1 Hot Topics in IT Security PREP#28 May 1, 2014 David Woska, Ph.D. OCIO Security
2 CME Disclosure Statement The North Shore LIJ Health System adheres to the ACCME s new Standards for Commercial Support. Any individuals in a position to control the content of a CME activity, including faculty, planners, and managers, are required to disclose all financial relationships with commercial interests. All identified potential conflicts of interest are thoroughly vetted by the North Shore-LIJ for fair balance and scientific objectivity and to ensure appropriateness of patient care recommendations. Course Director and Course Planners, Kevin Tracey, MD, Cynthia Hahn, Emmelyn Kim, MPH, Tina Chuck, MPH have nothing to disclose. David Woska, Ph.D. is the speaker and has nothing to disclose.
4 Where do we Start? 4
5 What are today s Hot Topics in IT Security? Cyber Security Encryption Social Engineering Cloud Storage Mobile Security Database Security
6 Cyber Security Agenda What is Cyber Security? Industry Statistics Sources and Types of Cyber Attacks 6
7 Cyber Security What is Cyber Security? Cyber security refers to the technologies and processes designed to protect computers, networks and data from unauthorized access, vulnerabilities and attacks delivered via the Internet by cyber criminals. A cyber attack is an attempt to damage, disrupt, or gain unauthorized access to a computer, computer system, data or electronic communications network. A cyber crime is the illegal use of computer technology and the Internet, e.g. Target credit card breach (~110M records), CA Health System unencrypted laptop loss (~729K records). 7
8 Cyber Security Sources & Types of Cyber Attacks Malware & Malicious Code (Viruses, Worms, Trojans) software that is intended to damage or disable computers and computer systems. Botnets a network of private computers infected with malicious software and controlled as a group without the owners' knowledge. Phishing the activity of defrauding an online account holder of financial information by posing as a legitimate company. Web based attacks means by which malicious code exploits a system's security safeguards. Denial of Service attack on a computer system or website, aimed at disrupting its normal functionality. Malicious insiders malicious threat that comes from people within the organization such as employees, former employees, contractors or business associates. 8
9 Cyber Security Patient Records Breached per Day (avg.) Medical record data is worth $50 on the black market. Much more than Social Security numbers ($3), credit card information ($1.50), date of birth ($3), or mother's maiden name ($6). Sources: 1. DHC: EHR Data Target for Identity Thieves - MedPage Today - 12/07/
10 Cyber Security Primary Causes of Breaches Source: 10
11 Information Security Myths versus Reality Myth: If I have antivirus software installed, I m safe. Reality: Studies show that a third of all PCs with up-to-date antivirus software have a virus right now 1. Myth: I don't need to worry; I have no vital documents on my home computer, just music, photos, and videos. Reality: Hackers are increasingly focused on home computers, regardless of their contents. The strategy is to use your PC as a toehold into your digital life. Modern malware can sit on your computer for months, building a profile of your identity, finances, passwords, and sensitive documents. 1 National Security Institute, Inc.
12 Information Security Myths versus Reality Myth: Cybercrime isn't any worse now than it s been in the past. Reality: Cybercrime is up sharply in the last year. Experts have noted staggering growth in the number and sophistication of attacks home computers are now the weak point. Myth: I would know if I had a virus on my computer. Reality: Most viruses and malware don't slow down or crash your computer. It may surprise you to learn that most people who have a virus or malware have no idea they ve been compromised.
