1. Information Security Awareness Employee Training XYZ Medical Center Gene Hubbard, FISO
2. Purpose of this training The objective of this training is to prepare you to comply with the HIPAA Security Rule and other government regulations. Our goal is to ensure the confidentiality, integrity, and availability of all electronic protected health information (EPHI) that our facility creates, receives, maintains, or transmits.
23. Additional Reference Material You should each have a pocket-sized copy of our Information Security Guide. This is for your reference.
Editor's Notes
Presenter’s Talking Points: Stress the impact to patient safety and patient care.
Presenter’s Talking Points: Be sure to point out that John may not know that he downloaded a virus. Some malicious software works in a way that is invisible to the person that downloaded it. A site may look reputable, but that’s no guarantee that the software is safe to download. It’s important to stick with company approved software.
Presenter’s Talking Points: This is a difficult type of attack to guard against because it requires each of us to recognize when we are being conned. As much as we want to believe the best of people, we still need to verify that a person is legitimate. The only way to guard against social engineers is for everyone to stay aware. It is important to learn how to recognize these kinds of con artists, what to do if you suspect a con artist has contacted you, and how you can guard against being a victim of such a con. Other potential warning signs: Have you been contacted by someone claiming to be high up in the Company, or by someone outside of the Company who would normally not call you? If they are asking you for sensitive information, no matter how good their excuse for asking, verify they are who they say they are and that they are authorized to obtain such information from you. Someone higher up in the Company will appreciate that you are cautious with sensitive information, and someone outside the Company should expect such caution!
Presenter’s Talking Points: More ways to guard against social engineers:
- Ask for the name of their manager. This gives you a point of reference. You can always call their manager to verify the legitimacy of the contact.
- Refer the person to your Company or facility help desk. If someone is asking you for Company-related information, such as a dial-up connection number or information about how your computer works, your I.S. or Customer Services department should be able to help them. If they are legitimate, they will gladly call the help desk.
- Make sure you know Company and facility policies and standards. The best way to combat con artists is to be informed. If you are familiar with Company and facility policies and standards, you will better recognize when you are being asked to do something potentially dangerous.
Presenter’s Talking Points: Sometimes the caller will request information other than your user ID or password, and the information may seem harmless. Examples may include:
- The name of a supervisor. They could use that information to place a call to someone else within the facility, claiming to be the supervisor. They could use the appearance of authority to pressure the individual into supplying additional information.
- The phone number used to dial in to the facility’s network. They could claim to be an individual from another department who is trying to access the network for legitimate business purposes.
Con artists may collect information from several different individuals. The information collected from one person may not be harmful, but the collective information may give the con artist the ability to access our computer systems.
Presenter’s Talking Points: It is also good practice to lock up video tapes when they are not in use.
Presenter’s Talking Points: Exiting applications and turning on password-protected screensavers keep your workstation secure from passersby. Ask if everyone knows how to turn on the password-protected screensaver when they leave their workstation. If they don’t, explain how. If someone else’s user ID appears on a computer of which you should be the only user, it could be an indication that someone has attempted to access (or has successfully accessed) your computer. (Note to Presenter: Make sure everyone understands this point. Training on this topic is a specific HIPAA Security requirement.) If you are locked out of a system and you haven’t had 3 or more unsuccessful login attempts, it could be an indication that someone has attempted to access a system using your user ID. (Note to Presenter: Make sure everyone understands this point. Training on this topic is a specific HIPAA Security requirement.)
Presenter’s Talking Points: Make sure they know how to contact the FISO, HDIS, and (if applicable) IT helpdesk staff. Add the contact numbers to this slide or provide participants with a handout containing the proper contact names and numbers.
Presenter’s Talking Points: Be sure to stress that protected health information is more valuable to our patients than financial information. Whereas money can be replaced by your financial institution, a breach of patient privacy and safety cannot be undone.
Presenter’s Talking Points: Although the financial impact of a virus or worm can be substantial, the important point to stress is the potential impact to our patients.
Presenter’s Talking Points: Reference the Information Security Guide, pages 6-7, for more information about how to create quality passwords.
Notes to Presenter: Make them aware of which systems/applications they use that do not automatically enforce these requirements. Once the Authentication Standard is updated to allow a password change interval of 180 days, change the password change interval on this slide from 90 days to 180 days. If you are using the password change interval as a mitigating control for the vulnerability “Application account lockout is not enabled,” change the slide text above to reflect a more frequent password change interval.
Presenter’s Talking Points: Instruct them regarding how to change their password(s) for the application(s)/system(s) in question. Explain the importance of individual user accounts for accessing sensitive or confidential data. Explain that they could potentially be blamed for someone else inappropriately accessing information using that same user ID.
Presenter’s Talking Points: If the computer is used for Company purposes, including checking email, it is important to set up automatic updates to be certain all available security updates are applied. This helps guard the network from viruses and other attacks that could compromise the availability of key clinical systems, essentially affecting patient care in our hospitals. You can contact your facility IT staff for step-by-step instructions to properly secure your home PC in accordance with Company standards. Reference IS.SEC.001 Information Security – Program Requirements Policy, as well as the IT&S Mobile Computing and Virus Control Standards.