Chapter 13
Electronic Security

Objectives
• Explore electronic security issues.
• Describe processes for securing information in a computer network.
• Identify various methods of user authentication and relate authentication to security of a network.
• Explain methods to anticipate and prevent typical threats to network security.

Securing Network Information
• The linking of computers together and to the outside creates the possibility of a breach of network security, and exposes the information to unauthorized use.
• The three main areas of secure network information are confidentiality, availability, and integrity.

Confidentiality
• Safeguarding all personal information by ensuring that access is limited to only those who are authorized.
• “Shoulder surfing”, or watching over someone’s back as they are working, is still a major way that confidentiality is compromised.

Acceptable Use
• Organizations protect the availability of their networks with an acceptable use policy.
• Defines the types of activities that are acceptable and not acceptable on the corporate computer network.
• Defines the consequences for violations.

Information Integrity
• Quality and accuracy of networked information.
• Organizations need clear policies to clarify:
– how data is actually inputted,
– who has the authorization to change such data, and
– how to track how and when data are changed and by whom.

Authentication of Users
• Authentication of employees is also used by organizations in their security policies.
• Organizations authenticate by:
– something the user knows (password),
– something the user has (ID badge), or
– something the user is (biometrics).

More About Authentication
• Policies typically include the enforcement of changing passwords every thirty or sixty days.
• Biometric devices include recognizing thumb prints, retina patterns or facial patterns.
• Organizations may use a combination of these types of authentication.
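The two authentication slides above describe combining factors (something the user knows with something the user has) and enforcing a password-rotation policy. The following Python example is an added illustration, not part of the chapter or any product it mentions: it checks a salted PBKDF2 password hash, rejects a password older than the assumed 60-day policy, and then verifies a time-based one-time code of the kind a hardware token or authenticator app produces (RFC 6238 TOTP). The user record, the secret (the RFC 6238 test-vector key) and the 60-day limit are constructed assumptions.

```python
import hashlib
import hmac
import os
import struct
from datetime import datetime, timedelta

# Policy value taken from the slides: passwords rotate every thirty or sixty days.
PASSWORD_MAX_AGE_DAYS = 60
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a fresh random salt is generated when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    # Constant-time comparison: the result does not depend on how many bytes matched.
    return hmac.compare_digest(candidate, digest)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, 30-second steps)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def password_expired(last_changed: datetime, now: datetime) -> bool:
    return now - last_changed > timedelta(days=PASSWORD_MAX_AGE_DAYS)


def authenticate(record: dict, password: str, otp_code: str, now: datetime) -> tuple:
    """Combine the 'knows' factor (password) with the 'has' factor (token code)."""
    if not verify_password(password, record["salt"], record["digest"]):
        return False, "bad password"
    if password_expired(record["password_changed"], now):
        return False, "password expired; rotation required"
    expected = totp(record["totp_secret"], int(now.timestamp()))
    if not hmac.compare_digest(expected, otp_code):
        return False, "bad one-time code"
    return True, "authenticated"


def make_record(password: str, totp_secret: bytes, password_changed: datetime) -> dict:
    salt, digest = hash_password(password)
    return {"salt": salt, "digest": digest, "totp_secret": totp_secret,
            "password_changed": password_changed}


def demo() -> list:
    """Constructed scenario: one fresh account and one whose password is 90 days old."""
    now = datetime(2024, 3, 1, 9, 0, 0)
    secret = b"12345678901234567890"  # RFC 6238 test-vector key, not a real secret
    fresh = make_record("correct horse battery", secret, now - timedelta(days=10))
    stale = make_record("correct horse battery", secret, now - timedelta(days=90))
    good_code = totp(secret, int(now.timestamp()))
    bad_code = str((int(good_code) + 1) % 10 ** 6).zfill(6)
    return [
        authenticate(fresh, "correct horse battery", good_code, now),
        authenticate(fresh, "wrong password", good_code, now),
        authenticate(fresh, "correct horse battery", bad_code, now),
        authenticate(stale, "correct horse battery", good_code, now),
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The check order is deliberate: the password is verified before the expiry test so that an expired-password message is only ever shown to someone who already proved the first factor.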
Threats to Security
• A 2003 nationwide survey by the Computing Technology Industry Association (CompTIA) found that human error was the most likely cause of problems with security breaches.
• The first line of defense is strictly physical.
• The power of a locked door, an operating system that locks down after five minutes of inactivity, and regular security training programs are extremely effective.

Threats to Security
• One way to address this physical security risk is to limit the authorization to ‘write’ files to a device.
• Organizations are also ‘turning’ off the CD/DVD burners and USB ports on company desktops.

Threats to Security
• The most common threats a corporate network faces from the outside world are hackers, malicious code (spyware, viruses, worms, Trojan horses) and the malicious insider.
• Spyware is normally controlled by limiting functions of the browser used to surf the Internet.

Cookies
• A “cookie” is a very small file written to the hard drive of a user surfing the Internet.
• On the negative side, cookies can also follow the user’s travels on the Internet.
• Spying cookies related to marketing typically do not track keystrokes to steal user ids and passwords.

Threats to Security
• Spyware that does steal user ids and passwords contains malicious code that is normally hidden in a seemingly innocent file download.
• Another huge threat to corporate security is social engineering, or the manipulation of a relationship based on one’s position in an organization.

Malicious Insider
• The number one security threat to a corporate network is the malicious insider.
• There is also software available to track and thus monitor employee activity.
• Depending on the number of employees, organizations may also employ a full-time electronic auditor who does nothing but monitor activity logs.

Security Tools
• There is a wide range of tools available to an organization to protect the organizational network and information.
• These tools can be either a software solution such as antivirus software or a hardware tool such as a proxy server.

Security Tools
• E-mail scanning software and antivirus software should never be turned off, and updates should be run weekly, and ideally, daily.
• Software is also available to scan instant messages and to automatically delete spam e-mail.

Firewalls
• A firewall can be either hardware or software or a combination of both.
• A firewall can be set up to examine traffic to and from the network.
• Firewalls are basically electronic security guards at the gate of the corporate network.
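The firewall slide says the device examines traffic to and from the network; the Python example below is an added illustration of how that examination is usually expressed, not code from the chapter or from any firewall product. It evaluates an ordered rule list against constructed sample packets: the first matching rule decides, and anything no rule matches is dropped (default deny). The network 10.0.0.0/8, the web server 10.0.1.10, the quarantined subnet and the sample addresses are all made-up values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = arriving from the outside world, "out" = leaving the corporate network
    proto: str      # "tcp" or "udp"
    src: str        # source IP address
    dst: str        # destination IP address
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    direction: str                 # "in", "out" or "any"
    proto: str                     # "tcp", "udp" or "any"
    src: str                       # CIDR block the source must fall in
    dst: str                       # CIDR block the destination must fall in
    ports: Optional[tuple] = None  # inclusive (low, high) port range; None = any port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.direction != "any" and self.direction != pkt.direction:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.ports is not None and not (self.ports[0] <= pkt.dport <= self.ports[1]):
            return False
        return True


def filter_packet(rules: list, pkt: Packet) -> tuple:
    """First matching rule decides; traffic matching no rule is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "deny", "default deny (no rule matched)"


# Constructed policy for a fictional corporate network 10.0.0.0/8 with one public web
# server at 10.0.1.10. Rule order matters: the quarantine deny sits before the general allow.
POLICY = [
    Rule("deny", "out", "any", "10.0.9.0/24", "0.0.0.0/0", None, "quarantined subnet may not reach the Internet"),
    Rule("allow", "out", "tcp", "10.0.0.0/8", "0.0.0.0/0", (80, 80), "outbound web browsing (http)"),
    Rule("allow", "out", "tcp", "10.0.0.0/8", "0.0.0.0/0", (443, 443), "outbound web browsing (https)"),
    Rule("allow", "in", "tcp", "0.0.0.0/0", "10.0.1.10/32", (443, 443), "public web server"),
]

# Constructed sample traffic (addresses are documentation ranges, not real hosts).
SAMPLE_TRAFFIC = [
    Packet("out", "tcp", "10.0.5.23", "203.0.113.7", 443),  # workstation browsing the web
    Packet("in", "tcp", "198.51.100.9", "10.0.1.10", 443),  # visitor reaching the web server
    Packet("in", "tcp", "198.51.100.9", "10.0.1.10", 22),   # remote login to the web server: not published
    Packet("out", "tcp", "10.0.5.23", "203.0.113.7", 25),   # workstation sending mail directly
    Packet("out", "tcp", "10.0.9.4", "203.0.113.7", 443),   # quarantined host browsing
]


def decisions(rules=POLICY, traffic=SAMPLE_TRAFFIC) -> list:
    """Return the action taken for each packet, in order."""
    return [filter_packet(rules, pkt)[0] for pkt in traffic]


if __name__ == "__main__":
    for pkt in SAMPLE_TRAFFIC:
        action, why = filter_packet(POLICY, pkt)
        print(f"{action:5} {pkt.direction:3} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}  ({why})")
```

The two points worth taking from the run are that the unlisted services (ports 22 and 25) are refused without any explicit rule, and that moving the quarantine rule below the allow rules would silently let the quarantined host out; reviewing rule order is part of reviewing the policy.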
Proxy Servers
• Hardware security tool to help protect the organization against security breaches by:
– preventing users from directly accessing the Internet from corporate computers,
– issuing masks to protect the identity of a corporation’s employees accessing the World Wide Web, and
– tracking which employees are using which masks and directing the traffic appropriately.

Intrusion Detection Systems
• Hardware and software to monitor who is using the organizational network and what files that user has accessed.
• Corporations must diligently monitor for unauthorized access of their networks.
• Remember: Any use of a secured network leaves a digital footprint that can be easily tracked by electronic auditing software.
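The intrusion detection and malicious insider slides describe auditing software that watches who used the network and which files they touched. As an added example (not from the chapter or any auditing product), the Python below runs three simple checks over a constructed audit trail: a role reading files outside its permitted paths, record access outside business hours together with a bulk read of many patient records by one user, and repeated failed logins. The log format, user names, file paths, role-to-path mapping, business hours and thresholds are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit trail for a fictional clinic; users, roles and files are made up.
SAMPLE_LOG = """\
2024-03-04T07:55:00 user=temp_joe action=login file=- role=clinical result=fail
2024-03-04T07:55:20 user=temp_joe action=login file=- role=clinical result=fail
2024-03-04T07:55:48 user=temp_joe action=login file=- role=clinical result=fail
2024-03-04T08:02:11 user=nurse_ann action=read file=/records/patient/1001.pdf role=clinical result=ok
2024-03-04T08:05:40 user=nurse_ann action=read file=/records/patient/1002.pdf role=clinical result=ok
2024-03-04T09:15:03 user=bill_bob action=read file=/records/billing/1001.csv role=billing result=ok
2024-03-04T09:16:27 user=bill_bob action=read file=/records/patient/1003.pdf role=billing result=ok
2024-03-04T23:41:09 user=nurse_sue action=read file=/records/patient/2001.pdf role=clinical result=ok
2024-03-04T23:41:15 user=nurse_sue action=read file=/records/patient/2002.pdf role=clinical result=ok
2024-03-04T23:41:22 user=nurse_sue action=read file=/records/patient/2003.pdf role=clinical result=ok
2024-03-04T23:41:30 user=nurse_sue action=read file=/records/patient/2004.pdf role=clinical result=ok
2024-03-04T23:41:37 user=nurse_sue action=read file=/records/patient/2005.pdf role=clinical result=ok
2024-03-04T23:41:44 user=nurse_sue action=read file=/records/patient/2006.pdf role=clinical result=ok
"""

# Assumed policy values (not from the slides): which paths each role may read, the hours
# during which record access is expected, and the thresholds that raise an alert.
ROLE_PREFIXES = {"clinical": ("/records/patient/",), "billing": ("/records/billing/",)}
BUSINESS_HOURS = (7, 19)    # 07:00 up to, but not including, 19:00
BULK_THRESHOLD = 5          # distinct patient files read by one user in one day
FAILED_LOGIN_THRESHOLD = 3


def parse_line(line: str) -> dict:
    """Split 'TIMESTAMP key=value key=value ...' into a dict with a datetime under 'ts'."""
    stamp, _, rest = line.partition(" ")
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["ts"] = datetime.fromisoformat(stamp)
    return fields


def analyze(log_text: str) -> list:
    """Return one alert dict {user, rule, detail} per finding."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    alerts = []
    after_hours = Counter()
    patient_files = defaultdict(set)
    failed_logins = Counter()

    for ev in events:
        user = ev["user"]
        if ev["action"] == "read":
            # Role-based check: a role may only read files under its permitted prefixes.
            allowed = ROLE_PREFIXES.get(ev["role"], ())
            if not ev["file"].startswith(allowed):
                alerts.append({"user": user, "rule": "role_mismatch",
                               "detail": f"role {ev['role']} read {ev['file']}"})
            if ev["file"].startswith("/records/patient/"):
                patient_files[(user, ev["ts"].date())].add(ev["file"])
        if not (BUSINESS_HOURS[0] <= ev["ts"].hour < BUSINESS_HOURS[1]):
            after_hours[user] += 1
        if ev["action"] == "login" and ev["result"] == "fail":
            failed_logins[user] += 1

    for user, n in after_hours.items():
        alerts.append({"user": user, "rule": "after_hours",
                       "detail": f"{n} events outside business hours"})
    for (user, day), files in patient_files.items():
        if len(files) >= BULK_THRESHOLD:
            alerts.append({"user": user, "rule": "bulk_access",
                           "detail": f"{len(files)} distinct patient records on {day}"})
    for user, n in failed_logins.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append({"user": user, "rule": "failed_logins", "detail": f"{n} failed logins"})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"{alert['rule']:14} {alert['user']:10} {alert['detail']}")
```

On the sample trail this flags four things: the billing user who opened a clinical record, the night-time burst of six patient records by one nurse (raised both as after-hours activity and as bulk access), and the account with three failed logins. Each alert is a lead for the electronic auditor the slide mentions, not a verdict; the thresholds are the knobs that trade missed events against false alarms.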
Offsite Use of Portable Devices
• Offsite use of portable devices such as laptops, PDAs, home computing systems, smart phones, and portable data storage devices can help to streamline the delivery of health care.
• Some agencies have developed a virtual private network (VPN) that the user must log in to in order to reach the network.
• The VPN ensures that all data transmitted via this gateway is encrypted.

Offsite Use of Portable Devices
• Only essential data for the job should be contained on the mobile device, and other non-clinical information such as social security numbers should never be carried outside the secure network.
• The agency is ultimately responsible for the integrity of the data contained on these devices as required by HITECH and HIPAA regulations.

Offsite Use of Portable Devices
• If a device is lost or stolen, the agency must have clear procedures in place to help ensure that sensitive data does not get released or used inappropriately.
• The Department of Health and Human Services (2006) identifies potential risks and proposes risk management strategies for accessing, storing, and transmitting EPHI. Visit this website for detailed tabular information (pp. 4-6) on potential risks and risk management strategies: http://www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806.pdf

Thought Provoking Questions
1. Jean, a diabetes nurse educator, recently read an article in an online journal that she accessed through her health agency’s database subscription. The article provided a comprehensive checklist for managing diabetes in older adults that she prints and distributes to her patients in a diabetes education class. Does this constitute fair use or is this a copyright violation?

Thought Provoking Questions
2. Sue is a COPD clinic nurse enrolled in a Master’s education program. She is interested in writing a paper on the factors that are associated with poor compliance with medical regimens and associated re-hospitalization of COPD patients. She downloads patient information from the clinic database to a thumb drive that she later accesses on her home computer. Sue understands rules about privacy of information and believes that since she is a nurse and needs this information for a graduate school assignment, she is entitled to the information. Is Sue correct in her thinking?