Your Role in Information Security

University of Washington Division of Allergy & Infectious Diseases
Winter 2005
Overview
Information Security is not just about computers; it is how we go about our business here at UW Medicine.
• We have a set of standards and policies that define our Information Security requirements.
• Information Security is a responsibility of all the UW Medicine Workforce*.
* Faculty, employees, trainees, volunteers, and other persons who perform work for UW Medicine.
Version: 20040825 2 UW
Medicine
Users
Any individual using a computer connected to UW Medicine networks, or those who have been granted privileges and access to UW Medicine computing and network services, applications, resources, and information.
User Responsibilities (on or off site)
The customary ones:
• Comply with UW and UW Medicine policies,
• Comply with federal and state law, and
• Restrict use to authorized purposes.
User Responsibilities (on or off site) continued…
Directly related to information security:
• Report all suspected security and/or policy breaches to an appropriate authority;
• Don't disable your firewall and/or anti-virus;
• Protect access accounts, privileges, and associated passwords;
• Accept accountability for your individual user accounts;
• Maintain confidentiality.
Information Security Training -- Dependent on Your Role
Everyone: Privacy, Confidentiality, and Information Security Agreement
If you access PHI: New Employee Orientation and/or HCCS on-line HIPAA Training
If your system has PHI: System Owner and System Operator Training
UW Medicine Clear Workspace Standard (on or off site)
Reduce the risks of unauthorized access, loss of, and damage to information during and outside of normal working hours by putting away RESTRICTED and/or CONFIDENTIAL information in your workspace.
Clear it or Secure it (on or off site) . . .
• Lock away protected health information or critical business information when not in use. Store paper and computer media containing RESTRICTED AND/OR CONFIDENTIAL information in suitable locked cabinets or desks when not in use or when unattended.
• Clear RESTRICTED AND/OR CONFIDENTIAL information or critical business information from printers immediately.
• Protect mail and fax machines from unauthorized access.
• Locked doors count.
Log off or secure your workstations when not in use or unattended (on or off site)
• Terminate active computing sessions when unattended, unless they can be secured by an appropriate locking mechanism, like a password-protected screen saver (Ctrl+Alt+Delete, Lock Computer).
• Log off networked systems when the computing session is finished.
Workstation Requirements
• Screen saver activation: workstations with PHI in areas where patients or the public have access to a workstation require one-minute activation.
• After hours:
o AMC domain PCs are required to be logged off and powered on after hours.
o Otherwise follow the direction of those responsible for your computer support.
Reusing electronic media
Example: surplus or redistribute a computer
Media Intended for Reuse - Specific Processes
• Overwriting method: overwriting uses a software program to write data (1s, 0s, or a combination) onto the media. Common practice is to overwrite the media three times. Four times is better.
• Degaussing method: magnetically erases data from magnetic media. Two types of degausser exist: strong permanent-magnet degaussers and electric degaussers.
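As an added example (not code from the presentation or from UW Medicine), the overwriting method described above applied to a single file in Python: three passes of 0s, 1s and then random bytes, each flushed to the device before the next, followed by a check that the original content is no longer readable. It assumes a magnetic disk and a file with no other copies of its blocks; on SSD/flash media or for remapped sectors an overwrite does not reach every copy, which is why the deck also lists degaussing and physical destruction.

```python
"""Three-pass overwrite of one file (constructed example, not UW Medicine code)."""
import os
import secrets
import tempfile

# Pass patterns in order: all 0s, all 1s, then random data.  A None entry means
# cryptographically random bytes; any pass beyond the third is also random.
PASS_PATTERNS = (b"\x00", b"\xff", None)


def overwrite_file(path, passes=3, chunk_size=64 * 1024):
    """Overwrite every byte of `path` in place `passes` times; returns the pass count.

    Each pass is flushed and fsync'd so the data reaches the device before the
    next pattern is written.  Assumption: a magnetic disk and a file whose
    blocks are not duplicated elsewhere (no journal copies, no SSD wear
    levelling); those cases need degaussing or physical destruction instead.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for index in range(passes):
            pattern = PASS_PATTERNS[index] if index < len(PASS_PATTERNS) else None
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return passes


def residue_present(path, marker):
    """True if the byte string `marker` from the original content is still readable."""
    with open(path, "rb") as fh:
        return marker in fh.read()


def demo(passes=3):
    """Create a constructed 'record' file, overwrite it, and report the outcome."""
    marker = b"CONSTRUCTED-PATIENT-RECORD-SAMPLE"  # constructed sample, not real PHI
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(marker * 2000)  # 66,000 bytes, so the loop spans more than one chunk
        path = tmp.name
    try:
        before = residue_present(path, marker)
        done = overwrite_file(path, passes)
        after = residue_present(path, marker)
        size = os.path.getsize(path)
    finally:
        os.remove(path)
    return {"before": before, "after": after, "passes": done, "size": size}


if __name__ == "__main__":
    print(demo())
```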
Physical Space Security
• Use appropriate measures – like locked doors
• Question individuals without badges
• Make sure that vendors check in and are escorted in your department
Taking UW Medicine Equipment from the Premises
• Obtain authorization to take equipment offsite
• Log out the equipment
• When returned, log the equipment back in
• Be aware of department expectations about off-site use of that equipment
• Secure the information with controls comparable to those of equipment on-site
Who can install software on my workstation?
• Only designated system administrators are to install software, and
• Only licensed and authorized* software is used.
* Authorized means that the System Owner approves.
Appropriate Password Management
• Where PHI is accessed, each user is issued a unique username and password.
• It is against UW Medicine Policy to share a userID and/or password (this includes logging in for others…).
Comply with Copyright Law
• Unauthorized use of software, images, music, or files is regarded as a serious matter and any such use is without the consent of UW Medicine.
• If abuse of computer software, images, music, or files occurs, those responsible for such abuse may be held legally accountable as well as be held accountable for violation of UW Medicine Policy.
• It is against UW Medicine Policy for workforce members to copy or reproduce any licensed software except as expressly permitted by the software license.
Use of Departmental Computers (RCW 45.52.160, WAC 292-110-010)
In 1997, the State of Washington Executive Ethics Board defined permitted personal activities on State-owned computers. This policy was amended in 2002 to permit limited Internet use. Aside from occasional and de minimis (e.g., of minimal cost to the State) use, the policy prohibits the personal use of computers, email and the Internet. This limitation is similar to permitted personal use of non-computer resources, such as telephone calls. The State allows limited personal use of computer resources provided the use:
• Results in little or no cost to the State;
• Does not interfere with the employee's official duties;
• Is brief in duration, occurs infrequently, and is the effective use of time and resources;
• Does not disrupt or distract from the conduct of State business due to volume or frequency;
• Does not compromise the security or integrity of State property, information or software;
• Does not disrupt other State employees and does not obligate them to make personal use of State resources.
Your Email is NOT Private
Before you freely email any extremely personal thoughts or information, please consider that, unlike telephone conversations, email and its archives are subject to legal and public inspection, and that many computers retain old emails in archives for years.
Private watchdog groups, outside UW and Washington State, monitor email for abuse, and lawyers subpoena email as a part of evidence gathering. If you do not want to see your most sensitive and/or private email printed in newspapers, do not send it.
More: Using Washington State Equipment
Washington State law also prohibits the use of UW Medicine computers for personal business-related, commercial, campaign or political purposes, or to promote an outside business or group or to conduct illegal activities. Additionally, employees are prohibited from allowing any member of the public to make personal use of state computers and computing resources.
Washington State specifically prohibits use of the computer for all political and commercial activities. The following items have been additionally called out in detail:
• Notices for selling of personal items on any State-owned computer system.
• Notices for charity/fund-raising events, whether selling an item or raising money, unless the activity is University sponsored.
Many Internet Activities Expressly Prohibited
Although de minimis personal Internet use is now allowable, many Internet activities are still prohibited. Downloading files, such as MP3 music files, violates copyright laws and subjects UW to lawsuits. Internet activities can be traced back to your computer, and Internet sites can download software affecting the operation of your computer and the privacy of confidential information. Other examples of improper or excessive use are included in the Executive Ethics Board web site:
http://www.wa.gov/ethics
and the UW Administrative Policy web site:
http://www.washington.edu/admin/adminpro/APS/47.02.html
Some examples of permitted activities may be prohibited because of their potential impacts. For example, extensive use of streaming video or streaming audio can overload the capacity of the network and interfere with the laboratory information system.
Understanding Information Classification
Information classification is designated by the System Owner or Data Custodian.
Classification ensures the appropriate level of security is applied for information and information systems, based on the identified level of impact to confidentiality, integrity, and availability.
Definitions of Confidentiality, Integrity, & Availability
• Confidentiality: ensuring that information is accessible only to those authorized to have access;
• Integrity: safeguarding the accuracy, completeness, and control of information and processing methods;
• Availability: ensuring that authorized users have access to information and associated assets when required.
PUBLIC Information
• Information that is intended for, or can be viewed by, the public or the University community. Information can be verbal, electronic, or printed materials.
• Access to this information is usually anticipated or planned.
• Examples include university web pages, course descriptions, faculty profiles, individual and departmental announcements, or other general information that can be viewed by the public.
RESTRICTED Information
• Information used by the UW Medicine workforce with an established need-to-know relationship.
• Unauthorized data disclosure could impede the ability of UW Medicine employees to conduct business, but does not violate any federal, state or UW regulations (e.g. poor business practices).
• Examples include proprietary information, such as business plans, intellectual property, financial information or other sensitive materials that may affect workforce or organizational operations.
CONFIDENTIAL Information
• Information that is very sensitive in nature, where access requires careful controls and protection.
• Unauthorized disclosure of this data could seriously and adversely impact UW Medicine, the interests of employees, students, patients, or other individuals, and organizations associated with UW Medicine.
• Examples include: personally identifiable and protected health information (PHI), workforce records, sensitive student records, social security numbers, legally protected University records, and passwords.
Follow Department Processes
Dispose of RESTRICTED and/or CONFIDENTIAL information in a secure manner.
Secure disposal usually means to reduce to very small particles that cannot be reconstructed or used in any combination to reconstruct the original.
Report Events, Incidents and/or Malfunctions
An occurrence or event that conflicts with or interrupts normal process.
• Call the IT Services Helpdesk at (206) 543-7012
or
o Myrna Izidor (myrnai@u.washington.edu), 206-616-1594
o Dany Hun (dbhun@u.washington.edu), 206-616-4840
Priorities of Incident Response
1. Protect human life and people's safety; human life always has precedence over all other considerations.
2. Protect RESTRICTED and/or CONFIDENTIAL data. Prevent exploitation of RESTRICTED and/or CONFIDENTIAL systems, networks or sites. Inform affected RESTRICTED and/or CONFIDENTIAL systems, networks or sites about penetrations that have already occurred.
3. Protect RESTRICTED and/or CONFIDENTIAL Information.
• Prevent exploitation of other systems, networks or sites and inform already affected systems, networks or sites about successful penetrations.
Priorities - continued
4. Prevent damage to systems (loss or alteration of system files, damage to disk drives). Damage to systems can result in costly down time and recovery.
5. Minimize disruption of computing resources, including processes.
• It is better in many cases to shut a system down or disconnect from a network than to risk damage to data or systems.
Protect Against Malicious Software
• Do not disable the anti-virus software
• Do not install or run unknown software
• Report virus incidents to your Help Desk
Protect Against Malicious Software (2)
• Use anti-virus software to scan all diskettes and files provided to you by others or after using them on another computer.
• Do not open email attachments from unknown senders.
• Verify attachments from known senders and scan them before opening. If you expect an attachment, make sure that the attachment's file type and sender are consistent with what was expected.
• Follow this same process for Internet downloads.
Sanctions
• The regulation requires that we apply appropriate sanctions against individuals who fail to comply with the security policies and procedures, based upon our security policies and the relative severity of the violation.
• UW Medicine has sanctions for the failure to follow policy and/or for a breach of patient confidentiality or information security.
Five Levels/Categories of Actions and/or Sanctions
After an investigation, a sanction level is applied:
[0] No Breach of Information Security
Although someone reported a suspected breach, upon investigation it is realized that an exception was granted.
[1] Unable to Determine Whether a Breach Occurred
A breach or potential breach was discovered after the system in question was redeployed and evidence of the breach has been mostly or completely destroyed.
[2] Policy Violation with Mitigating Circumstances
The workforce member attempted to implement or supplement security controls believing them to be in compliance or improving security.
Five Levels/Categories continued…
[3] Policy Violation without Reasonable Appearance of Malicious Intent
Unauthorized use of another employee's username and/or password.
[4] Policy Violation with Reasonable Appearance of Malicious Intent
1. Member of workforce intentionally alters or destroys data or equipment.
2. Failure to implement standards after repeated notification.
DEFINITIONS: System Owner & System Operator
• System Owners are individuals within the UW Medicine community accountable for the management and use of one or more electronic information systems, electronic databases, or electronic applications that are associated with UW Medicine or EPHI.
• System Operators administer and/or manage the daily activities of one or more electronic information systems, electronic databases, or electronic applications.
Data Custodian & Department Administrator/Manager
• Data Custodians are the individuals who have been officially designated as accountable for protecting the confidentiality of specific data that is transmitted, used, and stored on a system or systems within a department, college, school, or administrative unit of UW Medicine.
• Department Administrator/Manager: the individual who manages the users of UW Medicine systems.
The Life Cycle of User Privileges
• Manager/Supervisor requests user privileges
• Manager/Supervisor updates any information on the user or privileges during workforce engagement
• Manager/Supervisor disables user privileges when the workforce member is separated or transferred
Access Principles
• Principle of Least Privilege: Access privileges for users are limited to what is necessary to be able to complete their assigned duties or functions.
• Principle of Separation of Duties: When it involves the potential for fraud, abuse, or other harm, whenever practical, no one person is responsible for completing or controlling a task, or set of tasks, from beginning to end.
• Principle of Minimum Necessary: Protected health information is defined as that "limited" health information required to perform a business activity or achieve an authorized requestor's specified purpose. Minimum necessary is based on the "need to know" principle, which directs that when a user accesses personal health information, the information accessed is required for the user's job function - role and responsibilities.
Minimum Information Security Requirements
• Approved Operating System that is patched in a timely manner
• Protection Against Malicious Software (i.e. anti-virus protection)
• Filtering or Firewall Protection
• Enabled Logging and Auditing
• Approved Network Media & Protocols
Advanced Information Security Requirements
Systems with RESTRICTED & CONFIDENTIAL Information must meet the Advanced Information Security Requirements:
• Implementation of Minimum Information Security Requirements with additional controls
• Additional data protection required based on high-risk analysis (higher-level administration):
o Strict data access policies and procedures
o System access audit logs
o Physical protection includes privacy mandates
o Servers need certification
Questions?
Please contact the following if you have any questions:
Myrna Izidor (myrnai@u.washington.edu, 206-616-1594)
Dany Hun (dbhun@u.washington.edu, 206-616-4840)
UW Medicine Resource for Questions
Richard Meeks
HIPAA Compliance Officer
HIPAA Program Office
UW Medicine
206-543-0300
meeksr@u.washington.edu
Reference Materials
1. UW Medicine Policies:
https://security.uwmedicine.org/securitypolicies.asp
2. Disposing of protected health information, proprietary documents, and confidential information in a secure and confidential manner
When PHI and proprietary information are included:
• Paper Documentation – needs to be shredded, pulped or otherwise obliterated in a manner that prevents reconstruction.
• Microfilm and Microfiche - must be pulverized [1].
• Laser Disks - used in write once-read many (WORM) document imaging applications, shall be pulverized.
• Floppy Disks - shall be pulverized.
• Compact Discs - shall be pulverized.
• Magnetic Tape & Video Tape - the preferred method for destroying computerized data is magnetic degaussing. If destruction is not achieved by degaussing, it must be executed in an alternative manner that assures that the information cannot be reconstructed.
• Hard Drives - To assure that computerized data is destroyed when equipment is decommissioned, a three-pass binary overwrite of the entire disk will reasonably assure that the information cannot be reconstructed. An alternative to this process is that the hard drive is removed from the device and pulverized.
• Carbon Rolls (from printers or fax machines) - The method for destroying carbon rollers removed from printers or fax machines is to send them to Environmental Services for destruction by autoclaving.
[1] Pulverized: Reduced (as by crushing, beating, or grinding) to very small particles that cannot be reconstructed or used in any combination to reconstruct the original.
3. UW Medicine Resources for Complaints & Investigations
Privacy Official's contact numbers for UW Medicine entities:
University of Washington Medical Center & Clinics: (206) 598-4342
Harborview Medical Center & Clinics: (206) 731-6048
University of Washington Physicians' Network: (206) 329-8976
University of Washington Sports Medicine Clinic: (206) 543-1552
University of Washington East Specialties Clinic: (206) 520-2222
University of Washington Hall Health Primary Care Center: (206) 685-1081
University of Washington Physicians: (206) 543-6420
University of Washington School of Medicine: (206) 543-0300
Certification
I certify that I have reviewed this PowerPoint presentation on information security for the Division of Allergy and Infectious Diseases.

Name (please print): _____________
Signature: _____________________
Date: _________________________
