Cyber Security

Awareness Training:
CVI Biomedical Informatics
Core Facility

BMIC Secure Computing Environment

 Introduction
This BMIC Security Awareness course is required of all
individuals utilizing data or applications on BMIC servers.
Careful review of these slides and return of your signed
certification document to David Birtwell (Blockley 1317)
will fulfill your requirement for annual information
security awareness training established under CVI and
University of Pennsylvania policy. Remember that while
the information you review in this course is specific to
the BMIC, many of the principles which are discussed
are also relevant to you as an personal computer user in
other environments.

BMIC Secure Computing Environment

 Introduction
• "Cyber Security Awareness" is the knowledge that
individuals authorized to utilize the BMIC Secure
Computing Environment (BMIC SCE) share the
responsibility to protect the computer system and the
data stored there. Cyber Security Awareness refers to
the personal responsibility each of us assumes for
ensuring:
– the confidentiality and integrity of private data.
– timely and uninterrupted availability of BMIC SCE
resources for all authorized users.
– University and BMIC SCE information systems are
protected from the potential of fraud, waste and
abuse.
BMIC Secure Computing Environment
 Why the BMIC exists
• The BMIC exists to provide a highly secure computing
environment for CVI investigators and their authorized
research staff members.
• As such, the BMIC Secure Computing Environment
provides for the storage and analysis of highly sensitive
biomedical data, including individually identifiable
electronic records, provided by health care systems,
insurers, and/or the federal government.

BMIC Secure Computing Environment

 The Importance of Securing
Federal Data on the BMIC SCE
• Use of federal data (Medicare, Medicaid, etc.) is a
privilege granted by the federal government under strict
Data Use Agreements with University faculty.
• The government is extremely sensitive to misuse or
loss of its data. A recent loss of a portable disk drive by
a research staff member in a VA hospital in Alabama
nearly resulted in the permanent cancellation of all
research activities that use VA data nationwide. The
same could easily happen were Medicare, Medicaid, or
other sensitive federal data to be lost or misused.

BMIC Secure Computing Environment

 Penalties for Violations of
Data Use Agreements
• Breaches of these agreements, including but not limited
to loss of portable storage devices with government
data, computer log evidence of unapproved downloads,
or access or use of data by unauthorized persons, could
lead to:
– Criminal prosecution, including substantial fines and
prison time, for research staff and their principal
investigators.
– Cancellation of ALL research data use agreements at
the University of Pennsylvania by the federal
government, adversely affecting the careers of over
100 faculty and staff.
BMIC Secure Computing Environment
 Key Contacts
• Please be aware of any activity that might violate and/or
compromise the security of UPENN and the BMIC
information systems.
• Report all incidents to:
– David Birtwell, Research Informatics Project Leader
[email protected]
– Nate DiGiorgio, Systems Architect
[email protected]

BMIC Secure Computing Environment

 HIPAA
• The Health Insurance Portability and
Accountability Act was passed by congress in
1996.
• Title II of HIPAA imposes security guidelines on
use of Protected Health Information.
• Researchers at CVI and across the University of
Pennsylvania are bound by HIPAA when
conducting research using Protected Health
Information.

BMIC Secure Computing Environment

 Protected Health Information
• Protected Health Information includes any
personally identifiable health information
including genotype, phenotype, provision of
health care, and payment of health care
information.
• Any data that can be linked, even indirectly, to a
person is considered personally identifiable.
• PHI that is used for research is protected under
HIPAA.

BMIC Secure Computing Environment

 Personal Identifiers
• The following types of data should be considered
personal identifiers:
– Name – Account number
– Address including city and – Certificate/license number
zip code – Device identifiers and serial
– Telephone number number
– Fax number – Vehicle identifiers and
– E-mail address serial number
– Social security number – URL
– Date of birth – IP address
– Medical record number – Biometric identifiers
– Health plan ID number including finger prints
– Dates of treatment – Full face photo and other
comparable image
BMIC Secure Computing Environment
 De-Identified Data
• De-identified data are data that contain no personal
identifiers (see previous slide).
• A de-identified data set may contain data of research
interest including genotype and phenotype data and still
be de-identified.
• A de-identified data set may contain locally generated
patient codes as long as these codes cannot be mapped
to a personal identifier such as a social security number
or medical record number.
• De-identified data are not PHI and their use is not
restricted by HIPAA. However, taking care with all
research data sets is recommended.

