Northwestern University Feinberg School of Medicine
Information Security at Feinberg School of Medicine: Past, Present, Future
Advisory Council for Clinical Research Monthly Lecture Series, October 18, 2013
Carl Cammarata, Chief Information Security Officer, Feinberg School of Medicine, Northwestern Medical Faculty Foundation; Interim Chief Information Security Officer, Northwestern Medicine
Learning Objectives
- Why is data security important in clinical research?
- What are our most serious security risks?
- What is Feinberg School of Medicine doing to improve its data security posture?
- What security services are being planned to support the clinical research process?
- Who is responsible for data security?
- Q&A
We live in an age where you are private by effort and public by default.
Your risks, your consequences:
- Human factors: self-disclosure of private information; weak, shared or too many passwords
- Importance of your data
- Reliance on others for privacy: social media sites, wrong security settings, security changed without notice, confidentiality, ex-friends
- Malicious code: viruses, spyware
- Social engineering: phishing, spam, too much data
- Compromised devices
- Lost or stolen data
- Identity theft
- Reputation
- Lost job or financial opportunities
Who is responsible for data security?
You are. We are. Everyone is.
(Photo by Aaron Muszalski)
Consequences of unauthorized disclosure can be significant:
- Potentially delayed patient benefits from research
- Distractions from the core mission
- Real direct and indirect costs resulting from mistakes, lack of awareness, negligence, remediation
- Public/internal embarrassment, negative publicity, reputation, furious patients
- Investigations, fines, penalties
- Financial losses (jobs, future/renewed grants, alumni giving)
Why is security important in clinical research?
- Patient privacy: preventing unauthorized disclosure
- Patient safety: availability of research data to address adverse events
- Data integrity from collection to analysis, reporting and regulatory submission
- Compliance with regulations, contract/grant criteria and University policy
What are our most serious security risks?
Research and PHI data being used as a conduit for medical identity theft, compromising research and affecting patient privacy and safety:
- Data unencrypted
- Data on personal devices
- Data on portable devices
- Data in the cloud
- Data in personal email
- Data unmanaged, unsecured
Other than data, our risks:
- Policies & Procedures require revision to improve clarity, expectations of behavior and compliance posture. (Risk: content varies considerably and is not consistently applied or understood.)
- Technology must be managed to Policy and accepted standards to minimize the risk of exposure of PHI and disruption of research. (Risk: security configuration of technology varies considerably. There is a non-trivial risk of PHI being inadvertently disclosed because of a misconfiguration, a malware-infected device or the proliferation of mobile devices.)
- As custodians of Research and Protected Health Information (PHI) we must ensure it is consistently and rigorously secured. (Risk: PHI is widely dispersed and is secured to varying degrees. There is a non-trivial risk of research data and PHI being inadvertently disclosed due to the absence of adequate protection or an incomplete knowledge of its location.)
Information Security Management Approach Supporting Clinical Research: Past, Present and Future
Improving our Security Posture: Timeline & Projects
(Timeline from past to present)
- HIPAA Security Rule Consulting Risk Assessment, September 2010
- FISMA / NIST secure projects (source: Warren Kibbe)
  o National Children's Study (NCS) Information Management Hub, March 2011
  o NCS South Regional Operational Center, September 2012
- HIPAA Compliance of Research Data Committee, November 2011
- CIO appointed, January 2012
- IT Security Policy including encryption requirements published, February 2012
- IT Security Policy all-user acknowledgment initiated, February 2012
- Executive IT Steering Committee formed, March 2012
- NUIT secure disk storage, offered August 2012
- Security dashboard reporting (encryption compliance), September 2012
- NMFF secure physical facilities, offered January 2013
- NMFF secure server farm, offered January 2013
- NMFF secure disk storage, offered March 2013
- CISO hired, March 2013
- IT Leadership and IT Working Group committees formed, March 2013
- Information Security Strategy and Plan, August 2013
- Network Security infrastructure project, completed August 2013
- Active Directory, Windows domain project, started August 2013, ongoing
- Managed secure device project, planning started September 2013
- Northwestern Medicine formed, August 2013
- Central IT Support environment, anticipated
Policy and technical foundations to reduce the risk of exposing research and PHI data.
