2. METHODIST HOSPITAL IT SECURITY ROLLFOLD BROCHURE
THE WHO, WHAT, WHERE, WHEN, WHY, AND HOW OF
PROTECTING SENSITIVE INFORMATION
Device Security
Always keep portable equipment/devices in your sight or
securely locked away when not in use
If using or traveling with a company-owned laptop, request a
cable lock from your IT&S Department
If it is necessary to leave your laptop in your vehicle, make
sure that the laptop is out of sight
Use only encrypted USB drives
Do not store sensitive data on a portable device unless it is
necessary to perform job functions
MALWARE PROTECTION AND
INTERNET BROWSING
Be aware of phishing
Avoid pop-ups that advertise anti-virus or anti-spyware
programs
Do not install unapproved software on your device
Do not plug an unknown USB into your computer
Avoid using your company-owned devices to visit certain
internet sites such as social networking sites (Facebook,
Twitter, etc.)
Electronic Communications
Think before sending. Ask:
1. Does the communication include sensitive data?
2. Where is it going (internal or external recipients)?
3. Is the recipient authorized to have the data?
4. Is the data protected?
Refer to Electronic Communication policy - IS.SEC.002 for
more information.
EMAIL ENCRYPTION GUIDANCE
Add [Encrypt] anywhere in the Subject Line to encrypt the
email and email attachments
Do not include any sensitive information in the subject line
This encryption technique ONLY works when emailing from an
MHS email address to an external email address. Messages
to internal recipients do not require use of the encryption.
Any of the brackets will work to [Encrypt] the email
including: [], (), {}, <>
ADDITIONAL EMAIL REQUIREMENTS
You should NEVER:
Use personal email accounts (e.g., Gmail or Yahoo) to
conduct company business
Forward company email to a personal address
Access another person’s email
Phishing
Phishing is the unlawful attempt to obtain personally
identifiable information (PII) about you or others.
P Personal Data reference or request
H Hyperlinks or Attachments
I Inaccurate Information
S Suspicious Sender
H Hurry Up and Respond
VERIFY OR REPORT A PHISH
Contact your local Service Desk, your DISO or your FISO
Social Engineering
Social Engineering is an attempt to gather information from
you in order to gain access to systems and/or gain confidential
information. Social Engineering can occur in person, over the
phone or electronically.
Do not share sensitive information with anyone over the phone
or in person even if:
The person appears “friendly”
The person seems to be in a hurry to obtain the information
The person uses an agitated tone
To avoid social engineering, always:
Ask to see a badge
Wear your badge
Social Media
DO NOT post sensitive information, including photos, on
the internet. This includes posting on: discussion groups,
Facebook, LinkedIn, Twitter, MySpace, YouTube, Flickr,
bulletin boards, chat services, non-secured websites and
more.
Refer to MHS Social Media Guidelines
Report suspected violations of company policy regarding
social media
Mobile Devices
Any electronic device that has the potential to store,
process or transmit company information wirelessly and
is designed for mobility or easy transport such as smart
phones and tablets.
Susceptible to the same risks as your computer
Same physical security rules apply
Same email rules apply
Per the Confidentiality and Security Agreement (CSA):
Personally owned devices that synchronize company data
(email on your phone), must be encrypted.
Awareness: Threats Follow You Home
Your Information Security responsibilities do not stop at
the end of your work day.
Keep your computer, browser, anti-virus and other
critical software up to date
Do not respond to pop-ups and deals that sound too
good to be true
Be aware of cyber-bullying
WHO
EVERYONE
is responsible for
protecting the
security of patients,
customers and staff.
WHAT
What is sensitive
information? It is PHI and
a lot more. As defined
by company privacy
policy IS.SEC.005,
everyone is responsible
for the protection of
sensitive information from
unauthorized disclosure or
use including:
Confidential patient
information
Social security number
Financial account
information
Personnel information
Provider credentialing
information
WHERE
Where can Methodist
Healthcare employees find
key compliance resources?
Visit MHSCentral, click the
Policy and Procedures link
then click Policy Tech.
QUICK REFERENCE:
What happens if I violate an
IT&S policy or standard?
See WS.SWB.03 -
Sanctions Process
Am I using email
appropriately?
