IT Cybersecurity & Privacy Resource Library - 2022


2022 IT Cybersecurity and Privacy Roadmap

Quarterly Campaign Materials

IT Cybersecurity and Privacy Ambassadors

From the Desks of...

Pause & Reflect

Resource Library

Health care is being hit by cyber attackers at greater levels than ever before. National agencies, such as the FBI, are sending warnings across our industry alerting us to these situations. Remember, YOU are the first line of defense and our best weapon is education and awareness. We want to provide you with valuable resources in one location to help raise awareness on popular cybersecurity and privacy topics. This library is created for you to learn and share the knowledge both at work and at home. Let’s work together to protect Banner and ourselves.

Dave Schauble, VP Chief Information Security Officer

Privacy and cybersecurity topics go hand in hand, which is why we’ve partnered with the IT Cybersecurity team to create this library for you. The more awareness we create around these important topics, the more prepared you’ll be at work and at home. Protecting Sofia is important, not only because of regulatory standards, but also to protect the trust in the Banner brand. We need to work together to protect Sofia’s information, and one way to do this is to provide resources for you to be more aware.

“Security is better when it’s built in, not bolted on”. - Stephen Yu

Kristen Eversole, Privacy Senior Director/Chief Privacy Officer

2 Resource Library | 2022


2022 Cybersecurity & Privacy Roadmap

2022 Cybersecurity & Privacy Detailed Plan

Campaigns have been identified through the training needs assessment, analysis and stakeholder interview feedback. The roadmap includes training and awareness materials for each area below to be shared through various methods of communication and engagement strategies.

[Roadmap timeline figure: months JAN through DEC grouped into four quarterly campaigns, Safe Access (JAN - MAR), Securing Assets (APR - JUN), Safe Surfing (JUL - SEPT) and Hacking the Human (OCT - DEC), with numbered markers (1-12 and 1-2) placed along the months.]

Safe Access
Supporting topics:
• Acceptable Use policy
• Bring Your Own Device
• Remote work
• Secured Banner tools

Securing Assets
Supporting topics:
• Password hygiene
• Physical cybersecurity
• Off-boarding
• Biomedical devices

Safe Surfing
Supporting topics:
• Web surfing
• Monitoring activity
• Unsecured sites
• Web risks

Hacking the Human
Supporting topics:
• Social engineering
• Inappropriate access, use and disclosure of PHI
• Reporting incidents
October
• Cybersecurity Awareness Month (CSAM)

Meetings
1. HIPAA Facility Contacts
2. IT Cybersecurity & Privacy Ambassadors

CIOConnect Blog Articles
1. Acceptable Use Policy
2. BYOD
3. Remote Working
4. Password Best Practices
5. Physical Cybersecurity
6. Off-Boarding
7. Web Surfing & Personal Activity
8. Monitoring
9. Unsecured Sites
10. Social Engineering
11. Proper Handling of PHI
12. Reporting Incidents

Other roadmap items
• Simulated Phishing Campaigns
• CIOConnect Magazine Article
• Banner Buzz Article
• Ambassador Recognition
• Cybersecurity Awareness Month


Q1 - 2022 Safe Access

Flexible working has become part of the norm, but we still need to keep Sofia and Banner safe. Learn more about your part and the Acceptable Use Policy.

Supporting materials coming soon!

Supporting Topics
• Acceptable Use Policy
• Bring Your Own Device
• Remote Work
• Secured Banner tools


Acceptable Use Policy Overview

The IT Acceptable Use Policy is considered the “main” IT policy and applies to all workforce members who use Banner computing devices, data or network(s) to conduct business or interact with internal networks and business systems:

• Use business tools for official business purposes; limited personal use of business tools is acceptable ONLY when it does not interfere with job performance or otherwise violate any Banner policy or introduce risk
• Ensure the confidentiality of Banner information that may be displayed on your screen in public locations by using discretion and privacy screens
• Be aware, understand and acknowledge that Banner reserves the right to monitor Banner-owned devices, business tools, electronic communication and network traffic for security, compliance, performance or for other business reasons, subject to compliance with applicable privacy laws and regulations
• Forwarding or sending electronic email with non-public, Internal, Restricted and Confidential information, including PHI, sensitive PII or Card Holder Data (CHD), to the sender’s personal email accounts (including for the purpose of facilitating printing on personally-owned printers unless approved in advance by IT) is prohibited
• Only use your Banner device for Banner work. Using your personal device increases the risk of exposure, so personal devices should not be used
• Report potential IT, Cybersecurity and Privacy issues to the Service Desk immediately by calling 602-747-4444

