1. Data Security and Encryption
Plamen Martinov
Chief Information Security Officer, BSD

2. Agenda Who is Hacking Us and Why
“Top 10 List” of Good Computing Security Practices
How to:
Setup 2-Factor Authentication (2FA)
Set a good password
Encrypt sensitive information

3. Healthcare mega-breaches
Who is Hacking Us and Why
2013
800,000,000+ records breached, with no signs of decreasing in the future
2014
1,000,000,000 records
breached, while CISOs cite increasing risks from external threats
Healthcare mega-breaches
set the trend for high value targets of sensitive information
Price for sensitive data on the black-market per record:
$1 for Credit Card Numbers
$10 for Social Security Numbers
$50 for Partial Heath Credentials
$300 for Patient Health Information
Source: IBM X-Force Threat Intelligence Report

4. Who is Hacking Us and Why
Cyber Criminals
Broad-based and targeted
Financially motivated
Getting more sophisticated
Hacktivists
Targeted and destructive
Unpredictable motivations
Generally less sophisticated
Nation States
Targeted and multi-stage
Motivated by data collection
Highly sophisticated with endless sources
Insiders
Targeted and destructive
Unpredictable motivations
Sophistication varies

5. "Top 10 List" of Good Computing Security Practices
to Protect Computers and Data.
Choose good passwords and keep them secure
Sign-up and use 2 Factor Authentication
Encrypt all ePHI or PII stored on portable devices (e.g. laptops, usb etc)
Password protect your computer and portable devices.
Do not respond to anyone asking you for your password
Keep your operating system patched and up-to-date
Install anti-virus and keep it up-to-date
Turn on your computer firewall
Back up your data to a secure location
Securely delete ePHI and PII when it is no longer needed

6. Setup Two-Factor Authentication (2FA)
What is Two-Factor Authentication (2FA)?
When a user logs into an account, that account uses one or more authentication factors in order to verify the identity of an authorized user.
BSD and UChicago 2FA available for employees:
UChicago:
Secures your CNet account for cVPN and other secured applications
Sign up at
BSD:
Secures your BSDAD account for BSD VPN and other secured applications
Sign up at
FAQ sheet is on the BSD ISO website at
You are required to enroll in 2FA.
Applications you can’t access without 2FA: Workday, UChicagoBox, VPN

7. Set a Good Password Creating a good password
Combine 2 unrelated words -> Mail + phone =
A good password has at least 12 characters =
Use a password or passphrase manager, such as LastPass to help manage multiple passwords/passphrases
The table below shows how fast your password can be guessed by a hacker:
Pattern
Calculation
Result
Time to Guess
8 chars: lower case alpha
268
2x1011
< 1 second
8 chars: alphanumeric
628
2x1014
3.4 min
8 chars: all keyboard
958
7x1015
2 hours
12 chars: alphanumeric
6212
3x1021
96 years

8. Encryption vs. Passwords
Having a password does not necessarily mean something is encrypted.
Passwords by themselves do not scramble the information.
If something is only “password protected,” it is not enough protection - someone could bypass the password and read the information.
Original
Password Protected
Encrypted

9. Encrypt Any Restricted and or Sensitive Information
Stored on Portable Devices
Restricted / Confidential
ePHI or electronic Protected Health Information (Personal + Health)
Names, Medical Record Numbers, reports, test results, or appointment dates etc.
PII or Personally Identified Information
Name, SSN, driver’s license number etc.
Clinical Research Data
Privileged & Confidential Information (legal)
Sensitive / Internal Use Only
Policies and Procedures
IT schematics, diagrams, configuration documents
Contracts not subject to confidentiality agreements
Public
Content approved for posting to the web
Directory Information listed on a public website
When the classification is not clearly defined, default to Sensitive unless defined in writing by your supervisor.

10. Encryption saves the University both time and money
The table below shows the time and costs for handling security incidents for lost and stolen devices.
Encrypted Device with ePHI/PII
Unencrypted Device with ePHI/PII
Unencrypted Device without ePHI/PII
Incident Description
User’s computer stolen from his/her car. Device had ~400 patient records.
User forgot laptop in cab. Device had ~400 patient records.
User left tablet on plane. Device had no patient health information.
Investigation time (combined hours for incident response team – legal, HR, IT, security, etc.)
1 Hour
50 hours
35 hours
Security Forensics Costs
$ 0
$ 2,000
$ 800
Reputation Damage Costs
Priceless

11. Encrypt Portable Devices to Protect Sensitive Information (cont’d)
Type
Encryption Solutions
Cost/Impact
How
Apple
File Vault 2
Encrypt the contents of your entire drive.
Solution will work for personally-owned and BSD-owned laptops.
Strong AES 128 based encryption.
can store recover key with Apple; well-documented install guide.
Choose Apple menu () > System Preferences, then click Security & Privacy.
Click the FileVault tab.
Click the Lock  button, then enter an administrator name and password.
Click Turn On FileVault.
Windows
BitLocker
Strong encryption for data protection.
Some hardware and software dependencies.
Click Start, click Control Panel, click Security, and then click BitLocker Drive Encryption.
On the BitLocker Drive Encryption page, click Turn On BitLocker on the operating system volume.
If your TPM is not initialized, you will see the Initialize TPM Security Hardware wizard. Follow the directions to initialize the TPM and restart your computer.
Select one of the following recover options from the recovery password page, you will see the following options:
Saves the password to a USB flash drive.
Saves the password to a network drive or other location.
Print the password

12. Encrypt Portable Devices to Protect Sensitive Information (cont’d)
Type
Encryption Solutions
Use/Features
How
External Storage
Apricorn Aegis USB
Secures the transport of data, documents, and presentations.
Strong, 256-bit AES hardware-based encryption;
unlocks with onboard PIN pad;
PIN activated 7-15 digits -Alphanumeric keypad.
Purchase through University procurement or on you own from Amazon, Staples or any other major IT equipment provider.
Apple Phone/ Tablet
IOS
Work for personally- owned and BSD-owned devices
Native security feature, enabled by default with the use of passcode; vendor-supported
Strong, 256-bit AES hardware-based encryption
Can store recover key with Apple
Set a passcode on phone
Scroll down to the bottom of the Passcode settings page. You should see a message that says “Data protection enabled.” This means that the device's encryption is now tied to your passcode.
Android Phone/ Tablet
Android
Easy setup, but not enabled by default
Well-documented install guide.
Your device’s battery must be at least 80% charged or won’t start.
Your device must be plugged in throughout the entire process.
Unroot phone if rooted before continuing.
Following your manufacture’s steps to complete the encryption.

13. Summary How to reach us: Web Site: http://security.bsd.uchicago.edu
Everyone has a part in safeguarding Protected Information.
Good Computing Security Practices follow the “90 /10”Rule:
10% of security safeguards are technical
90% of security safeguards rely on the computer user (“YOU”) to adhere to good computing practices
How you can help:
Encrypt your portable devices and any sensitive information.
Sign up for 2 Factor Authentication
Following good hygiene security practices i.e. "Top 10 List" of Good Computing Security Practices
Report security incidents including lost/stolen devices to the BSD Information Security teams.
How to reach us:
Web Site:
BSD ISO Team
UCM ISO Team
Plamen Martinov
(773)