



Excellence in Academic Achievement

Medicine that Touches the World

UAB/UABHS Information Security Handbook

Table of Contents
Confidential Information .................................................................................................. 1
Access Privileges ............................................................................................................ 2
User ID ............................................................................................................................ 3
Password Protection ....................................................................................................... 3
Password Creation .......................................................................................................... 4
Lock or Log Off Your Computer ...................................................................................... 5
Working from Home ........................................................................................................ 5
Personal Use................................................................................................................... 6
E-mail .............................................................................................................................. 6
Internet Access ............................................................................................................... 7
Illegal and Inappropriate Activity ..................................................................................... 7
Auditing and Monitoring................................................................................................... 8
Reporting Security Incidents ........................................................................................... 9
Back Up Confidential Information.................................................................................... 9
Protecting Media ........................................................................................................... 10
Installing Software ......................................................................................................... 10
Mobile Computing Devices............................................................................................ 10
Confidential Information
  Confidential information is any information considered to be private and sensitive.
  Some examples of confidential information at UAB/UABHS include:
        • Patient medical records
        • Employee records
        • Student records
        • Research data and records
        • Social Security numbers
        • Medical record numbers
        • Credit/Debit card numbers
        • Passwords, security codes, and PINs

  Confidential information can be verbal, printed on paper, or stored on a computer, a
  hand-held device such as a PDA, computer media, or voice mail.

  You are responsible for protecting confidential information from unauthorized
  access, disclosure, or modification.

  Do not discuss or share confidential information with coworkers, family, or friends.

  Use only UAB/UABHS-approved procedures when handling confidential information,
  especially when using the Internet, e-mail, or a fax machine. Ask your supervisor for
  specific guidance on how to properly handle confidential information.



                                         Page 1
Access Privileges
  Your access to UAB/UABHS computer systems and information is based on your
  work duties and responsibilities with UAB/UABHS. Access privileges are limited to
  only the minimum necessary information you need to do your work. Your access to
  an information system does not automatically mean that you are authorized to view
  or use all the data in that system.

  Ask your supervisor if you have questions about the information you are allowed to
  view or use.

  Information Technology (IT) and Health System Information Services (HSIS) may
  limit or deny computer access privileges to you at any time. Reasons for denying
  access privileges include, but are not limited to, the following:
      • Change of job duties, termination of employment, or a change in your
          relationship with UAB/UABHS
      • Failure to comply with UAB/UABHS policies, standards, or procedures
      • Conduct that interferes with the normal operations of computer systems
      • Activity that adversely impacts the ability of others to access or use computer
          systems
      • Behavior that violates UAB/UABHS policy or that is harmful, unprofessional,
          or offensive to others




                                       Page 2
User ID
  Your user ID uniquely identifies you. It is your means for accessing a number of
  UAB/UABHS computer services. Other names for your user ID include BlazerID,
  Logon ID, and HorizonID.

  Do not share or allow anyone to use your user ID.

  Do not share or use another person’s user ID.

Password Protection
  Protecting your password is critical in protecting confidential information. Follow
  these precautions:
    • Memorize your password and never write it down.
    • Change your password periodically.
    • Do not share your password with anyone, including your supervisor and
       IT/HSIS representatives.
    • Do not ask for or attempt to learn another person’s password.

  IT/HSIS representatives may ask you to log in to a system so that they can perform
  maintenance. Verify that they are authorized to perform the maintenance. Contact
  the appropriate Help Desk if you are unsure. Stay with the IT/HSIS representatives
  while they are logged into the system with your user ID and password.

  You are responsible for all actions associated with your user ID and password.


                                           Page 3
Password Creation
  Create a “strong” password.

  Care should be taken when creating your individual password. Follow these simple
  tips:
      1. Use 6-8 characters. The longer your password is, the
         harder it is to break.
      2. Use a combination of letters and numbers. Using special
         characters such as *, ?, #, @, &, or $ will also make your
         password stronger.
      3. Do not use common words that can be guessed or found
         in the dictionary.
      4. Do not use personal information that can be easily
         associated with you such as your child’s name, favorite
         sports team, or pets.

  Consider this method for creating a strong password:

  Use the first letter of each word found in a favorite quote or song lyric. For example,
  for the song, “Oh, When the Saints Go Marching In,” the password would be:
  OWTSGMI. The strength of the password is improved by simply changing one of the
  letters to a special character so that the password becomes: OWT$GMI. The
  password can be made even stronger by adding a number at the end: OWT$GMI4.
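The following script is an added example and is not part of the handbook; it turns the four tips above and the quote-to-acronym method into code so a reader can see which tip a candidate password fails. The word list is a small constructed stand-in for a real dictionary, and the length check enforces only the six-character minimum because the handbook itself notes that a longer password is harder to break.

```python
"""Check a candidate password against the handbook's four tips (added example)."""
import re
from typing import Iterable, List

# Constructed stand-in for a real dictionary word list (tip 3).
COMMON_WORDS = {"password", "saints", "welcome", "letmein", "football"}

# The special characters the handbook mentions in tip 2.
SPECIALS = set("*?#@&$")


def acronym_password(phrase: str) -> str:
    """Handbook method: take the first letter of each word of a quote or lyric."""
    words = re.findall(r"[A-Za-z]+", phrase)          # ignore punctuation such as the comma
    return "".join(word[0] for word in words).upper()


def strengthen(password: str, old: str, new: str, suffix: str) -> str:
    """Handbook method: swap one letter for a special character, then append a number."""
    return password.replace(old, new, 1) + suffix       # replace only the first occurrence


def check_password(password: str, personal_info: Iterable[str] = ()) -> List[str]:
    """Return the list of tips the password violates; an empty list means it passes."""
    problems = []

    # Tip 1: the handbook says 6-8 characters and that longer is harder to break,
    # so only the minimum of 6 is enforced here and no upper cap is applied.
    if len(password) < 6:
        problems.append("tip 1: fewer than 6 characters")

    # Tip 2: letters and numbers together; special characters strengthen further.
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_letter and has_digit):
        problems.append("tip 2: needs both letters and numbers")

    # Tip 3: not a dictionary word. Compare the letters only, case-insensitively,
    # so that a dictionary word with a digit bolted on is still caught.
    letters_only = "".join(c for c in password if c.isalpha()).lower()
    if letters_only in COMMON_WORDS:
        problems.append("tip 3: dictionary word")

    # Tip 4: nothing easily associated with you (child's name, team, pet).
    lowered = password.lower()
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"tip 4: contains personal information ({item})")

    return problems


def has_special(password: str) -> bool:
    """True when the password contains one of the handbook's special characters."""
    return any(c in SPECIALS for c in password)


if __name__ == "__main__":
    # Walk through the handbook's own worked example.
    base = acronym_password("Oh, When the Saints Go Marching In")   # OWTSGMI
    stronger = strengthen(base, "S", "$", "")                         # OWT$GMI
    strongest = strengthen(base, "S", "$", "4")                       # OWT$GMI4
    for candidate in (base, stronger, strongest):
        verdict = check_password(candidate) or ["passes all four tips"]
        print(f"{candidate:10} special={has_special(candidate)!s:5} {'; '.join(verdict)}")

    # Constructed personal-information example: a pet's name plus a digit.
    print("Rover7    ", check_password("Rover7", personal_info={"Rover"}))
```

Running the script shows that OWTSGMI and OWT$GMI both fail tip 2 (no digit), while OWT$GMI4 passes every check; the personal-information check is deliberately a substring match so that a pet's name survives capitalization changes.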




                                          Page 4
Lock or Log Off Your Computer
  Log off or lock your computer when it is left unattended.

  Position your computer monitor so that it cannot be viewed by unauthorized
  persons. If necessary, use a privacy filter on your monitor or laptop screen.

Working from Home
  Ask your supervisor for permission to work from home or other remote location.

  If permission is granted, contact your IT or HSIS department and ask them to work
  with you to securely configure the computer workstation. You must implement
  appropriate safeguards on your home computer, such as antivirus, anti-spyware,
  software firewalls, and software patches, and make a secure connection using VPN
  software.

  Remote access does not in any way convey a transfer
  of ownership of information. Any business-related
  information created or downloaded by you belongs to
  UAB/UABHS and must be protected.

  When remote access is no longer required, inform
  AskIT or HSIS so that your remote access can be
  removed and arrangements can be made for returning
  UAB/UABHS computer equipment and media.



                                        Page 5
Personal Use
  UAB/UABHS’s computer systems are for business purposes.

  Incidental personal use may be permitted as long as it is approved by your
  supervisor, does not interfere with your job, does not deny others access to any
  UAB/UABHS computer system, and does not result in significant cost to
  UAB/UABHS.

  Ask your supervisor before using any UAB/UABHS system or workstation for
  personal use.
E-mail
  Use e-mail for conducting work-related business communications.

  Exercise good judgment when accessing or opening e-mail. Do not open an e-mail
  or e-mail attachment from an unknown, suspicious, or untrustworthy source or if the
  subject line is questionable or unexpected.

  Contact AskIT or HSIS for instruction about encryption if you must send confidential
  information over the Internet.

  You are responsible for all activity on your assigned e-mail account.

  Note: Some e-mail systems used at UAB/UABHS may not be maintained by IT or
  HSIS; therefore, they may lack some of the information security controls needed to
  protect your e-mail account. Ask your supervisor if you are unsure.


                                        Page 6
Internet Access
  Use the Internet (World Wide Web) only for legitimate
  UAB/UABHS business such as education, research, and
  business-related electronic mail, data, and file
  exchanges.

  Note: Internet access is limited in some Health System
  areas. You may not be able to reach sites outside of UAB/UABHS.

Illegal and Inappropriate Activity
  Follow all applicable federal, state, and local laws and regulations, as well as
  UAB/UABHS policies.

  Violations of applicable laws, regulations, and our policies may result in
  disciplinary action up to and including termination of employment. Violations can
  result in civil or criminal penalties.

  Do not use UAB/UABHS resources to access, distribute, or store materials,
  comments, pictures, or other communications that are of a sexual nature,
  obscene, intimidating, offensive, or which create a hostile work environment.

  Ask your supervisor for clarification if you have questions about legal or
  regulatory requirements and UAB/UABHS policies.




                                       Page 7
Auditing and Monitoring
   Computer systems are for official business use. UAB/UABHS performs periodic
   monitoring and auditing to ensure appropriate use of data, files, applications,
   e-mail, and the Internet. Some electronic communications such as e-mail, voice
   mail, and files stored on the network may be retained on backup media even
   after you have deleted them.



                          No Expectation of Privacy
       Personal Privacy: Do not store personal information on UAB/UABHS
       computer systems.

       For purposes of managing information systems, troubleshooting
       problems, and enforcing security policies, the IT or HSIS department may
       periodically monitor your computer activity. Therefore, when using
       UAB/UABHS computer systems, be aware that your personal privacy is
       NOT guaranteed.

       Business Privacy: Do not send confidential information in, or attached to,
       e-mails. If you have a need to transfer confidential information, contact
       your IT or HSIS representative for assistance.




                                         Page 8
Reporting Security Incidents
  Notify your supervisor or the AskIT or HSIS Help Desk of any unusual or suspicious
  incident.
  Security incidents include the following:
     • Theft of or damage to equipment
     • Unauthorized use of a password
     • Unauthorized use of a system
     • Violations of standards or policy
     • Computer hacking attempts
     • Malicious code
     • Security weaknesses
     • Breaches to patient, employee, or student privacy
  UAB and UABHS do not take retaliatory action against an individual who reports
  behavior that is illegal and/or violates policy.

Back Up Confidential Information
  Keep confidential information in a directory on a secure network file
  server.
  Ask your supervisor or Help Desk how to do this. IT and HSIS back
  up network drives daily. They do not back up data stored on the
  hard drive (C: drive) of computer workstations, laptops, or other
  mobile computing devices.
  Do not store or back up UAB/UABHS sensitive information to ANY
  website even if the site, such as google.com, offers file backup and sharing.


                                          Page 9
Protecting Media
  Media includes paper documents, disk drives (internal and external), USB flash
  drives, diskettes, CDs, PDAs, and any other means used to store data.
  Protect media containing confidential information to prevent its disclosure or
  damage.
  When not in use, secure media containing confidential information in approved
  ways. Supervisors will specify where and how media will be stored.
  Dispose of media properly when no longer needed. Approved methods of disposal
  are described at http://www.hipaa.uab.edu/pdfs/memdiareallocationdisporalcor6.pdf.

Installing Software
  Do not download or install software without management approval and IT or HSIS
  assistance.
  Submit a request for new software to your supervisor for approval, then forward the
  request to AskIT or HSIS. Unauthorized software found on computers may be
  removed and may lead to disciplinary action.

Mobile Computing Devices
  Mobile computing devices include hand-held, notebook, and laptop computers,
  personal digital assistants (PDAs), and pocket PCs.
  Do not use mobile devices without appropriate security protection. Contact AskIT or
  HSIS for help.
  Do not use your personal portable devices for UAB/UABHS business.

                                        Page 10
                       Quick Reference Information

For questions about information security contact:

My Information Security Coordinator/Officer:

               ___________________________________________________

               Phone number: _____________________________________

My Privacy Coordinator/Officer:

               ___________________________________________________

               Phone number: _____________________________________



UAB/UABHS Privacy Officer:                                         Joan Hicks
UAB HIPAA/UABHS Security Officer:                                Terrell Herzig
UAB IT Data Security Specialist:                                  Chris Green

UAB HIPAA Coordinator’s Office:                                   205-996-5051
Ask IT Help Desk:                               205-996-5555 or askit@uab.edu
HSIS Help Desk:                                                   205-934-8888
This handbook is periodically revised. To view the most recent copy, log on to
the UAB/UABHS HIPAA website at www.hipaa.uab.edu.

This handbook contains a condensed version of UAB/UABHS standards,
policies, and guidelines on information security. Although the content relates
primarily to HIPAA and protected health information, it reflects best business
practices for accessing, storing, and transporting all types of confidential and
sensitive information. Additional information on UAB/UABHS information
security policies is available from the following websites:

        UAB Information Technology Policies:
        www.uab.edu/it/policies/index.html

        UAB Information Security Standards:
        https://scr.hs.uab.edu

        UAB/UABHS HIPAA Core Standards and Additional
        Health System HIPAA Standards:
        www.hipaa.uab.edu/standards.htm

We wish to acknowledge the assistance of Tom Walsh Consulting, LLC, for the
development of this handbook.

October 2007