Review the full Acceptable Use Policy - https://bannerhealth.policytech.com/dotNet/documents/?docid=8367

Security at Home: Tips and Tricks

Being online exposes you to cyber criminals and others who commit identity theft, fraud and harassment. Here is some information to help keep you more cyber secure at home:

• Use an anti-virus software on your devices
• Keep your devices up-to-date
• Set a password on your personal Wi-Fi
• Be cautious about what you receive or read online
• Back up important information
• Limit the amount of personal information you post online
• Never share your username or password
• Educate your family and friends about internet safety

Additional resources to educate you on cybersecurity at home

CISA.gov: Explore the resources on the “home and business” section to learn more about cybersecurity and to better secure your home and small-business networks.

DHS.gov: The Stop.Think.Connect Campaign is a national public awareness campaign aimed at increasing the understanding of cyber threats and empowering the American public to be safer and more secure online.

FTC.gov: Onguardonline.gov is run by the Federal Trade Commission (FTC) and is a one-stop shop for online safety resources available to parents, educators, kids and others.

For more information, please contact ISPTA@bannerhealth.com


Q1 Presentation

Security of customers’ information is your responsibility. We want to provide you with information and resources to help you be cyber secure, like this video on Acceptable Use (5:00). As a member of the Banner workforce, it is your job to report any security vulnerabilities you may witness. Please help us keep our customers safe.

Acceptable Use Video: https://youtu.be/stmGePoL2ps

*Examples from the presentation


Q2 - 2022 Securing Assets

Technical and administrative controls are important, but it’s also important to understand the physical aspect when it comes to cybersecurity. Learn more about securing physical assets, what physical cybersecurity means and what to do when a team member decides to leave to help keep Sofia and Banner secure.

Supporting materials coming soon!

Supporting Topics
• Password Hygiene
• Physical Cybersecurity
• Off-boarding
• Biomedical Devices


LEADERSHIP GUIDE FOR OFF-BOARDING TEAM MEMBERS

DEFINITIONS

BANNER EMPLOYEES
Team Member (FT or PT) regularly scheduled to work 32 hours or more per pay period on a continuous basis. Eligible for benefits.

EXTERNAL CONTRACT LABOR (ECL)
ECL (external contract labor) are contractors who go through Banner Staffing Services (BSS) for employment. These may be contract to hire.

CONTRACTORS AND VENDORS WITH ELEVATED MyHR ACCESS
Contractors hired through SOW (statement of work contracts). Managing Banner employees or working on the Workday application and will be located in Workday.

STATEMENT OF WORK (SOW) CONTRACTORS
Contractors hired through SOW (statement of work contracts) not in Workday. Contingent (External Contract Labor Temporary Staff) - Vendor Contract not managed by BSS ECL Fulfillment - but assist with onboarding only. Tracking time only.

TURN OFF NETWORK AND BADGE ACCESS

BANNER EMPLOYEES
1. Go to MyHR
2. Go to My Team Management
3. Select Terminate
4. Follow the prompts ... Click here to view MyHR Termination Instructions.

EXTERNAL CONTRACT LABOR (ECL)
• The Banner Staffing Services (BSS) Supplemental Labor Team processes the End Contingent Worker Contract transaction in MyHR/Workday
• This will inactivate them in ELMM (connected to KRONOS) ‒ BIM (Banner Identity Management) and terminate their access and badge

CONTRACTORS AND VENDORS WITH ELEVATED MyHR ACCESS
• Leader processes End Contingent Worker Contract in MyHR
• Email InformationSecurityITDeactivations@bannerhealth.com with date to terminate network access
• If they had badge access, submit Badge and Security Service Ticket Request

STATEMENT OF WORK (SOW) CONTRACTORS
• Email InformationSecurityITDeactivations@bannerhealth.com with date to terminate network access (occurs within 15 minutes or upon receipt)
• If they had badge access, submit Badge and Security Service Ticket Request
  ‒ Select Make a Request
  ‒ Click Badge or Security Access Change Request to terminate badge

URGENT AND SENSITIVE

• For an employee or ECL, as noted above, the process should still be followed; however, during business hours (8 a.m. - 5 p.m.), an email should be sent to InformationSecurityITDeactivations@bannerhealth.com as well and the dedicated IAM Analyst will address it. If the separation happens after hours, then an incident must be created to the Cybersecurity: Identity & Access Management assignment group and the on-call member will be paged to act on it promptly.
• For contractors or vendors, there’s no difference in the process, as noted above, for business hours. If after hours, then an incident must be created to the Cybersecurity: Identity & Access Management assignment group and the on-call member will be paged to act on it promptly.

