USF IT Security
HIPAA Practice
Ensuring IT Security:
Policies, Training &Technology
• All USF workforce members utilizing/ coming in
contact with HIPAA Protected Health Information
(PHI) must complete this training program and pass
the security quiz at the end of Part 4.
• Employees directly involved in research with PHI
must complete one additional module describing
the relationship of HIPAA to the research process.
The purpose of this training is to provide USF
faculty & staff information on:
•
USF data security requirements & procedures
•
The Privacy Rule of the Health Insurance
Portability and Accountability Act (HIPAA)
•
The HITECH provisions of the ARRA Act
Part 1
General Network
Information and
Security Procedures
Accessing
the
USF
Network
USF Computer Network
USF employees work
on computers that are
linked through a network
that connects all
computers at the university
 The network allows users to share computing
resources and increases efficiency for all computer
users.
 A log-in ID and a secure password are needed to
allow you to access this system.
USF Computer Network
With an ID and password, you are able to:
 Use email
 Access shared files & information stored in databases
 Use hardware such as printers and scanners
 Use software such as web browsers & virus protection
programs.
Secure Log-in ID
The USF Information Technologies (IT) Office will
help you establish a log-in ID that will be a unique
identifier linking you to all of your computer
transactions.
Secure Log-in ID
Like a fingerprint, your
ID can be traced for all
authorized and
unauthorized activities
conducted on the USF
network.
Secure Password
 You will need to establish a secure password to
ensure that you and only you can access your
network account and files.
 Your secure password should NEVER be shared with
others, including co-workers or family members.
Secure Password
To maximize security, passwords must be at least
eight characters long and contain 3 of the following
4 types of characters: upper case letters, lower case
letters, numbers; or special characters such as ! # &.
Example: GoBulls2!
Please don’t select this as your
own password – make up one yourself!
Password Aging
 All users will be asked to change their network
password every 6 months.
 You will be prompted by email when it is time to
change your password.
 If you do not change your password in a timely
manner, your account will be temporarily locked.
Appropriate Use
All USF users sign a statement
agreeing to use the USF
computers and network only to
conduct activities related to the
mission and business purposes
of the University.
Closing Accounts
All USF computer accounts are automatically
closed when employment ends. Some transitional
services (such as auto-forwarding of e-mail
messages) may be offered as allowed by USF
policy.
USF
Network
Security
General Network Security
 It is very important to protect all computer users at
USF from loss or corruption of files and data on the
network.
 Network security is maintained through procedures
and technical tools designed to prevent negative
events like viruses, intrusion, and data loss.
 These negative events have the potential to harm
everyone connected within our computer network.
What is a computer virus?
 A computer virus is a bit of computer
programming code that instructs the computer to
do something you did not intend for it to do.
 The virus is usually invisible to the user until
AFTER it has attached itself to the computer.
How do you get a computer virus?
Most computer viruses enter a computer from
program or file “downloads” (for example, e-mail
attachments) or from transfers from external disks
(floppies, USB drives).
Although all USF PCs have a virus protection
program installed, we all must be VERY CAREFUL
about what we download to our computers.
Are viruses dangerous?
 Some viruses are simply a nuisance, but others
can seriously harm the network and permanently
damage computers and data.
 The cost of restoring the system after a virus
attack is very high in both time and money.
How do viruses work?
•Some viruses open
pathways or holes in the
system to provide access
for later intrusion into
the network.
Some viruses and intrusions are more damaging
than others, but all of them represent a hole in
the security of the network.
 An intruder may not be interested in what is on your
computer, but may be searching for an unprotected
point of access to the network.
 A virus may even send sensitive information from
your computer to another unauthorized location.
USF
E-mail
Policies
Access to E-mail
 USF has established an electronic mail (e-mail)
system to improve communication and facilitate
the important work at USF.
 E-mail may be accessed directly from USF
network computers, or remotely from other
locations (e.g. home computer) through the USF
web-server, using a log-in ID and secure
password.
Appropriate Use
All communications using the USF e-mail system
should be courteous and professional and should
comply with USF anti-harassment policies, i.e.,
unwelcome, offensive or otherwise inappropriate
messages are prohibited.
