Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Computing Practices Plamen Martinov Chief Information Security Officer.

Published byMarvin Parrish Modified over 8 years ago

Similar presentations

Presentation on theme: "Security Computing Practices Plamen Martinov Chief Information Security Officer."— Presentation transcript:

1 Security Computing Practices Plamen Martinov Chief Information Security Officer

2 Agenda Introduction to Computer Security “Top 10 List” of Good Computing Security Practices How to: – Create a good password – Encrypt sensitive information – Protect your operating system 2

3 What is Computer Security and why is it important? Computer Security allows the University to carry out its mission by: Enabling staff and students to carry out their jobs, education, and research Protecting personal and sensitive information Supporting critical business processes Computer Security is the protection of computing systems and the data that users store or access. 3

4 4 Good Computing Security Practices follow the “90 / 10”Rule: 10% of security safeguards are technical 90% of security safeguards rely on the computer user (“YOU”) to adhere to good computing practices Example: The lock on the door is the 10%. You remembering to lock the door, checking to see if it’s closed, ensuring others do not open the door, and keeping control of the key is the 90%. Why do you need to learn about Computer Security?

5 Ignoring Computer Security leads to security breaches and regulatory fines In 2014 more than 1,500 data breaches occurred nationwide, compromising 1 billion personal records. The Office for Civil Rights has been levying HIPAA fines: Nine settlements since June 1, 2013 have totaled more than $10 million. Examples: – $1,725,220 against Concentra Health Services for an unencrypted laptop that had been stolen from one of its facilities. – $250,000 against QCA Health Plan, Inc. after an unencrypted laptop containing personal health information was stolen from an employee's car. 5

6 "Top 10 List" of Good Computing Security Practices everyone can take to protect computers and data. 1.Password protect your computer and portable devices. 2.Choose good passwords and keep them secret and secure 3.Encrypt any ePHI or PII stored on portable devices or media 4.Keep your operating system patched and up-to-date 5.Install anti-virus and keep it up-to-date 6.Turn on your computer firewall 7.Lock up your devices or take them with you 8.Do not respond to anyone asking you for your password 9.Securely delete ePHI and PII when it is no longer needed 10.Back up critical information 6

7 Password protect your computer and portable devices Creating a good password Combine 2 unrelated words -> Mail + phone = m@!lf0n3 A good password has at least 12 characters = m@!lf0n-2015 Use a password or passphrase manager, such as LastPass to help manage multiple passwords/passphrases LastPass is free for students and can be downloaded from LastPass.com. The table below shows how fast your password can be guessed by a hacker: PatternCalculationResultTime to Guess 8 chars: lower case alpha26 8 2x10 11 < 1 second 8 chars: alphanumeric62 8 2x10 14 3.4 min 8 chars: all keyboard95 8 7x10 15 2 hours 12 chars: alphanumeric62 12 3x10 21 96 years 7

8 ePHI = Electronic Protected Health Information (Personal + Health) – Medical record number and/or account number with SSN – Patient demographic data (e.g. address, date of birth, date of death, sex, e-mail, etc.) – Dates of service (e.g. date of admission, discharge, etc.) – Medical records, reports, test results, or appointment dates PII = Personally Identified Information (Personal only) – Individual’s name, SSN, driver’s license number, or credit card account numbers – Health insurance policy number, subscriber ID, application or claims Encrypt any ePHI and PII stored on portable devices or media 8

9 Encryption vs. Passwords Having a password does not necessarily mean something is encrypted. –Passwords by themselves do not scramble the information. If something is only “password protected,” it is not enough protection - someone could bypass the password and read the information. Original Password Protected Encrypted 9

10 The table below shows the time and costs for handling security incidents for lost and stolen devices. 10 Encrypted Device with ePHI/PII Unencrypted Device with ePHI/PII Unencrypted Device without ePHI/PII Incident DescriptionUser’s computer stolen from his/her car. Device had ~400 patient records. User forgot laptop in cab. Device had ~400 patient records. User left tablet on plane. Device had no patient health information. Investigation time (combined hours for incident response team – legal, HR, IT, security, etc.) 1 Hour50 hours35 hours Security Forensics Costs$ 0$ 2,000$ 800 Reputation Damage Costs$ 0Priceless$ 0 Encryption saves the University both time and money

11 Encryption Solutions TypeEncryption SolutionsCost/ImpactPurpose AppleFilevault 2 Free ; native security feature; easy setup; vendor-supported; AES 128 encryption for data protection; can store recover key with Apple; well- documented install guide. Encrypt the contents of your entire drive. Solution will work for personally-owned and BSD-owned laptops. WindowsBitLocker* Free ; native security feature; AES 128-bit and 256-bit; some hardware dependencies. Encrypt the contents of your entire drive. Solution will work for personally-owned and BSD-owned laptops. * To use BitLocker, your laptop must be equipped with a Trusted Platform Module (TPM) chip, and it must be enabled. 11

12 Encryption Solutions (Cont’d) TypeEncryption SolutionsCost/ImpactPurpose Files/ Volumes AxCrypt Free; has native versions for both Windows and Apple; uses strong compliant encryption. Creates secure disk images and files for data sharing via email, cd or cloud External Storage Aegis Secure USB Key $65; unlocks with onboard PIN pad; 256-bit AES hardware-based encryption; PIN activated 7-15 digits -Alphanumeric keypad. Secures the transport of data, documents, and presentations Apple Phone/ Tablet IOS Free; native security feature, enabled by default with the use of passcode; vendor-supported; AES 128 encryption; can store recover key with Apple; well-documented install guide. Encrypts the content of the device; solution will work for personally- owned and BSD-owned devices. Android Phone/ Tablet Android Free; native security feature; easy setup; vendor-supported; AES 128 encryption; well-documented install guide. Encrypts the content of the device; solution will work for personally- owned and BSD-owned devices. 12

