THC 105: Telehomecare & Information Security

Post on 13-Jul-2020

Page 1: THC 105: Telehomecare & Information Security · Ensure that any sensitive data stored locally on the hard drive is encrypted Make periodic backup copies of data, especially if this

THC 105: Telehomecare & Information Security

Why is Information Security Important to Patient Safety?

Confidentiality: Privacy of patients depends upon maintaining the confidentiality of personal health information (PHI) at all times.

Integrity: Patient safety depends upon maintaining the integrity of PHI (e.g. ensure no systematic errors exist). Failure to maintain integrity can result in illness, injury or even death.

Availability: In order to provide safe care, THC nurses must have ready access to important PHI before, during and after providing care.

[Figure: Information Security, comprising Integrity, Confidentiality and Availability]

Keeping Your Technology Secure: Beware of Phishing Email Scams!

Approach Links in Email Messages with Caution.

Links in email messages can often take you to fake sites that encourage you to provide personal information or infect your computer when clicked. Before you click a link, make sure to read the target address by hovering your mouse pointer over the link. If the target is different from the displayed text, DO NOT CLICK ON THE LINK!

Example of a malicious link hidden behind what appears to be a safe URL:

There are many reasons to be wary of emails that seem suspicious. Some emails might be phishing scams designed to trick you into divulging personal information, while others might contain viruses and other malicious software designed to infect your system. If an email looks suspicious, don’t risk your personal information by opening or responding to the message.

Do Not Open Attachments from Unknown or Unexpected Senders.

Attachments might be malware that downloads to your machine when you open the file. If you don’t know who the attachment is from, or if you weren’t expecting it, DO NOT OPEN THE FILE!

Do Not Reply to Messages asking for Personal Information.

OTN and most other reputable organizations will never use email to request that you reply with a password, OHIP, SIN or any other personal information.

Keeping Your Technology Secure: Security Administrative Safeguards

Administrative safeguards provide overall coverage to further reduce risk

Follow any policies and procedures in place at your organization to ensure the collection, use, disclosure, retention and destruction of PHI is done in accordance with PHIPA and any other applicable law and regulation

Follow any policies and procedures in place at your own organization to ensure the physical, technical, and administrative security of sensitive assets (e.g. PHI, workstations, etc.)

Follow “Clean Desk” practices especially in unattended workspaces as per organizational policies

Dispose of hardcopy PHI properly; e.g. use a shredding machine that meets Ontario IPC security standards such as confetti cut

Keeping Your Technology Secure: Mobile Equipment Security

Mobile devices such as smartphones and tablets can be easily lost or stolen due to their small and compact size. Loss of a mobile device will not only result in the loss of the data, but it may also potentially lead to unauthorized disclosure of this information if the phone or the tablet ends up in the wrong hands.

Guard your phone as you would a wallet – do not leave it unattended at any time and keep it locked and out of sight when not using it.

Think of the mobile device and protect it the same way you would your wallet. Leaving it unattended and in plain sight will attract potential thieves and opportunists with a readily available target. Whenever finished using the mobile device keep it in your pocket or otherwise lock it in a drawer or a safe.

Do not interfere with or disable the security features of your device.

Most mobile devices come equipped with various security features to minimize the risk of unauthorized disclosure, modification, or destruction of personal information. “Jailbreaking” or “rooting” a smartphone or otherwise interfering with the mobile device’s security features will increase the risk of a breach.

In particular, mobile devices should always:

✓ Be secured with a PIN or a password

✓ Lock automatically after a period of inactivity

✓ Have malware protection installed

✓ Be up to date and have the latest versions of the software installed

✓ Have encryption enabled

Keeping Your Technology Secure: Workstation Security

Despite the rapidly increasing popularity of mobile devices, workstations remain a popular and widely adopted option to conduct work and business, particularly in the healthcare field. The following practices will help prevent breaches and increase the security of your workstation:

✓ Stay up-to-date with Operating System (Windows, Linux, OS X) software patches and updates

✓ Install Anti-Virus and Anti-Spyware Software and keep updates current

✓ Enable Firewall Software

✓ Use strong passwords to protect access to the workstation

✓ Use secure system configuration (including browser settings) based on recommendation from the vendor

✓ Configure the system to automatically lock after a few minutes if not in use

✓ To prevent power failure related interruptions, connect your workstation to an Uninterruptible Power Supply (UPS)

✓ Ensure that any sensitive data stored locally on the hard drive is encrypted

✓ Make periodic backup copies of data, especially if this data is essential to business functions

✓ Ensure physical security of workstations and related peripherals (disks, USBs, etc.)

