1
Information Security Awareness:
Building a Culture of Commitment to Security
2
• Security Awareness is the knowledge and
attitude members of an organization
possess regarding the protection of the
physical and, especially, information assets
of that organization
3
UW Medicine IT Resources
• IT Services
▫ ITS provides information systems support for UW Medicine. Its
core mission is to make a difference through the use of
information technology for teaching, research and patient
care.
▫ A few services ITS provides are Help Desk support, work
station support, account support, and clinical systems
administration.
▫ The ITS Help Desk can be reached at 206-543-7012 or
mcsos@u.washington.edu
4
Other IT Resources
• UW Technology – www.washington.edu/uwtech
or 206-221-5000
• Departmental IT
▫ Provide local support for computing devices
distributed by the department
• You
▫ If there is no assigned IT staff for a device then
you are responsible for it’s security
5
Information Security Principles
 UW Medicine computers and data need
protection
 Protection is based on the needs to preserve
Confidentiality, Integrity and Availability
 Security is everyone’s responsibility
6
Data Classification
Public = This is information that is either approved for general
access, or by its nature, is not necessary to protect, and can
be shared with anyone.
Restricted = This is information which is intended strictly for
use by designated parties and requires careful management.
Confidential = This classification of information is very
sensitive in nature, and requires careful controls and
protection. Examples of confidential data include PHI, PII, and
passwords
7
STRONG Passwords
• Why is it important to use strong passwords?
▫ Password guessing tools guess in 7 character sets. Lengths of 8
characters or more make it more difficult to guess
▫ An apparent random set of characters makes it more difficult for
a hacker to guess. !@#$%&*, ABCD, abcd, 1234

Where supported a “pass phrase” should
be used. They are easier to remember
and much harder to break.
8
User ID and Password Management
▫ Your manager is responsible for making sure your access rights
are correctly assigned initially and to update your access upon
role changes, transfer or termination.
▫ Each workforce member is assigned a unique User ID and must
not share it with anyone.
▫ Each system that a user has access to will be logged and tracked.
▫ All passwords must be changed every 120 days. It is the user’s
responsibility to do this.
http://myuw.washington.edu
UW Medicine Account
or
AMC Login
9
Email Security
▫ Always be aware of phishing and social engineering scams,
dangerous attachments, viruses, embedded links to malicious
websites and social engineering
▫ All UW Medicine email is open to public disclosure
▫ Delete confidential emails as soon as they are no longer needed
▫ DO NOT forward confidential emails to a third party email system
e.g., hotmail, yahoo, aol, gmail
▫ Check and double-check all messages containing restricted or
confidential information for proper recipient email addresses
▫ Encrypt email messages when sending confidential information to
email systems outside of UW Medicine
10
Mobile Device Security
▫ Mobile devices include laptops, Blackberries,
smart phones, or any portable device capable
of storing and interpreting data.
▫ Mobile devices are of special concern because
they are easily lost and attractive to thieves.
▫ Personally owned mobile devices must comply with UW
Medicine policies and standards when used for work
purposes. The owner of the device is responsible.
 Encryption required when storing PHI, PII or passwords
 No automatic login, require password to log on to the device
 Passwords on these devices must be changed every 120 days
 Patched and up to date operating system
11
Data Transmission Security
▫ There are many other ways to transmit data electronically.
They also require encryption as a protection in certain
cases.
▫ Examples of other forms of transmission include faxes,
instant messaging, text messaging, smart phones and
other file sharing mechanisms.
▫ PII, PHI or passwords transmitted by any mechanism or
device across non-UW Medicine networks or any wireless
networks, must be encrypted.
12
Wireless Security
▫ Throughout UW Medicine, wireless networks are provided by UW Technology.
These wireless networks are labeled “University of Washington”.
▫ UW Technology does not provide encryption for transmission of data on their
wireless networks.
▫ When using wireless networks you must use encryption when transmitting
PHI, PII or passwords.
▫ Always disable your wireless when not in use.
Windows will automatically scan for known (trusted)
wireless networks.
▫ Wireless networks are easily monitored by
unauthorized individuals. Users should be aware that
any transmitted data could be stolen unless
encrypted.
13
Workstation/Work Area Security
▫ Workstations must be locked or logged out of when not in use or
unattended.
▫ Never enter passwords or conduct UW Medicine business from 3rd
party kiosks, such as an Internet café computer.
▫ Workforce members that use their personal computer for work
must comply with the minimum computer security standard.
▫ Restricted or Confidential information in your work area must be
secured when not in use.
▫ Always clear Restricted or Confidential information from printers
immediately.
14
Risks of Web Browsing
▫ Users should be aware that even “trusted” websites can house
malicious software.
▫ Clicking links on WebPages can download and run programs on
your computer.
▫ Plug-ins should only be downloaded if absolutely necessary and
after they are used should be removed.
▫ Where technically feasible an alternate
web browser i.e. – Firefox, Opera, Safari
should be used to conduct sensitive
business.
15
Remote Access
▫ UW Medicine provides SSL VPN (encrypted transmission) for it’s
remote access purposes.
▫ VPN access can be requested through IT Services Help Desk. Have
your supervisor contact the Help Desk for the request form.
▫ Remote Access is only provided to conduct official UW Medicine
business that is part of the requestors job function.
▫ Any transmission of PHI, PII, or passwords from a remote site to a
UW Medicine site must be encrypted. This protection can be
provided by the application, e.g. an SSL protected web
application, or by VPN.
16
Copying of Data and Media Disposal
▫ Media is any portable device that is capable of storing
electronic data. Examples include USB drives, CD/DVD,
external hard drives, tapes, flash memory cards, etc.
▫ Once a workforce member removes data from a
controlled system it becomes their responsibility to
ensure the protection of the data.
▫ PHI, PII and passwords stored on media must
be encrypted.
▫ Media containing restricted or confidential
information must be destroyed in such a way
to make the data unrecoverable when no
longer needed.
17
Security Incident and Complaint Response
▫ Security Incidents are any event involving a breach or potential breach of a
UW Medicine computing device or data.
▫ Security Complaints are a report of a suspected violation of UW Medicine
policy, state or federal law, or other regulation.
▫ All UW Medicine workforce members must report security incidents and
complaints to the ITS Help Desk.
▫ If you suspect a security incident has occurred on a UW Medicine
computing device then you must not alter the state of the device. You
should unplug the network cable and leave it powered on.
▫ A UW Medicine ITS or Compliance member will contact you once you
report an incident or complaint.
Questions
http://security.uwmedicine.org
Brad Peda
bpeda@u.washington.edu
206-616-5829