USF IT Security
Ensuring IT Security: Policies, Training & Technology - PowerPoint PPT Presentation


Presentation Transcript

USF IT Security

HIPAA Practice

Ensuring IT Security:

Policies, Training & Technology


  • All USF workforce members utilizing/ coming in contact with HIPAA Protected Health Information (PHI) must complete this training program and pass the security quiz at the end of Part 4.

  • Employees directly involved in research with PHI must complete one additional module describing the relationship of HIPAA to the research process.


The purpose of this training is to provide USF faculty & staff information on:

  • USF data security requirements & procedures

  • The Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA)

  • The HITECH provisions of the ARRA Act


Part 1

General Network Information and Security Procedures


Accessing the USF Network


USF Computer Network

USF employees work on computers that are linked through a network that connects all computers at the university.


  • The network allows users to share computing resources and increases efficiency for all computer users.

  • A log-in ID and a secure password are needed to allow you to access this system.


USF Computer Network

With an ID and password, you are able to:

  • Use email

  • Access shared files & information stored in databases

  • Use hardware such as printers and scanners

  • Use software such as web browsers & virus protection programs.


Secure Log-in ID

The USF Information Technologies (IT) Office will help you establish a log-in ID that will be a unique identifier linking you to all of your computer transactions.


Secure Log-in ID

Like a fingerprint, your ID can be traced for all authorized and unauthorized activities conducted on the USF network.


Secure Password

  • You will need to establish a secure password to ensure that you and only you can access your network account and files.

  • Your secure password should NEVER be shared with others, including co-workers or family members.


Secure Password

To maximize security, passwords must be at least eight characters long and contain 3 of the following 4 types of characters: upper case letters, lower case letters, numbers, or special characters such as ! # &.

Example: GoBulls2!

Please don’t select this as your own password – make up one yourself!
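As an added example that is not part of the training, the following Python check implements the complexity rule stated above (at least eight characters, at least three of the four character classes) and also refuses the slide's own example password, since a published example is the first guess anyone would try. Treating "special characters" as all ASCII punctuation is an assumption; the slide lists only ! # & as examples.

```python
import string

MIN_LENGTH = 8
CLASSES_REQUIRED = 3

# The four character classes exactly as the policy lists them.  Treating
# "special characters such as ! # &" as all ASCII punctuation is an assumption;
# the slide gives only three examples.
CHARACTER_CLASSES = {
    "upper case letters": set(string.ascii_uppercase),
    "lower case letters": set(string.ascii_lowercase),
    "numbers": set(string.digits),
    "special characters": set(string.punctuation),
}

# The slide shows GoBulls2! as an example and tells users not to pick it.
PUBLISHED_EXAMPLES = {"GoBulls2!"}


def classes_present(password):
    """Return the policy class names found in the password, in policy order.

    Characters outside the four classes (spaces, non-ASCII letters) count toward
    the length but toward no class, so "Go Bulls 2" is not helped by its spaces.
    """
    return [name for name, chars in CHARACTER_CLASSES.items()
            if any(ch in chars for ch in password)]


def check_password(password):
    """Evaluate one candidate password against the policy.

    Returns (ok, reasons): ok is True only when every rule passes; reasons lists
    every rule that failed, so the user sees all problems at once.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"{len(password)} characters; at least {MIN_LENGTH} required")
    found = classes_present(password)
    if len(found) < CLASSES_REQUIRED:
        missing = [n for n in CHARACTER_CLASSES if n not in found]
        reasons.append(f"{len(found)} of 4 character classes; {CLASSES_REQUIRED} required "
                       f"(missing: {', '.join(missing)})")
    if password in PUBLISHED_EXAMPLES:
        reasons.append("matches the example password shown in the training")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed candidates: the slide's example, two weak ones and one that passes.
    for candidate in ["GoBulls2!", "gobulls2008", "Go2!", "Bulls!2012"]:
        ok, reasons = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected: ' + '; '.join(reasons)}")
```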


Password Aging

  • All users will be asked to change their network password every 6 months.

  • You will be prompted by email when it is time to change your password.

  • If you do not change your password in a timely manner, your account will be temporarily locked.


Appropriate Use

All USF users sign a statement agreeing to use the USF computers and network only to conduct activities related to the mission and business purposes of the University.


Closing Accounts

All USF computer accounts are automatically closed when employment ends. Some transitional services (such as auto-forwarding of e-mail messages) may be offered as allowed by USF policy.


USF Network Security


General Network Security

  • It is very important to protect all computer users at USF from loss or corruption of files and data on the network.

  • Network security is maintained through procedures and technical tools designed to prevent negative events like viruses, intrusion, and data loss.

  • These negative events have the potential to harm everyone connected within our computer network.


What is a computer virus?

  • A computer virus is a bit of computer programming code that instructs the computer to do something you did not intend for it to do.

  • The virus is usually invisible to the user until AFTER it has attached itself to the computer.


How do you get a computer virus?

Most computer viruses enter a computer from program or file “downloads” (for example, e-mail attachments) or from transfers from external disks (floppies, USB drives).


Although all USF PCs have a virus protection program installed, we all must be VERY CAREFUL about what we download to our computers.


Are viruses dangerous?

  • Some viruses are simply a nuisance, but others can seriously harm the network and permanently damage computers and data.

  • The cost of restoring the system after a virus attack is very high in both time and money.


How do viruses work?

  • Some viruses open pathways or holes in the system to provide access for later intrusion into the network.

  • Some viruses and intrusions are more damaging than others, but all of them represent a hole in the security of the network.

  • … computer, but may be searching for an unprotected point of access to the network.


USF E-mail Policies


Access to E-mail

  • USF has established an electronic mail (e-mail) system to improve communication and facilitate the important work at USF.

  • E-mail may be accessed directly from USF network computers, or remotely from other locations (e.g. home computer) through the USF web-server, using a log-in ID and secure password.


Appropriate Use

All communications using the USF e-mail system should be courteous and professional and should comply with USF anti-harassment policies, i.e., unwelcome, offensive or otherwise inappropriate messages are prohibited.


The USF e-mail system may not be used for:

  • lobbying activities

  • political or religious causes

  • private, commercial ventures


E-mail Messages are Public Records

  • All e-mail messages created, transmitted, and stored in the USF e-mail system are the property of USF and become part of the public record of the University.

  • Your e-mail messages may be released by the University upon receipt of a public records request.

  • If you don’t want to read about it in the newspaper, don’t put it in email.


E-mail Monitoring

  • USF reserves the right to review, audit, intercept, access, and disclose email.

  • However, your email will be treated as confidential and will be accessed only when necessary.


Remote Access


Remote Access

  • Employees who need remote access to the USF Network for purposes other than email must use Microsoft Remote Access or, for HIPAA access, the GoToMyPC remote access software.

  • GoToMyPC uses “encryption” to transfer information in a secure manner.

  • An application to establish a GoToMyPC account may be obtained from the CBCS Administrative Office.


What is encryption?

  • Encryption is the conversion of data into a form that cannot be easily understood by unauthorized people.

  • An encrypted computer will require you to enter one additional password as the PC or laptop boots up.


Laptop Security

  • All USF owned laptops (i.e., those that have a USF Property barcode tag) must have their entire hard disk drive encrypted.

  • Laptops will be encrypted by the IT staff during the initial setup of all new purchases.


Why is laptop encryption required?

  • Because of the portability of laptops, the chances of a lost or stolen laptop are higher than for an office-based workstation.

  • Thus, laptop encryption is used to protect our confidential data.


If only it had been encrypted…

  • A thief who stole a laptop from UC Berkeley might have walked off with more than a computer. The thief wandered into a building and snatched the laptop off a desk. The laptop contained personal data on more than 100,000 UC Berkeley alumni or applicants, such as their Social Security numbers, birth dates and addresses.

  • The school had to notify ALL 100,000 consumers who might have had their data compromised, some of whom had graduated as long ago as 1976!

  • Adapted from an article by Michael Liedtke, AP Business Writer.


What do I do if my laptop is stolen or lost?

  • Immediately contact the IT Help Desk at USF and report the loss.

  • The IT staff will help you secure sensitive data, investigate and document the loss, and report the incident to the proper authorities.


Adding New Equipment to the Network


If you purchase new computer equipment and want it connected to the USF network, it must comply with USF standards and be approved prior to purchase by the IT department.


If you purchase new equipment…

  • Contact the IT Help Desk at USF for additional information or go to the policy section of the IT website:

  • http://it.usf.edu/policies.cfm


Part 2

USF Security Policies and Procedures


Part 2 of this training program provides an overview of USF computer security policies and procedures.


Basic Principles

Faculty and staff at USF often use sensitive and confidential data to conduct research and evaluation studies.


Data security is not only an obligation of individual researchers, but also of the University and its Colleges and Institutes as academic entities.


Potential Dangers

Because USF stores confidential information, our data systems must be protected against:

  • Internet hackers

  • Access by unauthorized users

  • Improper printing or distribution of protected electronic information

  • Inappropriate use or access by employees

  • Other threats to protected information


Risk Assessment

  • To enhance the security of our data, USF systematically monitors its network for intrusions, security incidents, and inappropriate activity.

  • USF also conducts periodic audits of all PCs and network devices.


Security Infrastructure

Our security infrastructure includes:

  • clear policies and procedures

  • secure facilities and equipment

  • shared responsibility for information security among faculty and staff


Information Security

The USF security infrastructure includes the:

  • Information Security Officer (ISO)

  • Information Security Coordinator (ISC)

  • Data Network Committee

  • Information Liaison to each College and Dean


USF IT Liaison

  • Rick Jones acts as the liaison between USF IT and CBCS for all issues needing escalation between the two entities.


Part 3

HIPAA: Basic Information for All Employees


What is HIPAA?

  • HIPAA stands for the Health Insurance Portability and Accountability Act.

  • Congress passed HIPAA in 1996 to make health insurance eligibility “portable” from one employer to the next when employees change jobs or have a change in family status.

  • HITECH, passed by Congress in 2005, significantly affected HIPAA, including changes to security and privacy rules, increased enforcement, and more severe penalties.


HIPAA establishes a civil right to the protection of personal health information through the U.S. Department of Health and Human Services.

Health Information is any information created or received that relates to the past, present, or future physical or mental health of an individual.


What is Protected Health Information?

Protected Health Information (PHI) is any information that contains data that may be used to directly or indirectly identify an individual.


Elements that can make Health Information identifiable:

  • Address/geographic info

  • Name

  • Telephone #

  • Email address

  • Finger or voice prints

  • Social Security #

  • Vehicle I.D./device serial #

  • Health plan #

  • Certificate/license #

  • Name of employer

  • Names of relatives

  • Fax number

  • Birthdate; other dates

  • Photo image/x-rays

  • Internet IP address

  • Web URL

  • Medical record #

  • Account #


Does USF Have PHI data?

Yes, we house private information for individuals receiving services through Medicaid, Medicare, as well as mental health and substance abuse services. These data sets contain names, Social Security numbers, addresses, patient ID numbers, and other identifiers and are protected health information.


PHI is protected in any form:

  • database or computer files

  • email

  • conversations

  • documents

  • hand-written notes

  • student logs


Can PHI be used in research?

Yes. PHI may be used for research with the express authorization of the individual or through other measures designed to protect the privacy of the individual.


What is the impact on USF?

USF must provide as good, or better, security for sensitive data than the agencies and providers from whom we obtain the data.


Non-compliance with HIPAA can result in:

Minimum Penalties

  • Tier A (“Did not know”): $100

  • Tier B (“Reasonable cause”): $1,000

  • Tier C (“Willful neglect”): $10,000

  • Tier D (“Uncorrected violation”): $50,000

Maximum Penalties

  • Tier A: $25,000

  • Tier B: $100,000

  • Tier C: $250,000

  • Tier D: $1,500,000


How does USF protect PHI data?

Information security is the key to protecting PHI data. USF has developed

  • policies and procedures on Information Technology & Security through a HIPAA Practice established in the IT Security Department

  • training activities for employees

  • secure technology enhancements and risk assessment procedures.


Breach Notification

  • A breach generally is the unauthorized acquisition, access, use or disclosure of PHI.

  • Breach Notification – must provide notice, via first class mail, to the affected person(s) within 60 days of the breach.

  • In any case in which 500 or more persons are affected by a breach, notice to major media outlets must occur.


Policies

USF has security policies addressing:

  • Data procurement and use

  • Data access and security

  • Security incident reporting

  • Regular review of systems activity

For more information on specific policies, please contact USF IT or go to the policy webpage: http://it.usf.edu/security


USF Training

We provide training through:

  • mandatory, periodic, basic training for all USF faculty and staff on security procedures

  • specialized training for USF faculty and staff who use data that are subject to HIPAA guidelines.


USF Technology Security

USF has implemented several technological enhancements to address security concerns.


USF Technology Security

We have installed a Firewall to protect our network. A firewall is computer hardware and/or software that limits access to a computer network from an outside source. Firewalls are used to prevent computer hackers from getting into computer systems.


USF Technology Security

  • Restructured the USF computer network to increase security

  • Implemented the use of the GoToMyPC software for external data access to HIPAA ePHI


Part 4

Protected Data


Who can be an Authorized User?

An authorized user is a person who has:

  • completed this USF training module;

  • received permission to use the sensitive data (including collecting such data themselves);

  • been approved by the IT Security Office to use the USF secure data servers.


Becoming an Authorized User

  • To become an authorized user, submit an application to the HIPAA Security Director. The form may be obtained from USF IT.

  • A complete application will include supporting documentation of appropriate training as shown on the next slide.


Application Documentation

  • The certificate indicating that the applicant has completed the training on Human Subjects/Institutional Review Board (IRB) procedures required by the USF Division of Research Compliance.

  • A certificate from the IT Security Department indicating that this USF training on data security and HIPAA guidelines has been completed (may be submitted electronically)

  • If applicable, a signed Data Confidentiality Procedures agreement from the source from which the data were received (e.g., DCF, AHCA)


What is a Data Custodian?

The custodian of the data set is an authorized user who has primary responsibility for:

  • Developing the data use agreement with the source

  • Approving the scientific use of the data

  • Communicating with the IT HIPAA Security Director regarding the storage of data on a secure server

  • Ensuring that individuals who access data are appropriate co-investigators and have the approval of the data source (e.g., AHCA) to use these data.


All research data at USF, including data from active projects and archived data from inactive projects, are potentially subject to the regulation.


Three categories of data are subject to regulation:

  • Protected Health Information (see previous section)

  • Sensitive, personally identified data

  • Non-sensitive or de-identified data


Sensitive, Personally Identified Data

Sensitive, personally identified data are:

  • Any research data (such as demographic characteristics) that contain information that might allow an individual’s identity to become known to others (who do not have authorization to see the data).

  • In brief, sensitive data is all non-PHI data that allows the identification of participants.


Non-sensitive or de-identified data

  • Non-sensitive or de-identified research data is any data where all identifiers have been removed or individual persons/entities cannot be identified.

  • Non-sensitive or de-identified data should be secured in a manner that the data owner or investigator determines is reasonable and appropriate.
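As an added example that is not part of the training, the following Python scanner looks for the identifier elements from the Part 3 list that have a recognisable written format (Social Security #, telephone/fax number, email address, IP address, web URL, dates) and redacts them, the kind of check a data owner might run before treating a data set as de-identified. Names, addresses, employers and relatives have no fixed format and are deliberately not covered, so an empty result is not proof of de-identification. The sample record, the patterns, and the US m/d/y date format are constructed assumptions.

```python
import re

# Identifier elements from the slide that have a recognisable written format.
# Name, address, employer, relatives, photos and biometrics have no such format
# and are NOT detected here; a record with no matches may still be identifiable.
IDENTIFIER_PATTERNS = {
    "Social Security #": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Telephone # / Fax number": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    "Email address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "Internet IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Web URL": re.compile(r"https?://[^\s,;]+"),
    # US month/day/year is an assumption; other date styles would need more patterns.
    "Birthdate; other dates": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

# Constructed sample record (fictitious person, 555 number, example.edu domain).
SAMPLE_RECORD = (
    "Patient John Q. Public, DOB 03/14/1965, SSN 123-45-6789, "
    "phone (813) 555-0142, e-mail jqpublic@example.edu, "
    "portal https://portal.example.edu/visit, last login from 10.0.0.25."
)


def find_identifiers(text):
    """Return {element name: [matched strings]} for every element found in text."""
    found = {}
    for name, pattern in IDENTIFIER_PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            found[name] = matches
    return found


def redact(text):
    """Replace every detected identifier with its bracketed element name.

    Only formatted identifiers are removed; free-text names such as
    "John Q. Public" survive, which is exactly why a manual review is still
    needed before a data set is called de-identified.
    """
    for name, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{name}]", text)
    return text


if __name__ == "__main__":
    for element, values in find_identifiers(SAMPLE_RECORD).items():
        print(f"{element}: {values}")
    print(redact(SAMPLE_RECORD))
```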


Protecting Data at USF

  • Any data obtained or maintained by USF faculty or staff that include sensitive and/or PHI data should be protected from unauthorized disclosure.

  • It is recommended that all such data be stored on USF secure data servers.

  • Any data not stored on a USF secure server should be stored according to the Generally Accepted System Security Principles (GASSP) of the International Information Security Foundation.


Sharing data with other users…

If the source of the sensitive data asks you to provide or share sensitive data with specific individuals, specific procedures must be used (continued on next slide).


  • The request from the source should be in writing (or via confirmed e-mail) and kept on file

  • The request should be specific as to what data sets are to be given the person

  • The person who will gain access to the data must complete the process to become an authorized user

  • No authorized user can allow anyone else to access or use data without following credentialing/approval by the USF IT HIPAA Security Director.


Archived Data

If you have data that are no longer needed:

  • Determine if the data can be destroyed or deleted from server (this should comply with any data use agreements);

  • Maintain documentation on file that the PI has removed the data from his/her PC or other form of data storage and secured it appropriately.


Paper Copies of Data

  • If you print copies of sensitive/PHI data, the printed documents should never leave the USF premises and should be secured promptly.

  • Non-secured printouts should be shredded – never discarded or recycled.


Notification of Data Acquisition

  • The department chair or other designated authority should notify the HIPAA Security Director when a research project that will use sensitive data is approved at the departmental level.

  • Any USF investigator acquiring sensitive data should send a brief description of the data to the HIPAA Security Director.


  • The investigator may also choose to keep sensitive, primary data (data collected by the researcher for a specific research project) outside of a secure data server, provided that the researcher demonstrates adequate proof of security. That proof must be filed with the HIPAA Security Director.


Data Access by Non-Authorized Users

  • All disclosures of sensitive/PHI data to non-authorized users must be approved by the custodian, with notice provided to the HIPAA Security Director.


Project Closure

Custodians for sensitive data sets should inform the HIPAA Security Director when:

  • Projects have ended and the data can be archived

  • Computers are to be removed from the network and inactivated




HIPAA Training

  • Individuals who will be conducting research projects or who will be working with PHI data should also complete the training module on the impact of HIPAA on research at USF.


Please proceed to the security quiz to reinforce your knowledge of critical security procedures.

Click on the following link, print and complete the quiz, and send it to the USF IT HIPAA Security Office, SVC 4010.

LINK