Information Security Strategy & Plan
- Establish a managed and secure technology environment
- Publish revised and synchronized policies and procedures
- Clinical research information security services
  o Clinical research data security plans
  o FISMA
  o Clinical partners integration
- Executive Oversight & IT Security Committee
- Implement a risk assessment process
- PHI/PII asset management
Network Security Infrastructure Project
Description: Deliver an improved network connection between NU (FSM) and NMFF/NMH.
1. Installation of new network hardware
2. Creation of 3 service tiers: Tier 1 - NMFF network extension; Tier 2 - FSM Managed Network; Tier 3 - Unmanaged Network
Enable network connectivity from the Northwestern University (NU) network to the Northwestern Medical Faculty Foundation (NMFF) network to improve security and staff productivity through security tiers.
Project Team: Julian Koh, Warren Harding, Matt Wilson, John Brow, Ben Nicholson, Rocky Xu, Brian Griffin, Carl Cammarata, Jon Lewis, Danny Garza, Todd Nelson
Implementation: Julian Koh, Warren Harding, Matt Wilson, John Brow, Ben Nicholson, Rocky Xu, Danny Garza
Status: Completed
Benefits:
- Tier 1: device becomes part of the NMFF/NMH network, direct access to clinical resources
- Tier 2: direct access to FSM central resources, indirect access to clinical resources
- Tier 3: limited access to FSM central resources
Security Posture: Controls access to clinical resources based upon the integrity of the device and its access point on the network.
Active Directory, Windows Domain Project
Description: Deliver an upgraded central FSM domain focused on improving security and standardizing endpoint support. Update the existing FSM technical environment to enable centralized management of devices and standardized device configuration and security policy.
Project Team: Dong Fu, Jignesh Patel, Rocky Xu, Noah Xu, Michael Tittle, Brian Griffin, Carl Cammarata, Jon Lewis, Todd Nelson
Implementation: FSM IT Support Groups
Status: Active
Benefits:
- Enables uniform management of devices to software standards and enhanced security policy (e.g., software and security updates, encryption)
- Allows more efficient cross-departmental IT support services
- Establishes a prerequisite for future two-way device trust with NMFF/NMH
Security Posture: Devices can be managed and controlled from central support management consoles (application of security patches, installation and management of software such as encryption).
Managed, Secure Device Project
Description: The migration and standardization of FSM endpoints to the new Tier Managed environment defined by the related Network and Domain projects (Nexus and Zenith). Standardize configuration and management of endpoint devices to allow for security trust (and improved access productivity) between NU and NMFF through network security tiers and managed devices.
Project Team: Tim Hite, Alex Cohn, Frank Schleicher, Bob Valadka, Karen Kelly, Patrick Canevello, Brian Griffin, Carl Cammarata, Jon Lewis, Troy Alexander, Matt Newsted, Todd Nelson
Implementation: FSM IT Support Groups
Status: Planning
Benefits:
- Deploys standard images to endpoint devices
- Enables central management and more efficient problem resolution
- Device software updated and patched from central services
- Improved device reliability, serviceability, and integrity
Security Posture: Reduced risk of data disclosure resulting from malware infections. Efficient central management of endpoint devices and security software such as encryption.
