1 / 24

HCI Data Security Initiative

HCI Data Security Initiative. HCI Data Security Initiative . Directive from Dr Vivian Lee, the Office of Legal Counsel, and UIT / ITS The policy applies to ALL areas of HSC, not just clinical areas . Department of Genetics Office of Comparative Medicine (Animal Research)

vinnie
Download Presentation

HCI Data Security Initiative

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HCI Data Security Initiative

  2. HCI Data Security Initiative • Directive from Dr Vivian Lee, the Office of Legal Counsel, and UIT / ITS • The policy applies to ALL areas of HSC, not just clinical areas. • Department of Genetics • Office of Comparative Medicine (Animal Research) • College of Health • College of Nursing • Huntsman Cancer Research • “If your reporting structure ends up at Dr. Lee, this applies to you”

  3. Data Security Initiative, Phase I Policy: System Requirements due by September 15 • Full Disk encryption required, on ALL laptops used to conduct anyU of U / HCI work, whether the work is clinical, research, administrative, etc. • This applies to both organization owned and personal laptops. • Covers laptops used at work, at home, at Starbucks, at cousin’s house, on trips… location of laptop is not a factor. • Applies to HSC work performed by non-HSC employees, such as other University department employees (eg, Biology, Chemistry, Business) and/or students.

  4. Data Security Initiative, Phase I Policy: System Requirements due by September 15 • All USB “Thumb Drives” (aka Flash drives) must be encrypted, and accounted for by CATG. • All external storage devices must be encrypted, and accounted for. (Eg, external USB Hard Drives used to back up systems or data.)

  5. Data Security Initiative, Phase I Policy: HR Requirements due by September 15 • Every employee (Hospital, Research, Administration) will be required to complete additional online HIPAA training on how to handle data. • Every employee will be required to “attest” that they are following the encryption policy.

  6. Data Security Initiative, Phase I Policy: HR Requirements due by September 15 • Every employee (Hospital, Research, Administration) will be required to complete additional online HIPAA training on how to handle data. • Every employee will be required to “attest” that they are following the encryption policy. • User accounts of employees who do not complete training and attest to compliance will be suspended.

  7. Data Security Initiative, Phase I Future violations of the policy will result in prescribed HR disciplinary actions For example: • First offense = remedial data protection training, HR disciplinary letter • Second offense = automatic “final warning” HR disciplinary letter • Third offense = employment termination In the case of a severe breach (ie, 500+ patients involved) the sanction could be termination on first offense. (Existing HSC “Sanctions Matrix” document available upon request)

  8. Data Security Initiative, Phase I Examples of prohibited use (after September): • Use unencrypted laptop to connect to PowerChart • Use unencrypted laptop to access HCI Webmail or U-Mail • Use unencrypted laptop to access HCI applications • Use unencrypted laptop to access to HCI Portals • Use unencrypted laptop to create work-related Excel file • Use unencrypted USB thumb drive to transfer data between systems • Use unencrypted external drive to backup systems (at work or at home) In the future, these prohibited use scenarios will include unencrypted “desktop” systems, personal devices (iPads, Android Pads, personal cell phones, etc.)

  9. Data Security Initiative • Background: U of U Health Sciences has open cases with Health and Human Services regarding lost / stolen laptops that were not encrypted, going back 3 years. HSC is negotiating the fine (hopefully) down to $750,000, with no media disclosure. • Another unencrypted laptop was stolen in January 2013 • Two encrypted laptops of HCI researchers / clinicians have been stolen in the past couple of months. (If laptops are encrypted, we don’t have to report the incidents to Health and Human Services.) • Two desktop systems of an HCI researcher were stolen from their home last year

  10. Data Security Initiative • To mitigate risk of further breaches at U of U Health Sciences, decision was made to expand existing laptop encryption policy to ALL HSC areas, and include USB thumb drives and external storage devices. • Risk of breach by variations in the policy deemed too great • Instances of laptops that started in Research areas and later had patient data on them via transfer to other personnel • Additional breaches at the U will almost certainly result in $1.5M fines, and press coverage (in cases of 500+ patients’ data)

  11. Data Security Initiative Examples of HHS violations: • Numerous organizations have had laptops stolen or lost, including the VA • Smaller practice in Idaho lost a laptop, media coverage & undetermined fine. • MD Anderson had a USB Thumb Drive lost by a Medical Student on a campus shuttle bus. Undetermined fine + media coverage. • Stanford Childrens Hospital had an unencrypted desktop system stolen in 2012 from within a locked office. The system had PHI data on it, Stanford was fined $1.5 Million, the incident was published in the press.

