Your Role in Information Security
Center on Human Development and Disability
January 2005
Rev 12/08
UW Medicine
Version: 20041105
Overview
Information Security is not just about computers; it is how we go about our business here at UW & UW Medicine. We have a set of standards and policies that define our Information Security requirements.
Information Security is a responsibility of the entire UW & UW Medicine workforce: faculty, employees, trainees, volunteers, and other persons who perform work for UW Medicine.
Users
Any individual using a computer connected to UW and/or UW Medicine networks, or anyone who has been granted privileges and access to UW Medicine computing and network services, applications, resources, and information.
User Responsibilities
The customary ones:
Comply with UW and UW Medicine policies
Comply with federal and state law
Restrict use to authorized purposes
User Responsibilities continued…
Directly related to information security:
Report all suspected security and/or policy breaches to an appropriate authority
Don’t disable your firewall and/or anti-virus
Protect access accounts, privileges, and associated passwords
Accept accountability for your individual user accounts
Maintain confidentiality
Information Security Training: Dependent on Your Role
Everyone: Privacy, Confidentiality, and Information Security Agreement
If you access PHI: New Employee Orientation and/or HCCS on-line HIPAA Training
If your system has PHI: System Owner and System Operator Training
UW Medicine Clear Workspace Standard
Reduce the risks of unauthorized access, loss of, and damage to information during and outside of normal working hours by putting away RESTRICTED and/or CONFIDENTIAL information in your workspace.
Clear it or Secure it . . .
Lock away protected health information or critical business information when not in use. Store paper and computer media containing RESTRICTED AND/OR CONFIDENTIAL information in suitable locked cabinets or desks when not in use or when unattended.
Clear RESTRICTED AND/OR CONFIDENTIAL information or critical business information from printers immediately.
Protect mail and fax machines from unauthorized access.
Locked doors count
Log off or secure your workstations when not in use or unattended
Terminate active computing sessions when unattended, unless they can be secured by an appropriate locking mechanism, such as a password-protected screen saver (Ctrl+Alt+Delete, then Lock Computer).
Log-off networked systems when the computing session is finished
Workstation Requirements
Screen saver activation: workstations with PHI in areas where patients or the public have access to a workstation require a one-minute activation timeout.
After hours: AMC domain PCs are required to be logged off and powered on after hours. Otherwise, follow the direction of those responsible for your computer support.
Reusing electronic media
Example: surplusing or redistributing a computer. Media intended for reuse: specific processes.
Overwriting method: overwriting uses a software program to write a pattern (1s, 0s, or a combination) onto the media. Common practice is to overwrite the media three times; four times is better.
Degaussing method: magnetically erases data from magnetic media. Two types of degausser exist: strong permanent-magnet degaussers and electric degaussers.
Physical Space Security
Use appropriate measures – like locked doors
Question individuals without badges
Make sure that vendors check in and are escorted in your department
Taking UW Medicine Equipment from the Premises
Obtain authorization to take equipment offsite
Log out the equipment
When returned, log the equipment back in
Be aware of department expectations about off-site use of that equipment
Secure the information with controls comparable to those of equipment on-site
Who can install software on my workstation?
Only designated system administrators are to install software, and only licensed and authorized* software is used.
* Authorized means that the System Owner approves.
Appropriate Password Management
Where PHI is accessed, each user is issued a unique username and password.
It is against UW & UW Medicine Policy to share a user ID and/or password (this includes logging in for others…).
Comply with Copyright Law
Unauthorized use of software, images, music, or files is regarded as a serious matter, and any such use is without the consent of UW & UW Medicine.
If abuse of computer software, images, music, or files occurs, those responsible for such abuse may be held legally accountable as well as held accountable for violation of UW & UW Medicine Policy.
It is against UW & UW Medicine Policy for workforce members to copy or reproduce any licensed software except as expressly permitted by the software license.
Use of Departmental Computers (RCW 42.52.360, WAC 292-110-010)
In 1997, the State of Washington Executive Ethics Board defined permitted personal activities on State-owned computers. This policy was amended in 2002 to permit limited Internet use. Aside from occasional and de minimis (i.e., of minimal cost to the State) use, the policy prohibits the personal use of computers, email and the Internet. This limitation is similar to permitted personal use of non-computer resources, such as telephone calls. The State allows limited personal use of computer resources provided the use:
Results in little or no cost to the State
Does not interfere with the employee’s official duties
Is brief in duration, occurs infrequently, and is the effective use of time and resources
Does not disrupt or distract from the conduct of State business due to volume or frequency
Does not compromise the security or integrity of State property, information or software
Does not disrupt other State employees and does not obligate them to make personal use of State resources
Your Email is NOT Private
Before you freely email any extremely personal thoughts or information, please consider that, unlike telephone conversations, email and its archives are subject to legal and public inspection, and that many computers retain old emails in archives for years. Private watchdog groups, outside UW and Washington State, monitor email for abuse, and lawyers subpoena email as part of evidence gathering. If you do not want to see your most sensitive and/or private email printed in newspapers, do not send it.
More: Using Washington State Equipment
Washington State law also prohibits the use of UW computers for personal business-related, commercial, campaign or political purposes, to promote an outside business or group, or to conduct illegal activities. Additionally, employees are prohibited from allowing any member of the public to make personal use of state computers and computing resources. Washington State specifically prohibits use of the computer for all political and commercial activities. The following items have additionally been called out in detail:
Notices for the sale of personal items on any State-owned computer system
Notices for charity/fund-raising events, whether selling an item or raising money, unless the activity is University sponsored
Many Internet Activities Expressly Prohibited
Although de minimis personal Internet use is now allowable, many Internet activities are still prohibited. Downloading copyrighted files, such as MP3 music files, may violate copyright law and subject UW and you to penalties and fines. Other examples of improper or excessive use are listed on the Executive Ethics Board web site, http://www.wa.gov/ethics, and the UW Administrative Policy web site, http://www.washington.edu/admin/adminpro/APS/47.02.html
Some examples of permitted activities may be prohibited in Lab Medicine because of their potential impacts. For example, extensive use of streaming video or streaming audio can overload the capacity of the network and interfere with the laboratory information system.
Understanding Information Classification
Information classification is designated by the System Owner or Data Custodian.
Classification ensures the appropriate level of security is applied for information and information systems, based on the identified level of impact to confidentiality, integrity, and availability.
Definitions of Confidentiality, Integrity, & Availability
Confidentiality: ensuring that information is accessible only to those authorized to have access;
Integrity: safeguarding the accuracy, completeness, and control of information and processing methods;
Availability: ensuring that authorized users have access to information and associated assets when required.
PUBLIC Information
Information that is intended for, or can be viewed by, the public or the University community. Information can be verbal, electronic, or printed material.
Access to this information is usually anticipated or planned.
Examples include university web pages, course descriptions, faculty profiles, individual and departmental announcements, or other general information that can be viewed by the public.
RESTRICTED Information
Information used by the UW & UW Medicine workforce with an established need-to-know relationship.
Unauthorized data disclosure could impede the ability of UW & UW Medicine employees to conduct business, but does not violate any federal, state or UW regulations (e.g. poor business practices).
Examples include proprietary information, such as business plans, intellectual property, financial information or other sensitive materials that may affect workforce or organizational operations.
CONFIDENTIAL Information
Information that is very sensitive in nature, where access requires careful controls and protection. Unauthorized disclosure of this data could seriously and adversely impact UW & UW Medicine; the interests of employees, students, patients, or other individuals; and organizations associated with UW & UW Medicine.
Examples include: personally identifiable, and protected health information (PHI), workforce records, sensitive student records, social security numbers, legally protected University records, and passwords.
Follow Department Processes
Dispose of RESTRICTED and/or CONFIDENTIAL information in a secure manner.
All floppy disks, hard drives, CDs, etc. have to be wiped before being retasked to another use.
Contact your computer support person to help you. CHDD personnel can contact [email protected]. Center: Susan Conarroe. CTDS: Jeff Witzel.
Disposing of protected health information, proprietary documents, and confidential information in a secure and confidential manner
When PHI and proprietary information are included:
Paper Documentation – needs to be shredded, pulped, or otherwise obliterated in a manner that prevents reconstruction.
Microfilm and Microfiche – must be pulverized [1].
Laser Disks – those used in write once-read many (WORM) document imaging applications shall be pulverized.
Floppy Disks – shall be pulverized.
Compact Discs – shall be pulverized.
Magnetic Tape & Video Tape – the preferred method for destroying computerized data is magnetic degaussing. If destruction is not achieved by degaussing, it must be executed in an alternative manner that assures that the information cannot be reconstructed.
Hard Drives – to assure that computerized data is destroyed when equipment is decommissioned, a three-pass binary overwrite of the entire disk reasonably assures that the information cannot be reconstructed. An alternative to this process is to remove the hard drive from the device and pulverize it.
Carbon Rolls (from printers or fax machines) – the method for destroying carbon rollers removed from printers or fax machines is to send them to Environmental Services for destruction by autoclaving.
[1] Pulverized: Reduced (as by crushing, beating, or grinding) to very small particles that can not be reconstructed or used in any combination to reconstruct the original.
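The overwriting method from the media-reuse slide and the hard-drive item above, written out as an added example (not the deck's own procedure and not a UW Medicine tool): a three-pass overwrite that writes all 1s, then all 0s, then a random combination, syncs each pass to the device before the next, and checks that the original bytes can no longer be read back. The sample record, the temporary file name and the `demo` helper are constructed for this illustration; the caveat in the docstring is why the slide pairs file overwriting with whole-disk overwrite or pulverizing.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Pass patterns in the order the slides give them: all 1s, all 0s, then a
# combination (random bytes here, marked by None).
PATTERNS = (b"\xff", b"\x00", None)


def overwrite_file(path, passes=3, chunk_size=1 << 20):
    """Overwrite the bytes currently allocated to `path`, `passes` times.

    Every pass is flushed and fsync'd so it reaches the device before the
    next pattern goes down. Returns the number of bytes written per pass.
    Caveat: only the file's current blocks are touched; journaling or
    copy-on-write filesystems and SSD wear levelling can keep older copies,
    which is why the slides call for a whole-disk overwrite or pulverizing.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for i in range(passes):
            pattern = PATTERNS[i % len(PATTERNS)]
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def original_is_gone(path, original):
    """True if `original` can no longer be read back from the file."""
    data = Path(path).read_bytes()
    return len(data) == len(original) and original not in data


def demo(passes=3):
    """Constructed sample: write a marker record, wipe it, report the result."""
    original = b"PHI: sample patient record (constructed test data)\n" * 40
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")  # hypothetical scratch file
    os.close(fd)
    try:
        Path(path).write_bytes(original)
        written = overwrite_file(path, passes=passes)
        return written, len(original), original_is_gone(path, original)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())  # (2040, 2040, True)
```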
Report Events, Incidents and/or Malfunctions
An incident is an occurrence or event that conflicts with or interrupts a normal process.
Contact your Supervisor, System Operator and CHDD Administrator, Christene James 206-221-5496
Priorities of Incident Response
1. Protect human life and people's safety; human life always has precedence over all other considerations.
2. Protect RESTRICTED and/or CONFIDENTIAL data. Prevent exploitation of RESTRICTED and/or CONFIDENTIAL systems, networks or sites. Inform affected RESTRICTED and/or CONFIDENTIAL systems, networks or sites about penetrations that have already occurred.
3. Protect RESTRICTED and/or CONFIDENTIAL Information.
• Prevent exploitation of other systems, networks or sites, and inform already affected systems, networks or sites about successful penetrations.
Priorities - continued
4. Prevent damage to systems (loss or alteration of system files, damage to disk drives). Damage to systems can result in costly down time and recovery.
5. Minimize disruption of computing resources - including processes.
• It is better in many cases to shut a system down or disconnect it from a network than to risk damage to data or systems.
Protect Against Malicious Software
Do not disable the anti-virus software
Do not install or run unknown software
Report virus incident to your Help Desk
Protect Against Malicious Software (2)
Use anti-virus software to scan all diskettes and files provided to you by others, or after using them on another computer.
Do not open email attachments from unknown senders.
Verify attachments from known senders and scan them before opening. If you expect an attachment, make sure that the attachment's file type and sender are consistent with what was expected.
Follow this same process for Internet downloads.
Sanctions
The regulation requires that we apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures; the sanction is based upon our security policies and the relative severity of the violation.
UW has sanctions for the failure to follow policy and/or for a breach of patient confidentiality or information security.
Five Levels/Categories of Actions and/or Sanctions
After an investigation, a sanction level is applied:
[0] No Breach of Information Security
Although someone reported a suspected breach, upon investigation it is realized that an exception was granted.
[1] Unable to Determine Whether a Breach Occurred
A breach or potential breach was discovered after the system in question was redeployed, and evidence of the breach has been mostly or completely destroyed.
[2] Policy Violation with Mitigating Circumstances
The workforce member attempted to implement or supplement security controls, believing them to be in compliance or to be improving security.
Five Levels/Categories continued…
[3] Policy Violation without Reasonable Appearance of Malicious Intent
Unauthorized use of another employee's username and/or password.
[4] Policy Violation with Reasonable Appearance of Malicious Intent
1. Member of workforce intentionally alters or destroys data or equipment.
2. Failure to implement standards after repeated notification.
DEFINITIONS: System Owner & System Operator
System Owners are individuals within the UW & UW Medicine community accountable for the management and use of one or more electronic information systems, electronic databases, or electronic applications that are associated with UW & UW Medicine or EPHI.
System Operators administer and/or manage the daily activities of one or more electronic information systems, electronic databases, or electronic applications.
Data Custodian & Department Administrator/Manager
Data Custodians are the individuals who have been officially designated as accountable for protecting the confidentiality of specific data that is transmitted, used, and stored on a system or systems within a department, college, school, or administrative unit of UW Medicine.
Department Administrator/Manager: the individual who manages the users of UW Medicine systems.
The Life Cycle of User Privileges
Manager/Supervisor requests user privileges
Manager/Supervisor updates any information on the user or privileges during the workforce engagement
Manager/Supervisor disables user privileges when the workforce member is separated or transferred
Minimum Information Security Requirements
Approved Operating System that is patched in a timely manner
Protection Against Malicious Software (i.e. anti-virus protection)
Filtering or Firewall Protection
Enabled Logging and Auditing
Approved Network Media & Protocols
Advanced Information Security Requirements
Systems with RESTRICTED & CONFIDENTIAL Information must meet the Advanced Information Security Requirements
Implementation of Minimum Information Security Requirements with additional controls
Additional data protection required based on high risk analysis (higher level administration):
Strict data access policies and procedures
System access audit logs
Physical protection includes privacy mandates
Servers need certification
Questions?
Please let Christene James know if you have any questions.
206-221-5496 or [email protected]
UW Medicine Resource for Questions
Richard Meeks
HIPAA Compliance Officer
HIPAA Program Office
UW [email protected]
Reference Materials
1. UW Medicine Policies: https://security.uwmedicine.org/securitypolicies.asp