RETURN OF COMPUTER AND OTHER BANNER EQUIPMENT

Team Members Working at Banner Facility
• Submit the Return/Pickup Computer Equipment form
• IT Service Delivery will coordinate with the manager and employee for equipment pick-up
• Return to IT Service Group for asset management and clean-up and re-distribution within your team if re-posting the position

Team Members Working Remotely
• Submit the Work Your Way Equipment Return form
• Return Options
  a) Employee returns equipment to a Banner facility (please contact IT Service Delivery prior to arrival at a Banner facility with equipment)
  b) Employee returns equipment to their manager, then manager returns to a Banner facility
  c) IT Service Delivery will send the laptop box if needed

Note: Manager is responsible for the return of Banner equipment. Please have your team member submit the Work Your Way Equipment Return form


Password Hygiene (Securing Assets Series)

Did you know?

Repeating passwords makes it easier for the hacker to access multiple accounts at home and/or at work.

61% of breaches involved credentials*

*2021 Data Breach Investigations Report

Protect your logins:

Never share your username and/or passwords

Don’t use the same password for external systems or personal use (i.e. social media)

Check emails before forwarding to ensure no login information is in the email string

Use passphrases instead of passwords

Reset your password immediately if you suspect it to be compromised

Contact the Service Desk at 602-747-4444 for assistance

Use a reputable password manager instead of writing it down

Don’t reuse passwords

For more information, please contact ISPTA@bannerhealth.com


Q2 Presentation

Security of customers’ information is your responsibility. We want to provide you with information and resources to help you be cyber secure, like this video on Physical Cybersecurity (6:14). As a member of the Banner workforce, it is your job to report any security vulnerabilities you may witness. Please help us keep our customers safe.

Physical Cybersecurity Video: https://youtu.be/c6DsWF5tUqU

*Examples from the presentation


Q3 - 2022 Safe Surfing

The internet is filled with a lot of information - some useful, some not. However, surfing the web could potentially put your system and information at risk. Learn more about these risks when surfing the web.

Supporting Topics
• Web Surfing
• Monitoring Activity
• Unsecured Sites
• Web Risks


Safe Social Media Practices (Safe Surfing Series)

Social media in the workplace

Think twice about what you post on social media. What we share about Banner can quickly be misunderstood, taken out of context or become a HIPAA violation.

72% of the public uses some type of social media*

*2021 Pew Research Center, Social Media Fact Sheet

Banner’s watching you ... for a good reason

Health care organizations are trusted not only with patient care, but also keeping their information and privacy safe. One way this is done is through user monitoring, an important tool to keep networks running optimally and secure.

Benefits from monitoring computer use:
• Creates a baseline
• Minimizes data breaches
• Improves attack response time
• Addresses security vulnerabilities
• Monitors compliance
• Reduces downtime
• Increases productivity
• Prevents illegal/dangerous activity

Stay safe while surfing the web

• Photographs: Be aware of your surroundings and ensure no patient information is visible in the background.
• “Friending” a patient: Think twice before friending a patient. Anything you share on social media can quickly become public.
• Discussing patient information: Don’t discuss patients on social media; even the slightest identifier matters.
• Talking to the media: All media requests need to go through Public Relations and Corporate Communications to ensure no sensitive or confidential information is accidentally shared.
• Commenting on a public story: Never share any patient and/or sensitive information in any forum.
• Sharing patient photos: Avoid taking any photos of patients, even photos that don’t show a patient’s face.

As always, if you see something, say something. The sooner we know about a potential incident, the safer we can keep Sofia and our team members.

For more information, please contact: ISPTA@bannerhealth.com


Q3 Presentation

Security of customers’ information is your responsibility. We want to provide you with information and resources to help you be cyber secure, like this video on Safe Surfing (3:30). ‘Surfing the web’ has many benefits, but also carries risk. Learn about some of the web risks and how you can stay safe while ‘surfing the web’.

