1. Introduction to Cybersecurity & Information Assurance for FQHCs April 13, 2011 Amelia Muccio Director of Emergency Management amuccio@njpca.org

2. Objectives Cybersecurity Information assurance FQHCs as target Cyber threats/risks Vulnerabilities Countermeasures Safeguarding Promoting a culture of security.

3. Serious Threat Richard Clarke was famously heard to say, "If you spend more on coffee than on IT security, then you will be hacked. What's more, you deserve to be hacked.” The growing number of attacks on our cyber networks has become, in President Obama’s words, “one of the most serious economic and national security threats our nation faces.”

4. Who & What is At Risk? Economy Defense Transportation Medical Government Telecommunications Energy Sector Critical Infrastructure Computers/Cable TV/Phones/MP3/Games.

5. Fundamental Concepts of Information Assurance Confidentiality (privacy) Integrity (quality, accuracy, relevance) Availability (accessibility) CIA triad

6. Internet In 1995, 16 million users (0.4%) In 2010, 1.6 billion users (23.5%) Unable to treat physical and cyber security separately, they are intertwined.

7. How Does an Attack Happen? Identify the target Gather information Plan/Prepare the attack Attack

8. Information Gathering..

9. Attack Trends Increasing sophistication Decreasing costs Increasing attack frequency Difficulties in patching systems Increasing network connections, dependencies, and trust relationships

10. What Threatens Information? Misuse Disasters Data interception Computer theft Identify/Password theft Malicious software Data theft/corruption Vandalism Human error

11. Threats A threat is any potential danger to information and systems 3 levels of cyber threats Unstructured Structured Highly structured

12. Unstructured Threats Individual/small group with little or no organization or funding Easily detectable information gathering Exploitations based upon documented flaws Targets of opportunity Gain control of machines Motivated by bragging rights, thrills, access to resources

13. Structured Threats Well organized, planned and funded Specific targets and extensive information gathering to choose avenue and means of attack Goal-data stored on machines or machines themselves Exploitation may rely on insider help of unknown flaw Target drives attack Organized crime/black hat hackers

14. Highly Structured Threats Extensive organization, funding and planning over an extended time, with goal of having an effect beyond the data or machine being attacked Stealthy information gathering Multiple attacks exploiting unknown flaws or insider help Coordinated efforts from multiple groups “Cyber warfare”

15. Web as Weapon Infrastructure run by computers Government SCADA system Overflow dam, disrupt oil supply Sewage plant in Australia overflowed due to black hat hackers Cyberterrorism (Bin Laden and Aum Shinrikyo) Combined attack Cause power outage and biological attack EMS disruption and nuclear emergency Next war fought with code & computers

16. Hackers and Crackers White hat hacker-curious, explore our own vulnerabilities, bragging rights/just did it. Black hat hacker/cracker-malicious intent, exploit vulnerabilities for monetary profit or gain or perpetrate a crime, organized crime. Gray hat hacker-helpful or ethical hacker, motivated by a sense of good. Cowboys. GHHs find vulnerabilities, notify company of them so they can be fixed and resolved.

17. Gray Hats Adrian Lamo Find vulnerabilities, inform company WorldCom, Google, NYTimes, Bank of America, NASA NYTimes used SSN # as passwords Edited Yahoo Story Robert Lyttle DoD, Pentagon Both got into trouble!

18. Early Days…Phone Phreaking 2600 Hz Tone Captain Crunch Whistle & 4 th E above Middle C Long whistle reset line, then dial w/whistle Tricked phone companies/tone dialing Free long distance and international calls

19. Risk Threat + Vulnerability Likelihood of an undesirable event occurring combined with the magnitude of its impact? Natural Manmade Accidental or Intentional People are the weakest link

20. Risk Management Identifying and assessing risk, reducing it to an acceptable level and implementing mechanisms to maintain that level Protect against: Physical damage Human error Hardware failure Program error Cyber attack

21. Risk Handling Discussion Risk reduction (countermeasures, HVA) Risk transference (insurance) Risk acceptance (may happen) Risk rejection (do nothing) Security assessments are an important part of risk management Penetration testing Identify all vulnerabilities and threats to information, systems and networks

22. Contingency Planning Components How to handle disruption? Business continuity Disaster recovery Incident response

23. Recovery Strategy A recovery strategy provides direction to restore IT operations quickly and effectively Backup methods Alternate sites Equipment replacement Roles and responsibilities Cost considerations

24. BCP A comprehensive written plan to maintain or resume business operations in the event of a disruption Continue critical business operations Jeopardize normal operations Most critical operations May require alternate sites (hot, warm, cold) What do we need to KEEP going?

