LSUHealthLogo

Office of Compliance Programs

Information Security Training for Appropriate Use of Cloud Computing Services

Protecting Yourself and Your University in the Digital World

Revised July 10, 2018
CloudComputing

Introduction

Welcome to the LSUHSC’s Information Security training module on the appropriate use of Cloud Computing Services. It is intended for all employees and students who have access to LSU’s computing resources and must be renewed on an annual basis.

Cloud computing is becoming the norm for managing information. It offers increased opportunities for collaboration, access to extremely large data sets and immense computing power for simulation and problem solving. Along with these opportunities come increased risks to the security of information. If appropriate precautions aren’t taken  information about your students, patients and co-workers, as well as your own personal data can be breached.

example GHS Product Label
(Image credit:By Sam Johnston - Created by Sam Johnston using OmniGroup's OmniGraffle and Inkscape (includes Computer.svg by Sasa Stefanovic)This vector image was created with Inkscape., CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=6080417

(Click or tap image for expanded view)

What is Cloud Computing?

Need to know

What You Need to Know

Goals for This Training

Examples of Cloud Services and How They are Accessed

Accessing Cloud Services

Cloud Services can be accessed in many different ways:

Be aware of any default settings on personally owned devices that may automatically copy information to a cloud drive.

Google Data Center Map

Where's My Data?

Generally speaking, if data is available on multiple devices, it means that data is stored on somewhere other than your personal device (usually on the Internet) and additional  precautions must be taken if that data is to be secure.

Because digital information travels at the speed of light, the actual computer that stores information can be located thousands of miles away from the user. Many cloud service providers have facilities in different countries. It is not unusual for cloud services companies to keep multiple copies of information in different countries as part of their disaster recovery strategy.

If the information on your personal device is copied to a cloud server in another country, it is no longer subject to the protections of U.S. laws. Intellectual property, patient information, employee information and student information would lose their privacy protections.

Unless there is a contract that specifies your data will only be stored on equipment located in the United States, you have no control over where the data is located or who can access it.

Google Data Center Locations

United States

Overseas

Laws Governing the Use of Information at LSUHSC-NO

Laws that govern the use and disclosure of information at LSUHSC-NO include but are not limited to:

These laws have very strict requirements for:

Shadow Computing

Shadow Computing

The availability of free cloud computing services makes it easy to automate many functions and make them available to multiple healthcare providers at multiple locations without having to involve the I.T. department.

The problem with this approach is that the cloud computing services are generally not subject to, nor compliant with, the laws and regulations that apply to information about LSUHSC patients, students, faculty and staff. LSUHSC-NO would need to execute a business associate agreement or other confidentiality agreement before these services could be used by and for LSUHSC-NO employees, patients and students.

Each of the examples described above depending upon the specific circumstances could be considered a breach requiring the patients and the Secretary of the Department of Health and Human Services be notified.

Because such services generally are not subject to and don’t comply with laws applicable to LSUHSC-NO and because such activities occur without oversight by LSUHSC-NO management, these activities are called “shadow computing”.

Using Personal Accounts

When an individual stores LSUHSC-NO related information in a personal email or online storage account, that individual becomes the custodian of that information.  As custodian they become responsible for:

Keeping all your work or school related information on LSUHSC-NO network servers (e.g. "O:" drive, "T:" drive, etc.) or LSUHSC-NO contracted cloud services (e.g. One Drive for business)is the easiest way to comply with all of the above requirements.

Information Classification

To address the requirements of these laws and regulations, Permanent Memorandum 36 Louisiana State University System Information Security Plan (PM-36) provides for three classes of information:

Courts have ruled that for purposes of e-discovery or public records requests, whether the information resides on the agency’s own devices or the personal devices of its employees. LSUHSC-NO bears the responsibility for producing the information under penalty of law. Therefore, faculty, staff and students must understand that there is no expectation of privacy regarding LSUHSC-NO related information, even if it resides on one’s personally owned device or personal email account or personal cloud account.