BMIC Secure Computing Environment

 Outline of Cybersecurity
Best Practices
• Data transfer
• Passwords
• Computer security habits
• Knowledge of what constitutes
misuse/inappropriate use of the server

BMIC Secure Computing Environment

 Data Transfer - Network
• E-mail is NOT a secure method for transferring data
between computers.
• The transfer of PHI by e-mail is strictly prohibited.
• PHI may be transferred over a computer network by
secure methods including:
– HTTPS upload or download
– Secure File Transfer Protocol (SFTP)
– Secure Copy (scp)
• If you have questions about secure network data transfer,
please contact the BMIC IT staff.

BMIC Secure Computing Environment

 Data Transfer - Portable Media
• Transferring data by portable media is sometimes required for large
data due to limited network bandwidth and time constraints.
• Portable media includes flash drives, portable hard drives, CDs, and
DVDs.
• PHI copied to portable media must be encrypted.
• As an alternative to transferring PHI via portable media, it is
recommended that the de-identified data be separated from the PHI
and only the de-identified data be copied to the portable media.
PHI linked to the de-identified data can be transferred using a
secure network connection.
• If you have questions about de-identification or data encryption,
please contact the BMIC IT staff.

BMIC Secure Computing Environment

 Passwords
• Passwords are important tools protecting the
BMIC information systems.
• Your BMIC password should not be the same as
a password used on any other computing
environment.
• Keep your password secret to protect yourself
and your work. If you must record your
password in order to remember it, keep it in a
secure place, to which only you have access.

BMIC Secure Computing Environment

 Passwords
• Passwords must:
– Be constructed of at least eight characters
– Contain at least one each of the following:
- Upper case letters (ABC...Z)
- Lower-case letters (abc...z)
- Numbers (0123456789)
- Special characters (!@#$%^&*-+()=.,?)
• Be changed at least every 120 days.
• Using these rules will provide you with a "strong"
password, which is required by the BMIC.

BMIC Secure Computing Environment

 Passwords
The following is an example on how to create a strong password:
• Think of a sentence that is meaningful to you and that you can
easily remember.
"I like a good cup of coffee in the morning."
• Now take the first letter of each word: Ilagcocitm
• Capitalize one or two letters: iLagcocitM
• Replace a couple letters with numbers that are similar to that letter:
E becomes 3, L or I becomes 1or !, a becomes @, o ("oh") becomes
0 (zero).
• "ILagcocitM" now becomes "1L@gc0c!tM.”
• This is a very strong password because it does not contain any
dictionary words and it contains all 4 types of characters that are
recommended (uppercase, lowercase, numbers and symbols).

BMIC Secure Computing Environment

 Passwords
• Many factors can contribute to poor passwords, which
are easily “hacked.” Some of the most notable are:
– Passwords that are not "strong“—see previous slides.
– Use of common words easily obtained from a
dictionary.
– Passwords referring to your personal life (for
example, names of family members or pets).
• Easily identifiable passwords are an open invitation to
hackers.

BMIC Secure Computing Environment

 Passwords
• Rules of Thumb:
– Follow the rules for strong passwords.
– Don't use personal references (names, birthdays, addresses,
etc.).
– Change your passwords at least every 120 days. If you
suspect that someone is trying or may have obtained your
password, change it immediately and inform the BMIC IT
staff.
– Be sure nobody can observe you while you type your
password. If you are in a shared office, position your
keyboard so that it is not easy to see what you type.
– If you record your passwords, you should store them in a
manner where they cannot be accessed by others.

BMIC Secure Computing Environment

 System Security:
6 Habits of Secure IT Users
There are some simple habits you can adopt that, if performed consistently,
may dramatically reduce the chances that the security of the HSRDC is
compromised.
1.Lock your computer when you are away from it
•Keyboard shortcut: Windows logo key + L
•Enable your screen saver to start after 15 minutes of inactivity and require a
password to sign back in.
2. Log off any application or server that is not in active use
•Even though BMIC applications timeout after 15 minutes of inactivity,
explicitly logging out provides added security.
3. Do not allow others except University information
technology local support providers to access your PC
•You are strongly recommended to limit access any other personal computer
you use to make a remote connection to the BMIC.

