Data Security and Encryption

Data Security and Encryption
Plamen Martinov, Chief Information Security Officer, BSD

Agenda
- Who is hacking us and why
- "Top 10 List" of Good Computing Security Practices
- How to: set up 2-Factor Authentication (2FA), set a good password, encrypt sensitive information

Who is Hacking Us and Why: Healthcare mega-breaches
- 2013: 800,000,000+ records breached, with no signs of decreasing in the future
- 2014: 1,000,000,000 records breached, while CISOs cite increasing risks from external threats
- 2015-16: Healthcare mega-breaches set the trend for high-value targets of sensitive information
Price for sensitive data on the black market, per record:
- $1 for credit card numbers
- $10 for Social Security numbers
- $50 for partial health credentials
- $300 for patient health information
Source: IBM X-Force Threat Intelligence Report - 2016

Who is Hacking Us and Why
- Cyber criminals: broad-based and targeted; financially motivated; getting more sophisticated
- Hacktivists: targeted and destructive; unpredictable motivations; generally less sophisticated
- Nation states: targeted and multi-stage; motivated by data collection; highly sophisticated with endless resources
- Insiders: targeted and destructive; unpredictable motivations; sophistication varies

"Top 10 List" of Good Computing Security Practices to Protect Computers and Data
1. Choose good passwords and keep them secure.
2. Sign up for and use 2-Factor Authentication.
3. Encrypt all ePHI or PII stored on portable devices (e.g. laptops, USB drives, etc.).
4. Password-protect your computer and portable devices.
5. Do not respond to anyone asking you for your password.
6. Keep your operating system patched and up-to-date.
7. Install anti-virus software and keep it up-to-date.
8. Turn on your computer firewall.
9. Back up your data to a secure location.
10. Securely delete ePHI and PII when it is no longer needed.

Set Up Two-Factor Authentication (2FA)
What is Two-Factor Authentication (2FA)? When a user logs into an account, that account uses one or more authentication factors to verify the identity of an authorized user.
BSD and UChicago 2FA available for employees:
- UChicago: secures your CNet account for cVPN and other secured applications. Sign up at https://2fa.uchicago.edu
- BSD: secures your BSDAD account for BSD VPN and other secured applications. Sign up at https://2fa.bsd.uchicago.edu/
- FAQ sheet is on the BSD ISO website at http://security.bsd.uchicago.edu/bsd2fa/
You are required to enroll in 2FA. Applications you can't access without 2FA: Workday, UChicagoBox, VPN.

Set a Good Password
Creating a good password:
- Combine 2 unrelated words -> Mail + phone = m@!lf0n3
- A good password has at least 12 characters = m@!lf0n-2015
- Use a password or passphrase manager, such as LastPass, to help manage multiple passwords/passphrases
The table below shows how fast your password can be guessed by a hacker:
Pattern | Calculation | Result | Time to Guess
8 chars: lower case alpha | 26^8 | 2x10^11 | < 1 second
8 chars: alphanumeric | 62^8 | 2x10^14 | 3.4 min
8 chars: all keyboard | 95^8 | 7x10^15 | 2 hours
12 chars: alphanumeric | 62^12 | 3x10^21 | 96 years
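The table above comes from one formula: the number of candidates an attacker has to try is alphabet_size^length, and the time to try them all is that count divided by the guess rate. The following script is an added example, not part of the original presentation; it rebuilds the slide's four rows from that formula and generalizes it to any password by inferring which character classes the password uses. The guess rate of 10^12 per second is an assumption chosen so that the results land in the same order of magnitude as the slide (real rates depend on the hashing scheme and the attacker's hardware), so the times differ slightly from the slide's rounded values.

```python
import string

# Assumed attacker guess rate. This is an assumption of this example, chosen so the
# results fall in the same order of magnitude as the slide's table; real rates depend
# on how the password is hashed and on the attacker's hardware.
GUESSES_PER_SECOND = 10 ** 12

# Character classes a password may draw from; 26 + 26 + 10 + 33 = 95 printable keys.
CHAR_CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digits": frozenset(string.digits),
    "symbols": frozenset(string.punctuation + " "),
}

# The four patterns from the slide: (label, alphabet size, length).
SLIDE_PATTERNS = [
    ("8 chars: lower case alpha", 26, 8),
    ("8 chars: alphanumeric", 62, 8),
    ("8 chars: all keyboard", 95, 8),
    ("12 chars: alphanumeric", 62, 12),
]


def keyspace(alphabet: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols drawn from `alphabet` symbols."""
    return alphabet ** length


def seconds_to_exhaust(alphabet: int, length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time, in seconds, to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet, length) / rate


def human_time(seconds: float) -> str:
    """Render a duration the way the slide does (years, days, hours, minutes or seconds)."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.2f} seconds"


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must cover: the union of every character class the password uses."""
    return sum(len(chars) for chars in CHAR_CLASSES.values()
               if any(c in chars for c in password))


def estimate(password: str) -> dict:
    """Estimate for a concrete password (only ever pass throwaway or example passwords here)."""
    alphabet = alphabet_size(password)
    secs = seconds_to_exhaust(alphabet, len(password))
    return {"length": len(password), "alphabet": alphabet,
            "keyspace": keyspace(alphabet, len(password)),
            "seconds": secs, "time": human_time(secs)}


def slide_table() -> list:
    """Rebuild the slide's table rows from alphabet^length and the assumed guess rate."""
    rows = []
    for label, alphabet, length in SLIDE_PATTERNS:
        secs = seconds_to_exhaust(alphabet, length)
        rows.append({"pattern": label, "calculation": f"{alphabet}^{length}",
                     "keyspace": keyspace(alphabet, length), "time": human_time(secs)})
    return rows


if __name__ == "__main__":
    for row in slide_table():
        print(f"{row['pattern']:<28} {row['calculation']:>6} {row['keyspace']:.0e} {row['time']}")
    # The slide's own example passwords: both use lower case, digits and symbols (69 symbols).
    for pw in ("m@!lf0n3", "m@!lf0n-2015"):
        print(pw, estimate(pw))
```

The lesson the numbers teach is the one the slide draws: adding four characters to an alphanumeric password multiplies the work by 62^4 (about 15 million), which is far more than switching an 8-character password from letters to the full keyboard does.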

Encryption vs. Passwords
Having a password does not necessarily mean something is encrypted. Passwords by themselves do not scramble the information. If something is only "password protected," it is not enough protection: someone could bypass the password and read the information.
[Figure: the same document shown as Original, Password Protected, and Encrypted]
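The distinction above is easiest to see on the bytes themselves. The script below is an added example, not code from the presentation: it stores the same constructed sample record two ways. In the "password protected" version a password check is placed in front of the data, but the data is written exactly as it was, so anyone who copies the raw bytes can read the record without ever answering the check. In the encrypted version the data is transformed under a key derived from the password, so the raw bytes contain no trace of the record and a wrong password yields nothing. The key derivation uses the standard library's PBKDF2-HMAC-SHA256; the keystream cipher is a dependency-free demonstration construction assumed for this example and is not the XTS-AES that FileVault or BitLocker use.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample record for the demonstration (not real patient data).
RECORD = b"MRN 0000123; Patient: Test Patient; Result: negative"

PBKDF2_ROUNDS = 50_000


def _derive_key(password: str, salt: bytes) -> bytes:
    """Stretch the password into a 32-byte key with PBKDF2-HMAC-SHA256 (standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# --- "Password protected": a check sits in front of the data; the data itself is untouched.

def protect_with_password(data: bytes, password: str) -> bytes:
    salt = os.urandom(16)
    return salt + _derive_key(password, salt) + data   # plaintext is stored as-is


def open_with_password(blob: bytes, password: str) -> bytes:
    salt, check, data = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(_derive_key(password, salt), check):
        raise PermissionError("wrong password")
    return data


def skip_the_check(blob: bytes) -> bytes:
    """The gate only protects the application; the bytes on disk still carry the data."""
    return blob[48:]


# --- Encrypted: the data is transformed under a key derived from the password.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Demonstration keystream (HMAC-SHA256 in counter mode), an assumption of this example
    # used only to stay dependency-free. It is not the XTS-AES used by FileVault/BitLocker;
    # production code should use a vetted library's authenticated cipher.
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(data: bytes, password: str) -> bytes:
    salt, nonce = os.urandom(16), os.urandom(16)
    key = _derive_key(password, salt)
    enc_key, mac_key = key[:16], key[16:]
    ciphertext = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # integrity tag
    return salt + nonce + tag + ciphertext


def decrypt(blob: bytes, password: str) -> bytes:
    salt, nonce, tag, ciphertext = blob[:16], blob[16:32], blob[32:64], blob[64:]
    key = _derive_key(password, salt)
    enc_key, mac_key = key[:16], key[16:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password or tampered data")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def bytes_reveal(blob: bytes, secret: bytes) -> bool:
    """Would someone holding only the raw bytes see the secret without any password?"""
    return secret in blob


def wrong_password_rejected(blob: bytes, password: str) -> bool:
    """True when decrypting with `password` fails the integrity check instead of returning data."""
    try:
        decrypt(blob, password)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    gated = protect_with_password(RECORD, "m@!lf0n-2015")
    sealed = encrypt(RECORD, "m@!lf0n-2015")
    print("password-protected bytes reveal record:", bytes_reveal(gated, RECORD))
    print("encrypted bytes reveal record:         ", bytes_reveal(sealed, RECORD))
    print("wrong password on encrypted copy rejected:", wrong_password_rejected(sealed, "wrong"))
```

Note that the "password protected" container uses exactly the same PBKDF2 check as the encrypted one; the difference is not the strength of the password check but whether the data on disk depends on the key at all. That is why a lost laptop with a login password but no disk encryption is treated as an unencrypted device in the incident table that follows.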

Encrypt Any Restricted and/or Sensitive Information Stored on Portable Devices
Restricted / Confidential:
- ePHI, or electronic Protected Health Information (Personal + Health): names, medical record numbers, reports, test results, appointment dates, etc.
- PII, or Personally Identifiable Information: name, SSN, driver's license number, etc.
- Clinical research data
- Privileged & confidential information (legal)
Sensitive / Internal Use Only:
- Policies and procedures
- IT schematics, diagrams, configuration documents
- Contracts not subject to confidentiality agreements
Public:
- Content approved for posting to the web
- Directory information listed on a public website
When the classification is not clearly defined, default to Sensitive unless defined in writing by your supervisor.

Encryption saves the University both time and money
The table below shows the time and costs for handling security incidents for lost and stolen devices.
| Encrypted device with ePHI/PII | Unencrypted device with ePHI/PII | Unencrypted device without ePHI/PII
Incident description | User's computer stolen from his/her car. Device had ~400 patient records. | User forgot laptop in cab. Device had ~400 patient records. | User left tablet on plane. Device had no patient health information.
Investigation time (combined hours for incident response team: legal, HR, IT, security, etc.) | 1 hour | 50 hours | 35 hours
Security forensics costs | $0 | $2,000 | $800
Reputation damage costs | Priceless

Encrypt Portable Devices to Protect Sensitive Information (cont'd)
Type: Apple. Encryption solution: FileVault 2.
- Cost/Impact: Encrypts the contents of your entire drive. Solution works for personally-owned and BSD-owned laptops. Strong AES-128 based encryption. Can store the recovery key with Apple; well-documented install guide.
- How: Choose Apple menu > System Preferences, then click Security & Privacy. Click the FileVault tab. Click the Lock button, then enter an administrator name and password. Click Turn On FileVault.
Type: Windows. Encryption solution: BitLocker.
- Cost/Impact: Strong encryption for data protection. Some hardware and software dependencies.
- How: Click Start, click Control Panel, click Security, and then click BitLocker Drive Encryption. On the BitLocker Drive Encryption page, click Turn On BitLocker on the operating system volume. If your TPM is not initialized, you will see the Initialize TPM Security Hardware wizard; follow the directions to initialize the TPM and restart your computer. On the recovery password page, select one of the following recovery options: save the password to a USB flash drive; save the password to a network drive or other location; print the password.

Encrypt Portable Devices to Protect Sensitive Information (cont'd)
Type: External storage. Encryption solution: Apricorn Aegis USB.
- Use/Features: Secures the transport of data, documents, and presentations. Strong, 256-bit AES hardware-based encryption; unlocks with an onboard PIN pad; PIN-activated, 7-15 digits, alphanumeric keypad.
- How: Purchase through University procurement or on your own from Amazon, Staples or any other major IT equipment provider.
Type: Apple phone/tablet. Encryption solution: iOS.
- Use/Features: Works for personally-owned and BSD-owned devices. Native security feature, enabled by default with the use of a passcode; vendor-supported. Strong, 256-bit AES hardware-based encryption. Can store the recovery key with Apple.
- How: Set a passcode on the phone. Scroll down to the bottom of the Passcode settings page. You should see a message that says "Data protection enabled." This means that the device's encryption is now tied to your passcode.
Type: Android phone/tablet. Encryption solution: Android.
- Use/Features: Easy setup, but not enabled by default. Well-documented install guide.
- How: Your device's battery must be at least 80% charged or encryption won't start. Your device must be plugged in throughout the entire process. Unroot the phone if it is rooted before continuing. Follow your manufacturer's steps to complete the encryption.

Summary
Everyone has a part in safeguarding Protected Information. Good Computing Security Practices follow the "90/10" Rule: 10% of security safeguards are technical; 90% of security safeguards rely on the computer user ("YOU") to adhere to good computing practices.
How you can help:
- Encrypt your portable devices and any sensitive information.
- Sign up for 2-Factor Authentication.
- Follow good security hygiene practices, i.e. the "Top 10 List" of Good Computing Security Practices.
- Report security incidents, including lost/stolen devices, to the BSD Information Security teams.
How to reach us:
- Web site: http://security.bsd.uchicago.edu
- BSD ISO Team email: security@bsd.uchicago.edu
- UCM ISO Team email: security@uchospitals.edu
- Plamen Martinov, (773) 834-1714, pmartinov@bsd.uchicago.edu