IT Cybersecurity & Privacy Resource Library - 2022
2022 IT Cybersecurity and Privacy Roadmap
Quarterly Campaign Materials
IT Cybersecurity and Privacy Ambassadors
From the Desks of...
Pause & Reflect
Resource Library
Health care is being hit by cyber attackers at greater levels than ever before. National agencies, such as the FBI, are sending warnings across our industry alerting us to these situations. Remember, YOU are the first line of defense and our best weapon is education and awareness. We want to provide you with valuable resources in one location to help raise awareness on popular cybersecurity and privacy topics. This library is created for you to learn and share the knowledge both at work and at home. Let’s work together to protect Banner and ourselves.
Dave Schauble, VP Chief Information Security Officer
Privacy and cybersecurity topics go hand in hand, which is why we’ve partnered with the IT Cybersecurity team to create this library for you. The more awareness we create around these important topics, the more prepared you’ll be at work and at home. Protecting Sofia is important, not only because of regulatory standards, but also to protect the trust in the Banner brand. We need to work together to protect Sofia’s information, and one way to do this is to provide resources for you to be more aware.
“Security is better when it’s built in, not bolted on”. - Stephen Yu
Kristen Eversole, Privacy Senior Director/Chief Privacy Officer
2022 Cybersecurity & Privacy Roadmap
2022 Cybersecurity & Privacy Detailed Plan
Campaigns have been identified through the training needs assessment, analysis and stakeholder interview feedback. The roadmap includes training and awareness materials for each area below to be shared through various methods of communication and engagement strategies.
Roadmap timeline (by quarter):
• JAN - MAR: Safe Access
• APR - JUN: Securing Assets
• JUL - SEPT: Safe Surfing
• OCT - DEC: Hacking the Human
Safe Access
Supporting topics:
• Acceptable Use policy
• Bring Your Own Device
• Remote work
• Secured Banner tools
Securing Assets
Supporting topics:
• Password hygiene
• Physical cybersecurity
• Off-boarding
• Biomedical devices
Safe Surfing
Supporting topics:
• Web surfing
• Monitoring activity
• Unsecured sites
• Web risks
Hacking the Human
Supporting topics:
• Social engineering
• Inappropriate access, use and disclosure of PHI
• Reporting incidents
October
• Cybersecurity Awareness Month (CSAM)
Meetings
1. HIPAA Facility Contacts
2. IT Cybersecurity & Privacy Ambassadors
CIOConnect Blog Articles
1. Acceptable Use Policy
2. BYOD
3. Remote Working
4. Password Best Practices
5. Physical Cybersecurity
6. Off-Boarding
7. Web Surfing & Personal Activity
8. Monitoring
9. Unsecured Sites
10. Social Engineering
11. Proper Handling of PHI
12. Reporting Incidents
• Simulated Phishing Campaigns
• CIOConnect Magazine Article
• Banner Buzz Article
• Ambassador Recognition
• Cybersecurity Awareness Month
Q1 - 2022 Safe Access
Flexible working has become part of the norm, but we still need to keep Sofia and Banner safe. Learn more about your part and the Acceptable Use Policy.
Supporting materials coming soon!
Supporting Topics
• Acceptable Use Policy
• Bring Your Own Device
• Remote Work
• Secured Banner tools
Acceptable Use Policy Overview
The IT Acceptable Use Policy is considered the “main” IT policy and applies to all workforce members who use Banner computing devices, data or network(s) to conduct business or interact with internal networks and business systems:
• Use business tools for official business purposes; limited personal use of business tools is acceptable ONLY when it does not interfere with job performance or otherwise violate any Banner policy or introduce risk
• Ensure the confidentiality of Banner information that may be displayed on your screen in public locations by using discretion and privacy screens
• Be aware, understand and acknowledge that Banner reserves the right to monitor Banner-owned devices, business tools, electronic communication and network traffic for security, compliance, performance or for other business reasons, subject to compliance with applicable privacy laws and regulations
• Forwarding or sending electronic email with non-public, Internal, Restricted and Confidential information, including PHI, sensitive PII or Card Holder Data (CHD), to the sender’s personal email accounts (including for the purpose of facilitating printing on personally-owned printers unless approved in advance by IT) is prohibited
• Only use your Banner device for Banner work. Using your personal device increases the risk of exposure and should not be used
• Report potential IT, Cybersecurity and Privacy issues to the Service Desk immediately by calling 602-747-4444
Security at Home: Tips and Tricks
Being online exposes you to cyber criminals and others who commit identity theft, fraud and harassment. Here is some information to help keep you more cyber secure at home:
• Use anti-virus software on your devices
• Keep your devices up-to-date
• Set a password on your personal Wi-Fi
• Be cautious about what you receive or read online
• Back up important information
• Limit the amount of personal information you post online
• Never share your username or password
• Educate your family and friends about internet safety
Additional resources to educate you on cybersecurity at home
• CISA.gov: Explore the resources on the “home and business” section to learn more about cybersecurity and to better secure your home and small-business networks.