25. DRP A comprehensive written plan to return business operations to the pre-disruption state following a disruption Restore IT functions (prep and restore) Jeopardize the normal operations Includes all operations RETURN TO NORMAL BUSINESS OPERATIONS WHAT DO WE NEED TO DO IN CASE OF A DISASTER?

26. Plan Testing, Training and Exercising Testing is a critical to ensure a viable contingency capability Conduct plan exercises TTXs are useful

27. Policies and Procedures Establish security culture Establish best security practices Define goals and structure of security program Educate personnel Maintain compliance with any regulations Ex: email policy, Internet usage, physical security

28. Physical Security Countermeasures Property protection (door, locks, lightening) Structural hardening (construction) Physical access control (authorized users) Intrusion detection (guards, monitoring) Physical security procedures (escort visitors, logs) Contingency plans (generators, off site storage) Physical security awareness training (training for suspicious activities)

29. Personal Security Practices established to ensure the safety and security of personnel and other organizational assets It’s ALL about people People are the weakest link Reduce vulnerability to personnel based threats.

30. Personal Security Threat Categories Insider threats-most common, difficult to recognize Includes sabotage and unauthorized disclosure of information Social engineering-multiple techniques are used to gain information from authorized employees and using that info in conjunction with an attack Not aware of the value of information

31. Social Engineering Being fooled into giving someone access when the person has no business having the information.

32. Dumpster Diving and Phishing DD-rummaging through company’s garbage for discarded documents Phishing-usually takes place through fraudulent emails requesting users to disclose personal or financial information Email appear to come from a legitimate organization (PayPal)

33. P & P Acceptable use policy-what actions users may perform while using computers Personnel controls-need to know, separation of duties Hiring and termination practices- background checks, orientation, exit interview, escorting procedure

34. Private Branch Exchange (PBX) Systems Toll fraud Disclosure of information Unauthorized access Traffic analysis Denial of Service (DoS)

35. PBX Threat Countermeasures Implement physical security Inhibit maintenance of port access Enable alarm/audit trails Remove all default passwords Review the configuration of your PBX against known hacking techniques

36. Data Networks For computers to communicate Less expensive to use same network Modems designed to leverage this asset

37. Modem Threats Unauthorized and misconfigured modems Authorized but misconfigured modems

38. Wardialing Hackers use a program that calls a range of telephone numbers until it connects to an unsecured modem and allows them dialup access Identify potential targets

39. Modem Threat Countermeasures Policy Scanning Administrative action Passwords Elimination of modem connections Use a device to protect telephony-based attacks and abuses

40. Voice Over Internet Protocol (VoIP) VoIP is a technology that allows someone to make voice calls using a broadband Internet connection instead of a regular (analog) phone line

41. VoIP Benefits and Threats Less expensive Increased functionality Flexibility and mobility Service theft Eavesdropping Vishing Call tampering

42. VoIP Threat Countermeasures Physical control Authentication and encryption Develop appropriate network architecture Employ VoIP firewall and security devices

43. Data Networks Computers linked together Hosts (computers, servers) Switches and hubs Routers

44. Common Network Terms Local Area Network (LAN)-network grouped in one geographic location Wide Area Network (WAN)-network that spreads over a larger geographic area Wireless LAN (WLAN)-is a LAN with wireless connections

45. Data Network Protocols Transmission Control Protocol (TCP)-moves data across networks with a connection oriented approach User Datagram Protocol (UDP)-moves info across networks with a connectionless oriented approach Internet Control Message Protocol (ICMP)-OS to send error messages across networks Hypertext Transfer Protocol (HTTP)-transfers web pages, hypermedia

46. Data Network Threats Information gathering Denial of Service (DoS) Disinformation Man-in-the-middle Session hijacking

47. Information Gathering Threats/Network Scanning What target is available? Reduces time on wasted effort (attacker) One of the most common pre-attack identification techniques is called scanning Scanning uses ICMP service “PING” PING SWEEP-echo request to range of addresses (provides list of potential targets) Are you there? Yes, I am there. Firewall should protect against

48. Sniffing A sniffer is a program that monitors and analyzes network traffic and is used legitimately or illegitimately to capture data transmitted on a network

