All employees of Community Care are expected to have an
understanding and awareness of security issues within the Agency. Employees are
encouraged to discuss security concerns, real or potential, with their
supervisors as needed. When an employee is aware of a security issue that rises
to the level of a Security Incident as defined in this procedure, the employee is
expected to take action according to this procedure in order to mitigate risk
to the Agency and to protect confidential and proprietary information.
Definition:
A Security Incident is defined as the attempted or
successful unauthorized access, use, disclosure, modification, or destruction
of information or interference with system operations within any part of the
Community Care data network.
Security Incident Levels:
Depending on the potential risk to the Agency, our clients
or workforce, specific action will be taken in the following situations. If an
employee is unsure of a situation, they should discuss it with their supervisor
or, if the situation may be more urgent, with any available supervisor.
Information and/or systems affected are not limited to those containing
protected health information.
Low or no risk
Description: This security issue does not rise to the
level of a Security Incident and need not be acted on or documented unless it
occurs repeatedly or is of concern for some other reason, in which case it
should be treated as a Medium Risk situation.
Examples: Employee inadvertently leaves a workstation
unlocked; a Treatment Plan is delivered to the wrong DHHS worker.
Action: None. Employees should self-correct and/or
speak to their supervisor for assistance. If employees find a low/no risk
security breach, they should bring it to the specific colleague's attention.
Medium risk
Description: This security issue has potential to
cause minor harm to the Agency or a small group or individual.
Examples: Employee inadvertently emails a Treatment
Plan to a party completely unrelated to the client; a laptop is stolen with a small
amount of confidential data on it; electronic protected health information is
stored on a floppy disk in a manner not consistent with policy; an employee
emails harassing or potentially offensive material.
Action: Notify supervisor and Administrative Services
Manager or designee as soon as possible within 8 hours to assist with
appropriate level assessment. Administrative Services Manager will document the
incident on the appropriate form. Supervisor and Administrative Services
Manager will determine follow-up required, as necessary.
High risk
Description: This security issue has potential to
cause moderate to severe harm to the Agency, providers or clients.
Examples: Our website is defaced by hackers; a member
of the outside community accesses and disseminates sensitive information to an
audience hostile to our Agency or clients; a disgruntled employee systematically
deletes Agency data.
Action: Supervisor and Administrative Services
Manager or their designee will be contacted immediately to assist with
appropriate level assessment and action plan. As the supervisor and
Administrative Services Manager or designee determine necessary, the Program
Manager and/or Management Team will be notified as soon as is determined
necessary to assess and mitigate damage. The Administrative Services Manager
will document the incident on the appropriate form.