See IS.SEC.002
Information
Security - Electronic
Communications
What did I agree to when I
signed a Confidentiality &
Security Agreement?
See the Confidentiality &
Security Agreement
Do I use USB drives
appropriately?
See COM.MH.02 -
Information Handling
Procedures
Do I encrypt emails
containing sensitive data?
See COM.EI.01 - Electronic
Transmissions
Do I lock my workstation
when I leave it
unattended?
See AC.UR.02 - Session
Security
If my laptop or mobile
phone was stolen, how
quickly must I report it?
See IR.RISE.01 - Incident
Reporting
What are managers
required to do?
See WS.SWB.01 -
Management
WHEN
When should you report an
information security concern
or incident?
Concerns or incidents must
be reported to one of the
following within 24 hours:
Department director
Facility Privacy Officer
DISO/FISO
Service desk at
210-575-4511 option 2-2
Examples of incidents
include:
Stolen or lost computer or
portable device
Misdirected fax or email
Computer virus alert
Posting of PHI on a
social media site
WHY
Why should you play a role
in Information Security?
You are legally bound to
protect the confidentiality
of patient, company and
employee information
The mission of Methodist
Healthcare is “Serving
Humanity to Honor God.”
Protecting employee and
patient privacy is part of
this mission.
At MHS, we take information
protection seriously.
Protecting privacy reduces
the risk of:
Identity Theft
Loss of Privacy
Loss of Trust
Costly breach notifications
Malware such as viruses,
worms, Trojans, Spyware
HOW
How can you take part
in protecting patient
information?
Password Protection
You should:
Keep all passwords
confidential. Do not share
a password with anyone,
ever.
Use a variety of user
names and passwords for
work and personal use.
Create a strong password.
A strong password uses
a combination of letters,
numbers and special
characters and is both
upper and lower case.
Workstation Security
You should:
Lock or log off computers
when they are not in
use. This will activate the
screensaver.
To lock the computer:
Press CTRL-ALT-DELETE,
select LOCK
To log off the computer:
Select START then select
Logoff
Log out of applications
on shared workstations
when done
To suspend a session in
MEDITECH, press Shift F12
to lock the patient record
Be Aware
You should:
Make sure no one is
watching when entering
information, PIN numbers
or passwords
Immediately lock the
screen and ask the
onlooker if he or she
needs assistance, if
being watched
Information Protection
Assures employees and patients that the integrity,
confidentiality and availability of electronic protected
health information (ePHI) are protected.
PHI – Protected Health Information
ePHI – Electronic Protected Health Information
Methodist Healthcare IT&S staff
will never ask for your password.
DIRECTOR OF INFORMATION
SECURITY OPERATIONS (DISO)
Russell Lane
FACILITY INFORMATION
SECURITY OFFICIAL (FISO)
Carl Jones
Maria Carmona
Martin Rodriguez
Security.Awareness@MHSHealth.com
210-575-2550
MHS SERVICE DESK
210-575-4511
Option 2-2
CONTACTS
Password Reset allows you to reset your password
or unlock the primary account you use from any
computer on the network. To access this tool click
on the Password Reset link on MHSCentral or type
passwordreset into your browser address bar.
To enroll, click PASSWORD RESET.
Protected Health
Information (PHI and ePHI)
PHI and ePHI are defined by information protection as information
in verbal, written or electronic form that includes one or more of the
following:
Name
Elements of an address
All elements of dates except year (e.g., date of birth,
admission, discharge, expiration)
Telephone and fax number
Email address
Social Security number
Medical record number
Health plan number
Account number
Certificate/license number
Vehicle ID or license plate
Web Addresses or URLs
IP address number
Biometric identifiers, finger or voice print
Photographic image
Any other unique identifying number, characteristic, or code
4. DOUBLETREE BY HILTON HOTEL | 210 HOLIDAY CT. | ANNAPOLIS, MD | 410.224.3150
Mother's
Day Brunch
May 13, 2012
SEATINGS: 11 AM, 12 PM,
2 PM & 2:30 PM
ADULTS $29.95
SENIORS $25.95
CHILDREN (6-12) $16.95
CHILDREN 5 & UNDER
EAT FREE
18% gratuity and 6% tax
will be added to
the bill.
