School of Medicine Orientation Information Security Training


Presentation Transcript


  1. School of Medicine Orientation Information Security Training August 2019

  2. What We Will Cover Today
     • Security Basics
     • How to Report a Security Concern or Breach

  3. Sources of Healthcare Confidentiality Obligations
     • HIPAA: Privacy, Security, and Breach Notification Rules
     • Massachusetts law: General confidentiality, combined with an obligation to report in certain circumstances
     • Department of Public Health (DPH) licensing law also requires confidentiality
     • Professional Codes of Ethics
     • Healthcare research is regulated by Institutional Review Board regulations (federal) and by contractual obligations (federal funding and data use agreements)

  4. Main Source of Healthcare Confidentiality Obligation

  5. What’s The Big Deal?
     At Feinstein Institute for Medical Research, an unencrypted laptop containing data from about 50 research studies and approximately 13,000 individuals was stolen from a car.
     • Big money payment: settled alleged HIPAA violations for $3.9 million
     • Ongoing government scrutiny: three-year corrective action plan
     • Loss of confidence and reputation: required to notify research subjects and media outlets

  6. Safeguards: BU Restricted Use Data
     Patient info in any form must be protected.

  7. Secure Your Devices
     Every device (e.g., desktop, laptop, phone) used to access, process, or store patient or research data must have:
     • An operating system that is supported and updated
     • Anti-malware (McAfee, free)
     • Disk encryption
     • Auto screen lock (15 min max)
     • See www.bu.edu/tech (search for “securing devices”)

  8. Phishing Emails
     • Almost every phishing attack is successful: at least a few users
       • click on a link or document that triggers a malware download, or
       • provide login credentials (i.e., name and password)
     • BU will never ask for login credentials by email
     • Check before you click:
       • Odd spelling, unexpected request
       • Hover over links to see where they really go
       • Look at the sender’s actual email address
     • Suspicious email? Forward it to abuse@bu.edu
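The three “check before you click” tests on this slide (does the sender’s real address match the name it claims, does a link’s visible text match where it actually points, does the message ask for credentials) can be turned into a small checker. This is an added example, not part of the training deck; the institution domain `bu.edu`, the keyword list and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

TRUSTED_DOMAIN = "bu.edu"   # assumed: the institution's real mail/web domain
INSTITUTION = "bu"          # assumed: short name a spoofed display name would use
CREDENTIAL_WORDS = ("password", "login credentials", "verify your account")
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]|$)", re.I)

class _LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs, i.e. what hovering over a link reveals."""
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
    def handle_data(self, data):
        if self._href is not None and data.strip():
            self.links.append((data.strip(), self._href))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def _domain(text):
    """Hostname if the text looks like a URL or bare domain, else ''."""
    m = HOST_RE.match(text.strip())
    return m.group(1).lower() if m else ""

def check_email(raw):
    """Return the list of red flags found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if INSTITUTION in display.lower().split() and not (
            sender_domain == TRUSTED_DOMAIN or sender_domain.endswith("." + TRUSTED_DOMAIN)):
        findings.append(f"display name claims {display!r} but address is {addr}")
    body = msg.get_payload()
    collector = _LinkCollector()
    collector.feed(body)
    for text, href in collector.links:
        if _domain(text) and _domain(text) != _domain(href):
            findings.append(f"link text {text!r} actually points to {href}")
    if any(w in body.lower() for w in CREDENTIAL_WORDS):
        findings.append("message asks for login credentials")
    return findings

# Constructed sample lure imitating the institution (not a real message).
PHISH = """\
From: BU Information Security <helpdesk@bu-edu-login.example.net>
To: student@bu.edu
Subject: Action required
Content-Type: text/html

<p>Your mailbox is full. Reply with your login credentials or visit
<a href="http://bu-edu-login.example.net/verify">www.bu.edu/verify</a>.</p>
"""
```

Running `check_email(PHISH)` reports all three red flags; a message from an address under `bu.edu` whose link text and target agree, and which asks for no credentials, produces an empty list.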

  9. BU Data Protection Standards, Classification Policy
     • Restricted Use: loss or misuse may require notification to individuals or state/federal government; includes:
       • HIPAA data, including individually identifiable health information used in research
       • SSN, driver’s license #, debit/credit card #, checking account # (billing records)
     • Confidential: loss or misuse may adversely affect individuals or BU business, such as a HIPAA Limited Data Set or FERPA (info about you as a student)
     • Internal: potentially sensitive, requires protection from disclosure
     • Public: does not require protection from disclosure

  10. Storing and Sharing Research Data
     Restricted Use
     • BU Restricted Use network drive (Y Drive)
     • BU Microsoft SharePoint, OneDrive, Teams, etc.
     • BU REDCap and MyCap app for research
     Confidential
     • MCHPCC Shared Computing Cluster (SCC4) for HIPAA Limited Data Set
     • Google Drive and other Google apps cannot be used for HIPAA or HIPAA Limited Data Set; only student (FERPA) or school-related communications
     BU Email options (Outlook and Gmail cannot be used – no encryption)
     • Use Data Motion to send a secure email, or
     • Encrypt the document or spreadsheet before attaching it. If you choose to encrypt the document and send it via non-secure email, take care to avoid identifying individuals in the subject line or body of the email.

  11. What is a Breach?
     • Any unauthorized access, use, or disclosure of patient information (including unintentional)
     • Theft or loss of devices
     • Unauthorized viewing/accessing, including snooping
     • Handing or sending PHI to the wrong person
     • Hacking / cyberattack

  12. Reporting Loss of Confidential Patient Information
     • Notify your department and send an email to the BU Incident Response Team (irt@bu.edu)
     • Information Security will determine who to involve and whom to report to
     • No provider or researcher is authorized to report; only BU Information Security, in coordination with the appropriate BU offices, can report
     • We’ll assess the situation, determine whether any notifications need to be made, and help you analyze how similar events can be prevented.

  13. Resources
     • General Computer Help: bumchelp@bu.edu
     • Securing Devices: http://www.bu.edu/tech/support/information-security/securing-your-devices/ or bu.edu/tech (search for “securing devices”)
     • BU HIPAA Policy: www.bu.edu/hipaa
     • BUMC Information Security Officer David Corbett: corbettd@bu.edu