The USF e-mail system may not be used for:
• lobbying activities
• political or religious causes
• private, commercial ventures
E-mail Messages are Public
Records
 All e-mail created, transmitted,
and stored in the USF e-mail
system are the property of USF
and become part of the public
record of the University.
 Your e-mail messages may be
released by the University upon
receipt of a public records
request.
 If you don’t want to read about it
in the newspaper, don’t put it in
email.
E-mail Monitoring
 USF reserves the right to review, audit, intercept,
access, and disclose email.
 However, your email will be treated as confidential
and will be accessed only when necessary.
Remote
Access
Remote Access
 Employees who need remote access to the USF
Network for purposes other than email must use
Microsoft Remote Access or for HIPAA access the
GoToMyPC remote access software.
 GoToMyPC uses “encryption” to transfer information
in a secure manner.
 An application to establish a GoToMyPC account may
be obtained from the CBCS Administrative Office.
What is encryption?
 Encryption is the conversion of data into a form that
cannot be easily understood by unauthorized people.
 An encrypted computer will require you to enter one
additional password as the PC or laptop boots up.
Laptop Security
 All USF owned laptops (i.e., those that have a USF
Property barcode tag) must have their entire hard
disk drive encrypted.
 Laptops will be encrypted by the IT staff during the
initial setup of all new purchases.
Why is laptop encryption required?
 Because of the
portability of laptops, the
chances of a lost or
stolen laptop are higher
than an office-based
work station.
 Thus, laptop encryption
is used to protect our
confidential data.
If only it had been encrypted…
•A thief who stole a laptop from UC Berkeley might have walked off with
more than a computer. The thief wandered into a building and snatched
the laptop off a desk. The laptop contained personal data, on more than
100,000 UC Berkeley alumni or applicants, such as their Social Security
numbers, birth dates and addresses.
•The school had to notify ALL 100,000 consumers who might have had their
data compromised, some whom had graduated as long ago as 1976!
•Adapted from article by:
• MICHAEL LIEDTKE, AP Business Writer
What do I do if my laptop is stolen or lost?
 Immediately contact
the IT Help Desk at
USF and report the
loss.
 The IT staff will help
you secure sensitive
data, investigate and
document the loss,
and report the
incident to the proper
authorities.
Adding
New Equipment
to the Network
If you purchase new
computer equipment and
want it connected to the
USF network, it must
comply with USF
standards and be
approved prior to
purchase by the IT
department.
If you purchase new equipment..
•Contact the IT Help Desk at USF for additional
information or go to the policy section of the IT
website:
•http://it.usf.edu/policies.cfm
Part 2
USF Security
Policies and
Procedures
Part 2 of this training program
provides an overview of USF
computer security
policies and procedures.
Basic Principles
Faculty and staff at USF
often use sensitive and
confidential data to
conduct research and
evaluation studies.
Data security is not only
an obligation of
individual researchers,
but also of the University,
it’s Colleges and
Institutes as academic
entities.
Potential Dangers
Because USF stores confidential information,
our data systems must be protected against:
 Internet hackers
 Access by unauthorized users
 Improper printing or distribution of protected
electronic information
 Inappropriate use or access by employees
 Other threats to protected information
Risk Assessment
 To enhance the security of our data, USF
systematically monitors its network for intrusions,
security incidents, and inappropriate activity.
 USF also conducts periodic audits of all PC’s and
network devices.
Security Infrastructure
Our security infrastructure includes:
 clear policies and procedures
 secure facilities and equipment
 shared responsibility for information security among
faculty and staff
Information Security
The USF security infrastructure includes the:
• Information Security Officer (ISO)
• Information Security Coordinator (ISC)
• Data Network Committee
• Information Liaison to each College and Dean
USF IT Liaison
• Rick Jones acts as the liaison between USF IT and
CBCS for all issues needing escalation between
the two entities
Part 3
HIPAA:
Basic Information
for All Employees
What is HIPAA?
 HIPAA stands for the Health Insurance Portability
and Accountability Act.