49. Denial of Service (DoS) Degrade and prevent operations/functionality Distributed denial of service (DDoS) attack uses multiple attack machines simultaneously Vast number of ICMP echo request packets are sent to the target, overwhelming its capability to process all other traffic

50. Ping Flood/Ping of Death Ping flood-too much ping traffic drowns out all other communication Ping of Death-oversized or malformed ICMP packets cause target to reboot or crash Host cannot cope with ping packets Ping of Death relies on a vulnerability of buffer overflow Buffer overflow-size of input exceeds the size of storage intended to be received

51. Smurf Attack (Ping Flood) Large stream of spoofed Ping packets sent to a broadcast address Source address listed as the target’s IP address (spoofed) Broadcast host relays request to all hosts on network Hosts reply to victim with Ping responses If multiple requests sent to broadcast host, target gets overloaded with replies

52. DDOS with Zombies/Botnet Zombies-infected computers Botnet-bunch of infected computers (same time)- massive traffic DDoS attack where a multitude of compromised systems attack a single target Flood of incoming messages to target system and force a shut down Google was target

53. Man-In-The-Middle Attacks Instead of shutting down target networks, attackers may want access Access information between authorizes parties and observes it Uses a sniffer and gains information Digital wiretapping Types of attacks Eavesdropping Session hijacking

54. Network Attack Countermeasures Countering the threats Scans/Sniffing/Ping sweeps DoS/DDoS Smurf attack Session hijacking Eavesdropping

55. Ways to Recognize Scanning System log file analysis Network traffic Firewall and router logs Intrusion Detection Systems (IDSs) –NIDS “Snort” or HIDS “OSSEC” Recognize as soon as possible Perform regular monitoring

56. Defending Against Scanning-Use More than 1 Block ports at routers and firewalls Block ICMP, including echo Segment your network properly Hide private, internal IP addresses Change default account settings and remove or disable unnecessary services Restrict permissions Keep applications and operating systems patched

57. Sniffing Countermeasures Strong physical security Proper network segmentation Communication encryption To guard against sniffing, make sure attacker cannot access a legitimate communication stream

58. DoS and DDoS Countermeasures Stop the attack before it happens Block “marching orders” Patch systems Implement IDS Harden TCP/IP Avoid putting “all eggs in 1 basket” Adjust state limits Keep us from being targeted and lock down assets

59. Snort (Network IDS) Snort’s open source network-based intrusion detection system has the ability to perform real- time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching, and content matching. The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface, buffer overflows, server message block probes, and stealth port scans. FREE

60. Other Countermeasures Encrypted session negotiation (ensure handshake process) Repeating credential verification during the session (kick out hijackers) Partitions User training (all personnel can understand security)

61. Defense-In-Depth Defense-in-depth is an information assurance (IA) strategy in which multiple layers of defense are placed throughout an information technology (IT) system. It addresses security vulnerabilities in personnel, technology and operations for the duration of the system's life cycle.

62. Perimeter Defense Countermeasures Router security Demilitarized Zone Bastion host Firewalls Intrusion Detection Systems Intrusion Prevention Systems Virtual Private Network (Defensive technologies)

63. Routers First line of perimeter defense Connects external environment to internal network Securely configured Audit regularly Keep patched and updated

64. DMZ Machine or machines accessible by the Internet, but not located on the internal network or the Internet Web server Email server Should not contain much valuable data IDS sensor to detect malicious traffic

65. Bastion Host “Harden/Locked Down” Highly exposed to attacks in DMZ Web server Email server Locked down/hardened system Unnecessary services disabled No unnecessary applications Fully patched Unnecessary ports closed Unnecessary accounts disabled

66. Firewalls Control connections from one network (or portion of network) to another (restrict Internet access) Enforce security policy Hardware or software Firewalls DO NOT monitor connections not passing directly through it—not a magic bullet Even perfectly configured is still vulnerable Packet filtering Proxies Stateful inspection

67. Intrusion Detection System (IDS) Detects suspicious activity Alerts upon discovery of possible compromise attempts Compromised of several components Sensors Analyzers Administrator interfaces IDS can search for attacks, terminate connections, send real time alerts, protect system files, expose hacking techniques, illustrate vulnerabilities and even assist in tracking down hackers

68. Common Types of IDS Host based-mail server, web server or individual PC Network based-network itself,

69. Virtual Private Networks (VPN) A secure, private data connection through a non-secure public network Often through the Internet Uses encryption and tunneling protocols

70. Wireless Technology Allows communication between multiple systems/devices without physical connection Much less expensive than wired solutions WLAN.

