Information Security
To report a security breach: remember, report promptly!
UC Davis Health System: (916) 734-8808 during the day, (916) 734-HELP after hours
UC Davis: abuse@ucdavis.edu or (530) 757-5795
Confidential reports: call the compliance hotline, (877) 384-4272
Background Information
Laws
- Security rule text — the HIPAA security rule. The NIST (National Institute of Standards and Technology) publication An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule provides a technical dissection of the rule.
- California legal requirement to report certain security breaches — name with SSN, driver's license, or financial account (e.g., credit card, bank account) numbers — recommended practices on notification of security breach involving personal information
Policies
- UC policy IS-3: Electronic Information Security, and implementing guidelines
- UC Electronic Communications Policy
- UC Davis Electronic Communications Policy (policy 310-24)
- UC Davis Acceptable Use Policy (policy 310-23a)
Advice
- Protect confidential information — UC Davis HIPAA security information sheet
- Cyber Security Tips — good nontechnical advice on e-mail, Web browsing, passwords, etc., from a government-private industry partnership.
Assistance
- UC Davis Health System
- Technical assistance (e.g., "How do I install virus checking?"): (916) 734-HELP
- UC Davis Health System Security (accessible via intranet only)
- UC Davis
- Technical assistance: (530) 754-HELP
- Questions about security rule requirements: (916) 734-8808
- UC Davis Computer and Network Security
Computer Security Training and Workbooks for Fixing and Documenting Computer Security
Single user workbook (pdf) — for computers used by a single person. Also available in Microsoft Word document format if you wish to save a copy of your answers: single user workbook, .doc format.
Workbook for multiuser systems (pdf). Also available in Microsoft Word document format if you wish to save a copy of your answers: multi-user workbook, .doc format.
Online security training — required for UC Davis Health System workforce who:
- Maintain databases with ePHI or social security numbers or financial account numbers (e.g., credit card numbers) on computers not managed by UC Davis Health System IS;
- Carry ePHI or social security numbers or financial account numbers (e.g., credit card numbers) on portable devices (laptops, PDAs, USB drives, etc.); or
- Maintain ePHI or social security numbers or financial account numbers (e.g., credit card numbers) on home computers (information in Lotus Notes or Citrix excluded).
When you submit the form at the end of the online training, you will receive a message that the information has been sent. If that does not appear, you may have a computer compatibility problem or an earlier version of Acrobat Reader. In that case, print only the roster form page, fill it out and send to:
| UC Davis Health System workforce | UC Davis workforce |
| --- | --- |
| Training and Development, Human Resources, UC Davis Health System, Ticon III | Staff Development, Human Resources, UC Davis, TB 121 |
Protecting Portable Devices: Data Security
In addition to taking precautions to protect your portable devices, it is important to add another layer of security by protecting the data itself.
Why do you need another layer of protection?
Although there are ways to physically protect your laptop, PDA, or other portable device (see Protecting Portable Devices: Physical Security for more information), there is no guarantee that it won't be stolen. After all, as the name suggests, portable devices are designed to be easily transported. The theft itself is, at the very least, frustrating, inconvenient, and unnerving, but the exposure of information on the device could have serious consequences. Also, remember that any devices that are connected to the internet, especially if it is a wireless connection, are also susceptible to network attacks.
What can you do?
- Use passwords correctly. In the process of getting to the information on your portable device, you probably encounter multiple prompts for passwords. Take advantage of this security. Don't choose options that allow your computer to remember passwords, don't choose passwords that thieves could easily guess, and use different passwords for different programs (see Choosing and Protecting Passwords for more information).
- Consider storing important data separately. There are many forms of storage media, including floppy disks, zip disks, CDs, DVDs, and removable flash drives (also known as USB drives or thumb drives). By saving your data on removable media and keeping it in a different location (e.g., in your suitcase instead of your laptop bag), you can protect your data even if your laptop is stolen. You should make sure to secure the location where you keep your data to prevent easy access.
- Encrypt files. By encrypting files, you ensure that unauthorized people can't view data even if they can physically access it. You may also want to consider options for full disk encryption, which prevents a thief from even starting your laptop without a passphrase. When you use encryption, it is important to remember your passwords and passphrases; if you forget or lose them, you may lose your data.
- Install and maintain anti-virus software. Protect laptops and PDAs from viruses the same way you protect your desktop computer. Make sure to keep your virus definitions up to date (see Understanding Anti-Virus Software for more information).
- Install and maintain a firewall. While always important for restricting traffic coming into and leaving your computer, firewalls are especially important if you are traveling and utilizing different networks. Firewalls can help prevent outsiders from gaining unwanted access (see Understanding Firewalls for more information).
- Back up your data. Make sure to back up any data you have on your computer onto a CD-ROM, DVD-ROM, or network. Not only will this ensure that you will still have access to the information if your device is stolen, but it could help you identify exactly which information a thief may be able to access. You may be able to take measures to reduce the amount of damage that exposure could cause.
(Above section copyright 2004 Carnegie Mellon University.)
Erasing files or hard drives
Inclusion on this list only indicates that the program is inexpensive and can meet certain security needs. Many other programs are available that adequately perform these tasks. These programs are not supported by the health system.
Erase entire hard drive when getting rid of computer:
From the security rule: Information must be deleted when disposing of the computer (see 164.310(d)(2)(i)).
Caution. This program will remove everything from the hard drive, including the operating system. An operating system (e.g., Microsoft Windows) must be reinstalled before the computer is again usable.
Darik's Boot and Nuke. This utility is free of charge.
Erase individual files, or erase free space on drive (previously "deleted" files) when giving computer media or the computer to another person:
From the security rule: Information must be deleted when reusing the computer or computer media (e.g., disks) elsewhere if the recipient should not receive the information (see 164.310(d)(2)(ii)).
Eraser. This free utility integrates into Windows Explorer. It also includes "Darik's Boot and Nuke", so it can be used to erase entire hard drives.

