2. Objectives
• Explore electronic security issues.
• Describe processes for securing information in a
computer network.
• Identify various methods of user authentication
and relate authentication to security of a
network.
• Explain methods to anticipate and prevent typical
threats to network security.
3. Securing Network Information
• The linking of computers together and to
the outside creates the possibility of a
breach of network security, and exposes
the information to unauthorized use.
• The three main areas of secure network
information are confidentiality, availability,
and integrity.
4. Confidentiality
• Safeguarding all personal information by
ensuring that access is limited to only those
who are authorized.
• “Shoulder surfing,” or watching over
someone’s back as they are working, is still
a major way that confidentiality is
compromised.
5. Acceptable Use
• Organizations protect the availability of
their networks with an acceptable use
policy.
• Defines the types of activities that are
acceptable and not acceptable on the
corporate computer network
• Defines the consequences for violations.
6. Information Integrity
• Quality and accuracy of networked
information
• Organizations need clear policies to clarify:
– how data is actually inputted,
– who has the authorization to change such data,
and
– how to track how and when data are changed and
by whom.
7. Authentication of Users
• Authentication of employees is also used
by organizations in their security policies.
• Organizations authenticate by:
– something the user knows (password),
– something the user has (ID badge), or
– something the user is (biometrics)
8. More About Authentication
• Policies typically include the enforcement
of changing passwords every thirty or sixty
days.
• Biometric devices include recognizing
thumb prints, retina patterns or facial
patterns.
• Organizations may use a combination of
these types of authentication.
9. Threats to Security
• A 2003 nationwide survey by the Computing
Technology Industry Association (CompTIA) found
that human error was the most likely cause of
problems with security breaches.
• The first line of defense is strictly physical.
• The power of a locked door, an operating system
that locks down after five minutes of inactivity,
and regular security training programs are
extremely effective.
10. Threats to Security
• One way to address this physical security
risk is to limit the authorization to ‘write’
files to a device.
• Organizations are also turning off the
CD/DVD burners and USB ports on
company desktops.
11. Threats to Security
• The most common threats a corporate
network faces from the outside world are
hackers, malicious code (spyware, viruses,
worms, Trojan horses) and the malicious
insider.
• Spyware is normally controlled by limiting
functions of the browser used to surf the
Internet.
12. Cookies
• A “cookie” is a very small file written to the
hard drive of a user surfing the Internet.
• On the negative side, cookies can also
follow the user’s travels on the Internet.
• Spying cookies related to marketing
typically do not track keystrokes to steal
user ids and passwords.
13. Threats to Security
• Spyware that does steal user ids and
passwords contains malicious code that is
normally hidden in a seemingly innocent
file download.
• Another huge threat to corporate security
is social engineering, or the manipulation of
a relationship based on one’s position in an
organization.
14. Malicious Insider
• The number one security threat to a
corporate network is the malicious insider.
• There is also software available to track
and thus monitor employee activity.
• Depending on the number of employees,
organizations may also employ a full time
electronic auditor who does nothing but
monitor activity logs.
15. Security Tools
• There is a wide range of tools available to
an organization to protect the
organizational network and information.
• These tools can be either a software
solution such as antivirus software or a
hardware tool such as a proxy server.
16. Security Tools
• E-mail scanning software and antivirus
software should never be turned off, and
updates should be run weekly and, ideally,
daily.
• Software is also available to scan instant
messages and to automatically delete spam
e-mail.
17. Firewalls
• A firewall can be either hardware or
software or a combination of both.
• A firewall can be set up to examine traffic
to and from the network.
• Firewalls are basically electronic security
guards at the gate of the corporate
network.
18. Proxy Servers
• Hardware security tool to help protect the
organization against security breaches by:
– preventing users from directly accessing the
Internet from corporate computers.
– issuing masks to protect the identity of a
corporation’s employees accessing the World
Wide Web.
– tracking which employees are using which
masks and directing the traffic appropriately.
19. Intrusion detection systems
• Hardware and software to monitor who is
using the organizational network and what
files that user has accessed.
• Corporations must diligently monitor for
unauthorized access of their networks.
• Remember: Any use of a secured network
leaves a digital footprint that can be easily
tracked by electronic auditing software.
20. Offsite Use of Portable Devices
• Offsite uses of portable devices such as laptops,
PDAs, home computing systems, smart phones,
and portable data storage devices can help to
streamline the delivery of health care.
• Some agencies have developed a virtual private
network (VPN) that the user must log in to in
order to reach the network.
• The VPN ensures that all data transmitted via this
gateway is encrypted.
21. Offsite Use of Portable Devices
• Only essential data for the job should be
contained on the mobile device, and other
non-clinical information such as social security
numbers should never be carried outside the
secure network.
• The agency is ultimately responsible for the
integrity of the data contained on these devices
as required by HITECH and HIPAA regulations.
22. Offsite Use of Portable Devices
• If a device is lost or stolen, the agency must have clear
procedures in place to help ensure that sensitive data
does not get released or used inappropriately.
• The Department of Health and Human Services (2006)
identifies potential risks and proposes risk
management strategies for accessing, storing, and
transmitting EPHI. Visit this website for detailed
tabular information (pp. 4-6) on potential risks and risk
management strategies:
http://www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806.pdf
23. Thought Provoking Questions
1. Jean, a diabetes nurse educator, recently
read an article in an online journal that she
accessed through her health agency’s
database subscription. The article provided
a comprehensive checklist for managing
diabetes in older adults that she prints and
distributes to her patients in a diabetes
education class. Does this constitute fair
use or is this a copyright violation?
24. Thought Provoking Questions
2. Sue is a COPD clinic nurse enrolled in a Master’s
education program. She is interested in writing a
paper on the factors that are associated with poor
compliance with medical regimens and associated
re-hospitalization of COPD patients. She downloads
patient information from the clinic database to a
thumb drive that she later accesses on her home
computer. Sue understands rules about privacy of
information and believes that, since she is a nurse
and needs this information for a graduate school
assignment, she is entitled to the information.
Is Sue correct in her thinking?