Chapter 13
- 2. Objectives • Explore electronic security issues. • Describe processes for securing information in a computer network. • Identify various methods of user authentication and relate authentication to security of a network. • Explain methods to anticipate and prevent typical threats to network security.
- 3. Securing Network Information • The linking of computers together and to the outside creates the possibility of a breach of network security, and exposes the information to unauthorized use. • The three main areas of secure network information are confidentiality, availability, and integrity.
- 4. Confidentiality • Safeguarding all personal information by ensuring that access is limited to only those who are authorized. • “Shoulder surfing” or watching over someone’s back as they are working, is still a major way that confidentiality is compromised.
- 5. Acceptable Use • Organizations protect the availability of their networks with an acceptable use policy. • Defines the types of activities that are acceptable and not acceptable on the corporate computer network • Defines the consequences for violations.
- 6. Information Integrity • Quality and accuracy of networked information • Organizations need clear policies to clarify: – how data is actually inputted, – who has the authorization to change such data and – to track how and when data are changed and by whom.
- 7. Authentication of Users • Authentication of employees is also used by organizations in their security policies. • Organizations authenticate by: – something the user knows (password), – something the user has (ID badge), or – something the user is (biometrics)
- 8. More About Authentication • Policies typically include the enforcement of changing passwords every thirty or sixty days. • Biometric devices include recognizing thumb prints, retina patterns or facial patterns. • Organizations may use a combination of these types of authentication.
- 9. Threats to Security • A 2003 nationwide survey by the Computing Technology Industry Association (CompTIA) found that human error was the most likely cause of problems with security breaches. • The first line of defense is strictly physical. • The power of a locked door, an operating system that locks down after five minutes of inactivity, and regular security training programs are extremely effective.
- 10. Threats to Security • One way to address this physical security risk is to limit the authorization to ‘write’ files to a device. • Organizations are also ‘turning’ off the CD/DVD burners and USB ports on company desktops.
- 11. Threats to Security • The most common threats a corporate network faces from the outside world are hackers, malicious code (spyware, viruses, worms, Trojan horses) and the malicious insider. • Spyware is normally controlled by limiting functions of the browser used to surf the Internet.
- 12. Cookies • A “cookie” is a very small file written to the hard drive of a user surfing the Internet. • On the negative side, cookies can also follow the user’s travels on the Internet. • Spying cookies related to marketing typically do not track keystrokes to steal user ids and passwords.
- 13. Threats to Security • Spyware that does steal user ids and passwords contains malicious code that is normally hidden in a seemingly innocent file download. • Another huge threat to corporate security is social engineering, or the manipulation of a relationship based on one’s position in an organization.
- 14. Malicious Insider • The number one security threat to a corporate network is the malicious insider. • There is also software available to track and thus monitor employee activity. • Depending on the number of employees, organizations may also employ a full time electronic auditor who does nothing but monitor activity logs.
- 15. Security Tools • There are a wide range of tools available to an organization to protect the organizational network and information. • These tools can be either a software solution such as antivirus software or a hardware tool such as a proxy server.
- 16. Security Tools • E-mail scanning software and antivirus software should never be turned off and updates should be run weekly, and ideally, daily. • Software is also available to scan instant messages and to automatically delete spam e-mail.
- 17. Firewalls • A firewall can be either hardware or software or a combination of both. • A firewall can be set up to examines traffic to and from the network • Firewalls are basically electronic security guards at the gate of the corporate network.
- 18. Proxy Servers • Hardware security tool to help protect the organization against security breaches by: – preventing users from directly accessing the Internet from corporate computers. – Issuing masks to protect the identity of a corporation’s employees accessing the World Wide Web. – tracking which employees are using which masks and directing the traffic appropriately.
- 19. Intrusion detection systems • Hardware and software to monitor who is using the organizational network and what files that user has accessed. • Corporations must diligently monitor for unauthorized access of their networks. • Remember: Any use of a secured network leaves a digital footprint that can be easily tracked by electronic auditing software.
- 20. Offsite Use of Portable Devices • Off site uses of portable devices such as laptops, PDA’s, home computing systems, smart phones, and portable data storage devices can help to streamline the delivery of health care. • Some agencies have developed a virtual private network (VPN) that the user must log in to in order to reach the network. • The VPN ensures that all data transmitted via this gateway is encrypted.
- 21. Offsite Use of Portable Devices • Only essential data for the job should be contained on the mobile device, and other non- clinical information such as a social security numbers should never be carried outside the secure network. • The agency is ultimately responsible for the integrity of the data contained on these devices as required by HITECH and HIPAA regulations.
- 22. Offsite Use of Portable Devices • If a device is lost or stolen, the agency must have clear procedures in place to help insure that sensitive data does not get released or used inappropriately. • The Department of Health and Human Services (2006) identifies potential risks and proposes risk management strategies for accessing, storing, and transmitting EPHI. Visit this website for detailed tabular information (p 4-6) on potential risks and risk management strategies: http://www.cms.hhs.gov/SecurityStandard/Download s/SecurityGuidanceforRemoteUseFinal122806.pdf
- 23. Thought Provoking Questions 1. Jean, a diabetes nurse educator recently read an article in an online journal that she accessed through her health agency’s database subscription. The article provided a comprehensive checklist for managing diabetes in older adults that she prints and distributes to her patients in a diabetes education class. Does this constitute fair use or is this a copyright violation?
- 24. Thought Provoking Questions 2. Sue is a COPD clinic nurse enrolled in a Master’s education program. She is interested in writing a paper on the factors that are associated with poor compliance with medical regimens and associated re-hospitalization of COPD patients. She downloads patient information from the clinic database to a thumb drive that she later accesses on her home computer. Sue understands rules about privacy of information and believes that since she is a nurse and needs this information for a graduate school assignment that she is entitled to the information. Is Sue correct in her thinking?