UW Medicine (Version: 20040825)
User Responsibilities (on or off site)
The customary ones:
• Comply with UW and UW Medicine policies,
• Comply with federal and state law, and
• Restrict use to authorized purposes.
User Responsibilities (on or off site), continued
Directly related to information security:
• Report all suspected security and/or policy breaches to an appropriate authority;
• Don't disable your firewall and/or anti-virus;
• Protect access accounts, privileges, and associated passwords;
• Accept accountability for your individual user accounts;
• Maintain confidentiality.
Information Security Training -- Dependent on Your Role
• Everyone: Privacy, Confidentiality, and Information Security Agreement
• If you access PHI: New Employee Orientation and/or HCCS on-line HIPAA Training
• If your system has PHI: System Owner and System Operator Training
UW Medicine Clear Workspace Standard (on or off site)
Reduce the risks of unauthorized access to, loss of, and damage to information during and outside of normal working hours by putting away RESTRICTED and/or CONFIDENTIAL information in your workspace.
Clear it or Secure it (on or off site):
• Lock away protected health information or critical business information when not in use. Store paper and computer media containing RESTRICTED and/or CONFIDENTIAL information in suitable locked cabinets or desks when not in use or when unattended.
• Clear RESTRICTED and/or CONFIDENTIAL information or critical business information from printers immediately.
• Protect mail and fax machines from unauthorized access.
Workstation Requirements
• Screen saver activation: Workstations with PHI in areas where patients or the public have access to a workstation require one-minute activation.
• After hours: AMC domain PCs are required to be logged off and powered on after hours. Otherwise follow the direction of those responsible for your computer support.
Reusing Electronic Media
Example: surplus or redistribute a computer.
Media intended for reuse - specific processes:
• Overwriting method: overwriting uses a software program to write data (1s, 0s, or a combination) onto the media. Common practice is to overwrite the media three times. Four times is better.
• Degaussing method: magnetically erases data from magnetic media. Two types of degausser exist: strong permanent-magnet degaussers and electric degaussers.
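The overwriting method above, as an added example that is not part of the original training material: a small Python routine that performs the slide's three-pass overwrite (all 0s, all 1s, then a random combination) on a constructed sample file and then checks that the original content can no longer be found. The pass patterns, block size and sample record are assumptions made here, not UW Medicine's procedure.

```python
import os
import secrets
import tempfile

# Pass patterns following the slide: all 0s, all 1s, then a random combination.
# None means "fill this pass with random bytes".
PASS_PATTERNS = (b"\x00", b"\xff", None)
BLOCK_SIZE = 4096

def overwrite_passes(path, passes=3):
    """Overwrite every byte of the file at `path` in place, `passes` times.

    Each pass is flushed and fsync'd so the bytes reach the device rather than
    the page cache. Caveat: on journaling/copy-on-write filesystems and on
    SSDs with wear levelling, overwriting a file does not guarantee the old
    blocks are gone; whole-media overwrite or destruction is the reliable way.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for i in range(passes):
            pattern = PASS_PATTERNS[i % len(PASS_PATTERNS)]
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(BLOCK_SIZE, remaining)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return passes

def marker_present(path, marker):
    """Return True if `marker` still occurs anywhere in the file."""
    with open(path, "rb") as f:
        return marker in f.read()

def demo(passes=3):
    """Constructed demo: write a fake record, overwrite it, return (before, after)."""
    marker = b"CONSTRUCTED-SAMPLE-RECORD-NOT-REAL-PHI"  # constructed, not real data
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(marker * 200)  # about 7.6 KB, so the loop spans several blocks
    try:
        before = marker_present(path, marker)
        overwrite_passes(path, passes=passes)
        after = marker_present(path, marker)
    finally:
        os.remove(path)
    return before, after
```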
Physical Space Security
Use appropriate measures, such as locked doors.
Taking UW Medicine Equipment from the Premises
• Obtain authorization to take equipment offsite.
• Log out the equipment.
• When returned, log the equipment back in.
• Be aware of department expectations about off-site use of that equipment.
• Secure the information with controls comparable to those of equipment on-site.
Who can install software on my workstation?
Only designated system administrators are to install software, and only licensed and authorized* software is used.
* Authorized means that the System Owner approves.
Appropriate Password Management
Where PHI is accessed, each user is issued a unique username and password.
It is against UW Medicine Policy to share a userID and/or password (this includes logging in for others…).
Comply with Copyright Law
• Unauthorized use of software, images, music, or files is regarded as a serious matter, and any such use is without the consent of UW Medicine.
• If abuse of computer software, images, music, or files occurs, those responsible for such abuse may be held legally accountable as well as held accountable for violation of UW Medicine Policy.
• It is against UW Medicine Policy for workforce members to copy or reproduce any licensed software except as expressly permitted by the software license.
Use of Departmental Computers (RCW 45.52.160, WAC 292-110-010)
In 1997, the State of Washington Executive Ethics Board defined permitted personal activities on State-owned computers. This policy was amended in 2002 to permit limited Internet use. Aside from occasional and de minimis (e.g., of minimal cost to the State) use, the policy prohibits the personal use of computers, email and the Internet. This limitation is similar to permitted personal use of non-computer resources, such as telephone calls. The State allows limited personal use of computer resources provided the use:
• Results in little or no cost to the State;
• Does not interfere with the employee's official duties;
• Is brief in duration, occurs infrequently, and is the effective use of time and resources;
• Does not disrupt or distract from the conduct of State business due to volume or frequency;
• Does not compromise the security or integrity of State property, information or software;
• Does not disrupt other State employees and does not obligate them to make personal use of State resources.
Your Email is NOT Private
Before you freely email any extremely personal thoughts or information, please consider that, unlike telephone conversations, email and its archives are subject to legal and public inspection, and that many computers retain old emails in archives for years.
Private watchdog groups, outside UW and Washington State, monitor email for abuse, and lawyers subpoena email as part of evidence gathering. If you do not want to see your most sensitive and/or private email printed in newspapers, do not send it.
More: Using Washington State Equipment
Washington State law also prohibits the use of UW Medicine computers for personal business-related, commercial, campaign or political purposes, or to promote an outside business or group, or to conduct illegal activities. Additionally, employees are prohibited from allowing any member of the public to make personal use of state computers and computing resources.
Washington State specifically prohibits use of the computer for all political and commercial activities. The following items have been additionally called out in detail:
• Notices for selling of personal items on any State-owned computer system.
• Notices for charity/fund-raising events, whether selling an item or raising money, unless the activity is University sponsored.
Many Internet Activities Expressly Prohibited
Although de minimis personal Internet use is now allowable, many Internet activities are still prohibited. Downloading files, such as MP3 music files, violates copyright laws and subjects UW to lawsuits. Internet activities can be traced back to your computer, and Internet sites can download software affecting the operation of your computer and the privacy of confidential information. Other examples of improper or excessive use are included in the Executive Ethics Board web site:
http://www.wa.gov/ethics
and the UW Administrative Policy web site:
http://www.washington.edu/admin/adminpro/APS/47.02.html
Understanding Information Classification
PUBLIC Information
RESTRICTED Information
Information used by the UW Medicine workforce with an established need-to-know relationship.
Unauthorized data disclosure could impede the ability of UW Medicine employees to conduct business, but does not violate any federal, state or UW regulations (e.g., poor business practices).
Examples include proprietary information, such as business plans, intellectual property, financial information or other sensitive materials that may affect workforce or organizational operations.
CONFIDENTIAL Information
Information that is very sensitive in nature, where access requires careful controls and protection.
Unauthorized disclosure of this data could seriously and adversely impact UW Medicine, the interests of employees, students, patients, or other individuals, and organizations associated with UW Medicine.
Examples include: personally identifiable and protected health information (PHI), workforce records, sensitive student records, social security numbers, legally protected University records, and passwords.
Follow Department Processes
Report Events, Incidents and/or Malfunctions
An occurrence or event that conflicts with or interrupts normal process.
Call the IT Services Helpdesk at (206) 543-7012, or:
o Myrna Izidor (myrnai@u.washington.edu), 206-616-1594
o Dany Hun (dbhun@u.washington.edu), 206-616-4840
Priorities of Incident Response
1. Protect human life and people's safety; human life always has precedence over all other considerations.
2. Protect RESTRICTED and/or CONFIDENTIAL data. Prevent exploitation of RESTRICTED and/or CONFIDENTIAL systems, networks or sites. Inform affected RESTRICTED and/or CONFIDENTIAL systems, networks or sites about penetrations that have already occurred.
3. Protect RESTRICTED and/or CONFIDENTIAL Information.
• Prevent exploitation of other systems, networks or sites and inform already affected systems, networks or sites about successful penetrations.
Priorities - continued
4. Prevent damage to systems (loss or alteration of system files, damage to disk drives). Damage to systems can result in costly down time and recovery.
5. Minimize disruption of computing resources, including processes.
• It is better in many cases to shut a system down or disconnect from a network than to risk damage to data or systems.
Protect Against Malicious Software
• Do not disable the anti-virus software.
• Do not install or run unknown software.
• Report virus incidents to your Help Desk.
Protect Against Malicious Software (2)
• Use anti-virus software to scan all diskettes and files provided to you by others or after using them on another computer.
• Do not open email attachments from unknown senders.
• Verify attachments from known senders and scan them before opening. If you expect an attachment, make sure that the attachment's file type and sender are consistent with what was expected.
• Follow this same process for Internet downloads.
Sanctions
The regulation requires that we apply appropriate sanctions against individuals who fail to comply with the security policies and procedures that are based upon our security policies, according to the relative severity of the violation.
UW Medicine has sanctions for the failure to follow policy and/or for a breach of patient confidentiality or information security.
Five Levels/Categories of Actions and/or Sanctions
Five Levels/Categories, continued
[3] Policy Violation without Reasonable Appearance of Malicious Intent: unauthorized use of another employee's username and/or password.
DEFINITIONS: System Owner & System Operator
Data Custodian & Department Administrator/Manager
Data Custodians are the individuals who have been officially designated as accountable for protecting the confidentiality of specific data that is transmitted, used, and stored on a system or systems within a department, college, school, or administrative unit of UW Medicine.
Department Administrator/Manager: the individual who manages the users of UW Medicine systems.
The Life Cycle of User Privileges
• Manager/Supervisor requests user privileges.
• Manager/Supervisor updates any information on the user or privileges during workforce engagement.
• Manager/Supervisor disables user privileges when the workforce member is separated or transferred.
Access Principles
• Principle of Least Privilege: Access privileges for users are limited to what is necessary to be able to complete their assigned duties or functions.
Minimum Information Security Requirements
• Approved Operating System that is patched in a timely manner
• Protection Against Malicious Software (i.e. anti-virus protection)
• Filtering or Firewall Protection
Advanced Information Security Requirements
Systems with RESTRICTED & CONFIDENTIAL Information must meet the Advanced Information Security Requirements:
• Implementation of Minimum Information Security Requirements with additional controls
• Additional data protection required based on high risk analysis (higher level administration):
  Strict data access policies and procedures
  System access audit logs
  Physical protection includes privacy mandates
  Servers need certification
Questions?
UW Medicine Resource for Questions
Richard Meeks, HIPAA Compliance Officer
HIPAA Program Office, UW Medicine
206-543-0300
meeksr@u.washington.edu
Reference Materials
1. UW Medicine Policies: https://security.uwmedicine.org/securitypolicies.asp
2. Disposing of protected health information, proprietary documents, and confidential information in a secure and confidential manner
When PHI and proprietary information are included:
• Paper Documentation - needs to be shredded, pulped or otherwise obliterated in a manner that prevents reconstruction.
• Microfilm and Microfiche - must be pulverized [1].
• Laser Disks - used in write once-read many (WORM) document imaging applications; shall be pulverized.
• Floppy Disks - shall be pulverized.
• Compact Discs - shall be pulverized.
• Magnetic Tape & Video Tape - the preferred method for destroying computerized data is magnetic degaussing. If destruction is not achieved by degaussing, it must be executed in an alternative manner that assures that the information cannot be reconstructed.
• Hard Drives - to assure that computerized data is destroyed when equipment is decommissioned, a three-pass binary overwrite of the entire disk will reasonably assure that the information cannot be reconstructed. An alternative to this process is that the hard drive is removed from the device and pulverized.
• Carbon Rolls (from printers or fax machines) - the method for destroying carbon rollers removed from printers or fax machines is to send them to Environmental Services for destruction by autoclaving.
[1] Pulverized: Reduced (as by crushing, beating, or grinding) to very small particles that cannot be reconstructed or used in any combination to reconstruct the original.
3. UW Medicine Resources for Complaints & Investigations
Privacy Official's contact numbers for UW Medicine entities:
• University of Washington Medical Center & Clinics: (206) 598-4342
• Harborview Medical Center & Clinics: (206) 731-6048
• University of Washington Physicians' Network: (206) 329-8976
• University of Washington Sports Medicine Clinic: (206) 543-1552
• University of Washington East Specialties Clinic: (206) 520-2222
• University of Washington Hall Health Primary Care Center: (206) 685-1081
• University of Washington Physicians: (206) 543-6420
• University of Washington School of Medicine: (206) 543-0300
Certification