attachments in an e-mail outside
of the UHMC Lotus Notes Network
Do Not Snoop (neighbors, friends, relatives,
immediate family members, colleagues)
When in doubt ask the HIPAA Privacy Officer at
4-5796.

52
What changes can I expect under HITECH?

Effective September 23, 2009 Breach Notification
is required for any unauthorized acquisition,
access, use or disclosure of unsecured PHI (PHI
that is not secured through the use of a
technology or methodology specified by the
Secretary of HHS gt encryption or destruction).
Notice Requirements gt Patient, Secretary of HHS
Business Associates of a Covered Entity are held
to the same standards and are liable under the
HITECH Act. Business Associate Agreements must
be updated to include HITECH provisions. (SUNY
effective July 1, 2009)
Accounting of Disclosures from the electronic
medical record to now include treatment, payment
and healthcare operations for up to a 3 year
period.

53
What changes can we expect? Continued

Patients can get a copy of their record in an
electronic format and can request we send it to
their PHR provider.
Individually Directed Privacy Restrictions
patient pays out-of-pocket in full for services
can restrict all disclosures
Restrictions on Marketing, Fundraising and the
sale of PHI
Preference for Limited Data Sets and
De-Identified Info
Clarification on Minimum Necessary guidance
expected 8/17/10
Enforcement and New Penalties Increased
enforcement and oversight activities CEs and
individual subject to criminal provisions State
AGs can bring civil suit in Federal Courts on
behalf of state residents harmed individuals can
receive a of CMPs or settlement

54
Outpatient Services

Be aware that many of our Physician Practices are
maintaining outpatient health care records
Several Physician Practices are using some form
of electronic outpatient health care record
These records are governed by the same
Privacy/Security Regulations defined by the HIPAA
Rule and NYS Law
SBUH HIM department provides guidance to the
physician practices in order to ensure compliance
with HIPAA and NYS Regulations

55
Myth or Fact

A doctor's office can send medical records of a
patient to another doctor's office without that
patient's authorization.

56
Fact

Authorization is not necessary for one doctor's
office to transfer a patient's medical records to
another doctor's office for treatment purposes.
However, an ancillary service department
(Radiology, Laboratory) can not send a report to
a physician who calls in a request if they are
not the ordering physician or the patient did not
request at the time of the testing the
additional physician(s) who should receive the
report.

57
Myth or Fact

A hospital is prohibited from sharing
information with the patients family without the
patients authorization.

58
Myth

Under the Privacy Rule, a health care provider
may disclose to a family member, other relative,
or a close personal friend of the individual, or
any other person identified by the individual ,
the medical information directly relevant to such
persons involvement with the patients care or
payment related to the patients care. What we
should not be doing is providing information
related to the patients past medical history,
only information pertinent to his/her present
condition.

59
Myth or Fact

A patients family member can no longer pick up
prescriptions for the patient.

60
Myth

Under the Regulation, a family member or other
individual may act on the patients behalf to
pick up prescriptions, medical supplies, X-rays
or other similar forms of protected health
information (appropriate authorization by the
patient must have been obtained medical
records).

61
Myth or Fact

A patient can not sue me if I violation HIPAA

62
Myth

HIPAA does not provide for a private right to
sue.
However, under HITECT States AG can bring civil
action in federal court on behalf of the
residents of his/her state who have been or are
threatened to be adversely affected by a HIPAA
violation.

63
Myth or Fact

The press can access information from hospitals
about accident or crime victims.

64
Fact

HIPAA allows hospitals to continue to make public
(including to the press) certain patient
information including the patients location in
the facility and condition in general terms -
unless the patient has specifically opted out of
having such information made publicly available.

65
Scenario 1

Two physicians are discussing a patients
treatment in an elevator filled with people.
During the conversation, the physicians mention
the patients name.
Is this a HIPAA violation?
What steps should the physicians have taken to
safeguard the patients privacy?

