HIPS Series > Basics of Being Secure, part 2

How to take this course

Hyperlinks to supplemental content are provided, should you wish to read more about a particular topic.  This extra material is optional.  It is not covered on the associated course quiz.  The supplemental content will usually be presented in a new browser window, which you may close at any time.

For the recommended reading sequence for these materials, see the HIPS Series Overview.

Approximate reading time for this course is 20 minutes (exclusive of linked content). This course has a first part, for which the average reading time is about 20 minutes. The quiz for both parts of the course is here.


•  •  •  •  •

1. Why are you here?

As we noted in part 1, privacy and security protections for health information are required for many reasons.  Federal statutes require it (e.g., HIPAA).  State statutes require it.  Private organizations that certify health care facilities require it (e.g., JCAHO).

Even if none of these regulatory requirements existed, business necessity would still compel protection of a health care organization's information resources.  And medical ethics would still require it, to protect patients' privacy.

As we also noted before, your information security training is a critical part of these protections.  We continue that training here, with the rules for computers -- devices that can bring great convenience and efficiency, but also great risk.

2. Information on computers

There's still a lot of paper floating around health care organizations -- and it's still causing security headaches.  (Hence the focus of part 1.)  But while paper records systems remain, the most important information resources are usually on computer-based systems now.

Accordingly, computer security is essential.  If computer systems are compromised, business operations may be brought to a halt.  Because computers are networked together, a single security problem can put everything at risk.  What you do -- or fail to do -- on your computer can affect many others in your organization.

We have a series of computer security courses that go into the details.  The rules here are sufficient to get you started.

3. Controlling computer access and use

If you're reading this, it's probably because you need access to a computer to get your work done.  In a modern office, so do most of your co-workers.  Keeping you and them secure requires controlling access to workplace computers.

Organizations regulate computer access using different methods:  Passwords are still common.  "Smart" cards and USB keys are getting common.  Biometric identification (e.g., using fingerprinting or retinal scanning) will become common someday.  Correct use of these methods is critical for information security.

Once you are on the computer, you'll also need to know enough to do things safely -- whether that's accessing the organization's data systems, emailing, IMing, web surfing, or anything else.  The last part of this course covers the basics for those activities.

>> Rules for computer access

  • Most computer systems still rely on user-IDs and passwords.  Be sure to pick good passwords and protect them appropriately.  If you believe a password has been compromised, change it immediately.  And report it.
     
  • If computer access tokens are used, such as USB or card keys, these should be kept with you or in a safe place otherwise.  As with passwords, report lost or stolen access tokens immediately.
     
  • Log on to computer systems only with your own user-ID, password or token.  These should be "shared" only in true emergencies (and if shared, changed immediately afterward).
     
  • Log off or lock your computer any time you leave it unattended, even if just for a short time.  Don't rely on computer timeouts for protection.

4. Protecting the computer and data itself

"Technical" access control measures like passwords are critical to controlling computer access.  However, just as with paper-based information and the devices that process paper, controlling physical access to a computer is the first line of defense.  

Computers should be kept in secure, non-public locations whenever possible.  If one must be in a public area, it should be positioned to keep it secure from visitors.

It's critical to have backup copies of computer data.  But any storage media used for backups -- floppies, CDs/DVDs, flash memory -- should be in secure locations too.  When no longer needed, secure disposal of any media containing sensitive data is essential.

Basic protective measures should be in place, like antivirus software.  And all the software on a system should be kept current.

At work, you may not need to do these things yourself, but you need to be sure it has been done by someone.  Ask your technical support staff about what is in place, and what you need to do on your own.  (Always ask first!)

>> Basic protective measures for PCs

  • Physical protection -- A secure space for your computer, portable devices and any removable storage media is the first line of defense.
     
  • Anti-virus, anti-spyware and firewall software -- Some networks have these protections already, but it's usually still critical to have them on your computer, particularly the anti-virus/anti-spyware.  It's also critical that they be configured correctly.
     
  • Software updates -- Keep your anti-virus and other software up-to-date.  That includes keeping up with patches for the operating system itself, and upgrades to whatever browser and email software you use. 
     
  • Enable passwords -- A login and screen-saver password are both needed.  If your system can use biometrics or physical tokens to control access, enable those.
     
  • If you use a wireless link for communications, enable its security features too.

This list is a bare minimum.  For more suggestions, and instructions on how to put them in place, take the Protecting Your Computer course.

5. Personal portable computers, PDAs, etc.

With large, multi-user information systems, there is usually a dedicated technical support staff that attends to all the needed protective measures.  For your personal computer, sometimes you can also rely on others' support.  (That's why we stress that you must always ask your technical staff about what is in place, and what you need to do on your own.)

