Information Security: User Responsibilities

Your Role in Information Security
Center on Human Development and Disability
January 2005
Rev 12/08
Overview
Information Security is not just about computers; it is how we go about our business here at UW & UW Medicine.
• We have a set of standards and policies that define our Information Security requirements.
• Information Security is a responsibility of all the UW & UW Medicine Workforce*.
* Faculty, employees, trainees, volunteers, and other persons who perform work for UW Medicine.
UW Medicine
Version: 20041105
2
Users
Any individual using a computer connected to UW &/or UW Medicine networks, or those who have been granted privileges and access to UW Medicine computing and network services, applications, resources, and information.
User Responsibilities
The customary ones:
• Comply with UW and UW Medicine policies,
• Comply with federal and state law, and
• Restrict use to authorized purposes.
User Responsibilities (continued)
Directly related to information security:
• Report all suspected security and/or policy breaches to an appropriate authority;
• Don't disable your firewall and/or antivirus;
• Protect access accounts, privileges, and associated passwords;
• Accept accountability for your individual user accounts;
• Maintain confidentiality.
Information Security Training -- Dependent on Your Role
Everyone: Privacy, Confidentiality, and Information Security Agreement.
If you access PHI: New Employee Orientation and/or HCCS on-line HIPAA Training.
If your system has PHI: System Owner and System Operator Training.
UW Medicine Clear Workspace Standard
Reduce the risks of unauthorized access, loss of, and damage to information during and outside of normal working hours by putting away RESTRICTED and/or CONFIDENTIAL information in your workspace.
Clear it or Secure it . . .
• Lock away protected health information or critical business information when not in use. Store paper and computer media containing RESTRICTED and/or CONFIDENTIAL information in suitable locked cabinets or desks when not in use or when unattended.
• Clear RESTRICTED and/or CONFIDENTIAL information or critical business information from printers immediately.
• Protect mail and fax machines from unauthorized access.
• Locked doors count.
Log off or secure your workstations when not in use or unattended
• Terminate active computing sessions when unattended, unless they can be secured by an appropriate locking mechanism, like a password-protected screen saver (Ctrl+Alt+Delete, then Lock Computer).
• Log off networked systems when the computing session is finished.
Workstation Requirements
• Screen saver activation: workstations with PHI in areas where patients or the public have access to a workstation require one-minute activation.
• After hours:
  • AMC domain PCs are required to be logged off and powered on after hours.
  • Otherwise follow the direction of those responsible for your computer support.
Reusing electronic media
Example: surplus or redistribute a computer.
Media Intended for Reuse - Specific Processes
• Overwriting method: overwriting uses a software program to write (1s, 0s, or a combination) onto the media. Common practice is to overwrite the media three times. Four times is better.
• Degaussing method: magnetically erases data from magnetic media. Two types of degausser exist: strong, permanent magnet degaussers and electric degaussers.
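The overwriting method described above, shown as an added Python example (this is not code from the CHDD/UW Medicine deck, and the file name, function names and the "CONSTRUCTED-PHI-RECORD" sample data are all assumptions made for the demonstration). Each pass writes one pattern (0x00, then 0xFF, then random bytes) over every byte of the target, forces it to stable storage, and reads the fixed-pattern passes back to confirm the write actually landed. An ordinary file stands in for the whole disk or tape the slide is talking about.

```python
import os
import secrets
import tempfile

# Constructed demonstration of a multi-pass overwrite. The target path is an
# ordinary file used as a stand-in for a block device; the loop is the same
# for a device path when run with the necessary permission.

def _pattern_passes(passes):
    """Yield the byte pattern for each pass: 0x00, 0xFF, then random (None)."""
    fixed = [b"\x00", b"\xff"]
    for i in range(passes):
        yield fixed[i] if i < len(fixed) else None   # None means random data

def overwrite_media(path, passes=3, chunk_size=64 * 1024):
    """Overwrite `path` in place `passes` times (3 is the slide's common practice).

    Returns the size covered and how many passes were verified by read-back.
    Random passes are not re-read; the fixed-pattern passes are.
    """
    if passes < 1:
        raise ValueError("at least one pass is required")
    size = os.path.getsize(path)
    verified = 0
    with open(path, "r+b") as fh:
        for pattern in _pattern_passes(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                block = pattern * n if pattern is not None else secrets.token_bytes(n)
                fh.write(block)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())   # push the pass to the media, not just the page cache
            if pattern is not None:
                fh.seek(0)
                remaining = size
                while remaining > 0:
                    n = min(chunk_size, remaining)
                    if fh.read(n) != pattern * n:
                        raise IOError("read-back verification failed for pattern %r" % pattern)
                    remaining -= n
                verified += 1
    return {"bytes": size, "passes": passes, "verified_passes": verified}

def demo():
    """Write a constructed marker into a temp file, sanitize it, and report the outcome."""
    marker = b"CONSTRUCTED-PHI-RECORD-0001 " * 500   # 14,000 bytes of fake sensitive data
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(marker)
    try:
        stats = overwrite_media(path, passes=3)
        with open(path, "rb") as fh:
            data = fh.read()
        stats["marker_gone"] = b"PHI-RECORD" not in data
        stats["size_preserved"] = len(data) == len(marker)
        return stats
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(demo())
```

Two caveats a support person should keep in mind when applying this to real media: overwriting a file in place only reaches the blocks the file currently occupies, so a whole-device overwrite is what the slide's "entire disk" wording calls for; and on flash-based media (SSDs, USB sticks) spare blocks and wear levelling mean an overwrite cannot be assumed to reach every copy, while degaussing only works on magnetic media at all.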
Physical Space Security
• Use appropriate measures, like locked doors.
• Question individuals without badges.
• Make sure that vendors check in and are escorted in your department.
Taking UW Medicine Equipment from the Premises
• Obtain authorization to take equipment offsite.
• Log out the equipment.
• When returned, log the equipment back in.
• Be aware of department expectations about offsite use of that equipment.
• Secure the information with controls comparable to those of equipment on-site.
Who can install software on my workstation?
• Only designated system administrators are to install software, and
• Only licensed and authorized* software is used.
* Authorized means that the System Owner approves.
Appropriate Password Management
• Where PHI is accessed, each user is issued a unique username and password.
• It is against UW & UW Medicine Policy to share userID and/or password (this includes logging in for others…).
Comply with Copyright Law
• Unauthorized use of software, images, music, or files is regarded as a serious matter, and any such use is without the consent of UW & UW Medicine.
• If abuse of computer software, images, music, or files occurs, those responsible for such abuse may be held legally accountable as well as be held accountable for violation of UW & UW Medicine Policy.
• It is against UW & UW Medicine Policy for workforce members to copy or reproduce any licensed software except as expressly permitted by the software license.
Use of Departmental Computers (RCW 42.52.360, WAC 292-110-010)
In 1997, the State of Washington Executive Ethics Board defined permitted personal activities on State owned computers. This policy was amended in 2002 to permit limited Internet use. Aside from occasional and de minimis (i.e., of minimal cost to the State) use, the policy prohibits the personal use of computers, email and the Internet. This limitation is similar to permitted personal use of non-computer resources, such as telephone calls. The State allows limited personal use of computer resources provided the use:
• Results in little or no cost to the State;
• Does not interfere with the employee's official duties;
• Is brief in duration, occurs infrequently, and is the effective use of time and resources;
• Does not disrupt or distract from the conduct of State business due to volume or frequency;
• Does not compromise the security or integrity of State property, information or software;
• Does not disrupt other State employees and does not obligate them to make personal use of State resources.
Your Email is NOT Private
Before you freely email any extremely personal thoughts or information, please consider that, unlike telephone conversations, email and its archives are subject to legal and public inspection, and that many computers retain old emails in archives for years.
Private watchdog groups, outside UW and Washington State, monitor email for abuse, and lawyers subpoena email as a part of evidence gathering. If you do not want to see your most sensitive and/or private email printed in newspapers, do not send it.
More: Using Washington State Equipment
Washington State law also prohibits the use of UW computers for personal business-related, commercial, campaign or political purposes, or to promote an outside business or group, or to conduct illegal activities. Additionally, employees are prohibited from allowing any member of the public to make personal use of state computers and computing resources.
Washington State specifically prohibits use of the computer for all political and commercial activities. The following items have been additionally called out in detail:
• Notices for selling of personal items on any State owned computer system.
• Notices for charity/fund raising events, whether selling an item or raising money, unless the activity is University sponsored.
Many Internet Activities Expressly Prohibited
Although de minimis personal Internet use is now allowable, many Internet activities are still prohibited. Downloading copyrighted files, such as MP3 music files, may violate copyright law and subject UW and you to penalties and fines. Other examples of improper or excessive use are included in the Executive Ethics Board web site:
http://www.wa.gov/ethics
and the UW Administrative Policy web site:
http://www.washington.edu/admin/adminpro/APS/47.02.html
Some examples of permitted activities may be prohibited in Lab Medicine because of their potential impacts. For example, extensive use of streaming video or streaming audio can overload the capacity of the network and interfere with the laboratory information system.
Understanding Information Classification
Information classification is designated by the System Owner or Data Custodian. Classification ensures the appropriate level of security is applied for information and information systems, based on the identified level of impact to confidentiality, integrity, and availability.
Definitions of Confidentiality, Integrity, & Availability
• Confidentiality: ensuring that information is accessible only to those authorized to have access;
• Integrity: safeguarding the accuracy, completeness, and control of information and processing methods;
• Availability: ensuring that authorized users have access to information and associated assets when required.
PUBLIC Information
• Information that is intended for, or can be viewed by, the public or the University community. Information can be verbal, electronic, or printed materials.
• Access to this information is usually anticipated or planned.
• Examples include university web pages, course descriptions, faculty profiles, individual and departmental announcements, or other general information that can be viewed by the public.
RESTRICTED Information
• Information used by the UW & UW Medicine workforce with an established need-to-know relationship.
• Unauthorized data disclosure could impede the ability of UW & UW Medicine employees to conduct business, but does not violate any federal, state or UW regulations (e.g. poor business practices).
• Examples include proprietary information, such as business plans, intellectual property, financial information or other sensitive materials that may affect workforce or organizational operations.
CONFIDENTIAL Information
• Information that is very sensitive in nature, where access requires careful controls and protection.
• Unauthorized disclosure of this data could seriously and adversely impact UW & UW Medicine, the interests of employees, students, patients, or other individuals, and organizations associated with UW & UW Medicine.
• Examples include: personally identifiable and protected health information (PHI), workforce records, sensitive student records, social security numbers, legally protected University records, and passwords.
Follow Department Processes
Dispose of RESTRICTED and/or CONFIDENTIAL information in a secure manner. All floppy disks, hard drives, CDs, etc. have to be wiped before being retasked to another use.
Contact your computer support person to help you. CHDD personnel can be contacted at chddtech@u.washington.edu
Autism Center – Susan Conarroe
CTDS – Jeff Witzel
Disposing of protected health information, proprietary documents, and confidential information in a secure and confidential manner
When PHI and proprietary information are included:
• Paper Documentation - needs to be shredded, pulped or otherwise obliterated in a manner that prevents reconstruction.
• Microfilm and Microfiche - must be pulverized [1].
• Laser Disks - used in write once-read many (WORM) document imaging applications, shall be pulverized.
• Floppy Disks - shall be pulverized.
• Compact Discs - shall be pulverized.
• Magnetic Tape & Video Tape - the preferred method for destroying computerized data is magnetic degaussing. If destruction is not achieved by degaussing, it must be executed in an alternative manner that assures that the information cannot be reconstructed.
• Hard Drives - to assure that computerized data is destroyed when equipment is decommissioned, a three-pass binary overwrite of the entire disk will reasonably assure that the information cannot be reconstructed. An alternative to this process is that the hard drive is removed from the device and pulverized.
• Carbon Rolls (from printers or fax machines) - the method for destroying carbon rollers removed from printers or fax machines is to send them to Environmental Services for destruction by autoclaving.
[1] Pulverized: reduced (as by crushing, beating, or grinding) to very small particles that cannot be reconstructed or used in any combination to reconstruct the original.
Report Events, Incidents and/or Malfunctions
An occurrence or event that conflicts with or interrupts normal process.
• Contact your Supervisor, System Operator and CHDD Administrator, Christene James, 206-221-5496.
Priorities of Incident Response
1. Protect human life and people's safety; human life always has precedence over all other considerations.
2. Protect RESTRICTED and/or CONFIDENTIAL data.
3. Prevent exploitation of RESTRICTED and/or CONFIDENTIAL systems, networks or sites. Inform affected RESTRICTED and/or CONFIDENTIAL systems, networks or sites about already occurred penetrations.
  • Protect RESTRICTED and/or CONFIDENTIAL Information.
  • Prevent exploitations of other systems, networks or sites and inform already affected systems, networks or sites about successful penetrations.
Priorities - continued
4. Prevent damage to systems (loss or alteration of system files, damage to disk drives). Damage to systems can result in costly down time and recovery.
5. Minimize disruption of computing resources - including processes.
• It is better in many cases to shut a system down or disconnect from a network than to risk damage to data or systems.
Protect Against Malicious Software
• Do not disable the anti-virus software.
• Do not install or run unknown software.
• Report virus incidents to your Help Desk.
Protect Against Malicious Software (2)
• Use anti-virus software to scan all diskettes and files provided to you by others or after using them on another computer.
• Do not open email attachments from unknown senders.
• Verify attachments from known senders and scan them before opening. If you expect an attachment, make sure that the attachment's file type and sender are consistent with what was expected.
• Follow this same process for Internet downloads.
Sanctions
• The regulation requires that we apply appropriate sanctions against individuals who fail to comply with the security policies and procedures that are based upon our security policies, according to the relative severity of the violation.
• UW has sanctions for the failure to follow policy and/or for a breach of patient confidentiality or information security.
Five Levels/Categories of Actions and/or Sanctions
After an investigation, a sanction level is applied:
[0] No Breach of Information Security
Although someone reported a suspected breach, upon investigation it is realized that an exception was granted.
[1] Unable to Determine Whether a Breach Occurred
A breach or potential breach was discovered after the system in question was redeployed and evidence of the breach has been mostly or completely destroyed.
[2] Policy Violation with Mitigating Circumstances
The workforce member attempted to implement or supplement security controls believing them to be in compliance or improving security.
Five Levels/Categories (continued)
[3] Policy Violation without Reasonable Appearance of Malicious Intent
Unauthorized use of another employee's username and/or password.
[4] Policy Violation with Reasonable Appearance of Malicious Intent
1. Member of workforce intentionally alters or destroys data or equipment.
2. Failure to implement standards after repeated notification.
DEFINITIONS: System Owner & System Operator
• System Owners are individuals within the UW & UW Medicine community accountable for the management and use of one or more electronic information systems, electronic databases, or electronic applications that are associated with UW & UW Medicine or EPHI.
• System Operators administer and/or manage the daily activities of one or more electronic information systems, electronic databases, or electronic applications.
Data Custodian & Department Administrator/Manager
• Data Custodians are the individuals who have been officially designated as accountable for protecting the confidentiality of specific data that is transmitted, used, and stored on a system or systems within a department, college, school, or administrative unit of UW Medicine.
• Department Administrator/Manager: the individual who manages the users of UW Medicine systems.
The Life Cycle of User Privileges
• Manager/Supervisor requests user privileges.
• Manager/Supervisor updates any information on the user or privileges during workforce engagement.
• Manager/Supervisor disables user privileges when the workforce member is separated or transferred.
Minimum Information Security Requirements
• Approved Operating System that is patched in a timely manner
• Protection Against Malicious Software (i.e. anti-virus protection)
• Filtering or Firewall Protection
• Enabled Logging and Auditing
• Approved Network Media & Protocols
Advanced Information Security Requirements
Systems with RESTRICTED & CONFIDENTIAL Information must meet the Advanced Information Security Requirements:
• Implementation of Minimum Information Security Requirements with additional controls
• Additional data protection required based on high risk analysis (higher level administration):
  • Strict data access policies and procedures
  • System access audit logs
  • Physical protection includes privacy mandates
  • Servers need certification
Questions?
Please let Christene James know if you have any questions.
206-221-5496 or cajames@u.washington.edu
Resource for Questions
Richard Meeks
HIPAA Compliance Officer
HIPAA Program Office
UW Medicine
206-543-0300
meeksr@u.washington.edu
Reference Materials
1. UW Medicine Policies:
https://security.uwmedicine.org/securitypolicies.asp