1 Security of Electronic Information Protecting Confidential, Sensitive and Personal Data in the...


Transcript of 1 Security of Electronic Information Protecting Confidential, Sensitive and Personal Data in the...

Page 1: 1 Security of Electronic Information Protecting Confidential, Sensitive and Personal Data in the Electronic World.

Security of Electronic Information

Protecting Confidential, Sensitive and Personal Data in the Electronic World

Page 2

Purpose of the Training
- Raise awareness about how each of us can protect UCSF patients' confidential and sensitive electronic information and our own personal electronic information
- Better understand the risks when using and storing electronic information
- Better understand how to reduce those risks

Page 3

Basic and Advanced Training
- Basic: for those of you who use confidential information to do your job, rarely use email to send confidential UCSF electronic information, and work from a workstation "on-site" at UCSF
- Advanced: for those of you who routinely use email to conduct UCSF business that contains sensitive, confidential information; who use mobile or home workstations to transmit confidential information; or who want more information about reducing risks in the electronic world

Page 4

The OPEN Nature of the Internet
The Internet is a powerful tool for unlimited, uncontrolled access to electronic information:
- A PLUS: limitless opportunity for those seeking data for business, education, research, general knowledge
- A MINUS: limitless opportunity for those seeking data for criminal or unethical purposes

Page 5

Introduction: Security of Electronic Information
- Why now?
- What is sensitive and confidential electronic information, including Electronic Protected Health Information (ePHI)?
- Why me?
- What do I need to do to protect confidential electronic information?
- How do I get help?

Page 6

Why Now?
- The HIPAA Security Rule mandates that all UCSF workforce members obtain Security Awareness Training and implement appropriate security measures by April 2005
- Other laws and policies require us to secure information: State law SB 1386; UC and UCSF Policies
- Wireless theft is exploding and threatens UCSF, our patients, you and me
- UCSF needs your help to protect the confidentiality, integrity and availability of electronic health and financial information

Page 7

What electronic information is covered by this training and UC Policy?
...all information that is confidential and sensitive
...including electronic Protected Health Information (ePHI) covered by the HIPAA Security Rule

Page 8

Confidential Electronic Information is... "Information that may or may not be protected by law but which is desired to be treated as confidential and protected as such"

"Access to confidential information is prohibited unless permitted by policy or an exception to the law."

All references to "Confidential Electronic Information" in this training include Electronic Protected Health Information (ePHI)

Page 9

ePHI is Confidential Information and is:
- An individual's health or financial information that is used, created, received, transmitted or stored by UCSF using any type of electronic information resource
- Information in an electronic medical record, patient billing information transmitted to a payer, digital images and print outs, and information when it is being sent by UCSF to another provider, a payer or a researcher

For example: an unsolicited email message from a patient, once it is received by the healthcare provider or UCSF, is ePHI. ePHI = information received, transmitted, stored, "at rest".

Page 10

Where Do You Find Confidential Information?
- On your workstation, at work, at home, or on mobile devices: memory sticks, iPods, laptops, Blackberries, Palms, CDs, floppy discs, etc. You have responsibility for the security of information on your workstation.
- On "information resource media", e.g., networks, application systems, including operating systems, tools, communications systems. In most cases these systems are the responsibility of IT managers and system owners.

Page 11

Why Me?
You use electronic information to do your job... You use a UCSF workstation to do your job... Each of us is responsible for understanding and reducing the risks to confidential electronic information.

Page 12

Information Technology alone is not the answer...
Each one of us must be responsible for her/his workstation, mobile device and data!

Page 13

What do I need to do to protect ePHI or other Confidential Information?
...at my UCSF Workstation? ...on a Mobile Device?

Page 14

First: Understand the Risks
- Identify risks at your workstation, for example: shared passwords; failure to log off after each use; use of unlicensed software; viruses
- Reduce risks at your workstation
- Get help with questions or concerns
- Report suspected security incidents

Page 15

Next: Follow Safe Computing Guidelines -- Passwords
1. Protect your user ID and password. You are responsible for ACTIONS taken with your ID.
   a. Do NOT post, write or share passwords with ANYONE.
   b. The HIPAA Security Rule requires UCSF to be able to audit an individual's actions using confidential information.
   c. Protect your user ID and password from fraudulent use or unethical behavior.

Page 16

Safe Computing Guidelines -- Control Access to Confidential Information
2. Use strong passwords that are hard to guess, easy to remember, and change them often.
   a. Use letters, numbers, and capitalize a letter.
3. Use a password-protected screensaver for your workstation (on-site, laptop, home, etc.).
4. Always log off shared workstations.
   a. If you don't log off, someone else could use your user ID to illegally access confidential information.
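The following is an added example, not part of the original training and not a UCSF tool, showing how the password rules on this slide can be turned into an automated check. It assumes a 12-character minimum, a small constructed blocklist standing in for a breached-password list, and a rule that the user ID must not appear inside the password; none of these values come from the slide. One caveat a practitioner would add: current guidance (NIST SP 800-63B) favours length and a blocklist of known-compromised passwords over forced composition rules and scheduled changes, so the slide's letters/numbers/capital advice is reported here as advice rather than as a hard failure.

```python
"""Password policy check for the guidelines on this slide.
Added example, not UCSF's own tool. MIN_LENGTH, COMMON_PASSWORDS and the
user-ID rule are assumptions, not values taken from the training."""
import re

MIN_LENGTH = 12  # assumption, not a UCSF value
# Constructed blocklist; a real deployment would check a breached-password corpus.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "qwerty123", "ucsf2005"}
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def has_sequence(pw, run=4):
    """True if pw contains `run` characters that step by +1 or -1 (abcd, 4321)."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        codes = [ord(c) for c in low[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_repeat(pw, run=4):
    """True if pw contains `run` identical characters in a row (aaaa, 1111)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def check_password(password, user_id):
    """Apply the policy. Returns {"ok": bool, "problems": [...], "advice": [...]}.
    ok is False only for the hard failures listed in problems."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if user_id and user_id.lower() in password.lower():
        problems.append("contains the user ID")
    if has_repeat(password):
        problems.append("contains 4+ repeated characters")
    if has_sequence(password):
        problems.append("contains an alphabet or digit sequence")
    # Composition is the slide's advice; reported but not enforced.
    classes = sum(1 for p in CLASS_PATTERNS if re.search(p, password))
    advice = [] if classes >= 3 else ["slide advice: mix letters, a capital and numbers"]
    return {"ok": not problems, "problems": problems, "advice": advice}


if __name__ == "__main__":
    for pw in ("Password1", "jdoe-Winter-Clinic-2005", "Abcd1234efgh!",
               "correct horse battery staple"):
        print(repr(pw), check_password(pw, "jdoe"))
```

A long passphrase passes with only a composition note, while a short, common, or user-ID-bearing password fails outright, which is the ordering of priorities a login service should apply.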

Page 17

Safe Computing Guidelines -- Control Physical Access to Your Workstation
1. Only authorized UCSF users should have physical access to your workstation, including monitors, mouse, keyboard, etc.
2. If you use a mobile device or home workstation to conduct UCSF business (including treatment, payment or operations), you are responsible for physically securing and protecting the device and any confidential information.

If you use a mobile device or home workstation for UCSF confidential business, you must take the advanced "Security of Electronic Information" training that follows.

Page 18

Safe Computing Guidelines -- Protect the Availability of Confidential Data
Ask Yourself:
- Could I do my job if this data were lost due to a power outage, virus, crash, etc.?
- What would be the effect on patient care if this data were no longer available?
- How often should I back up my work?
- Do I back up to a secure server?
- Do I know what to do in the event of a power outage or crash?

Page 19

Safe Computing Guidelines -- Virus Protection
1. Do not open an email attachment unless you know who sent it and why.
   a. If in doubt, call the sender of the email to confirm that the attachment is safe and valid.
2. Always run an updated antivirus tool; do NOT cancel the scheduled virus scan.
3. Do not load software that you or your department are not licensed to use on a UCSF workstation.

Page 20

Safe Computing Guidelines -- Email
Be Aware: Email is NEVER 100% secure
1. Do not use email to send, receive or store confidential information unless it is required by your job.
   - Always LIMIT the confidential information sent by email to the minimum necessary.
2. NEVER send, reply or forward UCSF confidential information from a non-UCSF mail account (e.g., Yahoo, AOL, etc.).

If you routinely use email to transmit confidential UCSF information, you must take the advanced portion of this training.

Page 21

Safe Computing Guidelines -- Report Computer Security Incidents
1. Report erratic computer behavior or unusual email messages to your department manager, department IT resource, or IT Customer Support.
2. Report any suspected issues or incidents to a manager or the UCSF Enterprise Information Security Officer (see resources).
3. Report lost or stolen devices to UCSF Police (476-1414) and, when appropriate, local police.

Page 22

Is This a Security Incident?
- You return to your workstation after lunch and notice that a patient's medical record is open on the screen.
- Your supervisor comments that she saw the record on the screen while you were away.
- You check and determine that not only is that record accessible, but with one click one can easily enter STOR, a medical record database, or other applications containing confidential information.

Page 23

What Was Your Responsibility to Secure Your Workstation?
- Do you think that someone has attempted to access your workstation, either manually or electronically?
- Is this a shared workstation?
- Did you allow unauthorized physical and electronic access because you did not log off when you went to lunch?
- Do you have a strong password and user ID in place?

Page 24

This is a Security Incident if...
- Your passwords are weak... and there is unauthorized access to confidential information
- You did not log off... and confidential information was compromised
- You suspect a problem and do not report it. Report immediately all suspected incidents or security compromises to your supervisor.

Page 25

What Can Each of Us Do To Secure Confidential Information?
- Each member of the workforce must take responsibility for securing his/her workstation
- Get help from your system managers to implement IT solutions that are cost effective and meet your needs
- Understand the laws and procedures and seek help when requirements aren't clear
- Report suspected security incidents to a manager or IT Customer Support
- Understand the consequences of non-compliance

Page 26

Understand the Law... For Example:
- You can not access another employee's medical records or financial information UNLESS it is specifically required by your job at UCSF
- You can not look at a patient's* medical records or financial information UNLESS it is specifically required by your job at UCSF

If it is not required for your job, it is against the law!

*For example, NO friend's information, NO celebrity patient's information

Page 27

HIPAA Requires UCSF to Tell You the Consequences for Individuals and UCSF if There is a Violation
- A violation of the Security Rule could also be a violation of the Privacy Rule and State Law
- Civil monetary penalties range from $100 to $25,000/year; more for multiple-year violations
- Criminal penalties range from $50,000 to $250,000 and imprisonment for a term of 1 to 10 years
- Fines and penalties for violation of state law, including SB 1386
- UCSF corrective and disciplinary actions, up to and including dismissal

Page 28

True or False
Security is not a one-time project. It is an ongoing, dynamic process that will create new challenges as organizations change and new technologies emerge.

Page 29

UCSF Is Only as Strong As Our Weakest Link.
Help UCSF maintain a strong defense and secure our patients' confidential information.

Page 30

Thank you for helping UCSF protect the security of our patients' Confidential Information. You have completed the Basic Component of the Security Awareness Training.

Page 31

Resources and References
- UCSF Departmental Manager (Ms. UR IT)
- UCSF Information Security Officer ([email protected])
- UCSF HIPAA Security Procedures, Electronic Security Policies and the HIPAA Handbook (www.ucsf.edu/hipaa)
- Report Suspected Security Incidents to: Dept CSC; IT Customer Support: 514-4100; UCSF Police: 476-1414

For additional information about the security of email, portable devices and home workstations, go to www.ucsf.edu/hipaa.

Page 32

Please Continue with the Advanced Training if YOU...
- Use email containing Confidential Information to conduct UCSF business, provide treatment and carry out teaching activities
- Use a UCSF workstation at home to conduct business with Confidential Information
- Use a mobile device or portable workstation to conduct business with Confidential Information

Page 33

Could This Become a Security Incident?
Dr. Gadget prides himself on being IT smart. He always uses emerging technologies for provider and patient communications. He believes this enhances his treatment and teaching activities. His newest mobile device, his "sidekick," is a mini-computer (about the size of a 3x5 card) with phone, e-mail and instant messaging. He routinely goes to the local wireless café to receive and send email communications to his colleagues and patients. The device has replaced the old-fashioned notecard, so he stores patient treatment reminders and info on his "sidekick."

Page 34

What are Dr. Gadget's Potential Risks?
- Use of email to receive, transmit and store confidential information
- Use of a mobile device over a wireless network for confidential information
- Use of a personal mobile device for teaching and treatment notes
- Use of mobile media (memory sticks, jump drive card, Secure Digital (SD) card)
- Use of a wireless café, a "hot spot", as one's "workstation"
- Can you think of any more?

Page 35

Be Aware, Dr. Gadget!
Email:
- Never 100% secure
- Sending UCSF confidential information from a non-UCSF account (e.g., Yahoo, AOL, SBC Global) is very risky business

Wireless network / Hot Spot Café / Public Places:
- Allow for ease of access by hackers without your knowledge
- No firewalls protect the café's perimeter
- You NEVER know who is looking over your shoulder!

Personal mobile devices:
- YOU are responsible for understanding the risks and securing the confidential information stored, received, and sent with a mobile device or by mobile media

Page 36

What Should Dr. Gadget Have Done to Secure His Confidential Information?

Page 37

Safe Computing Guidelines -- Mobile Devices
- Provide a tracking # for your UCSF mobile devices to your department, so that UCSF can inventory all mobile devices
- Only use devices that can restrict access by way of a password or other authentication method
- Enable all security features the device may have
- Remove all personal identifiers when possible (see slide 9 notes for the list of identifiers)
- ONLY receive, transmit and store if absolutely required to do your job

Page 38

Safe Computing Guidelines -- Mobile Devices
- UCSF protected servers should be the first option for storage of confidential data or ePHI.
- Never use a mobile device or media to store confidential data that is critical to providing patient care. If the device is lost or stolen, you may never be able to recover data critical for providing life-saving patient care.
- You must download and back up all confidential and sensitive data.
- Store and transmit ONLY the minimum amount of data for the shortest period of time.

Page 39

Safe Computing Guidelines -- Mobile Devices
- Use only an approved, secure method for accessing the UCSF network, via VPN or other means: its.ucsf.edu/services/network
- Obtain a copy of the Guidelines for "Mobile Computing and Mobile Devices Security": www.ucsf.edu/hipaa/dept_compliance/

Page 40

Is This a Security Incident?
- You use a UCSF mobile, wireless device to record and review your teaching notes.
- Your car is broken into and your briefcase, containing your mobile device, is stolen.

Is this a Security Incident?
Are you worried that you could be held responsible for the lost or stolen device?

Page 41

Did You Take Responsibility for Securing the Confidential Information?
- Did you protect access to the information with a unique ID and strong password?
- Did you enable all available security measures?
- Did you limit patient identifiers to the minimum necessary?
- Did you immediately report the lost device so that you and UCSF can mitigate any potential harm to patients and UCSF?
- Did you report the loss or theft of a mobile device to UCSF Police at 476-1414?

If you can answer YES, then you have done the Right Thing!

Page 42

True or False
- Your mobile device can be safely in your pocket while your stolen confidential information is on the Internet for all to see!
- There are IT solutions for assuring that your email is 100% secure.
- Confidential information is a commodity in high demand!
- You are personally responsible for implementing safeguards that protect the confidentiality, integrity and availability of patient information on mobile devices or media.

Page 43

Safe Computing Guidelines -- UCSF Home Workstations
- UCSF workstations (computers, laptops, etc.) should have protection equal to that of computers located on-site at UCSF
- Access by authorized users only; this means only YOU, not a family member or friend who may ask for "just a quick access to the Internet so I can check email"
- Password and user ID must be on all home workstations
- Assure that your workstation has a properly configured personal firewall
- Assure that you have updated anti-virus protections
- Get help from your departmental IT resource or contact UCSF IT Customer Support

Page 44

Safe Computing Guidelines -- Non-UCSF Home Workstations
You should not use a personal, home workstation to carry out UCSF business with confidential information, including ePHI, UNLESS YOU:
- Obtain approval from your manager to do so
- Take reasonable steps to assure that physical and technical safeguards are in place to protect the information, including password and user ID protection
- Connect to the UCSF network ONLY by a secure method, including a VPN, RWeb or Outlook Web Access (OWA), and have anti-virus protections in place
- Limit the information to the minimum necessary to do your job
- Never use a personal workstation to store UCSF confidential data
- Never allow access to UCSF data by a family member or friend

Page 45

Is Email Secure?
Email is never 100% secure.
- Limit confidential information to the minimum amount needed to do the job
- Email is most secure when you use one of the approved UCSF secure email solutions

Risky Business: Never send, reply or forward UCSF confidential information from a non-UCSF mail account (e.g., Yahoo, AOL, etc.)

Page 46

Email Risks Can Be Reduced
- Use a combination of solutions that includes IT solutions and changing personal behavior
- Limit your "reply list" to only those who need to know
- Be succinct; don't use a "chain of replies" that perpetuates the sending of information
- Use secure methods for wireless devices or when using email remotely, including VPNs
- UCSF has developed a secure email solution that will be reasonably transparent to the user; see your IT support or contact IT Customer Support.

Page 47

Secure Email Question
I am a teaching physician at UCSF and routinely work at home or at my local café and use my UCSF Blackberry to communicate with patients. I also want to connect with my wireless device to the UCSF network. Is the communication secure? It was my impression that internal communications within the UCSF network are secure, but communications outside are not. Can you clarify if these communications meet the HIPAA safeguard requirements for electronic information? Thanks.

Page 48

Answer: First, email is never 100% secure. Your responsibility is to understand what you can do to provide for reasonably secure email and wireless device solutions.

Page 49

Securing Your Email and Wireless Device
1. By April 2005, UCSF will have in place a secure email solution that will reasonably secure outbound communications, including faculty to patient.
   a. In general, when using a UCSF address, you will be able to communicate with your patient if you are using the secure email solution.
   b. Each department is responsible for implementing the secure email solution and instructing faculty and staff how to implement the solution.
   c. If you have not received information from your departmental chair or IT resource, you are responsible for finding out if your outbound emails are secure.
2. To secure your wireless device, please see slides 38 - 43.

Page 50

And, under all circumstances...
- NEVER send, reply or forward confidential email from a non-UCSF account (e.g., AOL, Yahoo, SBC Global, etc.)
- NEVER use Automatic Forwards to non-UCSF accounts

Page 51

True or False
If no reasonable effort is made by the faculty member to address the risks of email transmissions, the individual and department could be at risk of violation of HIPAA Security, HIPAA Privacy and State Law SB 1386.

Page 52

Is This Secure?
I am a UCSF faculty physician and routinely receive emails from referring physicians that contain patient confidential information. Does the secure email solution protect this information? What is my responsibility when I receive these emails?

Page 53

Answer
Protect the information as though YOU created it. You must secure confidential information that you receive by email or any other electronic means, even if you did not solicit the email. The secure email solution will protect the information if you employ the solution when you reply to the referring physician. Your responsibility is to secure the email when the data is at rest: download the information to a secure server, then delete the data from your email. When replying, never use a non-UCSF account, use only the minimum necessary, and limit or delete personal identifiers.

Page 54

Protect Our Patients and Our Mission
- A copy of all messages or data on a mobile device or media, when important to a patient's care, should be placed in the patient's medical record.
- Never change another person's email message and pass it on without making it clear you have made the changes.
- Email should never be used for urgent or emergency problems and patient care cases.
- No confidential information should be typed in the "subject field" caption of an e-mail message.
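As an added example (not UCSF code and not from the original deck), the check below scans free text for direct identifiers so that treatment notes copied to a mobile device can be redacted (slide 37's "remove all personal identifiers when possible") and an outbound subject line can be refused (this slide's "no confidential information in the subject field"). The slide 9 notes listing the identifiers are not reproduced on this page, so the patterns are assumptions: US Social Security number, US phone number, calendar date, email address, and a hypothetical medical record number written as "MRN" followed by 7 or 8 digits. The sample note is constructed to resemble the reminders Dr. Gadget keeps on his device.

```python
"""Identifier scanner for notes and email subject lines.
Added example, not UCSF's own tool; the pattern set is an assumption and
the MRN format in particular is invented for illustration."""
import re

IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\(\d{3}\)\s?|\d{3}[-. ])\d{3}[-. ]\d{4}\b"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # Hypothetical record-number format: 'MRN' then 7 or 8 digits.
    "mrn": re.compile(r"\bMRN\s*#?\s*\d{7,8}\b", re.IGNORECASE),
}


def find_identifiers(text):
    """Return (kind, matched_text) pairs in order of appearance."""
    hits = []
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((m.start(), kind, m.group(0)))
    hits.sort()
    return [(kind, value) for _, kind, value in hits]


def redact(text):
    """Replace every identifier with a [KIND] token. Returns (redacted_text, count)."""
    count = 0
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        text, n = pattern.subn(f"[{kind.upper()}]", text)
        count += n
    return text, count


def subject_allowed(subject):
    """Gate for outbound mail: a subject carrying any identifier is refused."""
    return not find_identifiers(subject)


# Constructed sample reminder, not real patient data.
SAMPLE_NOTE = (
    "Follow up with patient MRN 1234567, DOB 03/14/1961, re: lab results. "
    "Call 415-555-0147 if no reply to j.doe@example.org by 2005-04-20."
)

if __name__ == "__main__":
    print(find_identifiers(SAMPLE_NOTE))
    print(redact(SAMPLE_NOTE))
    for s in ("Lab results ready", "Re: MRN 1234567 labs"):
        print(repr(s), "allowed" if subject_allowed(s) else "blocked")
```

Pattern matching catches formatted identifiers only; a patient's name or a free-text diagnosis is not detected, so a check like this is a backstop for the minimum-necessary habit the slides ask for, not a substitute for it.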

Page 55

True or False
Research is not part of HIPAA. The HIPAA Security and Privacy Rules do NOT apply to the transmission of confidential information to a UCSF researcher.

Page 56

Safe Computing Guidelines -- Research Databases
- When UCSF is providing data to a researcher by an electronic transmission, it is covered by the HIPAA Security and Privacy Rules. UCSF must implement safeguards.
- When a health care provider/researcher is accessing UCSF patient records for research purposes or reviews preparatory to research, it is covered by the HIPAA Security and Privacy Rules. The researcher must follow all requirements for accessing information; see the UCSF HIPAA Handbook.

Page 57

True or False
There is no such thing as a totally secure system that carries no risks to security. To "ensure" the safety of confidential information, the covered entity (UCSF and its workforce) must take steps, to the best of its ability, to protect the information.

Page 58

Why is the Internet like a two-year-old?
- They are both "wired" to be adventurous, curious, inventive, unpredictable, self-centered, and to grow by leaps and bounds
- They can be managed, directed, protected, but never controlled
- Efforts to control their nature would limit their potential
- Our responsibility is to assure, to the best of our ability, that what they do is reasonably protected!

Page 59

Use a Layered Approach to Protecting Information (and 2-year-olds)!
- Layer 1: Perimeter Defense, including firewalls that control harmful things that could come in from the Internet (a fence around your home or a gated community, with lock or passcode)
- Layer 2: Server Defense, which includes requiring identification and authentication of server users and assuring that current antivirus and other security patches are in place (a lock on your front door)
- Layer 3: Workstation Security, which includes all of the defense mechanisms (access control, antivirus and anti-spyware, firewalls) (a lock on your bathroom door)

Page 60

Thank you for taking the time to participate in the UCSF Security of Electronic Information Training.

If you have additional questions, contact the UCSF Information Security Officer or one of the following resources.

Page 61

Resources and References
- UCSF Departmental Manager (Ms. UR IT)
- UCSF Information Security Officer ([email protected])
- UCSF HIPAA Security Procedures, Electronic Security Policies and the HIPAA Handbook (www.ucsf.edu/hipaa)
- Report Suspected Security Incidents to: contact your CSC for help; IT Customer Support: 514-4100; UCSF Police: 476-1414

For additional information about the security of email, portable devices and home workstations, go to www.ucsf.edu/hipaa.