13 Cyber Security Healthcare Statistics Hospitals and physician practices were responsible for 32% and 28% of the total breaches in healthcare, respectively. Since July 2011, physician practices have become the most breached organization type, surpassing hospitals/health systems. Government institutions (including VA hospitals) have experienced the greatest loss of records (40%). Insiders were responsible for 23% of breaches, accounting for 13% of records breached. In addition to causing potential harm to patients such as financial and medical identity theft, security breaches result in significant financial expenses to the organization. The average cost of a data breach over a two-year period was $2.4 million, a 15% increase compared to Source: exchangeblog.att.com/enterprise-business/cyber-attacks-and-security-in-healthcare 13
14 IT Security Safeguards Cyber Security IT Safeguards at NSLIJ Perimeter Controls and Firewall Technologies that protect against external threats. Mobile Device Protection (Encryption) for phones, tablets and portable devices. Antivirus and Anti-spam to protect computers, laptops and servers. Intrusion Detection/Prevention that inspects dataflow sending alerts of potential threats. Security Event Monitoring to proactively detect suspicious activity. Patient Privacy Monitoring and Application Breach Detection to detect suspicious activity on our clinical applications. Segregated Cardholder Data Environment providing an additional layer of security for payment transactions. Employee Training & Awareness Annual Compliance Training throughout the Health System on proper security and privacy practices. Security Awareness and Alerts published on HealthPort. Periodic security reminders, alerts, newsletters and posters. 14
16 How Encryption Works Encryption Encryption is a method to keep your personal information secure. Encryption scrambles the information you send over the internet into a code so that it s not accessible to others. How to Tell If a Website is Encrypted To determine if a website is encrypted, look for https at the beginning of the web address (the s is for secure). When completing online transactions, some websites use encryption only on the sign-in page, but if any part of your session isn t encrypted, your entire account could be vulnerable. Therefore, look for https on every page you visit.
17 Encryption Safe Guard Media Device Exchange 1. Media Passphrase Password Requirements: a. Minimum of 6 characters b. May not be the username c. May not have three consecutive characters such as 123 or qwe 2. Media Passphrase Password Changes and Resets: Password Changes a. Client must use the computer the password was created on b. Use the Sophos icon on the tool bar to reset the password i. Right click the icon and select Change Media Passphrase. In the Change Media Passphrase the client must enter their existing password and specify a new password following the same password requirements. ii. In the Change Media Passphrase the client must enter their existing password password and specify a new password following the same password requirements.
18 Encryption Safe Guard Media Device Exchange (Cont d) Password Resets 3. The first Password reset is completed by typing in the current password and then entering the new password and confirming. 4. If a client has forgotten their password, they can reset it on the computer the password was initially created on. The client MUST log off the computer and then log back in for the change to take effect.
19 Encryption Safe Guard Media Device Exchange (Cont d) How to Access File on the USB Drive Client s Computer- Utilizing the computer that they created the key and can plug the USB device into the drive and access the files through MY COMPUTER. They will not be prompted for a Passphrase. Another Computer- The client can access their files on another computer that they did not log into utilizing the SGPortable client. a. The client will need to open MY COMPUTER b. Launch the SGPORTABLE.exe from the SGPortable folder.
20 Encryption Safe Guard Media Device Exchange (Cont d) c. The SafeGuard Portable applet will load. The client can select the file that they need to open. They will be prompted for the password to open the file.
21 Encryption Safe Guard Media Device Exchange (Cont d) d. The file will then show as NOT ENCRYPTED e. To unencrypt all files on the drive select EDIT then SELECT ALL
22 Removable Media Confidential information must not be saved on removable media such as CDs, DVDs, and USB flash drives unless absolutely necessary and you must encrypt it! Follow Health System policies for Encryption ( Data Encryption and Integrity) Handling media ( Device and Media Control) Disposal of media ( Equipment Disposal) Handling of PHI ( Use, Access and Disclosure of PHI with Valid Authorization) Need assistance with encryption or disposal, call the IS Help Desk!
23 Social Engineering What is Phishing? Is a psychological attack used by cyber criminals to trick you into giving up information or taking an action. What does a typical attack look like? An attack begins with a cyber criminal sending a message pretending to be from someone or something that you know, such as a friend, your bank or a well-known store. These messages then entice you into taking an action, such as clicking on a malicious link, opening an infected attachment, or responding to a scam.