What about the smallest members of the computing family, the portables?  Laptops, palmtops, PDAs, and smart phones now allow computing power to go anywhere.  Many of them use wireless communication to stay connected to the Internet and shared computing resources at all times.   

Such devices are very convenient, but also very dangerous.  If paper files are lost or stolen, it usually puts only a few patients' records at risk.  That's bad, of course.  But a lost or stolen portable computer can risk the information of hundreds or thousands of patients.  That's also true of high-capacity storage media, like flash memory cards and portable hard drives.  It makes the loss of a portable device potentially a security disaster.

Portables require many of the same protections as non-portable computers, such as keeping software current.  They also have special requirements related to their portability.

>> Rules for portables

  • Whenever possible, portable devices should be kept inside the office or other facility -- where you have the protections of better physical security.
     
  • Avoid storing lots of sensitive information on a portable.  When possible, use secure (encrypted) communication links to on-site databases instead.
     
  • Security features -- such as an access password, token or biometric authentication, and encryption of stored data -- should be used if the portable device contains sensitive data.
     
  • Report any loss/theft of a portable with sensitive data.  (Even if you get the device back intact, data may have been accessed while it was "away.")

For more, take the Protecting Your Portables course.

6. Things you do on computers

Now we move on to rules for activities on a computer -- what computer specialists refer to as "applications." 

We cover only the most common applications here, and provide only the most important rules.  You are obligated to learn how to do safely whatever it is you do.  That will usually require training beyond what we provide here on applications like email and Web surfing.

It is also critical that you learn how to use safely any shared computer information systems that your organization employs for legally-protected medical or other information.  Such multi-user systems typically have their own unique ways of presenting data -- and use unique commands to manipulate that data.  So you'll need training specifically developed for your work environment's shared systems.

7. Electronic mail

Electronic mail (email) was supposed to replace the fax machine.  As you know, it hasn't -- at least not yet.  But email has become a ubiquitous means of inter- and intra-office communication, and is becoming common as a means of interacting with customers.

Email is such a dangerous medium of communication that we have a two-part course devoted just to it.  How could something so easy and convenient be dangerous?  Because people don't take the time to use it securely!  And it is not a very safe medium even in the best of circumstances, unless you are using a secure email system.  Generally, you're better off using postal mail, telephone or even a fax for anything confidential.

>> Rules for electronic mail

  • Be careful about email you receive, especially email containing attached files that may be infected.  Check every attachment with antivirus software before you open it.  Spam, spoofs and hoaxes should just be deleted.
     
  • Be careful about clicking on links in emails.  They can be just as dangerous as email attachments.
     
  • Be careful about sending information that might be considered confidential in an email, both in the message itself and in any attachments.  You can't assume that most people's email is secure.
     
  • If you do send sensitive information via email, include an appropriate confidentiality notice.  (Just as with faxes, it's not clear that these notices have any legal effect.  But they are a standard practice.)
     
  • Re-read the email before you send it.  Make sure the content is appropriate for all recipients.  And double-check that you have the correct "to", "cc" and "bcc" addresses.  Once it's gone, you can never get it back.

For more, take the Safer Emailing and IMing course.

8. Instant Messaging (IM)

Instant messaging (IM) is generally less common than email in the workplace, but its popularity is growing fast.  Regular users find it hard to live without IM.  (And those who don't use it tend to find all the fuss about IM hard to fathom.)

The rules for IM are essentially the same as for email:  Be careful about what you put in IM, and about where (to whom) you send messages.  Like email, IM is not inherently secure, unless offered via a secure system.  That's why many organizations restrict use of the popular IM clients from AOL, MSN, Yahoo, etc., and limit IM to enterprise (business oriented) systems that include security features.

IM has legal similarities to email too:  Even though informal and quick, workplace IM can still be considered legally-binding correspondence.  And it is subject to inspection by many parties.

>> Rules for Instant Messaging

  • Be extremely careful about including confidential information in IM.  You cannot assume that most people's IM is secure.  For the same reasons, be extremely careful about IM attachments containing sensitive data.
     
  • If you feel you must send sensitive information via IM you may also need to include language about confidentiality.  (As before, remember that such notices may have no legal effect.)
     
  • Even though it's an informal medium, take the extra seconds to re-read IM before you send it.  Make sure content is appropriate.  Remember that, like email, IM content can be legally binding. 
     
  • Always (try to) verify that you're communicating with the person you think you are.

For more, take the Safer Emailing and IMing course.

9. Web surfing

Using a Web browser to "surf" the Internet is a common computer activity both at home and at work.  But at work you are likely to be limited to work-related surfing, and your practices may be monitored or limited. 

That may restrict you to your organization's own Web pages and a few "safe" external sites that have information clearly necessary for your work duties.

