USF IT Security HIPAA Practice Ensuring IT Security: Policies, Training & Technology
All USF workforce members using or coming into contact with HIPAA Protected Health Information (PHI) must complete this training program and pass the security quiz at the end of Part 4. • Employees directly involved in research with PHI must complete one additional module describing the relationship of HIPAA to the research process.
The purpose of this training is to provide USF faculty & staff information on: • USF data security requirements & procedures • The Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) • The HITECH provisions of the ARRA Act
Part 1 General Network Information and Security Procedures
Accessing the USF Network
USF Computer Network USF employees work on computers that are linked through a network that connects all computers at the university.
The network allows users to share computing resources and increases efficiency for all computer users. • A log-in ID and a secure password are needed to allow you to access this system.
With an ID and password, you are able to: • Use email • Access shared files & information stored in databases • Use hardware such as printers and scanners • Use software such as web browsers & virus protection programs.
Secure Log-in ID The USF Information Technologies (IT) Office will help you establish a log-in ID that will be a unique identifier linking you to all of your computer transactions.
Like a fingerprint, your ID can be traced for all authorized and unauthorized activities conducted on the USF network.
Secure Password • You will need to establish a secure password to ensure that you and only you can access your network account and files. • Your secure password should NEVER be shared with others, including co-workers or family members.
To maximize security, passwords must be at least eight characters long and contain 3 of the following 4 types of characters: upper case letters, lower case letters, numbers, or special characters such as ! # &. Example: GoBulls2! Please don’t select this as your own password – make up one yourself!
Password Aging • All users will be asked to change their network password every 6 months. • You will be prompted by email when it is time to change your password. • If you do not change your password in a timely manner, your account will be temporarily locked.
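The password rules above (minimum length, 3 of 4 character types, six-month aging) written as a check; this is an added example, not USF's own tooling. Treating any character that is not an ASCII letter or digit as "special", rejecting the sample password printed in the training, and counting six calendar months from the last change are assumptions of this sketch.

```python
import calendar
import string
from datetime import date

MIN_LENGTH = 8                      # slide: at least eight characters
REQUIRED_CLASSES = 3                # slide: 3 of the 4 character types
MAX_AGE_MONTHS = 6                  # slide: change every 6 months
PUBLISHED_EXAMPLES = {"GoBulls2!"}  # printed in the training (assumed rejected)

def character_classes(password):
    """Return the set of character types that appear in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("number")
        else:
            classes.add("special")  # assumption: everything else is special
    return classes

def policy_violations(password):
    """List every rule the password breaks; an empty list means it passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too short")
    if len(character_classes(password)) < REQUIRED_CLASSES:
        violations.append("fewer than 3 character types")
    if password in PUBLISHED_EXAMPLES:
        violations.append("published example password")
    return violations

def change_due_date(last_changed):
    """Date six calendar months after the last change, clamped to month end."""
    month_index = last_changed.month - 1 + MAX_AGE_MONTHS
    year = last_changed.year + month_index // 12
    month = month_index % 12 + 1
    day = min(last_changed.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)

def change_required(last_changed, today):
    """True once the six-month window has elapsed."""
    return today >= change_due_date(last_changed)
```

The sample password from the slide meets the length and character-type rules, so only the explicit list of published examples catches it.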
Appropriate Use All USF users sign a statement agreeing to use the USF computers and network only to conduct activities related to the mission and business purposes of the University.
Closing Accounts All USF computer accounts are automatically closed when employment ends. Some transitional services (such as auto-forwarding of e-mail messages) may be offered as allowed by USF policy.
USF Network Security
General Network Security • It is very important to protect all computer users at USF from loss or corruption of files and data on the network. • Network security is maintained through procedures and technical tools designed to prevent negative events like viruses, intrusion, and data loss. • These negative events have the potential to harm everyone connected within our computer network.
What is a computer virus? • A computer virus is a bit of computer programming code that instructs the computer to do something you did not intend for it to do. • The virus is usually invisible to the user until AFTER it has attached itself to the computer.
How do you get a computer virus? Most computer viruses enter a computer from program or file “downloads” (for example, e-mail attachments) or from transfers from external disks (floppies, USB drives).
Although all USF PCs have a virus protection program installed, we all must be VERY CAREFUL about what we download to our computers.
Are viruses dangerous? • Some viruses are simply a nuisance, but others can seriously harm the network and permanently damage computers and data. • The cost of restoring the system after a virus attack is very high in both time and money.
How do viruses work? • Some viruses open pathways or holes in the system to provide access for later intrusion into the network. • Some viruses and intrusions are more damaging than others, but all of them represent a hole in the security of the network.
An intruder may not be interested in what is on your computer, but may be searching for an unprotected point of access to the network. • A virus may even send sensitive information from your computer to another unauthorized location.
USF E-mail Policies
Access to E-mail • USF has established an electronic mail (e-mail) system to improve communication and facilitate the important work at USF. • E-mail may be accessed directly from USF network computers, or remotely from other locations (e.g. home computer) through the USF web-server, using a log-in ID and secure password.
Appropriate Use All communications using the USF e-mail system should be courteous and professional and should comply with USF anti-harassment policies, i.e., unwelcome, offensive or otherwise inappropriate messages are prohibited.
The USF e-mail system may not be used for: • lobbying activities • political or religious causes • private, commercial ventures
E-mail Messages are Public Records • All e-mail messages created, transmitted, and stored in the USF e-mail system are the property of USF and become part of the public record of the University. • Your e-mail messages may be released by the University upon receipt of a public records request. • If you don’t want to read about it in the newspaper, don’t put it in email.
E-mail Monitoring • USF reserves the right to review, audit, intercept, access, and disclose email. • However, your email will be treated as confidential and will be accessed only when necessary.
Remote Access • Employees who need remote access to the USF Network for purposes other than email must use Microsoft Remote Access or, for HIPAA access, the GoToMyPC remote access software. • GoToMyPC uses “encryption” to transfer information in a secure manner. • An application to establish a GoToMyPC account may be obtained from the CBCS Administrative Office.
What is encryption? • Encryption is the conversion of data into a form that cannot be easily understood by unauthorized people. • An encrypted computer will require you to enter one additional password as the PC or laptop boots up.
Laptop Security • All USF owned laptops (i.e., those that have a USF Property barcode tag) must have their entire hard disk drive encrypted. • Laptops will be encrypted by the IT staff during the initial setup of all new purchases.
Why is laptop encryption required? • Because of the portability of laptops, the chances of a lost or stolen laptop are higher than for an office-based workstation. • Thus, laptop encryption is used to protect our confidential data.
If only it had been encrypted… • A thief who stole a laptop from UC Berkeley might have walked off with more than a computer. The thief wandered into a building and snatched the laptop off a desk. The laptop contained personal data on more than 100,000 UC Berkeley alumni or applicants, such as their Social Security numbers, birth dates and addresses. • The school had to notify ALL 100,000 consumers who might have had their data compromised, some of whom had graduated as long ago as 1976! • Adapted from an article by Michael Liedtke, AP Business Writer
What do I do if my laptop is stolen or lost? • Immediately contact the IT Help Desk at USF and report the loss. • The IT staff will help you secure sensitive data, investigate and document the loss, and report the incident to the proper authorities.
Adding New Equipment to the Network
If you purchase new computer equipment and want it connected to the USF network, it must comply with USF standards and be approved prior to purchase by the IT department.
If you purchase new equipment... • Contact the IT Help Desk at USF for additional information or go to the policy section of the IT website: http://it.usf.edu/policies.cfm
Part 2 USF Security Policies and Procedures
Part 2 of this training program provides an overview of USF computer security policies and procedures.
Basic Principles Faculty and staff at USF often use sensitive and confidential data to conduct research and evaluation studies.
Data security is not only an obligation of individual researchers, but also of the University and its Colleges and Institutes as academic entities.
Potential Dangers Because USF stores confidential information, our data systems must be protected against: • Internet hackers • Access by unauthorized users • Improper printing or distribution of protected electronic information • Inappropriate use or access by employees • Other threats to protected information
Risk Assessment • To enhance the security of our data, USF systematically monitors its network for intrusions, security incidents, and inappropriate activity. • USF also conducts periodic audits of all PCs and network devices.
Security Infrastructure Our security infrastructure includes: • clear policies and procedures • secure facilities and equipment • shared responsibility for information security among faculty and staff
Information Security The USF security infrastructure includes the: • Information Security Officer (ISO) • Information Security Coordinator (ISC) • Data Network Committee • Information Liaison to each College and Dean
USF IT Liaison • Rick Jones acts as the liaison between USF IT and CBCS for all issues needing escalation between the two entities.
What is HIPAA? • HIPAA stands for the Health Insurance Portability and Accountability Act. • Congress passed HIPAA in 1996 to make health insurance eligibility “portable” from one employer to the next when employees change jobs or have a change in family status. • Congress passed HITECH in 2005, which significantly affected HIPAA, including changes to security and privacy rules, increased enforcement, and more severe penalties.