Safe Surfing Video: https://youtu.be/9mxGy3umJx8

*Examples from the presentation


Q4 - 2022 Hacking the Human

Cyber criminals have learned how to manipulate people through impersonation of a trusted entity, generating a sense of urgency and many other methods. The easiest way for a cyber criminal to gain access to confidential systems and information is through team members that already have access. Learn more about what to be aware of and how to report a potential incident.

Supporting materials coming soon!

Supporting Topics
• Social Engineering
• Inappropriate Access, Use and Disclosure of PHI
• Reporting Incidents


Identifying Phishing and Ransomware Attacks

There’s a new 3-second rule

Some people use the “three-second rule” to apply when they drop food they’re eating on the ground – if you pick it up within three seconds, it’s “safe” to eat. Now we’re applying a similar rule to how you should react when you receive a suspicious email. Let’s protect Sofia, Banner and our team members by following three simple steps.

THE NEW 3-SECOND RULE
1. Pause before responding when you get a suspicious email
2. Reflect on the context and links
3. Click the Report Phish button if you believe the email is suspicious

What Sensitive Information Do Cyber Criminals Want?

Financial Information

Protected Health Information

Money

Passwords

Identity

Ransomware is malicious software that can affect our ability to access computer programs and data, generally started through a phishing email. The intent of phishing messages is typically to get the recipient to click a link or to open an attachment.

What Bait is Used to Hook You?

Fear

Desire to Please

Current Trends

Urgency

Curiosity

Signs of a Suspicious Email

Example email:

To: employee@bannerhealth.com
Subject: URGENT!!!!! Respond Now!!!!!

Hello,
Your pssword is about to expire. You will locked out if you do not respond today!!!
Please send your username and password to ITS@bh.com or click this link to update your password.
Thank You,
Help Desk

Signs highlighted in the example:
• Urgency
• Spelling & Grammar errors
• Request for Log In Credentials
• Unusual Sender / Reply To Address
• Suspicious Links

Identifying phishing emails and NOT clicking on links or opening attached documents is critical since the majority of ransomware attacks start from these emails.

WHAT CAN I DO?

If you suspect an email is a phishing attempt, report it by clicking the report email button in Outlook OR forward the email to: Phishing@bannerhealth.com

© Copyright 2020 Banner Health


Q4 Presentation

Security of customers’ information is your responsibility. We want to provide you with information and resources to help you be cyber secure, like this video on Hacking the Human (2:55). Learn more about social engineering, phishing and how you can help protect Sofia and your information. Please help us keep our customers safe.

Hacking the Human Video: https://youtu.be/b1bd22IKTE4

*Examples from the presentation


“The reason I volunteered to be on the Ambassador Security team was to assist in correcting behavior that puts our company at risk. Since I am onsite at the facilities I am able to educate our customers that weak IT security can cause malware, large fines for the organization, and most importantly puts our patients at risk. Providing pamphlets and walk through with staff increases awareness on best practices for Banner and also in their personal lives. By joining the Ambassador Security team in 2017, I am also able to provide updates on cybersecurity with our Tucson Service Delivery team on policy and procedures. Our priority is to maintain best practices with Banner security standards that reduce the risk to Sofia.”

Priscilla Martinez, IT Coordinator IV, IT Service Delivery

Keeping us secure Thank you, IT Cybersecurity and Privacy Ambassadors

by Paul Lockwood IT Training Consultant

It’s been another successful year for our IT Cybersecurity and Privacy Ambassador program. Our ambassadors continue to do an amazing job with getting the word out about cybersecurity and privacy topics that are important for all of our Banner team members to be aware of. These volunteers share information through team meetings (virtual and/or in person), department town halls and emails. Not only are they sharing great information, but they also provide the IT training program with valuable input on cybersecurity and privacy topics they encounter in their daily experiences. This helps guide us on what topics to discuss for quarterly campaigns or if additional communication needs to be done on a particular topic.

To show our appreciation for our ambassadors, we thanked them with a special challenge coin (pictured above) designed specifically for this group. A challenge coin started as a military tradition. Only members of a specific group were able to carry the coin. They were given out for special contributions or accomplishments as recognition or to boost morale. If you see a team member in the office with one of these coins, feel free to ask them any questions you may have about these topics.

Interested in becoming an ambassador? Learn more here.

Become an ambassador Protect Sofia. Protect Banner. Protect you.

Have a passion for cybersecurity and privacy? Want to help spread awareness on important topics? Join the IT Cybersecurity and Privacy ambassadors! By being an ambassador, you play a vital role to help ensure our team members are cyber and privacy savvy. This helps protect Sofia, protect Banner and even protect you. The information we share can be applied both at work and at home. Our ambassadors are volunteers across a variety of different teams at Banner. What we have in common is the interest and excitement to be more cyber and privacy aware.

