
QIP Education Session: Information Security
Joseph Zurba, Information Security & IT Compliance Officer, Harvard Medical School
February 16, 2015


Slide 2: IT Security Key Contacts
º Joseph Zurba: Information Security & IT Compliance Officer, HMS (joseph_zurba@hms.harvard.edu)
º Andy Ross: Information Security Manager, Chan School (aross@hsph.harvard.edu)
º Ingrid Skoog: Information Security Specialist, HUIT (ingrid_skoog@harvard.edu)

Slide 3: OVPR Data Security Key Contacts
º Ara Tahmassian: Chief Research Compliance Officer (ara_tahmassian@harvard.edu)

Slide 4: University Data Classification Table (Research)

Level 4: High Risk Confidential and Research Data
Information designated as high risk under University policy.
Examples*: Name plus one or more of the following:
º Social Security number
º Driver's license number or state-issued identification card number
º Financial account, credit or debit card number
º Identifiable research subject data
º Biometric identifier

Level 3: Confidential and Research Data
Information that, if disclosed, could cause material harm to persons or the University, or risk of legal liability.
Examples*:
º Designated institutional information
º Donor, development or planning information
º Non-directory student information
º Limited research data sets

Level 2: Internal Confidential and Research Data
Lower risk confidential information which Harvard has chosen to restrict.
Examples*:
º School- or self-designated intellectual property
º University ID numbers, with or without name
º Results of research where confidentiality was promised but is not required

Level 1: Public and Research Data
Public information.
Examples:
º Published or widely available information about Harvard
º University course catalogs
º Campus maps
º Employment postings
º De-identified research data

*Subject to IRB requirements and third-party contractual agreements (e.g. data use agreement).

Slide 5: HRDSP Level 5
Level 5 information includes individually identifiable information that could cause significant harm to an individual if exposed, including, but not limited to, serious risk of criminal liability, serious psychological harm or other significant injury, loss of insurability or employability, or significant social harm to an individual or group.
Examples:
º Prison studies
º Gang studies

Slide 6: Key Controls per DSL (Progressive)

Level 2:
º Strong password controls
º Individual accounts
º No personal email accounts or storage
º Policies and procedures

Level 3 (in addition to Level 2):
º Encryption of data in transit
º Host-based firewalls
º Security training
º Anti-virus
º Encryption of mobile devices (laptops, smartphones, etc.)
º Comprehensive logging and monitoring
º Breach notification

Level 4 (in addition to Levels 2 and 3):
º Network firewalls with inbound and outbound restrictions
º Vulnerability scanning and remediation
º No device storage permitted (except IronKey)
º Secure facility under University control or contract
º Private IP space
º Comprehensive documentation

Slide 7: Key Controls per DSL, Level 5
º Dedicated system not connected to an external network
º Whole-disk encryption of all systems
º Not permitted on removable media or mobile devices
º Secure room with no janitorial access
º Daily log review

Slide 8: Security Tools (Harvard Provided)

LastPass password manager
º Secure storage of passwords
º Random password generation
º Synchronizes between Mac, PC, and mobile devices
º Utilizes MFA
º Free from Harvard: http://security.harvard.edu/lastpass

IronKey encrypted thumb drives
º Government-certified encryption
º Remote wipe capable
º Free from Harvard: ithelp@harvard.edu

Slide 9: Security Tools (Harvard Provided), continued

Secure file transfer
º Securely transfer attachments
º https://transfer.med.harvard.edu (HMS and HSDM)
º http://accellion.sph.harvard.edu/ (HSPH)

Vulnerability assessments
º Scanning of systems and web applications for security vulnerabilities

Additional tools and capabilities provided by your IT department:
º Network firewalls
º Anti-virus/anti-malware software
º Etc.

Slide 10: Encryption
Encryption should be used everywhere possible; it is required for DSL 3 and above.
º BitLocker: Windows
º FileVault: Macintosh
º IronKey: Harvard provided
º Mobile devices: most modern smartphones are capable of encryption; a PIN or password is required
º Secure file transfer: Harvard provided

Slide 11: Security Training
º CITI Health Information Privacy and Security for Clinical Investigators (HIPS): https://www.citiprogram.org
º NIH Security Training: http://irtsectraining.nih.gov/publicUser0.aspx
º Harvard Information Security Training: http://eureka.harvard.edu
º Affiliate security and privacy training
Contact your local ISO for more training options.

Slide 12: Certified Facilities
Certified Facilities are facilities that have been assessed by HUIT IT Security at a specific DSL. In order for a facility to become certified, the facility must demonstrate consistent, repeatable security controls, processes, documentation, and training. These facilities are reviewed annually for compliance with the specific DSL.

Certified Facilities require no data security review for their approved level or a lower DSL:
º Chan School: POP Center Data Enclave, DSL 4
º HMS: Health Care Policy, DSL 4

Certified facilities are compliant only with the HRDSP and are not automatically compliant with FISMA, HIPAA, etc.
º Facilities must undergo a separate assessment in order to meet additional requirements.

Slide 13: Approval Process, DSL 3
1. IRB makes the DSL 3 determination
2. Approval to PI
3. PI follows up with ISO
4. ISO review with PI
5. Approval to IRB

Slide 14: Approval Process, DSL 4-5
1. IRB makes the DSL 4-5 determination
2. Ancillary DSL review to ISO
3. ISO follows up with PI
4. ISO approval to IRB
5. IRB approval to PI

Slide 15: Approval, Certified Facility (DSL 4)
1. IRB makes the DSL 1-4 determination
2. DSL 4 Certified Facility approval

Slide 16: Data Use Agreements
º Sponsored programs offices are authorized to sign on behalf of Harvard
º Contract must be reviewed by SPA and the school ISO
º May contain data security and data sharing provisions, including restrictions on publication

Slide 17: Building Requirements

HRDSP requirements:
º Level 3
º Level 4
º Level 5

DUA requirements:
º Center for Medicare and Medicaid Services (CMS)
º Center for Health Information and Analysis (CHIA)
º National Institutes of Health (NIH)

Legal requirements:
º MA 201 CMR 17.00
º FERPA
º HIPAA (HSDM)

Slide 18: Closing, Questions and Comments
Contact information:
º Joseph Zurba: joseph_zurba@hms.harvard.edu or iso@hms.harvard.edu
º 617-998-6697

