This is the security awareness presentation which I will be giving to Quartz Health Solutions, on October 24, 2018. It focuses on three areas: information security best practices for work, at home, and also contains some tips for kids. Topics include: PHI, ePHI, HIPAA, Identity Theft, Social Engineering, phishing, password management, malware, insider threats, social networks, and mobile devices.
Information Security Awareness: at Work, at Home, and For Your Kids
1. Information Security Awareness
At Work, At Home, and For Your Kids
Nicholas Davis, CISA, CISSP
CISO, University of Wisconsin System
Presented to Quartz Health Solutions, October 24, 2018
2. Welcome
• Nicholas Davis
• Honored to spend time with you
today
• Please let me know how I may best
be of help to you
• Best practices presentation has
three parts:
– At work
– At home
– For your kids
4. An Important Definition
• Protected Health Information (PHI) is information
created or received by a health care provider,
health plan, public health authority, employer, life
insurer, school or university, or health care
clearinghouse relating to the past, present, or
future physical or mental health or condition of
an individual; the provision of health care to an
individual; or the past, present, or future
payment for the provision of health care to an
individual.
5. Quiz…Which are PHI?
Be Careful!
• Address, date of birth, date of death, sex, e-mail
• Medical record number, account number, or SSN
• Dates of service (date of admission, discharge)
• Patient food allergies you found on the patient’s public
Facebook profile, and are also in their medical record
• Medical records, reports, test results, appointment
dates
6. Summary Advice
• If you accessed the information
at work, due to your access
rights (not a publicly accessible
data source), there is a highly
likely chance that it could
reasonably be considered as
PHI and/or ePHI
• Be prudent, treat it as PHI
and/or ePHI
7. PHI is PHI
No Matter Where it Resides
• Data location does not affect
its classification
• Sent via email
• Copied and pasted into a
document
• On a USB flash drive you
found on the table at Culver’s
• Stolen and placed on a
public Internet site
8. HIPAA
• Requires Quartz to protect
the confidentiality, integrity,
and availability of ePHI
against reasonably
anticipated threats such as
hackers, viruses, and
disasters
• Remember C.I.A.
9. Who is Covered by the
HIPAA Privacy Rule
• Health Plans: Individual and group plans that provide or
pay the cost of medical care are covered entities.
Health plans include health, dental, vision, and
prescription drug insurers, health maintenance
organizations (“HMOs”), Medicare, Medicaid,
Medicare+Choice and Medicare supplement insurers,
and long-term care insurers (excluding nursing home
fixed-indemnity policies). Health plans also include
employer-sponsored group health plans, government
and church-sponsored health plans, and multi-
employer health plans.
10. The Reasonable and Prudent
PHI Test
• Every member of Quartz’s workforce
is responsible for protecting PHI and
ePHI.
• My favorite lawyer always says the
same thing to me when I ask about
various situations. “Did the
employee act in a manner which
was both reasonable and prudent?”
• Compliance with Quartz policies and
local, state, and federal law is
required
11. Don’t Be the Weakest Link
• The security of a system is only as good
as its weakest link. If even one person
does not pay attention to security, the
security of the whole system is
compromised.
• Your goal is not to be perfect. However,
you should strive not to be the weakest
link.
12. The 90/10 Rule
• Good Security Standards follow the
"90/10" Rule:
• 10% of security safeguards are technical
• 90% of security safeguards rely on the
computer user to adhere to good
computing practices
• Example: The lock on the door is the
10%. Remembering to lock, checking to
see if it is closed, ensuring others do not
prop the door open, keeping control of
keys is the 90%. Don’t take shortcuts
13. Potential Threats
• Malicious Software (viruses,
malware, spyware, etc.)
• Instant Messaging
• Peer-to-Peer File Sharing
• Threats from within Quartz
• Phishing/ID theft, and other forms
of Social Engineering
• USB flash drives
14. Indicators of Malware
• Unusual items appearing on the screen (graphics, odd
messages, or system error messages).
• Corrupted or inaccessible program files, hard disks, or
diskettes.
• Programs taking longer to start up, running more
slowly than usual, or not running at all.
• Increased number of pop-up advertisements
• Changed settings that can't be changed back to the
way they were
• Web browser contains additional components that you
don't remember downloading
15. How to Avoid Malware
• Be wary of invitations to download software from unknown
sources; even clicking advertisements can result in malware
downloads like ransomware, spyware, and adware.
• Ransomware is a type of malware that prevents or limits
users from accessing their system—either by locking the
screen or encrypting the user’s files—unless a ransom is
paid
• Spyware records your actions and keystrokes to steal your
passwords, credit card numbers, and other confidential
information
• Adware not only slows your computer, but can track the
sites you visit
16. Instant Messaging
• Instant messaging is the popular method of typing online
conversations in real time.
• Risks of Externally Hosted Instant Messaging:
• May not include virus protection
• Hijacking and impersonation
• Malicious code
• Poor password security
• The data is sent to an external host before going to the
intended recipient
17. Peer to Peer File Sharing
• Some P2P programs share everything on
your computer with anyone by default.
• Some P2P programs themselves contain
"spyware".
• Much of the P2P activity is automatic, and
its use is unmonitored.
• Creating multiple copies of a copyrighted
work, music or videos and sharing them is
illegal.
18. Insider Threat
• “The call is coming from inside the
house!”
• Many insiders have the access and
knowledge to compromise or shut down
entire systems and networks.
• You should report information that comes
to your attention and that raises potential
concerns about computer security.
19. Potential Signs of
Insider Threats
• Poor performance appraisals
• Voicing disagreement with policies
• Disagreements with co-workers
• Financial distress
• Unexplained financial gain
• Odd working hours
• Unexplained overseas travel
• Leaving the company
20. Signs of Identity Theft
• Unexplained bank statements, charges on
phone, credit cards or other consumer
accounts
• Being denied a loan you qualify for
• Unexplained changes in your bank
access codes
• Missing credit card bills or other mail
• Unusual calls regarding your personal or
financial information
21. Social Engineering
• Social engineering is the practice of obtaining
confidential information by manipulation of legitimate
users. A social engineer will commonly use the telephone
or Internet to trick people into revealing sensitive
information or getting them to do something that is
against typical policies.
• Social engineering is more successful than all other
techniques for accessing sensitive information. Do not
dismiss its power! If you can recognize it, you can stop it.
22. Social Engineering Tactics
You Can Learn to Recognize
• Excessive flattery, kindness, offering favors to you, etc.
• Using a sense of urgency to get you to bypass normal
controls within the company
• Refusal to give you proof of identity, when requested
• Name-dropping, indicating the person has a position of
influence
• Intimidation: Threatening you with potential punishment for
not helping
• Small mistakes in interaction with you, such as
misspellings, misnomers, and odd questions
• Requesting forbidden information
23. Counter Social Engineering
Tactics
• Be suspicious of ALL unexpected and/or
inappropriate contact with you: phone,
email, in person.
• Ask for proof of the person’s identity and
then verify it with their company through
an independent channel not directly
provided or associated with the person.
• Don’t provide any information until
proper protocol and policy has been
followed—without exception.
24. Tips to Avoid Phishing Attacks
• Be skeptical of messages that require “immediate action” or threaten
that you will lose something.
• Instead of clicking, type website addresses in your browser to
access sites directly.
• Before clicking, hover over or long tap a link to display the true URL
and see if it is linking to a reputable website.
• Think before clicking email and website links and never click a link
that you don’t trust.
• Do not open attachments you aren’t expecting—especially ZIP
files—and NEVER run .exe files.
• Avoid providing personal information over the phone, especially from
an unsolicited call.
• Never send credit card or other sensitive information via email.
• Use common sense. If it looks like spam, then it probably is spam.
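The "hover over the link to display the true URL" advice above can be automated for a whole message. This is an added example, not part of the presentation: it pulls every link out of an HTML e-mail body and flags links whose visible text names a different site than the real target, links that point at a bare IP address, and links that download executables or archives. The sample message and every domain in it are constructed.

```python
"""Flag e-mail links whose visible text disagrees with the real target.
Added example, not from the presentation: the slide's "hover to display the
true URL" check applied to an HTML body. All domains below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body, not a real message.
SAMPLE_EMAIL = """
<p>Your account will be locked in 24 hours. Act immediately!</p>
<a href="http://login.example-bank.com.evil-host.test/reset">
   https://www.example-bank.com/reset</a>
<a href="https://www.example-bank.com/help">Help center</a>
<a href="http://203.0.113.10/update.exe">Update now</a>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return [(href, reason)] for links a reader should not click."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if host.replace(".", "").isdigit():
            findings.append((href, "target is a bare IP address, not a named site"))
        elif text.startswith(("http://", "https://")):
            # The text looks like a URL: does the site it shows match the real host?
            shown = urlparse(text).hostname or ""
            if shown != host:
                findings.append((href, f"text shows {shown} but link goes to {host}"))
        if href.lower().endswith((".exe", ".zip")):
            findings.append((href, "link downloads an executable or archive"))
    return findings
```

Running `suspicious_links(SAMPLE_EMAIL)` flags the first and third links and leaves the genuine help-center link alone.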
26. Social Media Tips
• Be careful about what you share. Don’t reveal sensitive
personal information, i.e., home address, financial
information, phone number. The more you post, the
easier it is to have your identity stolen.
• Become familiar with the privacy policies of the social
media channels you use and customize your privacy
settings to control who sees what.
• Protect your computer by installing antivirus
software. Also ensure that your browser, operating
system, and software are kept up to date.
• Remember to log off when you’re done.
27. Social Media Tips
• Use a strong password. The longer it is, the more secure it will be.
• Use a different password for each of your social media accounts.
• Set up your security answers. This option is available for most
social media sites.
• If you have social media apps on your phone, be sure to password
protect your device.
• Be selective with friend requests. If you don’t know the person, don’t
accept their request. It could be a fake account.
• Click links with caution. Social media accounts are regularly
hacked. Look out for language or content that does not sound like
something your friend would post.
28. Popular Social Media
Privacy Settings
• Facebook: https://www.facebook.com/settings?tab=privacy
• Snapchat: https://support.snapchat.com/en-US/a/privacy-settings
• Google: https://myaccount.google.com/intro/privacycheckup
• LinkedIn: https://www.linkedin.com/psettings/privacy
• Twitter: https://twitter.com/settings/safety
• Apple: https://www.apple.com/ca/privacy/manage-your-privacy/
• Microsoft: https://account.microsoft.com/account/privacy
29. Let’s Talk About Passwords
• Common password mistakes made:
• Too short
• Too common
• Too old
• Easy to guess
• Default
• Reused
• Poorly stored
• Unsecured Device
• Shared
30. Passwords Should Be
Treated Like Toothbrushes
• Choose a good one
• Don’t share it
• Replace it often
• Don’t recycle an old one
31. Choosing a Good Password
• Use a long password:
• 12 characters or more
• Use a combination of:
• Lowercase letters
• Uppercase letters
• Numbers
• Symbols
• Don’t use a common password
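The three rules on this slide as a single check. This is an added example, not from the presentation: it reports which rules a candidate password breaks (length under 12, a missing character class, or a match against a common-password list). The small COMMON_PASSWORDS set is constructed for illustration.

```python
"""Check a candidate password against the rules on this slide.
Added example, not from the presentation: 12+ characters, all four character
classes, and not on a common-password list (the small set here is constructed)."""
import string

# Constructed sample; a real check would use a large breached-password list.
COMMON_PASSWORDS = {"password", "password1", "123456789012", "qwertyuiop12", "letmein"}

def password_problems(candidate):
    """Return the slide rules the candidate fails (empty list means it passes)."""
    problems = []
    if len(candidate) < 12:
        problems.append("too short (fewer than 12 characters)")
    classes = {
        "lowercase letters": any(c.islower() for c in candidate),
        "uppercase letters": any(c.isupper() for c in candidate),
        "numbers": any(c.isdigit() for c in candidate),
        "symbols": any(c in string.punctuation for c in candidate),
    }
    problems += [f"missing {name}" for name, present in classes.items() if not present]
    # Compare case-insensitively: "Password1" is no harder to guess than "password1".
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("too common")
    return problems
```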
32. Protecting PHI and ePHI
at Work
• Use strong passwords
• Logout of applications when you are not
using them, and lock your screen when
you move away from your computer,
always.
• Use email safely
• Use the Internet responsibly and securely
• Dispose of media properly
• Physically secure devices containing
ePHI
• Don’t use USB flash drives
33. Get to Know the IT Security
People at Quartz
• Work with your IT manager before
implementing new cybersecurity measures
• Talk with your IT manager about what
cybersecurity measures are in place in
your department
• Read Quartz’s information security policies
and ask for clarification if anything is
uncertain
34. A Note About Printed
Information
• Use a cross-cut shredder to destroy documents
containing sensitive information
• If the information is protected electronically, then
it should also be protected in printed form. Don’t
leave sensitive information on your desk, or in
public view
• Print only what is necessary. Collect it from the
printer, immediately
36. Protecting Your Computing
Environment at Home
• Always use trustworthy anti-virus software (not
Kaspersky)
• Apply patches regularly
• Perform regular backups, keep them offline and/or with
TRUSTED cloud service providers, which use
encryption of data in transit AND data at rest
• Shutdown your computer when not in use for an
extended time period
• Work securely from home, using corporate VPN
• Make wireless networks secure (change default
password, ensure encryption is used, flash hardware
updates regularly)
37. Tips For Backups
• Create offline backup copies of your files to reduce the risk
of losing important files to ransomware, a virus, computer
crash, theft or disaster
• Save copies of your important documents and files to a
flash drive, external hard drive or online backup service
• Store your backup files in a secure place away from your
computer, in case of fire, theft or ransomware
• Test your backup files periodically to make sure the files
are accessible and readable
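The last tip, testing that backup files are accessible and readable, is the one most people skip. This is an added example, not from the presentation: it builds a SHA-256 manifest of the original folder and checks each file against the backup copy, reporting files that are missing from the backup and files whose contents no longer match (a truncated or corrupted copy). The demo folders and files are constructed in a temporary directory.

```python
"""Verify that a backup copy is complete and readable, as the slide advises.
Added example, not from the presentation: a SHA-256 manifest of the original
folder is checked against the backup copy. The demo folders are constructed."""
import hashlib
import os
import tempfile

def file_digest(path):
    """SHA-256 of one file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_digest(full)
    return manifest

def verify_backup(source, backup):
    """Return {'missing': [...], 'corrupt': [...]}: files that could not be restored."""
    result = {"missing": [], "corrupt": []}
    for rel, digest in sorted(build_manifest(source).items()):
        copy = os.path.join(backup, rel)
        if not os.path.isfile(copy):
            result["missing"].append(rel)
        elif file_digest(copy) != digest:   # present but truncated or altered
            result["corrupt"].append(rel)
    return result

def demo():
    """Constructed scenario: one faithful copy, one truncated copy, one file never backed up."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "documents"), os.path.join(tmp, "backup")
        os.makedirs(src)
        os.makedirs(dst)
        originals = {"taxes.txt": b"2018 return", "photo.bin": b"\x00" * 100, "notes.txt": b"x"}
        for name, data in originals.items():
            with open(os.path.join(src, name), "wb") as f:
                f.write(data)
        copies = {"taxes.txt": originals["taxes.txt"], "photo.bin": b"\x00" * 50}
        for name, data in copies.items():   # notes.txt is deliberately absent
            with open(os.path.join(dst, name), "wb") as f:
                f.write(data)
        return verify_backup(src, dst)
```

Point `verify_backup` at a real documents folder and its copy on the external drive to get the same missing/corrupt report for your own backup.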
38. Broad Ideas to Keep in Mind
• Always think like a computing minimalist
• Always be suspicious of anything that is
“Free”. 95% of the time you get what you
pay for. The other 5% you get less.
• Stop: Before you use the Internet;
understand the risks and potential threats
• Think: How will your online activities impact
your privacy, security and safety
• Connect: Enjoy the Internet knowing you’ve
taken steps to ensure a safe experience
• Trust your intuition
39. Thoughts on Mobile Devices
• If possible, never leave your portable computing devices
unattended. Lock them up, when not in use
• Send mobile devices as the last of your personal
possessions through airport X-Ray security machines
• Implement a screen lock on your mobile devices, enable
remote tracking and remote wipe capability
• Don't store sensitive information, such as usernames,
passwords, social security numbers, bank account
numbers, or credit card numbers, unencrypted.
• Keep data backed up on a PC or server in case your
mobile device is gone forever.
• Don’t use your mobile device in a foreign country. If you
do, reformat it upon return to the US
40. Don’t Mix Business
With Pleasure
• Avoid doing personal activities on work
computers, when possible.
• Avoid doing work activities on personally
owned devices, when possible.
• Co-mingling of information is bad for you,
and bad for your employer
41. Don’t Assume ANYTHING
• Report suspected malware and phishing
incidents
• Report suspected social engineering
• Report suspicious behavior of insiders
• Report anything that seems odd or out of
place, including the circumvention of
physical, technical and administrative
controls
43. Stop-Think-Connect
• In 2009, the Department of Homeland
Security created the “Stop-Think-Connect”
Campaign to help Americans understand
the dangers that come with being online
and the things we can do to protect
ourselves from cyber threats.
44. The Digital Lives of Children
• Kids ages 8-18 spend 7 hours and 38
minutes per day online
• Some common online issues kids face
include:
• Cyber Predators
• Cyber Bullying
• Identity Theft
45. Tips to Share With Your Kids
• Keep your personal information private; avoid
sharing your name, address, telephone number,
birthday, passwords, and the name of your
school when using the Internet.
• Think twice before you post or say anything
online; once it is in cyberspace, it’s out there
forever.
• Treat others like you want to be treated.
• Speak up. If you see something inappropriate,
let the website know and tell an adult you trust.
Don’t stand for bullying—online or off.
46. Tips to Share With Your Kids
• Choose a screen name or email address that
isn't your real name to protect your identity. For
instance, instead of "Jack Smith," why not
choose "Sk8boardKing?"
• Don’t share your passwords with anyone.
• Think before you click – don’t open emails from
strangers and don’t click on links for unfamiliar
sites.
• Use and check your privacy settings on social
networking sites like Facebook and Twitter.
47. Thank You
Q&A Session
Please feel free to contact me, if you have
questions, or if I may be of help in any way.
• Nicholas Davis
• ndavis@uwsa.edu