Concepts - Research Information Science & Computing



Encryption – Data in Transit

Concepts

Encryption
Encryption is a security measure that scrambles information on a device. It changes information from a readable form into something that cannot be read unless you have the decryption key. Encryption adds another layer of security to the information and is especially important for mobile devices that could be easily lost or stolen.

Encryption at rest
Encryption at rest means applying encryption to where your data is stored, whether a hard drive, a flash drive, a CD, your mobile phone, etc. This is usually also known as disk encryption.

Encrypted communications
It is important to secure your data not only where it is stored, but also while it is being transmitted. This is also referred to as encryption in motion. For more information on secure/encrypted communications, please see this document.

Wi-Fi
On the Data Protection Road Map you’ll see email, faxes, and texts. Another type of data in motion is through wireless internet (or Wi-Fi) hotspots which are found just about everywhere these days.
Available at coffee shops, airports, libraries, hotels, bookstores and more, people access public Wi-Fi hotspots on their mobile devices without realizing the risks these networks pose to personal and confidential data.

If you are connected to an unsecured/unencrypted Wi-Fi network, hackers can:
• Steal usernames and passwords
• Snoop on email messages you send and receive
• Intercept documents and files that are accessed or sent over the unsecured network
• Install malware on your device

How do I protect myself?
• Avoid using unsecured networks
• Double check the hotspot connection details to make sure it is a legitimate network -- hackers are known to set up fake networks to trick you into connecting
• Only connect to encrypted websites -- check for the lock or HTTPS in your browser’s search bar
• Set Network Type to ‘Public’ when connecting to new networks (laptop setting)
• If possible, use a Virtual Private Network (VPN) -- A VPN encrypts any data sent to and from your device, so it cannot be read by anyone snooping on your network traffic
• Use your smartphone’s Hotspot to access the internet. Ensure the Hotspot is password protected.

Wi-Fi best practices
• Avoid online banking and other sites that require private login information on public Wi-Fi
• Always opt out of saving passwords if asked by your browser/website
• Log out of accounts immediately after you are finished using them
• Change the settings on your device so it does not automatically connect to available Wi-Fi hotspots
• Keep up-to-date antivirus software running on your device

VPN
VPN (Virtual Private Network) is a way for Partners employees to access the internal network remotely (i.e., when travelling for work or when working remotely – ConnectedWork). In order to access our network remotely, you need to ensure that the device you’re using (laptop, workstation, phone, etc.) is properly secure according to Partners policies (including, but not limited to encryption, antivirus, software updates, etc.).
If you need help to ensure your device is properly secure, please contact the HelpDesk or your Information Security Officer.

After you ensure your device is properly protected, you can request VPN access using the following link:
• HOWTO: Request VPN Access:
• Configure and connect using Phone-based VPN on Windows 10
• VPN Client Installation and Setup for OS X
• to setup VPN on iOS with RSA SecurID Software Token (iPhone, iPad, iPod Touch)

Email
On the Data Protection Road Map you encounter different types of data in motion. One method, email, often includes sending or receiving confidential or institutional information. It is your responsibility to protect your data by securing your email communications.

First, when sending email for business purposes, you must use your Partners-issued email account. Do not use your personal email account for business purposes (e.g., Gmail, Yahoo, Comcast, etc.).

Unencrypted email is not like mailing a sealed letter or package; it is more like sending a postcard—people are not supposed to read it while in transit, but it passes through many hands, and you can never be sure that someone is not reading it along the way. There are multiple ways to encrypt your email, the table below provides helpful use

Sending Email Inside Partners
Email sent from one address to another is secure.

Sending Email Outside Partners

Secure Tunnels
Email sent from one address to an organization with which we have secure tunnels is already encrypted. Check this list prior to sending data.

