Transcript
Page 1: Online Course START Click to begin… Module 2 General Information Security.


Page 2

Introduction

• In this course, you will learn about UNC HCS’s information security policies and procedures.

• All UNC HCS workforce members must comply with our information security policies and procedures.

Page 3

Information Security

The purpose of Information Security is to protect the confidentiality, integrity, and availability of information.

– Confidentiality means that data or information is not made available or disclosed to unauthorized persons or processes.

– Integrity means that data or information has not been altered or destroyed in an unauthorized manner.

– Availability means that data or information is accessible and usable upon demand by an authorized person.

Page 4

Protected Information

Protected Health Information (PHI)

– Identifiable patient information

Confidential Information may include:

– personnel information

– system financial and operational information (such as new business plans)

– trade secrets of vendors and research sponsors

– system access passwords

Internal information may include:

– personnel directories

– internal policies and procedures

– most internal electronic mail messages

Page 5

Your Responsibilities

• Access information only in support of your job duties

• Report losses or misuse of UNC HCS information, or other security problems, promptly to your Information Security Officer

• Comply with all Security and Privacy policies

• Remember, YOU are responsible and will be held accountable for the security of protected information that you access or maintain.

Page 6

Malicious Software

Viruses, Worms, Spyware and Spam are examples of malicious software, sometimes known as “malware”.

Most damage can be prevented by regular updates (patches) of your computer’s operating system and antivirus software.

Page 7

Virus


Computer viruses are a major threat to information systems and your data.

– Viruses “infect” your computer by modifying how it operates and, in many cases, destroying data.

– Viruses spread to other machines by the actions of users, such as opening email attachments.

Page 8

Worms

Worms are programs that can:

– run independently without user action

– spread complete working versions of themselves onto other computers on a network within seconds

– destroy computer resources such as hard drives

Page 9

Spyware

Spyware is software that is secretly loaded onto your computer, monitors your activities, and shares that information without your knowledge.

Certain websites install spyware on every computer that visits those sites.

Page 10

For Example:

While online at work, Amanda sees a “pop up” ad for a free “atomic clock.” She clicks on the “I agree” button and her computer downloads and installs the atomic clock utility. After a few days she notices that her computer is running slower and calls the Help Desk.

What did she do wrong?

Page 11

For Example:

• She installed software from an unknown source

• She didn’t read the fine print before clicking “I agree”

Many “free” applications include a spyware utility that will cause performance problems and potentially release confidential information.

Page 12

Spam

Spam is unsolicited or "junk" electronic mail messages, regardless of content.

Spam usually takes the form of bulk advertising and may contain viruses, spyware, inappropriate material or “scams”.

Spam also clogs email systems.

Page 13

Safe Email Use

• Do not open email attachments if the message looks the least bit suspicious, even if you recognize the sender. When in doubt, throw it out.

• Do not respond to “spam” – simply discard or delete it, even if it has an “unsubscribe” feature.

• Email containing protected information such as PHI being sent outside the HCS requires additional protection. Contact your entity’s Information Security Officer for more information.

Page 14

For Example:

Bill receives an unsolicited email and, when he opens it, determines that it is “junk”. He clicks the unsubscribe button at the bottom of the email and then deletes the original message.

What did he do wrong?

Page 15

For Example:

Once he identified the email as “spam”, he should simply have deleted the message.

He should not have “unsubscribed”; doing so confirms that his address is valid and will result in additional “spam”.

Page 16

Password Control

Most security breaches come from within the organization – and many of these occur because of bad password habits. Therefore:

– Use strong passwords where possible (at least 6 characters, containing a combination of letters, numbers, special characters)

– Change your passwords frequently (45-90 days)

– Keep your passwords confidential! (Do not share them with ANYBODY.)

– If you MUST write down your passwords:

• Store them in a secure location

• Do NOT store them under your keyboard, on a Post-it, etc!!

Page 17

For Example:

Charlotte has to pick a new password. So that she can remember it, she is considering one of the following passwords.

ettolrahc (her name backwards)

12031965 (her birth date)

Ch@r1web (based on her favorite book)

Which password is the strongest?

Page 18

For Example

Ch@r1web is the strongest password because:

– It is six or more characters long

– It contains upper and lower case letters

– It contains a number

– It contains special characters

– It’s based on something memorable
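The password rules from the module, applied to Charlotte’s three candidates, as an added example that is not part of the course: the length, letter, number, special-character and case checks follow the slides; the reversed-name and date-of-birth screens are an assumption added here to explain why the two weak candidates fail.

```python
import re
from datetime import datetime


def looks_like_date(s):
    """True if s is an 8-digit string that parses as DDMMYYYY or MMDDYYYY."""
    if not re.fullmatch(r"\d{8}", s):
        return False
    for fmt in ("%d%m%Y", "%m%d%Y"):
        try:
            datetime.strptime(s, fmt)
            return True
        except ValueError:
            pass
    return False


def check_password(password, user_name=""):
    """Return a list of policy findings; an empty list means the password passes.

    Stated policy: at least 6 characters, with letters, numbers and special
    characters; the answer slide also credits mixing upper and lower case.
    The name and date screens are an added assumption, not course policy."""
    findings = []
    if len(password) < 6:
        findings.append("shorter than 6 characters")
    if not re.search(r"[A-Za-z]", password):
        findings.append("no letters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        findings.append("no mix of upper and lower case")
    if not re.search(r"[0-9]", password):
        findings.append("no numbers")
    if not re.search(r"[^A-Za-z0-9]", password):
        findings.append("no special characters")
    name = user_name.lower()
    if name and (name in password.lower() or name[::-1] in password.lower()):
        findings.append("contains the user's name (forwards or reversed)")
    if looks_like_date(password):
        findings.append("looks like a date of birth")
    return findings


def review_candidates(user_name="Charlotte"):
    """Apply the check to the three candidates from the slide (constructed input)."""
    return {pw: check_password(pw, user_name)
            for pw in ("ettolrahc", "12031965", "Ch@r1web")}


if __name__ == "__main__":
    for pw, findings in review_candidates().items():
        print(pw, "OK" if not findings else "; ".join(findings))
```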

Page 19

Peer-to-Peer (P2P) File Sharing

• P2P file sharing programs such as Morpheus, Kazaa, etc. are commonly used to download unauthorized or illegal copies of copyrighted materials such as music or movies.

• P2P programs also frequently contain spyware, viruses, etc.

• Use of P2P programs on UNC HCS networks is prohibited.

Page 20

Mobile Computing Devices

If you use a Palm/Pocket PC (PDA) device or a laptop PC, you must employ the following security controls:

– power-on passwords

– automatic logoff

– data encryption or a comparable approved safeguard to protect the data

Never leave mobile computing devices unattended in unsecured areas.

Immediately report the loss or theft of any mobile computing device to your entity’s Information Security Officer.

Page 21

For Example:

A physician leaves his PDA which contains PHI as well as personal information on the back seat of his vehicle. The PDA did not have a power-on password nor encryption. When he returns to the vehicle, the PDA is missing.

What should the physician have done?

What should the physician do now?

Page 22

For Example:

The physician should have password-protected the PDA, and the PHI should have been encrypted to prevent unauthorized access.

He should now:

– Contact his Privacy or Information Security Officer

– Report the loss to his immediate supervisor

Page 23

Remote Access

All computers used to connect to UNC HCS networks or systems from home or other off-site locations should meet the same minimum security standards that apply to your work PC.

Page 24

External Storage Devices

• Protected Information stored on external storage devices (diskettes, CD-ROMs, portable storage, memory sticks, etc.) must be safeguarded to prevent theft and unauthorized access.

• Whenever possible, encrypt protected information on these devices.

• External storage devices should never be left unattended in unsecured areas.

• Immediately report the loss or theft of any external storage devices to your entity’s Information Security Officer.

Page 25

Faxing Protected Information

• Fax protected information only when mail delivery is not fast enough to meet patient needs.

• Use a UNC HCS approved cover page that includes the confidentiality notice with all faxes.

• Ensure that you send the information to the correct fax number by using pre-programmed fax numbers whenever possible.

• Refer to the UNC HCS fax policy.

Page 26

PHI Notes

PHI, whether in electronic or paper format, should always be protected! Persons maintaining notes containing PHI are responsible for:

– Using minimal identifiers

– Appropriate security of the notes

– Properly disposing of information when no longer needed.

Information on paper should never be left unattended in unsecured areas.

Page 27

Appropriate Disposal of Data

Protected Information should be disposed of appropriately.

– Hard copy materials such as paper or microfiche must be properly shredded or placed in a secured bin for shredding later.

– Magnetic media such as diskettes, tapes, or hard drives must be destroyed or “electronically shredded” using approved software and procedures.

– CD ROM disks must be rendered unreadable by shredding, defacing the recording surface, or breaking.

– No Protected Information should be placed in the regular trash!

Page 28

Physical Security

Equipment such as PCs, servers, mainframes, fax machines, and copiers must be physically protected.

– Computer screens, copiers, and fax machines must be placed so that they cannot be accessed or viewed by unauthorized individuals.

– Computers must use password-protected screen savers.

– PCs that are used in open areas must be protected against theft or unauthorized access.

– Servers and mainframes must be in a secure area where physical access is controlled.

Page 29

Reporting Losses or Misuses of Information

You should immediately report any losses or misuses of protected information to your Information Security Officer.

The Security Incident Response Team (SIRT) will investigate any incidents.

Page 30

Disciplinary Actions

Individuals who violate the UNC HCS Information Security Policy will be subject to appropriate disciplinary action as outlined in the entity’s personnel policies, as well as possible criminal or civil penalties.

Page 31

For more information:

www.unch.unc.edu/hipaa

Page 32

You have now successfully completed the online HIPAA General Security Module.