The main reason is time: You don't get to use the Internet for amusement at work for the same reason you don't get to watch TV.  There is also a security issue.  If your browser software doesn't have the appropriate security settings, it's possible for a malicious Web site to extract sensitive information from your computer or even damage your computer's functioning.

>> Rules for Web surfing

  • Make sure your browser has appropriate security settings for the kind of browsing you do.  (If you don't know how to do that, consult with someone who does.)
     
  • Be careful where you go.  As in the physical world, not all Web neighborhoods are equally safe.
     
  • Links in Web pages can initiate software installations and other dangerous things.  Be careful what you click on, unless you are absolutely certain about the security of the site you're visiting.
     
  • Remember that almost all organizations monitor your Web surfing.  Have a work-related reason for the places you browse at work. 

For more, take the Safer Web Surfing course.

10. File sharing

Because of security risks, most organizations simply prohibit use of workplace computers for file-sharing via peer-to-peer (P2P) networks.  Shared files are commonly infected with malicious software.  File sharing software can expose files on your computer -- beyond the ones you were planning to share! -- and make your system unstable or worse.

It is also legally risky.  Many file exchanges violate copyright laws.  And, last but not least, file exchanges can consume significant computing and communications resources. 

For all these reasons, there's really only one rule for file sharing at work:  Don't.  (If you do it at home, on your own computer, be mindful of the legal and security risks.)

11. Game playing

Most organizations also prohibit use of workplace computers for games.  What's a "game"?  One answer is that it's any computer use that doesn't relate directly to work.

Three reasons again:  First, installation of game software on a workplace machine may violate copyright laws.  Second, any software you install could be infected, and so presents a security risk.  Third, games can consume significant computing and communications resources, not to mention the cost of human time.  (Even if you just play over the Internet, with no installed software, you can't get around #3.)

So once again the rule for the workplace is simple:  Don't.  (What you do at home, on your own computer, is your business.)

12. Anti-social engineering

Technical vulnerabilities are one source of security problems -- such as when hackers are able to exploit defects in software.  But human vulnerabilities are equally important.

What do we mean by "human vulnerabilities"?   That's a polite way of saying "when humans do something stupid."  In part 1, we provided some examples of that, caused by combinations of ignorance and inattention to the basic rules of information security. 

Humans can also be deliberately "conned" into doing things that cause security problems.  This is called social engineering.  A less polite name for social engineers is con artists, and they are as common in the virtual world as they are in the physical one.

>> Rules for avoiding the "con"

  • It's much harder to confirm someone's identity in the virtual world, so extra caution is required.
     
  • Be cautious any time you are asked for sensitive information, whether by phone, fax, email or even in person.  It could be a phishing scam.
     
  • Be particularly cautious if asked to "confirm" a password, PIN, account number or other personal data that is critical to establishing identity.  Make sure that you're really communicating with the person/organization you think you are, and not a phishing imposter.
     
  • If you're not sure about the appropriateness of a communication, just say no.

For more on social engineering, and defenses against it, take the Protecting Your Identity course.

13. The most essential rule

Beyond all the detailed rules, one rule is always worth remembering: the Golden Rule.

What does that mean here?   As we noted at the beginning of part 1, it means treating health information under your control the way you would want your own treated, or that of someone you care about.  If you're lucky, whoever is handling your records or those of a loved one will do the same.

A big part of "doing right" by others is getting enough training to make good day-to-day choices.  (It's also important to be able to recognize when you're in over your head, and need to ask for help.) 

There's a saying that a security system is only as strong as its weakest link.  Don't let that be you.

14. What to do if you find a problem

As we noted at the end of part 1, sooner or later you're going to come across someone who isn't following the rules.  Usually that's unintentional -- and a gentle reminder will be enough to fix things.  If that doesn't work, contact a supervisor.  

Most supervisors are eager to fix security problems, and will welcome your report.  But if you prefer, you can report problems to your organization's privacy official or information security official.  (Every organization is legally required to have such persons.) 

Remember that HIPAA regulations forbid intimidation or retaliation for reporting a problem or filing a complaint.  But if you doubt your organization's good will, or its ability to prevent harm to you, report the problem anonymously to a state or federal government agency.

15. If you remember nothing else

As we said at the beginning, we don't expect you to remember all these rules right away.  With practice, they will become second nature.

We do urge you to print out a copy of the rules before you leave, to have for future reference and for the quiz.  Click here for a PDF-format download.

If all these security rules seem a bit overwhelming, remember that driving a car once seemed overwhelming too.  For that, you must manage a very complex piece of machinery, following traffic rules that are also complex.  And yet you do it every day.

With time and practice, information security will become just as routine.  The payoff is that it will make you safer, both at work and in your personal life.

•  •  •  •  •

Help us make this course better -- take the online course evaluation. The quiz for this course is here.

•  •  •  •  •


   © 2002-2006 Contributing authors and University of Miami School of Medicine