UW MEDICINE WORKFORCE

PERSONAL ACCOUNTABILITY FOR DATA STEWARDSHIP

Agenda

• Define personal and professional accountability

• Explain elements of data stewardship• Tools • Case Studies• DO’s and DON’Ts• Closing the Loop – Your Role

2

Personal and Professional Accountability

• Personal Accountability = Being answerable for the outcome of your actions or inactions

• Professional Accountability = Demonstrating excellence, integrity, respect, compassion, accountability and a commitment to altruism in all your work interactions and responsibilities (UW Medicine Professionalism Policy)http://uwmedicine.washington.edu/Global/policies/Pages/Professional-Conduct.aspx

• As representatives of UW Medicine, you are personally, professionally, ethically and legally responsible for your actions

The public, our patients, employees and students place their trust in us

3

Your Accountability for Data Stewardship

All UW Medicine workforce members are personally responsible for ensuring the security and integrity of all confidential, restricted, and proprietary information (electronic or paper) to which they are given access.• Workforce members include: faculty, staff,

students and trainees, volunteers, and other persons who perform work for UW Medicine

• Workforce members must safeguard the security and integrity of the information entrusted to them

4

• Safeguard and promote privacy of employees, patients and students

• Safeguard access to University and UW Medicine information systems

• Safeguard institutional data, systems, and devices

Data Security

5

• Ensure that data is only accessed by authorized users

• Ensure that data is not changed, corrupted, or tampered with

• Ensure that data is retrievable and usable, backed up and managed in a reliable way

Data Integrity

6

Definition of Confidential Data:• Confidential data and information is very sensitive in nature and typically subject to federal or state regulations.

• Unauthorized disclosure of this information could seriously and adversely impact the University or the interests of individuals and organizations associated with the University.

Confidential Data and Information

7

Examples of Confidential Data/Information• HIPAA – protected health information (PHI), including patient

names, addresses, social security numbers, health conditions and symptoms, prescriptions, medical record numbers

• FERPA – individual student records, including grades, courses taken, schedule, test scores, advising records, educational services received, disciplinary actions, student identification number, social security number

• Gramm-Leach-Bliley (GLB) – employee financial account information, student financial account information (aid, grants, bills), individual financial information, business partner and vendor financial account information

• Export Controls (e.g., EAR, ITAR)• Employee employment records including performance information

applications for employment, resumes and related material• Donor information• Trade secrets, intellectual and/or proprietary research information• Vendor non-disclosure agreements• Information required to be protected by contract• Computer account passwords

Confidential Data and Information

8

Restricted Data and Information

Definition of Restricted Data:• Data and information that is circulated on a

need-to-know basis or sensitive enough to warrant careful management and protection to safeguard its integrity and availability, as well as appropriate access, use, and disclosure.

• Examples of Restricted Information• Telephone billing information• Parking permits• Location of assets• Critical infrastructure blueprints or

schematics• Specific physical security measures• Proprietary research

9

Tools to Assist You in Safeguarding Data

• Privacy, Confidentiality and Information Security Agreement (PCISA) and discussion outline https://security.uwmedicine.org/training/data_stewardship/PCISA.pdfhttps://security.uwmedicine.org/training/data_stewardship/PCISA_discuss_tool.pdf

• Citrix or VPN remote access https://networks.uwmedicine.org/content/secure-remote-access

• Encryption https://security.uwmedicine.org/guidance/technical/encryption/default.asphttp://ciso.washington.edu/site/files/Whole_Disk_Encryption_Guideline.pdf

10

• Complex passwords https://security.uwmedicine.org/guidance/role_based/end_user/default.asp

• Education and training materials https://security.uwmedicine.org/Training/Sec_Aware/default.asp

• Role based guidelines https://security.uwmedicine.org/guidance/role_based/default.asp

• Policies restricting removal of data from worksites https://security.uwmedicine.org/guidance/policy/electronic_data/sp-01%20electronic%20data%20ver%203.0.pdf

• Physical Security: remember to always lock offices and files

Tools - Continued

11

PRIVACY, CONFIDENTIALITY AND INFORMATION SECURITY AGREEMENT

PCISA must be signed by all UW Medicine workforce members annually.