• DHS.gov: The Stop.Think.Connect Campaign is a national public awareness campaign aimed at increasing the understanding of cyber threats and empowering the American public to be safer and more secure online.
• FTC.gov: Onguardonline.gov is run by the Federal Trade Commission (FTC) and is a one-stop shop for online safety resources available to parents, educators, kids and others.
Review the full Acceptable Use Policy - https://bannerhealth.policytech.com/dotNet/documents/?docid=8367
For more information, please contact ISPTA@bannerhealth.com
Q1 Presentation
Security of customers’ information is your responsibility. We want to provide you with information and resources to help be cyber secure like this video on Acceptable Use (5:00). As a member of the Banner workforce, it is your job to report any security vulnerabilities you may witness. Please help us keep our customers safe.
Acceptable Use Video: https://youtu.be/stmGePoL2ps
Q2 - 2022 Securing Assets
Technical and administrative controls are important, but it’s also important to understand the physical aspect when it comes to cybersecurity. Learn more about securing physical assets, what physical cybersecurity means and what to do when a team member decides to leave to help keep Sofia and Banner secure.
Supporting materials coming soon!
Supporting Topics
• Password Hygiene
• Physical Cybersecurity
• Off-boarding
• Biomedical Devices
LEADERSHIP GUIDE FOR OFF-BOARDING TEAM MEMBERS
DEFINITIONS
• BANNER EMPLOYEES: Team Member (FT or PT) regularly scheduled to work 32 hours or more per pay period on a continuous basis. Eligible for benefits.
• EXTERNAL CONTRACT LABOR (ECL): ECL (external contract labor) are contractors who go through Banner Staffing Services (BSS) for employment. These may be contract to hire.
• CONTRACTORS AND VENDORS WITH ELEVATED MyHR ACCESS: Contractors hired through SOW (statement of work contracts). Managing Banner employees or working on the Workday application and will be located in Workday.
• STATEMENT OF WORK (SOW) CONTRACTORS: Contractors hired through SOW (statement of work contracts) not in Workday. Contingent (External Contract Labor Temporary Staff) - Vendor Contract not managed by BSS ECL Fulfillment - but assist with onboarding only. Tracking time only.
TURN OFF NETWORK AND BADGE ACCESS
BANNER EMPLOYEES
1. Go to MyHR
2. Go to My Team Management
3. Select Terminate
4. Follow the prompts ...
View the MyHR Termination Instructions.
EXTERNAL CONTRACT LABOR (ECL)
• The Banner Staffing Services (BSS) Supplemental Labor Team processes the End Contingent Worker Contract transaction in MyHR/Workday
• This will inactivate them in ELMM (connected to KRONOS) ‒ BIM (Banner Identity Management) and terminate their access and badge
CONTRACTORS AND VENDORS WITH ELEVATED MyHR ACCESS
• Leader processes End Contingent Worker Contract in MyHR
• Email InformationSecurityITDeactivations@bannerhealth.com with date to terminate network access
• If they had badge access, submit Badge and Security Service Ticket Request
STATEMENT OF WORK (SOW) CONTRACTORS
• Email InformationSecurityITDeactivations@bannerhealth.com with date to terminate network access (occurs within 15 minutes or upon receipt)
• If they had badge access, submit Badge and Security Service Ticket Request
‒ Select Make a Request
‒ Click Badge or Security Access Change Request to terminate badge
URGENT AND SENSITIVE
• For an employee or ECL, as noted above, the process should still be followed; however, during business hours (8 a.m. - 5 p.m.), an email should be sent to InformationSecurityITDeactivations@bannerhealth.com as well and the dedicated IAM Analyst will address it. If the separation happens after hours, then an incident must be created to the Cybersecurity: Identity & Access Management assignment group and the on-call member will be paged to act on it promptly.