  12. Data Security Initiative, Phase I Impact • For organization-owned laptops, we don’t anticipate majorissues in meeting encryption standard. • Some laptops may need to be declared “obsolete” • PC laptops that don’t have TPM chip may be upgraded to Windows 8 • Macintosh laptops that can’t be upgraded to Lion or Mountain Lionmay need to be declared obsolete.

  13. Data Security Initiative, Phase I Impact • Personal laptops that are used for HCI / U of U HSC work (again, location is not a factor) • CATG needs to manually verify encryption on both organization-owned and personal laptops used for HCI or UU HSC work, used at HCI, or from home, or from wherever, before Sept 15.

  14. Data Security Initiative, Phase I Encrypting personal laptops - options: • Must use “full disk encryption” • For Macs, we recommend using “FileVault”, the Apple-supplied encryption that comes with Lion and Mountain Lion. • For PCs, Windows 8 Professional uses “Bitlocker”, the Microsoft-supported encryption we use on organization owned PC laptops. • If laptop can’t be upgraded to Lion/Mountain Lion or Windows 8 Professional, another option is “TrueCrypt”, which is freeware encryption • CATG will provide more “how to” information for users to encrypt their own systems • CATG can assist with encryption, if need be, as resources allow

  15. Data Security Initiative, Phase I USB “Thumb Drive” Encryption Directions • CATG will provide and assign encrypted USB thumb drives for HCI employee use • After September 2013, all other USB thumb drives will be disallowed.

  16. Data Security Initiative, Phase I Policy Changes – Summary – September 15 deadline • ALL laptops used to connect to HCI / U of U, or to perform HCI / U of U Health Sciences work need to have full disk encryption • CATG needs to manually verify encryption and collect inventory on these systems • CATG will be providing new, encrypted USB “thumb drives” • After September, all non-HCI provided thumb drives will be disallowed • Employees, Faculty & Students doing HCI work will need to complete online HIPAA training and attest that they are in compliance with requirements

  17. Data Security Initiative, Phase I “Where is this all going?” • Ultimately, we need to change our culture and how we approach handling data • The risks of severe fines and bad publicity (and potentially even more onerous restrictions) is substantial

  18. Data Security Initiative • Additional Security Initiative Phases are Coming in the next 6-18 months (and probably beyond) • Anticipated ramifications for future HSC infractions: • $1.5 Million fines for unencrypted devices lost with patient data. • Examples: Lost or stolen unencrypted laptop, lost or stolen (unencrypted) USB drive • NEW: the department where the breach occurs will pay the fines. • More stringent security measures imposed by HHS that would cover all HSC entities • Over time, more stringent security standards are coming. This is “Phase I”

  19. Data Security Initiative, Phase I Expected “Phase II” requirements: • Requirements will apply to desktop systems as well as laptops. • All systems at work will need to be encrypted. • Any system used remotely will need to be encrypted. • Cell phones and personal devices will need to be encrypted* * (HCI has a solution) • Movement toward reducing use of USB Thumb drives • A U of U approved “cloud” storage provider will be named, soon

  20. Data Security Initiative, Phase I What about Cell Phones and various “Pad” devices? • Cell Phones, iPads, Android Pads and Surface RT tablets are not covered under the September deadline. • CATG is implementing a system that will help ensure data protection on cell phones and mobile devices called “BoxTone” • Users will need to comply with password policies on cell phones / mobile devices in order to get HCI Email or other access to HCI data or system resources • Fortunately, this process is “self-service”, ie, CATG won’t need to touch every device

  21. Data Security Initiative, Phase I Policy Changes – Summary – September 15 deadline • All laptops used to connect to HCI / U of U, or to perform HCI / U of U Health Sciences work need to have full disk encryption • CATG needs to manually verify encryption and collect inventory on these systems • CATG will be providing new, encrypted USB “thumb drives” • After September, all non-HCI provided thumb drives will be disallowed • Employees, Faculty & Students doing HCI / HSC work will need to complete online HIPAA training and attest that they are in compliance with requirements

  22. Data Security Initiative, Phase I Benefits • Data Encryption is becoming more & more common on personal devices, anyway. • If you have personal data (eg, bank data) on your laptop, you’ll be covered if it gets lost or stolen • These measures will help HCI avoid bad publicity and/or a $1.5 Million fine, not to mention adverse employment actions • CATG is available to assist HCI Users get through this process

  23. Data Security Initiative, Phase I Coming Soon… • Information coming soon on online training and “attestation” module • We hope to receive approved encrypted USB thumb drives this month • We’ll contact managers & PI’s on getting an inventory of laptops in use, their status, and getting them encrypted. • More information coming on our “Comp Info” website, at https://hci-portal.hci.Utah.edu/sites/CompInfo • Please feel free to ask me or Tony Murillo any questions, via email or phone • Mark – x5-1277 • Tony – x5-5674

  24. Data Security Initiative, Phase I Questions? (Answers?) Thank you…

More Related