HIPAA Identifiers

HIPAA identifiers are the 18 categories of information listed in the Privacy Rule's Safe Harbor de-identification standard (45 CFR 164.514(b)). Each can identify an individual on its own or in combination with other information, so all 18 must be removed before health data is considered de-identified under Safe Harbor.
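The following is an added example, not code from the WashU HIPAA Privacy Office, showing how the Safe Harbor rules behind the 18 identifiers translate into a de-identification and free-text scrubbing routine. The field names, the regular expressions, and the sample record are all constructed for illustration; the list of sparsely populated three-digit ZIP prefixes is the one given in HHS guidance (based on the 2000 census) and should be checked against current guidance before use. It covers the mechanical categories only: Safe Harbor additionally requires that the covered entity have no actual knowledge that the remaining data could identify the individual, which no script can decide.

```python
"""Safe Harbor de-identification of a patient record (added example, not WashU code)."""
import re
from datetime import date

# Fields holding direct identifiers (names, addresses below state level, contact
# details, SSN/MRN/account/license/vehicle/device numbers, URLs, IPs, biometrics,
# photos). Under Safe Harbor these are removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "precinct", "phone", "fax",
    "email", "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric", "photo",
}

# Dates directly related to the individual: only the year may be kept.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}

# Three-digit ZIP prefixes with 20,000 or fewer residents (HHS guidance, 2000
# census); these must be replaced by "000" rather than truncated.
SPARSE_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
               "830", "831", "878", "879", "884", "890", "893"}

# Identifiers that commonly leak inside free-text notes. Constructed and
# deliberately simple; a production DLP rule set would be broader.
TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits, or '000' for sparsely populated prefixes."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(prefix) < 3 or prefix in SPARSE_ZIP3 else prefix


def generalize_age(age: int) -> str:
    """Ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age > 89 else str(age)


def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def find_identifiers(text: str) -> dict:
    """Return {category: [matches]} for identifier patterns found in free text."""
    return {name: pat.findall(text) for name, pat in TEXT_PATTERNS.items()
            if pat.search(text)}


def redact_text(text: str) -> str:
    """Replace each matched identifier with a category placeholder such as [SSN]."""
    for name, pat in TEXT_PATTERNS.items():
        text = pat.sub(f"[{name.upper()}]", text)
    return text


def deidentify(record: dict, as_of: date) -> dict:
    """Apply the Safe Harbor rules field by field and return a new record."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                              # dropped entirely
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key] = str(value.year)            # year only
        elif key == "age":
            out[key] = generalize_age(value)
        elif isinstance(value, str):
            out[key] = redact_text(value)         # scrub free text
        else:
            out[key] = value
    if "dob" in record:
        age = age_on(record["dob"], as_of)
        out["age"] = generalize_age(age)
        if age > 89:
            out.pop("dob", None)                  # even the birth year would reveal age > 89
    return out


# Constructed sample record; the person and numbers are fictitious.
AS_OF = date(2024, 1, 15)
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-00012345",
    "dob": date(1931, 5, 17),
    "zip": "63110",
    "admission_date": date(2023, 11, 2),
    "diagnosis": "Type 2 diabetes",
    "note": "Call pt at 314-555-0100 or jane@example.com before 11/09/2023.",
}


def deidentify_sample() -> dict:
    """De-identify the constructed sample record as of AS_OF."""
    return deidentify(SAMPLE_RECORD, AS_OF)


if __name__ == "__main__":
    print(find_identifiers(SAMPLE_RECORD["note"]))
    print(deidentify_sample())
```

On the sample record the name and MRN are dropped, the ZIP becomes 631, the admission date becomes 2023, the note is reduced to "Call pt at [PHONE] or [EMAIL] before [DATE].", and because the patient is 92 the date of birth is removed entirely and only age "90+" is retained.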

HIPAA Hints: Privacy Guidelines

The Washington University HIPAA Privacy Office has created HIPAA Hints to provide guidance for some of the most common privacy issues.

HIPAA Privacy Training

Workforce members at the Medical School are also required to complete HIPAA 101, a set of online training modules that cover the HIPAA Privacy, Security and Breach Notification Rules. Classroom and online refresher training is also available. Refresher courses include topics such as: HIPAA 101: Privacy Matters – Protecting Patient Privacy through Data Security Encryption […]

HIPAA Privacy Information

Centered on your privacy: Washington University health care providers respect the confidentiality of our patients' health information by observing the highest standards of ethics and integrity. Our Notice of Privacy Practices describes your rights under HIPAA and how Washington University may use and disclose your protected health information. If you have not reviewed our Notice of Privacy Practices. […]

HIPAA Forms

Patient Communication Form
Email Authorization Form
Media Authorization Form
Medical Records Release Form
Request for Alternative Methods of Communication
Request for Restriction to Health Plan (Self-Pay)
Request for Amendment of Protected Health Information Form
Request for Restrictions on Use or Disclosure of Protected Health Information Form
Washington University Business Associate Agreement
Request for Accounting of […]

HIPAA Patient Forms and Rights

HIPAA provides patients with several rights, all described in our Notice of Privacy Practices. The HIPAA Privacy Office works with our clinical departments, physicians, and Health Information Release Services to facilitate requests related to your rights under HIPAA. These rights include: The right to request a copy of your medical records from Washington University Physicians for yourself or […]

HIPAA Health and Patient Information Policies

Washington University expects all employees and contractors who interact with our patients and/or their protected health information to understand and comply with our policies and procedures related to the HIPAA Privacy and Security Rules. These policies and procedures are designed to help our workforce understand the requirements for the appropriate […]

Business Associate Agreement (BAA)

A legally binding agreement between a HIPAA covered entity (such as a healthcare provider) and a third-party vendor that creates, receives, maintains, or transmits PHI on its behalf, setting out how the vendor must safeguard that PHI in compliance with HIPAA.

Policy 103 Information Security Device Management

This policy outlines the security expectations for all devices (e.g., laptops, mobile phones, thumb drives, external hard drives, etc.) that access WashU information resources or store WashU data.

Policy 112 Information Security Acceptable Use

The Information Security Acceptable Use Policy outlines expectations for the appropriate use of WashU-provided information resources, ensuring that all WashU Community members understand their responsibilities.

WEBINAR: Detecting AI Voice Clones with Dr. Ning Zhang

Curious about potential negative impacts of voice cloning technology? Join our webinar to learn about the cutting-edge deepfake detection research happening at WashU. Ning Zhang, assistant professor of computer science & engineering in the McKelvey School of Engineering at WashU, was one of three winners of the FTC’s Voice Cloning Challenge announced April 8. Zhang’s winning project, DeFake, […]

Meet Your InfoSec Team: Dean Boenzi, Information Security Analyst III

Dean Boenzi, Information Security Analyst III, is one of the newest InfoSec team members. Dean’s primary duties on the InfoSec team revolve around “ensuring data security and compliance.” He supports the Data Loss Prevention (DLP) program by “developing policies, conducting risk assessments, monitoring alerts, and investigating HIPAA violations to maintain patient privacy and to protect […]

InfoSec Alert: PHI not allowed in Adobe AI Assistant

Use of Adobe’s AI Assistant with HIPAA Protected Health Information (PHI) is not permitted at WashU. While Adobe’s information security and intellectual property protections are compatible with other uses, federal law requires a Business Associate Agreement (BAA) before HIPAA PHI may be shared with a third party. Non-AI Assistant use of Adobe desktop products keeps […]

Cloud Threats, Opportunities, and Safety

As more data, identities, and services move to the cloud, they are increasingly targets of threat actors, with potentially life-altering consequences. In 2017, a breach of Equifax exposed the personal information, including Social Security Numbers (SSNs), of 143 million Americans by the company's initial count (later revised to roughly 147 million). While this article was being written, Ticketmaster suffered a major data breach of data it held with its cloud data vendor, Snowflake. Those are just two […]

Control Zone

A control zone is a categorical designation applied to infrastructure . . .

Policy 100 Information Security Program

The Information Security Program Policy is the foundation of the policy library and provides a rationale for the directives communicated in all other information security policies.

Keeping Information Security Simple – “Using Code Words to Defeat the AI Menace”

Letter from the CISO, Vol 3 Issue 9. Washington University Community: Artificial Intelligence is a tool. Artificial Intelligence, or AI, has received a lot of attention and interest over the past year, primarily due to the great advances in productivity and quality it seems to promise. WashU IT is excited to be helping the university […]

Security Guidance for Automatic Transcription Services

Many WashU community members create audio and video recordings in research, during meetings, while attending lectures, and in other circumstances. These recordings can be indispensable to a project because they document what was said with perfect fidelity for future reference and analysis. A transcript of the recording is even more helpful, making it easy to […]

Compliance

Compliance in cyber security means meeting defined standards and abiding by the regulations that apply to an organization…

Business Associate Agreement (BAA) Explained

If you work with Protected Health Information (PHI), you have probably heard mention of a business associate agreement. At WashU, it is essentially a contract between WashU and a business associate concerning the handling of PHI. Who is a Business Associate? It is a person or entity outside of WashU who creates, receives, maintains, or […]

WEBINAR: Exciting Days in the Office of Information Security with CISO, Chris Shull

Curious about attempted cybercrime at WashU? Join our webinar to learn about how WashU protects its users and systems from online threats. Chris Shull, Chief Information Security Officer, will talk about the comprehensive preventive, detective, and responsive defenses we are building in response to the wide range of Information Security challenges we face. One […]

WEBINAR: Careers in Cybersecurity with Brian Allen

Did you know that there are more than three million open positions in cybersecurity today? There is a huge demand for cybersecurity professionals today, and the Bureau of Labor Statistics predicts that this trend will continue for the next decade and beyond. This high demand means opportunity, competitive salaries, and job security. Effective cybersecurity requires […]

WEBINAR: Phishing Incidents and their Impact to the University with Jason Murray

Curious about attempted cybercrime at WashU? Join our webinar to learn about how WashU protects its users and systems from online threats. Information Security Assistant Director and Architect for Digital Forensics and Incident Response, Jason Murray, will discuss incidents and vulnerabilities detected on the WashU network during the last year and the new tools […]

WEBINAR: Security in Research with Michael Mayer

Do you want to know how security plays into research at WashU? Please join Michael Mayer, Information Security Analyst III, with the Office of Information Security, and bring your questions about how to secure your research. Mark your calendars and join us via Zoom on October 11 at 12 pm CST. This webinar is exclusively […]

Wonderful OneTrust

The Information Security Governance, Risk, and Compliance (GRC) team, led by Assistant Director, Denise Woodward, handles many types of security-related requests from the WashU community. When researchers need a security review of the tools they’re using for a study, when a department wants to adopt new technology, or when someone requires a specialized solution for […]

Protected Health Information (PHI)

Protected health information (PHI) is individually identifiable health information that is created, received, maintained, or transmitted by a HIPAA covered entity or its business associates in the course of providing healthcare, conducting healthcare operations, or obtaining payment for those services.

IRB Security Review

In the IRB Security Review process, our team works with research coordinators to evaluate security risks involved in the research process.

Keeping Information Security Simple – Privacy – Free isn’t free: If you aren’t paying for it, you and your data are the product being sold!

Letter from the CISO, Vol 1 Issue 8 Washington University Community: This is the National Cybersecurity Alliance’s Data Privacy Week (https://staysafeonline.org/data-privacy-week/), and because security is closely related to privacy, I thought I’d say a few things about it. The “right to privacy” was defined by Justice Louis Brandeis in an 1890 article as the right […]

Threats to Your Research Data and Intellectual Property

Your research data and intellectual property are valuable, not only in the pursuit of knowledge for the betterment of society but also to cybercriminals who seek to steal it or hold it for ransom. According to the Federal Bureau of Investigation, intellectual property theft is a growing threat in the digital era, and much […]

Meet Your InfoSec Team: James Gagliarducci, Information Security Director

James Gagliarducci, Director of Information Security, an electrical engineer by training and a security whiz by experience and certification, started out designing radar systems for the Department of Defense. He joined WashU IT as a network engineer in the 90s. Remembering those days, James says, “I loved it.” When the Health Insurance Portability and Accountability […]

Protected Data

Protected data refers to data regulated by federal, state, and local legislation.

Phishing 101

Email phishing has long been the method of choice for many cybercriminals who seek to exploit vulnerabilities for personal gain. These attacks are continually revised and refreshed to take advantage of current trends and new strategies used to socially engineer their victims. Phishing works so well because it takes advantage of human emotion, convincing unsuspecting […]

Thank You for Participating in Cybersecurity Awareness Month 2020

The Office of Information Security extends its gratitude to the faculty, staff, and students who participated in the events and activities of Cybersecurity Awareness Month 2020! During the month of October, we hosted a slate of webinars and presentations to help our community stay informed and empowered in the digital era. This year, our program […]

WEBINAR: Securely Managing Protected Information

The HIPAA Privacy Office, WashU IT, and the Office of Information Security invite you to attend a one-hour discussion and Q&A about safely handling protected data and using WUSTLBox to develop a secure workflow. Hosts will include Christine Schorb, HIPAA Privacy Officer, Eric Suiter, Systems Engineer with expertise in WUSTLBox, and Kevin Hardcastle, Chief Information […]

Protect Yourself from Social Engineering

The Office of Information Security continuously works to protect our community from a wide variety of phishing activity and other security threats. Currently, the majority of the phishing threats we see involve some form of social engineering. What is social engineering? Social engineering attempts to manipulate people by exploiting psychology and emotions such as fear, […]

Tax Deadline Extension and Phishing Scams

As a result of the COVID-19 pandemic, the deadline for filing state and federal tax returns is postponed until July 15, 2020. As the deadline approaches, we want to make you aware of the more common tax fraud scams that our office sees each year. We have also compiled some helpful resources to assist you […]

Tax Time is Open Season for Phishing Scams

Tax season is here again, and with it comes an uptick in scammers using phishing emails designed to steal personal information from their victims in order to commit tax fraud. We encourage you to use extreme caution with any email correspondence requesting personal information. Please refrain from opening any attachments or following any links in […]

NCSAM Retrospective

The Office of Information Security recently wrapped up a month of exciting activities and events across Washington University campuses for National Cybersecurity Awareness Month. We are grateful to everyone who took the time to participate in this year’s events, and we are already looking forward to next year’s program. During October 2019, the Office of […]

Security Controls

The Office of Information Security (OIS) will review and identify the applicable security frameworks – International Organization for Standardization (ISO) standards, the National Institute of Standards and Technology (NIST) security controls in Special Publication 800-53, and other identified industry standards – to be applied and tailored within Washington University (WashU) departments and schools. Controls will be assigned to create protection levels. Control […]

Recommended IT Services for Confidential or Protected Information

Before using external websites or cloud services to store, create or transmit WashU Confidential or Protected information, please review the tables below for approved services. If what you are looking for is not listed, the following reviews are needed. Collaboration: Reference the tables below to determine which collaboration service is best for storing and sharing your data. […]

Vulnerability Assessment

The scanner is capable of meeting all the requirements of NIST SP 800-53 control RA-5 (Vulnerability Monitoring and Scanning) at the low, moderate, and high baselines. The appliance performs assessments against system security policies and identifies vulnerabilities by CVE identifier and CVSS score. It has customizable templates that measure compliance with SOX, PCI DSS, HIPAA, ISO 27002, FISMA, and the FDCC (Federal Desktop Core Configuration) baseline. It supports content […]