Enabling Research Securely Data Security Plans



Similar documents
Cyber Security. John Leek Chief Strategist

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

AgriLife Information Technology IT General Session January 2010

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

PROPOSED PROCEDURES FOR AN IDENTITY THEFT PROTECTION PROGRAM Setoff Debt Collection and GEAR Collection Programs

HIPAA Security Alert

AT&T Global Network Client for Windows Product Support Matrix January 29, 2015

FINAL May Guideline on Security Systems for Safeguarding Customer Information

HIPAA Compliance Evaluation Report

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

Case 2:08-cv ABC-E Document 1-4 Filed 04/15/2008 Page 1 of 138. Exhibit 8

Information Security Policy Manual

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services

COMPARISON OF FIXED & VARIABLE RATES (25 YEARS) CHARTERED BANK ADMINISTERED INTEREST RATES - PRIME BUSINESS*

COMPARISON OF FIXED & VARIABLE RATES (25 YEARS) CHARTERED BANK ADMINISTERED INTEREST RATES - PRIME BUSINESS*

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two Information Security in Universities

Information Technology. Information and Systems Security/Compliance Information Security Vulnerability Assessment Program Version: 1.

Boston Public Schools. Guidelines for Implementation of Acceptable Use Policy for Digital Information, Communication, and. Technology Resources

HIPAA Security Education. Updated May 2016

A practical guide to IT security

Data Loss Prevention Program

Healthcare Cybersecurity Risk Management: Keys To an Effective Plan

BYOD. opos WHAT IS YOUR POLICY? SUMMARY

Phone Fax

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

The Department of Health and Human Services Privacy Awareness Training. Fiscal Year 2015

UF IT Risk Assessment Standard

HIPAA COMPLIANCE AND

McAfee Endpoint Protection Products

Presented by: Mike Morris and Jim Rumph

HIPAA SECURITY RULES FOR IT: WHAT ARE THEY?

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services

Protecting Sensitive Data Reducing Risk with Oracle Database Security

When HHS Calls, Will Your Plan Be HIPAA Compliant?

Walton Centre. Document History Date Version Author Changes 01/10/ A Cobain L Wyatt. Monitoring & Audit

Research Information Security Guideline

PII Compliance Guidelines

ACE Advantage PRIVACY & NETWORK SECURITY

Data Management Policies. Sage ERP Online

Information Security It s Everyone s Responsibility

Did you know your security solution can help with PCI compliance too?

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

CREDIT CARD MERCHANT POLICY. All campuses served by Louisiana State University (LSU) Office of Accounting Services

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.

Protecting personally identifiable information: What data is at risk and what you can do about it

Business ebanking Fraud Prevention Best Practices

Whitepaper on AuthShield Two Factor Authentication with ERP Applications

Deep Security Vulnerability Protection Summary

What s New with HIPAA? Policy and Enforcement Update

Policy for Protecting Customer Data

C.T. Hellmuth & Associates, Inc.

Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services

HIPAA Security COMPLIANCE Checklist For Employers

Cyber Self Assessment

Cyber Security Threats Shehzad Mirza Director of the MS ISAC SOC

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

Consumer ID Theft Total Costs

Deep Security Intrusion Detection & Prevention (IDS/IPS) Coverage Statistics and Comparison

Building The Human Firewall. Andy Sawyer, CISM, C CISO Director of Security Locke Lord

Checklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security

TERMS OF REFERENCE FOR THE HUMAN RESOURCES AND COMPENSATION COMMITTEE

HFS DATA SECURITY TRAINING WITH TECHNOLOGY COMES RESPONSIBILITY

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

MAXIMUM PROTECTION, MINIMUM DOWNTIME

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

California State University, Sacramento INFORMATION SECURITY PROGRAM

Transcription:

Carl Cammarata, Senior Director-Chief Information Security Officer & David Kovarik, Director-IT Information & Systems Security/Compliance

Enabling Research Securely Plans New policy announced by Dean Nielson on May 5, 2015. All NU IRB protocols for clinical research studies with principal investigator appointments at FSM now require a documented data security plan. - Plans are required for all new clinical research studies - Plans are required for existing studies at continuing review/renewal Plan will be submitted through the RSS of the IRB/RSS system. All plans submitted to audit and verification. The plan will guard against accidental disclosure of personal data, which could harm not only study participants, but also the university s research efforts. The plan will also help investigators comply with university, state, and federal regulations. Increases awareness of security requirements. Policy, template and examples: http://www.feinberg.northwestern.edu/it/standards-policies/information-security/index.html Questions & support, FSMIT-policy@northwestern.edu

