Privacy and Information Security - PowerPoint PPT Presentation

About This Presentation
Title:

Privacy and Information Security

Description:

HIPAA stands for the Health Insurance Portability and Accountability Act, a ... Skype. Peer to Peer internet telephone network. Written by developers of Kazaa ... – PowerPoint PPT presentation

Slides: 37
Provided by: uncmed

Transcript and Presenter's Notes

Title: Privacy and Information Security


1
Privacy and Information Security
  • Dennis Schmidt, HIPAA Security Officer
  • UNC School of Medicine
  • Student Laptop Distribution
  • August 8, 2006

2
Privacy
3
What is HIPAA?
  • HIPAA stands for the Health Insurance Portability
    and Accountability Act, a federal law passed in
    1996 that affects the healthcare and insurance
    industries.

4
What is PHI?
  • PHI means Protected Health Information. PHI is
    any health information that can be used to
    identify a patient and which relates to the
    patient's past, present, or future physical or
    mental health or condition, healthcare services
    provided to the patient, or the payment for
    these services.

5
Examples of PHI Identifiers
Any of the following items, when used to identify
a patient and combined with health information,
creates PHI which is subject to HIPAA regulations:
  • Patient's Name
  • Relatives' Names
  • Telephone Numbers
  • Fax Numbers
  • E-Mail Address
  • Medical Record Number
  • Employer
  • Address (street, city, zip)
  • Social Security Number
  • Codes
  • Fingerprints
  • Occupation
  • Photographs
  • Certificate Numbers

6
Some Basic Privacy Rules of Thumb
  • Access to PHI is on a need to know basis.
  • Having the password to a medical system does not
    mean that you have a right to view any or all
    records that are in that system.
  • Don't discuss PHI in public areas.
  • Think of how you would want your own health
    information to be handled.
  • Dispose of written patient notes in confidential
    disposal containers (Shred-It bins).
  • When in doubt, don't give it out.

7
Information Security
8
The Threat Reality
  • There are a lot of bad guys out there trying to
    get to your data!
  • Some are organized
      • Black Hat Conventions
      • Hacker Web Sites
      • Terrorists and Information Warfare
  • They are motivated by many things
      • Technical Challenge
      • Politics
      • Religion/Ideology
      • Vandalism
      • Organized Crime/Identity Theft
  • We are a target rich environment for them
  • Our threat vector is the entire world!

9
Virus and Worm Basics
  • A virus typically requires a user to do something
    to allow it to spread. e.g., opening an infected
    email attachment.
  • A worm requires no user interaction whatsoever to
    spread. A vulnerable machine simply has to be
    turned on and attached to the network. Worms can
    spread very rapidly, infecting thousands of
    machines in a matter of minutes.

10
How Can We Protect Ourselves?
  • Regular Antivirus and Windows Updates
      • Your laptops are configured to do these
        automatically.
  • Basic Safe Practices
      • Don't open executable email attachments.
      • Use strong passwords
      • Also applies to home systems

11
Current SOM Security Posture
  • Protection of the network is our top priority
  • Infected machines will be automatically
    disconnected from the network
  • Unpatched or vulnerable machines may also be
    taken off of network

12
Security - A Multilayered Approach
  • There is no single Silver Bullet for security.
  • All protections have weaknesses that can be
    exploited.
  • Effective security requires multiple barriers
    from the system level down to the end user.
  • A castle has multiple layers of security - a
    moat, a drawbridge, multiple thick walls, boiling
    oil, armed soldiers, armed citizens, etc.
  • We need to do the same to protect our castle!

13
Password Change Requirements
  • Required by HIPAA, State Auditors, Patriot Act,
    etc.
  • It is good security practice.
  • Putting your password under your keyboard is like
    leaving your doors unlocked.
  • If somebody gets your password they can:
      • Read your mail
      • Send out embarrassing mail in your name
      • Read, delete, or modify your documents
      • Destroy your valuable data

14
Safe Password Practices
  • Don't write your password down
  • Don't use the save password function
      • Many applications, including Mozilla, save the
        password in a clear text file.
  • Don't share your password with anybody
  • Use different passwords for work/school, on-line
    banking, and junk accounts
  • Use strong passwords

15
What is a strong password?
  • A strong password is constructed to limit
    vulnerability to dictionary attacks
  • A strong password has some of the following
    characteristics:
      • Is a minimum of 6 characters long (longer is
        better)
      • Has at least one number
      • Has at least one special character from this
        list: !@'_
      • Does not contain your userid
      • Is not a recently used password.

16
But, I can't remember strong passwords!
  • Pick one that is easy to remember!
  • Example:
      • Pick a word that means something to you:
        surgery
      • Change one of the characters to upper case:
        Surgery
      • Change another character to a non-alpha:
        Surg3ry
      • Add a non-alphanumeric character: Surg3ry
  • You now have a strong password that is hard to
    crack, but easier to remember.
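
The slide-15 rules and the slide-16 construction steps as a checker, an added example that is not part of the presentation: it treats all five characteristics as required, the userid (`mstudent`) and the password history are constructed, and `!` stands in for the non-alphanumeric character the transcript dropped from the last step.

```python
# Special characters from the slide's list (the transcript rendered "@" as
# "_at_"; this is the de-garbled list as it appears on the page).
SPECIAL_CHARS = "!@'_"
MIN_LENGTH = 6


def check_password(password, userid, recent_passwords=()):
    """Return the slide-15 rules the password fails (empty list = strong).

    recent_passwords is an assumed history of the user's earlier passwords;
    a real system would compare salted hashes rather than plaintext.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SPECIAL_CHARS for c in password):
        failures.append("no special character from " + SPECIAL_CHARS)
    if userid and userid.lower() in password.lower():
        failures.append("contains the userid")
    if password in recent_passwords:
        failures.append("recently used")
    return failures


def is_strong(password, userid, recent_passwords=()):
    return not check_password(password, userid, recent_passwords)


def slide16_walkthrough(userid="mstudent"):
    """Apply the slide-16 steps to 'surgery' and report which rules still
    fail after each step. The final '!' is a constructed choice from
    SPECIAL_CHARS; the transcript lost the character the presenter used."""
    steps = ["surgery", "Surgery", "Surg3ry", "Surg3ry!"]
    return [(pw, check_password(pw, userid)) for pw in steps]


if __name__ == "__main__":
    for pw, failures in slide16_walkthrough():
        print("%-10s %s" % (pw, ", ".join(failures) or "strong"))
```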

17
Accounts You Need to Know About
  • Local account for your Laptop
      • You changed that password when you booted up
        today.
      • It has administrative rights. In other words,
        you have full power to change (or mess up!)
        anything on the machine.
  • School of Medicine ID (SOMid)
      • Access to e-mail, on-line curriculum, student web
        space, etc.
      • Must be changed every 90 days.
      • Strong password required.
  • ONYEN (UNC User ID)
      • Access to main campus resources.
      • Same password requirements as SOMid
  • The passwords on these accounts are not
    synchronized!

18
Change Your Passwords Immediately
  • SOMid
      • http://somid.med.unc.edu
  • ONYEN
      • http://onyen.unc.edu

19
E-mail viruses
  • Currently the most common source of virus
    infection
  • Spread through executable e-mail attachments
  • Users are tricked into opening an attachment which
    runs malicious code
      • Infects computer with virus
      • Sends out infected messages to others in their
        address book
      • May spoof the From line with another address
        from the infected machine's address book
      • Machine must be cleaned to remove virus
  • SOM blocks dangerous extensions (.exe, .com,
    .bat, etc.) and scans for virus messages, but
    some could still get through.

20
Spam Blocking
  • All incoming mail to the School of Medicine is
    scanned for spam and given a spam score.
  • All messages with scores above a set threshold
    are rejected.
  • Messages below a set threshold are delivered to
    your inbox.
  • Messages in between are marked as Probable Spam
    and delivered to your Spam folder.
  • The Spam folder is periodically cleaned of
    messages over 30 days old.

21
Peer to Peer (P2P) File Sharing
  • Kazaa, Morpheus, etc.
  • Shares your system out to the world
  • Allows virtually anybody to read and write to
    your hard drive!
  • Installs trojans, spyware, malware, keyboard
    readers
  • Real problem with machines accessing PHI
  • UNC HCS Policy bans P2P use in UNC HCS, including
    School of Medicine

22
Skype
  • Peer to Peer internet telephone network
  • Written by developers of Kazaa
  • Can turn your machine into a super node
  • Generates excessive network traffic through your
    machine
  • Blocked within the SOM network.
  • Acceptable alternative: Gizmo

23
Access From Home
  • Home systems face the same threats as systems on
    campus
  • Home systems tend to be more vulnerable because
    home users tend to be more complacent
  • If connected to internet with broadband (DSL,
    cable modem) you should have a firewall/router
    installed
  • Homes with wireless capability are particularly
    vulnerable.
  • It is critical that your wireless is configured
    for encryption (WEP, etc.) to prevent intrusion

24
Disabled is Dangerous
25
Phishing
  • (fishing) (n.) The act of sending an e-mail to a
    user falsely claiming to be an established
    legitimate enterprise in an attempt to scam the
    user into surrendering private information that
    will be used for identity theft.
  • The e-mail directs the user to visit a Web site
    where they are asked to update personal
    information, such as passwords and credit card,
    social security, and bank account numbers, that
    the legitimate organization already has.
  • The Web site, however, is bogus and set up only
    to steal the user's information.
  • www.webopedia.com

26
Note the difference between the URL Label and the
Actual URL
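
A check for the label/URL mismatch this slide warns about, added here and not part of the presentation: it parses the links in an HTML message body and flags any whose visible text looks like a URL for one host while the href actually opens another. The message body and the `reset.invalid-phish.test` domain are constructed placeholders; onyen.unc.edu is the address from slide 18.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible label) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; a bare 'host/path' label gets a scheme so urlparse works."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def mismatched_links(html):
    """Return (label, href) pairs where a URL-looking label names a different
    host than the href the link actually opens (the slide-26 mismatch)."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, label in collector.links:
        if " " in label or "." not in label:
            continue  # plain words such as "click here" have no host to compare
        if host_of(label) != host_of(href):
            flagged.append((label, href))
    return flagged


# Constructed sample message body; only the second link is deceptive.
SAMPLE_HTML = (
    '<p>Change your password at <a href="http://onyen.unc.edu/">onyen.unc.edu</a> '
    'or via <a href="http://reset.invalid-phish.test/onyen">https://onyen.unc.edu</a></p>'
)
```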
29
Spyware and Adware
  • Software that tracks usage and reports it to
    others, such as advertisers. Usually the
    tracking is concealed from the user of the
    software.
  • Can be installed when:
      • Visiting web sites
      • Installing and running free software programs
      • Playing internet games
  • About 91 percent of PCs today are infected with
    spyware programs that send information from your
    PC to an unauthorized third party.

30
Problems with Spyware
  • Gives unknown entities some control over
    information on your computer without your
    knowledge or consent
  • Uses cookies to capture and report sensitive
    information:
      • User IDs and Passwords
      • Keystrokes
      • Credit card information
  • Possible source of viruses and trojan horses
  • Eats up system resources (slows down your
    machine)
  • Recently linked to organized crime and ID theft
  • CoolWebSearch is particularly dangerous.

31
How do I protect myself?
  • Install and run anti-spyware programs
      • Use more than one to make sure you catch more.
  • Many are available free of charge
      • Adaware
      • Spybot
      • Spyblaster
  • Your laptops have Spybot installed
  • Update signatures and run scans regularly

32
Mobile Computing Devices
  • If you use a Palm/Pocket PC (PDA) device or a
    laptop PC, you must employ the following security
    controls:
      • power-on passwords
      • automatic logoff
      • data encryption or a comparable approved
        safeguard to protect the data
  • Never leave mobile computing devices unattended
    in unsecured areas.
  • Immediately report the loss or theft of any
    mobile computing device to your entity's
    Information Security Officer.

33
PDA Security
  • Unprotected PHI on PDAs is a huge security risk.
  • In the School of Medicine, there have been at
    least two lost PDAs containing PHI.
  • SOM policy requires PDAs to have a power-on
    password.
  • Sensitive data on PDA memory cards must be
    encrypted.
  • Strongly recommended that PDAs also be configured
    to erase memory after a set number of
    unsuccessful login attempts.

34
Web Security
  • Data placed in directories on a web site may be
    accessible, even if not linked anywhere.
  • Search engines can locate files in directories
    that do not have a welcome.htm file in them.
  • Rule of thumb: Don't put anything in your web
    space that you wouldn't want the entire world to
    see!

35
The Bottom Line: Security is Everybody's Job!
  • Systems and network people provide outer layers
    of protection.
  • Patches and Antivirus software provide a middle
    layer of defense.
  • End-Users (You!) are the final layer of defense.
  • Make sure you protect yourself!

36
Questions?