HSDMHDC Training - PowerPoint PPT Presentation

1 / 31

About This Presentation

Title:

HSDMHDC Training

Description:

Password protected screen savers. Wearing your HUID. Sanctions procedures in place ... Password protected screensavers. Access establishment and modification ... – PowerPoint PPT presentation

Number of Views:74

Avg rating:3.0/5.0

Slides: 32

Provided by: amyew

Category:

more less

Transcript and Presenter's Notes

Title: HSDMHDC Training

1
HSDM/HDC Training

HIPAA Security Training Module

2
Background Information

Three parts to the Security Standards
Administrative
Physical
Technical

3
History

HIPAA Privacy Rule became effective April 14,
2003
April 21, 2005 the HIPAA Security Rule became
effective
The Security Rule applies to ePHI, which is
patient-identifiable information in an electronic
form

4
Administrative Safeguards Security Management
Process

Process to prevent, detect, contain, correct
security violations
Our policies, procedures address this
Risk assessment has been completed
Measures have been taken to reduce risk
Password protected screen savers
Wearing your HUID
Sanctions procedures in place
Dentech system review procedures in place
Dentech HIPAA Log Review

5
Administrative SafeguardsPolicy and Documents
Standard

Policies and procedures documented
Document retention policy
Documentation available for workforce
Hard copy in Deans Office
Posted on eCommons
Training on HSDM website
Procedure for document review

6
Administrative SafeguardsAssigned Security
Responsibility

HSDMs Information Security Officer is Mary
Cassesso

7
Administrative SafeguardsWorkforce Security

Authorization and Supervision
Confidential Data Protections Policy
Minimum necessary rule
UNIX/Dentech Access Request Form and New User
Form
Access we are working on procedures for when
workforce members join HSDM
Termination we are working on procedures to end
access upon termination

8
Administrative SafeguardsInformation Access
Management

Access authorization to ePHI
UNIX/Dentech Access Request Form and New User
Form
Password protected screensavers
Access establishment and modification
Supervisor authorizes access/termination to
Dentech

9
Administrative SafeguardsSecurity Awareness and
Training

Training program established
Training sessions in person and posted online
Periodic security reminders
Email reminders will be sent by the first of
every month
Remember
Be on alert for suspicious emails, suspect
computer behavior
Password management (general login, Dentech
login)

10
Administrative SafeguardsSecurity Incident
Procedures

Procedures are in place to address, identify and
respond to, and mitigate incidents
Confidential Data Protections Policy
Sanctions Procedures

11
Administrative SafeguardsSecurity Incident
Procedures

Confidential Data Protections Policy
Non-confidential data provided when feasible
De-identified data
Access restricted to those with a business need
to know
Written authorization kept on file for 6 years
Access limited to minimum necessary
Unique user IDs, passwords
Access to Dentech or Records Room does not permit
access to other records not required for
individuals work

12
Administrative SafeguardsSecurity Incident
Procedures

Confidential Data Protections Policy
Access to Dentech will be monitored and audited
as needed
Confidential information will be physically
protected
Confidential information will be destroyed before
disposal
Confidential information will be removed from
computers, media before re-use
Disclosure of confidential information for other
than HSDM/HDC business purposes is prohibited

13
Administrative SafeguardsContingency Plan

Data back up
Disaster recovery plan
Emergency mode operation plan
Testing and revision procedure
Applications and data criticality analysis

14
Physical SafeguardsFacility Access Controls

Limits physical access to electronic information
systems and the facility
Business Continuity and Disaster Recovery Plan
Protection of Confidential Information Policy
Card swipes and security guards at entrances
Visitor Procedures
Procedure to Document Security-Related Building
Repairs
If repairs appear to lessen physical security to
an unacceptable degree, then the work order will
be revised so as not to compromise security of
HSDMs information assets

15
Physical SafeguardsWorkstation Use Standard

Access to workstations is limited
Access is restricted to authorized users
Unique user IDs, passwords
Password protected screensavers

16
Physical SafeguardsDevice and Media Controls

Disposal
Media re-use
Accountability
Data Backup and Storage

17
Physical SafeguardsDevice and Media Controls

Disposal and Media Re-Use
ePHI can be found on servers, personal computers,
laptops, portable drives, disks, CDs, digital
cameras
We have procedures that apply to all electronic
devices/media containing ePHI, including
personally owned devices/media

18
Physical SafeguardsDevice and Media Controls

Disposal
HSDM must ensure that devices and media
containing ePHI are disposed of or prepared for
re-use in a way that will prevent accidental
disclosure
Single-user workstations the individual leaving
the workforce will be asked to remove all
personal electronic files and computer is left
as-is or hard drive is wiped if computer is being
reassigned
Media all portable media containing ePHI must be
destroyed when ePHI is no longer needed

19
Physical SafeguardsDevice and Media Controls

Accountability
Portable Computers and Media Security
Portable computers/media are at a greater risk of
theft
If they contain confidential information that
information could be compromised by unauthorized
access
There is also a risk that HSDMs network could be
accessed if the device is used
We now have controls to contain these risks

20
Physical SafeguardsDevice and Media Controls

Accountability
Portable Computers and Media Security
This applies to those who use portable computers
or media to access or store HSDM confidential
data
This applies both when HSDM owns the device/media
and when it does not
Portable computers include laptops, tablets,
hand-held devices, cell phones
Portable media include disks, CDs, some MP3
players, USB port storage devices

21
Physical SafeguardsDevice and Media Controls

Accountability
Portable Computers and Media Security
HSDM will create an inventory of portable
computing devices (both HSDM-owned and
personally-owned) used to access/store
confidential information
When this is initiated, departments will be
responsible to reporting new devices promptly
Individuals must be authorized in writing prior
to removing HSDM confidential information on a
computer/media
Access to portable computers must require at
least one form of authentication (password)
Virus protection should be installed on the
device
Encryption software should be installed
Portable devices must be kept locked

22
Physical SafeguardsDevice and Media Controls

Why is all of this so important?

23
Physical SafeguardsDevice and Media Controls
24
Physical SafeguardsDevice and Media Controls
25
Technical SafeguardsAccess Control

Unique User Identification
Must have unique logins/passwords
Emergency Access Procedure
Business continuity plan

26
Technical SafeguardsAccess Control

Automatic Logoff because the Dentech software
doesnt include this feature, HSDM has password
protected screensavers
Encryption and Decryption
All confidential electronic information,
including ePHI must be encrypted when transmitted
over the Internet
Until an email encryption solution is
implemented, workforce should avoid including
ePHI or other confidential information over
email, except where patient care is at stake
Attachments may contain ePHI if they are
encrypted

27
Technical SafeguardsAccess Control