Anticipated Technology Initiatives
- Mobile device security
- Wireless security
- Data loss prevention (DLP)
- Network access control (NAC)
- Two-factor authentication
- Vulnerability assessment tools
- Device theft risk mitigation (RFID, LoJack)
Anticipated Policy Portfolio

FSM IT Policy Category | Named Policy
---------------------- | ------------
Procurement            | IT Goods & Services
Integration            | Device Standards
Collaboration          | Email; File Sharing
Secure Storage         | Secure Storage
Backup & Retention     | Backup & Retention
Departmental Support   | Departmental Support
Local Networks         | Domain Device; Lab Device
Network Architecture   | Network Architecture
IT Security            | IT Security
Departmental IT Support Alignment
- Alex Cohn: IPHAM
- Daniel Erickson: Preventive Medicine
- Dawood Ali: Medical Social Sciences
- Frank Schleicher: Medicine, Surgery, a few others
- Fang Gao: Physical Therapy
- J C Thomas Rogers: Anesthesiology
- Jasmin Shah: Obstetrics/Gynecology
- Jeremy Fox: Physical Medicine and Rehabilitation
- Jeremy Prevost: Galter Library
- Jignesh Patel, Dong Fu: NUCATS
- Matthew Newsted: Center for Genetic Medicine
- Robert Valadka: Basic Science
- Sean Withrow: Radiology
- Troy Alexander: Pediatric Research
- Jonathan Lewis: Dean's Administration
Other departments on the slide (four of them marked as FSM/NMFF collaboration): Neurology, Psychiatry, Pathology, Lurie Cancer Center, Otolaryngology, Ophthalmology, Orthopaedic Surgery, Urology, Neurological Surgery, Emergency Medicine, Global Health, Radiation Oncology, Dermatology
Clinical Research Information Security Services
Data Security Plan Review: Human Subject Research Data Security Plans
Objective: to ensure all personally identifiable information and protected health information which is entered, stored, transmitted, analyzed, and reported as part of an approved IRB research protocol is properly and adequately secured throughout the research process.
Data Security Plans
The plan would describe the data flow and how the data is secured throughout the life of the research project, from initial data collection to reporting, publishing, registration and archiving. A plan would include, at least, the following, and describe the security capabilities of each. Plans may vary in complexity consistent with the complexity of the research:
- How and by whom will data be collected, transmitted and stored?
- How will data be secured at each stage in the workflow?
- How will access be controlled, and through what mechanisms?
- Where and how will data be encrypted?
- How will data be backed up, and at what frequency?
- Where will backup data be stored?
- What types of computing equipment will be part of the information workflow, and how will each type be secured?
- How will data be disposed of, and using what disposal mechanism?
Data Security Plan Review
Challenges
- Volume
- Workflow impact
- Change
Critical Success Factors
- Agreement among key stakeholders
- Fine-tuning a reliable (technology-driven) workflow with minimal disruption
- Triaging the review process based upon subject, data risk, study complexity
- Agreement on what approving a data security plan means
- Expedited process
- Exception process
- Staff resources
Data Security Plan Review
Integration Considerations
- Exempt protocols (non-human subject)
- Expedited (low risk, human subject)
- Rigor of review
  o EMR data
  o ePHI
  o Consented (PII, research data)
- Record of approval linked to research portfolio
- Rejection re-review cycle
- Technical integration of workflow
Next Steps
- Data security approaches currently reviewed on a case-by-case basis
- Continue to work toward developing a formal plan
FISMA
What is FISMA (Federal Information Security Management Act of 2002)?
From Wikipedia, the free encyclopedia:
"The Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C. 3541, et seq.) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002 (Pub.L. 107-347, 116 Stat. 2899). The act recognized the importance of information security to the economic and national security interests of the United States. [1] The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. [1] FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a "risk-based policy for cost-effective security." [1] FISMA requires agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget (OMB). FISMA assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) in order to strengthen information system security. In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. [2]"
Why FISMA at Northwestern? Required by some Federal agencies (e.g., NIH) as a prerequisite or stipulation of grant awards. This requirement is becoming more commonplace.
