UW MEDICINE WORKFORCE PERSONAL ACCOUNTABILITY FOR DATA STEWARDSHIP
Agenda
• Define personal and professional accountability
• Explain elements of data stewardship
• Tools
• Case Studies
• DO’s and DON’Ts
• Closing the Loop – Your Role
Personal and Professional Accountability
• Personal Accountability = Being answerable for the outcome
of your actions or inactions
• Professional Accountability = Demonstrating excellence,
integrity, respect, compassion, accountability and a
commitment to altruism in all your work interactions and
responsibilities (UW Medicine Professionalism Policy)
http://uwmedicine.washington.edu/Global/policies/Pages/Professional-Conduct.aspx
• As representatives of UW Medicine, you are personally,
professionally, ethically and legally responsible for your
actions
The public, our patients, employees and students
place their trust in us
Your Accountability for Data Stewardship
All UW Medicine workforce members are
personally responsible for ensuring the security and
integrity of all confidential, restricted, and
proprietary information (electronic or paper) to
which they are given access.
• Workforce members include: faculty, staff,
students and trainees, volunteers, and other
persons who perform work for UW Medicine
• Workforce members must safeguard the security
and integrity of the information entrusted to
them
Data Security
• Safeguard and promote privacy of
employees, patients and students
• Safeguard access to University and
UW Medicine information systems
• Safeguard institutional data,
systems, and devices
Data Integrity
• Ensure that data is only accessed
by authorized users
• Ensure that data is not changed,
corrupted, or tampered with
• Ensure that data is retrievable and
usable, backed up and managed in
a reliable way
Confidential Data and Information
Definition of Confidential Data:
• Confidential data and information is very
sensitive in nature and typically subject
to federal or state regulations.
• Unauthorized disclosure of this
information could seriously and
adversely impact the University or the
interests of individuals and organizations
associated with the University.
Confidential Data and Information
Examples of Confidential Data/Information
• HIPAA – protected health information (PHI), including patient names, addresses, social security numbers, health conditions and symptoms, prescriptions, medical record numbers
• FERPA – individual student records, including grades, courses taken, schedule, test scores, advising records, educational services received, disciplinary actions, student identification number, social security number
• Gramm-Leach-Bliley (GLB) – employee financial account information, student financial account information (aid, grants, bills), individual financial information, business partner and vendor financial account information
• Export Controls (e.g., EAR, ITAR)
• Employee employment records including performance information, applications for employment, resumes and related material
• Donor information
• Trade secrets, intellectual and/or proprietary research information
• Vendor non-disclosure agreements
• Information required to be protected by contract
• Computer account passwords
Restricted Data and Information
Definition of Restricted Data:
• Data and information that is circulated on a need-to-know basis, or that is sensitive enough to warrant careful management and protection to safeguard its integrity and availability, as well as appropriate access, use, and disclosure.
• Examples of Restricted Information
• Telephone billing information
• Parking permits
• Location of assets
• Critical infrastructure blueprints or schematics
• Specific physical security measures
• Proprietary research
Tools to Assist You in Safeguarding Data
• Privacy, Confidentiality and Information Security Agreement (PCISA) and discussion outline
https://security.uwmedicine.org/training/data_stewardship/PCISA.pdf
https://security.uwmedicine.org/training/data_stewardship/PCISA_discuss_tool.pdf
• Citrix or VPN remote access
https://networks.uwmedicine.org/content/secure-remote-access
• Encryption
https://security.uwmedicine.org/guidance/technical/encryption/default.asp
http://ciso.washington.edu/site/files/Whole_Disk_Encryption_Guideline.pdf
Tools - Continued
• Complex passwords
https://security.uwmedicine.org/guidance/role_based/end_user/default.asp
• Education and training materials
https://security.uwmedicine.org/Training/Sec_Aware/default.asp
• Role based guidelines
https://security.uwmedicine.org/guidance/role_based/default.asp
• Policies restricting removal of data from worksites
https://security.uwmedicine.org/guidance/policy/electronic_data/sp 01%20electronic%20data%20ver%203.0.pdf
• Physical Security: remember to always lock offices and files
PRIVACY, CONFIDENTIALITY AND
INFORMATION SECURITY AGREEMENT
PCISA must be signed by all UW Medicine workforce
members annually.
• Reminder of what and how to safeguard confidential
and restricted information
• Circumstances change and this gives supervisors and
managers an opportunity to review and update
• Provides units with information that can be used in
asset management (e.g. what systems have
confidential or restricted data)
• May help identify needed resources to help people do
their jobs (e.g. can someone use VPN instead of
transporting data to their home to work at night?)
https://security.uwmedicine.org/training/data_stewardship/PCISA.pdf
SAFEGUARDING
RESEARCH INFORMATION
The following slide is key to protecting
research information
Safeguarding Research Information
• Proprietary research data, at a minimum, is considered restricted
• University policy (GIM 37) requires research data be preserved, protected and sharable in accordance with academic, scientific and legal norms
http://www.washington.edu/research/osp/gim/gim37.html
• Research data that includes protected health information, personally identifiable data or student data must follow federal requirements for data security and privacy
http://depts.washington.edu/comply/training_hipaa.shtml
• Consequences of lost research data can be significant:
• May negatively impact the research team, department or University
• Human subjects may be affected
SAFEGUARDING PATIENT
INFORMATION
The following set of slides are key to
protecting patient information
UW Medicine Healthcare Components
UW Medicine Healthcare components include the
following:
•UW Medical Center and Clinics
•Harborview Medical Center and Clinics
•Northwest Hospital and Medical Center and Clinics
•Valley Medical Center and Clinics
•UW Neighborhood Clinics
•Airlift Northwest
•Hall Health Primary Care Center
•UW Medicine Sports Medicine Clinic
•The Association of University Physicians (UWP)
Safeguarding Patient Information
• Consequences of lost patient information (PHI) are significant, costly and can tarnish our reputation.
• Comply with UW and UW Medicine policies:
Privacy: http://depts.washington.edu/comply/privacy.shtml
Information Security: http://security.uwmedicine.org/guidance/policy/default.asp
• Privacy Policy PP-30
http://depts.washington.edu/comply/docs/PP_30.pdf
HIPAA Breach Notification Rules
• Definition of Breach: “acquisition, access, use or disclosure of PHI … that compromises the security or privacy of the PHI.”
• Notification requirements apply only to “unsecured” PHI. PHI is deemed unsecured unless it has been rendered “unusable, unreadable, or indecipherable” to unauthorized individuals by a technology or methodology identified by HHS (currently limited to encryption or destruction). The HHS guidance points to NIST SP 800-111 for encryption of data at rest, and the safe harbor holds only if the decryption key was not also compromised; a device login password alone does not qualify (see Case Study #1).
• Under the interim rule, notification of affected individuals is required if the breach poses a “significant risk of financial, reputational or other harm to the individual.”
• Beginning September 23, 2013, a new standard applies: an impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity demonstrates, through a documented risk assessment, a low probability that the PHI has been compromised. This is a more objective test than the “significant risk of harm” standard it replaces.
HIPAA Breach Notification Rules
• Breaches affecting fewer than 500 individuals must be logged and reported to the HHS Office for Civil Rights (OCR) annually, within 60 days after the end of the calendar year in which they were discovered; breaches affecting 500 or more individuals must be reported to HHS without unreasonable delay and no later than 60 days after discovery.
• If a breach involves 500 or more residents of a state or jurisdiction, it must also be reported to prominent media outlets serving that state or jurisdiction.
• If 10 or more individuals cannot be reached because their contact information is insufficient or out of date, the covered entity must provide substitute notice, such as a conspicuous posting on its website for 90 days.
Institutional Consequences of a Breach
• Potential loss of public trust in UW Medicine and UW
• Significant time and resources to investigate, conduct
forensics, analyze findings and determine appropriate
course of action
• Involvement of legal counsel, risk management, executive
directors, unit heads
• Exposure to civil liability
• Protected Health Information (PHI) only:
• Patient notification
• Call center for each case requiring patient notification
• Office for Civil Rights (OCR) investigation
• Possible imposition of civil/criminal penalties, fines
and sanction
Personal Consequences of a Breach
• Loss of the trust of the public, patients, employees and students
• Your name is reported to
• Your program director, department chair, executive director
and/or unit head
• CEO, UW Medicine and Dean of the School of Medicine,
University of Washington
• UW Medicine Chief Health System Officer
• UW Health Sciences Risk Management
• UW Chief Information Security Officer
• Federal and State regulatory agencies
• The time you will spend cooperating with investigations, being
retrained, and other remedial activities
• Imposition of sanctions, disciplinary actions, and potential
civil/criminal penalties
• Your personal and professional reputation
CASE STUDIES
The following national and UW
Medicine case studies are examples of
lessons learned in the stewardship of
confidential or restricted data
National Case Studies
• $1 million settlement with General Hospital Corp. and Massachusetts General Physicians Organization, Inc. – February 14, 2011
• University of Hawaii settles class action data breach involving personal information of 100,000 students, faculty, staff and alumni – January 2012
• American company had all of its data from a 10-year, $1 billion research program copied by hackers in one night – April 2012
• Alaska DHHS settles HIPAA security case for $1,700,000 – June 26, 2012
UW Medicine Case Study #1
A medical student working on an IRB-approved study had his residence broken into and his laptop stolen
• PHI of 1,200 patients (study data) was stored on the stolen laptop
• Laptop and files containing PHI were password protected, but not encrypted
• Research data considered unsecured since not encrypted, so the safe harbor from breach notification did not apply
• Possible notification of patients
• Lessons Learned
• Password protect AND encrypt: a login password alone leaves the data readable by anyone who removes the drive or boots the laptop from other media
Case Study #2
A UW file cabinet was sent to surplus without
removing all documents
A member of the public purchased a surplused file
cabinet at a second-hand store. She found grant
applications and research data and information in the
drawers. Grant applications contained proprietary
information and Investigators’ social security
numbers.
• No PHI
• Risk analysis done and concluded risk of identity theft and/or harm low
• Investigators were notified
UW Medicine Case Study #3
A staff member’s laptop was stolen while the staff member was shopping
• No confidential or restricted data on the hard drive; device was password protected AND encrypted; department inventory details were up to date and centrally available
• Outcome: loss of physical asset, no breach, no notification of patients, no notification to federal agencies
• Lessons Learned
• Importance of not storing confidential or restricted information on the hard drive, password protection, encryption
• Value of central controls, device configuration and inventory: an up-to-date inventory is what lets a unit establish quickly what the device held and how it was configured
UW Medicine Case Study #4
A Resident’s log book left in backpack and locked in
trunk of car was stolen
•PHI: patient name, EMR number, dates of service, date of
birth, clinic and procedures
•487 patients notified
•Self-reported to OCR; intense OCR follow-up investigation
•Lessons Learned
• Written PHI may not be taken off site without authorization from
supervisor, chair or program director
• Written PHI taken off site should not leave physical possession at
any time
• Required hundreds of hours over more than a year and
substantive policy changes
UW Medicine Case Study #5
A Fellow’s unencrypted hard drive stolen from
unlocked office
•PHI and QI data
•3,948 patients involved; 324 patients notified due to risk
of harm; notification to OCR; posted on UW Medicine
website; likely OCR investigation forthcoming
•Lessons Learned
• Do not remove PHI from protected location
• Password protect AND encrypt
• Ensure physical security of devices at all times
Basic DO’s and DON’Ts
• Avoid taking confidential data off site or downloading to portable or mobile devices
• Use the VPN to connect remotely
• If taking confidential data with you, you MUST obtain supervisor or department head approval
• Secure confidential data (locking file drawer, safe, or other locked device)
• Never leave confidential data in your car
• Confidential data stored on mobile devices must be encrypted and your device password protected
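Whether a device is actually encrypted, rather than merely password protected, is the fact that decided the outcome in Case Studies #1 and #3 above. The script below is an added example, not part of this UW Medicine deck or its encryption guideline; it decides, from the output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` on a Linux laptop, whether the filesystem mounted at / sits on a dm-crypt (LUKS) volume by walking the parent-device chain. The function names, the column set and the two sample lsblk listings (constructed for the example) are assumptions; on a real host run `root_is_encrypted "$(lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME)"`.

```shell
#!/bin/sh
# Added example (not from the UW Medicine deck): verify that whole-disk
# encryption is actually in effect on a Linux laptop instead of trusting
# that a login password protects the data on the disk.
# Input: `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` output, one KEY="value"
# record per line. Function and variable names are assumptions.

# Print the value of column $2 from one lsblk -P record $1.
# A space is prefixed so that ' NAME="' cannot match inside PKNAME="...".
lsblk_field() {
    printf ' %s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# root_is_encrypted LSBLK_OUTPUT [MOUNTPOINT]
# Returns 0 if the device mounted at MOUNTPOINT (default /) or any of its
# ancestors (partition -> LUKS container -> LVM volume ...) has TYPE="crypt",
# 1 if the chain reaches the physical disk without a crypt layer,
# 2 if nothing is mounted at MOUNTPOINT.
root_is_encrypted() {
    lsblk_output="$1"
    mount="${2:-/}"
    current=""
    # 1. locate the block device holding the mountpoint
    while IFS= read -r line; do
        if [ "$(lsblk_field "$line" MOUNTPOINT)" = "$mount" ]; then
            current=$(lsblk_field "$line" NAME)
            break
        fi
    done <<EOF
$lsblk_output
EOF
    if [ -z "$current" ]; then
        return 2
    fi
    # 2. walk up through PKNAME (parent kernel name) until a crypt device
    #    is found or the chain ends at a disk with no parent
    depth=0
    while [ -n "$current" ] && [ "$depth" -lt 16 ]; do
        line=$(printf '%s\n' "$lsblk_output" | grep "^NAME=\"$current\" " | head -n 1 || true)
        if [ -z "$line" ]; then
            return 1
        fi
        if [ "$(lsblk_field "$line" TYPE)" = "crypt" ]; then
            return 0
        fi
        current=$(lsblk_field "$line" PKNAME)
        depth=$((depth + 1))
    done
    return 1
}

# Constructed sample: LVM root on a LUKS container (a correctly configured laptop)
SAMPLE_ENCRYPTED='NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="" PKNAME="nvme0n1p2"
NAME="vg0-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="vg0-home" TYPE="lvm" MOUNTPOINT="/home" PKNAME="cryptroot"'

# Constructed sample: root on a plain partition; only the login password
# stands between a thief and the files (the Case Study #1 situation)
SAMPLE_PLAIN='NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="/" PKNAME="sda"'

# report LABEL LSBLK_OUTPUT: human-readable verdict for one listing
report() {
    if root_is_encrypted "$2"; then
        echo "$1: root filesystem is on an encrypted volume"
    else
        echo "$1: root filesystem is NOT encrypted; do not store confidential data on it"
    fi
}

report "sample-encrypted" "$SAMPLE_ENCRYPTED"
report "sample-plain" "$SAMPLE_PLAIN"
# On a live Linux host:  root_is_encrypted "$(lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME)"
```

The check confirms only that the block device under / is a dm-crypt volume; it says nothing about the strength of the passphrase, and a separate data partition or USB stick holding the confidential files must be checked the same way. The equivalent status commands on other platforms are `fdesetup status` (macOS FileVault) and `manage-bde -status` (Windows BitLocker).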
Closing the Loop – Your Role

INDIVIDUAL
• Personal, professional, ethical and legal accountability
• Understand role-specific responsibilities and applicable policies and procedures; complete all required training
• Comply with policies and procedures
• Implement appropriate safeguards, maintain physical security and utilize appropriate technical controls; observe access rights and restrictions
• Report concerns, potential breaches and suspected noncompliance to supervisor, manager, unit head or compliance; cooperate fully with investigations

MANAGERS, SUPERVISORS, DIRECTORS
• Convey expectations for accountability to direct reports; accountable for ensuring compliance
• Develop and implement effective new employee orientation to ensure direct reports understand their roles and responsibilities, and applicable policies and procedures; enforce training requirements
• Annually reinforce role-specific responsibilities using the PCISA toolkit
• Monitor compliance; accountable for improving audit results
• Actively manage information access rights upon hire, job change, and termination; monitor use of appropriate safeguards and controls; comply with risk management decisions
• Address concerns and/or refer to compliance; implement corrective actions and sanctions

UNIT HEADS, SENIOR LEADERS
• Provide active leadership; establish accountability expectations and professional standards; allocate resources for compliance and security program activities
• Approve UW Medicine policies; support education/outreach activities; convey implementation expectations to operational areas
• Enforce compliance; evaluate audit findings and convey expectations for improved results
• Participate in risk assessment process; evaluate results; determine system-wide risk tolerance; make risk management decisions
• Receive investigative reports; evaluate findings and determine appropriate corrective actions and sanctions

COMPLIANCE
• Maintain effective compliance programs to prevent, detect, and resolve noncompliance with federal/state laws governing privacy and UW policies
• Establish UW Medicine privacy policies, education and outreach strategies, and implementation tools
• Audit compliance with UW Medicine privacy policies and internal controls; report findings; analyze trends
• Assess compliance risks using internal/external data, trends and regulatory developments; recommend program modifications
• Investigate noncompliance with federal and state laws, and UW Medicine policies; notify affected unit heads and senior leaders; report findings; analyze trends

IT SECURITY
• Maintain effective information security program
• Establish UW Medicine Information Technology and security policies, education and outreach strategies, technical resources, and implementation tools
• Audit information security controls; report findings; analyze trends
• Conduct information security risk assessments
• Conduct forensic analysis associated with potential breaches and suspected noncompliance
CONTACT INFORMATION AND
RESOURCES
UW Medicine ITS Security Team
uwmed-security@uw.edu 206.543.7012
IT Services Help Desk
mcsos@uw.edu
DOM IT Help Desk
domhelp@uw.edu 206.221.2459
UW Medicine Compliance
comply@uw.edu 206.543.3098
UW Medicine Compliance-Anonymous Hotline
comply@uw.edu 206.616.5248 866.964.7744 (toll free)
Questions?