New Hire Information Security Awareness

  • 2,259 views
Uploaded on

IS Security orientation for new hires

IS Security orientation for new hires

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
2,259
On Slideshare
0
From Embeds
0
Number of Embeds
1

Actions

Shares
Downloads
0
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide
  • Presenter’s Talking Points: Stress the impact to patient safety and patient care.
  • Presenter’s Talking Points: Be sure to point out that John may not know that he downloaded a virus. Some malicious software works in a way that is invisible to the person that downloaded it. A site may look reputable, but that’s no guarantee that the software is safe to download. It’s important to stick with company approved software.
  • Presenter’s Talking Points: This is a difficult type of attack to guard against because it requires each of us to recognize when we are being conned. As much as we want to believe the best of people, we still need to verify that a person is legitimate. The only way to guard against social engineers is for everyone to stay aware. It is important to learn how to recognize these kinds of con artists, what to do if you suspect a con artist has contacted you, and how you can guard against being a victim of such a con. Other potential warning signs: Have you been contacted by someone claiming to be high up in the Company, or by someone outside of the Company who would normally not call you? If they are asking you for sensitive information, no matter how good their excuse for asking, verify they are who they say they are and that they are authorized to obtain such information from you. Someone higher up in the Company will appreciate that you are cautious with sensitive information, and someone outside the Company should expect such caution!
  • Presenter’s Talking Points: More ways to guard against social engineers: Ask for the name of their manager. This gives you a point of reference. You can always call their manager to verify the legitimacy of the contact. Refer the person to your Company or facility help desk. If someone is asking you for Company-related information, such as a dial-up connection number or information about how your computer works, your I.S. or Customer Services department should be able to help them. If they are legitimate, they will gladly call the help desk. Make sure you know Company and facility policies and standards. The best way to combat con artists is to be informed. If you are familiar with Company and facility policies and standards, you will better recognize when you are being asked to do something potentially dangerous.
  • Presenter’s Talking Points: Sometimes the caller will request information other than your user ID or password, and the information may seem harmless. Examples may include: The name of a supervisor. They could use that information to place a call to someone else within the facility, claiming to be the supervisor. They could use the appearance of authority to pressure the individual into supplying additional information. The phone number used to dial in to the facility’s network. They could claim to be an individual from another department, who’s trying to access the network for legitimate business purposes. Con artists may collect information from several different individuals. The information collected from one person may not be harmful, but the collective information may give the con artist the ability to access our computer systems.
  • Presenter’s Talking Points: It is also good practice to lock up video tapes when they are not in use.
  • Presenter’s Talking Points: Exiting applications and turning on password protected screensavers keep your workstation secure from passersby. Ask if everyone knows how to how to turn on the password protected screensaver when they leave their workstation. If they don’t, explain how. If someone else’s user ID appears on a computer that you should be the only user of, it could be an indication that someone has attempted to (or has successfully) accessed your computer. ( Note to Presenter: Make sure everyone understands this point. Training on this topic is a specific HIPAA Security requirement.) If you are locked out of a system and you haven’t had 3 or more unsuccessful login attempts, it could be an indication that someone has attempted to access a system using your user ID. ( Note to Presenter: Make sure everyone understands this point. Training on this topic is a specific HIPAA Security requirement.)
  • Presenter’s Talking Points: Make sure they know how to contact the FISO, HDIS, and (if applicable) IT helpdesk staff. Add the contact numbers to this slide or provide participants with a handout containing the proper contact names and numbers.
  • Presenter’s Talking Points: Be sure to stress that protected health information is more valuable to our patients than financial information. Whereas money can be replaced by your financial institution, a breach of patient privacy and safety cannot be undone.
  • Presenter’s Talking Points: Although the financial impact of a virus or worm can be substantial, the important point to stress is the potential impact to our patients.
  • Presenter’s Talking Points: Reference the Information Security Guide, pages 6-7, for more information about how to create quality passwords.
  • Notes to Presenter: Make them aware of which systems/applications they use that do not automatically enforce these requirements. Once the Authentication Standard is updated to allow a password change interval of 180 days, change the password change interval on this slide from 90 days to 180 days. If you are using the password change interval as a mitigating control for the vulnerability, “Application account lockout is not enabled,” change the slide text above to reflect a more frequent password change interval. Presenter’s Talking Points: Instruct them regarding how to change their password(s) for the application(s)/system(s) in question. Explain the importance of individual user accounts for accessing sensitive or confidential data. Explain that they could potentially be blamed for someone else inappropriately accessing information using that same user ID.
  • Presenter’s Talking Points: If the computer is used for Company purposes, including checking email, it is important to set up automatic updates to be certain all available security updates are applied. This helps guard the network from viruses and other attacks that could compromise the availability of key clinical systems, essentially affecting patient care in our hospitals. You can contact your facility IT staff for step-by-step instructions to properly secure your home PC in accordance with Company standards. Reference IS.SEC.001 Information Security – Program Requirements Policy, as well as the IT&S Mobile Computing and Virus Control Standards.