FISMA Required Standards & Guidelines
- FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, April 2004, 13 pages
  o Required to determine system category
- FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, 17 pages
  o Required to derive impact from system category
- NIST 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013, 457 pages
  o Baseline security controls guidance applied to the subject system's category and impact
- NIST 800-53A Revision 1, Guide for Assessing the Security Controls in Federal Systems and Organizations, June 2010, 399 pages (outdated as of April 2013)
  o Guide for building effective security assessment plans
FISMA Categorization & Impact
FISMA Life Cycle:
1. Categorize
2. Analyze Impact
3. Determine & Apply Minimum Security Standards
4. Assess Risk & Gaps
5. Remediate
6. Re-assess
7. Certify
FISMA Controls Baseline: NIST (FISMA) / HIPAA / HITRUST Crosswalk

NIST Control Specification | HIPAA Security Standard | HITRUST CSF Direct Control Categories | NIST Baseline Controls: Low | Medium | High
-------------------------- | ----------------------- | ------------------------------------- | --- | --- | ---
Program Management | Security Management Process; Assigned Security Responsibility | 0,2,3,5,6,7,9,11 | 16 | 16 | 16
Access Control | Workforce Security; Information Access Management; Access Control; Person or Entity Authentication | 1,2,5,6,8,9,10,12 | 11 | 35 | 42
Awareness & Training | Security Awareness & Training | 1,2,5,6,9,11 | 4 | 5 | 5
Audit & Accountability | Audit Controls; Integrity | 6,9 | 10 | 18 | 28
Security Assessment & Authorization | Evaluation | 0,3,5,6 | 7 | 10 | 12
Configuration Management | Evaluation | 0,3,5,6 | 8 | 21 | 31
Contingency Planning | Contingency Plan | 2,7,9,12 | 6 | 22 | 35
Identification & Authentication | Person or Entity Authentication | 1 | 15 | 22 | 24
Incident Response | Security Incident Procedures | 2,11 | 7 | 12 | 16
Maintenance | Evaluation | 0,3,5,6 | 4 | 6 | 7
Media Protection | Device & Media Controls | 2,7,8,9,12 | 4 | 9 | 12
Physical & Environmental Protection | Facility Access Controls; Workstation Use; Workstation Security | 1,2,5,7,8,9,12 | 10 | 18 | 26
Planning | Security Management Process; Assigned Security Responsibility | 0,2,3,5,6,7,9,11 | 3 | 6 | 6
Personnel Security | Workforce Security | 1,2,5,8,9 | 8 | 8 | 9
Risk Assessment | Evaluation | 0,3,5,6 | 4 | 7 | 8
System & Services Acquisition | Business Associate Contracts | 2,5,9 | 7 | 14 | 18
System & Communications Protection | Transmission Security | 6,9,10 | 10 | 24 | 30
System & Information Integrity | Security Management Process; Integrity; Security Awareness & Training | 0,1,2,3,5,6,7,9,11 | 6 | 21 | 26
Totals | 135 Control Specifications | | 140 | 274 | 351

Controls Baselines
- NIST (FISMA) and HITRUST are overarching of HIPAA
- Small percentage of available supplemental controls
- NIST (FISMA) controls are guidelines, but driven by ATO contracts
- Extensive breadth & depth
- Multi-purpose benefit
- Broad compliance posture
- Risk and self-assessment baselines drive measurable improvement
- Drives down ePHI risks
- Drives up grant intake opportunities
FISMA General Recommendations
- Institutionalize FISMA capabilities: implement a FISMA service delivery model
  o Integral to FSM academic and technology processes
  o With HITRUST as the foundation of IT compliance and policy
  o Competitive advantage
  o Internal and possibly external service model with revenue and ROI
- FISMA is an overarching approach while HIPAA security improvements run in parallel
  o Risk assessment approaches address HIPAA and FISMA requirements
  o Department self (risk) assessments become integral to the process
  o Integrates academic and clinical considerations
  o Broad approach maximizes compliance coverage
- Develop initial policies addressing entry-level requirements and synchronize with HIPAA and HITRUST requirements
- Document the Security Plan and risk assessment process
- Complete baseline gap analysis and propose remediation efforts
FISMA Current Commitments
- National Children's Study Information Management Hub, in use by 15 study centers across the country. In production (Warren).
- National Children's Study South Regional Operations Center, overseeing 10 study centers across the country (a different 10 centers than the Hub). Institute for Healthcare Studies. In operation.
- National Children's Study Adaptive Test Design, part of the National Children's Study Health Measurement Network. Medical Social Sciences. Planned to go live by January 2014.
