Course # 155 CPU 911! A Guide to Office Computer Security
DISCLOSURE STATEMENT: No disclosures.

SECO 2012, February 29 to March 4, 2012
Course Title: CPU 911! A Guide to Office Computer Security
Lecturer: Adam Parker, O.D.

Please silence all mobile devices. At the conclusion of this course, please properly dispose of your trash as you leave this room.
Supported by an educational grant from VSP

Technically inclined?

What's the risk?
o Data/privacy leak
o Data corruption
o Data theft
o Hardware/software corruption
o Wasted staff time
o Wasted $$$

What do data thieves want?
Medical records?? Eye color? NO!
o Names
o Birthdates
o SSNs
o Addresses
o Email
o Phone number
"Identity Theft"

Consequences?
You must notify every patient about the data breach.
o Individual notices: first class mail, email, website posting
o Notify local media: major print or broadcast media; include a 1-800 phone number
o Notify the Secretary of Health & Human Services
Measure Your Risk
What level of risk is any one OD office? Low? Med? High?

Low Risk Office
o Rural
o Stand alone
o Low volume
o No internet

High Risk Office
o Connected
o Urban
o Mall
o Office park
o High volume

How to reduce risk: security. Be a smaller target.

Security encompasses...
o Individual computers
o Computers/hardware
o Network
o Internet
o People
Even your equipment!

Antivirus Software
Now much more than antivirus:
o Virus
o Spyware
o Malware
o Identity protection
o Antiphishing
o Parental controls
o And more

Free AV is for me
Plenty of free AV programs on the market work just fine:
o Antivir
o AVG
o Avast
o Panda
o And more

Basic rules of email security
o Never blindly open attachments without scanning them first - ever.
o Keep your AV updated.
o Inspect links inside emails.
o Never follow links asking you to log in.

Just insert!
Turn off autorun: http://support.microsoft.com/kb/967715
Disable access to exam room PC
Risks - can be your patients
LOCK COMPUTER WHEN YOU LEAVE THE ROOM! (Windows + L)

Hacker profiling...
Who would you trust more?

Network Security

OpenDNS
o Runs all of your traffic through a filter
o Protects against phishing or other blacklisted URLs
o Does not require hardware
o One option is free: opendns.com

Use router's filter settings
o Block websites by URL: Facebook, Twitter, Myspace
o Block all but the doctor's IP address
o Block by keyword: whatever you want (ESPN, gossip, fashion)
Wireless Security
o DO NOT USE OPEN WIRELESS
o DO NOT USE WEP! Crackable in 5 mins
o Use WPA encryption. Crackable, but usually not worth the hassle
o Enable wireless MAC filter
o Best defense? Do not use wireless at all

Free Wifi?
o Not a good idea
o Most people have 3G or even 4G now
o Why strain your network bandwidth?
o Puts you at risk

Free Wifi: what could possibly happen?

TURN OFF DHCP in router
o Bank-level security
o Manually give specific IP
o Use non-default gateway
o Example: 192.168.333.1-100

Phishing, what is it?
"Someone is posting pictures of you on Twitter"

Phishing alerts
OpenDNS or current browsers will alert you to dangers (ltwitter.com)
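The "turn off DHCP" slide asks you to hand out fixed addresses and a non-default gateway by hand. The checker below is an added example (not from the course) that validates such a plan before it is typed into the router: it catches an address that is outside the subnet, a gateway left at the usual first host, a duplicate, and an address that is not a legal IPv4 literal at all. That last check matters because each octet must be 0-255, so a range written as 192.168.333.1-100 cannot exist on any network. The subnet, gateway and host names below are constructed for the example.

```python
"""Sanity-check a static addressing plan for a small office that has turned off DHCP.
Added example, not course material; the office hosts below are constructed."""
import ipaddress

# Constructed plan: subnet, chosen gateway, and one fixed address per device.
OFFICE_NET = "192.168.77.0/24"
GATEWAY = "192.168.77.254"          # deliberately not the usual .1
HOSTS = {
    "doctor-pc": "192.168.77.10",
    "front-desk": "192.168.77.11",
    "exam-room-1": "192.168.77.12",
    "server": "192.168.77.20",
}


def check_plan(net_str, gateway_str, hosts):
    """Return a sorted list of problems with the plan; an empty list means it is consistent."""
    problems = []
    try:
        net = ipaddress.ip_network(net_str, strict=True)
    except ValueError as exc:
        # e.g. "192.168.333.0/24": an octet above 255 is rejected here
        return [f"bad network {net_str!r}: {exc}"]

    def parse(label, addr):
        try:
            return ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"{label}: {addr!r} is not a valid address (octets are 0-255)")
            return None

    gw = parse("gateway", gateway_str)
    if gw is not None:
        if gw not in net:
            problems.append(f"gateway {gw} is outside {net}")
        elif net.num_addresses > 2 and gw == net[1]:
            problems.append(f"gateway {gw} is the default first host; use a non-default gateway")

    seen = {}
    for label, addr in hosts.items():
        ip = parse(label, addr)
        if ip is None:
            continue
        if ip not in net:
            problems.append(f"{label}: {ip} is outside {net}")
        if ip in (net.network_address, net.broadcast_address):
            problems.append(f"{label}: {ip} is reserved")
        if gw is not None and ip == gw:
            problems.append(f"{label}: {ip} collides with the gateway")
        if ip in seen:
            problems.append(f"{label}: {ip} duplicates {seen[ip]}")
        seen.setdefault(ip, label)
    return sorted(problems)


if __name__ == "__main__":
    print("office plan:", check_plan(OFFICE_NET, GATEWAY, HOSTS) or "OK")
    print("slide's example octet:", check_plan("192.168.333.0/24", GATEWAY, HOSTS))
```

Run it once with the real plan before changing the router; an empty result means every device has a unique, valid address inside the subnet and the gateway is not the predictable first host.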
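The email security slide says to inspect links and never follow one that asks you to log in, and the phishing slide shows the lure ("Someone is posting pictures of you on Twitter") with a look-alike domain, ltwitter.com. The script below is an added example, not part of the course, that applies those two rules to the links in an HTML email: it compares the visible link text with the real target, flags a target one or two characters away from a domain the office actually uses, and flags login-themed link text. The email body, the trusted-domain list and all function names are constructed for this example.

```python
"""Inspect the links in an HTML email: visible text vs. real target, look-alike
domains such as ltwitter.com, and links that ask you to log in.
Added example; the email and the trusted list below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the office actually does business with (assumed list for the example).
TRUSTED_DOMAINS = {"twitter.com", "facebook.com", "opendns.com"}
LOGIN_WORDS = ("log in", "login", "sign in", "verify", "password")


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable-domain guess: the last two labels (enough for .com-style hosts)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_link(href, text):
    """Return the reasons this link deserves suspicion (empty list if none)."""
    reasons = []
    target = registered_domain(urlparse(href).hostname or "")
    shown = text.strip()
    shown_host = None
    if "." in shown and " " not in shown:            # the visible text itself looks like a URL
        shown_host = urlparse(shown if "://" in shown else "//" + shown).hostname
    # 1. Visible text names one site but the link goes to another.
    if shown_host and registered_domain(shown_host) != target:
        reasons.append(f"text says {shown_host} but link goes to {target}")
    # 2. Target is untrusted but only an edit or two away from a trusted domain.
    if target not in TRUSTED_DOMAINS:
        for good in TRUSTED_DOMAINS:
            if edit_distance(target, good) <= 2:
                reasons.append(f"{target} looks like {good}")
    # 3. The slide's rule: never follow a link that asks you to log in.
    if any(w in shown.lower() for w in LOGIN_WORDS):
        reasons.append("link asks you to log in")
    return reasons


def inspect_email(html):
    """Map each href in the email body to its list of warnings."""
    parser = _LinkExtractor()
    parser.feed(html)
    return {href: inspect_link(href, text) for href, text in parser.links}


# Constructed sample: a lure like the one on the slide.
SAMPLE_EMAIL = """
<p>Someone is posting pictures of you on Twitter!</p>
<a href="http://ltwitter.com/login">Log in to see them</a><br>
<a href="http://www.evil-example.net/x">https://twitter.com/settings</a><br>
<a href="https://www.opendns.com/">OpenDNS dashboard</a>
"""

if __name__ == "__main__":
    for href, reasons in inspect_email(SAMPLE_EMAIL).items():
        print(href, "->", reasons or "looks OK")
```

The two-label domain guess is deliberately simple; it is fine for the .com addresses in the sample but would need a public-suffix list for country-code domains such as .co.uk.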
Update your browsers!
o Internet Explorer 6 = Bad
    o The swiss cheese of browsers
o IE 10 at the very least
o Chrome
o Firefox

Internet Filters (Parental Control)
o They work fairly well
o Must be installed on each PC
o Can block legitimate sites
o There is some free 3rd party software
o Built into Windows Vista and higher
o Most modern browsers now keep track of blacklisted sites

Dedicated web security appliance
o Simple URL filtering
o Antivirus/phishing
o Blocks blacklisted sites
o Allow personal surfing during certain times
o Will produce reports on web activity for each computer

Personnel Security
o Staff
o Other doctors
o Service personnel
o Optical managers
o Anyone with access to your network

Employee Theft
Can you ever really trust another human being, Greg?
"Hospital secretary 'accessed cancer patients' personal data and stole over $100,000 to fund her lavish lifestyle." Sept 13, 2011
No, you cannot, Greg.

Background Checks
o Quick
o Legal
o Google "background checks"
o Fairly cheap
o Save yourself the headache

Current Employees
o Acceptable Use Policy
o Protect and monitor your assets!

Acceptable Use Policy
o Log all website traffic
o Save all chat logs
o Let staff know they are being monitored
o Teach them the dos and don'ts of computer use
o Download one from the internet and personalize it
o Add as part of the employee contract

UltraVNC
o Allows you to see the monitor of an employee secretly

Direct Data Security
o Backups: offline, fireproof hard drives
o Lock the server room door if possible
o Redundant hardware: real servers have multiple everything; mirrored hard drives (RAID)
Backups 101
o Rule #1: Make more than one copy on more than one computer
o Rule #2: Use online backup in case of fire or theft
o Rule #3: Take the time to test the backup!

Use redundant hardware
o RAID = multiple hard drives
o Identical
o Reliable
o Fast

Fire/water proof backups
o $200 - $700
o Fireproof to 1550F
o Waterproof to 10 ft
o One BIG problem: easy to steal!

Online backup
o Cheap
o Easy
o Fireproof
o Waterproof
o Theftproof
o HIPAA compliant
o DO IT!
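Rule #3 says to test the backup, and a backup that was never verified is the one that turns out to be empty or silently corrupted on the day it is needed. The script below is an added example (not from the course) of the simplest useful test: record a SHA-256 manifest of the live data when the copy is made, then check any copy against that manifest and report files that are missing, changed, or unexpectedly present. The "patient" files and both backup copies are constructed in a temporary directory so the script runs anywhere; `build_manifest`, `verify_backup` and `demo` are names chosen for this example.

```python
"""Verify a backup against a SHA-256 manifest of the live data (Backups 101, Rule #3).
Added example, not course material; the sample files are constructed in a temp dir."""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large records files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative file path -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def verify_backup(backup_root, manifest):
    """Compare a backup tree to the manifest taken from the live data."""
    found = build_manifest(backup_root)
    return {
        "missing": sorted(set(manifest) - set(found)),
        "corrupted": sorted(p for p in manifest if p in found and found[p] != manifest[p]),
        "extra": sorted(set(found) - set(manifest)),
    }


def demo():
    """Constructed scenario: one good copy and one damaged copy of the same live data."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "live")
        os.makedirs(os.path.join(live, "patients"))
        with open(os.path.join(live, "patients", "records.csv"), "w") as f:
            f.write("id,name\n1,Sample Patient\n")          # constructed sample data
        with open(os.path.join(live, "schedule.txt"), "w") as f:
            f.write("Monday 9-5\n")

        # Manifest is written at backup time and stored separately from the copy.
        manifest_path = os.path.join(tmp, "manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(build_manifest(live), f)

        good = os.path.join(tmp, "backup-good")
        bad = os.path.join(tmp, "backup-bad")
        shutil.copytree(live, good)
        shutil.copytree(live, bad)
        os.remove(os.path.join(bad, "schedule.txt"))          # a lost file
        with open(os.path.join(bad, "patients", "records.csv"), "a") as f:
            f.write("garbage\n")                               # silent corruption

        with open(manifest_path) as f:
            stored = json.load(f)
        return verify_backup(good, stored), verify_backup(bad, stored)


if __name__ == "__main__":
    good_report, bad_report = demo()
    print("good backup:", good_report)
    print("bad backup:", bad_report)
```

Keep the manifest with the offsite or online copy as well as the fireproof drive; a hash list is small, and without it a restore test can only tell you that files exist, not that they are intact.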
Data Destruction
o Never donate, sell, or give away a hard drive
o Data must be either wiped (Dban, WipeDrive) or completely destroyed
o Call for local shred services

Use admin-only passwords
o Give staff one password; "Admin" has another
o Complex
o Unique
o DO NOT SHARE

Lock up your server room
o Computers are stolen often
o Do not make it easy
Office Computer Security Cheat Sheet

Individual Computer Security
o Antivirus at a minimum, or a whole security suite (AVG, Antivir, Avast, Norton)
o Disable autorun: http://support.microsoft.com/kb/967715
o Password and lock the PC when leaving the exam room (Windows + L)
o Set a screensaver with password for 3 mins or less

Data Security
o Backup! (and test your backups)
    o Fireproof hard drives
    o Online backup
    o Lock the door to the server room
o Enable redundant hardware
    o RAID mirror, backup server, etc.
o Data Destruction
    o Encrypt all important folders or the entire hard drive (TrueCrypt is free)
    o Destroy all old hard drives by wiping them clean, or hire a shred service

Wireless Security
o Do not use WEP encryption (use WPA instead)
o Use a strong (and secret) main password for the router
o Enable wireless MAC filter
o If possible, do not use wireless at all

Wired Security
o Use OpenDNS to filter web activity and protect the network
o Turn off DHCP if possible
o Look into a web security appliance (Barracuda, Cisco, Blue Coat)

Internet/Browsing Security
o Enable parental controls in Vista or higher
o Install NetNanny or a comparable parental control app
o Update all instances of Internet Explorer
    o Use an alternative browser such as Chrome or Firefox

Personnel Security
o Background checks
o Force an Acceptable Use Policy (free from the internet); add it to the employee contract
o Teach staff security basics (never open attachments, inspect email links)
o Never fully trust anyone

My office is: Low Risk / Medium Risk / High Risk
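Two of the cheat sheet's individual-computer items (and the "turn off autorun" slide earlier) come down to registry values on each Windows PC: NoDriveTypeAutoRun set to 0xFF under the Explorer policies key, which is the setting KB967715 describes for disabling autorun on every drive type, and the screen saver values under the user's Control Panel\Desktop key (active, password on resume, timeout in seconds). The script below is an added example, not from the course, written in Python so it can be run offline: `hardening_reg()` produces a .reg file an administrator can import, and `audit_reg_export()` reads a .reg export taken from an existing PC and lists which of these settings are missing or weaker than the cheat sheet asks for. The sample export is constructed for the example; the function names are mine.

```python
"""Generate and audit the registry settings behind two cheat-sheet items:
disable autorun (KB967715's NoDriveTypeAutoRun=0xFF) and a password-protected
screen saver within 3 minutes.  Added example; the sample export is constructed."""
import re

AUTORUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
DESKTOP_KEY = r"HKEY_CURRENT_USER\Control Panel\Desktop"
MAX_LOCK_SECONDS = 3 * 60   # cheat sheet: screen saver with password, 3 minutes or less


def hardening_reg(timeout_minutes=3):
    """Return .reg text applying both settings (0xFF = autorun off for every drive type)."""
    seconds = int(timeout_minutes * 60)
    if seconds > MAX_LOCK_SECONDS:
        raise ValueError("cheat sheet wants 3 minutes or less")
    return "\r\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        f"[{AUTORUN_KEY}]",
        '"NoDriveTypeAutoRun"=dword:000000ff',
        "",
        f"[{DESKTOP_KEY}]",
        '"ScreenSaveActive"="1"',
        '"ScreenSaverIsSecure"="1"',          # require the password on resume
        f'"ScreenSaveTimeOut"="{seconds}"',   # REG_SZ, in seconds
        # A screen saver program (SCRNSAVE.EXE) must also be selected in the display
        # settings for the timeout to take effect; that per-user choice is not set here.
        "",
    ])


def parse_reg(text):
    """Parse the subset of .reg syntax used above: [keys] holding "name"=value lines."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, value = m.group(1), m.group(2)
            if value.startswith("dword:"):
                keys[current][name] = int(value[len("dword:"):], 16)
            elif value.startswith('"') and value.endswith('"'):
                keys[current][name] = value[1:-1]
            else:
                keys[current][name] = value     # other value types kept raw
    return keys


def audit_reg_export(text):
    """Return findings; an empty list means both cheat-sheet settings are in place."""
    reg = parse_reg(text)
    findings = []
    autorun = reg.get(AUTORUN_KEY, {}).get("NoDriveTypeAutoRun")
    if autorun is None or autorun & 0xFF != 0xFF:
        findings.append(f"autorun not fully disabled (NoDriveTypeAutoRun={autorun})")
    desk = reg.get(DESKTOP_KEY, {})
    if desk.get("ScreenSaveActive") != "1":
        findings.append("screen saver not active")
    if desk.get("ScreenSaverIsSecure") != "1":
        findings.append("screen saver does not require a password")
    try:
        timeout = int(desk.get("ScreenSaveTimeOut", "0"))
    except ValueError:
        timeout = 0
    if timeout <= 0 or timeout > MAX_LOCK_SECONDS:
        findings.append(f"screen saver timeout {timeout}s is not within 3 minutes")
    return findings


# Constructed export from an unhardened exam-room PC.
SAMPLE_EXPORT = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{AUTORUN_KEY}]",
    '"NoDriveTypeAutoRun"=dword:00000091',
    "",
    f"[{DESKTOP_KEY}]",
    '"ScreenSaveActive"="1"',
    '"ScreenSaverIsSecure"="0"',
    '"ScreenSaveTimeOut"="900"',
    "",
])

if __name__ == "__main__":
    print("unhardened PC:", audit_reg_export(SAMPLE_EXPORT))
    print("after import:", audit_reg_export(hardening_reg()))
```

Exporting the two keys from each PC (reg export) and feeding the files to `audit_reg_export()` gives a quick way to confirm every exam-room machine actually got the settings, rather than assuming the .reg file was imported everywhere.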