SHS Annual Information Privacy and Security Training

Transcription

1 SHS Annual Information Privacy and Security Training

2 Purpose for Training Samaritan Health Services has created the following training to meet the annual regulatory requirements for education related to information privacy and security as part of our corporate compliance program. Assignment of this training has been requested/approved by Colleen Fair, SHS Corporate Compliance Officer.

3 Information Privacy: What Is It? Establish and maintain the confidentiality and security of our patients and members protected health information (personal, financial and/or health information) in all forms paper, verbal, electronic, and social.

4 When Should You Access, Use or Share Patient/Member PHI? With patient/member authorization When it is part of your work-related duties for Treatment Payment Healthcare Operations As required by law Contact your supervisor, Compliance/Privacy Officer, Information Security Officer

5 Question 1 When are SHS employees allowed to access patient or member PHI? a) To satisfy a curiosity b) For Treatment, Payment, or Operations c) When they are concerned about a neighbor s health d) When asked by a co-worker e) At any time

6 When Accessing Patient/Member Information REMEMBER Only access the minimum necessary information required to fulfill your job duties and responsibilities.

7 Investigating Concerns Privacy and Security concerns are investigated by the SHS Privacy Officer and/or the Information Security Officer. See the SHS Information Privacy & Security Investigation and Corrective Action policy

8 Auditing of System Activity SHS audits user access to patient/member electronic medical records. Inappropriate access may lead to corrective action, up to and including termination.

9 Question 2 The worst thing that can happen to an employee who inappropriately accesses patient PHI is: a) Lunch detention b) Verbal counseling c) Stern warning d) Termination e) Final written warning

10 Information Security: What Is It? The mission of the SHS Information Security Program is to protect valuable SHS resources Information security is everyone s responsibility

11 What Valuable Resources are We Protecting? Protected Health Information (PHI) Other Sensitive Information, including: Social Security Numbers Credit Card Numbers HR Data SHS Financial Data Laptops, Computers, Mobile Devices SHS Reputation in the Community SHS Legal Position Employees

12 Why You Need to Know About Information Security Without information security, SHS cannot protect PHI, other sensitive information, and other valuable SHS resources The Health Insurance Portability and Accountability Act (HIPAA) requires SHS to provide for the physical and electronic security of PHI Our customers expect us to protect their privacy

13 What Are The Greatest Threats to These Valuable Resources? Phone-Based Social Engineering Phishing Scams Computer Viruses Weak Passwords Revealing Login and password information Mobile Devices Improper Disposal of Sensitive Information

14 Question 3 Among the greatest threats to valuable SHS resources are: a) Phishing s b) Malware c) Streaming music services d) Sedentary lifestyles e) C&D only f) A&B only

15 Phone-Based Social Engineering Social Engineering is manipulation of people into performing actions or divulging confidential information External callers might ask you to: share your password or address navigate to a website download a document

16 How to Protect Yourself from Phone-Based Social Engineering Attacks Verify external callers Ask for their name and telephone number Offer to call them back at their number Never reveal your SHS network password to anyone, including co-workers SHS will never contact you and ask you for your network password Call the IS Service Desk if you receive a suspicious phone call

17 Question 4 To protect yourself from Phone-Based Social Engineering attacks: a) Never answer your phone b) Never share your password with anyone c) Forward all of your work call to your manager s extension d) Verify the identity of callers e) A & C only f) B & D only g) All of the above

18 Phishing Attacks Phishing s are after your SHS network access Phishing s often contain: Promises, offers, or threats An attachment that contains a computer virus A link that takes you outside the SHS network Requests for your user name and password

19 How to Protect Yourself from Phishing Attacks Verify the sender before responding Hover over links to verify web addresses Never reveal your SHS network password to anyone, including co-workers SHS will never contact you and ask you for your network password Call the IS Service Desk if you receive a suspicious

20 Question 5 To protect yourself from Phishing attacks: a) Verify senders of external s b) Never reveal your SHS password c) Call the IS Service Desk if you suspect a phishing d) Don t open attachments or click on links from external senders unless you were expecting the . e) All of the above

21 Computer Viruses and Other Malware Malware" is short for malicious software and refers to software that causes damage to computers or networks. Malware includes viruses, spyware, Trojan Horses, and internet worms. Viruses and other malware get introduced to the SHS network most frequently when employees: Open an attachment that contains a virus Download a file from a website Visit a website that has malware on it

22 Protecting Yourself from Malware Limit personal internet access while on SHS network to incidental and occasional use only Visit only trusted websites Do not open attachments from unexpected or untrusted external sources Maintain anti-virus protection on personal computers and mobile devices that you use to connect to the SHS network Contact the Service Desk if you are uncertain about an attachment or a website

23 Choosing and Protecting Your Passwords Longer and complex passwords are generally more secure Passphrases can be easier to remember and are hard to crack Never Share Your SHS Network password with anyone Do not reuse your SHS Network password on any other site Do not write your password down and store it in an unsecured place, especially on your desk or next to your computer

24 How to Prevent Loss or Theft Secure mobile devices (laptops, tablets, smart phones, and USB drives) at all times Do not leave mobile devices unattended in your car Do not store sensitive information on your mobile device unless it is part of an approved business process Lock or log off your workstation when not in use Know and enforce your site s visitor policies

25 Proper Disposal of Sensitive Information Dispose of all printed material in Shred-It bins Destroy CDs and DVDs that contain sensitive information before disposing of them

26 If You See Something, Say Something Report anything suspicious or out of the ordinary Rapid response minimizes the damage done as the result of an information security incident Report lost or stolen devices or equipment to the IS Service Desk immediately at: (541)

27 In Conclusion Protect valuable SHS Assets Identify and understand threats to security Protect yourself from Phishing Attacks and Malware Safeguard your passwords Secure mobile devices Report anything suspicious

28 Compliance Team Colleen Fair, Corporate Compliance and Privacy Officer - (541) James Kelly, Information Security Officer - (541) Tyler Jacobsen General Counsel (541) Altove (Tovee) Rowley Assistant General Counsel (541) SHS Compliance Anonymous Hotline: or at