• For contractors or vendors, there’s no difference in the process, as noted above, for business hours. If after hours, then an incident must be created to the Cybersecurity: Identity & Access Management assignment group and the on-call member will be paged to act on it promptly.
RETURN OF COMPUTER AND OTHER BANNER EQUIPMENT
Team Members Working at Banner Facility
• Submit the Return/Pickup Computer Equipment form
• IT Service Delivery will coordinate with the manager and employee for equipment pick-up
• Return to IT Service Group for asset management and clean-up and re-distribution within your team if re-posting the position
Team Members Working Remotely
• Submit the Work Your Way Equipment Return form
• Return Options
a) Employee returns equipment to a Banner facility (please contact IT Service Delivery prior to arrival at a Banner facility with equipment)
b) Employee returns equipment to their manager, then manager returns it to a Banner facility
c) IT Service Delivery will send the laptop box if needed
Note: Manager is responsible for the return of Banner equipment. Please have your team member submit the Work Your Way Equipment Return form
Password Hygiene
Securing Assets Series
Did you know?
Repeating passwords makes it easier for the hacker to access multiple accounts at home and/or at work.
61% of breaches involved credentials*
*2021 Data Breach Investigations Report
Protect your logins:
• Never share your username and/or passwords
• Don’t use the same password for external systems or personal use (i.e. social media)
• Check emails before forwarding to ensure no login information is in the email string
• Use passphrases instead of passwords
• Reset your password immediately if you suspect it to be compromised
• Contact the Service Desk at 602-747-4444 for assistance
• Use a reputable password manager instead of writing it down
• Don’t reuse passwords
For more information, please contact ISPTA@bannerhealth.com
Q2 Presentation
Security of customers’ information is your responsibility. We want to provide you with information and resources to help be cyber secure like this video on Physical Cybersecurity (6:14). As a member of the Banner workforce, it is your job to report any security vulnerabilities you may witness. Please help us keep our customers safe.
Physical Cybersecurity Video: https://youtu.be/c6DsWF5tUqU
Q3 - 2022 Safe Surfing
The internet is filled with a lot of information - some useful, some not. However, surfing the web could potentially put your system and information at risk. Learn more about these risks when surfing the web.
Supporting Topics
• Web Surfing
• Monitoring Activity
• Unsecured Sites
• Web Risks
Safe Social Media Practices
Safe Surfing Series
Social media in the workplace
Think twice about what you post on social media. What we share about Banner can quickly be misunderstood, taken out of context or become a HIPAA violation.
72% of the public uses some type of social media*
*2021 Pew Research Center, Social Media Fact Sheet
Banner’s watching you ... for a good reason
Health care organizations are trusted not only with patient care, but also keeping their information and privacy safe. One way this is done is through user monitoring, an important tool to keep networks running optimally and secure. Benefits from monitoring computer use:
• Creates a baseline
• Minimizes data breaches
• Improves attack response time
• Addresses security vulnerabilities
• Monitors compliance
• Reduces downtime
• Increases productivity
• Prevents illegal/dangerous activity
Stay safe while surfing the web
• Photographs: Be aware of your surroundings and ensure no patient information is visible in the background.
• “Friending” a patient: Think twice before friending a patient. Anything you share on social media can quickly become public.
• Discussing patient information: Don’t discuss patients on social media; even the slightest identifier matters.
• Talking to the media: All media requests need to go through Public Relations and Corporate Communications to ensure no sensitive or confidential information is accidentally shared.
• Commenting on a public story: Never share any patient and/or sensitive information in any forum.
• Sharing patient photos: Avoid taking any photos of patients, even photos that don’t show a patient’s face.
As always, if you see something, say something. The sooner we know about a potential incident, the safer we can keep Sofia and our team members.
For more information, please contact: ISPTA@bannerhealth.com
Q3 Presentation
Security of customers’ information is your responsibility. We want to provide you with information and resources to help be cyber secure like this video on Safe Surfing (3:30). ‘Surfing the web’ has many benefits, but also carries risk. Learn about some of the web risks and you can stay safe while ‘surfing the web’.
Safe Surfing Video: https://youtu.be/9mxGy3umJx8
Q4 - 2022 Hacking the Human
Cyber criminals have learned how to manipulate people through impersonation of a trusted entity, generating a sense of urgency and many other methods. The easiest way for a cyber criminal to gain access to confidential systems and information is through team members that already have access. Learn more about what to be aware of and how to report a potential incident.