• Reminder of what and how to safeguard confidential and restricted information

• Circumstances change and this gives supervisors and managers an opportunity to review and update

• Provides units with information that can be used in asset management (e.g. what systems have confidential or restricted data)

• May help identify needed resources to help people do their jobs (e.g. can someone use VPN instead of transporting data to their home to work at night?)

https://security.uwmedicine.org/training/data_stewardship/PCISA.pdf

12

SAFEGUARDING RESEARCH

INFORMATION

The following slide is key to protecting research information

13

Safeguarding Research Information

• Proprietary research data, at a minimum, is considered restricted

• University policy (GIM 37) requires research data be preserved, protected and sharable in accordance with academic, scientific and legal norms

http://www.washington.edu/research/osp/gim/gim37.html

• Research data that includes protected health information, personally identifiable data or student data must follow federal requirements for data security and privacy

http://depts.washington.edu/comply/training_hipaa.shtml

• Consequences of lost research data can be significant:

• May negatively impact the research team, department or University

• Human subjects may be affected

14

SAFEGUARDING PATIENT INFORMATION

The following set of slides are key to protecting patient information

15

UW Medicine Healthcare components include the following:•UW Medical Center and Clinics•Harborview Medical Center and Clinics•Northwest Hospital and Medical Center and Clinics•Valley Medical Center and Clinics•UW Neighborhood Clinics•Airlift Northwest•Hall Health Primary Care Center•UW Medicine Sports Medicine Clinic•The Association of University Physicians (UWP)

UW Medicine Healthcare Components

16

Safeguarding Patient Information

• Consequences of lost patient information (PHI) are significant, costly and can tarnish our reputation.

• Comply with UW and UW Medicine policies:Privacy: http://depts.washington.edu/comply/privacy.shtml

Information Security: http://security.uwmedicine.org/guidance/policy/default.asp

• Privacy Policy PP-30

http://depts.washington.edu/comply/docs/PP_30.pdf

17

HIPAA Breach Notification Rules

• Definition of Breach: “acquisition, access, use or disclosure of PHI … that compromises the security or privacy of the PHI.”

• Notification requirements apply only to “unsecured” PHI. PHI is deemed unsecured unless rendered “unusable, unreadable, or indecipherable” to unauthorized individuals by technologies or methodologies identified by HHS (currently limited to encryption or destruction).

• Notification of affected individuals required if the breach poses a “significant risk of financial, reputational or other harm to the individual.”

• Beginning September 23, 2013, there will be a new standard to determine whether a breach occurred. A breach will be presumed and there will be a more objective test to determine whether PHI has been compromised and notification required.

18

HIPAA Breach Notification Rules

• All breaches must be reported annually to the Office of Civil Rights.

• If a breach involves 500 or more individuals, it must be reported to media that reach location(s) in which the individuals reside.

• If a breach involves more than 10 individuals for whom an address is not available, the covered entity must place notice of the breach on its website for 90 days. 19

Institutional Consequences of a Breach

• Potential loss of public trust in UW Medicine and UW

• Significant time and resources to investigate, conduct forensics, analyze findings and determine appropriate course of action

• Involvement of legal counsel, risk management, executive directors, unit heads

• Exposure to civil liability• Protected Health Information (PHI) only:

• Patient notification• Call center for each case requiring patient

notification• Office of Civil Rights Investigation • Possible imposition of civil/criminal penalties,

fines and sanction 20

Personal Consequences of a Breach

• Loss of public, patients, employees and students trust• Your name is reported to

• Your program director, department chair, executive director and/or unit head

• CEO, UW Medicine and Dean of the School of Medicine, University of Washington

• UW Medicine Chief Health System Officer• UW Health Sciences Risk Management• UW Chief Information Security Officer• Federal and State regulatory agencies

• The time you will spend cooperating with investigations, being retrained, and other remedial activities

• Imposition of sanctions, disciplinary actions, and potential civil/criminal penalties

• Your personal and professional reputation

21

CASE STUDIES

The following national and UW Medicine case studies are

examples of lessons learned in the stewardship of confidential or

restricted data

22

National Case Studies

National Events• $1 million settlement with General Hospital

Corp. and Massachusetts General Physicians Organization, Inc.--February 14, 2011

• University of Hawaii settles class action data breach involving personal information of 100,000 students, faculty, staff and alumni – January 2012

• American company had all of its data from a 10-year, $1 billion research program copied by hackers in one night- April 2012

• Alaska DHHS settles HIPAA security case for $1,700,000--June 26, 2012

23

UW Medicine Case Study #1

A medical student working on an IRB-approved study whose residence was broken into and his laptop was stolen

• PHI of 1200 patients (study data) was stored on the stolen laptop

• Laptop and files containing PHI were password protected, but not encrypted

• Research data considered unsecured since not encrypted

• Possible notification of patients• Lessons Learned

• Password protect and encrypt

24

A UW file cabinet was sent to surplus without removing all documents

A member of the public purchased a surplused file cabinet at a second-hand store. She found grant applications and research data and information in the drawers. Grant applications contained proprietary information and Investigators’ social security numbers.

