LSUHealthLogo

Office of Compliance Programs

Information Security for LSUHSC-NO Executive Management

Revised February 10, 2017
VCAdminChancellorsOfficeDeansOffice

Why is Information Security So Important to LSUHSC-NO?

Ignoring Information Security Has Its Costs

According to a report by the Ponemon Institute, the average cost of a data breach to an institution in 2015 was $4 million.

In 2010, a physician employed by Columbia University attempted to deactivate a personally-owned computer server on Columbia's computer network which was shared by New York Presbyterian Hospital. Because of a lack of technical safeguards on the network, the de-activation of the server resulted in the information of New York Presbyterian Hospital patients being accessible on internet search engines. New York Presbyterian and Columbia University settled with the Department of Health and Human Services for $4.8 million.

In 2014, personal information on 146,000 students and recent graduates of Indiana University were exposed to the Internet. The response and mitigation efforts cost the university approximately $130,000.

In 2016, University of Central Florida had personal information on 63,000 employees and students stolen by hackers. Letters were mailed to each of the victims offering free credit monitoring and identity protection services.

Some Laws and Regulations Requiring the Protection of Information

Elements of Information Security

Information security is comprised of three conflicting elements. In order of importance, these elements are:

  1. Integrity, i.e. the information is accurate and complete. If the information is neither accurate nor complete, it does not matter whether it is available and presents no risk if confidentiality is compromised. 
  2. Availability, i.e. being accessible and usable, on demand, by those individuals who have a demonstrated need for the information. If information cannot be made available to those who need it, when they need it, it is useless.
  3. Confidentiality, i.e. being inaccessible to those individuals without a demonstrated need for the information. 
Integrity Availability Confidentiality Triangle

Achieving a Balance

Information can easily be kept confidential by denying access to everyone. However, that means that no one can access the information when they need it nor can anyone update the information to ensure that it is accurate and complete.

Availability can easily be assured by providing access to everyone. However, it is difficult to maintain the integrity of the information when anyone can make changes to it and there is no confidentiality if everyone can access the information.

Integrity can easily be assured by granting access only to those individuals responsible for keeping the information accurate and complete. However, confidentiality suffers a little bit because access is being granted, and wherever access is granted, there is a risk of a breach. Furthermore, availability suffers because those that need to use the information don't have access.

Only by striking a balance that reasonably protects the confidentiality of the information while ensuring its accuracy and its availability to those who need it, will a security program be successful.

Balancing Security and Productivity

Balancing integrity, availability and confidentiality can also be viewed as balancing productivity and security. Individuals who come to work and learn at LSUHSC-NO do so in order to pursue their chosen course of study, conduct their research, care for their patients or to provide services that support these endeavors. Few, if any come with the idea that they will be learning and practicing information security.

Yet our students, our patients and our employees trust that the information they share with us will be kept secure from unwarranted exposure. This trust is vital to the relationship between professor and student, physician and patient, and supervisor and employee.

Studies have shown that if information security requirements are too onerous, employees will, more often than not, circumvent the security measures.  The key to avoiding this situation is developing a risk management program tailored to the University's needs. The risk management program should:

Compliance Does Not Always Equal Security

There is a great temptation to simply run down the list of requirements in a law or regulation and ensure the University has response for each one.

While this approach may be helpful in preparing for an audit, it can create a false sense of security when facing real-world threats to the University's information. In some cases, such an approach can increase the University's exposure. For example, if the completed risk assessment identifies risks to the University's information that are not subsequently mitigated, the University has simply documented that it knew about the threats and did nothing about them.

This approach may also lead to wasted spending on information security. For example, there have been many reports in the press and elsewhere about the insecurity of email transmission and its susceptibility to interception. Many vendors offer email encryption software. Yet, in the over thirty years since email has been in use, there has not been a documented breach caused by an email being intercepted in transit. Information from the Open Security Foundation shows that over 90% of email breaches are due to the sender typing in the wrong email address or attaching the wrong file to the email. Encryption would not provide any protection in either of these instances since the decryption keys would be provided, rightly or wrongly, to the recipient specified in the email. If the goal is to reduce breaches from emails, it would be more effective to invest in strategies that ensure correct email addresses and appropriate attachments.

No law or regulation can accurately anticipate every environment or circumstance. However, a security program built on a thorough risk management process stands the best chance of being effective without unduly burdening the goals and objectives of the University.

Security is Not a Technology Issue, It is a Process Issue

There is an ample supply of vendors who will sell you a "HIPAA compliant" messaging solution or a "GLBA compliant" cloud solution. While technology plays an important role in any information security program, a truly effective program is one that combines technical safeguards with administrative and physical safeguards to address the risks to the University's information identified in the University's risk management process. Another advantage is that while a technology purchased today will, more than likely, become obsolete in two to three years, a well-designed risk management process can drive appropriate changes to the University's information security plan so that it remains effective against new threats.

Spear-Phishing

As an executive of a large organization, you have a target on your back drawn by hackers. Universities are rich repositories of user and research data, with a fluid student body and a user base that demands openness and access. Your authority to take broad, sweeping actions, that in many cases go unquestioned, make you a desirable subject for manipulation. Unlike other forms of social engineering, spear-phishing attacks are well planned and specifically targeted at high ranking individuals. University officials with the authority to transfer large sums or grant broad access to information are identified by hackers. Their backgrounds are thoroughly researched. Communications are carefully crafted to appear as genuine as possible so that the recipient will have no suspicion that the request is a scam.

If successful, the reward is immense. In June of 2015, a spear-phishing campaign against officials of Ubiquiti Networks, an American network technology company,  tricked them into transferring $46.7 million into the hackers accounts.

Sometimes the object is to obtain information. In 2011, the systems of Epsilon, an email marketing services company, were compromised through a spear-phishing attack. The hackers obtained a list of email addresses of the officials at a large number of Fortune 500 companies who were clients of Epsilon. The hackers then used those emails in a subsequent spam campaign that netted them over $2 million.

Spear-Phishing Defense

Whenever you are presented with a request that did not result from a face-to-face encounter, ask yourself the following:

  1. What are the consequences if this request turns out to be a scam? If the answer causes alarm then:
  2. What is the best way to confirm that the request is genuine?

For example, earlier this year, the W-2 information on employees at 55 separate companies was compromised when officials at each company received emails that purported to be from either the CEO or CFO requesting a list of W-2 information for all employees. The emails arrived in January when such a request would not appear out of the ordinary. Had the recipients of those emails considered the possibility of a scam and simply called the presumed originator of the request, the breach of thousands of employees' personal information could have been avoided.

As an LSU Leader

Getting Help

If you have any questions, please contact the Office of Compliance Programs by: