INFORMATION SECURITY FOR HUMAN SERVICE AGENCIES
By William Holmes
Having secure information is essential to assuring that a client’s privacy is protected and that they are not exposed to needless risk. It is an essential aspect of protecting clients from harm. In addition, it protects a human service agency from malicious use of its data and promotes appropriate use. Policies for promoting information security also document that the organization is following contemporary professional standards for protecting its data.
BASIC PRINCIPLES
This review
of
information security emphasizes eight principles. These
principles can help protect your information and reduce the
risk that it will be used for malicious purposes. There
certainly are more things you can do to protect the
security of information than following these eight principles, but
following
these principles will significantly improve the security of your
information. These principles address
issues of confidentiality, notification, access, data purging, data
auditing,
software updating, browser security, and e-mail use.
1.
Use Confidentiality Policies
For staff to know what they are supposed to do to protect the confidentiality of client data, there needs to be a policy regarding confidential information. The HIPA statute (Health Information Protection Act) specifies federal mandates regarding health information. The policy should also protect a client’s Social Security numbers or any information that might prove embarrassing or injurious if released. A confidentiality policy typically restricts access to sensitive information to those staff who need know the information to provide the service requested by the client, the administrators who supervise such staff, and those required by law to have access to such information. The policy often has an explicit statement that information will not be shared with others without the consent of the client.
2.
Notify Targets of Security
Breaches
If the information system of an agency or program is breached and confidential informational of a client is obtained by unauthorized persons, then the agency should notify those clients whose information has been stolen. The agency should also tell the clients what information has been lost, how the agency will attempt to minimize harm to the client, and what the agency will do to prevent future breaches.
3.
Restrict Sensitive Information Access
Protecting the confidentiality of information requires restricting access to that information. There are several ways to do this. Certain tables or fields in a database can be password protected, so that they can be displayed only by those authorized. Access can also be limited to specific computers, either by not having a computer linked to a network and password protecting the computer or by having the network security program limit access to a computer on the network.
4.
Sunset Old Data
An agency may no longer need for information regarding a particular client. The person or family may have left the program or be no longer available to the program. There should be periodic archiving of old records and purging those records from the active information system. This helps protect confidentiality of information and improves operation of the network from becoming clogged with old needless data.
5.
Audit Data Access and Changes
Detecting unauthorized access to information or inappropriate changes to the information is much easier if there is an audit trail for who enters new data and who changes existing data. If users have to logon to the computer network, then software can identify their username and create a tracking file that identifies the user and the date and time of access. This allows identifying whether users accessed unauthorized information.
6.
Update Security and System
Software Automatically
Security software (such as, antivirus and anti-spyware programs) should be set to update virus definitions and spyware definitions automatically. Viruses and spyware change frequently. The only way to keep abreast of the challenges they represent is by updating the software as soon as new definitions are available.
Viruses, worms, and other malware often attack an agency’s computer system by taking advantage of the weaknesses in its operating system. Such operating systems, like Microsoft Windows, are periodically updated with “patches” to remove the weaknesses. These patches, like antivirus and anti-spyware programs, should be installed as soon as they are available. The only way to assure this is by selecting an automatic update option for the software.
7.
Review Browser Security
Levels
When an agency’s computers have an Internet connection, they can be at greater risk of invasion if the security settings on the browser used by the agency’s computers is set too low. The level of security set for the browser is a tradeoff between the annoyance of constant popups and warnings produced by very high security settings versus the risk of invasion by very low security settings. The popups and warnings, however, can be reduced if they are produced by repeated access to known Internet sites. In such a case, it is possible to designate some URLs as trusted addresses so that they do not produce warnings when they are accessed.
8.
Secure E-mail Use
E-mail can compromise an agency’s information system in several ways. Most notably, attachments to e-mails may contain viruses, worms, or other malware. Links embedded in email may activate the downloading of malware. The preview pane (a window that can display partial contents of an e-mail before the e-mail is opened) can itself initiate programs embedded in the e-mail. Lastly, photo or graphic images in e-mail can contain malware that is activated if the images are opened or accessed.
There are strategies for dealing with these risks. First, don’t open or download attachments from sources you don’t know or expect. If someone you don’t know sends you an attachment, contact the sender to verify that they sent you the email with an attachment. Second, never open attachments to e-mail without first downloading and saving it on the computer. If there are antivirus programs running on the computer, they will scan the attachment and check it for viruses, worms, and Trojan horses. Third, do not click on e-mail links unless you know it connects to a safe destination. One way of checking this is to put the cursor over the link and read the target URL displayed. If you are familiar with that destination and know the sender of the e-mail, it may be safe to click on the link. Although, it is generally better to copy the link into a browser and go to the destination by that means. The solution for preview pane risks is to simply not use the preview pane. If the subject line of an unknown sender does not give you enough information to tell whether it’s reasonable to open the e-mail, then the e-mail should be deleted. Most browsers allow you to suppress display of images in an email. If the images are suppressed by default and only displayed after reading the e-mail and being convinced it is safe, the risks from images are greatly reduced.
SOFTWARE
A variety of software can help protect an agency’s information. These include programs for handling adware, spyware, viruses, worms, Trojan horses, encryption of information, firewalls, and password protection.
Anti-adware
Adware is a program put on your computer that displays advertisements. It may also collect information on websites used. They may hide in cookies, downloaded internet files, or as system files. Such programs slow down the computer operations. A decline in how fast web pages are retrieved may indicate the presence of adware.
