Post on 28-Jun-2020
Security Fundamentals: What is Information Security?
Managing risks, threats and vulnerabilities to preserve confidentiality, integrity, availability of information assets and systems
Ontario hospitals are responsible under Ontario’s Personal Health Information Protection Act (PHIPA) for protecting our patients’ personal health information (PHI).
Threats to Information Security
• Weak passwords & shared accounts
• Computer Virus/Malware
• Phishing emails & Social Engineering
• Theft/Loss of unencrypted end point devices
• PHI or confidential data sent by unencrypted e-mail
• Other natural disaster events
Strong Passwords Mandatory…
• on desktops, laptops, mobile devices & removable storage media – do not share or store passwords on equipment; use locked storage if written down
• STRONG: combination of letters, numbers, symbols, minimum of 8 characters & no dictionary words
• NEVER let anyone use your login and password to access Hospital computers/applications - they serve as your electronic signature
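The password rules on this slide (minimum 8 characters, letters, numbers and symbols, no dictionary words) can be checked mechanically at enrolment time. The following Python is an added example, not part of the NYGH training material: the word list is a constructed stand-in for a real dictionary, and the leet-speak normalisation step (treating "Pa$$w0rd" as "password") goes slightly beyond the slide, which only says "no dictionary words".

```python
import string

# Constructed, deliberately tiny word list standing in for a real dictionary.
# Assumption: a production check would load a full word list plus known-breached passwords.
DICTIONARY_WORDS = {
    "password", "hospital", "welcome", "summer", "toronto", "letmein", "qwerty", "nygh",
}

MIN_LENGTH = 8  # minimum length stated in the NYGH policy

# Common digit/symbol substitutions people use to sneak a dictionary word past a filter.
# This normalisation is an addition beyond the slide text.
LEET_TABLE = str.maketrans("0134$@5", "oleasas")


def check_password(password: str, dictionary=DICTIONARY_WORDS) -> list:
    """Return the list of policy rules the password violates (an empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")

    # Lower-case and undo common substitutions before looking for dictionary words,
    # so "Pa$$w0rd!" is caught as well as "password!".
    normalised = password.lower().translate(LEET_TABLE)
    hits = sorted(word for word in dictionary if word in normalised)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems


def is_strong(password: str) -> bool:
    """True when the password satisfies every rule above."""
    return not check_password(password)


if __name__ == "__main__":
    for candidate in ["abc", "Summer2020!", "Pa$$w0rd!", "Xk7#pQ2!v"]:
        verdict = "OK" if is_strong(candidate) else "; ".join(check_password(candidate))
        print(f"{candidate!r}: {verdict}")
```

The check reports every failed rule rather than stopping at the first one, which is what a user-facing enrolment form needs. Note that length and character-class rules alone do not stop "Summer2020!"; the dictionary check is what rejects it.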
Always log off
• ALWAYS log off systems to prevent anyone accessing or changing confidential information under your electronic signature
• If you are the only user of a device, use the password locking feature when the computer is unattended
Virus and Malware
• A computer virus is a type of malicious software program (“malware”) that when clicked on, replicates itself and modifies other programs and inserts malicious code. The infected computer then spreads the virus.
• NYGH installs antivirus software on all computers, which scans daily and looks for viruses and vulnerabilities. Anything found is flagged and investigated.
Computer Hygiene
Computer patch: a piece of software used to update a computer program and fix security holes. To keep computers “clean” and secure, patches must be kept up-to-date.
NYGH applies computer patches on the 2nd Thursday of each month. On “Patch Thursday”:
• Keep computers onsite
• Save your data and follow the process
• Reboot the computer to allow the patches to take effect
Phishing Emails
Everyone is responsible for protecting hospital data from hackers. Be vigilant! Don’t click on suspicious emails, links or websites. If you don’t know the sender, or the sender is asking for private information (e.g. passwords or financial info), DO NOT RESPOND.
• clicking on a link could infect computers with a virus/malware, so be careful
• an unsafe click could allow personal health information and hospital data to be accessed or stolen
Only if you are sure
Physical Security
• All staff, physicians and volunteers are required to wear their NYGH ID badge at all times when on hospital premises
• Always be aware who is accessing computers in your area and don’t be afraid to question their identity and actions
• If you are unsure or suspect any suspicious activity, report to your supervisor or Security immediately.
Security Safeguards: encrypted, limited storage
• Information & Privacy Commissioner: confidential data must “never be stored or transmitted outside of secure institutional servers unless encrypted”
• End point devices - laptops, tablets, smartphones used to access, store, record or transmit confidential data must meet approved NYGH Information Services security/encryption standards
• Storage of confidential data - limited to that which is absolutely necessary
Security Safeguards: Locked secure data
Cabinets, desks, offices and any areas containing confidential data must be locked when unattended. Keep keys with you or in a secure location.
Don't take confidential info out of hospital unless absolutely necessary.
Use secure remote access instead.
If you must leave the hospital with confidential data, lock it in the trunk of your car at the beginning of the trip and never leave it overnight in the car.
Saving your documents
Save your data properly: Information Services (IS) has provided every department/staff with shared network drive(s) which are secure and backed up nightly, to help prevent lost files and data.
Any information stored on your Local Disk (C:\ Drive) is NOT backed up, nor transferred to replaced devices. If you need access or help with saving to your home or shared drive, please contact the IS Helpdesk.
Secure email
NYGH’s email system protects confidential data and you: secure encrypted transmission between NYGH sites (General, Branson, Senior's Health Centre). If intercepted, it cannot be read.
Without encryption, it's like sending a postcard.
Never send confidential info from or to a personal email account e.g. Hotmail, Gmail or Yahoo - transmission is not encrypted; can be intercepted & read
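The rule "never send confidential info from or to a personal email account" is the kind of thing a mail gateway can enforce before a message leaves the hospital. Below is an added Python example of such an outbound check; it is not NYGH's code or policy engine. The hospital mail domain `nygh.example` is a placeholder (the real domain is not on the page), the list of personal webmail domains is constructed from the slide's Hotmail/Gmail/Yahoo examples plus a few similar providers, and the `[CONFIDENTIAL]` subject tag is an assumed convention for marking messages that carry PHI.

```python
# Placeholder for the hospital's own mail domain(s); the real value is not on the page.
INTERNAL_DOMAINS = {"nygh.example"}

# Constructed list of consumer webmail providers (the slide names Hotmail, Gmail and Yahoo).
PERSONAL_WEBMAIL = {
    "gmail.com", "googlemail.com", "hotmail.com", "outlook.com", "live.com",
    "yahoo.com", "yahoo.ca",
}

# Assumed convention: staff tag messages carrying PHI with this subject marker.
CONFIDENTIAL_TAG = "[confidential]"


def domain_of(address: str) -> str:
    """Extract the lower-cased domain from 'user@host' or 'Display Name <user@host>'."""
    addr = address.strip().lower()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rindex("<") + 1:-1]
    return addr.rsplit("@", 1)[-1]


def classify_domain(domain: str) -> str:
    """internal (covered by NYGH's encrypted transport), personal-webmail, or other external."""
    if domain in INTERNAL_DOMAINS:
        return "internal"
    if domain in PERSONAL_WEBMAIL:
        return "personal-webmail"
    return "external"


def evaluate_message(sender: str, recipients: list, subject: str) -> tuple:
    """Decide 'allow', 'warn' or 'block' for an outbound message and explain why."""
    confidential = CONFIDENTIAL_TAG in subject.lower()
    findings = []

    if classify_domain(domain_of(sender)) != "internal":
        findings.append(f"sender {sender} is not on an NYGH mail domain")

    for rcpt in recipients:
        kind = classify_domain(domain_of(rcpt))
        if kind == "personal-webmail":
            findings.append(f"{rcpt}: personal webmail account, transmission is not encrypted")
        elif kind == "external" and confidential:
            findings.append(f"{rcpt}: confidential message to an external domain needs approved encryption")

    # Confidential mail with any finding is stopped; everything else is at most a reminder.
    if confidential and findings:
        return "block", findings
    if findings:
        return "warn", findings
    return "allow", findings


if __name__ == "__main__":
    # Constructed sample messages for illustration.
    samples = [
        ("nurse@nygh.example", ["doctor@nygh.example"], "[CONFIDENTIAL] lab results"),
        ("nurse@nygh.example", ["Friend <friend@gmail.com>"], "[CONFIDENTIAL] lab results"),
        ("nurse@nygh.example", ["Friend <friend@gmail.com>"], "lunch on Friday?"),
        ("nurse@nygh.example", ["partner@clinic.example"], "[Confidential] referral"),
    ]
    for sender, rcpts, subj in samples:
        action, why = evaluate_message(sender, rcpts, subj)
        print(f"{action.upper():5} {subj!r} -> {rcpts}")
        for line in why:
            print("      -", line)
```

A message between two NYGH addresses is allowed regardless of content because the slide states that transmission between NYGH sites is encrypted; a non-confidential note to a Gmail address only produces a warning, since the page's rule is about confidential information, not all mail. The subject-tag approach depends on staff labelling correctly; a real deployment would pair it with content inspection.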
What you can do (1)
• Maintain private and strong passwords all the time
• Follow NYGH “Patch Thursday” practices to safeguard computer devices
• Save documents on shared drives
• Be vigilant as to what you click/open on a computer device.
What you can do (2)
• Minimize storage of confidential info on any end point devices
• Ensure encryption enabled on your end point devices
• Never send confidential information from/to personal email address (Gmail, Hotmail, Yahoo etc.)
Information Security Summary
• Combine physical, administrative & technical protections
• Avoid “What’s the risk?” thinking
• See Something, Say Something!
• Security is not complete without “U”!
Reporting Incidents
Your speed in reporting a problem, or suspected problem, is critical to incident management.
Immediately report theft or loss of a laptop, mobile device, USB stick, or paper records to NYGH’s Chief Privacy Officer (CPO), Rita Reynolds, Security AND the IS Helpdesk.
Immediately report unauthorized access, collection, use, disclosure, copying or modification of PHI to our CPO.
If it doesn’t go as planned… just call!
Rita Reynolds, Chief Privacy Officer
416-756-6448
IS Helpdesk
416-756-6074
Information & Privacy Commissioner/Ontario (IPC)
Provides oversight of compliance with the Personal Health Information Protection Act. In this role the Commissioner:
• adjudicates access appeals, investigates privacy complaints and may issue public reports
• may enter and inspect premises, records, information management practices and require evidence under oath, affirmation
• has order-making power
Prosecution by Attorney General
If found guilty of an offence under PHIPA, an individual may be fined up to $100,000; organizations may be fined up to $500,000.
IPC Contact: 416-326-3333 www.ipc.on.ca
For more information please contact Rita Reynolds Chief Privacy Officer at 416-756-6448
Thank you for completing the Security Fundamentals.