Transcript

  • 1. Information Security Awareness Employee Training XYZ Medical Center Gene Hubbard, FISO
  • 2. Purpose of this training The objective of this training is to prepare you to comply with the HIPAA Security Rule and other government regulations. Our goal is to ensure the confidentiality , integrity , and availability of all electronic protected health information (EPHI) that our facility creates, receives, maintains, or transmits.
  • 3. Why Does XYZ Need Information Security?
    • Information security helps us:
    • Protect the availability and integrity of clinical and patient administration systems.
    • Protect our patients’ confidentiality.
    • Maintain our facility’s reputation.
    • Comply with federal and state information security laws, including the HIPAA Security Rule.
    • The true cost of ignoring information security is an impact to patient safety and our quality of patient care!
  • 4. Doing Your Part
    • As an employee, you play a crucial role to protect our patients and our company. You are responsible to:
    • Protect your passwords.
    • Create quality passwords.
    • Safely use email and the Internet to help protect our systems from malicious software.
    • Recognize signs of someone attempting to illegally access our systems.
    • Get help or more information about Information Security, as needed.
  • 5. Keeping Passwords Private
    • To protect your passwords…
    • Keep your passwords to yourself.
    • Don’t allow others to give you their passwords, no matter the circumstance.
    • Never post passwords around your workstation.
    • If you suspect anyone has learned your password, change it. Call the help desk (4357 or H-E-L-P on the keypad) or your Facility Information Security Official (FISO) for assistance.
  • 6. The Case of the Busy Doctor…
    • You are a nurse at the Emergency Department nursing station, and a doctor approaches you at the beginning of his rounds. The doctor needs test results for Mrs. Jones. You do not have access to Mrs. Jones’ records, so the doctor wants to give you his user ID and password to print Mrs. Jones’ test results.
    • Where else could this happen in your facility?
    • Anywhere a computer is present.
    • What should you, the nurse, do?
    • Suggest that the doctor use the computer in the dictation room right next to the nurses’ station (or any common workstation).
    • What are the possible consequences for a nurse who signs onto a system using a doctor’s user ID and password? For the doctor?
    • They are both open to sanctions per Company policies.
  • 7. Creating Quality Passwords
    • It can be surprisingly easy for hackers to guess your password!
    • Create a hard to guess password and never share it.
    • If the application allows, use a combination of special characters (like @, #, !), numbers, and upper and lower case letters.
    • Never use words found in a dictionary or proper names.
    • Do not use social security numbers, names of family members, pet names, or birthdays.
    • If the application allows, create passwords that contain at least 7 characters.
    • Passphrases make great, easy to remember, hard to guess passwords!
  • 8. Protecting Against Email Viruses
    • Only open email that you need to perform your job.
    • Don’t open email attachments in strange or unexpected emails.
    • Transmit confidential information to appropriate individuals outside the company using only approved, secure methods. (Contact your FISO if you need additional information.)
    • Only use company approved software – when in doubt, ask!
    • Only use company supplied diskettes or CDs.
  • 9. The Case of the Mysterious Email Attachment…
    • It’s Christmas time. Mary, an administrative assistant at a facility, receives an email with an attachment from Bill Brown. She does not know Bill, but his email address shows that he works for a company that has a business relationship with her department. The email subject line reads “Dancing Santa Screensaver.”
    • What should Mary do with the email?
    • Delete it without opening. The subject line indicates it isn’t work related anyway, so there is no reason to take the risk of getting a computer virus.
    • If Mary received an email like this from a friend, what should she do?
    • Again, delete it without opening. The risk of receiving a computer virus from a friend is just as great.
    • If you suspect that you have opened an email that contains a virus, what should you do?
    • Notify your Facility Information Security Official (FISO), or other member of your facility’s IT staff immediately.
  • 10. Safe Internet Use
    • Only access websites that you need to perform your job.
    • Be cautious about entering any company information on an Internet site.
    • Do not access Internet email accounts (AOL, Hotmail, etc.) through the XYZ network or from XYZ computers.
    • When on the Internet, use passwords and IDs that are different than your XYZ ID and password.
    • Never download screensavers, games, or other executable files (such as files ending in .exe, .vbs, or .com) from the Internet or any other outside source.
  • 11. The Case of the Downloaded Screensaver…
    • John finds an Internet site with interesting healthcare-related screensavers. He downloads one that relates to his job.
    • What can happen as a result of John downloading the screensaver?