71. Wireless Threats and Countermeasures Access point mapping Service Set Identifier (SSID) broadcasting Default SSID Radio frequency management Default settings Authentication Bluetooth security

72. Access Point Mapping WLAN version of wardialing An AP is a device connecting a wired network to wireless devices using radio frequency Software (net stumbler, air snort, void11) Warchalking (available access points).

73. Service Set Identifier (SSID) Broadcasting “Beaconing”-this is the continuous announcement by a Wi-Fi access point that it is available. SSID is name assigned to the wireless connection Default SSIDs poses a security risk even if the AP is not broadcasting b/c default names are widely known

74. Radio Frequency Management The signal should die out before it reaches the physical boundaries of the property This helps unauthorized users from driving by and intercepting confidential wireless signals

75. Default Settings Many access points arrive with no security mechanism in place Changing the default settings before deployment should be a matter of organizational practice

76. Authentication Issues Open system-SSID, subject to sniffing Shared key-SSID plus WEP encrypted key required, subject to man-in-the middle attacks Many wireless networks do not contain adequate authentication mechanisms Both Open and Shared are considered weak

77. Authentication Issues WEP standard proven insufficient Replaced with Wi-Fi Protected Access (WPA) WPA demonstrates its own weaknesses Replaced by WPA2 which is viewed as more secure.

78. Bluetooth Security Popular short-range technology Used for many personal electronic devices including phones, music players, etc. Threats Bluejacking-sending unsolicited messages to Bluetooth devices Bluesnarfing-unauthorized access of information from a wireless device through a Bluetooth connection Bluebugging-unauthorized control of Bluetooth assets

79. Operating System A program that acts as an intermediary between a computer user and the computer hardware “GUI” Graphical User Interface Process management Main memory management File management I/O system management Secondary storage management Network management Protection system management User interface management

80. Operating System Security Confidentiality: only let authorized entities access computer and information Integrity: only allow authorized changes to information Availability: manage resources to permit access to information and system at all required times

81. Authorization and Authentication WHO IS AUTHORIZED? Authorized by policy of organization and operational requirements HOW DO WE KNOW? Accounts (identification) Known systems Passwords Secure communication channel

82. Access Control Verifying the identity of entities before granting access and restricting access Controls how users and systems communicate and interact with other systems and resources First line of defense Authenticate before allowing access to authorized resources Policies, locks, passwords Social media policies??

83. Auditing A trail to follow Creation of logs A log is a record of events or activities that occur Detectable events Collect and save in secure information Analyze results.

84. Threats to OS The basic problem with OS and computers is that a system allows unauthorized users to compromise the system to gain unauthorized access to system resources Weak/Broken identification Weak internal security structures Programming errors in operating system

85. Once Identified, Authorize User accounts are the mechanism used to identify and authorize people Access control is based on identification Most common authentication is a password Password and account policies help improve security

86. Implementing Policies The whole access control process is driven by policies and procedures One part of the implementation is policies is to implement a password policy that makes it less likely that an attacker can break into computer systems by compromising a password

87. Password Policy What makes a good password policy? New password Reuse of old passwords Length of validity When can it be changed Minimum length of password Complexity requirements Should password be stored.

88. Specific OS Attacks Dos: attack on availability, consume resources Hack: exploit a vulnerability to gain unauthorized access to the system Backdoor: An access method that bypasses the normal security of the system Memory issues: Memory is not erased before given to another program Escalation of privileges: user exploits vulnerability to gain unauthorized access Default settings: most OS ship with simplest configuration, security disabled

89. Securing Systems Perform system hardening Find out what vulnerabilities are still present Fix them

90. Countermeasures: DoS Set network and host firewall filters for known bad traffic Apply OS patches for know vulnerabilities Limit time and resources to processes Monitor for threat activity on the network and host using IDS “Detect and block”

91. Countermeasures: Hack the System Use account and password policies Change default accounts, settings, passwords Use restricted accounts for services Apply OS patches for known vulnerabilities Turn off unnecessary services Watch for social engineering

92. Countermeasures: Backdoor Backdoors are installed by the developer Disable any unnecessary default accounts Apply OS patches for known vulnerabilities Scan system periodically Monitor system

93. Countermeasures: Memory Issues Memory management is an issues that has a severe impact on performance Apply OS patches for known vulnerabilities Turn on security features Reclaim memory on process termination