Anti-adware programs search for such programs. When they find adware, the programs give one a choice of deleting the program, quarantining the program (preventing it from being accessed or used), of doing nothing. Malicious adware should be deleted. If one is unsure as to whether it is malicious, quarantining prevents it from doing harm while one figures out if the program is harmful. Adware may be necessary to access some websites. If a user needs to access such a site and the adware is not actively harmful, one may decide to just let it be.
One anti-adware program is called “Ad-Aware” and is produced by Lavasoft. It is fairly effective at finding adware; but, like all such programs, the definitions must be periodically updated or it will gradually become less effective at finding adware.
Anti-spyware
Spyware is a program designed to collect information from your computer without you knowing it. The least harmful tracks what websites you visit and then reports it to someone else. Other spyware is designed to steal the id names and passwords you use to access secure sites, such as bank accounts. Even the least harmful slows down the computer.
More on spyware programs can be found at http://find.pcworld.com/49420 . Some of the more common programs are: Spy Sweeper by Webroot, Antispyware by McAfey, Spybot by Safer Networking, AntiSpyware by Symantec, and Anti-Spyware by Microsoft. Of the anti-spyware programs, Spy Sweeper is currently the most effective program at detecting and deleting spyware. However, no program finds everything. If one’s computer is slowed down by spyware, it may be necessary to try more than one program to eliminate a problem.
Antivirus
Antivirus programs protect against a variety of malicious programs. Principally, it protects against viruses, worms, and Trojan horses. Such programs may display an innocuous message on one’s computer. They may hijack a computer to send copies of themselves to users in one’s e-mail address list. They may also steal information on one’s computer and mail it to another address. They may corrupt system’s files that shut down the computer or they may hijack an Internet browser program to redirect it to sites other than those requested.
A comparison of antivirus programs may be found at http://find.pcworld.com/49708 . The two most common antivirus programs are the McAfey Antivirus program and The Symantec Antivirus program. There are numerous other programs, some available for free on the Internet. There are also virus programs that disguise themselves as antivirus programs, so that one’s computer becomes infected in the process of purging other virus programs from the computer.
Encryption and Digital Signing
Human service providers often have needs to share information between staff or with personnel at other agencies. It is common to transmit this information as attached files. Such attachments should be encrypted so that confidentiality is maintained in case malicious programs on the Internet should intercept the e-mail.
Encrypt transmitted data, especially email and wireless data. Many of the e-mail programs have the option of encrypting outgoing e-email. Attachments can also be encrypted. Two of the more common encryption schemes conform to standards known as PGP and GNU, named for the software that originally encrypted files using those procedures. These procedures require sending a password separately that is used to authorize the decryption of the files.
A third encryption procedure does not require sending separate passwords. It uses procedures referred to as digital signing and Certificates of Authenticity. Digital signing encrypts files and identifies it as having been sent by a particular user. To decrypt such files the recipient must arrange to receive a password that is stored on the computer. When a file encrypted with a digital signature is received, one’s computer looks for a corresponding Certificate file and uses the password contained therein to automatically decrypt the file. Certificates are often time limited. They may expire after a specified date; no longer decrypting files after the expiration date unless the Certificate is renewed. In contrast, files encrypted with PGP or GNU procedures may always be decrypted with the password used to encrypt them.
Firewall
A firewall is software that screens communication between one’s computer and other computers. They try to prevent network and Internet computers from being taken over by unauthorized users. They also block external malicious software that is trying to communicate directly with systems software.
Anyone whose computer is connected to a network or to the Internet needs a Firewall. Hackers have become very proficient at finding computers in the Internet that don’t have a firewall. While the risk to dial-up users is less because their connection to the Internet tends to be shorter, even a short connection can be long enough for a hacker to find a vulnerable port and send malicious software through it.
Computers with broadband and DSL connections, which are live twenty-four hours a day, are in even greater need of firewall software. Most computers today have a “wakeup” capacity in which an external computer can send a message to another computer’s port that turns on the other computer. The default setting for many computers is to turn off the wakeup feature, but sometimes it is left on. A malicious virus may also activate the wakeup feature and send an e-mail to an external user that it has been turned on, allowing the hacker to then turn on the computer late at night when it is unlikely to be observed and take over the computer. Prudent users will verify that the wakeup feature of their computer is turned off unless there is a compelling need for the user to access their own computer externally. If that is the case, there is special software and hardware that can allow it to be done only by authorized users.
Four of the more common firewalls are: Symantec/Norton Firewall, McAfey Firewall, Windows Firewall, and AOL firewall. Newer Windows based computers come with the Windows Firewall installed. This serves man generic purposes. However, the Windows Firewall can create problems for other firewall programs if it is left on. Only one firewall program should be running at a time. If you wish to use the Norton, McAfey, or AOL firewalls, the Windows firewall should be turned off. Similarly, if one has an AOL account and wants to use the Norton of McAfey firewalls, the AOL firewall should be turned off.
Password Protection
Passwords can be used to secure access to files, databases, and individual fields within a database. Choosing a good password is not so easy because it must be easily remembered, but not easily guessed. In addition, it is desirable to have upper and lower case letters, as well as numbers. That makes it harder to guess the password or for software that searches for passwords to hit upon it randomly. Passwords should also be changed periodically to prevent individuals who have gained unauthorized access from continuing to exploit the system.
© 2005 William Holmes