View stunning SlideShares in full-screen with the new iOS app!Introducing SlideShare for AndroidExplore all your favorite topics in the SlideShare appGet the SlideShare app to Save for Later — even offline
View stunning SlideShares in full-screen with the new Android app!View stunning SlideShares in full-screen with the new iOS app!
Information Security Awareness Employee Training XYZ Medical Center Gene Hubbard, FISO
Purpose of this training The objective of this training is to prepare you to comply with the HIPAA Security Rule and other government regulations. Our goal is to ensure the confidentiality , integrity , and availability of all electronic protected health information (EPHI) that our facility creates, receives, maintains, or transmits.
You are a nurse at the Emergency Department nursing station, and a doctor approaches you at the beginning of his rounds. The doctor needs test results for Mrs. Jones. You do not have access to Mrs. Jones’ records, so the doctor wants to give you his user ID and password to print Mrs. Jones’ test results.
Where else could this happen in your facility?
Anywhere a computer is present.
What should you, the nurse, do?
Suggest that the doctor use the computer in the dictation room right next to the nurses’ station (or any common workstation).
What are the possible consequences for a nurse who signs onto a system using a doctor’s user ID and password? For the doctor?
They are both open to sanctions per Company policies.
It’s Christmas time. Mary, an administrative assistant at a facility, receives an email with an attachment from Bill Brown. She does not know Bill, but his email address shows that he works for a company that has a business relationship with her department. The email subject line reads “Dancing Santa Screensaver.”
What should Mary do with the email?
Delete it without opening. The subject line indicates it isn’t work related anyway, so there is no reason to take the risk of getting a computer virus.
If Mary received an email like this from a friend, what should she do?
Again, delete it without opening. The risk of receiving a computer virus from a friend is just as great.
If you suspect that you have opened an email that contains a virus, what should you do?
Notify your Facility Information Security Official (FISO), or other member of your facility’s IT staff immediately.
John finds an Internet site with interesting healthcare-related screensavers. He downloads one that relates to his job.
What can happen as a result of John downloading the screensaver?
What looked like a simple screensaver may actually be a virus. John’s computer, and the entire HCA network, could be exposed. Clinical systems in John’s facility, as well as other facilities, could be shut down in order to contain the virus.
How can John ensure that the screensaver is safe to download?
He can’t. The only way for John to make sure he doesn’t download malicious software is to only use company approved software, including screensavers.
If you suspect that you have downloaded a virus from the Internet, what should you do?
Notify your Facility Information Security Official (FISO), Hospital Director of Information Systems (HDIS), or other member of your facility’s IT staff immediately.
Never give out your password over the phone. Even our own technical support can help you without knowing your password!
If you didn’t initiate the contact, offer to call them back through our facility’s help desk system. If they claim to be part of an authorized technical support team, you should be able to call them through normal channels.
Be aware of your surroundings. If you see someone you are not familiar with, politely ask their identity and ask if you can help them.
Don't be afraid to say "No." If anyone asks for information such as your user ID or password, or asks you to perform a task that goes against any Company policy, just say no.
Report it. If you think you have witnessed an attempted or successful security breach, report the incident to the FISO immediately.
You receive a call from Chris, who says he works for your HDIS. According to Chris, our facility has been exposed to a computer virus and he thinks your computer may be infected. To be sure, he needs your user ID and password. He says the situation is critical. If he can’t find the infected computers quickly, your facility’s network, including clinical systems, will have to be shut down to contain the virus.
Could a call like this ever be legitimate? Should you ever go along with a request for your user ID or password?
No! Legitimate computer technicians can always help you without having your user ID or password. Always insist that they do so, even if you know them or recognize their name.
Why would it be easy to fall for something like this?
Chris, like most social engineers, sounds legitimate. He appeals to your sense of duty by insinuating that your help could prevent a disruption to patient care. He also adds a sense of urgency, which further pressures you to supply information you may not otherwise share.
If you receive a call such as this, what should you do?
Don’t give out any information. Notify your FISO immediately.
Questionable activity and obvious violations are investigated.
All events reviewed by the Privacy/Security Committee composed of Ethics and Compliance Officer, Facility Privacy Officer, Facility Information Security Officer, Human Resources Director, or with the individual’s Director
What if it was your bank and your financial information at stake?
What if your bank’s employees…
Shared passwords that could access your bank account?
Posted passwords in plain site?
Jeopardized your account by opening unnecessary email attachments and accessing non-work related websites?
Let unescorted strangers wander through their work area without anyone asking questions?
Gave information over the phone to people they had never met that allowed strangers to access your account?
The confidentiality, integrity and availability of protected health information is invaluable to our patients!
It Would Never Happen Here… Impacts of viruses and worms on operations
Patient safety was impacted at one facility when a worm infected and severely impacted the operation of 50 eMAR workstations due to password issues.
Clinical operations were affected throughout the company when SQLSlammer brought down XYZ’s core network for over 12 hours.
MSBlaster worm cost over $1,500,000 and 23,000 man hours of remediation effort (11.5 man years) in the first 4 weeks.
Public knowledge of a significant security incident devalues a company’s stock by an average of 5.5% within the first 3 days. For XYZ, this represents a loss of over $1.09 billion in shareholder value.
According to the HIPAA Security Rule, our facility must take specific measures to protect the Confidentiality, Integrity and Availability of Electronic Protected Health Information (EPHI).
Confidentiality Data or information must not be available or disclosed to unauthorized persons. Integrity Data or information cannot be altered or destroyed in an unauthorized manner. Availability Data or information is accessible and usable upon demand by an authorized person.