Email is not secure

Presentation transcript:

Email is not secure.

Gary Scott, Senior Business Systems Developer, Administrative & Residential Information Technology
I’m Gary Scott, a senior business systems developer in ARIT. I’ve been at UCSB for over 4 years, but my real claim to fame is 13 years at Santa Barbara Bank & Trust. There I worked in software development and information security. Banks have to be secure, by law. I’ve learned a thing or two during my time there.

The Cloud This is the cloud in all its awesome glory.

The Cloud But really it is a dark and gloomy place.

Full of lions and bears. Surprisingly... no tigers.

Here is the cloud again. I’m going to walk you through how many web apps operate, including several here at UCSB. The customer is up there on the left and our servers are down there on the right. A big dark cloud in between.

Customers want to communicate with us through this dark, scary cloud.

But we can use encryption to keep that conversation safe!
They send us private information and no one can see it. We protect their privacy.

The web app stores that private information but then creates an email with that same information.

Then sends it to the customer.

In the clear as plain text.

For any big-eyed dude in the cloud to see.

Those dudes could be gangstas.
We don’t know what nefarious purpose these folks have for that data. Probably identity theft, maybe social engineering. Anyways, they should not have it! So all the data we protected by the secured web connection was just compromised by sending it back out in an unencrypted email. Why did we even bother putting encryption on the site in the first place? Well, at least we protected their password, so we have that going for us.

University of California, Office of the President, Office of Ethics, Compliance and Audit Services has a page, “Privacy principles & practices at UC”, at this URL: http://www.ucop.edu/ethics-compliance-audit-services/compliance/privacy/
The UCOP Office of Ethics, Compliance, and Audit Services web page titled “Privacy principles and practices at UC” contains the following.

RULES OF CONDUCT FOR UNIVERSITY EMPLOYEES INVOLVED WITH INFORMATION REGARDING INDIVIDUALS
A. Employees responsible for the collection, maintenance, use, and dissemination of information about individuals which relates to their personal life, including their employment and medical history, financial transactions, marital status and dependents, shall comply with the provisions of the State of California Information Practices Act.
B. Employees shall not require individuals to disclose personal or confidential information about themselves which is not necessary and relevant to the purposes of the University or to the particular function for which the employee is responsible.
C. Employees shall make every reasonable effort to see that inquiries and requests by individuals for their personal or confidential records are responded to quickly, courteously, and without requiring the requester to repeat the inquiry to others unnecessarily.
D. Employees shall assist individuals who seek information pertaining to themselves in making their inquiries sufficiently specific and descriptive so as to facilitate locating the records.
E. Employees shall not disclose personal or confidential information relating to individuals to unauthorized persons or entities. The intentional disclosure of such information to such persons or agencies may be cause for disciplinary action.
F. Employees shall not seek out or use personal or confidential information relating to others for their own interest or advantage. The intentional violation of this rule may be cause for disciplinary action.
G. Employees responsible for the maintenance of personal and confidential records shall take all necessary precautions to assure that proper administrative, technical, and physical safeguards are established and followed in order to protect the confidentiality of records containing personal or confidential information.
Rules of conduct for university employees involved with information regarding individuals.
There are three sections I want to point out to you.

A. Employees responsible for the collection, maintenance, use, and dissemination of information about individuals which relates to their personal life, including their employment and medical history, financial transactions, marital status and dependents, shall comply with the provisions of the State of California Information Practices Act.
Reference (State of California Information Practices Act): https://leginfo.legislature.ca.gov/faces/codes_displayexpandedbranch.xhtml?tocCode=CIV&division=3.&title=1.8.&part=4.&chapter=1.
Section A lists out some types of data. There is the reference to the law; I looked it up.

E. Employees shall not disclose personal or confidential information relating to individuals to unauthorized persons or entities. The intentional disclosure of such information to such persons or agencies may be cause for disciplinary action.
Section E. We know that email is sent in the clear, or at least you know now. We don’t know who is intercepting that email. I say sending an email with personal information is intentional disclosure.

G. Employees responsible for the maintenance of personal and confidential records shall take all necessary precautions to assure that proper administrative, technical, and physical safeguards are established and followed in order to protect the confidentiality of records containing personal or confidential information.
Section G speaks to me as an IT professional. I don’t want to take business requirements that say to send personal info in an email.

What can you do?
1. Review each system that sends email.
2. Identify the systems that send personal information.
3. Craft generic confirmation emails: “Thank you for submitting XYZ”.
4. Update those systems to send the new email copy.
Action items!
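As an added illustration of steps 2 through 4 (this is example code, not from the talk or any UCSB system), here is a confirmation email that echoes the submitted form back to the customer, the generic replacement that only acknowledges receipt, and an outbound check that flags any personal value or SSN-shaped string that made it into the message. The submission fields, the portal URL and the list of personal fields are all constructed assumptions.

```python
import re

# Constructed sample: a form the customer posted to us over HTTPS.
SUBMISSION = {
    "form": "Housing application",
    "name": "A. Student",
    "ssn": "123-45-6789",
    "dob": "1999-01-02",
    "bank_account": "000123456789",
    "email": "student@example.edu",
}

# Fields this application treats as personal/confidential (assumed list).
PERSONAL_FIELDS = {"ssn", "dob", "bank_account"}

# Anything that looks like a US SSN, regardless of which field it came from.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def leaky_confirmation(sub):
    """'Before': the email body repeats everything the customer entered,
    so the data protected by TLS on the way in goes back out in the clear."""
    lines = [f"{k}: {v}" for k, v in sub.items() if k != "email"]
    body = "Thank you for your submission. You entered:\n" + "\n".join(lines)
    return {"to": sub["email"], "subject": f"{sub['form']} received", "body": body}


def generic_confirmation(sub, portal_url="https://portal.example.edu/"):
    """'After': a generic receipt; the details stay behind the authenticated
    site instead of travelling in the email. portal_url is a placeholder."""
    body = (f"Thank you for submitting your {sub['form']}.\n"
            f"You can review what you submitted after signing in at {portal_url}")
    return {"to": sub["email"], "subject": f"{sub['form']} received", "body": body}


def leaked_fields(message, sub):
    """Outbound check for step 2: return the personal fields whose values
    (or any SSN-shaped string) appear in the subject or body."""
    text = message["subject"] + "\n" + message["body"]
    leaks = {k for k in PERSONAL_FIELDS if k in sub and str(sub[k]) in text}
    if SSN_RE.search(text):
        leaks.add("ssn")
    return sorted(leaks)


if __name__ == "__main__":
    print("leaky:  ", leaked_fields(leaky_confirmation(SUBMISSION), SUBMISSION))
    print("generic:", leaked_fields(generic_confirmation(SUBMISSION), SUBMISSION))
```

Running `leaked_fields` against every outgoing template during the review in step 1 gives a repeatable way to find the systems that still echo personal data.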

B. Employees shall not require individuals to disclose personal or confidential information about themselves which is not necessary and relevant to the purposes of the University or to the particular function for which the employee is responsible.
I also want to point out section B. Think about the information you ask for. Don’t collect it if you don’t need it. If we don't have it, we can't lose it.

Thank You
There is no cloud. It’s just someone else’s computer. Thank you!