BMIC Secure Computing Environment

 System Security:
6 Habits of Secure IT Users
4. Do not use public PCs (e.g. library PCs with an internet
connection) or other shared devices to make remote
connections to the BMIC
•For example, if you are in a cafe in a new city and your computer reports
that 4 wireless networks are in range ("Starbucks1", "Sbux", "Star-bucks",
"Tmobile"), there is a chance you might accidentally select a malicious
network that is named in such a way to fool you into trusting it. It may be
designed to intercept your traffic or redirect your network packets
somewhere else.
5. Lock your office door when you leave your office
6. Enable host security software
•Install an AntiVirus client and enable automatic updates (Penn provides
Norton for Mac OS X and Symantec for Windows at
http://www.upenn.edu/computing/virus/).
•Make sure the host firewall is on ("Windows Firewall" for Windows users and
"Sharing" tab for Mac OS X users).
•Make sure Automatic Updates are enabled for Windows users.
BMIC Secure Computing Environment
 System Security:
Social Engineering
• Social engineering is an unauthorized person's
manipulation of your trust to get you to share
information or resources that you should not share.
• Allowing someone else to use your BMIC server or
application credentials is strictly prohibited. If someone
you know requires access to BMIC servers or
applications, please contact the BMIC IT staff.

BMIC Secure Computing Environment

 System Security:
Backups and Downloads
• Downloading of any data on a BMIC server to your own
PC, laptop, or portable storage devices is prohibited,
unless you have specific permission to do so in a Data Use
Agreement executed between the Principal Investigator of
your project and the Federal Government, State
Government, or other owner of the data.
• BMIC systems managers have implemented a redundant
system to ensure your work is saved in several places
(backed up) so it will not be lost in the event of a hardware
or software failure. There is therefore no reason to
keep backups of your BMIC data files on your own
PC or other personal computing equipment.
• If you have any questions about the backup procedures or
procedure to follow for data restoration, contact the BMIC
IT staff.
BMIC Secure Computing Environment
 Working With Data
• It is sometimes necessary to download data to a local computer
for analysis.
• Only download data to trusted computers with proper network
security in place (firewalls, etc..).
• Do not download data to laptops for analysis or persistent
storage.
• Whenever possible, work with de-identified data.
– Most analyses can be performed on de-identified data sets. Resist the
temptation to download PHI when it is not required.
• Delete local data sets when they are no longer needed.
– Snapshots of data sets which have permanent storage on BMIC
servers should not be persistently stored anywhere else.
• If you have any questions about procedures for working with
data locally, contact the BMIC IT staff.

BMIC Secure Computing Environment

 Misuse or Inappropriate Use/1
• Any use of the server for activities that are not
related to IRB and CVI approved research
projects or formal educational activities under
the direct supervision of a faculty member at the
University of Pennsylvania is expressly
prohibited.
• Use of the server for commercial purposes, or in
support of "for profit" activities, or in support of
other outside employment or business activity
(e.g. consulting for pay) is also prohibited.

BMIC Secure Computing Environment

 Misuse or Inappropriate Use/2
• The unauthorized acquisition, use,
reproduction, transmission, or distribution
of any controlled information including
computer software; copyrighted,
trademarked, or material with other
intellectual property rights beyond fair
use; proprietary data; or export-controlled
software or data is also prohibited.

BMIC Secure Computing Environment

 Misuse or Inappropriate Use/3
• The creation, uploading, storage, or
transmission of sexually explicit or sexually
oriented materials.
• The creation, uploading, storage, or
transmission of materials related to gambling,
illegal weapons, terrorist activities, and any
other illegal activities or activities otherwise
prohibited.
• Uploading unapproved software, unapproved
data, or any peer-to-peer file sharing (e.g.,
Kazaa) is also prohibited on the BMIC servers.
BMIC Secure Computing Environment
 Questions?
• Questions from students regarding these policies
should be directed to supervising faculty in your
degree programs .
• Questions from University staff should be
directed to your supervising principal
investigator.
• Questions from Principal Investigators and other
faculty members can be directed to:
– David Birtwell ([email protected])
– Thomas Cappola, MD, ScM
([email protected])
BMIC Secure Computing Environment
 Summary
• This brief presentation has outlined the policies for
secure use of the BMIC Secure Computing Environment
that must be followed to ensure this valuable resource is
protected and will continue to be available for health
services research at Penn.
• Please print and sign the accompanying certification
sheet indicating that you have reviewed and agree to
abide by the policies presented here.
• This form should be returned to David Birtwell by:
– Delivering the hard copy to 1317 Blockley Hall
– Scanning the form and e-mailing to
[email protected]
– Faxing a copy attention Christine Malloy to 215-898-3473.
BMIC Secure Computing Environment