 Congress passed HIPAA in 1996 to make health
insurance eligibility “portable” from one employer
to the next when employees change jobs or have a
change in family status.
 Congress passed HITECH in 2005 significantly
affected HIPAA, including changes to security and
privacy rules, increased enforcement and more
severe penalties
HIPAA establishes a civil
right to the protection of
personal health information
through the U.S.
Department of Health and
Human Services.
Health Information is any information created or
received that relates to the past, present, or
future physical or mental health of an individual.
What is Protected Health Information?
Protected Health
Information (PHI) is any
information that contains
data that may be used to
directly or indirectly
identify an individual.
Elements that can make Health Information identifiable:
Address/geographic info
Name
Telephone #
Email address
Finger or voice prints
Social Security #
Vehicle I.D./device serial #
Health plan #
Certificate/license #
Name of employer
Names of relatives
Fax number
Birthdate; other dates
Photo image/x-rays
Internet IP address
Web URL
Medical record #
Account #
Does USF Have PHI data?
Yes, we house private
information for individuals
receiving services through
Medicaid, Medicare, as well
as mental health and
substance abuse services.
These data sets
contain names, Social Security numbers, addresses,
patient ID numbers, and other identifiers and are
protected health information.
PHI is protected in any form:
 database or computer files
 email
 conversations
 documents
 hand-written notes
 student logs
Can PHI be used in research?
Yes. PHI may be used for
research with the express
authorization of the
individual or through
other measures designed
to protect the privacy of
the individual.
What is the impact on USF?
USF must provide as good, or better, security for
sensitive data than the agencies and providers from
whom we obtain the data.
Non-compliance with HIPAA can
result in:
Minimum Penalties
“Did not know”
› Tier A $100
Maximum Penalties
› Tier A $25,000
“Reasonable cause”
› Tier B $1,000
› Tier B $100,000
“Willful neglect”
› Tier C $10,000
› Tier C $250,000
“Uncorrected violation”
› Tier D $50,000
› Tier D $1,500,000
How does USF protect PHI data?
Information security is the key to protecting PHI
data. USF has developed
1. policies and procedures on Information Technology
& Security through a HIPAA Practice established in
the IT Security Department
2. training activities for employees
3. secure technology enhancements and risk
assessment procedures.
Breach Notification
• Breach generally is the unauthorized
acquisition, access, use or disclosure of PHI.
• Breach Notification – must provide notice, via
first class mail, to the affected person(s) within
60 days of the breach.
• In any case in which 500 or more persons are
affected by a breach, notice to major media
outlets must occur.
Policies
•USF has security policies addressing:
•Data procurement and use
•Data access and security
•Security incident reporting
•Regular review of systems activity
•For more information on specific policies, please
contact USF IT or go to the policy webpage:
•http://it.usf.edu/security
USF Training
 We provide training
through mandatory,
periodic, basic training
for all USF faculty and
staff on security
procedures and through
 Specialized training for USF faculty and staff who
use data that are subject to HIPAA guidelines.
USF Technology Security
USF has implemented several technological
enhancements to address security concerns.
USF Technology Security
We have installed a Firewall to protect our network. A
firewall is computer hardware and/or software that
limit access to a computer network from an outside
source. Firewalls are used to prevent computer
hackers from getting into computer systems.
USF Technology Security
 Restructured the USF computer network to increase
security
 Implemented the use of the GoToMyPC software for
external data access to HIPAA ePHI
Part 4
Protected
Data
Who can be an Authorized User ?
An authorized user is a person who has:
• completed this USF training module;
• received permission to use the sensitive data (including collecting
such data themselves);
• been approved by the IT Security Office to use the USF secure data
servers.
Becoming an Authorized User
 To become an authorized user,
submit an application to the
HIPAA Security Director. The form
may be obtained from USF IT.
 A complete application will
include supporting documentation
of appropriate training as shown
on next slide.
Application Documentation
1.
The certificate indicating that the applicant has
completed the training on Human
Subjects/Institutional Review Board (IRB) procedures
required by the USF Division of Research Compliance.
2.
