HIPS Series > Basics of Being Secure, part 1

How to take this course

Hyperlinks to supplemental content are provided, should you wish to read more about a particular topic.  This extra material is optional.  It is not covered on the associated course quiz.  The supplemental content will usually be presented in a new browser window, which you may close at any time.

For the recommended reading sequence for these materials, see the HIPS Series Overview.

Approximate reading time for this course is 20 minutes (exclusive of linked content). This course has a second part, for which the average reading time is about 20 minutes. The quiz for both parts of the course is here.

•  •  •  •  •

1. Why are you here?

We know your time is valuable.  We want you to understand why you have been directed to spend time reading these materials.

If you've taken any of the privacy series courses, you know that privacy protections for health information are required by federal laws such as HIPAA, and by most states' statutes as well.  Private organizations that certify health care facilities, like JCAHO, also require privacy protections.  And almost all health professions organizations have provisions about privacy in their codes of ethics.
 
The most basic of these privacy protections is information security training.  HIPAA requires it for every member of the workforce who has workplace access to health information. 

Why is this critical?  Deliberate, malicious activity causes its share of security difficulties to be sure, but nothing presents a greater risk than simple human error.

2.  What is information security?

This two-part course covers the basic rules for safeguarding information.  It provides tips for safely using paper- and computer-based data systems, email, fax machines, telephones, web browsers, and even just talking out loud.

All this falls under the label of "information security."  The core goal of information security is to assure the confidentiality, integrity and availability of all the sensitive data kept by an organization.  That's critical for the continuity of business operations, as well as legally and ethically required.  (For more on the definitions of security, click here.)

As part of your on-going information security education, you may be directed to go beyond the basics -- to take additional security courses that provide more detailed training.  Our intent here is just to get you started.

3. The connection to privacy

What about "privacy"?  While that term has many common meanings, we use it in this course series to refer to legal and ethical rules about who can access information, and under what conditions.  (For more on the definitions of privacy, click here.)

You may be directed to take some privacy courses if you have not already done so, starting with a general one on federal and state requirements, and then others focused on particular activities -- clinical care, fundraising, marketing, research, training, etc.

Without good information security practices, the privacy rules are just empty promises.  It is impossible to structure access, use and disclosure of information -- to meet the terms of privacy protections -- unless the persons that use information systems know how to use them safely.

4. Don't you know this already?

Perhaps you have received workplace security training elsewhere.  If nothing else, protecting your own possessions gives you some security experience every day. 

That's a good start.  Much of good security comes from just using simple common sense.  But not all security is simple or common-sensical.  Safe computer use sometimes requires attention to details that are complex.  (That's why we have many courses on aspects of safe computer use.)

The greater problem is simply this:  It's so easy to forget common sense when you are busy trying to get your job done.  Very smart people still sometimes do very stupid things when under pressure.

Want some real-life examples?  Click here.

5. What's in it for you?

Nothing in life is free.  Good security requires time, inconvenience and expense -- sometimes a lot of all three.  Learning how to be secure takes time too.  You may well think:  What's the big deal?  Why all this effort? 

As we note in the introduction to the privacy series, health information systems are more efficiently networked together every day.  Consequently, the privacy of each person's health information depends on the security practices of more people every day.  People just like you. 

Someone you care about may have health records stored in your organization's data systems.  Your own health records may be there.  You understand the importance of protecting that, right? 

The time-honored Golden Rule applies here:  Treat the health information under your control with the same respect and care that you'd like for your own.  Being knowledgeable about security practices -- and putting your knowledge into practice -- is the only way to do that.   

As an added benefit, what you learn here about security will also help you protect the information you keep at home, whether on a personal computer or old-fashioned media like paper.  This will help reduce your exposure to crimes like identity theft.

6. Fines, jail time, loss of employment

We assume that most people just want to do the right thing.  This security series aims to provide you with the knowledge to do that.

We do need to mention, though, as an additional motivation, that the laws protecting health information include severe penalties for misuse: under HIPAA's criminal provisions, for example, up to a $250,000 fine and 10 years in prison.