Keeping Your Technology Secure: Security Physical Safeguards

As clinicians interacting with the Telehomecare software, it is important to note that physical safeguards are one way to reduce the risk of unauthorized use of sensitive information:

✓ Locate computer device(s) in a secure location to minimize the risks of modification, loss, access, theft, view and disclosure by unauthorized individuals

✓ Connect computers to an uninterruptible power supply (UPS)

✓ If you are using laptops, do not leave them unattended

✓ Keep the laptop locked by attaching it to a heavy object via a cable lock or out of sight. If neither of these is available, the laptop is not to be left behind

✓ Secure confidential information (e.g. charts, forms) when it is outside the normal work area

Keeping Your Technology Secure: Password Security

Passwords provide the first line of defense against unauthorized access. The stronger and more complex your password, the more protected your information will be from hackers and malicious software.

Some of the best practices around password use:

✓ Use strong passwords that are a minimum of 8 characters long and are a combination of uppercase and lowercase letters, numbers and special characters

✓ Change passwords with access to confidential information (e.g. PHI) regularly (e.g. every six months)

✓ Do not share your credentials (i.e. User ID and password) with anyone, including trusted colleagues, family members, and support technicians

✓ Do not write down your password and then store it where it is easy to find

✓ Do not provide your password in an email response. Such “Phishing” scams are very common and, no matter how legitimate they look, will put your password in the hands of cyber-criminals

Keeping Your Technology Secure: Beware of Public Areas!

Always be aware of your surroundings when doing work or accessing sensitive information.

Do not perform sensitive tasks in public areas, such as airports, coffee shops, or business lounges where there is an opportunity for strangers to see over your shoulder, or watch you type in your password.

Information Security Incident Response

Information Security Incident:

An occurrence that has, or potentially may, jeopardize the confidentiality, integrity, or availability of an information system or the information that it processes, stores, or transmits

A violation or imminent threat of violation of security policies, security procedures, or acceptable use policies

[Figure: Confidentiality, Integrity, Availability, and Information Security Policies & Procedures]

Types of Incidents

Denial of Service
• an attack that prevents or impairs the authorized use of networks, systems or applications by exhausting resources

Malicious Code
• a virus, worm, Trojan horse, or other code-based entity that successfully infects a host

Unauthorized Access
• a person gains logical or physical access without permission to a network, system, application, data or other IT resource

Inappropriate Usage
• a person violates acceptable use of any network or computer policies

Equipment Theft/Loss
• a piece of equipment containing sensitive information has been lost or stolen

[Figure: a "Potential Violations" label for each incident type, drawn from Confidentiality, Integrity, Availability, and Information Security Policies, Guidelines and Procedures]

Incident Response Process

OTN’s Information Security Team takes a number of preventive measures to minimize the number of incidents

However, not all incidents can be prevented. Early detection and acknowledgement of a security incident will greatly aid in its mitigation and containment.

Any suspicious or unusual activity or finding should be immediately reported through OTN’s Service Desk or directly to the Information Security Team, if the situation requires immediate attention:

Email: [email protected] or [email protected] | Tel: 1-855-654-0888 or 416-446-4110

[Figure: incident response process phases: Detecting & Reporting; Preparation & Minimization; Analysis & Categorization; Containment, Eradication & Recovery; Post-incident Analysis & Reporting]

Thank You!

For additional security tips and guidance, please see Information Security – Best Practice Guidelines

Finally, should you have any security related questions, please contact OTN’s Information Security Department:

Information Security - Ontario Telemedicine Network

105 Moatfield Drive, Suite 1100, Toronto, ON M3B 0A2

Email: [email protected] | Tel: 416-446-4110