66
Response

Yes, this is a HIPAA violation
The physicians should have held this
conversation in a private location.
This is not considered an incidental
disclosure. This is an inappropriate
disclosure that must be avoided by utilizing
appropriate safeguards. These safeguards
include, but are not limited to, holding the
conversation in a private location, behind closed
doors or in the absence of others (not in public
locations such as elevators, cafeterias,
hallways, etc.).

67
Scenario 2

A physician calls a patients home and leaves the
following message with the patients wife
Please tell your husband that I called in the
prescription for his prostate infection this
morning and that he can call the pharmacy to see
when the medication will be ready for pickup.
Did the physician do anything wrong?

68
Response

Yes, this is a HIPAA violation.
The physician must remember to use only the
minimal necessary when disclosing patient
information (PHI).
This message should have been either a simple I
have called in a prescription for your husband to
his pharmacy. Have him call me if he has any
questions or better yet have your husband call
my office.

69
Scenario 3

A physician, after documenting a note in a
patients medical record, places the chart in an
unlocked chart holder outside the patients room.
Is this a violation of HIPAAs Privacy Rule?

70
Response

No, this is not a HIPAA violation.
The chart must be closed and placed in the
appropriate location whether it is in a chart
holder in the nurses station or in a unlocked
chart holder outside the patients room. The
responsibility is to ensure that PHI is not left
out in the open and easily assessable for viewing
by a passerby. We must utilize the safeguards
that are in place to meet this expectation - in
this case an unlocked chart holder.

71
Health Insurance Portability Accountability Act
HIPAAand related State Federal Information
Security LawsElectronic Information Security to
Ensure Privacy, and Trust of Information
Information Security
Tom Consalvo Information Security Officer, SBUMC,
HSC, and Dental School
72
Privacy vs. Security

The Privacy Rule sets the standards for, among
other things, who may have access to PHI, while
the Security Rule sets the standards for ensuring
that only those who should have access to e- PHI
will actually have access.
The Security Rule applies only to e-PHI, while
the Privacy Rule applies to PHI which may be in
electronic, oral, and paper form.
e-PHI Electronic Protected Health Information

73
What is Information Security?
Information Security is the process of protecting
data from accidental or intentional misuse by
persons inside or outside of Stony Brook Hospital
74
State and Federal Laws as relates to Information
Security

NYS Cyber Security Policy, P03-002 Information
Security
NYS Cyber Security P03-001, Incident Reporting
Policy
SUNY Cyber Security Reporting procedure
Federal HIPAA Security regulation 45 CFR Parts
160, 162 164
Federal HIPAA Security Guidelines Dec 28, 2006
for Removable Devices
JCAHO Information Management (IM) section 2
NYS Information Security Breach Notification
Act, General Business Law (Section 899-aa),
Technology Law (Section 208)
New Yorks Social Security Number Protection Law,
General Business Statutes, Article 26, Section
399-DD
SUNY Minimal Required Actions of a SUNY Campus
Information Security Program. Effective January
2008, Ted Phelps SUNY ISO
HIPAA 45 CFR Parts 160 and 164 Final Enforcement
Rule, Feb. 2006
NYS Technology Law, Internet Security Privacy
Act

As part of the daily processes the Hospital must
be ready to be audited at any time, without
notice.
75
HIPAA Security Standards

What is the Security Rule??
Bottom Line We must assure that systems and
applications operate effectively and provide
appropriate confidentiality, integrity and
availability (CIA).
HIPAA asks that organizations to continually look
at themselves to find their vulnerabilities,
To continually implement measures to address
their deficiencies,
To apply appropriate sanctions against those who
do not comply with the rules they set, and
Have the appropriate technology in place to track
all changes that occur.

76
HIPAA Information Security

HIPAA Information Security has three categories
Administrative
Physical
Technical controls

Note The Federal HIPAA Security Regulation
requirements are mappable to the NYS Cyber
Information Security Law and Policies including
JC and the DOH.
77
HIPAA Administrative Safeguards

Designate a Security Officer (Also required by
NYS Cyber Security Law)
Implement work-force security policies and
procedures for appropriate access to electronic
PHI access authorization ensure access level is
appropriate and termination of access.
Train the work force in security awareness.
Establish procedures to address security
incidents.
Prepare a contingency plan to permit data
recovery and access in the event of an emergency.
Perform periodic evaluations to ensure
technical and non-technical compliance to the
code.
Create business associate agreements for
vendors who need access to Electronic Protected
Health Information (ePHI).