Such criminal penalties are only for serious, deliberate misuse, where someone intentionally accesses health data in order to do harm or for personal gain.  However, substantial civil fines are possible for negligent behavior, even if violations were unintentional. 

Negligence can -- and usually will -- also lead to suspension or termination of employment.

7. Here come the rules

The rest of part 1, and all of part 2, is a series of rules.   Lots and lots of rules -- all designed to help you avoid problems. 

We will cover:

  • physical security of buildings and offices
  • oral communications (i.e., talking)
  • information on paper
  • telephone and fax use
  • information on computers
  • portable computing devices (e.g., laptops, PDAs)
  • email, instant messaging, web browsing and other common computer activities

Don't be discouraged.  We do not expect you to remember every detail.  With time and practice, it will become second nature.  We will also provide you with a printout of all the rules for your future reference (and to help with the quizzes). 

8. Physical security: the foundation

Let's begin with physical security.  While almost every organization relies on technical measures to protect its information systems, physical protections are the first and most important line of defense.

At home, you rely on locks for the security of your house, car and other property.  Maybe you also have an alarm system.  Maybe you have a watch-dog or watch-cat.

At work, it is the same.  It's critical to keep people out of places they're not supposed to be in.  That's why organizations provide ID badges for workers -- so it is easier to spot intruders.  That's why organizations also have door locks, alarms, surveillance cameras, and security officers on patrol. 

>> Rules for physical security

  • Locks, alarms and other physical security devices should be installed -- and used -- to keep areas secure when not open for business.
     
  • When open for business, unattended areas should still be kept secure with locks and other devices whenever possible.
     
  • Access to sensitive equipment and data should be controlled -- that includes access to printers, fax machines, computers and paper files.
     
  • Visitors should be appropriately monitored and, as necessary, escorted.  Unidentified persons in restricted areas should be (politely) challenged.
     
  • Keys, ID badges and anything else that controls physical access should be kept secure.  Theft or loss of such items should be reported immediately.

9. Oral communications (talking)

We realize you already know how to talk.  You've probably been doing it for years now.  Many of you are superb at it.  But take a walk around the average health care facility, and you quickly learn that not everyone knows how to talk securely.

Sometimes the most familiar things are the most dangerous for security, because we grow casual about our behavior.  That's certainly true with talking.

It is not required that you take a vow of silence, or change your whole work routine.  It's only required that you make reasonable efforts to be discreet -- the way you would want others to talk if their conversation was about your health situation or that of a loved one.

>> Rules for oral communications

  • Conversations involving sensitive information about patients or their families should not occur where they can be easily overheard.
     
  • "Quiet areas" (non-public areas) should be used for such conversations whenever possible.  In a noisy public environment, it's normal to talk loudly so you can be heard -- normal, but bad for security.  Don't take the chance.
     
  • Names or other information that could identify individuals should be avoided whenever possible, in case a conversation is overheard despite your best efforts.
     
  • Only patients' names should be called out in waiting rooms or used on intercom/paging systems.  And avoid even that when you can.

10. Information on paper

It may surprise you to learn that careless handling of paper documents remains one of the biggest security problems. 

Computers are everywhere now; but so is paper.  Why?  The problem is the PRINT key.  Everyone still loves getting a paper copy, and it's easy to do.  Ever-cheaper laser and ink-jet printers -- not to mention photocopiers and fax machines -- seem to make the paper problem worse every year.

The most important thing to remember is that paper documents containing sensitive information need to be kept secure, from the moment they are created to the moment they are destroyed. 

>> Rules for paper information

  • Sensitive documents should be kept in secure places, like a locked filing cabinet.  They shouldn't be left in unsecured areas -- or on unattended computer printers, photocopiers, or fax machines.
     
  • Documents that are no longer needed should be shredded immediately -- or placed in a secure container for disposal in the near future.
     
  • Sensitive documents should never be left in plain view in areas where visitors are present.  If such materials must be kept in public areas, they should be face down or otherwise concealed.
     
  • Sign-in sheets should ask for only limited information -- ideally, only patient names.  Patient schedules should not be left in public areas or where they can be easily viewed by non-staff.

11. Telephone use

You use a telephone every day.  What could there be to learn about telephone security?  Probably not much new.  But because phones are so familiar, it is easy to get careless when you are using them. 

As we noted when we were talking about talking, some of the biggest security problems come from familiar, everyday things: an unlocked office door, an un-shredded piece of paper, or a carelessly used telephone or voicemail system.

Cell phones are a special menace.  People now are "on the phone" in public places all the time -- commonly talking too loud and annoying almost everyone around them.  Aside from the rudeness, that poses a security problem.

>> Rules for telephone use

  • Telephone conversations involving sensitive information should be conducted in non-public areas, where they cannot be overheard.
     
  • When discussing confidential information on the phone, the other person's identity should always be confirmed before proceeding with the conversation.  Caller ID and a familiar-sounding voice are not proof of identity; if in doubt, call the person back at a number you already have on record.
     
  • If the person you are trying to reach is not available, only names and callback numbers should be left on voicemail or answering machines (or with the person that takes the message).
     
  • Turn the speaker volume down on answering machines or voicemail systems so that incoming messages cannot be overheard when left or played back.  If your system uses a password or PIN, protect it and change it periodically.

12. Fax machine use

You may also use a fax machine regularly.  It may seem as simple a machine as its cousin the telephone.  It is precisely because fax machines are easy, convenient and common that they cause so many problems.

One of the biggest security headaches comes from faxes sent to the wrong number.  Another comes from faxes sent to the right number, but without a cover sheet to hide sensitive information.  These are simple, totally preventable mistakes -- but ones that get made all the time.  (Misdirected faxes are among the most common sources of HIPAA complaints.)

The most important rule here is simple too:   Be sure you've got the number right.  Once you've sent a fax, there's no getting it back.

>> Rules for fax machine use

  • Tested, pre-programmed fax numbers should be used whenever possible, to reduce dialing errors when sending.  All new fax numbers should be confirmed by voice call before first use.
     
  • Whenever possible, faxes should be sent only to machines at known locations, where the security of the receiving machine can be assured.
     
  • All faxes containing sensitive information should include a cover sheet with a confidentiality notice -- requesting that faxes sent to an incorrect destination be destroyed, and also requesting notification to the sender of such errors.  (Note that it's not clear whether these notices have any legal effect, but they are a standard practice.)
     
  • Sensitive faxes -- inbound or outbound -- should not be left sitting in or around the machine.
     
  • Whenever you can, use postal mail instead.  (It's generally more secure, and there are clearer legal protections for it.)

13. What to do if you find a problem

Sooner or later, you're going to come across someone who isn't following these basic information security rules.  Just as with violations of privacy rules, usually that's not intentional.  Accordingly, a gentle reminder will usually fix the problem.  If that doesn't work, contact a supervisor.  

Most supervisors are eager to fix security problems, and will welcome your report.  But if you prefer, you can report problems to your organization's privacy official or information security official.  (Every organization covered by HIPAA is legally required to designate such persons.) 

Always remember this:  You are obligated to report security problems that you cannot fix yourself.

Note that HIPAA regulations forbid intimidation or retaliation for reporting a problem or filing a complaint.  But if you doubt your organization's good will, or its ability to prevent harm to you, report your concerns anonymously -- either to your local officials or to the government.

14. If you remember nothing else

You were probably expecting that a course on information security would focus on computers.  Don't worry.  We'll be getting to that, in detail, in part 2 of the course.  

If a computer containing health information is compromised, that can put hundreds or thousands of records at risk.  The stakes are very high.  But the stakes are also high with old-fashioned office equipment like photocopiers, fax machines and telephones.  Failure to use these things securely may only put a few records at risk on an average day.  But day in and day out, that adds up.

And if it happens to be information about you, or about someone you care about, a risk to even a single record is a big deal.

•  •  •  •  •

Help us make this course better -- take the online course evaluation. The second part of this course is here.

•  •  •  •  •

   © 2002-2006 Contributing authors and University of Miami School of Medicine