HSyE HIPAA Training
Q1: What does the federal government legally require we do vs what are the HSyE rules?
A1: The basic law is that we (as a company) cannot allow a breach of PII/PHI and you (as a data user) cannot breach PII/PHI. The HSyE guidelines are ways to prevent breaches and the training is to teach you how breaches can occur because in most cases, once you know how a breach can occur, all it takes to prevent that breach is common sense. The training is legally required as per HIPAA law.
Q2: How can I tell what is PII or not?
A2: Is there a way any person could figure out who the person is from the row of data? What if the data was from someone in our office; we know a lot of info about that person but can we link the person to the row? If it is possible to link a person to the data then there is still some PII. The PII must be removed before the data can be classified as "desensitized". Examples of PII fields include names, addresses, phone numbers, social security numbers, zip codes, credit card numbers/billing information, email addresses, and workplace/job. When in doubt, ask!
Q3: I'm doing a project that requires some of the PII fields (like zip code or address). What do I do?
A3: Remove all PII not required for the project (eg: delete those columns in excel that contain PII data) and encrypt all associated files. As this data is sensitive, make sure not to leave your computer unlocked, be careless with the password, or allow others to linger behind your screen. Remember that it is your ethical responsibility to use this file only for what the data use agreement allows and nothing else. Generally, DUAs allow for a project's data to be used for the scope of the project and nothing further.
Q4: Why do I have to worry about the security of things on my HSyE desk and computer? Aren't the offices locked/secure?
A4: The offices have locks, but there are often visitors, including people like the janitorial, IT staff, and contractors that do not have signed contracts with us. Our computers have a feature where the screens turn off after 5-15 min, but the computers do not lock automatically. If you leave and don't lock your computer or just turn off the monitor manually, it wouldn't be hard for a person to turn the screen back on and email some of the files off to non-HSyE people. Also, if a virus gets on your desktop, it can send off files/passwords to hackers or worse, it can encrypt all HSyE files and the institute will be in big trouble with a lot of people.
Q5: Why can't I work on projects from home? I have a secured network!
A5: Most home wireless networks are not fully secured because they don't have to be. Also, even if your home router was secure enough for normal use, it would use WPA2 and not WPA2-Enterprise and therefore is not secure enough for our data. The difference between these is that in WPA2, all computers use the same password to connect to the network. Those computers then sit on the same blanket of Wi-Fi and share it. WPA2-Enterprise uses different usernames/passwords for each person and keeps each connection separate so your connection has no way to talk to your neighbor's connection. This means that if someone gets into your home network, they can go to your computer and get files/passwords/etc. These networks, even secure ones, are becoming the target of criminals. One man recently got arrested for downloading child pornography when in reality, it was his neighbor who hacked into his Wi-Fi. Home networks are not secure enough for sensitive data.
Q6: I only work part time so it's easier to use my laptop, why can't I do that?
A6: Personal laptops are the largest security risk at HSyE. For example, Samy is a computer technician and knows how to prevent most viruses, but still has to clean out an infection every 2 years. This is not just from illegal downloading or trolling the seedy underbelly of the internet: the ads on the side of Facebook, for example, have some SERIOUS viruses embedded in them: all it takes is one stray click to kill your computer. Also, a new phishing scheme with URL spoofing/disguising is becoming common. For example, if you try to download Adobe Reader or Java, the actual link to get them may be the 3rd or 4th google result, but numbers 1 and 2 look correct until you analyze the URLs closely. Also, when you are installing those programs, during the install process there are things you have to uncheck or click a button to avoid downloading. This means if you don't pay attention, you could easily get a virus.
Q7: Why are you so concerned about malware/viruses? I thought our network was secure? Aren't viruses just those annoying pop-up ads?
A7: Most malware runs secretly and you would never know it was there. There are malware that can record every keystroke you make (therefore stealing your passwords to every account you have like email, bank account, etc.). There are others that can encrypt each file on your machine and any network or external drives connected to it and force you to pay close to $1K to hackers so they will consider giving you the key to decrypt them. Some use your computer as a shared computing resource to get them money and in return, can physically damage your machine. Northeastern's network can prevent all of these, but not if you forcibly allow them in by using an infected personal machine or install malicious software on a Northeastern machine.
Q8: What if I need to access files wirelessly on campus/at a conference?
A8: You should be able to access the data server on campus using NUwave. At a conference, you should not be presenting anything sensitive and so you can upload it to SharePoint in advance to access it from there. As we cannot guarantee the security of external wireless networks, you will not be able to access the data server.
.pdf (requires Adobe Acrobat, does not work in Adobe Reader)