78
HIPAA Physical Safeguards

Facility access controls Implement policies
and procedures to limit unauthorized physical
access to electronic information systems or
facilities.
Work station use Implement policies and
procedures for proper use and physical
attributes of the work station and surroundings.
Workstation security Implement physical
policies and procedures for all workstations
that have access to PHI.
Device and media controls Implement physical
policies and procedures that govern the receipt
and removal of hardware and electronic media in
and into and out of a facility.

79
HIPAA Technical Safeguards

Access controls Implement technical policies and
procedures for electronic information systems
with PHI to allow access only to those authorized
or to authorized software programs as per 164.306
(a)(4).
Audit controls Implement hardware, software, and
/or procedural mechanism that record and examine
system activity for Electronic PHI.
Integrity Implement policies and procedures to
protect health information from improper
alteration or destruction.
Person or entity authentication Implement
procedures to verify that a person or entity
seeking access to EPHI is the one claimed.
Transmission security Implement technical
security measures to guard against unauthorized
access to electronically transmitted PHI over a
communications network.

80
What can be a threat to Information Security?

Natural Disasters
Hurricane
LI has had 6 category 3 or above since 1938, last
was Sandy in 2012
Earthquake
4.0 in Smithtown in 1985 and 2.8 in Montauk in
1992
Flood
Tornado
F-Zero (40-70 mph) in East Massapequa 2006
Fire
Fire In HSC Elevator By Data Center Sept 2006
Nonhuman
Product failures, bugs, etc.
Human
Unauthorized Access
Data Entry Errors
Poor Training in Application Use

81
The Effects of a Compromise

Business Impact
Loss of revenues or other assets
Legal liability (HIPAA)
Tarnished name, bad press
Degraded customer service
Privacy violations
Lost productivity

Effects of Attacks
Alter or destroy data (Integrity of patient data)
Steal passwords or data
Damage or disable drives
Tie up system resources (Delay treatment)

82
If You Have AccessTo Patient Information System
If the patient is not in your chain of care Dont
look at their Data Dont be curious if you heard
that some VIP is in the Hospital If you are
working on 3, dont look up patients on 9. Dont
be curious about why your neighbor was
admitted. If you look at patient data that has
nothing to do with the patients you treat You
are breaking Federal and State Law.
83
Your New User Accounts
Once you get an account you are given a unique
user name.
Dont give it out, and most importantly,
Never Share Your Passwords If you give out your
username and password to someone, You are in
violation of Federal and State Law. If the audit
trail comes back to your account, you can be held
liable to sanctions, up to but not limited to
fines, suspension, termination, and criminal
prosecution.
Treat your passwords like your toothbrush Dont
share them!!!
84
The best way to protect yourselfmake your
passwords difficult to guess

NEVER tell anyone your password.
NEVER write your password down, such as on a
post-it note.
Dont use common info about you or your family,
pets, or friends names, SS , birthdates
anniversary, credit card number, telephone
number, etc. to create a password.
Dont use names you have used before, variation
of your user ID, or something significant about
yourself as a password.
Dont let someone see what you are entering as
your password.
If you think there is even a slight chance
someone knows your password, CHANGE IT
Remember if someone logs on as you and does
something improper,
you can be held responsible.

85
Weak Passwords (examples)
This cant be stressed enough

Cat, dog, querty hart, heat, heart, mary
September, superman, mickeymouse, r2d2
Aaaabbbccd, 12345678, a1b2c3d4

Strong Passwords (examples)
Wweand nadtd 2BoN2bTist? IsfgaWDo6 3bmstfw1491
86
What can I use in a Password?

Use a combination of alphanumeric symbols
consisting of at least 8 letters, numbers, and
symbols.
Passwords are usually case sensitive so
capitalizing random letters makes it even harder
to guess.
Alphabetic A to Z and a to z
Numeric 0 to 9
Special Characters ! _at_
( ) / ? lt gt ,
\ .