    • What looked like a simple screensaver may actually be a virus. John’s computer, and the entire HCA network, could be exposed. Clinical systems in John’s facility, as well as other facilities, could be shut down in order to contain the virus.
    • How can John ensure that the screensaver is safe to download?
    • He can’t. The only way for John to make sure he doesn’t download malicious software is to only use company approved software, including screensavers.
    • If you suspect that you have downloaded a virus from the Internet, what should you do?
    • Notify your Facility Information Security Official (FISO), Hospital Director of Information Systems (HDIS), or other member of your facility’s IT staff immediately.
  • 12. Social Engineering: Recognizing Con Artists
    • What is a Social Engineer?
    • “ Social Engineers” are con artists who attempt to gain access to confidential information by deceiving you.
    • They are good at what they do, and they know how to make you believe them.
    • They sound friendly and trustworthy, and sometimes will appear to be doing you a favor.
    • Possible Warning Signs
    • Is someone asking you "out of the blue" questions about patient information, system names, or software?
    • Has someone asked you for your password(s), or asked you to change your password(s) for them?
    • Did you initiate the call/email/office visit, or did they?
  • 13. Social Engineering: Outwitting Them!
    • Never give out your password over the phone. Even our own technical support can help you without knowing your password!
    • If you didn’t initiate the contact, offer to call them back through our facility’s help desk system. If they claim to be part of an authorized technical support team, you should be able to call them through normal channels.
    • Be aware of your surroundings. If you see someone you are not familiar with, politely ask their identity and ask if you can help them.
    • Don't be afraid to say "No." If anyone asks for information such as your user ID or password, or asks you to perform a task that goes against any Company policy, just say no.
    • Report it. If you think you have witnessed an attempted or successful security breach, report the incident to the FISO immediately.
  • 14. The Case of the Helpful Computer Technician…
    • You receive a call from Chris, who says he works for your HDIS. According to Chris, our facility has been exposed to a computer virus and he thinks your computer may be infected. To be sure, he needs your user ID and password. He says the situation is critical. If he can’t find the infected computers quickly, your facility’s network, including clinical systems, will have to be shut down to contain the virus.
    • Could a call like this ever be legitimate? Should you ever go along with a request for your user ID or password?
    • No! Legitimate computer technicians can always help you without having your user ID or password. Always insist that they do so, even if you know them or recognize their name.
    • Why would it be easy to fall for something like this?
    • Chris, like most social engineers, sounds legitimate. He appeals to your sense of duty by insinuating that your help could prevent a disruption to patient care. He also adds a sense of urgency, which further pressures you to supply information you may not otherwise share.
    • If you receive a call such as this, what should you do?
    • Don’t give out any information. Notify your FISO immediately.
  • 15. Media Controls
    • Protecting our systems only works if we also protect media.
    • Lock up portable storage and hand-held devices when not in use.
    • When transferring Electronic Protected Health Information (EPHI) to media such as USB drives, diskettes, and removable drives, use passwords, encrypt the data, and physically protect the media.
    • Keep sensitive and confidential information in a locked cabinet or drawer when not in use.
  • 16. What Else Can We Do? Be Aware!
    • Exit applications as soon as you complete your work.
    • Turn on your password protected screensaver when you walk away from your workstation.
    • If you are the only one who should use your computer, notify your FISO if someone else’s user ID appears on the login screen .
    • If you are locked out of a system, be sure to report it to your FISO.
  • 17. What Else Can We Do? Be Aware! (Continued)
    • In addition…
    • Read and follow the guidelines contained in the Information Security Guide.
    • Report any potential or suspected security breaches in your work area.
    • Use common sense!
    • Ask questions.
    • If you make a mistake, be the one to report it.
  • 18. Auditing!
    • Required by HCA, HIPAA and Sarbanes Oxley (SOX)
    • Access and use of all systems are monitored
    • Questionable activity and obvious violations are investigated.
    • All events reviewed by the Privacy/Security Committee composed of Ethics and Compliance Officer, Facility Privacy Officer, Facility Information Security Officer, Human Resources Director, or with the individual’s Director
    • If you make a mistake, be the one to report it.
  • 19. Sanctions for violations
    • Level 1 – Accidental and/or lack of education. Retraining, coaching.
    • Level 2 – Repeated Level 1 violations. Oral warning, retraining and re-evaluation, discussion of policy requirements.
    • Level 3 – Purposeful violation or repeated level 2 violation. Written warning, retraining, and discussion of policy requirements.