SendSecure
Email sent from a address to an external email address, with which we do not have a secure tunnel, is not encrypted (e.g., Gmail, Yahoo, Comcast, Medtronics etc.). You must use Send Secure. Send Secure encrypts the body of the message. To use Send Secure, type “Send Secure” in the Subject Line of the email. The external recipient will receive a request to sign up for an account to see their email. Note: Send Secure does not encrypt the Subject Line.
Do not include confidential information in the subject line.

Patient Gateway
Patient Gateway is the Partners patient portal, the preferred patient communication tool and the secure alternative to email.

Workforce Emailing Protected Health Information (PHI)
Email containing PHI sent to patients must be sent by encrypted email (Partners Patient Gateway, Send Secure (see above)). Patients may request to opt out of PHI being sent in an encrypted e-mail format. Please contact your site Privacy Officer for details on correct procedures including informing patients of the security risk.

Email Security Policy:

Do
• Double check before using “Reply All”
• Always check that you have selected the correct recipients
• Regularly update group email lists; remove participants who are no longer needed
• Use Blind Carbon Copy (BCC) when emailing multiple patients or research subjects
• Type “Send Secure” anywhere in the Subject Line when Confidential data is transmitted outside the hospital network
• Only send the minimum necessary

Do Not
• Send or forward email containing Partners confidential or institutional information to personal email accounts (e.g., Gmail, Yahoo, Comcast, etc.)
• Use your personal email account for business purposes
• Put any confidential information in the Subject Line
• Let the Outlook “auto complete” option add the wrong name

Paging
The required best practice is to limit information sent via pages and texts to the minimum necessary to accomplish the intended goal.
• Enterprise paging enables users to receive pages directly to their cell phones or smartphones via SMS text messaging.
• While encryption requirements apply for all smartphones used for business purposes, this type of encryption secures data at rest (directly on the phone) only.
• When using a smartphone’s native texting solution, data is not secured in transit. It can be backed up to a cloud storage solution that you may not have any control over.
• Smartphone auto-alerts can display text message details while the phone is locked.
Again, limit information sent via pages and texts to the minimum necessary to accomplish the intended goal.

Secure Texting
Partners HealthCare is introducing a new secure messaging application to be used on employee smartphones and tablets. The new secure messaging application is called Imprivata Cortext, and will be the new Partners standard for messaging your co-workers with secure texting and paging on your mobile devices, tablets and desktops. We ask that you download the Imprivata Cortext application on your mobile device by following the instructions accessed via the links below. A prerequisite for installing the Imprivata Cortext application is that you have already downloaded the Partners MobileIron application. If you have not downloaded MobileIron yet, please follow the attached document named “EMM Setup Guide” prior to installing Cortext.

What is Imprivata Cortext?
The Imprivata Cortext solution is HIPAA-verified for communication of Patient Health Information (PHI) among co-workers. The application is compatible with iOS (iPhone) and Android devices, including phones and tablets. Imprivata Cortext can be used on multiple devices so that care providers can use whichever device is most useful at that time.

How do I get it?
Once you have installed MobileIron, Imprivata Cortext will be available from the Partners App store. Once the application is installed you can log in with your Partners network username with “@” added on the end and your Partners network password (Username Example: jd34@). If you are interested in or need Secure Texting (Imprivata Cortext), contact Toby Tsuchida (ttsuchida@) or Shawn Donahue (sdonahue@).

Imprivata Cortext Overview (and How to Enroll):

Imprivata MobileIron is a prerequisite to use Cortext.
Go here for instructions to enroll:

If there is a business reason for which you can’t use encryption, please submit a variance using the link below.
ISPO Cybersecurity Variance Request Form

References:
• Safeguarding ePHI:
• Encryption and Security Policies:
• IT Access Control Security Policy
• Communications Information Security Policy (EISP-13.1)

Minimal technical encryption requirements
• 256-bit key strength;
• Use of the Advanced Encryption Standard (AES) or other FIPS 140-2 validated algorithm;
• Full disk encryption for all files (the entire disk must be a private partition); and
• Support for strong password enforcement.
