1 / 15

Electronic Information Security – What Researchers Need to Know

Electronic Information Security – What Researchers Need to Know. University of California Office of the President Office of Research May 2005. Federal, State and UC Rules re Information Security. HIPAA Security Rule (45 CFR 160, 162, 164)

hazina
Download Presentation

Electronic Information Security – What Researchers Need to Know

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005

  2. Federal, State and UC Rules re Information Security • HIPAA Security Rule (45 CFR 160, 162, 164) • California Confidentiality of Medical Information Act (Cal. Civil Code 56 - 56.16) • California law governing information security breaches (Cal. Civil Code 1798.29) • California law governing use of social security numbers (Cal. Civil Code 1798.85) • UC electronic information security guidelines (Bus. & Fin. Bulletin IS-3)

  3. HIPAA Security Rule – What is It? • Federal Rule • Requires healthcare providers and businesses to protect the privacy and confidentiality of electronic Protected Health Information (ePHI) • ePHI is patient health information that is stored, maintained, processed or transmitted in any electronic media, such as computers, laptops, disks, memory stick, PDA, network, email.

  4. HIPAA Security Rule – What’s Required? • If you use ePHI in your research, you must meet the Information Security Standards • What are the Information Security Standards? • Confidentiality – Information is not disclosed to unauthorized entities • Integrity – Information is not altered or destroyed in unauthorized manner, and is transmitted accurately • Availability – Information is accessible and useable upon demand by authorized person

  5. UC Guidelines on Information Security - IS-3 • Guidelines for campuses on: • Technical, physical and administrative security measures • Disaster recovery • Information Security Program at every campus • <http://www.ucop.edu/ucophome/policies/bfb/is3.pdf>

  6. What are the Risks when Confidentiality is Breached? • Risk to Human Subject of: • Identity theft, embarrassment, misuse of personal information, victimization in fraudulent scams • Risk to Research of: • Loss of data and loss of integrity • Risk to UC of: • Loss of trust; media attention to security lapse; litigation by subject; penalties; prosecution • Risk to Investigator of: • Loss of data, time and money; embarrassment; media attention to security lapse; litigation by subject; internal disciplinary action; penalties; prosecution

  7. Technical safeguards, e.g., passwords, encryption, archiving, anti-virus software (10% of Information Security) AND Good Computing Practices, i.e., COMMON SENSE (90% of Information Security) How Do I Protect Electronic Information?

  8. Unique log-in access Passwords Workstation security Portable device security Data management, e.g., back-up and archive What are the Technical Safeguards? 6. Remote access security • Safe e-mail use • Safe Internet Use • Report security incidents and stolen devices • Clean data off computers before recycling

  9. Technical Safeguard: PASSWORD • Don't use a word that is obvious or can be found in a dictionary. Every word in a dictionary can be hacked within minutes. • Don't share your password. • Don't let your Web browser remember your password. • Use a minimum of eight characters containing at least one each of the following: • Uppercase letters ( A-Z ) • Lowercase letters ( a-z ) • Numbers ( 0-9 ) • Punctuation  marks ( !@#$%^&*()_+=- ) • Better yet, use a “pass-phrase” to remember your password: • MCp1t@DR! (My Cat purrs louder than a Dosco Roadheader!) • Jw1n,aDTtr! (Just what I need, another Dumb Thing to remember!) 

  10. Technical Safeguard: WORKSTATION SECURITY • LOCK UP offices, windows, workstations, sensitive papers, laptops, PDAs, mobile devices and mobile media. • LOG OFF before leaving a workstation unattended. • AUTO LOG-OFF – Configure workstation to automatically log off and require user to re-log in if left unattended for more than 15 minutes. • SCREEN SAVER - Set to 5 minutes with password protection.

  11. Technical Safeguard: PORTABLE DEVICE SECURITY In addition to Workstation Security measures: • DELETE identifiable data when no longer needed • Use up-to-date anti-virus software • Install computer software updates • Back-up critical data and software programs • Encrypt and password protect portable devices Refer questions to your Information Security Office

  12. More PORTABLE DEVICE SECURITY Safeguards Ask your Information Security Office about: • Turning off your wireless port if you are not using it. • Using a Virtual Private Network if you are using a wireless connection • Installing a firewall • Encrypting data during transmission. Refer questions to your Information Security Office

  13. What are Good Computing Practices? COMMON SENSE • Do NOT use a portable device for storing ePHI, e.g., laptop, PDA, memory stick, cell phone • If you do store ePHI on a portable device, either de-identify or encrypt the data • Keep subject identifiers physically separate from de-identified data • Once you are finished using ePHI on the portable device, delete it • Do NOT use social security numbers as subject identifiers • Do NOT transmit ePHI on the Internet • Do NOT transmit ePHI by email • If you must transmit ePHI on the Internet or by email be sure it is encrypted

  14. More COMMON SENSE Good Computing Practices • Use COMMON SENSE when handling individually identifiable information • Do not leave sensitive or identifiable information lying around for anyone to read • LOCK UP your equipment when not in use • ENGRAVE a personal ID on your laptop or other transportable device so it is less likely to be stolen • DO NOT share your password with anyone • LOG OFF before leaving your computer

  15. Campus Resource for IT Help and for Reporting Security Incidents [http://www.ucop.edu/research/policies/datasecurity/UC Security Officers HIPPA]

More Related