Now UC IT… must notify 60 million that we lost their personal information • Stephen Lau / Michael Kamerick, University of California, San Francisco • Gabriel Lawrence, University of California, San Diego • UCCSC 2008 / July 22, 2008 / Santa Barbara, CA
Overview • Why this matters • Laws affecting data • Finding the data • Reducing your risk • Assisting your customers and addressing researchers
Information Security Affects the Entire IT Lifecycle • Design • Implementation • Testing • Production • Decommissioning
Why Worry? • Theft can happen in 90 seconds or less. http://link.brightcove.com/services/link/bcpid1407952648/bctid1628232209 • Users can be malicious. UCLA employees viewing medical records of celebrities. • Information laws can have a substantial impact even without a security breach. e-discovery incidents • Even third parties can’t be trusted. UCSF data accidentally exposed by third party.
Laws Regulating Data • Many laws exist. We’re not covering them all. • Most relevant (headache causing) ones • California SB1386 / AB1298 • Family Educational Rights and Privacy Act (FERPA) • Health Insurance Portability and Accountability Act (HIPAA) • Electronic Discovery (e-discovery)
California Senate Bill 1386 (SB1386) • Created to address crime of Identity Theft. • Amended California Civil Code • California Civil Code 1798.29 & 1798.82-1798.84 • Requires notification of a California resident whose unencrypted Personal Information is acquired, or is reasonably believed to have been acquired, by an unauthorized individual.
California Senate Bill 1386 (SB1386) • Name (First Name or Initial & Last Name) and any of the following: • Social Security number • Driver's License Number or CA ID Card Number • Financial Account Number & PIN/Password • Credit Card Number & PIN/Password • Debit Card Number & PIN/Password • Note: If a credit card or financial account does NOT require or have a PIN/Password, then exposure of the account number requires notification.
California Assembly Bill 1298 (AB1298) • Extended SB1386 definition of Personal Information to include: • Medical information • “Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.” • Health insurance information • Policy number • Subscriber number • Any unique identifier used by a health insurer to identify a patient • Insurance applications • Insurance claims
Family Educational Rights and Privacy Act (FERPA) • Protects a student’s and a parent’s rights for privacy of and access to academic records. • Covers • Academic records • Student records • Does not cover: • Student medical records • Police records • De-identified information
E-Discovery • Federal law for preserving and protecting electronic data in Federal civil lawsuits. • Equivalent to existing laws prohibiting shredding of paper documents. • Upon notice of a pending federal civil lawsuit a site must: • Identify, preserve and protect all relevant electronic information. • E-discovery requests can come in at any time and be disruptive. • “Relevant Electronic Information” can consist of: • Email • Files on shared file systems • Backup tapes • DVDs • Data on PDAs (such as BlackBerrys) • Data on home / personal systems • If you haven’t talked to your Campus Counsel, you should.
Health Insurance Portability and Accountability Act (HIPAA) • Protected Health Information (PHI) • Past, present or future physical or mental health or condition. • Provision of or payment for health care to the individual. • Privacy regulations apply to PHI in any form or media: • Electronic • Paper • Oral
Won’t [insert buzzword] Protect Me? • Choose your “security solution” • Encryption • Firewall • Intrusion prevention / detection • Anti-virus / anti-spyware • Single sign-on • …
Won’t [insert buzzword] Protect Me? • NO (Is that clear enough?)
There is No Silver Bullet • No solution will prevent information security incidents. • Be skeptical of any “solution”. • Be skeptical of anyone claiming they have never had a breach. Most likely they have, they just don’t know about it.
Locating Sensitive Data • Need to know where the data is • Policy requirements • Can’t secure what you don’t know about • Proper document retention and disposition • Sources of sensitive data • Business processes • Old legacy data • User data
Locating Sensitive Data • Strategies for finding sensitive data • Surveys • Business Process Review • Scanning • Challenges • Users are wrong • Resisting change • Policies • Technology
Changing Business Processes • Case study: Travel reimbursement • SSN collection necessary in case travel transitions into taxable compensation. • Travel form had SSN field on it. • SSN only required for new travelers. • Being collected for all travel. • Assistants stored SSN on computers to facilitate data entry. • Moved to Employee number. • 40% of our travel is to non-employees • Risk still exists in the process, but has been significantly reduced.
Other Examples: Business Process • http://www.wjla.com/news/stories/0708/536794.html • University of Maryland said Thursday they accidentally released the addresses and social security numbers of thousands of students. The University of Maryland's Department of Transportation Services sent all students, a total of more than 23,000, registered for classes a brochure with on-campus parking information. It was sent by U.S. Mail. The University discovered the labels on the mailing had the students' social security numbers on it as well. The brochure was sent using third class delivery and some students may still have not received the item.
Other Examples: Vendors • http://www.news-record.com/content/2008/07/16/article/security_breach_affects_patients • GREENSBORO - Patients at a Greensboro doctors' office have been notified that their personal information — including Social Security numbers and addresses - was stolen in May. In a letter mailed to patients, Greensboro Gynecology Associates said a backup tape of their computer database was stolen. The letter was dated June 16, but some letters weren’t postmarked until July 9.
Other Examples: Data Access • http://www.kxan.com/Global/story.asp?S=8676383&nav=0s3d • SSN Numbers breached at UT • AUSTIN, TEXAS (KXAN) -- The personal information of almost 2500 University of Texas students and faculty has been exposed on the Internet. An independent watchdog discovered more than 5 dozen files containing confidential graduate applications, test scores, and social security numbers. The files were inadvertently posted by at least 4 different UT professors to a file server for the School of Biological Sciences.
Surveys • General • If you have sensitive data you must register it. • What sensitive data do you have on your machine: SSN, CC#, Other • Specific • You must register all instances of files containing sensitive data and get them approved. • Successful? • Drastically reduced known instances of sensitive data. • Created awareness of sensitive data. • Uncovered bad business processes. • Sensitive data lives on.
Scanning • “Data loss prevention” (DLP) • Spider • Vontu/Symantec • Grep • Power Grep • Other tools, but these are the ones we’ve tried out.
ECP Issues • System monitoring • “regularly monitor transmissions for the purpose of ensuring reliability and security” • “process might observe certain transactional information or the contents of electronic communications” • “limited to the least invasive degree of inspection required to perform such duties” • What this means to scanning: • Automated searches should expose only as much information as necessary to locate the PII • Systems staff should then work with the data owner to determine if it is real sensitive data or a false positive • Reports to management should probably not expose anything more than “person X has PII” • Scanning process and procedures need to be publicized before and during the activity. • Process in place for people who wish to opt out.
Vontu • Commercial product • Mounts remote drive to scan engine using CIFS • Scans each file • Multiple strategies • Dictionaries • SSN feed from data warehouse • medical diagnosis terminology • algorithmic recognizers • Regular expressions • Slow, but effective. • Able to encrypt or quarantine files. • ECP issues with the admin interface.
Grep/PowerGrep • Grep is a Unix tool, PowerGrep is a commercial tool. • Development of recognizers is challenging. • Reporting and automation are up to the end user.
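Added example (not from the original slides or from any of the tools named): a small recognizer of the kind the Grep and Vontu slides describe, combining regular expressions with algorithmic checks to cut false positives, and reporting in the least-invasive way the ECP slide asks for. The file name, sample text and function names are assumptions made for illustration.

```python
import re

# Assumed formats: SSN written ddd-dd-dddd; card numbers 13-16 digits with
# optional space or dash separators. Both patterns refuse longer digit runs.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")
CARD_RE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,15}(?![\d-])")

def ssn_plausible(area, group, serial):
    """Drop values never issued as SSNs: area 000/666/9xx, group 00, serial 0000."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def luhn_ok(digits):
    """Luhn checksum, which valid payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_text(path, text):
    """Return (path, line, column, kind) per hit; the matched value is never kept."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append((path, line_no, m.start() + 1, "SSN"))
        for m in CARD_RE.finditer(line):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                findings.append((path, line_no, m.start() + 1, "CARD"))
    return findings

def management_summary(findings):
    """Management view: which files hold PII and how many hits of each kind."""
    summary = {}
    for path, _line, _col, kind in findings:
        kinds = summary.setdefault(path, {})
        kinds[kind] = kinds.get(kind, 0) + 1
    return summary

# Constructed sample input, not real data.
SAMPLE = """Traveler: J. Doe, SSN 123-45-6789
Part number 000-12-3456 is back-ordered
Card on file: 4111 1111 1111 1111
Order ref 1234 5678 9012 3456
"""

if __name__ == "__main__":
    hits = scan_text("travel_form.txt", SAMPLE)
    print(hits)
    print(management_summary(hits))
```

The per-hit findings give systems staff a location to review with the data owner, while the summary carries nothing beyond which file holds which kind of PII.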
Cornell Spider • http://www.cit.cornell.edu/security/tools/ • Free, open source tool. • Windows GUI and command line, Unix/Linux/OSX support. • Pushed out using Windows management tools, reports stored on a central fileserver.
Researchers • Academic Research Systems at UCSF • Our mission is to provide enterprise scale infrastructure for the research community. • Secure Data Environment (SDE) • Web based, document management, team collaboration site, very secure. • Integrated Data Repository (IDR) • Data Warehouse of entire clinical record combined with registry data, public data, genomics/proteomics and research data.
Research Issues • Additional Laws and Regulations • FISMA • Federal Information Security Management Act • California Title 22 • Defines the medical record for an institution • 21 CFR Part 11 (Code of Federal Regulations) • FDA regulations for electronic signatures, workflows • NIH Certificate of Confidentiality • Sarbanes-Oxley
Secure Data Environment
Integrated Data Repository
Summary • IT Professionals must consider information security at all steps of the IT lifecycle. • Know what types of data your users are handling / processing. Ask them, use tools to find them. • Be aware of “regulated” data. • Don’t try to hide breaches! • Inform someone if you suspect a breach.
Contact Information • Stephen Lau, University of California, San Francisco, Enterprise Information Security / OAAIS, Email: stephen.lau@ucsf.edu, Phone: +1 (415) 476-3106, PGP: 44C8 C9CB C15E 2AE1 7B0A 544E 9A04 AB2B F63F 748B • Michael Kamerick, University of California, San Francisco, Academic Research Systems / OAAIS, Email: Michael.Kamerick@ucsf.edu, Phone: +1 (415) 476-3580 • Gabriel Lawrence, University of California, San Diego, Email: glawrence@ucsd.edu