24 Social Engineering What is Spear Phishing? A targeted attack to a very few select individuals. Cyber attackers research their intended targets, such as by reading the intended victims LinkedIn or Facebook accounts or any messages posted on public blogs or forums. Why should I Care? You may not realize it, but you are a target at work and at home. You and your devices are worth a tremendous amount of money to cyber criminals, and they will do anything they can to hack them. YOU are the most effective way to detect and stop phishing.
25 Social Engineering Anatomy of a phishing A Check addresses B Generic Salutation C Grammar or Spelling Mistakes D Immediate Action E URL Link F Suspicious Attachment
26 Cloud Computing What is Cloud Computing? Information processing residing on remote systems maintained by a third-party vendor, and accessed from the Internet. What is our policy for Cloud Based Storage? Internet/Cloud based storage must not be used to store or disseminate Sensitive and Highly Sensitive information such as PHI or PII without proper approval processes that include IT Contracts, Office of Procurement, OCIO Security, and Research Administration when appropriate. Users must follow proper procedures by saving Sensitive and Highly Sensitive information on a shared drive.
27 Save it to your Network Drive Confidential information should be saved on your network home drive or a shared drive designated for this purpose. Files are physically secured in our corporate data centers Files are backed up regularly and can be restored Limited access Your network home drive can only be accessed by you. Shared drives set up for confidential information allow users to collaborate and share files only with those users specifically granted access Need a shared drive? Call the IS Help Desk or request one on HealthPort
28 Local Drives Confidential information must not be saved on local hard drives except when necessary Your C: drive is your local drive which is in your computer Local drives have: Less physical security Are not backed up May be accessible to others that use your computer Shared computers are common throughout the Health System, but you should not save files to your local drive unless absolutely necessary Note where you save the file Delete and empty your recycle bin when done with the file
29 Mobile Devices Risks to Health Information Risks vary based on the mobile device and its use. Some risks include: A lost or stolen mobile device Inadvertently downloading viruses or other malware Unintentional disclosure to unauthorized users Using an unsecured Wi-Fi network Encryption is required!
30 Take the Steps to Protect and Secure Health Information When Using a Mobile Device Protect and secure health information when using mobile devices In a public space On site At a remote location Regardless of whether the mobile device is Personally owned, bring your own device (BYOD) Provided by our organization Dispose of USB drives and other media that may contain PHI Call the Help Desk for assistance
31 Mobile Devices & Health Information Sharing your mobile device password or user authentication Allowing the use of your mobile device by unauthorized users Storing or sending unencrypted health information with your mobile device Ignoring mobile device security software updates Downloading applications (apps) without verifying they are from a trusted source Leaving your mobile device unattended Using an unsecured Wi-Fi network Discarding your mobile device without first deleting all stored information Ignoring our mobile device policies and procedures
32 Bring Your Own Device (BYOD) What is BYOD? Any non-health System device owned by a workforce member that is used for business purposes. Examples include personal laptops, smartphones, or handheld devices. Securing Mobile Devices Use Passcodes Avoid SMS Phishing Update Your Devices Use Mobile Applications Wisely Limit Your Use of Bluetooth
33 Database Security What is Database Security? The practice of providing security controls for vendor databases such as Oracle, Microsoft SQL, and Microsoft Access. NSLIJHS data contained in Microsoft spreadsheets or other system applications may be loosely defined as a database. Security Controls associated include: Limited access to database systems Strong password usage Physical security for database server infrastructure Secure central network storage of data Monitoring of database systems and audit logs Isolate Production data to production environments
34 Know Your Policies Computer Use Policy Internet Usage Policy User Password Policy Electronic Mail Acceptable Use Policy Data Classification and Handling Policy Data Encryption and Integrity Policy Information Systems Review and Audit Controls Policy Equipment Disposal Policy HealthPort Information Services Policies
35 For More Information Have questions? Call the IS Helpdesk at (718, 516, 631) Get IT Security tips: See NSLIJ IT Security Policies: Office of Research Compliance guidance on electronic security: Tools and Guidance Electronic Security Ashish Narayan: Director, Information Systems, FIMR David Woska: Director, Information Security, OCIO