94. Countermeasures: Escalation of Privileges Apply OS patches for known vulnerabilities Monitor system Establish restricted accounts for services (don’t run everything as administrator)

95. Countermeasures: Default Settings Disable unnecessary accounts and services Apply OS patches for known vulnerabilities Follow lockdown procedures when possible Monitor the system

96. Common Application Security Threats Unauthorized access to applications: first line of defense is access control Cross-Site Scripting: browser allows code injection SQL injection: inserts independent queries into a database Buffer flow: input from a user exceeds the length or other characteristics of an expected input Arbitrary code execution: one of the common methods used by attackers to execute commands to take over or crash the targeted machine

97. Unauthorized Access Countermeasures Determines what object can access application Can be implemented based on users, permissions, and folder structures UserID and password Honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.

98. XSS Countermeasures Vulnerability in web applications Web server owner should: Keep web server updated Scan for XSS vulnerabilities Configure applications and servers properly User should: Keep web browser updated Practice safe web surfing Attend awareness training

99. SQL Injection Countermeasures Database vulnerability (credit card info/patient information) Input validation Manual code review Least privilege When not required, disable privileges to stored procedures, tables, etc. Limit execution privileges to SELECT, UPDATE, DELETE and user-stored procedures

100. Buffer Overflow Countermeasures Software vulnerability and programming (C and C++) Stack buffer overflow “Morris Worm” Write secure code Use compiler tools to detect unsafe instruction sets in application Have a limited number of processes running Keep your application updated with latest patches from software vendor Control privilege

101. Arbitrary Code Execution Countermeasures Software bug Install latest updates and Service Packs Disable scripting and ActiveX (Drive by) Configure application securely Use alternate, safer applications

102. Drive by Download Drive by Download is an unintended download of computer software from the Internet: 1.Downloads which a person authorized but without understanding the consequences (e.g. downloads which install an unknown or counterfeit executable program, ActiveX component, or Java applet). 2.Any download that happens without a person's knowledge. 3.Download of spyware, a computer virus or any kind of malware that happens without a person's knowledge.

103. Personal Information Threats Unauthorized access to personal information Loss of personal information Unauthorized disclosure of personal information Spoofing Malicious software (Malware)

104. Unauthorized Access to Personal Information Commonly done by cracking user passwords Recovering passwords from data that has been stored in or transmitted by a computer system Password cracking methods Dictionary Hybrid Brute force (every password WILL be cracked)

105. Password Cracking (1-11) andy helen2008 Computer Jonas_Puente marykay htimsnosaj b1@nc@&l33 cold*beer 020973 n1h0nj1n *pdbmc12

106. Loss of Personal Information Human error, 32% Software corruption, 25% Virus attack (malware), 22% Hardware failure, 13% Sabotage, 6% Natural disasters, 2%

107. Spoofing A situation in which a person/program successfully masquerades as another by presenting false information.

108. Malicious Software (Malware) Designed to damage/disrupt a system without the owner’s consent. Software that gets installed on your system and performs unwanted tasks. Pop ups to virus deployment.

109. Virus Individual programs that propagate by first infecting executable files or the system and then makes copies of itself. Can operate without your knowledge (visit website, you open attachment). WE OPEN IT

110. Worm Designed to replicate and spread from computer to computer (attach to file and run on their own) WE DON’T HAVE TO OPEN IT

111. Trojan Horse Designed and written like normal programs but have hidden code that can compromise your system from remote user/computer.

112. Logic/Time Bomb Program that lies dormant until it is activated by something (date, message).

113. Spyware Computer software that gathers information about a computer user and transmits it without your knowledge (benign or malignant, websites or credit card information).

114. Adware Advertising supported software in which advertisements are displayed while the program is running.

115. Malware Goals Malicious code threatens three primary security goals: Confidentiality: Programs like spyware can capture sensitive data while it is being created and pass it on to an outside source. Availability: Many viruses are designed to modify operating system and program files, leading to computer crashes. Internet worms have spread so widely and so quickly that they have overloaded Internet connections and email systems, leading to effective denial-of-service attacks. Integrity: Protecting information from unauthorized or inadvertent modification. For example, without integrity, your account information could be changed by someone else.