- Cancer Prevention Agent Development Program: Early Phase Clinical Research. Creating a FISMA version of the RHLCCC NOTIS clinical trials management system. Lurie Cancer Center. Go live July 2013.
FISMA Critical Success Factors
- Managed technology environments are basic prerequisites to FISMA (and HIPAA) baseline requirements
- Documented FISMA policies and risk assessment procedures
- Department ability to define baseline control requirements
- Viable risk measurement tool
- Acceptance and adoption of FISMA requirements
- FSM-wide service delivery model with sufficient resources to meet projected capacity
Clinical Partners Integration: NUCATS 2.0 Leadership Structure
(Diagram: Clinical Partners Information Security Integrated Leadership Group, connected to Partner Governance, Sponsorship, Accountability, Collaboration, Best Practices and Service Management)
Objectives (Charter)
- Unify information security principles
- Integrate security for cross-partner clinical research activities
- Contribute to grant award applications
- Resolve complex security issues
- Proactively address emerging threats and security technology evolution
- Process improvement
Clinical Partners Integration
Align information security strategy with clinical partners: Northwestern University Feinberg School of Medicine, NUCATS, Northwestern Medicine, Lurie Children's Hospital, Rehabilitation Institute of Chicago, NM EDW
- Establish a Leadership Group comprised of partner representation
- Proactive collaboration and exchange of strategy-formulating information
- Active participant in NUCATS Organization and Governance
- Accountable to the NUCATS Steering Committee
Leadership Group Charter
- Establish unified information security principles and federated policies to support collaborative initiatives
- Define and support an information security integration strategy for cross-partner clinical research activities (e.g., CTSA, FISMA)
- Contributing author of information security material for grant award applications
- Evaluate and propose common resolutions to complex security issues
- Proactively evaluate emerging threats and security technology evolution
Clinical Partners Integration: Leadership Group
Partners: Northwestern University Feinberg School of Medicine, NUCATS, Northwestern Medicine, Lurie Children's Hospital, Rehabilitation Institute of Chicago, NM EDW
Anticipated outcomes
- Unified information security principles (e.g., federated policy structure)
- Information security integration strategy for cross-partner clinical research activities
- Structured information security material for grant award applications
- Leverage best practices and experience to resolve complex security issues
- Ongoing educational forum which discusses risks, threats, technology evolution
- Proactively evaluate emerging threats and security technology evolution
"May I steal your data please?"
Security responsibilities: portable devices
- Use only encrypted memory sticks and portable devices
- Keep your computer and antivirus software up to date
- Never store PHI or PII on portable devices unless encrypted
- Never share memory sticks
- Reportable breaches can occur
"As USB drives become cheaper and information is distributed freely, the possibility of Trojans and other malware increases." http://www.itbusinessedge.com/slideshows/show.aspx?c=87289
"I am free and easy"
Security responsibilities: cloud computing
- Unparalleled technological and educational advancement opportunity
- Equally unparalleled security risks
- Understand the risks before putting your own personal data (e.g. tax data) into the cloud
- Keep PHI and PII off cloud computing platforms unless there is an NU-approved legal contract
- Reportable breaches can occur
"The incredible cost savings and flexibility cloud computing affords also opens up a superhighway for cybercrime. As cloud use increases, so, too, will the number of opportunities for data infection or theft." http://www.itbusinessedge.com/slideshows/show.aspx?c=87289
"I just stole your data": The Insider Threat
Security responsibilities: the insider
- "This is the way we've always done it"
- "I didn't know"
- "I couldn't wait; security takes time"
- "I care about my personal data, but why should I care about that belonging to others?"
Lack of separation of responsibilities, management oversight and consequences of actions, excess access, mistakes, lack of training, non-compliance with policies and procedures, under-utilization of existing security technology, laziness, convenience and covert activities increase data risks to the University. http://www.itbusinessedge.com/slideshows/show.aspx?c=87289
"May I steal your data please?"
Security responsibilities
Who is responsible for data security?
Everyone is. We are. You are.