
A Practical Guide to IT Security PPI v1.1 · PRACTICAL GUIDE TO IT SECURITY OF PPI-EPR VERSION 1.1 (LAST SAVED 19 MAY, 2010) HOSPITAL AUTHORITY - INFORMATION TECHNOLOGY DEPARTMENT

A PRACTICAL GUIDE TO IT SECURITY

FOR EVERYONE WORKING WITH

Public-Private Interface Electronic Patient Record Sharing Project (PPI-ePR)

Prepared by: Information Technology Department, Hospital Authority, May 2010


Amendment History

Version No. | Date of Amendment | Prepared by | Description
1.0 | February 2006 | IS1 Team, ITD, HA | Create the document
1.1 | May 2010 | AI3 Team, ITD, HA | Update for USB and mobile computing devices


Table of Contents

1. INTRODUCTION ..... 4
1.1 PURPOSE OF THE MANUAL ..... 4
1.2 ORGANIZATION OF THE DOCUMENT ..... 4
1.3 INTENDED READERS ..... 4
1.4 SPECIAL ACKNOWLEDGEMENT ..... 5
2. RELYING ON YOUR IT SYSTEMS ..... 6
3. HOW YOU CAN IMPROVE INFORMATION SECURITY? ..... 8
4. ARE YOU ORGANIZED FOR INFORMATION SECURITY? ..... 9
5. PROTECTING THE TECHNOLOGY ..... 10
5.1 DOS ..... 10
5.2 DON’TS ..... 11
6. MANAGING USER ACCESS CONTROL ..... 13
6.1 DOS ..... 13
7. GUARDING THE INFORMATION ..... 15
7.1 DOS ..... 15
7.2 DON’TS ..... 18
8. DEFENDING AGAINST VIRUSES AND SYSTEM VULNERABILITIES ..... 20
8.1 DOS ..... 21
8.2 DON’TS ..... 23
9. USING NETWORK SECURELY ..... 24
9.1 DOS ..... 24
9.2 DON’TS ..... 25
10. LEGAL REQUIREMENTS ..... 26
11. BRINGING ALL INTO ACTION ..... 27
12. GUARDING FOR YOU ..... 31
12.1 PRIVACY ..... 31
12.1.1 Secure Sessions ..... 31
12.1.2 Encryption ..... 31
12.1.3 Session Time-out ..... 31
12.2 TECHNOLOGY ..... 31
12.3 IDENTIFICATION ..... 32
12.3.1 2-factor authentication for Internet Users ..... 32
12.3.2 Automatic Lock-out ..... 32
12.3.3 Digital Certificate for Server Authentication by Internet users ..... 32
13. CONTACT POINTS ..... 33
14. REFERENCES ..... 33


Practical Guide to IT Security of PPI-ePR

1. INTRODUCTION

1.1 PURPOSE OF THE MANUAL

This document is a guide to the information security of the Public-Private Interface - Electronic Patient Record Sharing Project (PPI-ePR). It aims to give concise and easy-to-understand advice on:
• What is Information Security? Why do we need it?
• How to protect your computer systems?
• How to safeguard information?
• How to prevent Information Security incidents?
• How to prevent your computer from catching a virus?
• How to keep your computer network secure?
• How to keep within the Law on Information Technology?
• What measures does HA ITD take to safeguard the PPI-ePR on the web?

1.2 ORGANIZATION OF THE DOCUMENT

The document begins with three introductory chapters, which introduce the idea of information security and draw your attention to its importance. The remainder of the document describes, aspect by aspect, what you should do and what you should avoid in order to enforce information security. As a finale, an action checklist is provided in the chapter “Bringing All into Action”. We also briefly explain what security measures HA ITD has incorporated in the web platform of the PPI-ePR.

1.3 INTENDED READERS

The handbook is designed for personnel ranging from end users to management:
• End User
• System Administrator
• Network Administrator
• Information Security Officer
• User Management
The person responsible for implementing Information Security should retain the handbook and refer to it whenever necessary.

Everyone needs to be aware of the Importance of Information Security. This handbook should help them to be aware.


1.4 SPECIAL ACKNOWLEDGEMENT

This handbook was prepared with reference to the booklet entitled “A Practical Guide to IT Security for Everyone working in Hospital Authority” authored by ITS/NMS/N2 Team, Information Technology Department, Hospital Authority. Appreciation for their advice and help is gratefully acknowledged.


2. RELYING ON YOUR IT SYSTEMS

Information Technology (IT) systems comprise computer hardware and software, the communications between them and other means of communicating data, such as FAX machines. The most important component of the systems is of course the data held. Your information systems may hold the following information:
• Patient registration records
• Patient clinical records
• Patient appointments
• Details of referrals and treatment
• Financial information
• Personnel information

IT systems should make it quicker and easier for you to carry out all the functions necessary in the workplace. Once information is entered, it will be readily available whenever you need it.

Once you start to use an Information System, you will come to RELY on it more and more.

Your IT systems rely on:
• the correct operation of the computers and on people using them and treating them correctly;
• the data they contain being accurate and up to date;
• the information they contain being used properly.


Things can sometimes go wrong, because:
• the information can be entered incorrectly;
• the computers may not be available due to a power supply or equipment failure;
• some of the computers may be stolen;
• some of the computers, PDAs, smart phones and removable storage devices such as USB flash drives, RAM cards, CDs, DVDs, external hard disks, etc. may be lost or stolen with confidential data stored in them;
• a computer may “catch” a virus which turns the information into nonsense;
• intruders or hackers may compromise a computer or mobile computing device for illegal or malicious purposes such as stealing confidential data;
• someone may see confidential records on a screen and talk about them;
• users are not fully trained and make mistakes as a result.

Events like these will mean that your information is no longer accurate, cannot be accessed or that unauthorised people have seen it. This may mean that confidential patient details become public knowledge or that you are relying on out of date information or no information at all when treating patients.


3. HOW YOU CAN IMPROVE INFORMATION SECURITY?

SECURITY means:

Confidentiality: The information on your Information Systems can be seen only by those authorised to see it and can be changed only by those allowed to change it.

Integrity: The information is suitable for its purpose and is consistent with the original specification for the system.

Availability: The information can be seen and used by authorised people whenever they need to do so.

Non-Repudiation: The information/message sender cannot deny sending the information/message, and the recipient cannot deny the receipt of the information/message.

Authenticity: The information/message is proven to be sent or accessed by a specific person/party.

By taking the steps outlined in this handbook, you will be able to improve the confidentiality, integrity and availability of your Information Systems. There is no complete defence against something going wrong. However, improved security will reduce the chances of loss or will help recovery from any loss suffered.

BUT remember: there is no such thing as 100% security! Too rigid security can cause inflexibility.


4. ARE YOU ORGANIZED FOR INFORMATION SECURITY?

Your organization should have an Information Security policy. All staff should read and act upon it. The DOs and DON'Ts in this handbook should act as a reminder of the practical things that YOU could do to keep Information Security at an effective level. Anyone discovering a deficiency in security should tell the person responsible for implementing Information Security. There should be standard procedures in place. These will include:
• identifying yourself to the computer;
• logging off from the Information System when it is not in use;
• blanking the screen when leaving it temporarily;
• checking that the system has worked correctly.

Everyone should be aware of the need for information security. You can achieve this by passing on this handbook to new members of staff, temporary staff and any part time staff that you may have ... and periodically, read it again yourself.

EVERYONE IS RESPONSIBLE FOR INFORMATION SECURITY.


5. PROTECTING THE TECHNOLOGY

The equipment (computers, printers, fax machines, etc.) and the supporting facilities (electrical supply, cabling infrastructure) are at risk from various environmental hazards and security threats. They should be physically protected both to reduce the risk of unauthorized access to data and to safeguard against loss and damage.

5.1 DOS

There are a number of things YOU SHOULD DO:

DO SECURE ALL COMPUTERS TO DESKS WHEREVER APPROPRIATE Use suitable locking devices.

DO PROTECT POWER AND TELECOMMUNICATION CABLING Power and telecommunication lines into IT facilities should be underground or in a ceiling void, where possible, or subject to adequate alternative protection. Vertical trunk runs across floors should be housed in a locked room if applicable. Measures should be taken to protect network cabling within the premises from unauthorized interception or damage, e.g. using conduit, avoiding routes through public areas, etc.

DO PROTECT EQUIPMENT FROM POWER FAILURE OR OTHER ELECTRICAL ANOMALIES A suitable and stable electrical supply, ideally supported by an emergency power generator, should be provided that complies with the equipment manufacturer’s specifications.

DO LOCATE EQUIPMENT AWAY FROM PRYING EYES Especially NOT next to outside windows.

DO LOCK ALL DOORS AND WINDOWS WHEN LEAVING

DO ENSURE THAT YOU KNOW WHO IS VISITING WHOM AND FOR WHAT REASON Patients should be booked in and out and other visitors supervised.

DO KEEP KEYS FOR COMPUTERS AND SAFES IN A SECURE PLACE Not inside the lock!

DO IDENTIFY POTENTIAL ENVIRONMENTAL HAZARDS


Typical environmental hazards include:
• Fire
• Smoke
• Water
• Dust
• Vibration
• Chemical effects
• Electrical supply interference
• Electromagnetic radiation or interference

DO HEED THE ADVICE OF YOUR LOCAL FIRE AND CRIME PREVENTION OFFICERS

DO ENABLE THE SCREEN LOCKING FEATURE ON YOUR PC AND NOTEBOOK TO PREVENT UNAUTHORIZED ACCESS AND EXPOSURE OF CONFIDENTIAL INFORMATION ON THE SCREEN WHEN UNATTENDED

DO ENABLE AND CONFIGURE THE PERSONAL FIREWALL FUNCTION ACCORDING TO THE COMMON WORKSTATION STANDARDS TO PROTECT YOUR PC AND NOTEBOOK FROM NETWORK-BASED WORMS AND MALICIOUS ATTACKS

DO UNPLUG ALL REMOVABLE STORAGE DEVICES BEFORE LEAVING YOUR PC AND NOTEBOOK UNATTENDED AND STORE THEM IN A SECURED PLACE AFTER USE

DO KEEP ALL MOBILE COMPUTING DEVICES (E.G. NOTEBOOK, PDA OR SMART PHONE) THAT MAY CONTAIN CONFIDENTIAL PERSONAL DATA IN A SECURED PLACE TO PREVENT LOSS OR THEFT

5.2 DON’TS

WHAT YOU SHOULDN'T DO:

DON’T LEAVE PORTABLE COMPUTERS IN PLACES WHERE A THIEF CAN EASILY STEAL THEM Why make it easy for them?

DON’T TRY TO REPAIR ANY IT EQUIPMENT YOURSELF - GET HELP Leave it to the experts - or you might make it worse!


DON’T TRAIL CABLE A plug accidentally pulled out could mean hours of work to recreate the data you previously entered.

DON’T PLACE A COMPUTER RIGHT NEXT TO RADIATORS, WATER PIPES AND OTHER SOURCES OF HEAT AND DAMPNESS Heat, water and computers do not mix!


6. MANAGING USER ACCESS CONTROL

Formal procedures should be established to control the allocation of access rights to users. The procedures should cover all stages in the life cycle of user access, from the initial registration of new users to the formal de-registration of users who no longer require access to IT services. Access rights should be granted to users in accordance with the business access policy.

6.1 DOS

There are a number of things YOU SHOULD DO:

DO ESTABLISH FORMAL USER REGISTRATION AND DE-REGISTRATION PROCEDURES FOR ACCESS TO IT SERVICES
• check that the user has authorization from the system owner for the use of the service;
• check that the level of access granted is appropriate for the business purpose and is consistent with the business security policy;
• give users a written statement of their access rights;
• require users to sign requests to indicate that they understand the conditions of access;
• ensure that the system custodian does not provide access until the authorization procedures have been completed;
• maintain a formal record of all persons registered to use the IT service;
• immediately delete the accounts of users who have left the organization;
• periodically check for and delete redundant user accounts that are no longer required;
• ensure that redundant user-ids are not re-issued to another user.


DO ENSURE THAT COMPUTER ACTIVITIES CAN BE TRACED TO EACH INDIVIDUAL All users should have a unique identifier (user-id) for their personal and sole use so that activities can subsequently be traced to the responsible individual.

DO EDUCATE USERS ABOUT BEST PRACTICE IN PROTECTING USER ACCOUNT

DO SECURELY CONTROL ALLOCATION OF USER PASSWORDS
• require users to sign an undertaking to keep personal passwords confidential;
• ensure that users are provided with a secure temporary password which they are forced to change immediately;
• convey temporary passwords to users in a secure manner.

DO REVIEW USER ACCESS RIGHTS AT REGULAR INTERVALS

DO MONITOR SYSTEM ACCESS AND USE Procedures for monitoring system use are necessary to ensure that users are only performing processes that have been explicitly authorized. Areas to consider include, but are not limited to:
• Logon failures
• Patient enrolment & patient enquiry transactions
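As an added example (not part of the guide or the PPI-ePR system), the two monitoring areas listed above turned into checks over a constructed audit log: repeated logon failures per user inside a sliding window, users with an unusually high volume of patient enquiries, and record access with no preceding successful logon. The log format, user names, thresholds and the 10-minute window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real PPI-ePR output): one event per line,
# an ISO timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2010-05-19T08:01:12 user=chan.tm event=LOGON_FAILURE src=10.0.0.5
2010-05-19T08:01:20 user=chan.tm event=LOGON_FAILURE src=10.0.0.5
2010-05-19T08:01:33 user=chan.tm event=LOGON_FAILURE src=10.0.0.5
2010-05-19T08:01:41 user=chan.tm event=LOGON_FAILURE src=10.0.0.5
2010-05-19T08:01:52 user=chan.tm event=LOGON_FAILURE src=10.0.0.5
2010-05-19T08:02:03 user=chan.tm event=LOGON_SUCCESS src=10.0.0.5
2010-05-19T08:30:00 user=lee.kf event=LOGON_FAILURE src=10.0.0.9
2010-05-19T08:31:00 user=lee.kf event=LOGON_SUCCESS src=10.0.0.9
2010-05-19T09:00:00 user=lee.kf event=PATIENT_ENQUIRY patient=P-0001
2010-05-19T09:05:00 user=lee.kf event=PATIENT_ENQUIRY patient=P-0002
2010-05-19T09:10:00 user=chan.tm event=PATIENT_ENROLMENT patient=P-0003
2010-05-19T09:11:00 user=chan.tm event=PATIENT_ENQUIRY patient=P-0003
2010-05-19T09:12:00 user=chan.tm event=PATIENT_ENQUIRY patient=P-0004
2010-05-19T09:13:00 user=chan.tm event=PATIENT_ENQUIRY patient=P-0005
2010-05-19T09:14:00 user=chan.tm event=PATIENT_ENQUIRY patient=P-0006
2010-05-19T09:15:00 user=chan.tm event=PATIENT_ENQUIRY patient=P-0007
2010-05-19T09:16:00 user=chan.tm event=PATIENT_ENQUIRY patient=P-0008
2010-05-19T09:20:00 user=wong.sy event=PATIENT_ENQUIRY patient=P-0009
"""

RECORD_EVENTS = ("PATIENT_ENQUIRY", "PATIENT_ENROLMENT")


def parse_line(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    stamp, *pairs = line.split()
    event = {"ts": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def parse_log(text):
    """Parse every non-empty line and sort by time so window logic is reliable."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda ev: ev["ts"])


def logon_failure_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` LOGON_FAILURE events inside one sliding
    window; returns {user: highest count seen in any window}."""
    recent = defaultdict(deque)  # per user: failure timestamps still in window
    flagged = {}
    for ev in events:
        if ev.get("event") != "LOGON_FAILURE":
            continue
        queue = recent[ev["user"]]
        queue.append(ev["ts"])
        while queue and ev["ts"] - queue[0] > window:
            queue.popleft()
        if len(queue) >= threshold:
            flagged[ev["user"]] = max(flagged.get(ev["user"], 0), len(queue))
    return flagged


def enquiry_volume(events, threshold):
    """Users whose PATIENT_ENQUIRY count exceeds `threshold`: {user: count}.
    A high count is the prompt to confirm the 'need to know' condition was met."""
    counts = defaultdict(int)
    for ev in events:
        if ev.get("event") == "PATIENT_ENQUIRY":
            counts[ev["user"]] += 1
    return {user: n for user, n in counts.items() if n > threshold}


def record_access_without_logon(events):
    """Users who touch patient records with no earlier LOGON_SUCCESS in the log:
    either the log is incomplete or the session was not established normally."""
    logged_on, suspicious = set(), set()
    for ev in events:
        if ev.get("event") == "LOGON_SUCCESS":
            logged_on.add(ev["user"])
        elif ev.get("event") in RECORD_EVENTS and ev["user"] not in logged_on:
            suspicious.add(ev["user"])
    return suspicious


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("logon failure bursts:", logon_failure_bursts(evs))
    print("high enquiry volume:", enquiry_volume(evs, threshold=5))
    print("record access without logon:", record_access_without_logon(evs))
```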


7. GUARDING THE INFORMATION Without proper safeguards, both patient data and user information may be disclosed to and manipulated by someone who is unauthorized to do so.

7.1 DOS

There are a number of things YOU SHOULD DO:

DO PROTECT YOUR USER ACCOUNT Effective system security requires the co-operation of authorized users. Every user should be responsible for enforcing security control over his/her own user account:
• keep your user ID and password confidential;
• secure your Secure Token Device if you are assigned one;
• avoid keeping a paper record of your user ID and password;
• change your password whenever there is any indication of possible system or password compromise;
• avoid basing your password on any of the following:
  o months of the year, days of the week or any other aspect of the date
  o family names, initials or car registration numbers
  o organization names, identifiers or references
  o telephone numbers (or similar all-numeric groups)
  o user-id, username, group-id or other system identifier
  o more than two consecutive identical characters
  o all numeric or all alphabetic characters.
• change your password at regular intervals (about 30 days) and avoid reusing or "cycling" old passwords;
• change your password upon the first successful logon;
• change your password right after it has been reset.
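As an added example (not code from the guide or the PPI-ePR project), the password rules above written as a checker a system custodian could run when a user picks a new password. The organization terms, the treatment of six or more digits as a "telephone-number-like" group, the three-letter calendar abbreviations and the user context are assumptions.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from datetime import date

MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")
# Full names plus three-letter abbreviations (assumption: this is how "any other
# aspect of the date" is read here).
CALENDAR_TERMS = frozenset(MONTHS + DAYS + tuple(w[:3] for w in MONTHS + DAYS))
# Organization names / identifiers to reject: a constructed list.
ORG_TERMS = ("hospital", "authority", "ppi", "epr")
MAX_PASSWORD_AGE_DAYS = 30  # "about 30 days" in the rule above


@dataclass(frozen=True)
class UserContext:
    """Per-user data the rules refer to (constructed for this example)."""
    user_id: str
    username: str
    group_id: str = ""
    personal_terms: tuple[str, ...] = ()   # family name, initials, car registration
    previous_hashes: tuple[str, ...] = ()  # SHA-256 of passwords used before


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def check_password(password: str, ctx: UserContext) -> list[str]:
    """Return the rules the password breaks; an empty list means it is acceptable."""
    low = password.lower()
    problems: list[str] = []
    if any(term in low for term in CALENDAR_TERMS):
        problems.append("contains a month or day name")
    # Terms shorter than three characters (e.g. two-letter initials) are skipped
    # to avoid flagging every password that happens to contain those letters.
    if any(t.lower() in low for t in ctx.personal_terms if len(t) >= 3):
        problems.append("contains a family name, initials or car registration")
    if any(term in low for term in ORG_TERMS):
        problems.append("contains an organization name or identifier")
    if re.search(r"\d{6,}", password):
        problems.append("contains a telephone-number-like digit group")
    if any(i and i.lower() in low for i in (ctx.user_id, ctx.username, ctx.group_id)):
        problems.append("contains user-id, username or group-id")
    if re.search(r"(.)\1\1", password):  # three identical characters in a row
        problems.append("more than two consecutive identical characters")
    if password.isdigit():
        problems.append("all numeric")
    if password.isalpha():
        problems.append("all alphabetic")
    if sha256_hex(password) in ctx.previous_hashes:
        problems.append("reuses a previous password")
    return problems


def password_expired(last_changed_iso: str, today_iso: str,
                     max_age_days: int = MAX_PASSWORD_AGE_DAYS) -> bool:
    """True when the password is older than the regular change interval."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_changed).days > max_age_days


if __name__ == "__main__":
    ctx = UserContext(user_id="u1234", username="chan.tm", group_id="gp_clinic",
                      personal_terms=("Chan", "TMC", "KA1234"),
                      previous_hashes=(sha256_hex("Winter#2009x"),))
    for candidate in ("January2010!", "chanTM#7", "12345678", "Kw7#pLm2vQ"):
        print(candidate, "->", check_password(candidate, ctx) or "acceptable")
    print("expired:", password_expired("2010-04-01", "2010-05-19"))
```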


DO BE DISCREET WITH PATIENT AND PERSONNEL DATA - AT ALL TIMES There is a duty of confidentiality. In the context of clinical information, you are ONLY allowed to access a patient’s record on the “need to know” and “patient is under your care” principles. You also need to have the patient’s explicit consent (access key) for your access to his/her record. In the PPI-ePR pilot project, the patient will receive an SMS message each time his/her record is retrieved.

DO ENCRYPT THE CONFIDENTIAL DATA CREATED BY YOU Encrypt all files containing confidential personal data on your PCs, removable storage devices (e.g. USB flash drives, RAM card, external hard disk, DVD/VCD, floppy disk, MP3 etc.) and mobile computing devices (e.g. notebooks, PDAs, smart phones etc.) that are created by you.

DO WHEN YOU SEND A FAX CONTAINING PATIENT IDENTIFIABLE INFORMATION, TELEPHONE THE RECIPIENT TO ENSURE THAT HE/SHE IS PRESENT TO COLLECT IT Otherwise, unauthorized people could see the fax.

DO LOG OUT OF THE LAST PATIENT'S RECORD BEFORE THE NEXT PATIENT COMES INTO YOUR CONSULTING OR TREATMENT ROOM Leaving it open is a breach of doctor-patient confidentiality and risks mixing up the patients' records.

DO DISPOSE OF CONFIDENTIAL PRINT-OUTS PROPERLY Unwanted printouts that contain personal data must be disposed of appropriately (shredding, incineration, etc).

DO KEEP PAPER RECORD PRINTED FROM THE SYSTEM SECURELY Information generated from the system also requires proper security access management.

DO ERASE ALL FILES CONTAINING CONFIDENTIAL PERSONAL DATA ON YOUR PCs, STORAGE DEVICES AND MOBILE COMPUTING DEVICES IMMEDIATELY WHEN THEY ARE NO LONGER NEEDED

DO ERASE ALL CONFIDENTIAL PERSONAL DATA FROM YOUR PCs, REMOVABLE STORAGE DEVICES AND MOBILE COMPUTING DEVICES BEFORE DISPOSING OF OR REPAIRING THEM

DO REPORT TO YOUR MANAGEMENT IF LOSS OF CONFIDENTIAL DATA HAS HAPPENED


7.2 DON’TS

What YOU SHOULDN’T DO:

DON’T DIVULGE ANY PATIENT OR OTHER PERSONAL INFORMATION TO ANYONE WITHOUT AUTHORITY Your log-ins to the system and any record retrievals are logged for audit and analysis purposes. You may be held responsible for improper disclosure of confidential patient information to unauthorized parties.

DON’T LEAVE REMOVABLE STORAGE DEVICES, DISKS, TAPES, PRINT-OUTS, FAX MESSAGES LYING AROUND Lock them away - they could get lost or be picked up by a visitor or even an inquisitive patient.

DON’T DOWNLOAD OR USE ANY UNAUTHORISED OR UNKNOWN SOFTWARE SUCH AS PEER-TO-PEER APPLICATIONS (E.G. FOXY) IN YOUR PC OR NOTEBOOK WHEN CONNECTED TO PPI-ePR web site Some software may have spyware or malicious code embedded. Some functions of the software may not be known to you and could cause leaking of confidential data including your username and password.

DON’T SHARE FILES AND FOLDERS ON YOUR PC AND NOTEBOOK WHICH CONTAIN CONFIDENTIAL PERSONAL DATA WITH OTHER COLLEAGUES OVER THE NETWORK If it is necessary to do so, ensure that the shared folders are only shared with the appropriate personnel and that access is protected by a password.

DON’T SHARE FILES IN YOUR PC AND NOTEBOOK WITH “EVERYONE” OPTION TO AVOID UNNECESSARY EXPOSURE OF CONFIDENTIAL PERSONAL DATA

DON’T USE USB FLASH DRIVES FOR STORING CONFIDENTIAL PERSONAL DATA UNLESS THEY SUPPORT MANDATORY ENCRYPTION AND PASSWORD “LOCKDOWN”

DON’T DOWNLOAD, COPY OR STORE CONFIDENTIAL DATA INTO STAFFS’ OWN PCS, REMOVABLE STORAGE DEVICES OR MOBILE COMPUTING DEVICES

DON’T SEND INTRANET AND INTERNET EMAILS CONTAINING CONFIDENTIAL PERSONAL DATA UNLESS THE DATA IS ENCRYPTED


DON’T ASSUME THAT JUST BECAUSE IT IS ON THE COMPUTER IT IS CORRECT Ensure that you have retrieved the correct record from the system before you use it. Also, the record could have been further updated or amended after it was retrieved.

DON’T LEAVE YOUR COMPUTER LOGGED-ON WHEN YOU HAVE FINISHED USING IT OR WHEN YOU MOVE AWAY FROM THE SCREEN Someone could perform improper and illegal transactions on the system under your name (log-on).

DON’T START USING THE SYSTEM UNTIL YOU KNOW HOW TO USE IT Read user manual or attend training course before using the system.

DON’T PRINT PATIENT RECORDS DIRECTLY FROM THE SYSTEM FOR PATIENTS A copy of a patient record should be applied for formally through you or your organization, and should be given to the patient together with a detailed explanation by doctors to avoid misunderstanding and misinterpretation.

REMEMBER

Technology can be replaced. But Information CANNOT!


8. DEFENDING AGAINST VIRUSES AND SYSTEM VULNERABILITIES

Computer software is vulnerable to unauthorized modification. A range of malicious techniques have been developed to exploit this vulnerability, with names such as computer viruses, network worms, Trojan horses and logic bombs. Managers of IT facilities should be alert to the dangers of malicious software. Detection and prevention measures and appropriate user awareness procedures should be implemented. In particular, it is essential that precautions be taken to prevent and detect computer viruses on personal computers.

Viruses are small items of rogue software hidden within what appears to be a normal piece of software, electronic mail or a file downloaded from the Internet, which can damage your systems and data. Computer viruses are like biological viruses:
• They are infectious, spreading through networks from one machine to another.
• They can remain hidden in parts of the computer’s memory, where you would not normally look.
• They can have disastrous effects such as deleting a whole hard disc of data.

Viruses can spread from program to program, and from system to system, without direct human intervention. These programs spread faster than they are being stopped or killed. You must be conscious of viruses. It is also important to remember that new viruses are continually being developed, so you have to stay up to date with new species.


8.1 DOS

There are a number of things YOU SHOULD DO:

DO RUN REAL-TIME PROTECTION ANTI-VIRUS (AV) SOFTWARE WITH THE LATEST VIRUS SIGNATURES Anti-virus software helps to protect the computer against most viruses, worms, Trojans and other unwanted attacks. It can only be effective if the latest virus signatures are used.

DO APPLY THE LATEST SYSTEM PATCHES Most Internet threats appear after a system vulnerability becomes known. Operating system vendors usually release a patch or workaround when they announce the problem. Keeping the system updated will help to protect the computer from vulnerabilities and viruses which could be exploited by attackers. It is recommended to enable automatic system updates whenever possible.

DO USE ANTI-SPY SOFTWARE WHERE APPLICABLE
Spyware is any technology that aids in gathering information about a person or organization without their knowledge. On the Internet, spyware is a program that is put on someone's computer to secretly gather information about the user and relay it to advertisers or other interested parties. It can lead to security issues such as keylogging, confidential information leakage and compromise of the computer's security.

DO USE PERSONAL FIREWALL WHERE APPLICABLE
A firewall is either a software or hardware product that creates a protective barrier between the user's computer and potentially harmful network connections from the Internet. It helps to guard the computer against hackers and computer viruses/worms.

DO USE CARE WHEN READING EMAIL WITH ATTACHMENTS
Before opening any email attachment, the source of the attachment must be known. It is not enough that the mail originated from a recognised email address: many email-based viruses spread precisely because they appear to come from a familiar address. Malicious code might be distributed in amusing or enticing programs. If it is necessary to open an attachment before the source can be verified, the following procedure is suggested:
• ensure that virus definitions and system patches are up-to-date;
• save the file to hard disk;
• scan the file using anti-virus software;
• open the file if it is virus free.
For additional protection, disconnect the computer from the network before opening the file.

DO USE CARE WHEN DOWNLOADING AND INSTALLING PROGRAMS
Never run a program unless it is known to be authorized by a person or department that is trusted.

DO CHECK IF THE AUTHOR / PUBLISHER IS TRUSTWORTHY BEFORE RUNNING ANY ACTIVE CONTENT
Active content refers to active scripting or executables (e.g. ActiveX controls, Java applets) which run in real time while the user browses Internet websites. Such active content may gain access to the computer's main memory and hardware such as the hard disk. Users need to check the trustworthiness of the author / publisher before allowing active content to run on the computer.

DO ENSURE THAT ANY DISC COMING INTO THE ORGANIZATION IS CHECKED
Viruses have started life in all sorts of "reliable" places, such as government offices, accountancy firms, software houses, computer engineering organizations, computer training courses, etc. Do not assume that because the discs hold no software they are free of viruses.

DO ENSURE THAT THERE IS A "QUARANTINE" PC WHICH YOU CAN USE TO TEST ALL FILES (DATA & SOFTWARE) FOR VIRUSES
The quarantine PC should be totally isolated from any other computer.

DO ENSURE THAT ANY REMOVABLE STORAGE DEVICES, INCLUDING BUT NOT LIMITED TO USB FLASH DRIVES, RAM DISKS, CDs, DVDs OR FLOPPY DISKS, ARE VIRUS FREE – NO MATTER WHERE THEY CAME FROM
Viruses have started life in all sorts of “reliable” places, such as government offices, accountancy firms, software houses, computer training courses, etc. Do not assume that because the devices hold no software they are free of viruses.


8.2 DON’TS

What YOU SHOULDN’T DO:

DON’T USE ANY NON-STANDARD SOFTWARE FROM VIRUS-PRONE SOURCES:
• universities
• enthusiast clubs
• magazine covers
• a friend or neighbour
• the Internet
It is possible that a virus could spread from one of these sources. They have all been responsible for spreading viruses in the past. Why take risks!

DON’T SEND FILES OF UNKNOWN ORIGIN TO ANYONE ELSE
They may contain a Trojan horse program.

DON’T OPEN ANY EMAIL MESSAGES OR ATTACHMENTS FROM UNEXPECTED SOURCES

DON’T CLICK ON THE HTTP LINKS OR WEB SITES WITHIN EMAIL MESSAGES FROM UNEXPECTED SOURCES

DON’T VISIT UNKNOWN INTERNET WEB SITES

DON’T USE YOUR REMOVABLE STORAGE DEVICES OUTSIDE YOUR OFFICE
Unless you are very sure that the computer that you are using is safe.

DON’T PANIC IF YOU THINK YOU HAVE A VIRUS
You may not have one, but don’t take any chances.
• switch your computer off;
• get help from your Information Security Officer or IT Department;
• only restore from backup if you know that it is clean and if write protect is set.


9. USING NETWORK SECURELY

Computers are of greater value when they are connected together via networks. You may have a network within the organization. Networks are of great value and, as such, need to be used carefully if their full potential is to be maximised and the risks of using them minimised. Network access control should be established to ensure the security of data transmitted over the network, to protect connected services from unauthorized access, and to protect the network itself against the spread of computer viruses.

9.1 DOS

There are a number of things YOU SHOULD DO:

DO ENFORCE PASSWORD DISCIPLINE FOR CONNECTING TO THE NETWORK

DO LIMIT NETWORK SERVICES
Users should only be able to gain access to the services that they are authorized to use.

DO ENFORCE NETWORK PATH IF APPLICABLE
The route from the user terminal to the computer service may need to be controlled. The objective of an enforced path is to prevent users from straying outside the route between the user terminal and the services that the user is authorized to access. The general idea is to limit the routing options at each point in the network through predefined choices, e.g.
• allocate dedicated lines or telephone numbers;
• control the route from user terminal to application system by address filtering;
• prevent unlimited network roaming.
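The address-filtering form of an enforced path, shown as an added example in Python; this is not code from the HA guide, and the subnets, service names and terminal addresses are constructed for illustration. It goes a little beyond the bullet above by denying unknown services and malformed addresses by default, which is what stops unlimited roaming: a terminal can only reach a service its subnet has been explicitly routed to.

```python
# Added example (not from the HA guide): an "enforced path" check that only
# lets a user terminal reach the application services its subnet is
# authorized for, and denies every other route by default.
# All networks, service names and addresses below are constructed samples.
import ipaddress
from typing import Dict, List, Tuple

# Constructed policy: service name -> source networks allowed to reach it.
ROUTE_POLICY: Dict[str, List[str]] = {
    "ppi-epr-web": ["10.10.0.0/16", "192.168.50.0/24"],   # clinic terminals
    "admin-console": ["10.10.99.0/24"],                    # sysadmin subnet only
}


def is_route_permitted(src_ip: str, service: str,
                       policy: Dict[str, List[str]] = ROUTE_POLICY) -> bool:
    """True only if src_ip lies inside a network allowed for `service`.

    Unknown services and unparsable addresses are denied, so the default
    answer is always "no route" rather than "any route".
    """
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    allowed = policy.get(service)
    if not allowed:
        return False
    # ip_network.__contains__ returns False for a mismatched IP version,
    # so an IPv6 source can never match an IPv4 rule by accident.
    return any(addr in ipaddress.ip_network(net, strict=True) for net in allowed)


def filter_requests(requests: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Evaluate (src_ip, service) pairs; returns (src_ip, service, decision)."""
    return [(src, svc, "ALLOW" if is_route_permitted(src, svc) else "DENY")
            for src, svc in requests]


if __name__ == "__main__":
    sample = [("10.10.3.7", "ppi-epr-web"), ("10.10.3.7", "admin-console"),
              ("10.10.99.5", "admin-console"), ("203.0.113.9", "ppi-epr-web"),
              ("not-an-ip", "ppi-epr-web"), ("10.10.3.7", "unknown-svc")]
    for src, svc, decision in filter_requests(sample):
        print(f"{src:>14} -> {svc:<14} {decision}")
```

The same check can sit in a firewall rule set, a reverse proxy or the application itself; what matters is that the allow-list is the only way a route becomes permitted.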


9.2 DON’TS

What YOU SHOULDN’T DO:

DON’T FORGET TO SET UP THE LAN WITH APPROPRIATE CONTROLS SUCH AS THE FORCING OF PASSWORD CHANGES, LIMITATION OF NUMBER OF TRIES AT GUESSING A PASSWORD ETC.

DON’T USE MODEMS TO CONNECT TO YOUR PC DIRECTLY
Once a remote PC can access your PC, it can access any service in the network via your PC.

DON’T ALLOW ACCESS FROM EXTERNAL BUSINESS PARTNERS WITHOUT PROPER SECURITY CONTROLS IMPLEMENTED
External business partners are required to implement proper security controls on their remote PCs:
• run real-time protection anti-virus software program with the latest virus signature;
• apply the latest system patches;
• use personal firewall software where applicable;
• enforce strong password discipline;
• log off when not using the network and ensure that the network connection is terminated;
• stop computer sharing when connecting to your network;
• disconnect other network connections when connected to your network;
• be vigilant when reading email with attachments;
• be vigilant when downloading and installing programs;
• enable a password-protected screensaver with an adequate idle time and lock the screen with a password while away from the computer;
• clear cache and delete temporary files after accessing sensitive information;
• install and use a file encryption program and access controls on restricted resources;
• secure the PC physically.


10. LEGAL REQUIREMENTS

People using information systems are subject to specific laws.

Personal Data (Privacy) Ordinance
The Personal Data (Privacy) Ordinance sets out six principles which must be followed by anyone collecting, processing, storing or using personal information.

DO ENSURE PERSONAL DATA ARE OBTAINED LAWFULLY AND FAIRLY FOR LAWFUL PURPOSES RELATED TO THE DATA USER'S FUNCTIONS, AND ARE NOT EXCESSIVE IN RELATION TO THE PURPOSES FOR WHICH THEY ARE HELD.

DO ENSURE PERSONAL DATA ARE USED OR DISCLOSED ONLY FOR THE PURPOSES FOR WHICH THEY WERE OBTAINED, OR FOR COMPATIBLE PURPOSES.

DO ENSURE PERSONAL DATA ARE ACCURATE AND HELD NO LONGER THAN IS NECESSARY FOR THOSE PURPOSES.

DO ENSURE PERSONAL DATA ARE KEPT SECURE FROM UNAUTHORIZED ACCESS, ALTERATION, DISCLOSURE, LOSS OR DESTRUCTION.

DO ENSURE INFORMATION ON THE DATA USER'S POLICIES, PRACTICES, THE TYPES OF DATA HELD AND THE PURPOSES FOR WHICH THEY ARE HELD IS READILY AVAILABLE.

DO ENSURE PERSONAL DATA ARE MADE AVAILABLE TO THE INDIVIDUAL CONCERNED ON REQUEST, AND THAT PROVISION IS MADE FOR CORRECTIONS.


11. BRINGING ALL INTO ACTION

Information Technology is ever changing. From time to time, new security attacks are discovered. The window of time between the disclosure of a new vulnerability and the emergence of threats that exploit it continues to shrink. It is important that everyone be extra vigilant in enforcing security measures. With collaborative efforts by all parties, we improve our state of awareness and preparedness for defending against security attacks and threats. ACTION NOW AND KEEP FIGHTING THE BATTLE !!!

Action checklist for EVERYONE

• Protect your user account
• Conform to the Personal Data (Privacy) Ordinance
• Be discreet with patient and personnel data at all times:
  • Log out the last patient’s record before the next patient comes
  • Dispose of confidential print-outs properly
  • Keep paper records printed from the system securely
• Lock all doors and windows when leaving
• Ensure that you know who is visiting whom and for what reason
• Ensure that any disc coming into the organization is checked
• Keep all mobile computing devices (e.g. notebook, PDA or smart phone) that may contain confidential personal data in a secured place
• Encrypt the confidential data created by you
• Don’t share files and folders on your PC or notebook that contain confidential personal data with other colleagues over the network
• Don’t visit unknown Internet web sites
• Report security incidents through the correct channels as quickly as possible.


More IF YOU ALSO PLAY THESE BUSINESS ROLES

Action checklist by role (End User, System Administrator, Network Administrator, Information Security Officer, User Management)

• Secure all computers to desks wherever appropriate
• Run real-time protection anti-virus software program with the latest virus signature
• Apply the latest system patches
• Use anti-spy software where applicable
• Use personal firewall where applicable
• Use care when reading email with attachments
• Use care when downloading and installing programs
• Protect power and telecommunication cabling
• Identify potential environmental hazards to IT equipment and facilities
• Limit network services
• Enforce network path if applicable
• Enforce password discipline for connecting to the network
• Establish formal user registration and de-registration procedures for access to IT services
• Securely control allocation of user passwords
• Educate users about best practice in protecting user accounts
• Be able to trace computer activities to each individual
• Review user access rights at regular intervals
• Monitor system access and use
• Ensure that there is a "quarantine" PC which you can use to test all files for viruses


12. GUARDING FOR YOU

As the technical provider of the Public-Private Interface - Electronic Patient Record Sharing Project, HA Information Technology Department strives to safeguard the security of this business application platform. We use industry standard security technology and practices to address three key areas, namely privacy, technology and identification.

12.1 PRIVACY

12.1.1 SECURE SESSIONS

If you log in to the system from the Internet, you are said to be in a secure session. It is indicated by:
• the URL address begins with https://, or
• a padlock symbol appears in the lower right hand corner of your browser.

12.1.2 ENCRYPTION

We use 128-bit Secure Socket Layer (SSL) encryption, which is accepted as the industry standard, to encrypt data before it is sent over the network. This prevents anyone else from reading the information as it passes between us.

12.1.3 SESSION TIME-OUT

If you forget to log off the system, or if your computer remains inactive for a period of time during a session, then the system would automatically log you off.
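How a server enforces the idle time-out described above, as an added example in Python that is not code from the HA guide or the PPI-ePR system: a session register in which every request refreshes the session's last-activity time, and a request arriving after the idle limit finds the session already gone. The 15-minute limit, the token and the user names are assumptions, not PPI-ePR values.

```python
# Added example (not from the HA guide): server-side session register with
# automatic log-off on inactivity. The idle limit below is an assumed value.
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_LIMIT_SECONDS = 15 * 60   # assumed idle limit; the guide gives no figure


@dataclass
class Session:
    user_id: str
    last_activity: float   # time of the last request, seconds since the epoch


class SessionStore:
    """Holds live sessions; time is passed in so behaviour is deterministic."""

    def __init__(self, idle_limit: float = IDLE_LIMIT_SECONDS):
        self.idle_limit = idle_limit
        self._sessions: Dict[str, Session] = {}

    def login(self, token: str, user_id: str, now: float) -> None:
        self._sessions[token] = Session(user_id, now)

    def touch(self, token: str, now: float) -> Optional[str]:
        """Validate a request carrying `token`.

        Returns the user id if the session is live, otherwise None. An idle
        session is deleted on the spot, so a later request cannot revive it
        and the user must log in again (the guide's "automatic log-off").
        """
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.last_activity > self.idle_limit:
            del self._sessions[token]
            return None
        s.last_activity = now          # any activity resets the idle clock
        return s.user_id

    def logoff(self, token: str) -> None:
        """Explicit log-off; idempotent for unknown tokens."""
        self._sessions.pop(token, None)

    def active_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    import time
    store = SessionStore(idle_limit=2)          # 2 seconds, to demonstrate quickly
    store.login("demo-token", "demo_user", time.time())
    print("request at once  ->", store.touch("demo-token", time.time()))
    time.sleep(3)
    print("request after 3s ->", store.touch("demo-token", time.time()))
```

Keeping the expiry decision on the server matters: a browser-side timer only clears the screen, whereas deleting the server record is what stops a stolen or forgotten session from being used later.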

12.2 TECHNOLOGY

We use many layers of security. For obvious reasons, we would not disclose all of them, but the following are typically used:
• All our operating systems are updated with the latest security patches.
• Our anti-virus software is kept updated.
• Firewalls are used to prevent unauthorized intruders.
• Digital certificates are used.


12.3 IDENTIFICATION

12.3.1 2-FACTOR AUTHENTICATION FOR INTERNET USERS

Online access to the system is only possible once you have authenticated yourself using the correct login ID, password and one-time security code generated by your Secure Token Device.

12.3.2 AUTOMATIC LOCK-OUT

After a number of incorrect attempts to log in, we would suspend your user account. To re-activate your account, you should contact your usual helpdesk support.
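The lock-out rule above, written out as an added example in Python that is not code from the HA guide or the PPI-ePR system. The threshold of five attempts, the account names and the password-hashing parameters are assumptions; the guide does not state the PPI-ePR figures. The example also shows two details a practitioner would want: a successful log-in resets the counter, and a suspended account rejects even the correct password until the helpdesk re-activates it.

```python
# Added example (not from the HA guide): account suspension after repeated
# failed log-ins. Threshold, users and hashing parameters are assumptions.
import hashlib
import hmac
import os
from typing import Dict

MAX_FAILED_ATTEMPTS = 5          # assumed threshold, not the PPI-ePR value
PBKDF2_ITERATIONS = 100_000      # assumed work factor


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS)


class AccountStore:
    """In-memory accounts with a per-user failed-attempt counter."""

    def __init__(self) -> None:
        self._accounts: Dict[str, dict] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[user] = {"salt": salt,
                                "hash": _hash_password(password, salt),
                                "failed": 0, "suspended": False}

    def login(self, user: str, password: str) -> str:
        """Return 'OK', 'BAD_CREDENTIALS' or 'SUSPENDED'."""
        acct = self._accounts.get(user)
        if acct is None:
            # Unknown user gets the same answer as a wrong password, so the
            # response does not reveal which log-in IDs exist.
            return "BAD_CREDENTIALS"
        if acct["suspended"]:
            return "SUSPENDED"      # checked before the password: no progress while locked
        candidate = _hash_password(password, acct["salt"])
        if hmac.compare_digest(candidate, acct["hash"]):
            acct["failed"] = 0      # success clears earlier failures
            return "OK"
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED_ATTEMPTS:
            acct["suspended"] = True
            return "SUSPENDED"
        return "BAD_CREDENTIALS"

    def reactivate(self, user: str) -> None:
        """Helpdesk action: clear the counter and lift the suspension."""
        acct = self._accounts[user]
        acct["failed"] = 0
        acct["suspended"] = False

    def is_suspended(self, user: str) -> bool:
        return self._accounts[user]["suspended"]


if __name__ == "__main__":
    store = AccountStore()
    store.register("demo_user", "example-passphrase")   # constructed credentials
    for attempt in range(6):
        print(attempt + 1, store.login("demo_user", "wrong guess"))
    print("correct password while suspended:",
          store.login("demo_user", "example-passphrase"))
```

A real deployment would persist the counter, record each suspension in the audit log, and pair the lock-out with the network-level "limitation of number of tries" mentioned in section 9.2.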

12.3.3 DIGITAL CERTIFICATE FOR SERVER AUTHENTICATION BY INTERNET USERS

In order to assure you that you are dealing with the correct PPI-ePR web site, we provide a digital certificate at the beginning of the session. At the bottom of the browser window, there will be an icon telling you if the page has been encrypted. Don't type your password on a page that isn't encrypted. Simply click on the Encrypted Icon and you will see our security certificate. You may check the validity of the certificate as follows:

Issued to: ppi.ha.org.hk
Issued by: Hongkong Post e-Cert CA 1
Valid from … to … is a valid date range
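The three checks the guide asks the user to make by eye, applied programmatically as an added example in Python; this is not code from the HA guide or the PPI-ePR system. It works on the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns for a verified peer. The host and issuer names are the ones printed above; the certificate itself and its validity dates are constructed samples.

```python
# Added example (not from the HA guide): check "issued to", "issued by" and
# the validity window of a certificate in ssl.getpeercert() dictionary form.
# SAMPLE_CERT is constructed; the dates are placeholders.
import ssl
import time
from typing import List, Union

EXPECTED_HOST = "ppi.ha.org.hk"                  # from the guide
EXPECTED_ISSUER_CN = "Hongkong Post e-Cert CA 1"  # from the guide

SAMPLE_CERT = {   # constructed sample in getpeercert() shape
    "subject": ((("commonName", "ppi.ha.org.hk"),),),
    "issuer": ((("countryName", "HK"),),
               (("organizationName", "Hongkong Post"),),
               (("commonName", "Hongkong Post e-Cert CA 1"),)),
    "subjectAltName": (("DNS", "ppi.ha.org.hk"),),
    "notBefore": "May 19 00:00:00 2010 GMT",     # placeholder dates
    "notAfter": "May 19 00:00:00 2012 GMT",
}


def _rdn_value(name, key: str):
    """Pull one attribute (e.g. commonName) out of a getpeercert() name tuple."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def check_certificate(cert: dict, host: str, issuer_cn: str,
                      now: Union[float, str]) -> List[str]:
    """Return a list of problems; an empty list means all three checks passed.

    `now` is seconds since the epoch, or a GMT string in the certificate's
    own "Mon DD HH:MM:SS YYYY GMT" format.
    """
    if isinstance(now, str):
        now = ssl.cert_time_to_seconds(now)
    problems: List[str] = []

    # Issued to: exact match against SAN DNS entries, falling back to the
    # subject CN for old certificates without a SAN. Wildcards are not handled.
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        cn = _rdn_value(cert.get("subject", ()), "commonName")
        dns_names = [cn] if cn else []
    if host not in dns_names:
        problems.append(f"issued to {dns_names or 'nobody'}, not {host}")

    # Issued by: the CA the guide tells the user to expect.
    actual_issuer = _rdn_value(cert.get("issuer", ()), "commonName")
    if actual_issuer != issuer_cn:
        problems.append(f"issued by {actual_issuer!r}, expected {issuer_cn!r}")

    # Validity window.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate not yet valid")
    elif now > not_after:
        problems.append("certificate has expired")
    return problems


if __name__ == "__main__":
    # The constructed sample expired in 2012, so today's check reports that.
    print(check_certificate(SAMPLE_CERT, EXPECTED_HOST, EXPECTED_ISSUER_CN, time.time()))
```

These checks complement, not replace, the chain validation the TLS library performs; they encode the user-facing rule that the page must be issued to the expected host by the expected CA.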


13. CONTACT POINTS

For further information, please contact:
• Your IT Department or Information Security Officer
• HA Information Technology Department at 2300-6501
• HA PPI-ePR Program Office at 2300-6654

14. REFERENCES

• A Practical Guide to IT Security for Everyone Working in Hospital Authority. Information Technology Department of Hospital Authority
• Information Security Policy and Procedure Manual for IT Department, Hospital Authority. Information Technology Department of Hospital Authority
• Security Guidelines for Medical Networks and Other Departmental Networks. Information Technology Department of Hospital Authority
• What is Information Security? http://www.infosec.gov.hk/english/information/information.html The Government of the Hong Kong Special Administrative Region
• CERT: Home Computer Security http://www.cert.org/homeusers/HomeComputerSecurity Software Engineering Institute, Carnegie Mellon University
• CERT: Home Network Security http://www.cert.org/tech_tips/home_networks.html Software Engineering Institute, Carnegie Mellon University