HIPAA Security Awareness

This month’s focus is the security awareness items highlighted in the Health Insurance Portability and Accountability Act (HIPAA). Even though many employees at Emory do not handle electronic protected health information (ePHI), these guidelines regarding malicious software, log-in monitoring and password management are best practices for everyone to follow.

Protection from malicious software

  • Malicious software in its various forms is one of the greatest information security problems. It can find its way onto your computer in a variety of ways, from email attachments to automated downloads from websites.
  • To protect against this threat, all computers should have anti-virus software installed and kept up to date. The software should automatically check for updates at least once a day.
  • Exercise caution when visiting websites and reading email. If you are suspicious of an attachment or link, do not open it. 
  • Symptoms of malicious software include alerts from your anti-virus software, unusual pop-up windows, sudden loss of speed and unexpected computer restarts. If you think your computer might have malicious software on it, contact your IT Service Desk.

Log-in monitoring

  • While most monitoring for malicious log-in attempts happens behind the scenes, you should be aware of indicators of unauthorized use of your account and limit the chances of someone else using your username and password. 
  • When walking away from your computer, be sure to log off, disconnect, or “lock” the computer so others can’t use your account. 
  • If you observe changes to your email, files, or account information that you did not make, and you suspect someone else used your account, contact your IT Service Desk.
  • If you receive requests to accept a login from Duo multifactor authentication, and you did not try to log in to an Emory system immediately prior to receiving the request, you should change your password immediately.

Password management

  • Protecting your account, and its access to information and resources, starts with a good password. One of the most basic, and common, attacks on computing resources is password guessing. 
  • For this reason, every password should be difficult to guess either by someone who knows you or by an automated tool that can rapidly guess common word and letter combinations. 
  • Computer systems often enforce password complexity and length rules to promote the use of strong passwords. 
  • Passwords should never be shared with others, even co-workers and family members. 
  • Do not use the same password for your Emory account that you use for your personal accounts.
  • Everyone at Emory is given a unique login and specific access based on their needs – it is your responsibility to safeguard this information with a strong password and keep the password secret. 
  • To ensure your password stays a secret, commit it to memory rather than writing it down. 
  • If you believe your password is no longer secret, change it immediately and contact your IT Service Desk to check for unauthorized use of your account.

Additional Assistance

Healthcare employees must complete Annual Regulatory, Safety, and Compliance Education that includes HIPAA security information. To complete the required regulatory modules, visit the HealthStream Learning Center (HLC) via EHC Workspace. Start by logging in to EHC Workspace (workspace.emory.org), and in the Applications window, click on the red HLC icon.

University employees can access three online HIPAA training courses under the Office of Research Compliance section of the Emory Learning Management System catalog; just search the catalog for HIPAA.

Learn more about HIPAA policy and security requirements (login required to view policies).