Enabling Research Securely Plans 13 questions checklist or short answer covering the following areas Data sensitivity Data flow & transmission Data storage Data access Data backup & recovery Data retention (archiving)

Enabling Research Securely NM Enterprise Data Warehouse New policy announced by Dean Nielson on May 5, 2015. Data recorded in Northwestern Medicine electronic medical records systems (e.g., EPIC, Cerner) for clinical care and desired to be used for research must be obtained from the Northwestern Medicine Enterprise Data Warehouse. Chart abstraction for research purposes or chart abstraction for clinical care purposes then later repurposed for research purposes is prohibited. Data not recorded in Northwestern Medicine electronic medical records system (e.g., EPIC, Cerner) but collected for research purposes such as patient reported outcomes and patient/family interview results conducted in a non-clinical care research setting are not in scope of this policy. Policy: http://www.feinberg.northwestern.edu/it/standards-policies/research-use-of-edw-data.html Questions & support, nmedwresearch@northwestern.edu

Enabling Research Securely How can we improve, reduce risk? Encrypt devices Use NU/FSM approved storage Manage and secure servers/devices Know where data is and backup it up Maintain hardware and software to maintenance and patching standards Increase awareness Security is a shared responsibility Work collaboratively with FSM IT Not knowing is not OK Not wanting to is not OK

Enabling Research Securely Current State of Information Security Encryption compliance Migration of servers, desktops & laptops to a secure environment Investing in secure storage, backup, archives; no direct Internet access Knowing where data located: mapped to an approved study Security evolves, is never done The enormity of FSM Diverse, complex, breadth & volume of research Huge volume of research data Technology investments

Information = Asset Budgets HR Data Contracts Research Personal Professional Invoices, receipts, payments, planning, forecasting Compensation, pension, benefits, performance Terms & conditions, nondisclosure, service agreements IP, patents, consent agreements, patient records SSNs, credit cards, DoB, medical/health records, certificates Accomplishments, CV, degrees, awards, reputation If it s worth collecting, it s worth protecting

Threat Landscape Higher Education Mon/Year Entity Cause: Effect Dec 2015 University of Connecticut Breach/Malware: Unknown Oct 2015 University of Oklahoma Stolen laptop: 7693 ephi Sep 2015 Louisiana State Med School Stolen laptop: 5000 ephi Sep 2015 UCLA Health System Stolen laptop: 1200 ephi Aug 2015 University of Virginia Breach (China): Unknown Jul 2015 UCLA Health System Breach: 4.5 million ephi Jul 2015 Harvard University (8 colleges) Breach: Unknown May 2015 Pennsylvania State/Engineering https://www.privacyrights.org/data-breach https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf Breach (China): 18000+

Threat Landscape - Northwestern Mon/Year Entity Cause: Effect Dec 2015 Northwestern IT Misconfigured server: Spamming Nov 2015 FSM IT Open access list: 44 SSNs (no exposure) Sep 2015 WCAS Misconfigured server: No PII or L/CR Aug 2015 MEAS Cause: 2 stolen Effect laptops: No PII or L/CR Jul 2015 Ford Building Stolen server: No PII or L/CR Oct 2014 FSM Stolen laptop: No PII or L/CR Jun 2014 FSM Misconfigured server: 400 ephi, notification Mar 2014 Travel Credit card fraud: $18000

Threat Landscape Highly automated Indiscriminate and targeted attacks 24 X 7 never takes a vacation, never takes a holiday Medical records now more valuable than financial (e.g., credit cards) Hacktivist Criminal Insider Espionage Terrorism Warfare https://www.checkpoint.com/threatportal/livemap.html https://cybermap.kaspersky.com/

Simple Steps to Security Replace password with longer/stronger passphrase Use a PIN on phones & tablets Treat personal information like cash Control changes to your environment Use secure & approved storage Keep systems & applications current Use encryption, anti-malware, anti-virus Phishing: Be aware, don t click on links Trust but verify It just has to be good enough

Security Contacts NUIT - Information & Systems Security/Compliance To report or make inquiries, contact the NUIT Help Desk at 847-491-4357 or 1-HELP (from on campus) Email: security@northwestern.edu Dave Kovarik, Director Email: david-kovarik@northwestern.edu Office: 847-467-5930 FSM IT To report or make inquiries, contact the NUIT Help Desk at 847-491-4357 or 1-HELP (from on campus) Email (end user support): fsmhelp@northwestern.edu Email (IT Security Policy): FSMIT-policy@northwestern.edu Carl Cammarata, Senior Director Chief Information Security Officer Email: carl.cammarata@northwestern.edu Office: 312-503-2822

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information