Supporting materials coming soon!
Supporting Topics
• Social Engineering
• Inappropriate Access, Use and Disclosure of PHI
• Reporting Incidents
Identifying Phishing and Ransomware Attacks
There’s a new 3-second rule
Some people use the “three-second rule” to apply when they drop food they’re eating on the ground – if you pick it up within three seconds, it’s “safe” to eat. Now we’re applying a similar rule to how you should react when you receive a suspicious email. Let’s protect Sofia, Banner and our team members by following three simple steps.
THE NEW 3-SECOND RULE
1. Pause before responding when you get a suspicious email
2. Reflect on the context and links
3. Click the Report Phish button if you believe the email is suspicious
What Sensitive Information Do Cyber Criminals Want?
Financial Information
Protected Health Information
Money
Passwords
Identity
Ransomware is malicious software that can affect our ability to access computer programs and data, generally started through a phishing email. The intent of phishing messages is typically to get the recipient to click a link or to open an attachment.
What Bait is Used to Hook You?
Fear
Desire to Please
Current Trends
Urgency
Curiosity
Signs of a Suspicious Email
Sample email:
To: employee@bannerhealth.com
Subject: URGENT!!!!! Respond Now!!!!!
Hello, Your pssword is about to expire. You will locked out if you do not respond today!!!
Please send your username and password to ITS@bh.com or click this link to update your password.
Thank You, Help Desk
Signs called out in the sample email:
• Urgency
• Spelling & Grammar errors
• Request for Log In Credentials
• Unusual Sender / Reply To Address
• Suspicious Links
Identifying phishing emails and NOT clicking on links or opening attached documents is critical since the majority of ransomware attacks start from these emails.
WHAT CAN I DO? If you suspect an email is a phishing attempt, report it by clicking the report email button in Outlook OR forward the email to: Phishing@bannerhealth.com
© Copyright 2020 Banner Health
Q4 Presentation
Security of customers’ information is your responsibility. We want to provide you with information and resources to help be cyber secure like this video on Hacking the Human (2:55). Learn more about social engineering, phishing and how you can help protect Sofia and your information. Please help us keep our customers safe.
Hacking the Human Video: https://youtu.be/b1bd22IKTE4
“The reason I volunteered to be on the Ambassador Security team was to assist in correcting behavior that puts our company at risk. Since I am onsite at the facilities I am able to educate our customers that weak IT security can cause malware, large fines for the organization, and most importantly puts our patients at risk. Providing pamphlets and walk through with staff increases awareness on best practices for Banner and also in their personal lives. By joining the Ambassador Security team in 2017, I am also able to provide updates on cybersecurity with our Tucson Service Delivery team on policy and procedures. Our priority is to maintain best practices with Banner security standards that reduce the risk to Sofia.”
Priscilla Martinez, IT Coordinator IV, IT Service Delivery
Keeping us secure Thank you, IT Cybersecurity and Privacy Ambassadors
by Paul Lockwood IT Training Consultant
It’s been another successful year for our IT Cybersecurity and Privacy Ambassador program. Our ambassadors continue to do an amazing job with getting the word out about cybersecurity and privacy topics that are important for all of our Banner team members to be aware of. These volunteers share information through team meetings (virtual and/or in person), department town halls and emails. Not only are they sharing great information, but they also provide the IT training program with valuable input on cybersecurity and privacy topics they encounter in their daily experiences. This helps guide us on what topics to discuss for quarterly campaigns or if additional communication needs to be done on a particular topic.
To show our appreciation for our ambassadors, we thanked them with a special challenge coin (pictured above) designed specifically for this group. A challenge coin started as a military tradition. Only members of a specific group were able to carry the coin. They were given out for special contributions or accomplishments as recognition or to boost morale. If you see a team member in the office with one of these coins, feel free to ask them any questions you may have about these topics.
Interested in becoming an ambassador? Learn more here.
Become an ambassador Protect Sofia. Protect Banner. Protect you.
Have a passion for cybersecurity and privacy? Want to help spread awareness on important topics? Join the IT Cybersecurity and Privacy ambassadors! By being an ambassador, you play a vital role to help ensure our team members are cyber and privacy savvy. This helps protect Sofia, protect Banner and even protect you. The information we share can be applied both at work and at home. Our ambassadors are volunteers across a variety of different teams at Banner. What we have in common is the interest and excitement to be more cyber and privacy aware.
