Securing Mobile Data
By now you have all probably heard about the theft of personal
information belonging to 26.5 million veterans. An employee authorized to
work with the information had taken it home on a laptop, and the laptop
was stolen from his home. The potential for this kind of exposure scares
the willies (pardon my French) out of Information Security specialists
everywhere, and you can expect to see additional safeguards being
implemented over time, just as we have already seen over the past couple
of years.
It is no longer enough to guard just PHI, Protected Health
Information, as described in HIPAA. States, including North Carolina,
have begun passing legislation mandating the protection of a much wider
scope of personal information, such as Social Security numbers. To that
end, the security people here at Duke Medical Center are beginning to use
a new acronym, SEI, for "Sensitive Electronic Information."
This increase in the scope of the data we need to protect was the
impetus behind my May 15 email informing you of the update to the
following paragraph in our Secure System Usage Memo:
==========================================================================
Transferring data files
All data files which contain sensitive information or Protected
Health Information (PHI) should be encrypted, whether they are transferred
via email or FTP or carried on removable, hand-held or portable devices.
Such devices include, but are not limited to, flash drives, laptops,
notebooks, PDAs, floppy disks and compact disks.
The PGP (Pretty Good Privacy) program is available on the geri UNIX
system and can be installed on a PC. You can also use WinZip on Windows
systems for password-protected encryption; however, it is not as secure as
PGP, and it does not provide absolute protection against determined
individuals with advanced cryptographic tools.
==========================================================================
You will get another chance to read it when the full memo is emailed
to you on July 1.
Not only do we need to protect personal information, but we must also
include within the scope of "Sensitive Electronic Information" those
electronic assets and resources which keep the Center for Aging viable in
a business sense. Such things include your research documents, your email,
your PowerPoint presentations, your papers submitted for publication, etc.
How do we protect essentially all of our work-related electronic
information in a mobile world? There are quite a few elaborate, sometimes
expensive, sometimes complicated security solutions for mobile computing.
But I am going to recommend one that looks, acts and works the same
whether you are in the office, at home or on the road, provided you have
an internet connection. That's the Center for Aging's file server. When
you are on the road or at home, you connect to the Medical Center's VPN
(Virtual Private Network), and your computer looks and acts just as if you
were in your office. From there you can connect to the file server.
All of your "Sensitive Electronic Information" can reside on a server
in a secure location, protected by the institution's firewall,
automatically backed up every night, running the mature and relatively
secure UNIX operating system, covered by a thorough security design and
disaster recovery plan. And best of all, it all looks like Windows.
Information on our file server can be seen at:
Announcing the Aging Center's File Server
How to Map Network Drive
How to Change File Server Password
Information on connecting to the Medical Center VPN can be seen at:
How to Get Your VPN Account & Software
How to Configure the VPN Software
How to Connect to the DUHS VPN
Demos with question and answer sessions will be scheduled in the near
future.
Release Date: June 1, 2006