Reasons to become an ambassador:
• Collaborate with the training team bringing your ideas and topics on cybersecurity and privacy
• Be the first to know on quarterly campaigns and ad-hoc topics
• Receive specialized training on being an ambassador and topics
• Communicate with other ambassadors
• Receive recognition for helping keep Banner secure

Email us at ISPTA@bannerhealth.com to become an ambassador today!

Pictured below at BUMC-T, left to right: Fontana Lavetter, Sherry Gimlin, Priscilla Martinez, Paul Lockwood.

Pictured above at BUMC-P, left to right: Morgan Raimo, Beau McGavran, Wayne Foster

“One of my most rewarding commitments at Banner has been participating in the IT Cybersecurity and Privacy Ambassador program. Data breaches and security incidents have become recurring stories in the news, demonstrating the need for individuals to be vigilant about their information security hygiene. I’m grateful Banner offers this program where team members can participate in meaningful and interactive settings centered around how we can keep ourselves and Sofia safe.”

Jason Wilkes, Senior Manager, CPO & Treasury Operations


IT Cybersecurity and Privacy Ambassadors List

Ambulatory - Tucson Carlos V Lee

IT Svc Delivery Sr Mgr IT Coordinator IV

Steve Templeton

Banner Boswell Medical Center Ernesto Rosales

Banner Health Corporate - Phoenix Elizabeth J Agredano

IT Desktop Technician III

IT Clin Systems Consult Associate Director, IT Cybersecurity IT Svc Delivery Sr Mgr Cybersecurity Architect CPO/Treasury Ops Sr Dir Manager, IT Cybersecurity Cybersecurity Technical Analyst I CPO/Treasury Ops Analyst CPO/Treasury Ops Consult IT Systems Eng Consult Senior HIMS Technician IT Systems Eng Consult Associate Director, IT Cybersecurity

Banner Churchill Community Hospital - Nevada: Jackie Warburton, HIMS Mgr
Banner Desert Medical Center: Tesia G Liggins-Ross, HIMS Sr Mgr
Banner Medical Group - Peoria/Sun City West: Debra Stout, RN Phys Pract

Ryan Artz Timothy Burris Alan Christian Toni Elliott-Manuel Kevin Keydoszius Mark Kiriacos Christian Longway Mandy Marrujo Beau McGavran Deanna J Patch Victoria A Pulido Carlos I Rivera Henrietta Sackey Amanda Salazar Dan Sharnhorst Jon Smith Nisreen I Tawil Jason S Wilkes Bo Wan

Banner Research Yoga Pandya

Associate Director, Regulatory

HIMS Mgr IT Director

Banner University Medical Center - Tucson Fontanna LaVetter IT Cust Relns Coord III Paige P Rowley IT Coordinator II

IT Systems Eng Consult Cybersecurity Engineer I Systems Consult Sr-spv IT Desktop Technician III CPO/Treasury Ops Prog Mgr

East Morgan Community Hospital Peter Sisneros

Food Nutrition & EVS Sr Mgr

Banner Health Corporate - In Home Karie L Truong North Colorado Medical Center Jeff Housden IT Ops Dir Banner Health Corporate Center - Mesa Jessica Bojorquez Cust Exp Tech coord IT Bus Analyst II

Remote - Chandler Lucinda Campos Remote - Tucson Doug Porter Riad Sbai

Senior Admin Assistant IT Pop Health Solutions Analyst I

IT Solution Analyst III

Sun City West Primary Care Clinic Sascha Blasko

Denise Lister Andrew M Moore

IT Coordinator III IT Desktop Technician II

PAS Educator

Tucson

Priscilla Martinez

IT Coordinator IV

Ambulatory – Central Phoenix Robert R Whitten

Western Region

IT Coordinator IV

Jessica B Cesare-Torres

IT Bus Analyst III


Click here for the Classic view of PUBLIC folder. The classic view will take you to our SharePoint site where you can browse the folders for the materials included in this library.


Click here if you have feedback or comments on the tools, would like to request a special training for your team or have any questions.


Banner Health Information Technology We are dedicated to the Mission of Banner Health to make health care easier, so life can be better. We are focused on hiring and retaining the best IT talent, driving innovation, providing legendary service and delivering successful outcomes.
