
Safeguarding Electronic Health Information

Password Management

Choosing a strong password, one not easily guessed by others, is a key measure in securing our protected information. Most Loma Linda University Health (LLUH) entities utilize the “password changer” utility program at https://id.lluh.org, and certain criteria must be met when creating your password. The following quality assurance checks are made:

  • Password length must be a minimum of 12 characters
  • Does not contain the user’s first or last name
  • Must contain 3 of the following 4 attributes:
    • Upper and lower case mix
    • At least one number
    • At least one special character (e.g. _ @ ~  #  * ! & %)

Whether or not your area or department utilizes the “password changer” program, there are some good rules to apply when selecting a strong password and in keeping that password safe:

  • Select something that is difficult to guess. Your pet’s name, your favorite sports team, personal names, and dates of birth or marriage can all be easily guessed by anyone who takes a moment to look around at your personal items (social media, sports team logos, children’s pictures) or listen to your personal conversations. There are software programs available, as well, that can guess many other passwords, such as common words found in the dictionary or commonly used names.
  • Create a password that represents something to you, and then turn it into a passphrase. An easy way to do this is to select a subject that interests you, such as food, books, movies, music, or games. Think of a title or phrase associated with that subject. Select the first letter or couple of letters of each word in the phrase and replace some of them with numbers and special characters. This will give you a password that appears meaningless to others but is significant to you. For example: If your subject is “food”, and your favorite dessert is cheesecake, your phrase could be “I Love Cheesecake and I could Eat It All Day”. Your password could then become something like: iLov3CaICEi@d.
  • Do not leave your password where others may find it. If you have difficulty remembering your password, write it down and keep it in a secure location that only you can access, such as a purse or wallet. Never leave your password in your desk or on your monitor. If someone finds your password and logs into your computer as you, you most likely will be held accountable for anything that happens as a result.
  • Never give your password out to others. This applies to managers and supervisors, as well. Even with the most advanced security features available today, the most common way that a password is compromised is by the owner revealing it to someone. No one but you should know your password. Not even LLUH Service Desk representatives should be provided with your password. If a coworker or new employee requests your password for their use, refer them to the Service Desk so that they may receive the appropriate access to the information they need. If someone from outside our organization requests your password, report him or her immediately to the Service Desk or the Information Security Department. If you share your password, you are violating a security policy.
  • Change your password regularly. If your area utilizes the “password changer” program you are prompted on a scheduled basis to change your password. If your area does not utilize this program, a good rule of thumb is to change your password every 90 days. Create an entirely new password each time you change your password.

Unique User ID

Similarly, when you were granted your computer access you were issued a unique user ID. This ID usually consists of your first initial and last name, and is used when logging into the network and specific applications. As the name indicates, this is a unique ID and you are the only person in the organization that carries it or that may use it. This ID is used to log and track your activity in our organization’s computer system. A strong password, as mentioned above, is your best defense against unauthorized persons using your user ID.

Workstation Security

Though the security of our information largely depends upon technical measures such as passwords, unique user ids, audit logs and protective software, workstation security also plays an important role. Following are some tips to keep in mind to help ensure workstation security:

  • Keep computer monitors tilted or turned away from public areas or doorways to prevent accidental or unauthorized viewing of ePHI. If this is not practical due to workstation design, then be aware of your surroundings. Pay attention to people around you who may be “shoulder surfing” (looking over your shoulder at information on the computer screen) when accessing ePHI. For computer monitors located in public areas, a polarizing device/privacy filter is placed on them. Please do not remove them from the monitors.
  • Be sure to keep laptops, iPads, Tablets and other portable devices locked up and secure when not in use. Do not leave portable devices unattended in your vehicle; protection of ePHI does not end when you leave the office.
  • Lock your computer when you walk away from your workstation, even if you only intend on being away from your computer for a short period of time. Often, we plan on returning immediately but are distracted or find ourselves in a lengthy conversation with an associate, leaving the computer vulnerable for others to access information under your user ID and password. To lock your workstation press: control + alt + delete. Then, select “lock workstation” or simply press the key with the Windows logo + L.
  • Most workstations are equipped with organization-approved screensavers that automatically engage when the computer is left idle. Do not attempt to disable this security function or alter the activation time length yourself. If you believe that the screensaver directly affects your ability to work, speak to your supervisor and have them contact the Service Desk (ext. 48889) for assistance.
  • Practice common-sense security. Make certain that doors and desks are locked as appropriate when no one is present. Do not leave applications open on your computer when you are not using them. Be aware of your surroundings and do not be afraid to ask unauthorized persons to take a step back from any workstation where PHI could be easily or incidentally viewed.
  • When working remotely, apply the same precautions to protect information. Do not allow family members or anyone else to use your work computer, laptop, or other devices used to access the network or work email. If you leave your computer, exit out of applications or log off of the system or network (VPN). Do not share your password with anyone.

Media Destruction and Reuse

Media is any device that is removable, portable and can store information, including laptops, tablets, iPads, DVDs, CDs, external hard drives, removable memory cards, etc. PHI may only be stored on media if the media is encrypted by an approved encryption methodology. LLUH entities have in place policies and procedures for the proper disposal and reuse of such media.

The first rule to remember when disposing of these items and others of their kind is to never throw them in the trash. Instead, they should be sent to the LLUMC Data Center for proper destruction. If you are uncertain as to what steps to take, speak to your supervisor or review your entity’s policy for Destruction and Reuse of Media.

