Information Security Awareness and Training: Difference between revisions

From University of Nebraska Medical Center
Jump to navigation Jump to search
mNo edit summary
No edit summary
 
(12 intermediate revisions by 3 users not shown)
Line 20: Line 20:
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"  
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"  
width="20">[[Intellectual Property]]</td>
width="20">[[Intellectual Property]]</td>
<td style="border-bottom:2px solid #A3B1BF" width="3">&#160;</td>
<td style="padding:0.5em; background-color:#e5e5e5; font-size:90%; line-height:0.95em; border:1px solid #A3B1BF; border-bottom:solid 2px #A3B1BF"
width="20">[[Faculty]]</td>
</tr>
</tr>
</table>
</table>
<br />
<br />
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Confidential Information]] | [[Protected Health Information (PHI)]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Honest Broker]] | [[Social Security Number]] | [[Third Party Registry]] | Information Security Awareness and Training
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Retention and Destruction/Disposal of Private and Confidential Information]] | [[Use and Disclosure of Protected Health Information]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Honest Broker]] | [[Social Security Number]] | [[Third Party Registry]] | [[Information Security Awareness and Training]] | [[Patient Privacy Investigations and Levels of Violation]] | [[Use and Disclosure of PHI for Training Health Care Professionals]] | [[Disclosures of PHI as Permitted or Required by Law]] | [[Disclosure of PHI for Law Enforcement Purposes]]
<br /><br />
<br /><br />
Policy No.: '''6301'''<br />
Policy No.: '''6301'''<br />
Effective Date: '''DRAFT'''<br />
Effective Date: '''07/14/16'''<br />
Revised Date: <br />
Revised Date: '''06/06/24'''<br />
Revised Date: <br />
Revised Date: '''06/06/24'''<br />
<br />
<br />
<big>'''Information Security Awareness and Training Policy'''</big><br /><br />
<big>'''Information Security Awareness and Training Policy'''</big><br /><br />
==Purpose of Policy==
== Basis for Policy ==  
UNMC takes protecting personal or confidential information including, but not limited to, electronic protected health information, education records, and cardholder data that the organization creates, uses, discloses, transmits or stores (collectively, “protected information”) extremely seriously. To help ensure the privacy, security and integrity of protected information, we provide training to the workforce (as defined below). Our goal is to reach a level of security awareness that reduces the risk of improper access to, or use or disclosure of, protected information.
Nebraska Medicine/UNMC implements reasonable and appropriate access controls in alignment with National Institute of Standards and Technology (NIST) standards and guidance to maintain the minimum necessary access. [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53] and the [https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule] outline considerations for the access control family of security controls.
==Policy==
== Policy ==  
UNMC will ensure that its workforce is trained in and understands the organization’s security policies and procedures with respect to protected information in accordance with all applicable laws and mandated standards including, but not limited to, the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act and the regulations promulgated thereunder governing the privacy and security of individually identifiable health information (collectively, “HIPAA”), the Family Educational Rights and Privacy Act (“FERPA”), and the Payment Card Industry Data Security Standard (“PCI DSS”). UNMC will strive to achieve a level of security awareness both to prevent improper access to or use or disclosure of protected information and to ensure detection and reporting of any improper access, use or disclosure that may occur.  
Nebraska Medicine/UNMC implements reasonable and appropriate security awareness and training in alignment with National Institute of Standards and Technology (NIST) standards and guidance.[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53] and the [https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule], the Family Educational Rights and Privacy Act (FERPA), and Payment Card Industry Data Security Standards (PCI/DSS) outline considerations for the security awareness and training family of security controls. Nebraska Medicine/UNMC will strive to reach a level of security awareness both to prevent improper access to or use or disclosure of Protected Information and to ensure detection and reporting of any improper access, use or disclosure that may occur.  
==Required Training==
==Procedure==
Workforce will be required to take security training, usually in the form of on-line video training and/or onsite workshops. Each member of the workforce will be required to take security training within thirty (30) days of commencing his/her position at UNMC and on an annual basis thereafter. Completion of required training will be tracked by Compliance and the Information Security Officer.
===General===
 
Workforce will be required to take security training, usually in the form of on-line video training or onsite workshops. Each member of the Workforce will be required to take security training within thirty (30) days of commencing their position at Nebraska Medicine/UNMC and on an annual basis thereafter.  
Content of training will be role-based and relevant to the type of protected information created, accessed, used or disclosed. For workforce with access to electronic protected health information as defined under HIPAA such training will include, but not be limited to, user education concerning virus protection and malicious software; user education in the importance of monitoring login success/failure, and how to report discrepancies; and user education in password management. The content of training will be periodically reviewed and updated to reflect changes to information security threats, techniques, requirements, and responsibilities.  
===Security Awareness Training Provided By Information Security===
 
*Basic security awareness training to all Workforce (including managers, senior executives, and Board members) as part of initial training during the onboarding process and annually thereafter.
In addition to annual training, UNMC will provide periodic security updates to workforce through newsletters, screensavers, webcasts and other means.  
*Including security awareness training on recognizing and reporting potential indicators of insider threat.
 
*Including training on recognizing and reporting phishing.  
===Content ===
Content of training will be role-based and relevant to the type of Protected Information created, accessed, used or disclosed. For Workforce with access to electronic Protected Health Information (PHI) as defined under HIPAA such training will include, but not be limited to, user education concerning virus protection and malicious software; user education in the importance of monitoring login success/failure, and how to report discrepancies; and user education in password management. The content of training will be periodically reviewed and updated to reflect changes to information security threats, techniques, requirements, and responsibilities which includes information about, but is not limited to, the following:
*Personal device access to the network,
*Removal of sensitive information,
*Acceptable use of USB devices,
*Protection from malicious software,  
*User authorized access, 
*Password management and requirements,
*WiFi usage,
*Use of social media, and   
*Security incident reporting.
In addition to training, the security awareness and training program will include the following:
In addition to training, the security awareness and training program will include the following:
*Scheduled awareness surveys.
*Scheduled awareness surveys
*Unscheduled awareness assessments periodically to assure compliance with the training
*Unscheduled awareness assessments periodically to assure compliance with the training
*Feedback surveys to improve the security awareness and training program.
*Feedback surveys to improve the security awareness and training program
A record of training completion and results of assessments will be maintained for each member of the workforce within the campus training tracking database.   
===Security Training Records ===
 
A record of training completion and results of assessments will be maintained for each member of the Workforce. For employees, the record will be maintained in the personnel files by Human Resources, as part of the permanent record. Records for faculty, volunteers, students, trainees and others will be maintained by the responsible administrative department.
===Security Reminders ===
*Information Security or Information Technology shall provide Workforce members with periodic security reminders and updates.
*Information Security will provide role-based security training to personnel with assigned security roles and responsibilities, including but not limited to procedures for guarding against, detecting and reporting malicious software; monitoring log-in attempts and reporting discrepancies; and creating, changing and safeguarding passwords.   
*Security updates and reminders shall be communicated through various methods, including but not limited to: emails, newsletters, electronic banners and posters.
==Compliance==
==Compliance==
Failure to comply with this policy by employees will be subject to UNMC Policy 1098, [https://wiki.unmc.edu/index.php/Corrective/Disciplinary_Action Corrective and Disciplinary Action Policy]. Legal action may be taken for violations of any applicable law.
Failure to comply with this policy by employees will be subject to UNMC Policy 1098, [https://wiki.unmc.edu/index.php/Corrective/Disciplinary_Action Corrective and Disciplinary Action Policy]. Legal action may be taken for violations of any applicable law.
==Record Retention==
==Record Retention==
UNMC will retain a copy of this policy and any revisions thereto, all training materials, and all training records in accordance with UNMC Policy 6056, [https://wiki.unmc.edu/index.php/Retention_and_Destruction/Disposal_of_Private_and_Confidential_Information Retention and Destruction/Disposal of Private and Confidential Information].
UNMC will retain a copy of this policy and any revisions thereto, all training materials and all training records in accordance with UNMC Policy 6056, [https://wiki.unmc.edu/index.php/Retention_and_Destruction/Disposal_of_Private_and_Confidential_Information Retention and Destruction/Disposal of Private and Confidential Information] and the [http://www.sos.ne.gov/records-management/schedule_170.html UNMC Record Retention Schedule].
 
==Definitions==
==Definitions==
'''Affiliated Covered Entity (ACE)''' means legally separate covered entities that designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current Nebraska Medical ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center, and Nebraska Pediatric Practice, Inc. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members.
===Information Security===
 
The ability to control access and protect information from unauthorized alteration, destruction, loss or accidental or intentional disclosure to unauthorized persons.
'''Protected Health Information (PHI)''' is individually identifiable health information. Individually identifiable health information is a subset of health information including demographic information, collected from an individual, whether oral or recorded in any medium that:
===Protected Health Information (PHI)===
*is created or received by ACE and
Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that:
*relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual.
*is created or received by UNMC/ACE; and
 
*relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.
'''Workforce''' refers to faculty, full and part-time employees (management and staff), volunteers, trainees, students, and any other persons whose conduct, in the performance of work for UNMC, is under the direct control of UNMC, whether or not they are paid by UNMC.
PHI includes genetic information, which includes information about the following items (and excludes information about an Individual’s sex or age):
*an Individual’s genetic tests;
*the genetic tests of an Individual’s family members; or
*the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history); or
*any request for, or receipt of, genetic services (e.g., genetic test, genetic counseling, genetic education), or participation in clinical research which includes genetic services by the Individual or any family member of the Individual.
PHI excludes:
*individually identifiable health information of a person who has been deceased for more than fifty (50) years.
*education records covered by the Family Educational Rights and Privacy Act (FERPA); and  
*employment records held by UNMC in its role as employer.
===Workforce===
Employees, medical staff, volunteers, trainees and other persons whose conduct, in the performance of work for Nebraska Medicine/UNMC, is under the direct control of Nebraska Medicine/UNMC, whether or not they are paid by Nebraska Medicine/UNMC.
==Additional Information==
==Additional Information==
*Contact [mailto:infosecurity@unmc.edu infosecurity@unmc.edu] or 402.559.2545.
*Contact [https://support.security.unmc.edu Office of Information Security] or 402-559-2545.
*UNMC Policy No. 6045, [http://wiki.unmc.edu/index.php?title=Privacy/Confidentiality Privacy, Confidentiality and Information Security]
*UNMC Policy No. 6045, [https://wiki.unmc.edu/index.php/Privacy/Confidentiality Privacy/Confidentiality]
*UNMC Policy 1098, [https://wiki.unmc.edu/index.php/Corrective/Disciplinary_Action Corrective and Disciplinary Action Policy]
*UNMC Policy 1098, [https://wiki.unmc.edu/index.php/Corrective/Disciplinary_Action Corrective and Disciplinary Action Policy]
*UNMC Policy No. 6051, [http://wiki.unmc.edu/index.php?title=Computer_Use/Electronic_Information Computer Use and Electronic Information Security]
*UNMC Policy No. 6051, [https://wiki.unmc.edu/index.php/Computer_Use/Electronic_Information Computer Use/Electronic Information]
*UNMC Policy 6056, [https://wiki.unmc.edu/index.php/Retention_and_Destruction/Disposal_of_Private_and_Confidential_Information Retention and Destruction/Disposal of Private and Confidential Information]
*UNMC Policy 6056, [https://wiki.unmc.edu/index.php/Retention_and_Destruction/Disposal_of_Private_and_Confidential_Information Retention and Destruction/Disposal of Private and Confidential Information]
*[http://www.sos.ne.gov/records-management/schedule_170.html UNMC Record Retention Schedule]
*[http://www.sos.ne.gov/records-management/schedule_170.html UNMC Record Retention Schedule]
*[https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53]
*[https://www.cdc.gov/phlp/publications/topic/hipaa.html#security-rule HIPAA Security Rule]


This page maintained by [mailto:dpanowic@unmc.edu dkp].
This page maintained by [mailto:mhurlocker@unmc.edu mh].

Latest revision as of 09:25, July 9, 2024

Human Resources   Safety/Security   Research Compliance   Compliance   Privacy/Information Security   Business Operations   Intellectual Property   Faculty


Identification Card | Secure Area Card Access | Privacy/Confidentiality | Computer Use/Electronic Information | Retention and Destruction/Disposal of Private and Confidential Information | Use and Disclosure of Protected Health Information | Notice of Privacy Practices | Access to Designated Record Set | Accounting of PHI Disclosures | Patient/Consumer Complaints | Vendors | Fax Transmissions | Psychotherapy Notes | Facility Security | Conditions of Treatment Form | Informed Consent for UNMC Media | Transporting Protected Health Information | Honest Broker | Social Security Number | Third Party Registry | Information Security Awareness and Training | Patient Privacy Investigations and Levels of Violation | Use and Disclosure of PHI for Training Health Care Professionals | Disclosures of PHI as Permitted or Required by Law | Disclosure of PHI for Law Enforcement Purposes

Policy No.: 6301
Effective Date: 07/14/16
Revised Date: 06/06/24
Revised Date: 06/06/24

Information Security Awareness and Training Policy

Basis for Policy

Nebraska Medicine/UNMC implements reasonable and appropriate access controls in alignment with National Institute of Standards and Technology (NIST) standards and guidance to maintain the minimum necessary access. NIST Special Publication 800-53 and the HIPAA Security Rule outline considerations for the access control family of security controls.

