Security Computing Practices Plamen Martinov Chief Information Security Officer

Agenda Introduction to Computer Security “Top 10 List” of Good Computing Security Practices How to: – Create a good password – Encrypt sensitive information – Protect your operating system 2

What is Computer Security and why is it important? Computer Security allows the University to carry out its mission by: Enabling staff and students to carry out their jobs, education, and research Protecting personal and sensitive information Supporting critical business processes Computer Security is the protection of computing systems and the data that users store or access. 3

4 Good Computing Security Practices follow the “90 / 10”Rule: 10% of security safeguards are technical 90% of security safeguards rely on the computer user (“YOU”) to adhere to good computing practices Example: The lock on the door is the 10%. You remembering to lock the door, checking to see if it’s closed, ensuring others do not open the door, and keeping control of the key is the 90%. Why do you need to learn about Computer Security?

Ignoring Computer Security leads to security breaches and regulatory fines In 2014 more than 1,500 data breaches occurred nationwide, compromising 1 billion personal records. The Office for Civil Rights has been levying HIPAA fines: Nine settlements since June 1, 2013 have totaled more than $10 million. Examples: – $1,725,220 against Concentra Health Services for an unencrypted laptop that had been stolen from one of its facilities. – $250,000 against QCA Health Plan, Inc. after an unencrypted laptop containing personal health information was stolen from an employee's car. 5

"Top 10 List" of Good Computing Security Practices everyone can take to protect computers and data. 1.Password protect your computer and portable devices. 2.Choose good passwords and keep them secret and secure 3.Encrypt any ePHI or PII stored on portable devices or media 4.Keep your operating system patched and up-to-date 5.Install anti-virus and keep it up-to-date 6.Turn on your computer firewall 7.Lock up your devices or take them with you 8.Do not respond to anyone asking you for your password 9.Securely delete ePHI and PII when it is no longer needed 10.Back up critical information 6

Password protect your computer and portable devices Creating a good password Combine 2 unrelated words -> Mail + phone = A good password has at least 12 characters = Use a password or passphrase manager, such as LastPass to help manage multiple passwords/passphrases LastPass is free for students and can be downloaded from LastPass.com. The table below shows how fast your password can be guessed by a hacker: PatternCalculationResultTime to Guess 8 chars: lower case alpha26 8 2x10 11 < 1 second 8 chars: alphanumeric62 8 2x min 8 chars: all keyboard95 8 7x hours 12 chars: alphanumeric x years 7

ePHI = Electronic Protected Health Information (Personal + Health) – Medical record number and/or account number with SSN – Patient demographic data (e.g. address, date of birth, date of death, sex, , etc.) – Dates of service (e.g. date of admission, discharge, etc.) – Medical records, reports, test results, or appointment dates PII = Personally Identified Information (Personal only) – Individual’s name, SSN, driver’s license number, or credit card account numbers – Health insurance policy number, subscriber ID, application or claims Encrypt any ePHI and PII stored on portable devices or media 8

Encryption vs. Passwords Having a password does not necessarily mean something is encrypted. –Passwords by themselves do not scramble the information. If something is only “password protected,” it is not enough protection - someone could bypass the password and read the information. Original Password Protected Encrypted 9

The table below shows the time and costs for handling security incidents for lost and stolen devices. 10 Encrypted Device with ePHI/PII Unencrypted Device with ePHI/PII Unencrypted Device without ePHI/PII Incident DescriptionUser’s computer stolen from his/her car. Device had ~400 patient records. User forgot laptop in cab. Device had ~400 patient records. User left tablet on plane. Device had no patient health information. Investigation time (combined hours for incident response team – legal, HR, IT, security, etc.) 1 Hour50 hours35 hours Security Forensics Costs$ 0$ 2,000$ 800 Reputation Damage Costs$ 0Priceless$ 0 Encryption saves the University both time and money

Encryption Solutions TypeEncryption SolutionsCost/ImpactPurpose AppleFilevault 2 Free ; native security feature; easy setup; vendor-supported; AES 128 encryption for data protection; can store recover key with Apple; well- documented install guide. Encrypt the contents of your entire drive. Solution will work for personally-owned and BSD-owned laptops. WindowsBitLocker* Free ; native security feature; AES 128-bit and 256-bit; some hardware dependencies. Encrypt the contents of your entire drive. Solution will work for personally-owned and BSD-owned laptops. * To use BitLocker, your laptop must be equipped with a Trusted Platform Module (TPM) chip, and it must be enabled. 11

Encryption Solutions (Cont’d) TypeEncryption SolutionsCost/ImpactPurpose Files/ Volumes AxCrypt Free; has native versions for both Windows and Apple; uses strong compliant encryption. Creates secure disk images and files for data sharing via , cd or cloud External Storage Aegis Secure USB Key $65; unlocks with onboard PIN pad; 256-bit AES hardware-based encryption; PIN activated 7-15 digits -Alphanumeric keypad. Secures the transport of data, documents, and presentations Apple Phone/ Tablet IOS Free; native security feature, enabled by default with the use of passcode; vendor-supported; AES 128 encryption; can store recover key with Apple; well-documented install guide. Encrypts the content of the device; solution will work for personally- owned and BSD-owned devices. Android Phone/ Tablet Android Free; native security feature; easy setup; vendor-supported; AES 128 encryption; well-documented install guide. Encrypts the content of the device; solution will work for personally- owned and BSD-owned devices. 12

A firewall acts as a wall between your computer/private network and the internet. A firewall prevents hackers from entering your computer through the internet. Turn on your firewall 1.Open System Preferences. 2.Click the Security or Security & Privacy icon. 3.Select the Firewall tab. 4.Click the lock icon, then enter an administrator name and password. 5.Click the Firewall Options button. 1.Open Windows Firewall by clicking the Start button, and then clicking Control Panel. 2.In the left pane, click Turn Windows Firewall on. 3.Click Turn on Windows Firewall under each network location, and then click OK. 13 HOW TO

Vendors regularly issues patches or updates to solve security problems in their software. Computers can be set up to automatically download and install updates. When they are not applied, it leaves your computer vulnerable to hackers. Keeping your operating system patched and up-to-date 1.Open Windows Update. 2.Tap or click Choose how updates get installed. 3.Under Important updates, choose install updates every day. 4.Under Recommended updates, select the Give me recommended updates the same way I receive important updates check box. 1.Choose System Preferences from the Apple menu. 2.Click App Store. 3.Select Automatically check for updates. 14 HOW TO

Resources & References BSD Information Security Office – BSD HIPAA Program Office – Apple Encryption – FileVault 2 – Windows Encryption - BitLocker – encryption-overview encryption-overview Files/Volumes Encryption – AxCrypt – External Storage Encryption – Aegis Secure Storage –