A small presentation I gave to a not-for-profit healthcare organization.

1. September 24, 2014
Brian Solomon

2.  Keep a clean computer
 Data/ePHI Security at the Workstation
 Passwords
 Summary
 References
Brian Solomon 2

3.  Never open email attachments from unknown senders.
 Never re-send “chain-mail.”
 Keep your operating system software up to date.
 Install anti-spyware software and keep it updated.
 Install anti-virus software and keep it updated.
 Make sure your firewall is enabled.
 Use strong passwords (See Password section).
 Remove unnecessary software.
 Use secure system configuration settings (browser, email, etc…).
Brian Solomon 3

4.  Never provide passwords or other personal information via email.
 Log off your computer when you leave your workstation.
 Use a strong screen saver with password. Password-protected
screensavers should be enabled on workstation/laptops with a time-
out interval deemed appropriate.
 All sensitive information such as ePHI must be encrypted.
 Periodically backup your data.
 If external data drives are used (CDs, flash drives, etc..), secure them
before leaving your workstation.
 Have your IT department evaluate any shareware or free software
before downloading.
Brian Solomon 4

5.  Passwords ought to have a minimum of six alphanumeric characters
in length.
 A “Strong” password contains a combination of upper and lower case
letters, numbers, and special characters (&, #, !, @, etc…).
 Passwords should not contain a word found in the dictionary, in any
language, slang, jargon nor represent a name.
 Passwords should expire, be changed, every 90 to 180 days.
 If passwords need to be written down or stored on-line, they should
be stored in a secure place separate from the application or system
that is being protected by the password.
Brian Solomon 5

6.  Employees should not use the “Remember Password” feature of their
computer or installed applications.
 Employee passwords and account information should never be
shared.
 In rare cases where password sharing is unavoidable, restricted
account access should be established by the IT staff.
 Password audits should be performed on a periodic basis by the IT
staff.
Brian Solomon 6

7.  Never open email attachments from unknown senders.
 Never re-send “chain-mail.”
 Use strong passwords.
 Never provide passwords or other personal information via email.
 Log off your computer when you leave your workstation.
 If external data drives are used (CDs, flash drives, etc..), secure them
before leaving your workstation.
 Do not use the “Remember Password” feature of the computer or
installed applications.
Brian Solomon 7

8.  Reference to HIPAA Standard: Security Management Process
(161.308(a)(1));
 Information Access Management (161.308(a)(4));
 Security Awareness and Training (161.308(a)(5));
 Access Control (161.312(a));
 Person or Entity Authentication (164.312(d)),
 Workstation Use 164.310(b);
 Workstation Security 164.310(c).
Brian Solomon 8