Viruses and Malicious Software

A virus is a program or piece of computer code that is installed on your computer without your knowledge with the intention to destroy information stored there, to spread to other computers within the network and to exfiltrate information to the bad actors. Many viruses are transmitted via e-mail attachments. Protecting your computer against malicious software and viruses is important for our organization and is the responsibility of each of us. Though all workstations have anti-virus protection installed (and all laptops connecting to our network are required to have IT-approved anti-virus protection on them), viruses may still get through. Following are some tips that will help you guard against malicious software:

  • Do not open any attachments from unknown sources. Some files are “executable” software programs that download to your local computer hard drive once they are opened. Executable (.exe, .bat) files are the most common means for sending viruses or malicious software.
  • If you receive an unrecognizable or suspicious email, do not open it; instead, forward it to “emailabuse@llu.edu” where it can be logged, analyzed, and disposed of properly. By reporting to emailabuse@llu.edu, you will assist Information Services to prevent other email users from receiving the same message by blocking the sender.
  • Report any suspicious activity immediately, such as unfamiliar programs that appear on your computer.

Unauthorized Software and Hardware

Another common source of security problems is software or hardware that is installed without the approval of the Information Services department.

Music sharing software, remote access software, games and other freeware programs can disable your computer, threaten the organization’s network, and can contain malicious software that would allow someone to take control over your computer. Installation of these and similar programs is a direct violation of policy for all LLUH entities.

Similarly, hardware or devices attached to our organization’s network or your computer need to be installed with the appropriate security precautions in mind. For that reason, you should never connect other devices, such as computers, laptops or CD burners, to the network without authorization from the Information Services department.

Transmission of PHI via E-mail/ Encryption

Information that is sent via e-mail to external recipients (those outside of our organization) is typically not secure. It can be intercepted, read and, ultimately, altered by a third party. For that reason, all LLUH entities have policies requiring all email messages containing PHI or other confidential information to be encrypted by an approved encryption methodology prior to being transmitted.

By encrypting an email message, the information contained within it, including any attachments, will be sent to the recipient in a secure manner. If you are uncertain as to what information needs to be encrypted, it is better to encrypt it than to face the risk of it being sent as plain text. In order to encrypt an email message, simply type the term [encrypt] in the subject line along with the subject. Please note that the [square brackets] are required. For more information about email encryption please contact the Service Desk.

iPads, Tablets and Laptops

More and more people are taking advantage of new and convenient technology such as iPads, Tablets, and laptops. But, with convenience comes added risks. All LLUH entities have in place policies regarding requirements in the use of these devices in order to protect both the information contained in them as well as the devices and our system from potential harm. If you have questions concerning these usage requirements you should speak to your supervisor or contact the Service Desk at Ext. 48889. Following are some tips for using laptops and other portable devices safely:

  • Never save PHI on a portable device local hard drive or memory unless you have received written approval from your Department Head or Group Administrator and the device is password protected and encrypted.
  • Never keep passwords and access codes along with your portable device under any circumstances.

Despite these precautions, the most frequent risk remains the loss or theft of the device. This results not only in a loss of the equipment but a potential loss of data. To minimize this risk, portable devices should be password protected, encrypted, and put away in a secure location when not in use. Portable devices must never be left unattended in a car, or any other location accessible/viewable by the general public. If your laptop or other portable device is stolen, an incident report should be filed with the Security Department and Information Security as soon as possible.

Portable Devices and Viruses

Portable devices usually come with their own virus protection programs, but users often do not enable or use them. If ePHI will be used, transmitted to, or kept on a portable device, you should make sure that virus protection and any other security feature is in place and up to date.

Portable devices pose an additional problem with respect to viruses. Not only can portable devices be disabled by viruses, but other viruses that target computers can easily reside undetected on a portable device without affecting the portable device itself. The virus can eventually be transmitted to a computer or to the network during syncing and damage the computer and network.

Facility Access Control

Protection of PHI does not stop with our computers. Our safeguards must extend to the facility’s physical space and surrounding work areas, as well. Though we do have a Security department that is tasked with enforcing our policies and procedures regarding access to our facilities, it is the responsibility of each of us to assist in facility control.

Here are some common-sense steps you can take for theft and loss prevention:

  • Never prop doors open, even for a short time
  • Be aware of unknown individuals trying to piggyback behind you to gain access to restricted areas
  • Keep your badge and keys that provide access to campus buildings in your possession or in a secure location

Badges

It is extremely important that all workforce members wear their badge during work hours. There are over 16,000 employees, staff members, physicians, residents, volunteers, researchers, student workers, etc. in our organization. It is impossible to know everyone. Our badges help to distinguish us from visitors and patients. Should an unfamiliar person be found wandering in restricted areas, near workstations or other areas where they are not permitted, it is essential that we be able to assess quickly if that person belongs there or if intervention is required. Badges allow us, at a glance, to make an initial assessment of a situation.

Be aware of your environment and the people in it

We all work hard and our responsibilities increase almost daily. It is easy to become so focused on our tasks that everything around us fades away. It is important that we stay aware of our environment. Throughout our organization we have areas that are restricted, contain PHI or contain other confidential information or materials. Knowing who is accessing these areas and ensuring that they are authorized to do so is key to safeguarding the protection of our information. It is your right and your responsibility as a workforce member to ask anyone without proper badge identification if they need assistance or direction. This serves two distinct purposes: 1) Visitors who are lost will appreciate the guidance; and 2) This lets anyone with malicious intent know you are aware of their presence which may act as a deterrent to inappropriate behavior.

Know the policies

Many policies are in place to guide us in the appropriate steps needed to control visitor access to our facilities. Organizational policies are found at the One Portal site https://one.lluh.org/vip/Institutional-Documents. Tours, contractors, site evaluation teams and other visitors must have clearance prior to entering the medical center or clinic facilities. Reviewing these policies and ensuring that the right steps are taken helps to protect our environment and the information therein. Do not be afraid to ask visitors if they have received appropriate clearance. If they have not, direct them to the appropriate department to receive clearance or contact Security for assistance.
