Data Security at Duke DECEMBER 2015

What happened: “At this time, we have no indication that research data or personal data managed by Harvard systems (e.g. social security numbers) have been exposed. … It is possible that Harvard login credentials (computer and passwords, including Office 365) stored on the compromised FAS and Central Administration networks have been exposed.” – Harvard IT Security Impact: Faculty, staff and students affiliated with the eight affected organizations asked to change their passwords and update access across all devices synced to Harvard accounts. Harvard University Breach reported June 2015 Number of records: unknown

What happened: Penn State was notified in late 2014 of what turned out to be at least 2 cyberattacks carried out by a "threat actor" based in China and using a targeted attack utilizing malware designed to avoid detection to attack several large College of Engineering systems. Impact: College of Engineering's computer network taken offline while systems restored. Passwords were reset for all students, faculty and staff. Breach reported May 2015 Number of records: unknown

What happened: An unencrypted thumb drive containing patient information was stolen from a DUHS administrative office in July The thumb drive contained spreadsheets with patients' names, medical record numbers, physicians' names and some Duke University Hospital locations visited. The spreadsheets did not contain Social Security numbers or clinical and financial information. Impact: The breach resulted in an notifications being sent to affected individuals and an internal investigation. New security controls are being implemented to enforce the internal requirement for encryption of flash drives. Breach reported September 2014 Number of records: unknown

Data breaches Higher Ed All Sensitive data is a target!

Duke’s data security policy  Developed with data stewards across campus over past two years  Includes data classification, responsibility for data and reporting of potential security issues  Published November 2015 (along with FAQ): security.duke.edu -> Policies & Procedures  Applies to all Duke data, including data located on Duke-managed systems or on personally owned devices, in or stored in a cloud service such as Box

You are responsible for:  Accessing only that data which you are authorized to access  Protecting the data  Knowing the appropriate places to store the data  Reporting a breach or compromise of sensitive data

Data classification at Duke Sensitive (High) SSN Credit Card Numbers ePHI (HIPAA) HR data Financial data Contract data Donor data Prospective student data Restricted (Medium) NDA data Library transactions Data restricted to specific individuals or groups Not Public or Sensitive Public (Low) Public websites Campus maps Faculty/staff directory data Public research data

Extra protections needed Student data (FERPA) SSNs Credit card data HIPAA (ePHI) data DFARS

Special issues for research  Research data may go through all classifications during the cycle of research. While a study is in progress, the data may be classified as sensitive, but after the study is closed and the data shared according to NIH or NSF guidelines, it may be public.  Research budgets are always sensitive, but federally funded research proposal are often public (as they may be requested from the funding agency with a FOIA request).

Who’s who? Data steward Determines sensitivity of data, who can access and how it should be protected FERPA data -> Registrar Research project -> PI Data manager Typically an IT administrator responsible for securing data according to the data steward's directives Should have good working knowledge of how to securely manage systems and applications Data users Individuals who have been approved by the data steward to access the data Responsible for their access to the data, including account security

Questions about data stewardship? Duke Registrar (FERPA) Duke EVP (SSNs, DukeCard data) Duke E- Commerce (credit card data) Duke Finance (financial data) Human Resources (employee data)

Questions to consider Storing Sensitive data and SSNs? Sharing data with collaborators? What are my options for encryption? How do I report a security incident? Disposal of systems with Sensitive data?

Questions? security.duke.edu