DOUBLETREE ANNAPOLIS HOTEL EMAIL BLASTS
6. HIGH PEAKS RESORT POSTERS
Easter has arrived
Celebrate Mom!
Join us for our Mother’s Day Brunch
on May 10 – watch for details!
HIGHPEAKSRESORT.COM | MAIN STREET LAKE PLACID
$34.95
ADULTS
plus tax & gratuity
$22.95
KIDS 6-11
plus tax & gratuity
BUILD YOUR OWN BENEDICT
Choose croissants, English muffins, polenta rounds, top with Canadian bacon,
smoked salmon, spinach and more...
OMELET STATION | WAFFLE STATION | BLOODY MARY BAR
EASTER EGG DECORATING STATION
RESERVATIONS – 518.523.4411
Join us for Easter Brunch
Sunday, April 5 | 10AM - 3PM
Happy
Mother’s
Day!
HIGHPEAKSRESORT.COM | MAIN STREET LAKE PLACID
Menu
OMELET STATION
BENNY’S TO ORDER
CARVING PRIME RIB AND LEG OF LAMB
MADE TO ORDER WAFFLES
with fresh berries
RISOTTO STATION
with three types to choose from such as wild mushroom
HIGH PEAKS FAVORITES INCLUDE
PAN SEARED SALMON
with grilled pineapple salsa
MAPLE DIJON PORK TENDERLOIN
and much more!
$34.95
ADULTS
plus tax & gratuity
$22.95
KIDS 6-11
plus tax & gratuity
Join us for Mother’s Day Brunch
Sunday, May 10 | 10AM - 3PM
Reservations 518.523.4411
8. WHERE BOCA COMES ASHORE
PLATTERS
(serves 12 people) 1 hour advance notice
THE LITTLE DIPPER $65
Hummus served with olives,
Feta cheese and pita,
Fresh guacamole and tortilla chips
MEAT & CHEESE $125
Imported and domestic cheeses with
chef’s assortment of sliced meats;
served with crackers
CHICKEN WING PLATTER $75
3 dozen – honey, jerk seasoned wings
with mojo ranch dipping sauce
SALADS AND
SANDWICHES (TO-GO)
ATHENS GREEK SALAD $15
ADD: SHRIMP $8 OR CHICKEN $6
Olives, Feta cheese, cucumbers,
tomato, stuffed grape leaves, pita
with red wine vinaigrette
CLASSIC CAESAR SALAD $12
ADD: SHRIMP $8 OR CHICKEN $6
Romaine, Parmesan cheese and
croutons
SWORDFISH SANDWICH $17
Grilled Swordfish, dill tartar sauce,
arugula and tomatoes; served with chips
CHEESE BURGER $15
Grilled burger with cheddar cheese,
lettuce, tomato and onion; served
with chips
THE JERK SANDWICH $13
Spicy jerk seasoned chicken breast,
arugula and tomatoes; served with chips
TURKEY BLT WRAP $12
Chipotle mayonnaise; served with chips
DOCK & DASH
“TO-GO” MENU • CHANNEL 71 • 561.413.8281
MAKE IT A “GOOD CATCH COMBO” AND RECEIVE THE BELOW 3 ITEMS
FOR $5.00 ADDED TO ANY ENTRÉE SELECTION
Includes: bottled water, fresh whole fruit, and our famous Doubletree chocolate chip cookie.
WATERSTONE RESORT & MARINA HOTEL COLLATERAL
WHERE BOCA COMES ASHORE
ACCOMMODATIONS
139 newly renovated guest rooms including 11 suites featuring
private balconies, all with breathtaking views of the water
AMENITIES
Newly redesigned and expanded lobby
270-ft waterfront promenade
Business center
Waterfront swimming pool and sun deck
State-of-the-art fitness center
Dockside water sport activities
1 block to beach
DINING & ENTERTAINMENT
Boca Raton’s only ‘on the water’ dining
Two new exciting restaurant options:
Waterstone Bar & Grill
Boca Landing
MEETINGS & EVENTS
Penthouse level meeting & event space with catering available
Panoramic views of the Boca waterfront
999 EAST CAMINO REAL, BOCA RATON, FL 33432
561.368.9500 | WWW.WATERSTONEBOCA.COM
VIP BOATER
ON-SITE DOCK MASTER
CHANNEL 71 • 561.413.8281