
Privacy and Information Security
Dennis Schmidt, HIPAA Security Officer, UNC School of Medicine
UNC School of Medicine Student Orientation, August 8, 2012





2 Agenda
- Privacy
- Information Security

3 Privacy

4 What is HIPAA?
- HIPAA stands for the Health Insurance Portability and Accountability Act, a federal law passed in 1996 that affects the healthcare and insurance industries.
- HITECH: the economic stimulus package of 2009 added increased penalties and reporting requirements.
- PHI means Protected Health Information. PHI is any health information that can be used to identify a patient and which relates to the patient’s past, present, or future physical or mental health or condition, healthcare services provided to the patient, or the payment for these services.

5 Examples of PHI Identifiers
Any of the following items, when used to identify a patient and combined with health information, creates PHI which is subject to HIPAA regulations:
- Patient’s Name
- Relatives’ Names
- Telephone Numbers
- Fax Numbers
- Email Address
- Medical Record Number
- Employer
- Address (street, city, zip)
- Social Security Number
- Codes
- Fingerprints
- Occupation
- Photographs
- Certificate Numbers

6 Some Basic Privacy Rules of Thumb
- Access to PHI is on a “need to know” basis.
- Having the password to a medical system does not mean that you have a right to view any or all records that are in that system.
- Don’t discuss PHI in public areas.
- Think of how you would want your own health information to be handled.
- Dispose of written patient notes in confidential disposal containers (Cintas bins).
- “When in doubt, don’t give it out.”

7 Penalties for Violations
- UNC
  - Written Warning
  - Honor Court
  - Dismissal
- Civil/Criminal (each violation)
  - Did not know: $100-$50,000
  - Reasonable cause: $1,000-$50,000
  - Willful Neglect (Corrected): $10,000-$50,000
  - Willful Neglect (Uncorrected): $50,000

8 Information Security

9 The Threat Reality: “From Fame to Fortune”
- The threat used to be “script kiddies” looking for bragging rights. Not anymore!!
- We are now dealing with well funded, highly trained professionals whose full time job is to steal your information.
  - Organized Crime
  - Terrorists
  - Foreign Governments conducting Information Warfare
- There are over 30,000 attempted hacks on the UNC network every day!
  - Approximately 1 attack every 3 seconds
- Our threat vector is the entire world!

10 Good Security Uses a Layered Approach
- There is no single Silver Bullet for security.
- All protections have weaknesses that can be exploited.
- Effective security requires multiple barriers from the network and systems level down to the end user – YOU!

11 How Can We Protect Ourselves?
- Regular Antivirus and Windows Updates
  - Your laptops are configured to do these automatically.
- Regular third party software updates
  - Firefox, Thunderbird, Adobe, etc.
  - Do updates when popups recommend it.
- Basic Safe Practices
  - Don’t open executable attachments or click on questionable links.
  - Use strong passwords
- Also applies to home systems

12 Network Access Control
- Agents installed on machines connected to the SOM network
- Checks for certain security features
  - Antivirus
  - Firewall
  - Patches
  - Peer to Peer software
- Blocks access to the network until remediated
  - Routes browsers to a remediation page

13 Those “Annoying” Windows Security Alerts
- Alerts tell you that a process wants to run on your machine.
- Designed to alert you if a virus or worm tries to execute a command.
- You should only see these if you initiated something, like installing new software or doing updates.
- Make sure you read each alert. Don’t ignore them if they pop up unexpectedly.

14 Protect your ONYEN Password
If somebody gets your password they can:
- Change your password and take control of your account
- Read your mail
- Send out embarrassing mail in your name
- Read, delete, or modify your documents
- Destroy your valuable data
- Turn your account into a spam engine
- Access your student data

15 Safe Password Practices
- Use strong passwords
- Don’t write your password down
- Don’t use the “save password” function
  - Many applications save the password in clear text
- Don’t share your password with anybody
- Don’t use the same password for different accounts
- Use password vaults (Roboform, KeePass, etc.)

16 Use strong passwords
A strong password has some of the following characteristics:
- Is a minimum of 8 characters long (longer is better)
- Has at least one number
- Has at least one special character from this list:
- Does not contain your userid
- Is not a recently used password.
Example: Surg3ry#
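As an added example (not part of the presentation), a small checker that applies the slide’s password rules to a candidate. The slide’s list of special characters did not survive on this page, so SPECIALS below is an assumed set; the “not recently used” rule is checked against salted hashes of earlier passwords, the way a real system would keep them, rather than the old passwords themselves.

```python
"""Check a candidate password against the slide's rules.

Added example, not from the presentation. SPECIALS is an assumption (the
slide's own list is not reproduced here). Password history is kept as
(salt, PBKDF2 hash) pairs, never as plaintext."""
import hashlib
import hmac
import os

SPECIALS = set("!@#$%^&*()-_=+[]{};:,.?/")   # assumed; not the slide's list
MIN_LENGTH = 8


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest used for the history comparison."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password(password: str, userid: str, history=()) -> list:
    """Return the list of rule violations; an empty list means it passes.

    history: iterable of (salt, digest) pairs for recently used passwords.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    if userid and userid.lower() in password.lower():
        problems.append("contains your userid")
    for salt, digest in history:
        # Constant-time compare so timing does not leak which entry matched.
        if hmac.compare_digest(hash_password(password, salt), digest):
            problems.append("recently used password")
            break
    return problems


def remember(password: str, history=(), keep: int = 5) -> list:
    """Add the accepted password to the history, keeping only the last `keep`."""
    salt = os.urandom(16)
    return (list(history) + [(salt, hash_password(password, salt))])[-keep:]


if __name__ == "__main__":
    hist = remember("Surg3ry#")              # the slide's example password
    for candidate in ("Surg3ry#", "surgery", "dschmidt1!", "Surg3ry#2"):
        print(candidate, "->", check_password(candidate, "dschmidt", hist) or "OK")
```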

17 Password Vaults
- Allow you to store your IDs and passwords in a secure encrypted file that is accessible with a strong master password.
- Automatically or semiautomatically log you into your accounts without having to type in ID and password. (Protects from key loggers, too!)
- Some have strong password generators and encrypted storage of other data (e.g., credit card numbers).

18 Password Vault Products
- KeePass – keepass.info
  - Open source – Free!
  - Available for most platforms
- Roboform – roboform.com
  - Commercial – $9.95 per year (Free for up to 10 passwords)
- 1Password – agilebits.com/onepassword
  - Commercial – $49 (Free trial version available)

19 KeePass Interface

20 Secure Email
- The campus mail system is cleared for processing and storing sensitive email.
- To send encrypted messages to addresses outside of campus, put (secure) at the beginning of the subject line.
  - Example: (secure) This is an encrypted message!
- You should get a confirmation message that your message went through the encryption system.
- Test the procedure by sending a test message to your outside account (gmail, etc.).

21 Access From Home
- Home systems face the same threats as systems on campus
- Home systems tend to be more vulnerable because home users tend to be more complacent
- If connected to the internet with broadband (DSL, cable modem) you should have a firewall/router installed
- Homes with wireless capability are particularly vulnerable.
  - It is critical that your wireless is configured for encryption (WEP, WPA, etc.) to prevent intrusion.

22 “Disabled” is Dangerous

23 Cloud Applications
- Outside email accounts (gmail, yahoo, etc.)
  - Not secure, not approved for sensitive information
  - Not approved for official School communication
- Cloud storage (Google Docs, Dropbox, iCloud, etc.)
  - Not approved for sensitive information

24 Email Viruses – So 2000’s!
- Not as common as it used to be, but still a threat. (We block virus messages per day.)
- Spread through “executable” attachments
  - Users are tricked into opening an attachment which runs malicious code
  - Infects the computer with a virus
  - Sends out infected messages to others in their address book
  - May spoof the “From” line with another address from the infected machine’s address book
  - Machine must be “cleaned” to remove the virus
- Our mail system is very effective at blocking viruses, but some could still get through.

25 Social Engineering: The New Frontier
- It is easier to trick somebody into giving you their information than to try breaking into their systems.
- Tools of the trade:
  - Phishing messages
  - Facebook links
  - Compromised web sites
  - Fake Antivirus
  - Phone calls

26 Phishing
- An attempt to trick you into providing sensitive information
- Common Themes:
  - “You have exceeded your quota, please verify your account information”
  - System malfunction or upgrades, we need you to verify your information.
  - Fake vendor web sites.
  - Major political elections
  - Holidays
  - IRS scams
  - Health Scares
  - Extortion, death threats.

27 Notice the Difference

28 Fake Site: dots, not slashes, after .com (the address ends in .com.info, not .com)

29 Fake Site: a bad password still brings you to this page

30 Real Site: slashes after .com

31 Real Site: a bad password gives you this error! That’s good!

36 Same Message, Different Subject

37 Death Threat

38 Protect Yourself!
- Be suspicious of unsolicited emails or phone calls.
- Don’t provide personal information.
- Don’t reveal personal or financial information in email. Do not respond to solicitations for this information. This includes following links.
- Check a website’s security before submitting sensitive information.
- Pay attention to URLs. Look for variations in spelling.
- If suspicious, try to contact the company directly. (Don’t use contact information in the email!)
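The “dots, not slashes” rule from the fake-site and real-site slides, and the “pay attention to URLs” advice above, written out as a link checker. This is an added example, not material from the presentation; the trusted domain list, the hostnames and the sample message are constructed for it.

```python
"""Classify the links in a message by whether each host really is the site
it names. Added example, not from the presentation. It applies the rule of
the "Notice the Difference" slides: on the real site the expected domain is
followed by a slash (unc.edu/...), on the fake site by a dot (unc.edu.x.info),
i.e. the school's name is just a label inside somebody else's domain.
TRUSTED_DOMAINS and the sample message are constructed for this example."""
import re
from urllib.parse import urlsplit

# Sites students are expected to log in to (assumed list for the example).
TRUSTED_DOMAINS = ("unc.edu", "unchealthcare.org")

# Good-enough link extractor for plain-text mail bodies.
URL_RE = re.compile(r"""https?://[^\s<>"')]+""")


def host_of(url: str) -> str:
    """Hostname of a URL: lowercased, with port, userinfo and trailing dot removed."""
    if "://" not in url:
        url = "http://" + url           # bare host as typed into a browser
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def classify(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown'.

    trusted   : the host IS a trusted domain or a subdomain of one
                (login.unc.edu; a slash follows unc.edu in the URL)
    lookalike : a trusted name appears somewhere in the URL but the host's
                registered domain is something else: unc.edu.verify.info,
                notunc.edu, or unc.edu@evil.example (userinfo trick)
    unknown   : no trusted name involved at all
    """
    host = host_of(url)
    for dom in trusted:
        if host == dom or host.endswith("." + dom):
            return "trusted"
    lowered = url.lower()
    if any(dom in lowered for dom in trusted):
        return "lookalike"
    return "unknown"


def audit_message(text: str):
    """Return [(url, verdict), ...] for every link found in a message body."""
    return [(url, classify(url)) for url in URL_RE.findall(text)]


# Constructed phishing-style message using the slide's "quota" theme.
SAMPLE = """You have exceeded your quota, please verify your account:
https://unc.edu.account-verify.info/login
Real help page: https://help.unc.edu/quota
Unrelated: https://example.org/"""

if __name__ == "__main__":
    for url, verdict in audit_message(SAMPLE):
        print(f"{verdict:9s} {url}")
```

The substring rule is deliberately simple and over-flags (any host merely containing a trusted name is reported as a lookalike); a production filter would resolve the registered domain with the public suffix list instead.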

39 If You Are a Phishing Victim
- If you believe you might have revealed sensitive information, report it to IT Security immediately.
- Immediately change any passwords that you might have revealed, including other accounts that used the same password. Don’t reuse them later.
- If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.

40 Fake Antivirus * Symantec Web Site

41 *Microsoft Web Site

42 Fake A/V “Virus Alert” will pop up without your initiating it.

43 Fake A/V (cont.) All of the alerts will be within your web browser!

44 Fake A/V (cont.) Do NOT click anywhere on the image. Close the BROWSER window and run a full virus scan on your machine immediately.

45 * Symantec Web Site

46 Watch Out for These! (from

47 Peer to Peer (P2P) File Sharing
- Shares your system out to the world (Kazaa, Morpheus, Gnutella, eDonkey, BitTorrent, etc.)
- Allows virtually anybody to read and write to your hard drive!
- Installs trojans, spyware, malware, keyboard readers
- UNC HCS Policy bans P2P use in UNC HCS, including the School of Medicine
- UNC Information Security Policy forbids installing P2P applications on machines that handle sensitive information
- NAC blocks P2P on the SOM network

48 Copyright Issues
- Downloading and sharing copyrighted material (songs, movies, TV episodes, etc.) is illegal.
- If you do illegally download or share files, the chances are good that you will get caught.
- If you get caught, there will be consequences.
  - Temporary loss of network access.
  - Several UNC students have been fined $3000 to $5000 by the RIAA

49 Problems: Spyware and Adware
- Gives unknown entities some control over information on your computer without your knowledge or consent
- Uses “cookies” to capture sensitive information
  - User IDs and Passwords
  - Keystrokes
  - Credit card information
- Possible source of viruses and trojan horses
- Eats up system resources (slows down your machine)
- Recently linked to organized crime and ID theft
- Can be installed when:
  - Visiting web sites
  - Installing and running “free” software programs
  - Playing internet games

50 How do I protect myself?
- Install and run anti-spyware programs
  - Use more than one to make sure you catch more.
- Many are available free of charge
  - Malwarebytes
  - Microsoft Forefront (Microsoft Security Essentials)
  - Super Antispyware
- Your laptops have Malwarebytes and Forefront
- Update signatures and run scans regularly

51 Mobile Computing Devices
- Campus Security recommendations for securing smart phones:
  - Covers iPhone, Blackberry and Android.
- Unprotected PHI on PDAs is a huge security risk
- Never leave mobile computing devices unattended in unsecured areas.
- Immediately report the loss or theft of any mobile computing device to your entity’s Information Security Officer.

52 Facebook Security
- Don’t blindly accept default privacy settings.
- Facebook “security” is very weak. Hacking is easy!
- Beware of Facebook applications. There might be more than meets the eye.
- Assume anything posted on the web is out there forever. Don’t be too generous with your information. Bad people might find it very useful.
- Rule of thumb: Don’t post anything on Facebook that you wouldn’t feel comfortable seeing on the news – EVER!

55 Profile Viewer Scam

56 Are We Still Friends?

57 “Help a Friend” Scam
- You receive a Facebook message from one of your friends saying, “I’m stuck in London and have been mugged. Can you wire money to help me get back home?”
- Your friend’s account has likely been compromised
- Don’t send money!
  - Ask your friend to call collect so you can identify his/her voice.
  - Ask a question that only your friend will know and is not posted on Facebook.

58 Big Brother?
Max Schrems asked Facebook for a copy of his data. He received 1,200 pages including:
- Data and photos that he had deleted years before
- Rejected friend requests, defriends
- All Facebook chats that he ever had
- Names of everybody he had ever “poked”
- All likes
- All logins including times and IP addresses
- Emails

59 The Bottom Line: Security is Everybody’s Job!
- Systems and network people provide outer layers of protection.
- Patches and Antivirus software provide a middle layer of defense.
- Laptop encryption protects data on your laptop.
- You are the final layer of defense for your data!
- Make sure you protect yourself!

60 Questions?

