
Office of Compliance Programs

Manager

Information Security Training for Supervisors

Managing the Human Factor in Information Security

December 6, 2017

Why Do Managers and Supervisors Need Additional Security Training?

Information Security Risks Are Business Issues

Security lapses by employees can exacerbate security risks that can lead to:

Flowers Hospital had a data breach that occurred from June 2013 to February 2014 when one of its employees stole forms containing patient information and possibly used the stolen information to file fraudulent income tax returns.

In 2016, NRAD Medical Associates discovered that an employee radiologist had accessed and acquired protected health information from NRAD’s billing systems without authorization. The breach was estimated to be 97,000 records of patient names and addresses, dates of birth, Social Security information, health insurance, and diagnosis information.

According to Microsoft, more than 75% of all network intrusions can be traced back to compromised credentials. The vast majority of those network openings were created innocently through accidental or inadvertent behavior by insiders without any intention of harming their employer. In a number of cases, that vulnerability was, ironically, the result of a trusted employee doing a seemingly run-of-the-mill task like taking files home to work on in their own spare time.

Managers and Supervisors are uniquely situated to mitigate security risks.

In your role as a manager or supervisor, you are the one who is most familiar with the work carried out by your staff. By familiarizing yourself with the information security issues that are inherent in the work of your area of responsibility, you can become an effective part of LSUHSC-NO's strategy against the threat that is increasingly responsible for the data breaches that occur every year: humans.

"We have met the enemy and he is us." -Pogo

There are three types of risky behavior, each requiring a different approach:

What Can I do to Improve the Security of the Information in My Area?

  1. Understand your data
  2. Be familiar with LSUHSC-NO information security policies
  3. Know your users
  4. Enforce security policies
  5. Know how to respond to a breach or other security incident
  6. Be aware of the impact grants and contracts can have on the security of your data and on the LSUHSC-NO I.T. infrastructure.

Understand Your Data

How well do you know the data used in your area by your employees? Ask yourself the following questions:

  1. What protected and/or restricted information (e.g. PHI, student information, employee information, intellectual property, etc.) do I have in my area?
  2. How does it get to my area? (e.g. email, file transfer, courier, U.S. Mail, interoffice mail, fax, etc.)
  3. Which of my employees handles this information?
  4. Where is it stored in my area? (e.g. local hard drives on desktops and laptops, tablets, smartphones, server drives like O: and T:, OneDrive for Business, file cabinets, desk drawers, etc.)
  5. How do my employees access the information?
  6. Where does the information go once it leaves my area?
  7. If someone wanted to steal the data from my area, how could they do it?

Don't overlook information in printed formats. Faxes, reports and other printouts, etc. can also be the source of a breach if they fall into the wrong hands.


LSUHSC-NO Information Security Policies

LSUHSC-NO's information security policies are contained in PM-36 Louisiana State University System Information Security Plan, CM-42 Information Technology (IT) Infrastructure, and I.T. department policies. As a manager or supervisor, it is your responsibility to ensure that these policies are followed by your employees. Therefore it is important that you are informed about the policies and how they apply to your area. The best way to familiarize yourself with these policies and their requirements is to complete all of your information security training.


Users

When managing users who have access to LSUHSC-NO's network, it is important to keep the following in mind:

The Minimum Necessary Principle

When requesting access for users under your responsibility, it is important to limit their access to information to the minimum amount necessary to perform their duties and no more. If there is any change in the user's duties due to:

then their access should be reviewed and modified as needed to ensure the user only has access to the information required to perform their duties.

Types of Authorized Users

Requests for user IDs for new employees, modifying access, or terminating access can be handled by simply emailing the Information Security group.

External Affiliates

External Affiliates are any users who are not faculty, staff or students of LSU. Examples include contractors and employees of other state agencies with a business need to access LSUHSC-NO information systems.

How to Request an External Affiliation

Administration from the sponsoring department must submit the following:

Acknowledge the following:

Verifying External Users

A request is sent every 90 days to verify any status changes.

If there is no response after 14 days:

User Security Training

Ensure that authorized users in your area understand the importance of:

The easiest way to ensure users have been properly informed of their information security responsibilities is to ensure that all users have completed their HIPAA Security Training.

Behavior

Take note of any sudden change in an employee's behavior or if the employee's behavior manifests any of the following patterns or traits:

Exhibiting any of the above-listed behaviors may indicate that an employee is taking actions that could compromise the security of LSUHSC-NO's information systems and data.

Enforcing Security Policies

Periodically walk through your work area looking for:

Enforce policies consistently among employees. Ensure authorized users are aware of guidelines for acceptable computer usage:

Mobile Device Security Issues

A mobile device is any device that is both portable and capable of collecting, storing, transmitting or processing electronic data or images. These include but are not limited to:

The convenience of their portability also means there is little in the way of physical safeguards that can be implemented to protect them. As a result, these devices are at a much greater risk of being lost or stolen. To prevent a security incident from the loss or theft of such a device:

Disciplinary Actions and Terminations

In the event that an employee must be disciplined or terminated, their computer access must be disabled IMMEDIATELY. Contact the Information Security group in the IT department to disable the employee's access before the employee is notified of the disciplinary action, to minimize the opportunity for malicious or retaliatory action on the employee's part.

Incident Response

Dealing with a Possible Crime

If you have reason to believe that a computer or mobile device has information or evidence of wrongdoing, simply secure the device by locking it up. Do not power down or power up the device or otherwise attempt to manipulate it.

Once the device is secured, contact the Helpdesk and describe your concerns. Someone from the I.T. department will be sent to examine and collect the device.

Grants and Contracts

Grants

If the deliverables on a grant are such that they could have an impact on the information technology infrastructure (e.g. new cloud-based system, new servers, transfers of large amounts of data, etc.), consult the I.T. department during the budget preparation process.

Submit a request to I.T. to evaluate any new hardware or software.

If the infrastructure (e.g. networks, servers, etc.) is not in place, include costs for infrastructure and extra personnel in the budget.

Failure to notify I.T. can result in:

Contracts

Infrastructure

As with grants, contracts whose deliverables impact LSUHSC-NO's information technology infrastructure must be reviewed by the I.T. department to ensure the I.T. infrastructure has the capacity to accommodate the services required by the contract and that the proper information security controls are in place.

Business Associate Agreement

A business associate (BA) agreement must be executed anytime a contract requires the use or disclosure.

Data Sharing Agreement

Anytime protected or restricted data is shared as part of a collaboration (as opposed to a contractor providing services that require access to data) a data use agreement must be in place which outlines the responsibilities each party has with regard to the protection of the data.

Getting Help

If you have any questions, please contact the Office of Compliance Programs by: