PREP Course #25: Hot Topics in Cyber Security and Database Security. Presented by: Joe Baskin, Manager, Information Security, OCIO, JBaskin@nshs.edu




Objectives: Discuss hot topics in cyber security and database security.

CME Disclosure Statement: The North Shore-LIJ Health System adheres to the ACCME's new Standards for Commercial Support. Any individuals in a position to control the content of a CME activity, including faculty, planners, and managers, are required to disclose all financial relationships with commercial interests. All identified potential conflicts of interest are thoroughly vetted by North Shore-LIJ for fair balance and scientific objectivity and to ensure appropriateness of patient care recommendations. Course Director and Course Planner, Kevin Tracey, MD, and Tina Chuck, MPH, have nothing to disclose. Joe Baskin is the speaker and has nothing to disclose.

What are today's Hot Topics in IT Security?
  Cyber Security
  Encryption
  Social Engineering
  Cloud Storage
  Mobile Security
  Database Security

Drivers

Cyber Security Agenda
  What is Cyber Security?
  Industry Statistics
  Sources and Types of Cyber Attacks

Cyber Security: What is Cyber Security? Cyber security refers to the technologies and processes designed to protect computers, networks and data from unauthorized access, vulnerabilities and attacks delivered via the Internet by cyber criminals. A cyber attack is an attempt to damage, disrupt, or gain unauthorized access to a computer, computer system, data or electronic communications network. A cyber crime is the illegal use of computer technology and the Internet, e.g. the Target credit card breach (~110M records) and the CA Health System unencrypted laptop loss (~729K records).

Cyber Security: Sources & Types of Cyber Attacks
  Malware & Malicious Code (Viruses, Worms, Trojans): software that is intended to damage or disable computers and computer systems.
  Botnets: a network of private computers infected with malicious software and controlled as a group without the owners' knowledge.
  Phishing: an e-mail fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients.
  Web-based attacks: means by which malicious code exploits a system's security safeguards.
  Denial of Service: an attack on a computer system or website, aimed at disrupting its normal functionality.
  Malicious insiders: a threat that comes from people within the organization, such as employees, former employees, contractors or business associates.

Cyber Security

Cyber Security: Patient Records Breached per Day (avg.) (chart). Medical record data is worth $50 on the black market, much more than Social Security numbers ($3), credit card information ($1.50), date of birth ($3), or mother's maiden name ($6). Sources: 1. DHC: EHR Data Target for Identity Thieves, MedPage Today, 12/07/2011. 2. http://www.welivesecurity.com/2013/08/14/healthcare-it-security-infographic-stats-point-to-big-privacy-holes/

Cyber Security: Primary Causes of Breaches (chart). Source: http://www.backgroundcheck.org

Information Security Myths versus Reality
Myth: If I have antivirus software installed, I'm safe. Reality: Studies show that a third of all PCs with up-to-date antivirus software have a virus right now [1].
Myth: I don't need to worry; I have no vital documents on my home computer, just music, photos, and videos. Reality: Hackers are increasingly focused on home computers, regardless of their contents. The strategy is to use your PC as a toehold into your digital life. Modern malware can sit on your computer for months, building a profile of your identity, finances, passwords, and sensitive documents.
[1] National Security Institute, Inc.

Information Security Myths versus Reality
Myth: Cybercrime isn't any worse now than it's been in the past. Reality: Cybercrime is up sharply in the last year. Experts have noted staggering growth in the number and sophistication of attacks; home and work computers are now the weak point.
Myth: I would know if I had a virus on my computer. Reality: Most viruses and malware don't slow down or crash your computer. It may surprise you to learn that most people who have a virus or malware have no idea they've been compromised.

Cyber Security: Healthcare Statistics. Hospitals and physician practices were responsible for 32% and 28% of the total breaches in healthcare, respectively. Since July 2011, physician practices have become the most breached organization type, surpassing hospitals/health systems. Government institutions (including VA hospitals) have experienced the greatest loss of records (40%). Insiders were responsible for 23% of breaches, accounting for 13% of records breached. In addition to causing potential harm to patients such as financial and medical identity theft, security breaches result in significant financial expenses to the organization. The average cost of a data breach over a two-year period was $2.4 million, a 15% increase compared to 2010. Source: http://networkingexchangeblog.att.com/enterprise-business/cyber-attacks-and-security-in-healthcare

Cyber Security: IT Safeguards at NSLIJ
IT Security Safeguards
  Perimeter Controls and Firewall Technologies that protect against external threats.
  Mobile Device Protection (Encryption) for phones, tablets and portable devices.
  Antivirus and Anti-spam to protect computers, laptops and servers.
  Intrusion Detection/Prevention that inspects dataflow, sending alerts of potential threats.
  Security Event Monitoring to proactively detect suspicious activity.
  Patient Privacy Monitoring and Application Breach Detection to detect suspicious activity on our clinical applications.
  Segregated Cardholder Data Environment providing an additional layer of security for payment transactions.
Employee Training & Awareness
  Annual Compliance Training throughout the Health System on proper security and privacy practices.
  Security Awareness and Alerts published on HealthPort.
  Periodic security reminders, email alerts, newsletters and posters.

Encryption

How Encryption Works: Encryption is a method to keep your personal information secure. Encryption scrambles the information you send over the internet into a code so that it's not accessible to others. How to tell if a website is encrypted: look for https at the beginning of the web address (the s is for secure). When completing online transactions, some websites use encryption only on the sign-in page, but if any part of your session isn't encrypted, your entire account could be vulnerable. Therefore, look for https on every page you visit.

Removable Media: Confidential information must not be saved on removable media such as CDs, DVDs, and USB flash drives unless absolutely necessary, and you must encrypt it! Follow Health System policies for:
  Encryption (900.25 Data Encryption and Integrity)
  Handling media (900.26 Device and Media Control)
  Disposal of media (900.29 Equipment Disposal)
  Handling of PHI (800.02 Use, Access and Disclosure of PHI with Valid Authorization)
Need assistance with encryption or disposal? Call the IS Help Desk!

Social Engineering: What is Phishing? Phishing is a psychological attack used by cyber criminals to trick you into giving up information or taking an action. What does a typical attack look like? An attack begins with a cyber criminal sending a message pretending to be from someone or something that you know, such as a friend, your bank or a well-known store. These messages then entice you into taking an action, such as clicking on a malicious link, opening an infected attachment, or responding to a scam.

Social Engineering: What is Spear Phishing? A targeted attack on a very few select individuals. Cyber attackers research their intended targets, for example by reading the intended victims' LinkedIn or Facebook accounts or any messages posted on public blogs or forums. Why should I care? You may not realize it, but you are a target at work and at home. You and your devices are worth a tremendous amount of money to cyber criminals, and they will do anything they can to hack them. YOU are the most effective way to detect and stop phishing.

Social Engineering: Anatomy of a phishing email (annotated screenshot)
  A. Check email addresses
  B. Generic salutation
  C. Grammar or spelling mistakes
  D. Immediate action
  E. URL link
  F. Suspicious attachment
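The six indicators above, turned into a detection routine as an added Python example (not from the presentation): it parses a raw message and reports which of A, B, D, E and F fire; C (grammar and spelling) needs a spell checker and is left out. The sender domains, keyword lists and the sample message are all constructed for this example.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed keyword lists; a real filter would tune these from its own mail stream.
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear member", "dear account holder")
URGENCY_PHRASES = ("immediately", "within 24 hours", "urgent", "will be suspended", "verify now")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".zip", ".docm", ".xlsm")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def phishing_indicators(raw: str) -> list:
    """Letters of the slide's indicators (A, B, D, E, F) that fire on a raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        found.append("A")   # A: replies are steered to a domain other than the visible sender
    text, html, attachments = "", "", []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachments.append(part.get_filename() or "")
        elif part.get_content_type() == "text/plain":
            text += part.get_content()
        elif part.get_content_type() == "text/html":
            html += part.get_content()
    body = (text or re.sub(r"<[^>]+>", " ", html)).lower()
    if any(body.lstrip().startswith(s) for s in GENERIC_SALUTATIONS):
        found.append("B")   # B: generic salutation instead of the recipient's name
    if any(p in body for p in URGENCY_PHRASES):
        found.append("D")   # D: pressure to act immediately
    for href, label in ANCHOR_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", label).strip().lower()
        host = (urlparse(href).hostname or "").lower()
        if "." in shown and host and host not in shown:
            found.append("E")   # E: link text shows one host, the href leads to another
            break
    if any(name.lower().endswith(RISKY_EXTENSIONS) for name in attachments):
        found.append("F")   # F: attachment type that can carry executable content
    return found

def build_sample() -> str:
    """Constructed message exhibiting A, B, D, E and F (not a real phishing email)."""
    m = EmailMessage()
    m["From"] = "Example Bank Support <alerts@example-bank.com>"
    m["Reply-To"] = "support@mail-verify.example.net"
    m["To"] = "staff@hospital.example"
    m["Subject"] = "Account notice"
    m.set_content("Dear Customer,\nYour account will be suspended unless you verify now.")
    m.add_alternative('<p>Dear Customer,</p><p>Your account will be suspended unless you visit '
                      '<a href="http://login.mail-verify.example.net/x">example-bank.com/secure</a>.</p>',
                      subtype="html")
    m.add_attachment(b"not an archive", maintype="application", subtype="zip", filename="statement.zip")
    return m.as_string()
```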

Cloud Computing What is Cloud Computing? Information processing residing on remote systems maintained by a third-party vendor, and accessed from the Internet. What is our policy for Cloud Based Storage? Internet/Cloud based storage must not be used to store or disseminate Sensitive and Highly Sensitive information such as PHI or PII without proper approval processes that include IT Contracts, Office of Procurement, OCIO Security, and Research Administration when appropriate. Users must follow proper procedures by saving Sensitive and Highly Sensitive information on a shared drive.

Save it to your Network Drive: Confidential information should be saved on your network home drive or a shared drive designated for this purpose.
  Files are physically secured in our corporate data centers.
  Files are backed up regularly and can be restored.
  Limited access: your network home drive can only be accessed by you. Shared drives set up for confidential information allow users to collaborate and share files only with those users specifically granted access.
Need a shared drive? Call the IS Help Desk or request one on HealthPort.

Local Drives: Confidential information must not be saved on local hard drives except when necessary. Your C: drive is the local drive inside your computer. Local drives:
  have less physical security
  are not backed up
  may be accessible to others that use your computer
Shared computers are common throughout the Health System, but you should not save files to your local drive unless absolutely necessary. Note where you save the file, and delete it and empty your recycle bin when done with the file.

Mobile Devices: Risks to Health Information. Risks vary based on the mobile device and its use. Some risks include:
  A lost or stolen mobile device
  Inadvertently downloading viruses or other malware
  Unintentional disclosure to unauthorized users
  Using an unsecured Wi-Fi network
Encryption is required!

Take the Steps to Protect and Secure Health Information When Using a Mobile Device. Protect and secure health information when using mobile devices:
  in a public space
  on site
  at a remote location
regardless of whether the mobile device is:
  personally owned (bring your own device, BYOD)
  provided by our organization
Dispose of USB drives and other media that may contain PHI; call the Help Desk for assistance.

Mobile Devices & Health Information
  Sharing your mobile device password or user authentication
  Allowing the use of your mobile device by unauthorized users
  Storing or sending unencrypted health information with your mobile device
  Ignoring mobile device security software updates
  Downloading applications (apps) without verifying they are from a trusted source
  Leaving your mobile device unattended
  Using an unsecured Wi-Fi network
  Discarding your mobile device without first deleting all stored information
  Ignoring our mobile device policies and procedures

Bring Your Own Device (BYOD): What is BYOD? Any non-Health System device owned by a workforce member that is used for business purposes. Examples include personal laptops, smartphones, or handheld devices.
Securing Mobile Devices:
  Use passcodes
  Avoid SMS phishing
  Update your devices
  Use mobile applications wisely
  Limit your use of Bluetooth

What is Database Security? The practice of providing security controls for databases such as REDCap, BUDDY, and other applications that have been approved by IS Security. Associated security controls include:
  Limited access to database systems (role-based access)
  Strong password usage
  Secure central network storage of data
  Monitoring of database systems and audit logs
  Isolating production data to production environments

Database Security: Limited access to database systems (role-based access). Define user roles:
  Administrator (full access: read, write, delete)
  Editor (read, write)
  Reviewer (read only)
Access rights should be granted to a group; then place the user in the appropriate group.

Strong Password Usage Database Security

Strong Password Usage (Database Security): The NSLIJHS Standard for application passwords
  Minimum password length: 8 characters
  Password complexity: passwords should contain characters from at least three of the following 4 categories:
    o Lower case letter [a-z]
    o Upper case letter [A-Z]
    o Numeric [0-9]
    o Special character [! @ # $ % ^ & * ( ) _ + ~ - = \ ` { } [ ] : " ; ' < > ? , . / space]
  Password expiration: 90 days
  History (generations): 12
  Lockout threshold: Five (5) consecutive failed login attempts within 15 minutes result in a user's account being locked.
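The standard above carried through in code, as an added Python example that is not from the presentation or the Health System: a category check using the slide's exact special-character set, a 12-generation history, and the five-failures-in-15-minutes lockout. The per-account salt, the PBKDF2 hashing of the history and the failure timestamps are assumptions of this example.

```python
import hashlib
from collections import deque
from datetime import datetime, timedelta

# Values taken from the standard on the slide.
MIN_LENGTH = 8
REQUIRED_CATEGORIES = 3      # out of the four character categories
HISTORY_GENERATIONS = 12
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=15)
# The special-character set exactly as listed, including the trailing "space".
SPECIALS = set("!@#$%^&*()_+~-=\\`{}[]:\";'<>?,./ ")

def category_count(password: str) -> int:
    """How many of the four character categories the password draws from."""
    return sum([any("a" <= c <= "z" for c in password),
                any("A" <= c <= "Z" for c in password),
                any("0" <= c <= "9" for c in password),
                any(c in SPECIALS for c in password)])

class AccountPolicy:
    """Password history and lockout state for one application account."""
    def __init__(self, salt: bytes):
        self.salt = salt                                  # constructed per-account salt
        self.history = deque(maxlen=HISTORY_GENERATIONS)  # hashes of the last 12 passwords
        self.failures = deque()                           # timestamps of recent failed logins
        self.locked = False

    def _hash(self, password: str) -> bytes:
        # Stored history must not reveal old passwords; PBKDF2 from the stdlib is
        # used here, a real deployment would reuse its normal password hashing routine.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def set_password(self, password: str) -> str:
        """Return 'ok' when accepted, otherwise the reason for rejection."""
        if len(password) < MIN_LENGTH:
            return "shorter than 8 characters"
        if category_count(password) < REQUIRED_CATEGORIES:
            return "fewer than 3 of the 4 character categories"
        digest = self._hash(password)
        if digest in self.history:
            return "reused within the last 12 generations"
        self.history.append(digest)   # the deque discards the 13th-oldest hash
        return "ok"

    def record_failed_login(self, when: datetime) -> bool:
        """Count a failed attempt; True once 5 fall inside a 15-minute window."""
        self.failures.append(when)
        while when - self.failures[0] > LOCKOUT_WINDOW:
            self.failures.popleft()   # attempts older than the window no longer count
        if len(self.failures) >= LOCKOUT_THRESHOLD:
            self.locked = True
        return self.locked

def locked_after(minute_offsets) -> bool:
    """Replay failed logins at the given minute offsets on a fresh account."""
    acct, start = AccountPolicy(b"constructed-salt"), datetime(2014, 6, 4, 9, 0)
    for m in minute_offsets:
        acct.record_failed_login(start + timedelta(minutes=m))
    return acct.locked
```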

Database Security: Physical security for database server infrastructure
  Locked room or cage
  Cooling
  Redundant power
  Record access to the room (log book, ID card reader)
  Never allow anyone in unattended
  Backup media must be secured (and encrypted)

Database Security: Secure central network storage of data. Encrypt! Encrypt! Encrypt!
  Encrypt the storage system: full disk encryption
  Encrypt the database: built-in or 3rd-party tools can provide DB encryption
  Encrypt tables within the database: encrypt tables that might contain ePHI or other sensitive or confidential information

Database Security: Monitoring of database systems and audit logs. Monitoring and review of audit logs is required to maintain the integrity of the data.
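The role definitions from the role-based access slide and the audit-log review required here, as one added Python example that is not from the presentation or from REDCap: rights live on groups and users inherit them by membership, rights granted straight to a user are flagged, and a constructed audit log in a timestamp/user/action/record shape is checked against each actor's role. The user names, grants and log lines are all constructed for this example.

```python
import csv
from io import StringIO

# Rights belong to roles (groups), as the slide prescribes; users get them only by membership.
ROLE_RIGHTS = {"Administrator": {"read", "write", "delete"},
               "Editor": {"read", "write"},
               "Reviewer": {"read"}}

# Constructed membership and a constructed export of rights assigned directly to users.
MEMBERSHIPS = {"alice": ["Administrator"], "bob": ["Editor"], "carol": ["Reviewer"]}
DIRECT_GRANTS = {"bob": {"delete"}, "carol": set()}

# Constructed audit log with the timestamp/user/action/record columns an application
# such as REDCap records per event (not a real REDCap export).
SAMPLE_LOG = """\
timestamp,user,action,record
2014-06-04 09:01:12,carol,read,1001
2014-06-04 09:05:47,carol,write,1001
2014-06-04 09:07:03,bob,delete,1002
2014-06-04 09:09:30,alice,delete,1002
2014-06-04 09:15:00,tmpvendor,read,1003
"""

def effective_rights(user: str, memberships: dict) -> set:
    """Rights held through group membership; anything granted directly is deliberately ignored."""
    return set().union(*(ROLE_RIGHTS[g] for g in memberships.get(user, [])))

def direct_grant_findings(direct_grants: dict) -> list:
    """Rights assigned straight to a user bypass the group model and should move to a group."""
    return [(user, sorted(rights)) for user, rights in direct_grants.items() if rights]

def audit_log_findings(log_text: str, memberships: dict) -> list:
    """(timestamp, user, action, reason) for each entry the actor's role does not cover."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        rights = effective_rights(row["user"], memberships)
        if not rights:
            findings.append((row["timestamp"], row["user"], row["action"], "no group membership"))
        elif row["action"] not in rights:
            findings.append((row["timestamp"], row["user"], row["action"], "exceeds role"))
    return findings
```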

Example of a REDCap audit log Database Security

Database Security: Isolate production data to production environments
  Development, test and QA environments should not have production data
  Developers, vendors and other 3rd parties should not see ePHI
  Use de-identified or dummy data for development work
  If a vendor or other 3rd party requires access to production, a Business Associate Agreement (BAA) must be in place

For More Information
  Have questions? Call the IS Helpdesk at (718, 516, 631) 470-7272
  Get IT Security tips: https://nslijhp.northshorelij.com/employees/computersecuritytips/pages/default.aspx
  See NSLIJ IT Security Policies: https://nslijhp.northshorelij.com/nslij/departments/is/toolbox/pages/default.aspx
  Office of Research Compliance guidance on electronic security: http://nslij.com/orc (Tools and Guidance, Electronic Security)
Ashish Narayan: Director, Information Systems, FIMR
Joe Baskin: Manager, Information Security, OCIO