Data Managers Interest Group, Institute of Clinical and Translational Research - PowerPoint PPT Presentation


SLIDE 1

Data Managers Interest Group
Institute of Clinical and Translational Research

April 17, 2012

SLIDE 2

Privacy & Security Contacts

  • hipaa@jhmi.edu
  • network.security@jhmi.edu
  • IT Help Desk – 410.735.4357
  • Or you can call me
    – Darren Lacey – Chief Information Security Officer – dll@jhu.edu – 410.735.4477

SLIDE 3

Let’s start with some numbers

SLIDE 4

HIPAA Breaches >500 since 2009

Breach Types                                          Number     %
Hacking/IT Incident                                       44    14
Improper Disposal (Paper)                                 73    23
Lost/Stolen Computer/Server                               41    13
Lost/stolen media or portable electronic devices          47    15
Lost/Stolen Laptops                                       77    25
Unauthorized access                                        8     3
Email                                                      6     2
Other                                                     18     6
TOTAL                                                    314   100

Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html

SLIDE 5

Ways to think about the numbers

  • Hacking incidents make up slightly more than half of large incidents related to higher education
  • Across all industries hacking makes up ¼ of incidents
  • There are many more incidents related to unauthorized access, but these involve fewer than 500 patients

SLIDE 6

HITECH Act Changes in HIPAA

  • Notification required for any breach, not just SSN or financial information
  • Increased fines and penalties
  • 150 audits annually of covered entities starting next year
  • Meaningful use requires security risk assessment

SLIDE 7

Things the HIPAA Cops Hate

  • WEP – Wireless networks
  • Unencrypted email and insecure transmissions
  • Lack of monitoring of business associates
  • Failure to monitor unauthorized access to patient records
  • Lack of accurate inventory of devices, applications and services
  • Inadequate training and awareness

SLIDE 8

Risk areas at Hopkins

  • Application complexity
  • Disclosure and use accounting
  • Downstream data sets
  • Personally owned devices
  • Collaborative multi-site projects
  • Kudzu-like web presence
  • Network proximity to defense-oriented research

SLIDE 9

What can researchers do?

SLIDE 10

Encrypt your laptop, including the one you bring from home!!!

It’s cheap, usually easy.

SLIDE 11

Laptop Encryption Options

  • Macs
    – Lion: use FileVault 2, whole disk encryption
    – Pre-Lion: use FileVault or TrueCrypt folder encryption
  • Windows XP – Checkpoint encryption through Hopkins (often pre-installed) or TrueCrypt FDE
  • Windows 7 (Enterprise or Ultimate) – MS BitLocker or TrueCrypt FDE

SLIDE 12

Do you have a project Web site?

No? Good. Yes? Prepare to do some work and lots of maintenance.

SLIDE 13

Web Security Threats

  • Check your server for sensitive files
  • Database access controls and monitoring
  • Watch your forms and URLs for potential attacks
    – SQL Injection
    – Cross-site scripting
  • Validate all input
  • Test your error screens
  • Monitor any platform vulnerabilities (e.g. PHP)
  • Sound server management practices
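The following is an added example, not part of the slide deck: the two form/URL attack classes named on this slide, SQL injection and cross-site scripting, shown as a vulnerable request handler beside the hardened form, together with the "validate all input" and "test your error screens" points. It uses only the Python standard library; the patient table, its column names and the MRN format are constructed assumptions.

```python
"""Vulnerable vs. hardened handling of a URL parameter used to look up a record.
Constructed in-memory data; not the deck's code and not any real project's."""
import html
import re
import sqlite3

# Constructed sample rows, not real patient records.
SAMPLE_ROWS = [
    ("MRN001", "Ada Lovelace", "A"),
    ("MRN002", "Alan Turing", "B"),
]


def make_db():
    """Build a throw-away SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT PRIMARY KEY, name TEXT, cohort TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, mrn):
    """SQL injection: the URL parameter is pasted into the SQL text itself."""
    sql = "SELECT mrn, name FROM patients WHERE mrn = '" + mrn + "'"
    return conn.execute(sql).fetchall()


# Assumed MRN format for this example: 1-16 upper-case letters or digits.
MRN_RE = re.compile(r"^[A-Z0-9]{1,16}$")


def lookup_safe(conn, mrn):
    """Hardened: validate the input's shape, then bind it as a query parameter."""
    if not MRN_RE.match(mrn):
        raise ValueError("invalid MRN")  # rejected before it reaches the database
    # The driver sends the value separately; it is never interpreted as SQL.
    return conn.execute("SELECT mrn, name FROM patients WHERE mrn = ?", (mrn,)).fetchall()


def render_unsafe(text):
    """Cross-site scripting: user-supplied text reflected straight into HTML."""
    return "<p>Results for " + text + "</p>"


def render_safe(text):
    """Hardened: encode for the HTML context so markup is displayed, not executed."""
    return "<p>Results for " + html.escape(text, quote=True) + "</p>"


def error_page():
    """'Test your error screens': a generic message; details belong in the server log only."""
    return "<p>Request could not be processed.</p>"


def handle_request(conn, mrn):
    """The controls combined: validate, parameterize, encode, and never leak errors."""
    try:
        rows = lookup_safe(conn, mrn)
    except ValueError:
        return error_page()
    return render_safe(", ".join(name for _, name in rows))
```

The difference between the two lookups is not the string quoting but where the boundary between code and data is drawn: in `lookup_safe` the database receives the query and the value on separate channels, so no value can change the query's meaning, and the format check in front of it keeps junk out of the logs as well.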

SLIDE 14

Write up a short data management and sharing plan

For data security and quality. Think of it as version control.

SLIDE 15

Parts of the plan

  • Documented data extractions
  • De-identification and anonymization
  • Downstream data use agreements
  • Dynamic access control lists
  • Data sharing approaches – lowest common denominator
  • Disposal and life cycle management
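An added example, not part of the slide deck, for the first two parts of the plan: a small de-identification pass that applies the HIPAA Privacy Rule Safe Harbor rules (direct identifiers dropped, dates reduced to the year, ages over 89 collapsed into a single "90+" category, ZIP codes truncated to three digits with low-population areas reported as 000), and a documented-extraction record written alongside the output. The field names, record layout and the restricted ZIP3 set are constructed for illustration.

```python
"""Safe Harbor style de-identification plus an extraction record.
Added example; constructed field names and data, not the deck's code."""
import hashlib
import json
import re
from datetime import date

# Constructed list of fields treated as direct identifiers and dropped outright.
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "phone", "email", "address"}
# Constructed placeholder: real use needs the current census list of 3-digit ZIP
# areas with population of 20,000 or fewer, which Safe Harbor says to report as 000.
RESTRICTED_ZIP3 = {"036", "059"}
ISO_DATE_RE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")


def age_bucket(dob_iso, as_of):
    """Age in whole years as of a date, with anything over 89 collapsed to '90+'."""
    dob = date.fromisoformat(dob_iso)
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age > 89 else str(age)


def zip3(zipcode):
    """First three digits of the ZIP, or 000 for a restricted low-population area."""
    prefix = zipcode[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def deidentify(record, as_of):
    """Return a new dict with identifiers removed and quasi-identifiers generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # dropped entirely
        if key == "dob":
            out["age"] = age_bucket(value, as_of)  # date of birth -> age category
        elif key == "zip":
            out["zip3"] = zip3(value)
        elif isinstance(value, str) and ISO_DATE_RE.match(value):
            out[key] = ISO_DATE_RE.match(value).group(1)  # any other date -> year only
        else:
            out[key] = value
    return out


def extraction_record(source_name, rows, as_of, extracted_by):
    """'Documented data extraction': who, when, which rule set, and a hash of what left."""
    digest = hashlib.sha256(json.dumps(rows, sort_keys=True).encode()).hexdigest()
    return {
        "source": source_name,
        "extracted_by": extracted_by,
        "as_of": as_of.isoformat(),
        "rule_set": "safe-harbor-subset",
        "row_count": len(rows),
        "sha256": digest,
    }
```

The extraction record is the part that makes the plan auditable later: the hash ties a downstream data set back to a specific extraction, date and rule set, which is what a disclosure-accounting or data-use-agreement question will ask for. Free-text fields are left untouched here; those need their own review because identifiers can hide in notes.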
SLIDE 16

Tools you can use

  • Jshare for file sharing (internal and external)
  • Sharepoint for internal file sharing and version control (don’t recommend large PHI datasets)
  • Winzip/7zip – encrypted folders
  • JIRA – for collaboration, but it should be authenticated through SM (don’t recommend large PHI datasets)

SLIDE 17

General security controls

  • Access control for administrative access
  • Log management and monitoring of servers
  • Symantec or Forefront Endpoint protection
  • Be circumspect about cloud services – but these are improving rapidly
  • Policies against insecure storage
    – USBs not only get stolen but are malware magnets
    – Home machines are generally not to be trusted
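An added example, not part of the slide deck, for two controls the deck keeps returning to: monitoring access to patient records (slide 7) and controlling administrative access with server log monitoring (this slide). It reviews an application audit log for users who open an unusual number of distinct records in a short window and for administrative logins that are not from an authorized administrator or not from the expected network. The log line format, the administrator roster, the admin network, the threshold and the sample lines are all constructed; a real deployment would read the application's own audit trail and tune the threshold to the role.

```python
"""Audit-log review for patient-record access and administrative logins.
Added example with constructed log format and data; not the deck's code."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: "<iso-timestamp> user=<id> action=<verb> [mrn=<id>] src=<ip>"
LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+)(?: mrn=(\S+))? src=(\S+)$")
ADMIN_USERS = {"admin1"}                         # constructed roster of administrators
ADMIN_NET = ipaddress.ip_network("10.1.0.0/16")  # constructed: where admin logins are expected
MAX_DISTINCT_RECORDS = 5                         # constructed threshold per WINDOW
WINDOW = timedelta(minutes=10)

# Constructed sample lines.
SAMPLE_LOG = """\
2012-04-17T09:00:01 user=rn_smith action=view mrn=MRN001 src=10.1.2.3
2012-04-17T09:00:07 user=rn_smith action=view mrn=MRN002 src=10.1.2.3
2012-04-17T09:00:20 user=rn_smith action=view mrn=MRN003 src=10.1.2.3
2012-04-17T09:00:33 user=rn_smith action=view mrn=MRN004 src=10.1.2.3
2012-04-17T09:00:41 user=rn_smith action=view mrn=MRN005 src=10.1.2.3
2012-04-17T09:00:55 user=rn_smith action=view mrn=MRN006 src=10.1.2.3
2012-04-17T09:05:00 user=dr_jones action=view mrn=MRN007 src=10.1.4.9
2012-04-17T09:06:00 user=admin1 action=admin_login src=10.1.9.9
2012-04-17T09:07:00 user=dr_jones action=admin_login src=10.1.4.9
2012-04-17T09:08:00 user=admin1 action=admin_login src=198.51.100.7
"""


def parse(text):
    """Turn log text into event dicts; malformed lines are skipped (count them in real use)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, action, mrn, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "mrn": mrn, "src": src})
    return events


def excessive_record_access(events):
    """Users who viewed more than MAX_DISTINCT_RECORDS distinct MRNs within any WINDOW.
    Returns {user: distinct_count} for the first window that crosses the threshold."""
    views = defaultdict(list)
    for e in events:
        if e["action"] == "view" and e["mrn"]:
            views[e["user"]].append((e["ts"], e["mrn"]))
    flagged = {}
    for user, items in views.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            seen = {mrn for ts, mrn in items[i:] if ts - start <= WINDOW}
            if len(seen) > MAX_DISTINCT_RECORDS:
                flagged[user] = len(seen)
                break
    return flagged


def admin_access_violations(events):
    """Admin logins by users outside the roster, or from outside the admin network."""
    findings = []
    for e in events:
        if e["action"] != "admin_login":
            continue
        if e["user"] not in ADMIN_USERS:
            findings.append((e["user"], "not an authorized administrator"))
        elif ipaddress.ip_address(e["src"]) not in ADMIN_NET:
            findings.append((e["user"], "admin login from outside admin network"))
    return findings
```

Both checks are deliberately simple: the value is in running them on every day's log and reviewing the handful of lines they produce, which is what "monitoring" means in practice. The record-count rule is a starting point for the "unauthorized access" problem the deck says is far more common than hacking; the right threshold depends on the role, and a nurse on a ward and a billing analyst will need different limits.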