Security lapses by employees can increase security risks and lead to:
Flowers Hospital had a data breach that occurred from June 2013 to February 2014 when one of its employees stole forms containing patient information and possibly used the stolen information to file fraudulent income tax returns.
In 2016, NRAD Medical Associates discovered that an employee radiologist had accessed and acquired protected health information from NRAD’s billing systems without authorization. The breach was estimated to be 97,000 records of patient names and addresses, dates of birth, Social Security information, health insurance, and diagnosis information.
According to Microsoft, more than 75% of all network intrusions can be traced back to compromised credentials. The vast majority of those network openings were created innocently through accidental or inadvertent behavior by insiders without any intention of harming their employer. In a number of cases, that vulnerability was, ironically, the result of a trusted employee doing a seemingly run-of-the-mill task like taking files home to work on in their own spare time.
In your role as a manager or supervisor, you are the one who is most familiar with the work carried out by your staff. By familiarizing yourself with the information security issues that are inherent in the work of your area of responsibility, you can become an effective part of LSUHSC-NO's strategy against the threat that is increasingly responsible for the data breaches that occur every year: humans.
"We have met the enemy and he is us." -Pogo
There are three types of risky behavior, each requiring a different approach:
How well do you know the data used in your area by your employees? Ask yourself the following questions:
Don't overlook information in printed formats. Faxes, reports, and other printouts can also be the source of a breach if they fall into the wrong hands.
LSUHSC-NO's information security policies are contained in PM-36 Louisiana State University System Information Security Plan, CM-42 Information Technology (IT) Infrastructure, and I.T. department policies. As a manager or supervisor, it is your responsibility to ensure that these policies are followed by your employees. Therefore it is important that you are informed about the policies and how they apply to your area. The best way to familiarize yourself with these policies and their requirements is to complete all of your information security training.
When managing users who have access to LSUHSC-NO's network, it is important to keep the following in mind:
When requesting access for users under your responsibility, it is important to limit their access to information to the minimum amount necessary to perform their duties and no more. If there is any change in the user's duties due to:
Requests for user IDs for new employees, modifying access, or terminating access can be handled by simply emailing the Information Security group.
External Affiliates are any users who are not faculty, staff or students of LSU. Examples include contractors and employees of other state agencies with a business need to access LSUHSC-NO information systems.
Administration from the sponsoring department must submit the following:
Acknowledge the following:
A request is sent every 90 days to verify any status changes.
If there is no response after 14 days:
Ensure that authorized users in your area understand the importance of:
The easiest way to ensure users have been properly informed of their information security responsibilities is to ensure that all users have completed their HIPAA Security Training.
Take note of any sudden change in an employee's behavior or if the employee's behavior manifests any of the following patterns or traits:
Periodically walk through the work area looking for:
Enforce policies consistently among employees. Ensure authorized users are aware of guidelines for acceptable computer usage:
A mobile device is any device that is both portable and capable of collecting, storing, transmitting or processing electronic data or images. These include but are not limited to:
The convenience of their portability also means there is little in the way of physical safeguards that can be implemented to protect them. As a result, these devices are at a much greater risk of being lost or stolen. To prevent a security incident from the loss or theft of such a device:
In the event that an employee must be disciplined or terminated, their computer access must be disabled IMMEDIATELY. Contact the Information Security group in the IT department to disable the employee's access before the employee is notified of the disciplinary action, to minimize the opportunity for malicious or retaliatory action on the employee's part.
If you have reason to believe that a computer or mobile device has information or evidence of wrongdoing, simply secure the device by locking it up. Do not power down or power up the device or otherwise attempt to manipulate it.
Once the device is secured, contact the Helpdesk and describe your concerns. Someone from the I.T. department will be sent to examine and collect the device.
If the deliverables on a grant are such that they could have an impact on the information technology infrastructure (e.g. a new cloud-based system, new servers, transfers of large amounts of data, etc.), consult the I.T. department during the budget preparation process.
Submit a request to I.T. to evaluate any new hardware or software.
If the infrastructure (e.g. networks, servers, etc.) is not in place, include costs for infrastructure and extra personnel in the budget.
Failure to notify I.T. can result in:
As with grants, contracts whose deliverables impact LSUHSC-NO's information technology infrastructure must be reviewed by the I.T. department to ensure the I.T. infrastructure has the capacity to accommodate the services required by the contract and that the proper information security controls are in place.
A business associate (BA) agreement must be executed anytime a contract requires the use or disclosure.
Any time protected or restricted data is shared as part of a collaboration (as opposed to a contractor providing services that require access to data), a data use agreement must be in place which outlines the responsibilities each party has with regard to the protection of the data.
If you have any questions, please contact the Office of Compliance Programs by: