
Post on 13-Jul-2020


Personal Accountability for Data Stewardship

Medical Students


Agenda

• Review of elements of data stewardship, including personal and professional accountability

• Safeguarding patient and other confidential information

• Do’s and Don’ts

• Current Security Threats

• Tools and resources


Your Accountability for Data Stewardship

• All UW Medicine workforce members are personally and professionally responsible for the security and integrity of confidential information, electronic or paper, entrusted to them

• Workforce members include: faculty, staff, students and trainees, volunteers, and other persons who perform work for UW Medicine


Confidential Information

Confidential Information – protection of data required by law

• Protected health information (PHI) – protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

• Individual Student Records – protected by the Family Educational Rights and Privacy Act (FERPA)

• Personally identifiable information (PII) – financial information (e.g., credit card, bank), social security number and driver’s license number – protected by Washington’s breach notification law

• Proprietary intellectual property, trade secrets, research data – protected by the Washington Public Records Law


HIPAA Breach

• A “breach” is the unauthorized acquisition, access, use or disclosure of unsecured PHI that compromises the security or privacy of the PHI

• Breaches of unsecured PHI require notification to the Office of Civil Rights and affected individuals

• To prevent a loss of electronic PHI from being a breach, the data must be encrypted


Why Is This Important to Me?

Possible consequences . . . We may:

• have a breach

• need to notify the patient of the breach

• have to pay fines and penalties

• lose the trust of our patients

• lose the trust of the general public

• have closer scrutiny by the media, and

• have closer scrutiny by enforcement agencies

May result in corrective/disciplinary action for individual(s) violating UW Medicine policy


Recent Examples of Loss

• Unencrypted laptop and external hard drive stolen from locked, parked car

• Briefcase containing (paper) PHI stolen from locked, parked car

• Backpack containing (paper) PHI stolen from locked, parked car

• Unencrypted laptop containing PHI and PII stolen from office in Health Science Building


Number One

If you use a mobile device to store or transmit PHI or PII, your mobile device MUST be encrypted!


Number Two

NEVER leave confidential data in your car!


WHAT YOU CAN DO

Steps to secure confidential information:

✓ Encrypt and password protect data

✓ Do not save to an unencrypted mobile device

✓ Use encrypted email or send through an approved email domain

✓ Do not open an email or attachment from an unknown source

✓ Obtain approval to take PHI offsite and do not leave it unattended

✓ Report all possible breaches

When taking information offsite… secure it and keep it in your possession at all times.


Patient Information and Social Media

Social Media Creates Vulnerabilities for Workforce

• Patient privacy must be maintained

• Discussion about patients should never take place on social networking sites, even if patient names are not used. The patient, their families and your co-workers may recognize them.

• Social Networking Policy and Guidelines: http://depts.washington.edu/comply/social_media/


How to Avoid Problems

• Think twice before posting

• If in doubt, don’t post

• Remember your legal and ethical obligation to maintain patient privacy and confidentiality at all times

• Do not share, post or otherwise disseminate any information, including images, about a patient or information gained in your professional relationship

• Do not identify patients by name or publish information that may lead to the identification of a patient

• Anonymity is a myth

• Familiarize yourself with and use conservative privacy settings regardless of the content on your profile


CURRENT SECURITY THREATS


BREACHES

A breach is the inappropriate acquisition, access, use or disclosure of protected health information. Examples:

• Lost or stolen device containing unencrypted PHI

• Clicking suspicious external links (usually sent via email or accessed via internet usage)

• Accessing the information of others “out of curiosity”

• Information sent to the wrong location via email, fax, or mail

• Paper information not disposed of properly or handed to the wrong person


Smartphone/Tablet Security

If you use a smartphone or tablet to conduct UW business, such as accessing your UW email:

• Auto lock device and use a strong password

• Enable encryption on the device

• Set an automatic lockout timer on the device

• Activate Tamper Wipe

• Activate “find my phone” function

• Don’t use cloud backup services, such as iCloud or Google Drive, unless it is an approved cloud by UW Medicine IT Security for PHI or FERPA data

• Don’t store data on the SIM card


PHISHING EXAMPLE

Report suspicious emails: [email protected]

HOVER DON’T CLICK


Protect Yourself

Don’t click on links and don’t open attachments from unknown or unexpected sources


Disposal of Electronic PHI

• Remove data prior to disposal, recycling, or reassignment of electronic devices (e.g., fax machine, biomedical device, desktop computer, or mobile device)

• Empty your electronic trash bin regularly

• Deleted files and emails may still exist on your device until you empty the trash bin

Contact your entity Help Desk for assistance with the above practices.


Incident Reporting

• If you get infected, or think you may be infected, contact DOM IT at [email protected]

• Report information security incidents when they occur to DOM IT

• Report the loss or theft of PHI to UW Medicine Compliance at 206.543.3098 or [email protected]


PCISA

Privacy, Confidentiality & Information Security Agreement

• Review, Sign & Turn (staff will collect these at the end of the class meeting)

• You are accountable for what you are signing


TOOLS AND RESOURCES


Tools to Assist You in Safeguarding Data

• Creating strong passwords: https://depts.washington.edu/uwmedsec/restricted/accounts-and-passwords/

• How to encrypt: https://depts.washington.edu/uwmedsec/restricted/guidance/encryption/

• Securing your physical space: contact your building facilities department

• Education and training materials: https://depts.washington.edu/uwmedsec/restricted/training/

• UW Medicine Privacy, Confidentiality and Information Security Agreement (PCISA): http://depts.washington.edu/comply/docs/002_F1.pdf


Cloud Resources

OneDrive for Business (formerly UW SkyDrive Pro)

• requires UW NetID

https://depts.washington.edu/uwsom/information-technology/skydrivepro

http://www.washington.edu/itconnect/wares/online-storage/onedrive/


Phishing Resources

Educational Tools

• UW Medicine IT Security Phishing and Spam Email Guidance: https://depts.washington.edu/uwmedsec/restricted/guidance/phishing-and-spam-email-guidance/

• Office of the Chief Information Security Officer phishing video: https://ciso.uw.edu/education/online-training/#phishing


Other Resources

• Office of the Chief Information Security Officer: http://ciso.washington.edu/

• UW Medicine IT Security (requires UW NetID): https://depts.washington.edu/uwmedsec/restricted/about-its-security/

• UW Medicine Professionalism Policy: http://uwmedicine.washington.edu/Global/policies/Pages/Professional-Conduct.aspx


Contact Information

• Dean of Medicine IT: [email protected]; 206.221.2459

• SoM Academic and Learning Technologies: [email protected]

• UW Medicine IT Services Help Desk: [email protected]

• UW Medicine Compliance: [email protected]; 206.543.3098

• Laurie Halvorson, UW Medicine, Compliance Officer – Research & Academic Affairs: [email protected]; 206.543.9012

• Michael Middlebrooks, UW School of Medicine, Director of Information Technology: [email protected]; 206.543.4599


Questions?