LANCASTER GENERAL HEALTH LGCNHS INTRO TO COMPUTERS PRIVACY AND INFORMATION SECURITY
SECTION 1: GENERAL OVERVIEW

Privacy refers to the right of an individual to control his/her personal information and to not have it disclosed or used by others against their wishes.

Information Security means protecting information and information systems from unauthorized access, use, disclosure, modification, or destruction.
REGULATIONS AND STANDARDS

The following are only some of the regulations or standards that affect privacy and information security at Lancaster General Health:
• HITECH Act (Health Information Technology for Economic and Clinical Health Act), passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA)
• HIPAA (Health Insurance Portability and Accountability Act)
• HIPAA Privacy Rule
• HIPAA Security Rule
• Payment Card Industry (PCI) Security Standards
• PA Breach of Personal Information Notification Act
• Family Educational Rights & Privacy Act (FERPA)
DATA CLASSIFICATION

Lancaster General Health’s information falls into two categories:
• Public information is published or has been approved for general use, like the information on Lancaster General Health’s website.
• Non-Public information is not known by or released to the public without specific authorization or consent, like a patient’s medical record or billing information.

Non-Public information has four data classifications:
• Sensitive
• Confidential
• Proprietary
• Internal
“A NEED TO KNOW”

You are granted access to information based on your job, position, or role at Lancaster General Health, such as Student, Nurse, Housekeeper, System Administrator or Physician. You may only access classified information, such as PHI, on a need-to-know basis in order to carry out your job duties and responsibilities. You may not access classified information, such as PHI, out of curiosity or concern regarding family, friends, co-workers, or high-profile cases.
SECTION 2: PRIVACY

HIPAA Privacy Rule
The federal Privacy Rule identifies what information is protected and when and how that information may be used or disclosed.
• Protected Health Information (PHI)
• Notice of Privacy Practices (NOPP)
• Authorizations Are Required To Disclose PHI
• Facility Directory
• Limit What You Say in Public Areas
SECTION 3: INFORMATION SECURITY

Components of Information Security: C-I-A
Confidentiality – This component ensures that information is accessible only to those authorized to have access.
Integrity – In information security, integrity means that data is not modified without authorization, and that any unauthorized modification can be detected.
Availability – For any information system to serve its purpose, the information must be available when it is needed.
Appropriate/Acceptable Use of Information Systems

Appropriate or acceptable use is simply using information systems in ways that support Lancaster General Health’s Mission, Vision, and Values as well as its Policies, Procedures and Standards. The following are some examples of information systems usage that would be considered inappropriate or unacceptable:
• Using Lancaster General Health’s computer and network resources to conduct or communicate illegal activities, obscenities, threats, or harassment;
• Allowing access to LG-owned computer resources by unauthorized users;
• Using LG Health’s computer and network for commercial or profit-making purposes;
• Creating or forwarding “chain letters”;
• Failing to adhere to organizational or departmental policies, procedures, and/or protocol;
• Attempting to bypass or work around data protection controls.
Remote Access

Employees, students, and others who are authorized to work remotely (from home or while traveling for business) must use all reasonable means to maintain the security and privacy of Lancaster General Health’s classified information. Below are some specific examples to follow:
• Never reveal passwords or share access with others, including family members, friends, or any other non-authorized individuals.
• Store and destroy classified information, such as PHI, in the same manner as if you were at work or on site, for example by using secure network folders or shredding paper documents.
• Secure all portable devices – never let the device out of your sight, especially when going through areas such as airport security stations.
• Never leave your device unattended or in sight in a vehicle.
CLASSIFIED DATA/INFORMATION DISPOSAL

Never dispose of classified information, such as PHI (paper or electronic media), in the regular trash containers. Always ensure that classified information is discarded in the appropriate shred-it / blue containers, or shred it yourself. Do not leave the facility with classified information unless it is essential to your job and you have supervisory permission, or it is in accordance with strict organizational procedures. Make sure it is properly secured.
SECTION 4: PRIVACY AND INFORMATION SECURITY GUIDELINES

YOUR USER ID AND PASSWORD
NEVER reveal or talk about your password or share your password with ANYONE! The more characters in your password, the stronger it will be and the less likely it is to be guessed. Always use a combination of lower-case (a-z) and upper-case (A-Z) letters, numbers, and special characters such as $, @, &, *, !, %, =, etc. Your user ID and password are also referred to as your electronic credentials. The use of your individual electronic credentials, e.g. user ID and password or other means of authentication, constitutes your electronic signature and is treated as a written signature with all legal and ethical implications. ALWAYS sign off or lock your computer before walking away or letting someone else use the same computer.
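As an added illustration of the password guidance above (this is not part of the original training material and not LG Health's own policy engine), the Python below checks the length and character-class rules and gives a rough estimate of how much length buys compared with character variety. The minimum length, the user-ID rule and the sample passwords are assumptions chosen for the example.

```python
"""Password policy check plus a length-vs-variety estimate.

Added example; not LG Health's policy engine. MIN_LENGTH, the user-ID rule
and the passwords used in the usage section are assumptions.
"""
import math
import string

MIN_LENGTH = 8  # assumed; the slide only says "more characters is stronger"

# The four classes the slide asks for. The special set includes the
# characters it lists ($ @ & * ! % =) plus the rest of ASCII punctuation.
CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set("$@&*!%=" + string.punctuation),
}


def classes_used(pw):
    """Names of the character classes that appear in pw."""
    return {name for name, chars in CHAR_CLASSES.items() if any(c in chars for c in pw)}


def meets_policy(pw, user_id=""):
    """Return a list of problems; an empty list means the password passes.

    Rules: at least MIN_LENGTH characters, all four character classes,
    and (assumed) the password must not contain the user's own ID.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    missing = set(CHAR_CLASSES) - classes_used(pw)
    if missing:
        problems.append("missing " + ", ".join(sorted(missing)))
    if user_id and user_id.lower() in pw.lower():
        problems.append("contains user ID")
    return problems


def guess_space_bits(pw):
    """log2 of the brute-force space implied by length and classes used.

    This measures only how many combinations an attacker who knows the
    length and alphabet must try; it says nothing about dictionary words.
    """
    alphabet = sum(len(CHAR_CLASSES[name]) for name in classes_used(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "P@ssw0rd!x", "correcthorsebatterystaple"):
        print(f"{pw!r}: policy={meets_policy(pw, 'jdoe') or 'OK'} "
              f"space={guess_space_bits(pw):.1f} bits")
```

The estimate shows why the slide puts length first: a 25-character all-lower-case phrase implies a far larger search space (about 117 bits) than an 8-character password drawn from all four classes (about 52 bits). The estimate is of brute-force effort only; P@ssw0rd scores 52 bits by this measure yet appears in every attacker wordlist, so unpredictability matters as much as length. The policy check still enforces the combination rule the slide asks for.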
AUDITING AND MONITORING

Lancaster General Health information systems and applications are regularly monitored to ensure compliance with privacy and information security policies and standards, as well as to perform normal operational support. Users of Lancaster General Health’s information systems and/or applications should not have an expectation of guaranteed privacy when using these systems or applications. To monitor privacy and information security compliance, Lancaster General Health reviews certain types of activity that might indicate a privacy or security issue has occurred. Examples of activities reviewed may include:
• access outside a user’s role or job function;
• changes made to records outside a user’s role or job function;
• failed logon activity;
• extended inactivity.
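To make the four review items concrete, here is an added Python example (not LG Health's monitoring system, and not from the original slides) that runs each check over a handful of constructed audit lines: a role-to-record-type map catches access and changes outside a user's role, a sliding time window catches failed-logon bursts, and a last-seen date catches extended inactivity. The log format, users, roles, permissions and thresholds are all assumptions for the example.

```python
"""Review of audit-log activity for the four indicators listed above.

Added example, not Lancaster General Health's own monitoring tooling.
The log line format, the user/role map, the permission map and the
thresholds are assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: the record types each role may read or change.
ROLE_PERMISSIONS = {
    "nurse": {"chart", "meds"},
    "housekeeper": set(),
    "billing": {"billing"},
    "sysadmin": {"config"},
}
USER_ROLES = {"nbrown": "nurse", "tgrey": "nurse", "jdoe": "housekeeper",
              "mlee": "billing", "rsmith": "sysadmin"}

# Constructed sample audit lines: <timestamp> <user> <action> <object> <result>
SAMPLE_LOG = """\
2011-02-01T10:00:00 tgrey READ chart:pt0900 OK
2011-03-01T08:00:12 nbrown READ chart:pt1001 OK
2011-03-01T08:01:40 jdoe READ chart:pt1001 OK
2011-03-01T08:02:05 mlee UPDATE chart:pt1002 OK
2011-03-01T08:03:00 rsmith LOGIN - FAIL
2011-03-01T08:03:05 rsmith LOGIN - FAIL
2011-03-01T08:03:09 rsmith LOGIN - FAIL
2011-03-01T08:03:14 rsmith LOGIN - FAIL
2011-03-01T08:03:20 rsmith LOGIN - FAIL
2011-03-01T08:03:25 rsmith LOGIN - OK
2011-03-01T08:10:00 mlee READ billing:pt1002 OK
2011-03-01T08:20:00 nbrown UPDATE meds:pt1001 OK
2011-03-01T09:30:00 nbrown LOGOUT - OK
"""

FAILED_LOGON_THRESHOLD = 5                  # assumed: this many failures...
FAILED_LOGON_WINDOW = timedelta(minutes=5)  # ...within this window
INACTIVITY_LIMIT = timedelta(days=30)       # assumed definition of "extended"


def parse(log_text):
    """Turn the whitespace-separated lines into event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "obj": obj, "result": result})
    return events


def out_of_role_events(events):
    """Reads or changes to record types the user's role does not cover."""
    findings = []
    for e in events:
        if e["action"] not in ("READ", "UPDATE"):
            continue
        rec_type = e["obj"].split(":", 1)[0]
        allowed = ROLE_PERMISSIONS.get(USER_ROLES.get(e["user"]), set())
        if rec_type not in allowed:
            kind = "change-outside-role" if e["action"] == "UPDATE" else "access-outside-role"
            findings.append((kind, e["user"], e["obj"]))
    return findings


def failed_logon_bursts(events):
    """Users with THRESHOLD or more failed logons inside a sliding WINDOW."""
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "LOGIN" and e["result"] == "FAIL":
            per_user[e["user"]].append(e["ts"])
    flagged = []
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > FAILED_LOGON_WINDOW:
                start += 1  # drop failures that fell out of the window
            if end - start + 1 >= FAILED_LOGON_THRESHOLD:
                flagged.append(user)
                break
    return sorted(flagged)


def inactive_accounts(events, known_users, now):
    """Known accounts with no activity of any kind within INACTIVITY_LIMIT."""
    last_seen = {}
    for e in events:
        if e["user"] not in last_seen or e["ts"] > last_seen[e["user"]]:
            last_seen[e["user"]] = e["ts"]
    return sorted(u for u in known_users
                  if u not in last_seen or now - last_seen[u] > INACTIVITY_LIMIT)


def review(log_text, now_iso):
    """Run all three checks; now_iso is the review date as an ISO-8601 string."""
    events = parse(log_text)
    now = datetime.fromisoformat(now_iso)
    return {
        "out_of_role": out_of_role_events(events),
        "failed_logon_bursts": failed_logon_bursts(events),
        "inactive": inactive_accounts(events, USER_ROLES, now),
    }


if __name__ == "__main__":
    for name, hits in review(SAMPLE_LOG, "2011-03-20").items():
        print(f"{name}: {hits}")
```

The hits a reviewer sees from the sample are exactly the kinds the slide describes: a housekeeper reading a chart, a billing user changing a chart, five failed logons on one account inside a minute, and an account silent for more than thirty days. Production audit systems log more fields (workstation, patient relationship, application) and tune the thresholds per application, but the shape of the review is the same.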
LANCASTER GENERAL HEALTH IDENTIFICATION BADGE

Your Lancaster General Health identification badge:
• must be worn appropriately and at all times while on any Lancaster General Health property;
• provides a consistent process for identifying individuals authorized to access areas not available to the general public;
• provides patients and visitors a means of easily identifying authorized individuals.

Reminders about your Lancaster General Health identification badge:
• do not share your badge;
• do not allow piggybacking or tailgating – these are tactics used by unauthorized individuals who wait for you near a door, or walk closely behind you, so that you open the door and they gain access to a restricted area.
Maintain good privacy, information security and physical security on the following devices:
• Portable devices, e.g. laptops, USB/thumb drives, PDAs, etc.
• Printers
• Photocopiers
• Fax machines
• Multi-function machines (fax, copy and scanner)
• Telephone
PRIVACY AND INFORMATION SECURITY REPORTING METHODS

Always report immediately, upon discovery:
• any unauthorized use or disclosure of PHI or other classified information;
• any physical or information security issue that may affect the systems that contain classified information.

If you have a question or want to report a privacy or information security violation or concern, you may:
• Contact your immediate supervisor or manager, or
• Call the Compliance Alertline at 1-888-411-3380, or
• Submit it through the LG Health Intranet by clicking on Share Your Experience, then the Compliance link, or
• Contact the Lancaster General Health Privacy and Security Official, Ramon (Ray) Balut, phone 544-4060 or 544-2723, or email rabalut@lancastergeneral.org
THANK YOU FOR KEEPING INFORMATION PRIVATE AND SECURE AT LANCASTER GENERAL HEALTH
Three Good Quotes

A good security guy is someone who always looks both ways before crossing a one-way street.

Security in IT is like locking your house or car – it doesn't stop the bad guys, but if it's good enough they may move on to an easier target. — Paul Herbka

A computer lets you make more mistakes faster than any invention in human history - with the possible exceptions of handguns and tequila. — Mitch Ratliff
What We’ll Talk About…
1. LEARN A BIT ABOUT THE BAD GUYS
2. TAKE A LOOK AT HOW THEY DO IT
3. TALK ABOUT HOW TO PREVENT IT AT HOME & WORK
4. WHAT TO DO WHEN THINGS GO WRONG
A little bit about the bad guys…

Key things that made YOU a target:
• High speed / always-on access.
• The explosive growth of on-line banking, shopping etc.
• Proliferation of information on the Internet about you.
• Most people will pick dancing elves over security every time.

Who are the bad guys?
• Organized crime gangs
• Activists / “Hacktivists”
• Disgruntled employees, angry customers / patients, ex’s
• Script kiddies
A little bit about the bad guys…

Then:
• Teens & hackers looking to show off & create chaos
• Attacks were high profile
• Attacks were not targeted
• Attacks often resulted in loss of productivity, loss of access and disabled systems

Now:
• Cybercriminals located globally, focused on gaining profit
• Attacks are designed to be “low profile”
• Attacks are targeted, e.g. phishing, botnets & spyware
• Attacks result in loss of revenue, intellectual property & ID theft
How They Do It: Physical Access

At work:
• Downloading information from a workstation (USB, screen shots etc.)
• Directly placing malicious software on a system
• Keystroke capture device
• Improper disposal of information
• Passwords left lying around

At home:
• Downloading information from a workstation (USB, screen shots etc.)
• Directly placing malicious software on a system
• Simply stealing your computer, backup drive etc.
• Improper disposal of information
• No passwords used at all
How They Do It: Remote Access

At work:
• Accidentally placing classified information in the wrong place (web page, folder etc.)
• Weak wireless systems
• Shared credentials allowing remote access

At home:
• Weak WiFi at home
• Peer-to-peer networking improperly managed
• Placing too much information out on the web
How They Do It: The Number 1 tool of the bad guy… Malicious Software
How to prevent it: Sometimes you can’t

Malware is designed to run undetected in the background. Signs that your computer may already be infected:
• Changes to your web browser’s default or startup homepage.
• Your firewall & antivirus programs are frequently turned off.
• You can’t access security-related websites or update your antivirus.
• You get frequent alerts from your firewall about an unknown program or process trying to access the Internet.
• Programs and files are suddenly missing.
• Your computer (not just your connection) slows down, whether off-line or on-line.
How to prevent it: Tools you can use

BACK UP – local and remote
How to prevent it: Tools you can use

FIREWALL – What is a firewall?
• A tool that sits between your computer and the outside world.
• It prevents outsiders from “seeing” your computer and accessing services, applications, files etc. without your permission.
• You have a choice of software- and hardware-based firewalls.
• Firewalls must watch traffic coming in and going out of your system.
• Windows 7, Vista & XP SP2 have a software firewall turned on by default.
• You likely have one available if you have a wireless router.
• Firewalls are often part of a suite of tools.
How to prevent it: Tools you can use

ANTIVIRUS (AV)

Free:
• Basic AV protection
• Regular updates to signatures
• Little or no support

Paid:
• Part of a “suite” that includes AV, firewall, anti-spam etc.
• Rapid updates to signatures
• Support available

Whichever you choose, the product:
• Should detect all types of malware (virus, worm, Trojan, spyware etc.)
• Should protect e-mail, Internet and portable media
• Should use heuristics (looks for suspicious activity)
• Should keep history / report logging
How to prevent it: Tools you can use

BEYOND THE BASICS
• Use a “trusted source” tool such as Finjan Secure Browsing or AVG LinkScanner.
• Consider the use of whole-disk encryption, especially if you have a laptop.
• Consider LoJack for Laptops if you have a laptop.
• Consider using a Knoppix CD.
• Use a tool such as Darik’s “Boot and Nuke” (DBAN) before disposing of a computer or drive. Overwriting is reliable for magnetic hard drives; for a solid-state drive, use the drive’s built-in secure-erase command instead, or rely on whole-disk encryption and destroy the key.
What to do if things go wrong:
• Don’t panic and simply start deleting things.
• If you need time to think and plan, unplug your computer from the Internet.
• Update and run any anti-virus (AV), anti-trojan (AT) or anti-spyware (AS) products you already have installed on your computer.
• Record exactly the malware names, file names and locations of any malware the scans identify.
• If you don’t have any resident anti-virus installed on your system, or your AV product is not working, then consider using an online virus scan.
What to do if things go wrong (continued):
• Learn a little about the malware detected.
• Look up the malware on your AV product’s website.
• Google it.
• Depending on what you find, you may want to consider:
  • Changing passwords for banks, shopping, investments, social networks, e-mail (and work, if you access LG Health from home). Do this from a computer you know is clean, not the infected one, or the new passwords may be captured too.
  • Requesting new credit card(s).
• Be prepared to utilize that backup you created in step 1… You did create a backup, didn’t you?