Page 1: Security Fundamentals: What is Information Security › data › 2 › rec_docs › 3050_Security_Fundamentals_ … · Security Fundamentals: What is Information Security Managing

Security Fundamentals: What is Information Security

Managing risks, threats and vulnerabilities to preserve confidentiality, integrity, availability of information assets and systems

Ontario Hospitals are responsible under Ontario’s Personal Health Information Protection Act (PHIPA) for protecting our patients’ personal health information (PHI).

Page 2

Threats to Information Security

• Weak passwords & shared accounts

• Computer Virus/Malware

• Phishing emails & Social Engineering

• Theft/Loss of unencrypted end point devices

• PHI or confidential data sent by unencrypted e-mail

• Other natural disaster events

Page 3

Strong Passwords Mandatory…

• on desktops, laptops, mobile devices & removable storage media – do not share or store passwords on equipment; use locked storage if written down

• STRONG: combination of letters, numbers, symbols, minimum of 8 characters & no dictionary words

• NEVER let anyone use your login and password to access Hospital computers/applications - they serve as your electronic signature
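The strength rule on this slide (letters, numbers, symbols, at least 8 characters, no dictionary words) can be enforced mechanically. The following Python checker is an added example and is not part of the NYGH training material or any NYGH system; the small word list, the minimum word length and the handling of common letter-for-symbol substitutions ("P@ssw0rd" for "password") are assumptions made here so that the dictionary-word rule cannot be trivially bypassed.

```python
import string

# Constructed sample word list; a real deployment would load a large dictionary.
DICTIONARY = {"password", "hospital", "welcome", "summer", "toronto", "nurse"}

# Common substitutions people use to dodge a naive dictionary check (assumed set).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 8        # from the slide
MIN_WORD_LENGTH = 4   # assumption: ignore very short words such as "a" or "the"


def normalize(password: str) -> str:
    """Lower-case the password and undo common letter/symbol substitutions."""
    return password.lower().translate(LEET_MAP)


def contains_dictionary_word(password: str, dictionary=DICTIONARY) -> bool:
    """True if any dictionary word of MIN_WORD_LENGTH+ letters appears in the
    normalized password, so 'H0spit@l-2020' is caught as containing 'hospital'."""
    norm = normalize(password)
    return any(len(word) >= MIN_WORD_LENGTH and word in norm for word in dictionary)


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "abc", "Tr0ub4dor&3", "H0spit@l-2020"]:
        verdict = check_password(candidate) or ["OK"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

"P@ssw0rd" satisfies every character-class rule yet is rejected, because the substitution map turns it back into "password" before the word-list check. Composition rules like these are a floor, not a ceiling: current guidance (NIST SP 800-63B) puts more weight on length and on screening against lists of previously breached passwords than on required character classes.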

Page 4

Always log off

• ALWAYS log off systems to prevent anyone accessing or changing confidential information under your electronic signature

• If you are the only user of a device, use the password locking feature when the computer is unattended

Page 5

Virus and Malware

• A computer virus is a type of malicious software program (“malware”) that, once it is run (for example by opening an infected attachment), replicates itself by modifying other programs and inserting its own malicious code. The infected computer then spreads the virus to other computers.

• NYGH installs antivirus software on all computers; it scans daily for viruses and vulnerabilities. Anything found is flagged and investigated.

Page 6

Computer Hygiene

Computer patch: a piece of software used to update a computer program and fix security holes. To keep computers “clean” and secure, patches must be kept up-to-date.

NYGH applies computer patches on the 2nd Thursday of each month. On “Patch Thursday”:

• Keep computers onsite

• Save your data and follow the process

• Reboot the computer to allow the patches to take effect

Page 7

Phishing Emails

Everyone is responsible for protecting hospital data from hackers. Be vigilant! Don’t click on suspicious emails, links or websites. If you don’t know the sender, or the sender is asking for private information (e.g. passwords or financial details), DO NOT RESPOND.

• clicking on a link could infect computers with a virus/malware, so be careful

• an unsafe click could allow personal health information and hospital data to be accessed or stolen

Only if you are sure

Page 8

Physical Security

• All staff, physicians and volunteers are required to wear their NYGH ID badge at all times when on hospital premises

• Always be aware who is accessing computers in your area and don’t be afraid to question their identity and actions

• If you are unsure or suspect any suspicious activity, report to your supervisor or Security immediately.

Page 9

Security Safeguards: encrypted, limited storage

• Information & Privacy Commissioner: confidential data must “never be stored or transmitted outside of secure institutional servers unless encrypted”

• End point devices - laptops, tablets, smartphones used to access, store, record or transmit confidential data must meet approved NYGH Information Services security/ encryption standards

• Storage of confidential data - limited to that which is absolutely necessary

Page 10

Security Safeguards: Locked secure data

Cabinets, desks, offices and any other areas containing confidential data must be locked when unattended. Keep keys with you or in a secure location.

Don't take confidential info out of hospital unless absolutely necessary.

Use secure remote access instead.

If you must leave the hospital with confidential data, lock it in the trunk of your car at the beginning of the trip and never leave it overnight in the car.

Page 11

Saving your documents

Save your data properly: Information Services (IS) has provided every department/staff with shared network drive(s) which are secure and backed up nightly to help prevent against lost files, data etc.

Any information stored on your Local Disk (C:\ Drive) is NOT backed up, nor transferred to replaced devices. If you need access or help with saving to your home or shared drive, please contact the IS Helpdesk.

Page 12

Secure email

NYGH’s email system protects confidential data and you: transmission between NYGH sites (General, Branson, Seniors’ Health Centre) is encrypted, so if a message is intercepted it cannot be read.

Without encryption, email is like sending a postcard.

Never send confidential info from or to a personal email account (e.g. Hotmail, Gmail or Yahoo): the transmission is not encrypted and can be intercepted and read.

Page 13

What you can do (1)

• Maintain private and strong passwords at all times

• Follow NYGH “Patch Thursday” practices to safeguard computer devices

• Save documents on shared drives

• Be vigilant as to what you click/open on a computer device.

Page 14

What you can do (2)

• Minimize storage of confidential info on any end point devices

• Ensure encryption enabled on your end point devices

• Never send confidential information from/to personal email address (Gmail, Hotmail, Yahoo etc.)

Page 15

Information Security Summary

• Combine physical, administrative & technical protections

• Avoid “What’s the risk?” thinking

• See Something, Say Something!

• Security is not complete without “U”!

Page 16

Reporting Incidents

Your speed in reporting a problem, or suspected problem, is critical to incident management.

Immediately report theft or loss of a laptop, mobile device, USB stick, or paper records to NYGH’s Chief Privacy Officer (CPO), Rita Reynolds, Security AND the IS Helpdesk.

Immediately report unauthorized access, collection, use, disclosure, copying or modification of PHI to our CPO.

Page 17

If it doesn’t go as planned… just call!

Rita Reynolds, Chief Privacy Officer

416-756-6448

IS Helpdesk

416-756-6074

Page 18

Information & Privacy Commissioner/Ontario (IPC)

Provides oversight of compliance with the Personal Health Information Protection Act. In this role the Commissioner:

• adjudicates access appeals, investigates privacy complaints and may issue public reports

• may enter and inspect premises, records and information management practices, and require evidence under oath or affirmation

• has Order-making power

Prosecution by Attorney General: if found guilty of an offence under PHIPA, an individual may be fined up to $100,000; organizations may be fined up to $500,000.

IPC Contact: 416-326-3333 www.ipc.on.ca

Page 19

For more information please contact Rita Reynolds, Chief Privacy Officer, at 416-756-6448

Thank you for completing the Security Fundamentals training.