A certificate from the IT Security Department
indicating that this USF training on data security and
HIPAA guidelines has been completed (may be
submitted electronically)
3.
If applicable, a signed Data Confidentiality Procedures
agreement from the source from which the data were
received (e.g., DCF, AHCA)
What is a Data Custodian?
The custodian of the data set is an authorized user who has
primary responsibility for:
• Developing the data use agreement with the source
• Approving the scientific use of the data
• Communicating with the IT HIPAA Security Director regarding
the storage of data on a secure server
• Ensuring that individuals who access data are appropriate coinvestigators and have the approval of the data source (e.g.,
AHCA) to use these data.
All research data at USF,
including data from active
projects and archived data
from inactive projects, are
potentially subject to the
regulation.
Three categories of data are subject to regulation:
• Protected Health Information (see previous
section)
• Sensitive, personally identified data
• Non-sensitive or de-identified data
Sensitive, Personally Identified Data
 Sensitive, personally identified data are:
 Any research data (such as demographic
characteristics) that contain information that might
allow an individual’s identity to become known to
others (who do not have authorization to see the
data).
 In brief, sensitive data is all non-PHI data that
allows the identification of participants
Non-sensitive or de-identified
data
 Non-sensitive or de-identified research data is any
data where all identifiers have been removed or
individual persons/entities cannot be identified.
 Non-sensitive or de-identified data should be
secured in a manner that the data owner or
investigator determines is reasonable and
appropriate.
Protecting Data at USF
•Any data obtained or maintained by USF
faculty or staff that include sensitive and/or
PHI data, should be protected from
unauthorized disclosure.
•It is recommended that all such data be
stored on USF secure data servers.
•Any data not stored on an USF secure
server should be stored according to the
Generally Accepted System Security
Principles (GASSP) of the International
Information Security Foundation.
Sharing data with other users…
If the source of the
sensitive data asks you to
provide or share sensitive
data with specific
individuals, specific
procedures must be used
(continued on next slide).
• The request from the source should be in writing (or via
confirmed e-mail) and kept on file
• The request should be specific as to what data sets are to
be given the person
• The person who will gain access to the data must complete
the process to become an authorized user
• No authorized user can allow anyone else to access or use
data without following credentialing/approval by the USF IT
HIPAA Security Director.
Archived Data
If you have data that are no longer needed:
• Determine if the data can
be destroyed or deleted
from server (this should
comply with any data use
agreements);
• Maintain documentation
on file that the PI has
removed the data from
his/her PC or other form
of data storage and
secured it appropriately.
Paper Copies of Data
 If you print copies of
sensitive/PHI data, the printed
documents should never leave
the USF premises and should
be secured promptly.
 Non-secured printouts should
be shredded – never
discarded or recycled.
Notification of Data Acquisition
 The department chair or other designated
authority should notify the HIPAA Security
Director when a research project that will use
sensitive data is approved at the departmental
level.
 Any USF investigator acquiring sensitive data
should send a brief description of the data to the
HIPAA Security Director.
•The investigator may request that the
data be kept on a Data Server under
high security.
• The investigator may also choose to keep sensitive,
primary data (data collected by the researcher for a
specific research project) outside of a secure data
server providing that the researcher demonstrates
adequate proof of security. That proof must be
filed with the HIPAA Security Director.
Data Access by Non-Authorized Users
•All disclosures of
sensitive/PHI data to
non-authorized users
must be approved by
the custodian, with
notice provided to the
HIPAA Security
Director.
Project Closure
Custodians for sensitive data sets should inform the
HIPAA Security Director when:
• Projects have ended and the data can be
archived
• Computers are to be removed from the network
and inactivated
•
We hope this training program has increased your
understanding of the importance of utilizing secure
procedures in your job.
•
All employees will need to complete a short quiz to reinforce
your knowledge of critical security procedures.
HIPAA Training
•
Individuals who will be conducting research
projects or who will be working with PHI data
should also complete the training module on the
impact of HIPAA on research at USF.
•Please proceed to the security quiz.
•Click on the following link, print and complete the quiz, and
send it to the USF IT HIPAA Security Office, SVC 4010.
•LINK