Chapter 15 Information Copyright and Fair Use and Network Security
Page 1: Ch15 power point

Chapter 15 Information Copyright and Fair Use and Network Security

Page 2: Ch15 power point

Objectives

• Explore information fair use and copyright restrictions.

• Describe processes for securing information in a computer network.

• Identify various methods of user authentication and relate authentication to security of a network.

• Explain methods to anticipate and prevent typical threats to network security.

Page 3: Ch15 power point

Fair Use of Information and Sharing

• Copyright laws in the world of technology are notoriously misunderstood.

• The same copyright laws that cover physical books, artwork, and other creative material are still applicable in the digital world.

Page 4: Ch15 power point

Fair Use of Information and Sharing

• Almost all software, music CDs, and movie DVDs come with restrictions of how and when copies may be made.

• Most computer software developers allow for a backup copy of the software without restriction.

• Technology advances have made the sharing of information easy and extremely fast, thus open to violations of copyright and fair use.

Page 5: Ch15 power point

Fair Use of Information and Sharing

• Avoid downloading music illegally from the Internet and do not use information from the Internet without permission to do so or citing the reference appropriately.

• Health care organizations that allow access to the Internet from a network computer should ensure that users are well aware of and compliant with copyright and fair use principles.

Page 6: Ch15 power point

Fair Use

• Permits the limited use of original works without copyright holder’s permission.

• An example would be quoting or citing an author in a scholarly manuscript.

• The user is responsible for developing appropriate citations.

• Citing inappropriately or not at all is plagiarism.

Page 7: Ch15 power point

Securing Network Information

• The linking of computers together and to the outside creates the possibility of a breach of network security, and exposes the information to unauthorized use.

• The three main areas of secure network information are confidentiality, availability, and integrity.

Page 8: Ch15 power point

Confidentiality

• Safeguarding all personal information by ensuring that access is limited to only those who are authorized.

• “Shoulder surfing,” or watching over someone’s back as they are working, is still a major way that confidentiality is compromised.

Page 9: Ch15 power point

Acceptable Use

• Organizations protect the availability of their networks with an acceptable use policy.

• Defines the types of activities that are acceptable and not acceptable on the corporate computer network.

• Defines the consequences for violations.

Page 10: Ch15 power point

Information Integrity

• Quality and accuracy of networked information

• Organizations need clear policies to clarify:

– how data is actually inputted,

– who has the authorization to change such data, and

– to track how and when data are changed and by whom.
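The three policy points on this slide, sketched as an added example (not part of the original slides): a record that can only be changed by an authorized role and that logs who changed what and when. The field names, roles and the hash link between log entries are assumptions made for illustration; the hash link goes beyond the slide and makes later edits to the log itself detectable.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed policy: which roles may change which fields (hypothetical names).
WRITE_POLICY = {"allergies": {"nurse", "physician"}, "medication_dose": {"physician"}}


class AuditedRecord:
    """A record whose fields change only through update(), which logs every change."""

    def __init__(self, data):
        self.data = dict(data)
        self.trail = []  # append-only list of change entries

    def update(self, user, role, field, new_value, when=None):
        # Policy point: who has the authorization to change such data.
        if role not in WRITE_POLICY.get(field, set()):
            raise PermissionError(f"{role} may not change {field}")
        # Policy point: track how and when data are changed and by whom.
        entry = {
            "who": user,
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "field": field,
            "old": self.data.get(field),
            "new": new_value,
            # Link to the previous entry so later edits to the trail are detectable.
            "prev": self.trail[-1]["hash"] if self.trail else "0" * 64,
        }
        entry["hash"] = _digest(entry)
        self.trail.append(entry)
        self.data[field] = new_value
        return entry

    def verify_trail(self):
        """Return True if every entry still matches its hash and links to the one before it."""
        prev = "0" * 64
        for entry in self.trail:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def _digest(body):
    # Canonical JSON so the same entry always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
```
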

Page 11: Ch15 power point

Authentication of Users

• Authentication of employees is also used by organizations in their security policies.

• Organizations authenticate by:

– something the user knows (password),

– something the user has (ID badge), or

– something the user is (biometrics).

Page 12: Ch15 power point

More About Authentication

• Policies typically include the enforcement of changing passwords every thirty or sixty days.

• Biometric devices include recognizing thumb prints, retina patterns or facial patterns.

• Organizations may use a combination of these types of authentication.

Page 13: Ch15 power point

Threats to Security

• A 2003 nationwide survey by the Computing Technology Industry Association (CompTIA) found that human error was the most likely cause of problems with security breaches.

• The first line of defense is strictly physical.

• The power of a locked door, an operating system that locks down after five minutes of inactivity, and regular security training programs are extremely effective.

Page 14: Ch15 power point

Threats to Security

• One way to address this physical security risk is to limit the authorization to ‘write’ files to a device.

• Organizations are also turning off the CD/DVD burners and USB ports on company desktops.

Page 15: Ch15 power point

Threats to Security

• The most common threats a corporate network faces from the outside world are hackers, malicious code (spyware, viruses, worms, Trojan horses) and the malicious insider.

• Spyware is normally controlled by limiting functions of the browser used to surf the Internet.

Page 16: Ch15 power point

Cookies

• A “cookie” is a very small file written to the hard drive of a user surfing the Internet.

• On the negative side, cookies can also follow the user’s travels on the Internet.

• Spying cookies related to marketing typically do not track keystrokes to steal user ids and passwords.

Page 17: Ch15 power point

Threats to Security

• Spyware that does steal user ids and passwords contains malicious code that is normally hidden in a seemingly innocent file download.

• Another huge threat to corporate security is social engineering, or the manipulation of a relationship based on one’s position in an organization.

Page 18: Ch15 power point

Malicious Insider

• The number one security threat to a corporate network is the malicious insider.

• There is also software available to track and thus monitor employee activity.

• Depending on the number of employees, organizations may also employ a full time electronic auditor who does nothing but monitor activity logs.

Page 19: Ch15 power point

Security Tools

• There is a wide range of tools available to an organization to protect the organizational network and information.

• These tools can be either a software solution such as antivirus software or a hardware tool such as a proxy server.

Page 20: Ch15 power point

Security Tools

• E-mail scanning software and antivirus software should never be turned off, and updates should be run weekly or, ideally, daily.

• Software is also available to scan instant messages and to automatically delete spam e-mail.

Page 21: Ch15 power point

Firewalls

• A firewall can be either hardware or software or a combination of both.

• A firewall can be set up to examine traffic to and from the network.

• Firewalls are basically electronic security guards at the gate of the corporate network.

Page 22: Ch15 power point

Proxy Servers

• Hardware security tool to help protect the organization against security breaches by:

– preventing users from directly accessing the Internet from corporate computers.

– issuing masks to protect the identity of a corporation’s employees accessing the World Wide Web.

– tracking which employees are using which masks and directing the traffic appropriately.

Page 23: Ch15 power point

Intrusion Detection Systems

• Hardware and software to monitor who is using the organizational network and what files that user has accessed.

• Corporations must diligently monitor for unauthorized access of their networks.

• Remember: Any use of a secured network leaves a digital footprint that can be easily tracked by electronic auditing software.

Page 24: Ch15 power point

Offsite Use of Portable Devices

• Offsite use of portable devices such as laptops, PDAs, home computing systems, smart phones, and portable data storage devices can help to streamline the delivery of health care.

• Some agencies have developed a virtual private network (VPN) that the user must log in to in order to reach the network.

• The VPN ensures that all data transmitted via this gateway is encrypted.

Page 25: Ch15 power point

Offsite Use of Portable Devices

• Only essential data for the job should be contained on the mobile device, and other non-clinical information such as social security numbers should never be carried outside the secure network.

• The agency is ultimately responsible for the integrity of the data contained on these devices as required by HITECH and HIPAA regulations.

Page 26: Ch15 power point

Offsite Use of Portable Devices

• If a device is lost or stolen, the agency must have clear procedures in place to help ensure that sensitive data does not get released or used inappropriately.

• The Department of Health and Human Services (2006) identifies potential risks and proposes risk management strategies for accessing, storing, and transmitting EPHI. Visit this website for detailed tabular information (pp. 4-6) on potential risks and risk management strategies: http://www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806.pdf

Page 27: Ch15 power point

Thought Provoking Questions

1. Jean, a diabetes nurse educator, recently read an article in an online journal that she accessed through her health agency’s database subscription. The article provided a comprehensive checklist for managing diabetes in older adults that she prints and distributes to her patients in a diabetes education class. Does this constitute fair use or is this a copyright violation?

Page 28: Ch15 power point

Thought Provoking Questions

2. Sue is a COPD clinic nurse enrolled in a Master’s education program. She is interested in writing a paper on the factors that are associated with poor compliance with medical regimens and associated re-hospitalization of COPD patients. She downloads patient information from the clinic database to a thumb drive that she later accesses on her home computer. Sue understands rules about privacy of information and believes that since she is a nurse and needs this information for a graduate school assignment that she is entitled to the information. Is Sue correct in her thinking?