Electronic Information Security – What Researchers Need to Know
University of California Office of the President, Office of Research
May 2005

Federal, State and UC Rules re Information Security
- HIPAA Security Rule (45 CFR 160, 162, 164)
- California Confidentiality of Medical Information Act (Cal. Civil Code 56 - 56.16)
- California law governing information security breaches (Cal. Civil Code 1798.29)
- California law governing use of social security numbers (Cal. Civil Code 1798.85)
- UC electronic information security guidelines (Bus. & Fin. Bulletin IS-3)

HIPAA Security Rule – What is It?
- Federal rule
- Requires healthcare providers and businesses to protect the privacy and confidentiality of electronic Protected Health Information (ePHI)
- ePHI is patient health information that is stored, maintained, processed or transmitted in any electronic medium, such as computers, laptops, disks, memory sticks, PDAs, networks and email.

HIPAA Security Rule – What’s Required?
- If you use ePHI in your research, you must meet the Information Security Standards.
- What are the Information Security Standards?
  - Confidentiality – information is not disclosed to unauthorized entities
  - Integrity – information is not altered or destroyed in an unauthorized manner, and is transmitted accurately
  - Availability – information is accessible and usable on demand by an authorized person

UC Guidelines on Information Security - IS-3
Guidelines for campuses on:
- Technical, physical and administrative security measures
- Disaster recovery
- Information Security Program at every campus
<http://www.ucop.edu/ucophome/policies/bfb/is3.pdf>

What are the Risks when Confidentiality is Breached?
- Risk to human subject of: identity theft, embarrassment, misuse of personal information, victimization in fraudulent scams
- Risk to research of: loss of data and loss of integrity
- Risk to UC of: loss of trust; media attention to security lapse; litigation by subject; penalties; prosecution
- Risk to investigator of: loss of data, time and money; embarrassment; media attention to security lapse; litigation by subject; internal disciplinary action; penalties; prosecution

How Do I Protect Electronic Information?
- Technical safeguards, e.g., passwords, encryption, archiving, anti-virus software (10% of information security)
- AND
- Good computing practices, i.e., COMMON SENSE (90% of information security)

What are the Technical Safeguards?
1. Unique log-in access
2. Passwords
3. Workstation security
4. Portable device security
5. Data management, e.g., back-up and archive
6. Remote access security
7. Safe e-mail use
8. Safe Internet use
9. Report security incidents and stolen devices
10. Clean data off computers before recycling

Technical Safeguard: PASSWORD
- Don't use a word that is obvious or can be found in a dictionary. Every word in a dictionary can be hacked within minutes.
- Don't share your password.
- Don't let your Web browser remember your password.
- Use a minimum of eight characters containing at least one each of the following:
  - Uppercase letters (A-Z)
  - Lowercase letters (a-z)
  - Numbers (0-9)
  - Punctuation marks (!@#$%^&*()_+=-)
- Better yet, use a “pass-phrase” to remember your password:
  - MCp1t@DR! (My Cat purrs louder than a Dosco Roadheader!)
  - Jw1n,aDTtr! (Just what I need, another Dumb Thing to remember!)

Technical Safeguard: WORKSTATION SECURITY
- LOCK UP offices, windows, workstations, sensitive papers, laptops, PDAs, mobile devices and mobile media.
- LOG OFF before leaving a workstation unattended.
- AUTO LOG-OFF – configure the workstation to log off automatically and require the user to log in again if it is left unattended for more than 15 minutes.
- SCREEN SAVER – set to 5 minutes with password protection.

Technical Safeguard: PORTABLE DEVICE SECURITY
In addition to workstation security measures:
- DELETE identifiable data when no longer needed
- Use up-to-date anti-virus software
- Install computer software updates
- Back up critical data and software programs
- Encrypt and password-protect portable devices
- Refer questions to your Information Security Office

More PORTABLE DEVICE SECURITY Safeguards
Ask your Information Security Office about:
- Turning off your wireless port if you are not using it
- Using a Virtual Private Network if you are using a wireless connection
- Installing a firewall
- Encrypting data during transmission
Refer questions to your Information Security Office

What are Good Computing Practices? COMMON SENSE
- Do NOT use a portable device for storing ePHI, e.g., laptop, PDA, memory stick, cell phone
- If you do store ePHI on a portable device, either de-identify or encrypt the data
- Keep subject identifiers physically separate from de-identified data
- Once you are finished using ePHI on the portable device, delete it
- Do NOT use social security numbers as subject identifiers
- Do NOT transmit ePHI on the Internet
- Do NOT transmit ePHI by email
- If you must transmit ePHI on the Internet or by email, be sure it is encrypted

More COMMON SENSE Good Computing Practices
- Use COMMON SENSE when handling individually identifiable information
- Do not leave sensitive or identifiable information lying around for anyone to read
- LOCK UP your equipment when not in use
- ENGRAVE a personal ID on your laptop or other transportable device so it is less likely to be stolen
- DO NOT share your password with anyone
- LOG OFF before leaving your computer

Campus Resource for IT Help and for Reporting Security Incidents
[http://www.ucop.edu/research/policies/data security/UC Security Officers HIPPA]
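The rules on the PASSWORD slide (at least eight characters, one each of uppercase, lowercase, a digit and one of the listed punctuation marks, and no dictionary word) written out as a checker. This is an added example, not part of the original slides; the word list is a small constructed stand-in for a real dictionary file, and the letters-only comparison is an assumption about how "found in a dictionary" should be applied, so that a dictionary word with digits or symbols tacked on is still rejected.

```python
# Constructed stand-in for a dictionary file; a real check would load a full word list.
SAMPLE_DICTIONARY = {"password", "research", "california", "summer", "welcome"}

# The punctuation set the slide lists explicitly.
ALLOWED_PUNCTUATION = set("!@#$%^&*()_+=-")
MIN_LENGTH = 8


def password_policy_findings(password, dictionary=SAMPLE_DICTIONARY):
    """Return a list of policy violations; an empty list means the password complies."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        findings.append("no uppercase letter")
    if not any(c.islower() for c in password):
        findings.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        findings.append("no digit")
    if not any(c in ALLOWED_PUNCTUATION for c in password):
        findings.append("no punctuation mark")
    # Dictionary check on the letters only (assumption): "Password1!" is still
    # the dictionary word "password" with decoration, so it is rejected too.
    letters_only = "".join(c for c in password if c.isalpha()).lower()
    if letters_only in dictionary:
        findings.append(f"based on dictionary word '{letters_only}'")
    return findings


def meets_policy(password, dictionary=SAMPLE_DICTIONARY):
    """True when the password satisfies every rule on the slide."""
    return not password_policy_findings(password, dictionary)


if __name__ == "__main__":
    # The slide's own pass-phrase examples pass; decorated dictionary words do not.
    for candidate in ["MCp1t@DR!", "Jw1n,aDTtr!", "Password1!", "Welcome1", "summer2005!"]:
        print(candidate, "->", password_policy_findings(candidate) or "OK")
```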