116. Personal Information Security Countermeasures Password policies Backup Cryptography Spoofing countermeasures Malware detection and prevention

117. Password Policies History- 10 passwords Max age- 120 days Min age- 5 days or 0 for shoulder surfing Min length- 15 characters (at least 8) Complexity- enabled Combo of upper & lower case & special character & number La2!xxxx No dictionary words/patterns No easily obtainable information No birthdays, pet names, fictional character, proper noun, etc Use of mnemonics

118. Backup Copying files to a second medium for later retrieval as a precaution in case the first medium fails Perform frequently Keep in a separate location 93% of companies that lost their data center for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster 50% of businesses that found themselves without data management for this same period filed for bankruptcy immediately

119. Spoofing Countermeasures Practice safe email usage and web surfing Attend security awareness training

120. Malware Countermeasures Only run software you can trust Install antivirus software Scan file attachments with antivirus software before opening Verify critical file integrity BACKUP

121. Electronic Health/Medical Records An electronic health record (EHR) is an evolving concept defined as a systematic collection of electronic health information about individual patients or populations It is a record in digital format that is capable of being shared across different health care settings, by being embedded in network-connected enterprise-wide information systems Such records may include a whole range of data in comprehensive or summary form, including demographics, medical history, medication and allergies, immunization status, laboratory test results, radiology images, vital signs, personal stats like age and weight, and billing information

122. Health Insurance Portability and Accountability Act of 1996 (HIPAA) The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.

123. EHR Advantages Reduction of cost Improve quality of care Promote evidence- based medicine Record keeping and mobility Disadvantages Costs Time.

124. Are EHRs Vulnerable? YES! Vulnerabilities discovered, reported to eHealth vendor and then patched Patches take A LOT of time to fix 2,211 days (vendor) vs. 284 days (Microsoft) No one eHealth vendor in charge

125. Possible Issues Unauthorized users can compromise integrity and confidentiality Unauthorized access to computer networks Password protection (hacks and policies) Subversive software (malware) Disaster

126. Privacy and Security Issues Data breaches Theft Lost devices Social networking

127. Personally Identifiable Information (PII) Information that permits the identity of an individual to be inferred directly or indirectly PII includes any information that is linked or linkable to that individual, regardless of whether the individual is a U.S. citizen, a legal permanent resident, or a visitor to the United States Apply the "need to know" principle before disclosing PII to other personnel Challenge the need for the requested PII before sharing Consider PII materials for official use only Limit the collection of PII for authorized purposes only

128. Examples of PII Name Date of birth Biometrics Mailing address Phone # Email address Zip code Account numbers License information Social Security # Place of birth License plate Photos

129. Sensitive Data Confidentiality of patient records Mental health Sexual health Drug/alcohol Minors Intimate partner violence/sexual violence Genetic information

130. Privacy and Security of EHR Security program components and regulatory requirements (HITECH, HIPAA, Breach Notification Laws, State Laws) Risk assessment and mitigation plans Security program evaluation Privacy and security awareness training for all staff Disclosure logs

131. Privacy and Security Security audit programs will be under the purview of the OCR (Office of Civil Rights) which is expected to begin with existing programs in 2011. CIA Triad

132. Data Segmentation Structured data fields Common data definitions Data entry Locating data Technology and codes Building intelligence

133. Safeguarding PII Store sensitive information in a room or area that has access control measures to prevent unauthorized access by visitors or members of the public (e.g., locked desk drawers, offices, and file cabinets) Never email sensitive information to unauthorized individuals. Never leave sensitive information on community printers Take precautions to avoid the loss or theft of computer devices and removable storage media Destroy all sensitive information by appropriate methods (paper shredder) when it is no longer needed Notify your immediate supervisor if you suspect or confirm that a privacy incident has occurred

134. Security Vulnerabilities and Countermeasures Safeguard data Monitor control on key systems and check inadequate logging Protect access control Data encryption Privacy awareness training Create strong vendor management Develop business continuity and incident response plans

135. Security and Assurance Program Protective measures to address potential cyber security threats include: Firewalls and virus protection systems Password procedures Information encryption software Computer access control systems Computer security staff background checks (at initial hire and periodically) Computer security staff training & 24/7 on-call technical support Computer system recovery and restoration plans Intrusion detection systems Redundant & backup systems, & offsite backup data storage

136. In Summary… Identify vulnerabilities Human error is biggest threat Fix vulnerabilities (patches, etc.) Have policies and procedures Computer maintenance program Educate staff Stay informed of latest and greatest

137. References Voice & Data Security: An Introduction to Information Assurance (FEMA/DHS) IS 906: Workplace Security Awareness (FEMA) EHR PPT, Nina Robinson, NJPCA