Information Security for Researchers

1
Information Security for Researchers

• Jason AlexanderInformation Security
  ManagerHealth Care Information Systems

2
Outline

• Responsibility for Security
• Access Restriction of Research Records
• Best Practices for Data Storage
• Additional Measures for Specific Data
• Transmission Security
• Backups
• Common Security Risks
• Procedure to deal with security issues

3
Responsibility for Security

• Responsibility depends on what systems are being
  used.
• HCIS Responsibility
• HCIS Managed Workstations
• HCIS Managed Servers
• Primary Investigator Responsibility
• Investigator Run Workstations
• Investigator Run Servers
• Portable Storage Devices

4
Access Restriction of Paper Research Records

• Develop some type of catalog system
• Paper records should be secure when not in use
• Limit the number of users with access to paper
  records
• Log the access and removal of records
• Executing a retention policy to archive and
  destroy records according to operational needs

5
Access Restriction of Electronic Research Records

• Unique user names / No shared access
• Require passwords that meet University policy
• Develop a folder structure to separate data as
  appropriate
• Only grant access that is necessary to perform
  job function
• Limit the number of accounts with Privileged
  Access

6
Best Practices for Data Storage

• For Servers
• Physical Security
• Access Control Methods
• Patch Management Practices
• Malicious Software Protection
• Removal of Unnecessary Services
• Host-based Firewall Software
• Session Timeout

7
Best Practices for Data Storage

• For Workstations
• Physical Security
• Patch Management Practices
• Malicious Software Protection
• Removal of Unnecessary Services
• Host-based Firewall Software
• Disk Encryption for portable devices
• Locking Screen Savers
• System Backups

8
Additional Measures for Specific Data

• HIPAA Data
• Personally Identifiable Information / Protected
  Health Information
• While Research is not a covered entity by HIPAA
  is still good practice to follow what HIPAA where
  possible.
• The following links provides an overview of the
  HIPAA rules as they apply to systems operations
  (Technical Rule)
• https//thepoint.healthcare.uiowa.edu/sites/HCIS-T
  echOps/Security/Security Presentations/HIPAA
  Securty Rule Matrix.pdf

9
Transmission Security

• Email is NOT secure, Think of email like a
  postcard
• Personally Identifiable Information should be
  encrypted in transmission
• Virtual Private Network (VPN)
• Citrix
• SSL Web Encryption

10
Backups

• The backup of information is governed by the
  University Backup and Recover Policy
• Software and records should be retained so that
  information is fully recoverable
• Backup rate should be determined by the data, At
  least 3 version of the data must be maintained
• Storing workstation data on a file server that is
  backed up is acceptable
• Backups should be stored off-site from original
  location and not at personal dwellings
• The University has an approved list of off-site
  vendors
• Where possible encryption should be used

11
Current Threats

• Phishing Attacks
• Malicious Email Attachments/Links
• Internet Worms

12
Examples of an Incident

• Intrusion of computer systems via the network
  (often referred to as hacking)
• Occurrence of computer viruses (an infection by
  a virus, worm, or Trojan program)
• Probes for vulnerabilities via the network to a
  range of computer systems (often referred to as
  scans)
• Denial of service attacks (lack of network or
  system response)
• Breach of information security (account
  compromise)

13
How to Handle a Security Incident

• The first thing you should keep in mind is that
  security incidents will happen
• The important thing to know is how to deal with
  them properly and when to get help
• The following slides will go over the procedures
  you should follow

14
Dont Panic

• Dont panic, think before you take any actions on
  the system
• If you start looking at the system without
  knowing what your doing you could destroy any
  evidence that might exists as to what happened on
  the system

15
Take Good Notes

• From this point forward keep a record of all
  actions taken on the system
• This record will help the Security Office know
  what actions you took on the system in a later
  investigation
• This allows us to separate the actions of the
  attacker and administrators

16
Assess The System

• Do a quick assessment of the system and the data
  that is stored on the system
• Do not shut the machine off
• Disconnect the machine from the network

17
Contact IT Security

• To report an incident
• Hospital/HCIS
• Call 356-0071
• ITSecurity-HCIS_at_healthcare.uiowa.edu
• ITS
• Call 335-6332
• it-security_at_uiowa.edu

18
Restrict Knowledge of the Incident

• Restrict the knowledge of the incident to the
  minimum number of people
• Often the initial assessment turns out to be
  incorrect
• This prevents incorrect information from being
  distributed outside of the University

19
Use Non-Electronic Communications

• Dont use any communication methods that an
  attacker might be able to intercept
• For example dont send an email from a server you
  believe to be compromised as the attacker might
  intercept this email and cause greater damage to
  the system
• Use the phone, faxes, or other known good systems
  to communicate

20
Contain the Problem

• After the problem has been identified the
  Security Office will help you contain the problem
  to prevent it from becoming worse
• The Security Office will suggest a method of
  containment depending on the specific
  circumstances

21
Image the System

• The Security Office will come in and create an
  image of the system if necessary
• It is necessary to create this image as soon as
  possible to record the state of the system as it
  was found
• This image will be used for further
  investigations of what happened to the machine
  and might also be used by law enforcement

22
Remove the Problem

• After a problem has been identified, take the
  necessary steps to prevent the same thing from
  happening again
• If the specific cause can not be identified the
  system should be restored from backups and
  audited to attempt to harden the system against
  future compromise

23
Get Back in Production

• After the issues have been identified it is
  important to get back into production to return
  service to your users.
• Depending on the incident you may have to
  reallocate hardware, rebuild systems, or use
  other resources to cover for the compromised
  system

24
Follow-up Steps

• Change all passwords on the system
• Confirm the integrity of your backups
• Audit all accounts on the system
• Review Backup Plans
• Review Disaster Recover Plans

25
Questions

• Contact
• Jason AlexanderInformation Security
  ManagerHealthcare Information Systemsjason-alexa
  nder_at_uiowa.edu356-0071