    • Level 4 – Purposeful violation or repeated level 3 violation, associated potential for patient harm. Termination, revocation of Medical Staff privileges, termination of contract.
  • 20. Examples of violations
    • Accessing your own or a family members record. (Level 3).
    • Accessing patient information (PHI) without a legitimate need to do so. (Level 3).
    • Using another Meditech user’s username and password to access Meditech. (Level 3) .
    • Sharing your username and password with any other person. (Level 3).
    • Improper disposal of PHI. (Level 1)
    • For more examples please refer to the Market Sanctions for Privacy, Security, and Appropriate Access Violations Policy available on the company’s Intranet
  • 21. Question and Answer
  • 22. In Closing
    • Over the past few years, we have moved rapidly into a very different world. More than ever before, we need to protect information systems.
    • Information security is essential to our business. You have an essential role in our success!
    • If you have any additional questions or concerns, contact our FISO or another member of our facility’s IT staff.
  • 23. Additional Reference Material You should each have a pocket sized copy of our information Security Guide. This is for your reference.
  • 24. What if…
    • What if it was your bank and your financial information at stake?
    • What if your bank’s employees…
    • Shared passwords that could access your bank account?
    • Posted passwords in plain site?
    • Jeopardized your account by opening unnecessary email attachments and accessing non-work related websites?
    • Let unescorted strangers wander through their work area without anyone asking questions?
    • Gave information over the phone to people they had never met that allowed strangers to access your account?
    • The confidentiality, integrity and availability of protected health information is invaluable to our patients!
  • 25. It Would Never Happen Here… Impacts of viruses and worms on operations
    • Patient safety was impacted at one facility when a worm infected and severely impacted the operation of 50 eMAR workstations due to password issues.
    • Clinical operations were affected throughout the company when SQLSlammer brought down XYZ’s core network for over 12 hours.
    • MSBlaster worm cost over $1,500,000 and 23,000 man hours of remediation effort (11.5 man years) in the first 4 weeks.
    • Public knowledge of a significant security incident devalues a company’s stock by an average of 5.5% within the first 3 days.  For XYZ, this represents a loss of over $1.09 billion in shareholder value.
  • 26. Appropriate Access: What Should We See?
    • Treat all information as if it were about you or your family.
    • Only access those systems you are officially authorized to access.
    • Only access information you need to do your job.
    • Protect all patient data, such as personal information, social security numbers, and medical data.
    • Only share sensitive and confidential information with others who have a "need to know."
    • Do not send protected health information outside our network boundaries unless using an approved means of protection.
  • 27. Creating Passphrases
    • Think of a phrase that is unique and familiar to you, easy to remember, but not easy to guess.
    • Use the first letter of each word to create a passphrase.
    • Example Passphrase
    • All good cows like to eat green grass.
    • Take the first letter of each word.
    • Use the number “2” instead of the letter “t” for “to.”
    • Your passphrase becomes “Agcl2egG”
    • This is only an example. Do not use this as a real password!
  • 28. Passwords and User IDs: Additional Protection
    • If an application doesn’t automatically enforce it, remember to:
    • Change your password every 180 days.
    • Don’t use the same password more than once in 12-month period.
    • Never use a generic or “shared” account to access applications that contain sensitive data, such as electronic protected health information (EPHI).
  • 29. Best Practices for Working From Home
    • When using your home computer for work purposes:
    • Install anti-virus software on your home PC.
    • Set up the anti-virus software so that every update will automatically be applied to your computer.
    • Set up an automatic update of the Windows operating system using Windows Update so that every Microsoft update will automatically be applied to the home computer.
    • Don’t trade files between your work computer and home system.
    • When in doubt, be safe! If you are unsure how to safely use your home computer, contact your FISO for more information.
  • 30. Protecting Laptops and PDAs
    • Use lockdown cables to secure your laptop at your workstation.
    • Lock up your PDA when it is not in use.
    • When traveling with a PDA or laptop:
      • Never leave it unattended, especially in public areas such as airports.
      • Never check it as baggage.
      • If your PDA or laptop is stolen, report it immediately to your FISO.
  • 31. HIPAA Security Rule
    • According to the HIPAA Security Rule, our facility must take specific measures to protect the Confidentiality, Integrity and Availability of Electronic Protected Health Information (EPHI).
    Confidentiality Data or information must not be available or disclosed to unauthorized persons. Integrity Data or information cannot be altered or destroyed in an unauthorized manner. Availability Data or information is accessible and usable upon demand by an authorized person.