Duke University
Center for the Study of Aging and Human Development


Computing & Statistics Lab

Subject: Secure System Usage
         Center For Aging
         Duke University School of Medicine
From: Information Security Manager, Center for Aging
      irv@geri.duke.edu
To:   All Center for Aging Computer (CFA) Users
Updated: Jul 3, 2006

Purpose
     This memo is sent to all Center for Aging Computer users every twelve
months to remind them of their security responsibilities with particular 
regard to confidential data and Protected Health Information (PHI) stored 
on and transmitted to and from departmental computers. You will also 
receive a message with instructions on how to change your UNIX password 
and guidelines on how to create and protect strong passwords that can be 
used on any computer system.
     It is possible that, during the certification of the department's 
Security Design Plan (SDP), you may be questioned on the contents of these 
two documents.

General Security
     Always close and lock your office door whenever you leave your 
office. Police reports have referred to valuables such as laptops, PDAs, 
purses, wallets, cash and even an office chair being stolen from offices.
     When someone from the Aging Center terminates their employment, 
please be sure to let the system administrators know promptly so their 
account can be removed. Their email can be forwarded, and all files in 
their directory can be permanently archived or transferred to the 
directory of an active user.

Required HIPAA Training
     All Duke Medical Center faculty and staff are required to participate
in training on the privacy and security regulations of the Health 
Insurance Portability and Accountability Act (HIPAA). The general 
workforce training and other information regarding HIPAA is available 
online at http://hipaa.dukehealth.org.

Security Incident Reporting
     Security incidents for all Center for Aging computer systems, also 
known as the geri system, must be reported to the CFA Incident Manager, 
Irv Eisen, via email, irv@geri.duke.edu, or phone, 660-7527.
     A security incident includes, but is not limited to, any attempted
or successful breach of policy or law involving any of the following: 
misuse of proprietary information; misuse of patient information; misuse 
of information on or about staff, faculty, students, or other members or 
associates (including contractors) of Duke University; unauthorized use of 
information systems in ways that compromise system availability, 
performance, or integrity.

Anti-Virus Protection
     All CFA computers are required to have an anti-virus program with 
virus definition data files kept current. Schedule your AV software to 
automatically update these files daily. Medical Center security policies 
also require that you run a virus scan on your entire hard drive at least 
once a week. This could take a long time, so schedule it to run after 
hours and remember to leave your computer on.
     The best protection against virus-laden email attachments is to 
personally contact the sender to make certain that they actually sent the 
attachment to you. Disable the auto-preview option if your email 
software offers it: auto-preview can open an infected attachment before 
you even have a chance to do anything with it.
     Do not download freeware from the internet as such programs
frequently contain spyware. Contact the Aging Center pc support staff if 
you feel your pc has become infected with spyware. Downloading free 
anti-spyware software can itself infect your machine with more spyware, 
and anti-virus programs typically do not scan for spyware.

Operating Systems
     Operating systems must be those for which the vendor is still 
providing support, i.e., still distributing patches and updates. As a
rule of thumb, that time period is five years from the date of general 
availability. For Windows products you can find this information at
http://support.microsoft.com/.
     Vendors of operating systems periodically distribute patches and
updates for their products which close major bugs and security holes. It 
is very important to apply these as soon as they are released. Your 
Windows computers should be configured to install the Windows Critical 
Updates automatically. If you wish to confirm that your system is up to 
date, you can run Windows Update manually at any time. The Duke Arts & 
Sciences Department has good instructions at 
http://www.aas.duke.edu/comp/documentation/win-up/.
     
     WARNING: Do not install patches or updates other than the Critical 
     Updates without consulting a systems administrator or your 
     department support staff. Other updates are not necessary to keep 
     your computer secure and may cause conflicts on some computer 
     configurations. 

Connecting to the geri UNIX system
     Secure Shell (SSH) and Secure FTP (SFTP) are available for PCs and
are the preferred programs to use for connecting to all UNIX computers; 
they encrypt your password and your data in transit, which telnet and 
plain ftp do not. Note the date and time of your last logon and ensure 
that it is reasonable.
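A concrete way to perform that last-logon check, as an added example that is not part of the memo: the script below reads records in the layout printed by the UNIX 'last' command and flags any logon from a host outside a list of places you normally work from, or at an hour outside a working window. The allow-list, the 07:00-19:00 window and the sample records are all hypothetical and constructed for the example, not real geri logs.

```shell
#!/bin/sh
# Added example, not part of the Center for Aging memo: flag "last"-style
# logon records that do not look reasonable. The host allow-list and the
# 07:00-19:00 working window are hypothetical, and the records in SAMPLE are
# constructed for this example, not real geri logs.

# Regex for hosts this user normally logs on from (hypothetical).
KNOWN_HOSTS='^(geri|busse[0-9]*[.]duke[.]edu|10[.]1[.]2[.])'
WORK_START=7    # earliest reasonable logon hour, inclusive
WORK_END=19     # latest reasonable logon hour, inclusive

# flag_unusual_logins: reads records shaped like the output of "last" on
# stdin (user tty host weekday month day HH:MM ...) and prints each record
# that comes from an unlisted host or starts outside working hours, with
# the reason prefixed. Trailer lines ("wtmp begins ...") and blanks are skipped.
flag_unusual_logins() {
    awk -v known="$KNOWN_HOSTS" -v start="$WORK_START" -v end="$WORK_END" '
        NF < 7 || $1 == "wtmp" { next }
        {
            host = $3
            split($7, hm, ":")
            hour = hm[1] + 0
            reason = ""
            if (host !~ known)
                reason = "unknown host " host
            else if (hour < start || hour > end)
                reason = "off-hours logon " $7
            if (reason != "")
                print reason ": " $0
        }'
}

# Constructed sample in the layout of "last -n 4 irv" (not a real log).
SAMPLE='irv      pts/0        busse12.duke.edu Mon Jul  3 09:12 - 17:40  (08:28)
irv      pts/1        10.1.2.15        Sun Jul  2 02:31 - 02:45  (00:14)
irv      pts/0        203.0.113.7      Sat Jul  1 14:05 - 14:20  (00:15)
irv      pts/0        busse12.duke.edu Fri Jun 30 08:50 - 12:10  (03:20)

wtmp begins Thu Jun  1 00:00:01 2006'

# On the real system you would pipe "last -n 10 $USER" instead of SAMPLE.
printf '%s\n' "$SAMPLE" | flag_unusual_logins
```

Run against the sample, the script reports the 02:31 Sunday logon from the otherwise familiar 10.1.2.15 address and the logon from 203.0.113.7, which is not on the list at all; either would be worth a call to the Incident Manager.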
     New accounts can be created by requesting and filling out an Account 
Request form. Accounts can be removed by filling out the proper form. 
These forms are available from the geri system manager. 

Transferring data files
     All data files which contain sensitive information or Protected 
Health Information (PHI) should be encrypted whether being transferred via 
email, ftp, or a removable, hand-held or mobile computing device. Such 
devices include, but are not limited to, flash drives, laptops, notebooks, 
PDAs, floppy or compact disks. These devices are easily lost or stolen, so 
there is an increased risk of their contents falling into the hands of 
people not authorized to see this data.
     The PGP (Pretty Good Privacy) program is available on the geri UNIX
system and can be installed on a PC. You can also use WinZip on Windows
systems for password-protected encryption; however, it is not as secure as
PGP. WinZip's traditional Zip 2.0 password protection has known practical 
attacks and should not be relied on for PHI; the AES encryption offered by 
newer WinZip versions is stronger, but it is still only as strong as the 
password chosen, and no password-based scheme provides absolute protection 
against determined individuals with advanced cryptographic tools.
     You can get instructions for using the UNIX version of PGP by 
entering the command 'pgp -h'. Using PGP can be fairly complicated. A 
tutorial is located at:
http://www.acm.org/crossroads/xrds6-5/pgptutorial.html.
     Contact your system administrator to have PGP or WinZip installed on 
your pc.
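As an added example, not the memo's own instructions and not the geri 'pgp' command: the script below encrypts a data file with a passphrase before it is copied to a flash drive or attached to an email, and proves that the ciphertext decrypts back to the original. It assumes GnuPG ('gpg') is installed; GnuPG writes the same OpenPGP format that PGP reads, but its options differ from those shown by 'pgp -h'. The file names, the sample data and the passphrase are hypothetical.

```shell
#!/bin/sh
# Added example, not the memo's own instructions (which refer to the classic
# "pgp" command on geri): encrypt a data file with a passphrase before it is
# copied to a flash drive or attached to an email, and prove the round trip
# works. Assumes GnuPG ("gpg") is installed; it produces the same OpenPGP
# format PGP reads, but its command-line options differ from "pgp -h".
# File names, the sample data and the passphrase are hypothetical.

# Use a throwaway keyring directory so nothing in the user's home is touched.
GNUPGHOME=$(mktemp -d); export GNUPGHOME
GPG="gpg --batch --yes --quiet"
# gpg 2.1 and later only accept a passphrase from a file in loopback
# pinentry mode; older versions reject the option, so probe for it.
if gpg --pinentry-mode loopback --version >/dev/null 2>&1; then
    GPG="$GPG --pinentry-mode loopback"
fi

# encrypt_file PLAINTEXT PASSPHRASE_FILE -> writes PLAINTEXT.gpg
# Symmetric (passphrase) encryption with AES-256. The passphrase must reach
# the recipient by a separate channel (phone, in person), never in the
# same email as the file.
encrypt_file() {
    $GPG --passphrase-file "$2" --symmetric --cipher-algo AES256 \
         --output "$1.gpg" "$1"
}

# decrypt_file CIPHERTEXT PASSPHRASE_FILE OUTPUT -> exit 0 only if the
# passphrase is right and gpg's built-in integrity check passes.
decrypt_file() {
    $GPG --passphrase-file "$2" --output "$3" --decrypt "$1"
}

# roundtrip_ok PLAINTEXT PASSPHRASE_FILE -> exit 0 if decrypting the
# ciphertext reproduces the original byte for byte.
roundtrip_ok() {
    encrypt_file "$1" "$2" &&
        decrypt_file "$1.gpg" "$2" "$1.dec" &&
        cmp -s "$1" "$1.dec"
}

# Demonstration on a constructed file; the "PHI" is fake sample data.
if command -v gpg >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    printf 'subject_id,age,dx\n1001,74,hypertension\n' > "$WORK/phi.csv"
    printf 'correct horse battery staple 2006\n' > "$WORK/pass.txt"
    chmod 600 "$WORK/pass.txt"
    if roundtrip_ok "$WORK/phi.csv" "$WORK/pass.txt"; then
        # Only the ciphertext should travel; remove the plaintext copies.
        rm -f "$WORK/phi.csv" "$WORK/phi.csv.dec"
        echo "$WORK/phi.csv.gpg verified and ready to transfer"
    fi
fi
```

The round-trip check is the part worth keeping as a habit: a file that cannot be decrypted with the intended passphrase is as lost as one left on the bus, so verify before the plaintext is deleted. Sending the passphrase in the same message as the attachment defeats the purpose entirely.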

Workstation Use
     Do not leave your workstation unattended with a session logged on. 
Each time you log on, observe whether the date and time of last logon is 
reasonable. Do not share your password with anyone and guard against 
"shoulder surfers." If your operating system supports this (e.g., Windows 
NT, 2000 and XP Pro), create a user account for yourself that requires 
an id and password every time you start the computer.
     Configure your PC to start a screensaver with password protection 
after no more than fifteen minutes of inactivity. NEVER turn on the 
'Remember Password' option in any program that offers it. Arrange your 
monitor so that, as much as possible, it is facing only the individual 
working on it. Ensure that any mobile workstation (e.g., a laptop, 
handheld, or tablet) is returned to a physically secure environment when 
not in use.

Media Disposal
     All stand-alone (removable) media that contains Protected Health 
Information or other confidential information should be brought to the
CFA Information Security Manager for secure disposal as soon as it is 
deemed to be no longer needed. Stand-alone media is any media that is not 
integrated into equipment. Examples of stand-alone media include CDs, 
floppies, tapes, memory sticks, and Zip disks. The CFA ISM will clean the 
media and place it in the proper disposal bins.

Equipment Disposal
     All equipment must be disposed of or resold through the Duke Surplus 
office, even if you have pre-arranged with a buyer. In such a case, Duke 
Surplus may need to make an adjustment to their inventory, and they will 
ensure that you are getting a fair price.

========================================================================

                 Acknowledgement of Receipt and Review 
                        of the Center for Aging
                        Secure System Usage Memo

     To ensure that all computer users take ownership of security issues, 
the Duke U. School of Medicine Compliance Office requires a hand signed, 
hard copy acknowledgment of the receipt and review of this memo each time 
it is distributed.
     By signing this form, you acknowledge that you have received and 
reviewed the Center for Aging's Secure System Usage Memo and agree to 
abide by its terms.

Signature: ____________________________________ Date: ___________________

Name (Please Print): __________________________________

Please complete, sign and return this page to:
Irvin Eisen, Center for Aging Information Security Manager
DUMC Box 3003
Room 1501, Busse Bldg., Duke South Blue Zone
Durham, NC 27710

Thank you,
  
Copyright 2004 Duke University Center for the Study of Aging and Human Development