Personal Accountability for Data Stewardship
Medical Students
1
• Review of elements of data stewardship, including personal and professional accountability
• Safeguarding patient and other confidential information
• Do’s and Don’ts
• Current Security Threats
• Tools and resources
Agenda
2
Your Accountability for Data Stewardship
• All UW Medicine workforce members are personally and professionally responsible for the security and integrity of confidential information, electronic or paper, entrusted to you
• Workforce members include: faculty, staff, students and trainees, volunteers, and other persons who perform work for UW Medicine
3
Confidential Information
Confidential Information: data whose protection is required by law
• Protected health information (PHI)- protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Individual Student Records – protected by Family Educational Rights and Privacy Act (FERPA)
• Personally identifiable information (PII) - financial information (e.g., credit card, bank), social security number and driver’s license number – protected by Washington’s breach notification law
• Proprietary intellectual property, trade secrets, research data – protected by the Washington Public Records Law
4
• “Breach” is the unauthorized acquisition, access, use or disclosure of unsecured PHI that compromises the security or privacy of the PHI
• Breaches of unsecured PHI require notification to the HHS Office for Civil Rights and to the affected individuals
• Encryption is what keeps a lost or stolen device from being a breach: electronic PHI that is encrypted is not “unsecured” PHI, so electronic PHI must be encrypted
HIPAA Breach
5
Possible consequences . . . We may:
• have a breach
• need to notify the patient of the breach
• have to pay fines and penalties
• lose the trust of our patients
• lose the trust of the general public
• have closer scrutiny by the media and
• have closer scrutiny by enforcement agencies
May result in corrective/disciplinary action for individual(s) violating UW Medicine policy
Why Is This Important to Me?
6
• Unencrypted laptop and external hard drive stolen from locked, parked car
• Briefcase containing (paper) PHI stolen from locked, parked car
• Backpack containing (paper) PHI stolen from locked, parked car
• Unencrypted laptop containing PHI and PII stolen from office in Health Science Building
Recent Examples of Loss
7
If you use a mobile device to store or transmit PHI or PII, your mobile device MUST be encrypted!
Number One
8
NEVER leave confidential data in your car!
Number Two
9
• Encrypt and password protect data
• Do not save to an unencrypted mobile device
• Use encrypted email or send through an approved email domain
• Do not open an email or attachment from an unknown source
• Obtain approval to take PHI offsite and do not leave it unattended
• Report all possible breaches
WHAT YOU CAN DO
10
Steps to secure confidential information:
When taking information offsite, secure it and keep it in your possession at all times.
Social Media Creates Vulnerabilities for Workforce
• Patient privacy must be maintained
• Discussion about patients should never take place on social networking sites, even if patient names are not used. The patient, their family and your co-workers may recognize them.
• Social Networking Policy and Guidelines: http://depts.washington.edu/comply/social_media/
Patient Information and Social Media
11
• Think twice before posting
• If in doubt, don’t post
• Remember your legal and ethical obligation to maintain patient privacy and confidentiality at all times
• Do not share, post or otherwise disseminate any information, including images, about a patient or information gained in your professional relationship
• Do not identify patients by name or publish information that may lead to the identification of a patient
• Anonymity is a myth
• Familiarize yourself with and use conservative privacy settings regardless of the content on your profile
How to Avoid Problems
12
CURRENT SECURITY THREATS
13
A breach is the inappropriate acquisition, access, use or disclosure of protected health information. Examples:
BREACHES
Lost or stolen device containing unencrypted PHI
Clicking suspicious external links (usually sent via email or accessed via internet usage)
Accessing the information of others “out of curiosity”
Information sent to the wrong location via email, fax, or mail
Paper information not disposed of properly or handed to the wrong person
Smartphone/Tablet Security
If you use a smartphone or tablet to conduct UW business, such as accessing your UW email:
• Auto-lock the device and use a strong password
• Enable encryption on the device
• Set an automatic lockout timer on the device
• Activate Tamper Wipe
• Activate the “find my phone” function
• Don’t use cloud backup services, such as iCloud or Google Drive, unless the service is approved by UW Medicine IT Security for PHI or FERPA data
• Don’t store data on the SIM card
15
Don’t click on links and don’t open attachments from unknown or unexpected sources
Protect Yourself
17
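The slides tell you not to click links from unexpected sources but not how to tell a suspicious link apart. The following is an added example, not part of the UW Medicine training deck: it pulls every link out of an HTML email body and flags the two classic phishing tells, a link whose visible text names one site while its href goes to another, and a link whose host falls outside the domains you expect mail from (an IP-address host or a non-web scheme is flagged too). The trusted-domain list and the sample message are constructed for illustration; the real allowlist would come from UW Medicine IT Security.

```python
"""Flag suspicious links in an HTML email before anyone clicks them.

Added example (not from the training deck). TRUSTED_DOMAINS and SAMPLE_EMAIL
are constructed for illustration only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for illustration; substitute the domains your organisation uses.
TRUSTED_DOMAINS = {"washington.edu", "uw.edu", "uwmedicine.org"}

# Constructed phishing-style message: the first link's visible text is a real UW
# address but its href points elsewhere; the third link uses a bare IP host.
SAMPLE_EMAIL = """<p>Your UW NetID password expires today.</p>
<a href="https://uw-netid-verify.example.net/login">https://itconnect.uw.edu/security/</a>
<a href="https://depts.washington.edu/uwmedsec/restricted/training/">security training</a>
<a href="http://192.0.2.10/update">Update now</a>"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels). Fine for .edu/.org/.com, wrong for co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# Something that looks like a hostname inside the link's visible text.
_HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def classify_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link is suspicious; an empty list means nothing was found."""
    reasons = []
    parsed = urlparse(href.strip())
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"non-web scheme {parsed.scheme!r}")
        return reasons
    host = parsed.hostname or ""
    if parsed.username is not None:
        # https://uw.edu@evil.example/ : the part before '@' is userinfo, not the host
        reasons.append(f"userinfo in URL (real host is {host})")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("bare IP address host")
    target = registered_domain(host)
    if target not in trusted:
        reasons.append(f"host {host} outside trusted domains")
    shown = _HOST_IN_TEXT.search(text)
    if shown and registered_domain(shown.group(1)) != target:
        reasons.append(f"visible text says {shown.group(1)} but link goes to {host}")
    return reasons


def scan_html(body, trusted=TRUSTED_DOMAINS):
    """Return [(href, visible_text, reasons)] for every link in an HTML body."""
    collector = _LinkCollector()
    collector.feed(body)
    return [(href, text, classify_link(href, text, trusted)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, reasons in scan_html(SAMPLE_EMAIL):
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{verdict:10} {href}  ({text!r})")
        for reason in reasons:
            print(f"           - {reason}")
```

The mismatch check matters because mail clients render only the visible text; hovering over the link, or running a check like this on the raw HTML, is the only way to see the real destination. The crude `registered_domain` helper is deliberate: a full public-suffix list is the right tool in production, but it is not needed to show the technique.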
Disposal of Electronic PHI
• Remove data prior to disposal, recycling, or reassignment of electronic devices (e.g., fax machine, biomedical device, desktop computer, or mobile device)
• Empty your electronic trash bin regularly
• Deleted files and emails may still exist on your device until you empty the trash bin
Contact your entity Help Desk for assistance with the above practices.
18
• If you get infected, or think you may be infected, contact DOM IT at [email protected]
• Report information security incidents when they occur to DOM IT
• Report the loss or theft of PHI to UW Medicine Compliance at 206.543.3098 or [email protected]
Incident Reporting
19
• Review, Sign & Turn In (staff will collect these at the end of the class meeting)
• You are accountable for what you are signing
PCISA
20
Privacy, Confidentiality & Information Security Agreement
TOOLS AND RESOURCES
21
Tools to Assist You in Safeguarding Data
• Creating strong passwords: https://depts.washington.edu/uwmedsec/restricted/accounts-and-passwords/
• How to encrypt: https://depts.washington.edu/uwmedsec/restricted/guidance/encryption/
• Securing your physical space: contact your building facilities department
• Education and training materials: https://depts.washington.edu/uwmedsec/restricted/training/
• UW Medicine Privacy, Confidentiality and Information Security Agreement (PCISA)
http://depts.washington.edu/comply/docs/002_F1.pdf
22
OneDrive for Business (formerly UW SkyDrive Pro)
• requires UW NetID
https://depts.washington.edu/uwsom/information-technology/skydrivepro
http://www.washington.edu/itconnect/wares/online-storage/onedrive/
Cloud Resources
23
Educational Tools
• UW Medicine IT Security Phishing and Spam Email Guidance: https://depts.washington.edu/uwmedsec/restricted/guidance/phishing-and-spam-email-guidance/
• Office of the Chief Information Security Officer phishing video: https://ciso.uw.edu/education/online-training/#phishing
Phishing Resources
24
Other Resources
Office of the Chief Information Security Officer: http://ciso.washington.edu/
UW Medicine IT Security (requires UW NetID): https://depts.washington.edu/uwmedsec/restricted/about-its-security/
UW Medicine Professionalism Policy: http://uwmedicine.washington.edu/Global/policies/Pages/Professional-Conduct.aspx
25
• Dean of Medicine IT: [email protected]; 206.221.2459
• SoM Academic and Learning Technologies: [email protected]
• UW Medicine IT Services Help Desk: [email protected]
• UW Medicine Compliance: [email protected]; 206.543.3098
• Laurie Halvorson, UW Medicine, Compliance Officer –Research & Academic Affairs: [email protected]; 206.543.9012
• Michael Middlebrooks, UW School of Medicine, Director of Information Technology: [email protected]; 206.543.4599
Contact Information
26
Questions ?
28