Policy

Nebraska Medicine/UNMC implements reasonable and appropriate security awareness and training in alignment with National Institute of Standards and Technology (NIST) standards and guidance.NIST Special Publication 800-53 and the HIPAA Security Rule, the Family Educational Rights and Privacy Act (FERPA), and Payment Card Industry Data Security Standards (PCI/DSS) outline considerations for the security awareness and training family of security controls. Nebraska Medicine/UNMC will strive to reach a level of security awareness both to prevent improper access to or use or disclosure of Protected Information and to ensure detection and reporting of any improper access, use or disclosure that may occur.

Procedure

General

Workforce will be required to take security training, usually in the form of on-line video training or onsite workshops. Each member of the Workforce will be required to take security training within thirty (30) days of commencing their position at Nebraska Medicine/UNMC and on an annual basis thereafter.

Security Awareness Training Provided By Information Security

  • Basic security awareness training to all Workforce (including managers, senior executives, and Board members) as part of initial training during the onboarding process and annually thereafter.
  • Including security awareness training on recognizing and reporting potential indicators of insider threat.
  • Including training on recognizing and reporting phishing.

Content

Content of training will be role-based and relevant to the type of Protected Information created, accessed, used or disclosed. For Workforce with access to electronic Protected Health Information (PHI) as defined under HIPAA such training will include, but not be limited to, user education concerning virus protection and malicious software; user education in the importance of monitoring login success/failure, and how to report discrepancies; and user education in password management. The content of training will be periodically reviewed and updated to reflect changes to information security threats, techniques, requirements, and responsibilities which includes information about, but is not limited to, the following:

  • Personal device access to the network,
  • Removal of sensitive information,
  • Acceptable use of USB devices,
  • Protection from malicious software,
  • User authorized access,
  • Password management and requirements,
  • WiFi usage,
  • Use of social media, and
  • Security incident reporting.

In addition to training, the security awareness and training program will include the following:

  • Scheduled awareness surveys
  • Unscheduled awareness assessments periodically to assure compliance with the training
  • Feedback surveys to improve the security awareness and training program

Security Training Records

A record of training completion and results of assessments will be maintained for each member of the Workforce. For employees, the record will be maintained in the personnel files by Human Resources, as part of the permanent record. Records for faculty, volunteers, students, trainees and others will be maintained by the responsible administrative department.

Security Reminders

  • Information Security or Information Technology shall provide Workforce members with periodic security reminders and updates.
  • Information Security will provide role-based security training to personnel with assigned security roles and responsibilities, including but not limited to procedures for guarding against, detecting and reporting malicious software; monitoring log-in attempts and reporting discrepancies; and creating, changing and safeguarding passwords.
  • Security updates and reminders shall be communicated through various methods, including but not limited to: emails, newsletters, electronic banners and posters.

Compliance

Failure to comply with this policy by employees will be subject to UNMC Policy 1098, Corrective and Disciplinary Action Policy. Legal action may be taken for violations of any applicable law.

Record Retention

UNMC will retain a copy of this policy and any revisions thereto, all training materials and all training records in accordance with UNMC Policy 6056, Retention and Destruction/Disposal of Private and Confidential Information and the UNMC Record Retention Schedule.

Definitions

Information Security

The ability to control access and protect information from unauthorized alteration, destruction, loss or accidental or intentional disclosure to unauthorized persons.

Protected Health Information (PHI)

Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that:

  • is created or received by UNMC/ACE; and
  • relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.

PHI includes genetic information, which includes information about the following items (and excludes information about an Individual’s sex or age):

  • an Individual’s genetic tests;
  • the genetic tests of an Individual’s family members; or
  • the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history); or
  • any request for, or receipt of, genetic services (e.g., genetic test, genetic counseling, genetic education), or participation in clinical research which includes genetic services by the Individual or any family member of the Individual.

PHI excludes:

  • individually identifiable health information of a person who has been deceased for more than fifty (50) years.
  • education records covered by the Family Educational Rights and Privacy Act (FERPA); and
  • employment records held by UNMC in its role as employer.

Workforce

Employees, medical staff, volunteers, trainees and other persons whose conduct, in the performance of work for Nebraska Medicine/UNMC, is under the direct control of Nebraska Medicine/UNMC, whether or not they are paid by Nebraska Medicine/UNMC.

Additional Information


This page maintained by mh.