•No PHI•Risk analysis done and concluded risk of identity theft and/or harm low

•Investigators were notified

Case Study #2

25

UW Medicine Case Study #3

A staff member’s laptop was stolen while shopping

• No confidential or restricted data on hard drive, device was password protected AND encrypted, department inventory details were up to date and centrally available

• Outcome: loss of physical asset, no breach, no notification of patients, no notification to federal agencies

• Lessons Learned• Importance of not storing confidential or

restricted information on hard drive, password protection, encryption

• Value of central controls, device configuration and inventory 26

UW Medicine Case Study #4

A Resident’s log book left in backpack and locked in trunk of car was stolen

• PHI: patient name, EMR number, dates of service, date of birth, clinic and procedures

• 487 patients notified• Self-reported to OCR; intense OCR follow-up

investigation• Lessons Learned

• Written PHI may not be taken off site without authorization from supervisor, chair or program director

• Written PHI taken off site should not leave physical possession at any time

• Required hundreds of hours over more than a year and substantive policy changes

27

UW Medicine Case Study #5

A Fellow’s unencrypted hard drive stolen from unlocked office

• PHI and QI data• 3,948 patients involved; 324 patients notified due

to risk of harm; notification to OCR; posted on UW Medicine website; likely OCR investigation forthcoming

• Lessons Learned• Do not remove PHI from protected location• Password protect AND encrypt• Ensure physical security of devices at all

times

28

Basic DO’s and DON’Ts

• Avoid taking confidential data off site or downloading to portable or mobile devices

• Use the VPN to connect remotely• If taking confidential data with you,

you MUST obtain supervisor or department head approval

• Secure confidential data (locking file drawer, safe, or other locked device)

• Never leave confidential data in your car

• Confidential data stored on mobile devices must be encrypted and your device password protected

29

Closing the Loop – Your Role

30

INDIVIDUAL MANAGERS, SUPERVISORS, DIRECTORS

UNIT HEADS, SENIOR LEADERS

COMPLIANCE IT SECURITY

Personal, professional, ethical and legal accountability

Convey expectations for accountability to direct reports; accountable for ensuring compliance

Provide active leadership; establish accountability expectations and professional standards; allocate resources for compliance and security program activities

Maintain effective compliance programs to prevent, detect, and resolve noncompliance with federal/state laws governing privacy and UW policies

Maintain effective information security program

Understand role-specific responsibilities and applicable policies and procedures; complete all required training

Develop and implement effective new employee orientation to ensure direct reports understand their roles and responsibilities, and applicable policies and procedures; enforce training requirements Annually reinforce role-specific responsibilities using PCISA toolkit

Approve UW Medicine policies; support education/outreach activities; convey implementation expectations to operational areas

Establish UW Medicine privacy policies, education and outreach strategies, and implementation tools

Establish UW Medicine Information Technology and security policies, education and outreach strategies, technical resources, and implementation tools

Comply with policies and procedures

Monitor compliance; accountable for improving audit results

Enforce compliance; evaluate audit findings and convey expectations for improved results

Audit compliance with UW Medicine privacy policies and internal controls; report findings; analyze trends

Audit information security controls; report findings; analyze trends

Implement appropriate safeguards, maintain physical security and utilize appropriate technical controls; observe access rights and restrictions

Actively manage information access rights upon hire, job change, and termination; monitor use of appropriate safeguards and controls; comply with risk management decisions

Participate in risk assessment process; evaluate results; determine system-wide risk tolerance; make risk management decisions

Assess compliance risks using internal/external data, trends and regulatory developments; recommend program modifications

Conduct information security risk assessments

Report concerns, potential breaches and suspected noncompliance to supervisor, manager, unit head or compliance; cooperate fully with investigations

Address concerns and/or refer to compliance; implement corrective actions and sanctions

Receive investigative reports; evaluate findings and determine appropriate corrective actions and sanctions

Investigate noncompliance with federal and state laws, and UW Medicine policies; notify affected unit heads and senior leaders; report findings; analyze trends

Conduct forensic analysis associated with potential breaches and suspected noncompliance

CONTACT INFORMATION AND RESOURCES

UW Medicine ITS Security Teamuwmed-security@uw.edu 206.543.7012

IT Services Help Desk mcsos@uw.edu

DOM IT Help Deskdomhelp@uw.edu 206.221.2459

UW Medicine Compliance comply@uw.edu 206.543.3098

UW Medicine Compliance-Anonymous Hotlinecomply@uw.edu 206.616.5248 866.964.7744 (toll free)

31

Questions ?

32