
1 Electronic Information Security – What Researchers Need to Know. University of California Office of the President, Office of Research, May 2005

2 Federal, State and UC Rules re Information Security
- HIPAA Security Rule (45 CFR 160, 162, 164)
- California Confidentiality of Medical Information Act (Cal. Civil Code )
- California law governing information security breaches (Cal. Civil Code )
- California law governing use of social security numbers (Cal. Civil Code )
- UC electronic information security guidelines (Bus. & Fin. Bulletin IS-3)

3 HIPAA Security Rule – What is It?
Federal rule.
Requires healthcare providers (and the businesses that handle patient data on their behalf) to protect the confidentiality, integrity and availability of electronic Protected Health Information (ePHI).
- ePHI is patient health information that is stored, maintained, processed or transmitted in any electronic medium, such as computers, laptops, disks, memory sticks, PDAs, networks and e-mail.

4 HIPAA Security Rule – What's Required?
If you use ePHI in your research, you must meet the Information Security Standards.
What are the Information Security Standards?
- Confidentiality – Information is not disclosed to unauthorized entities
- Integrity – Information is not altered or destroyed in an unauthorized manner, and is transmitted accurately
- Availability – Information is accessible and usable on demand by an authorized person

5 UC Guidelines on Information Security - IS-3
Guidelines for campuses on:
- Technical, physical and administrative security measures
- Disaster recovery
- Information Security Program at every campus

6 What are the Risks when Confidentiality is Breached?
Risk to Human Subject of:
- Identity theft, embarrassment, misuse of personal information, victimization in fraudulent scams
Risk to Research of:
- Loss of data and loss of integrity
Risk to UC of:
- Loss of trust; media attention to the security lapse; litigation by the subject; penalties; prosecution
Risk to Investigator of:
- Loss of data, time and money; embarrassment; media attention to the security lapse; litigation by the subject; internal disciplinary action; penalties; prosecution

7 How Do I Protect Electronic Information?
- Technical safeguards, e.g., passwords, encryption, archiving, anti-virus software (10% of Information Security)
AND
- Good Computing Practices, i.e., COMMON SENSE (90% of Information Security)

8 What are the Technical Safeguards?
1. Unique log-in access
2. Passwords
3. Workstation security
4. Portable device security
5. Data management, e.g., back-up and archive
6. Remote access security
7. Safe e-mail use
8. Safe Internet use
9. Report security incidents and stolen devices
10. Clean data off computers before recycling

9 Technical Safeguard: PASSWORD
Don't use a word that is obvious or can be found in a dictionary: a dictionary attack tries every word in a wordlist and finishes within minutes.
Don't share your password.
Don't let your Web browser remember your password.
Use a minimum of eight characters containing at least one each of the following:
- Uppercase letters (A-Z)
- Lowercase letters (a-z)
- Numbers (0-9)
- Punctuation marks ( )
Better yet, use a "pass-phrase" to remember your password:
- (My Cat purrs louder than a Dosco Roadheader!)
- Jw1n,aDTtr! (Just what I need, another Dumb Thing to remember!)
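The two rules on this slide, the pass-phrase trick and the eight-character/four-class minimum, are easy to get wrong in combination, so here is an added example (not part of the UC slides) that implements both: a function that derives a password from a passphrase the way the slide does (first character of each word, trailing punctuation kept, I replaced by 1, which is the only substitution the slide shows) and a checker for the stated policy plus a dictionary test. The word list is a constructed stand-in; a real check would load a full cracking wordlist.

```python
import re
import string

# Constructed stand-in for a real dictionary (assumption: a deployment would
# load a full wordlist, e.g. the one a cracking tool ships with).
COMMON_WORDS = {"password", "research", "welcome", "letmein", "qwerty", "summer"}

# The slide's only visible substitution is I -> 1; add more here if wanted.
SUBSTITUTIONS = {"I": "1"}


def passphrase_to_password(phrase: str, substitutions=SUBSTITUTIONS) -> str:
    """Build a password from a passphrase the slide's way: first character of
    each word (case kept), punctuation that ends a word kept, substitutions
    applied. 'Just what I need, another Dumb Thing to remember!' -> 'Jw1n,aDTtr!'
    """
    parts = []
    for word in phrase.split():
        core = word.lstrip(string.punctuation)  # skip opening quotes, dashes
        if not core:
            continue
        initial = core[0]
        parts.append(substitutions.get(initial, initial))
        trailing = re.search(r"[^\w]+$", core)  # e.g. the comma in "need,"
        if trailing:
            parts.append(trailing.group())
    return "".join(parts)


def check_policy(password: str, wordlist=COMMON_WORDS):
    """Apply the slide's rule: at least 8 characters with one uppercase, one
    lowercase, one digit and one punctuation mark, and not a dictionary word.
    Returns (ok, reasons); reasons is empty when the password passes."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    required = {
        "uppercase": string.ascii_uppercase,
        "lowercase": string.ascii_lowercase,
        "digit": string.digits,
        "punctuation": string.punctuation,
    }
    for name, alphabet in required.items():
        if not any(c in alphabet for c in password):
            reasons.append(f"no {name} character")
    # Compare letters only, so "Password1!" is still caught as "password".
    letters = "".join(c for c in password if c.isalpha()).lower()
    if letters in wordlist:
        reasons.append("dictionary word with decoration")
    return (not reasons, reasons)


if __name__ == "__main__":
    for phrase in ("Just what I need, another Dumb Thing to remember!",
                   "My Cat purrs louder than a Dosco Roadheader!"):
        pw = passphrase_to_password(phrase)
        print(f"{phrase!r} -> {pw!r} -> {check_policy(pw)}")
```

Running it shows the point worth knowing: the initials of the first phrase give "MCpltaDR!", which fails the slide's own rule for lack of a digit, so the pass-phrase method only satisfies the four-class policy when a substitution such as I -> 1 happens to apply. Two caveats for anyone applying this today: a cracker tries the same leet substitutions a user would, so "1" for "I" adds little, and current guidance (NIST SP 800-63B) drops composition rules in favour of length plus screening against breached-password lists.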

10 Technical Safeguard: WORKSTATION SECURITY
LOCK UP offices, windows, workstations, sensitive papers, laptops, PDAs, mobile devices and mobile media.
LOG OFF before leaving a workstation unattended.
AUTO LOG-OFF – Configure the workstation to log off automatically, and require the user to log in again, if it is left unattended for more than 15 minutes.
SCREEN SAVER – Set to 5 minutes with password protection.

11 Technical Safeguard: PORTABLE DEVICE SECURITY
In addition to Workstation Security measures:
- DELETE identifiable data when no longer needed
- Use up-to-date anti-virus software
- Install computer software updates
- Back up critical data and software programs
- Encrypt and password-protect portable devices
Refer questions to your Information Security Office.

12 More PORTABLE DEVICE SECURITY Safeguards
Ask your Information Security Office about:
- Turning off your wireless port if you are not using it
- Using a Virtual Private Network if you are using a wireless connection
- Installing a firewall
- Encrypting data during transmission
Refer questions to your Information Security Office.

13 What are Good Computing Practices? COMMON SENSE
Do NOT use a portable device for storing ePHI, e.g., laptop, PDA, memory stick, cell phone.
If you do store ePHI on a portable device, either de-identify or encrypt the data.
Keep subject identifiers physically separate from de-identified data.
Once you are finished using ePHI on the portable device, delete it.
Do NOT use social security numbers as subject identifiers.
Do NOT transmit ePHI on the Internet.
Do NOT transmit ePHI by e-mail.
If you must transmit ePHI on the Internet or by e-mail, be sure it is encrypted.
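Three of the practices above (de-identify before data goes on a portable device, keep the identifiers physically separate, never use the SSN as the subject identifier) describe one concrete procedure. The following is an added example, not from the UC slides, that carries it out on a constructed two-row export: each subject gets a random study ID, the study data travels without name or SSN, and a separate crosswalk file maps study IDs back to the identifiers. Which columns count as direct identifiers is an assumption made for the example (the HIPAA de-identification rules list more, such as dates and addresses), and the final check only looks for SSN-shaped strings.

```python
import csv
import io
import re
import secrets

# Constructed sample export with direct identifiers; no real subjects.
RAW_CSV = """subject_name,ssn,diagnosis_code,score
Jane Roe,123-45-6789,E11.9,42
John Doe,987-65-4321,I10,17
"""

# Columns treated as direct identifiers in this example (assumption; the
# HIPAA identifier list is longer, e.g. dates of service and addresses).
DIRECT_IDENTIFIERS = ("subject_name", "ssn")

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def new_study_id(rng=secrets.token_hex) -> str:
    """Random study ID. It is not derived from the SSN or name, so the
    crosswalk is the only way back to the subject."""
    return "S" + rng(4).upper()


def deidentify(raw_csv: str, rng=secrets.token_hex):
    """Split one export into two datasets: the study data (identifiers replaced
    by a study ID) and the crosswalk (study ID -> identifiers). The two are
    meant to be stored apart, the crosswalk encrypted and access-limited."""
    study_rows, crosswalk_rows, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(raw_csv)):
        study_id = new_study_id(rng)
        while study_id in seen:            # re-draw on the rare collision
            study_id = new_study_id(rng)
        seen.add(study_id)
        crosswalk_rows.append({"study_id": study_id,
                               **{k: row[k] for k in DIRECT_IDENTIFIERS}})
        study_rows.append({"study_id": study_id,
                           **{k: v for k, v in row.items()
                              if k not in DIRECT_IDENTIFIERS}})
    return study_rows, crosswalk_rows


def contains_ssn(rows) -> bool:
    """Check before a file leaves the secured system: does any field still
    look like an SSN? Catches an SSN that slipped into a free-text column."""
    return any(SSN_RE.search(str(v)) for row in rows for v in row.values())


def to_csv(rows) -> str:
    """Serialise a row list back to CSV text, one file per dataset."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    study, crosswalk = deidentify(RAW_CSV)
    assert not contains_ssn(study)
    print("--- study_data.csv (may travel on a laptop) ---")
    print(to_csv(study))
    print("--- crosswalk.csv (stays locked up, stored separately) ---")
    print(to_csv(crosswalk))
```

The study ID comes from `secrets.token_hex`, not from a hash of the SSN: a hash of a nine-digit number is reversible by trying all of them, so a "hashed SSN" is still an identifier. The crosswalk is the sensitive artefact; it is what the slide means by keeping identifiers physically separate, and the encryption the slide asks for belongs on it.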

14 More COMMON SENSE Good Computing Practices
Use COMMON SENSE when handling individually identifiable information.
Do not leave sensitive or identifiable information lying around for anyone to read.
LOCK UP your equipment when not in use.
ENGRAVE a personal ID on your laptop or other transportable device so it is less likely to be stolen.
DO NOT share your password with anyone.
LOG OFF before leaving your computer.

15 Campus Resource for IT Help and for Reporting Security Incidents [ security/UC Security Officers HIPAA ]

