The Guide for Reporting Security Issues (below) was developed for our Information Technology Team, but is applicable to everyone. Reporting potential information security issues is necessary to protect our computer systems/network. Seemingly harmless actions can compromise patient, student and other confidential data.
Examples of Information Security Issues
- Installation of unapproved software
- Passwords shared or left in obvious locations
- Unlocked, unattended workstations
- Alteration of UW School of Dentistry installed software
- Computer viruses
Guide for Reporting Security Issues
This document does not constitute or replace HIPAA training requirements. Please refer to HIPAA Security Polices for official policies and processes.
Most likely security issues
- Installation of unapproved software on computers
- Virus or rootkit infected computers.
- Alteration of University of Washington School of Dentistry installed software on computers
- Passwords written down in non‐secure locations
- Shared passwords
- Computer desktops left unlocked
Assessment of software‐related violations
- Software violations should be identified by finding install date and responsible person.
- Offline virus and rootkit scans should be run if there is suspicion of malware.
Reporting
All incidents must be reported to the IT Director, or Compliance Director if IT Director is not available, if
- It results in a system compromise (virus or rootkit).
- It creates a situation where non‐authorized users are able to access private information, such as patient records or student Examples include:
- Unlocked terminal allows people to access patient information
- Passwords clearly visible in unsecured areas (e.g. clinics, reception areas)
- It directly violates signed confidentiality agreements,
If the assessment reveals that a violation did not pose any risk of compromise, then the incident must be reported to the IT Director, and then recorded in helpdesk or the current incident reporting tool (currently a note in helpdesk). Examples include:
- Unauthorized software such as iTunes, Word Perfect, Microsoft Money, games,
- Modification or removal of non‐security software, such as Word or Excel
Corrective Actions
Any reported violations will be investigated and sanctioned by the Dean of the School of Dentistry, the Compliance Director, and other appropriate individuals.
If a virus or rootkit is confirmed
- Computer must be removed from network, but no further action should be taken except on direction of IT Director, Compliance Director, or investigative
- Tech working on computer must immediately change all network passwords used to access the
- User for whom machine belongs needs to change all network passwords used to access the
For other minor violations, the corrective action depends on the nature of the violation.
Please contact the Director of Information Technology at 206.221.4007 or the Director of Compliance at 206.543.5331 with questions or concerns.