87
Mnemonics Made Easy

Change them periodically. Take a phrase that is
easy for you to remember and convert it into
characters.
It could be the first line of a poem or a song
lyric.
Water, water everywhere and not a drop to drink
(Rhyme of the Ancient Mariner) converts to
Wweandnadtd.
We Three Kings from Orient Are converts to
w3KfOa to get beyond six characters add a number.
w3KfOa 3691 (3691 is the year 1963 backwards to
extend beyond six.)

88
Workstation Rulesand Storage of Important Data

Youre provided a computer that belongs to the
State of New York or the Research Foundation
and as such it is auditable by Information
Security and SBUMC IT.
Only SBUMC IT may install applications and
hardware.
Dont bring in any games or software from home
Use only approved software
Dont try to install or download any unauthorized
applications.
Licensing violations can cost millions in fines
Bugs and Malware can bring down the network.
All approved applications go through an in-depth
testing process.
Dont save important files to your local hard
drive, save to your network drive (U) or request
a secure share.
All requests for computer devices that allow
information to be portable (ie CD burners, USB
drives, PDAs, laptop computers, etc) must be
approved by the ISO. NO e-PHI should be stored
on these mobile devices. Use VPN

89
Security for USB Memory Sticks Storage Devices
Memory Sticks are devices which pack large
amounts of data in tiny packages, e.g., 1G, 4G,
16GB. NEVER store e-PHI on these memory sticks.
Unless used for external presentations or
education these devices are not allowed. Use VPN
connectivity instead!
90
Primary Carriers of Malicious Software

Viruses - A virus is a small piece of software
that piggybacks on real programs in order to run
destructive
E-mail viruses - An e-mail virus moves around in
e-mail messages, and usually replicates itself by
automatically mailing itself to dozens of people
in the victim's e-mail address book.
Worms - A worm is a small piece of software that
uses Computer networks and security holes to
replicate itself. A copy of the worm scans the
network for another machine that has a specific
security hole. It copies itself to the new
machine using the security hole, and then starts
replicating from there, as well.
Spyware Computer software that obtains
information from a users computer without the
users knowledge or consent.

Web pages
E-mail
Games
Freeware / shareware
Programs from associates/home

Stony Brook Information Security runs many tools
such as Internet browser reporting and filtering.

Social Networking Sites such as Facebook,
You-Tube, Twitter, etc are not permitted unless a
business need is defined and approved by the
Information Security Officer.
91
Email Security

Email is NOT the same as a letter sent through
the normal mail. It is the electronic equivalent
of Postcards!!
Within SBUHs Email system messages are
encrypted!
If an e-mail is sent outside of the Stony Brook
system (i.e. to Optonline, AOL, etc) it is sent
in clear text and anyone can intercept and read
it.
Do NOT use non-SBUH email such as Web Mail
(Yahoo, AOL, Hotmail, etc)to conduct business or
send information about a patient. If you or one
of your vendors feels that this must be done for
any reason, call the Help Desk first
(631-444-HELP /444-4357)

92
E-Mail Security Cont.

E-Mail Should Never Be Used for
Inappropriate and nonproductive material
The misuse of company resources
Forwarding of confidential information
REMEMBER
Never open any e-mail
if you dont know the source.

93
Security Best Practices

Never share your login or password and if you see
someone watching you enter your password, change
it.
Never browse and look at sensitive information
that you dont have a need to know to perform
your work responsibilities.
Shut down or LOCK your computer at night.
Never use Cell Phone Cameras in and around
patients and patient information!
When leaving your desk log off or
Do a CTRL-ALT-DEL
Then click to LOCK COMPUTER
This assures no one can sit down and your desk
and pretend to be you

94
REPORT SECURITY VIOLATIONS

Report a Security Incident if
You receive an email which includes threats or
material that could be considered harassment.
Someone asks you for your password or asks to use
your login account.
You suspect that someone is inappropriately using
confidential data.
You discover unauthorized or missing hardware or
software.