Reasons to become an ambassador:
• Collaborate with the training team bringing your ideas and topics on cybersecurity and privacy
• Be the first to know on quarterly campaigns and ad-hoc topics
• Receive specialized training on being an ambassador and topics
• Communicate with other ambassadors
• Receive recognition for helping keep Banner secure
Email us at ISPTA@bannerhealth.com to become an ambassador today!
Pictured below at BUMC-T, left to right: Fontana Lavetter, Sherry Gimlin, Priscilla Martinez, Paul Lockwood.
Pictured above at BUMC-P, left to right: Morgan Raimo, Beau McGavran, Wayne Foster
“One of my most rewarding commitments at Banner has been participating in the IT Cybersecurity and Privacy Ambassador program. Data breaches and security incidents have become recurring stories in the news, demonstrating the need for individuals to be vigilant about their information security hygiene. I’m grateful Banner offers this program where team members can participate in meaningful and interactive settings centered around how we can keep ourselves and Sofia safe.”
Jason Wilkes, Senior Manager, CPO & Treasury Operations
IT Cybersecurity and Privacy Ambassadors List
Ambulatory - Tucson Carlos V Lee
IT Svc Delivery Sr Mgr IT Coordinator IV
Steve Templeton
Banner Boswell Medical Center Ernesto Rosales
Banner Health Corporate - Phoenix Elizabeth J Agredano
IT Desktop Technician III
IT Clin Systems Consult Associate Director, IT Cybersecurity IT Svc Delivery Sr Mgr Cybersecurity Architect CPO/Treasury Ops Sr Dir Manager, IT Cybersecurity Cybersecurity Technical Analyst I CPO/Treasury Ops Analyst CPO/Treasury Ops Consult IT Systems Eng Consult Senior HIMS Technician IT Systems Eng Consult Associate Director, IT Cybersecurity
Banner Churchill Community Hospital - Nevada Jackie Warburton HIMS Mgr Banner Desert Medical Center Tesia G Liggins-Ross HIMS Sr Mgr Banner Medical Group - Peoria/Sun City West Debra Stout RN Phys Pract
Ryan Artz, Timothy Burris, Alan Christian, Toni Elliott-Manuel, Kevin Keydoszius, Mark Kiriacos, Christian Longway, Mandy Marrujo, Beau McGavran, Deanna J Patch, Victoria A Pulido, Carlos I Rivera, Henrietta Sackey, Amanda Salazar, Dan Sharnhorst, Jon Smith, Nisreen I Tawil, Jason S Wilkes, Bo Wan
Banner Research Yoga Pandya
Associate Director, Regulatory
HIMS Mgr IT Director
Banner University Medical Center - Tucson Fontanna LaVetter IT Cust Relns Coord III Paige P Rowley IT Coordinator II
IT Systems Eng Consult Cybersecurity Engineer I Systems Consult Sr-spv IT Desktop Technician III CPO/Treasury Ops Prog Mgr
East Morgan Community Hospital Peter Sisneros
Food Nutrition & EVS Sr Mgr
Banner Health Corporate - In Home Karie L Truong North Colorado Medical Center Jeff Housden IT Ops Dir Banner Health Corporate Center - Mesa Jessica Bojorquez Cust Exp Tech coord IT Bus Analyst II
Remote - Chandler Lucinda Campos Remote - Tucson Doug Porter Riad Sbai
Senior Admin Assistant IT Pop Health Solutions Analyst I
IT Solution Analyst III
Sun City West Primary Care Clinic Sascha Blasko
Denise Lister, Andrew M Moore
IT Coordinator III IT Desktop Technician II
PAS Educator
Tucson
Priscilla Martinez
IT Coordinator IV
Ambulatory – Central Phoenix Robert R Whitten
Western Region
IT Coordinator IV
Jessica B Cesare-Torres
IT Bus Analyst III
Click here for the Classic view of PUBLIC folder The classic view will take you to our SharePoint site where you can browse the folders for the materials included in this library.
Click here if you have feedback or comments on the tools, would like to request a special training for your team or have any questions.
Banner Health Information Technology We are dedicated to the Mission of Banner Health to make health care easier, so life can be better. We are focused on hiring and retaining the best IT talent, driving innovation, providing legendary service and delivering successful outcomes.