13 A firewall acts as a wall between your computer/private network and the internet. A firewall prevents hackers from entering your computer through the internet. Turn on your firewall 1.Open System Preferences. 2.Click the Security or Security & Privacy icon. 3.Select the Firewall tab. 4.Click the lock icon, then enter an administrator name and password. 5.Click the Firewall Options button. 1.Open Windows Firewall by clicking the Start button, and then clicking Control Panel. 2.In the left pane, click Turn Windows Firewall on. 3.Click Turn on Windows Firewall under each network location, and then click OK. 13 HOW TO

14 Vendors regularly issues patches or updates to solve security problems in their software. Computers can be set up to automatically download and install updates. When they are not applied, it leaves your computer vulnerable to hackers. Keeping your operating system patched and up-to-date 1.Open Windows Update. 2.Tap or click Choose how updates get installed. 3.Under Important updates, choose install updates every day. 4.Under Recommended updates, select the Give me recommended updates the same way I receive important updates check box. 1.Choose System Preferences from the Apple menu. 2.Click App Store. 3.Select Automatically check for updates. 14 HOW TO

15 Resources & References BSD Information Security Office – http://security.bsd.uchicago.edu http://security.bsd.uchicago.edu BSD HIPAA Program Office – http://hipaa.bsd.uchicago.edu http://hipaa.bsd.uchicago.edu Apple Encryption – FileVault 2 – http://support.apple.com/kb/ht4790 http://support.apple.com/kb/ht4790 Windows Encryption - BitLocker – http://windows.microsoft.com/en-us/windows-vista/bitlocker-drive- encryption-overview http://windows.microsoft.com/en-us/windows-vista/bitlocker-drive- encryption-overview Files/Volumes Encryption – AxCrypt – http://www.axantum.com/axcrypt/ http://www.axantum.com/axcrypt/ External Storage Encryption – Aegis Secure Storage – http://www.apricorn.com/aegis-secure-key.html http://www.apricorn.com/aegis-secure-key.html 15

Download ppt "Security Computing Practices Plamen Martinov Chief Information Security Officer."

Similar presentations

Financial Services Workshop Margaret Umphrey ECU Information Security Officer March 12, 2014 1IT Security, East Carolina University.

Financial Services Workshop Margaret Umphrey ECU Information Security Officer March 12, IT Security, East Carolina University.
Computer and Mobile Device Equipment Security Brief May 29, 2008 Presented by: Kevin G. Sutton, Chief, Information Technology Unit.

Computer and Mobile Device Equipment Security Brief May 29, 2008 Presented by: Kevin G. Sutton, Chief, Information Technology Unit.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Health Insurance Portability & Accountability Act “HIPAA” To every patient, every time, we will provide the care that we would want for our own loved ones.

Health Insurance Portability & Accountability Act “HIPAA” To every patient, every time, we will provide the care that we would want for our own loved ones.
Encryption – First line of defense Plamen Martinov Director of Systems and Security.

Encryption – First line of defense Plamen Martinov Director of Systems and Security.
Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health.

Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health.
BP5- METHODS BY WHICH PERSONAL DATA CAN BE PROTECTED Data Protection.

BP5- METHODS BY WHICH PERSONAL DATA CAN BE PROTECTED Data Protection.
1 Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005.

1 Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005.
Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.

Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.
1 of 2 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2006 Microsoft Corporation.

1 of 2 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2006 Microsoft Corporation.
Data Security for Healthcare Facilities Debbie Abbott Health Information Consultant Resolutions (Int) Pty Ltd.

Data Security for Healthcare Facilities Debbie Abbott Health Information Consultant Resolutions (Int) Pty Ltd.
SAFEGUARDING DHS CLIENT DATA PART 2 SAFEGUARDING PHI AND HIPAA Safeguards must: Protect PHI from accidental or intentional unauthorized use/disclosure.

SAFEGUARDING DHS CLIENT DATA PART 2 SAFEGUARDING PHI AND HIPAA Safeguards must: Protect PHI from accidental or intentional unauthorized use/disclosure.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.

Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.
DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,

DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,
1 Enterprise Security Your Information Security and Privacy Responsibilities © 2008 Providence Health & Services This information may be replicated for.

1 Enterprise Security Your Information Security and Privacy Responsibilities © 2008 Providence Health & Services This information may be replicated for.
PASSWORD MANAGER Why you need one 1. WHAT IS A PASSWORD MANAGER? A modern Password Manager is a browser extension (Chrome, Internet Explorer, Firefox,

PASSWORD MANAGER Why you need one 1. WHAT IS A PASSWORD MANAGER? A modern Password Manager is a browser extension (Chrome, Internet Explorer, Firefox,
ENCRYPTION Coffee Hour for August 2014. HISTORY OF ENCRYPTION Scytale Ciphers – paper wrapped around rod, receiver needed same size rod to get the message.

ENCRYPTION Coffee Hour for August HISTORY OF ENCRYPTION Scytale Ciphers – paper wrapped around rod, receiver needed same size rod to get the message.
Windows Tutorial 9 Maintaining Hardware and Software

Windows Tutorial 9 Maintaining Hardware and Software

Similar presentations

Ads by Google