Cloud Service Providers and the Law

Most cloud service providers are not subject to the information privacy laws applicable to LSUHSC-NO. For that reason, patient or financial information stored on the servers of a cloud services provider without having the appropriate business associate or data confidentiality agreement in place could be considered a breach requiring the notification of the individuals whose information was exposed.

PM-36 requires that Protected and Restricted Information shall not be transmitted outside the confines of the LSUHSC network without the use of appropriate safeguards to preserve its confidentiality and integrity. Protected information shall not be shared with contractors or other business associates without an approved agreement in place governing the use, handling and disclosure of the confidential information.

The LSUHSC-NO I.T. Department maintains the necessary agreements with certain cloud providers. If you need cloud computing services, check with the LSUHSC-NO I.T. department to find out which services can be used securely for Protected and Restricted information.

Cloud Services Carry Their Own Security Risks

Cloud computing services are provided by large Internet companies such as Google, Amazon, and Apple. These companies are the favorite target of hackers.

Mat Honan, a senior staff writer for the publication Wired.com fell victim to a multi-pronged attack by hackers against the cloud services he used. The perpetrators needed only Honan's Apple ID email address, billing address, and the last four digits of his credit card to wreak havoc on his digital life. In the space of one hour, the hackers succeeded in:

Follow this link for more details.

In one respect, Mr. Honan was lucky. There was enough information in his cloud services accounts for someone to steal his identity, clean out his bank account and charge up his credit cards. However, all they wanted was control of his Twitter account.

Hackers are not the only concern. If you are using a cloud computing service that is also being used by individuals targeted by law enforcement, you may lose access to your data. In 2011, the FBI seized 62 servers in a raid on the offices of a Swiss company DigitalOne in Reston, VA as part of an investigation into the LulzSec hacker group. As a result of the seizure, cloud services for 120 companies, unrelated to the hacker group, were taken offline and remained offline for several days.

In 2009, the FBI seized all the servers in  Dallas data center operated by CoreIP. The raid shut down the servers of 50 businesses.

In 2012, Hurricane Sandy caused outages in several online services including the Huffington Post, Buzzfeed and Gawker.

In September 2015, a new feature of Amazon Web Services called DynamoDB overloaded servers with metadata requests knocking Reddit, Tinder, Netflix, IMDB and many other websites and apps offline for seven hours.

Email

Chancellor’s Memorandum #42 (CM – 42) Information Technology (IT) Infrastructure states:

“All users of the SYSTEM IT infrastructure shall NOT use non-LSUHSC E-mail to conduct official LSUHSC business unless authorized by the Chancellor.”

All faculty, staff and students are responsible for information sent to and from their lsuhsc.edu email addresses. Do not use any email system other than “@lsuhsc.edu” to send or receive LSUHSC-NO related information including protected or restricted information. Emails from one “@lsuhsc.edu” email address to another are protected by a variety of security measures and are considered safe for protected and restricted information. Emails can be sent securely from the lsuhsc.edu to other domains using a form of encryption called Transport Layer Security (TLS). To find out if the intended destination of your email supports this encryption refer to the Encrypted Email - Site to Site List.

Outgoing encrypted email connections rated at 100% are secure.

If the domain is not secure, the information can be transferred using LSU Health FileS. (Add this link to your browser favorites! )

Do not automatically forward email from your lsuhsc.edu account to a non-LSU email system. Email in your LSUHSC inbox may contain sensitive information. If it is sent to a non-LSU email system that does not have the appropriate security precautions in place, a data breach may result.

LSUHSC-NO Servers are:

Requirements for Using Cloud Services for LSUHSC-NO Data

A written contract must be executed with the cloud service provider to ensure that:

The Cloud vs LSU

(Click or tap image for expanded view.)

Use LSUHSC-NO I.T. Services

The safest thing to do is use LSUHSC-NO IT services for your data needs.

Keep Personal and Work Activities Separate

If you access your email accounts on your phone:

Meet Sara

student

Sara has started a student group to help individuals with transportation to their healthcare appointments. Her volunteers need to access a schedule showing the patient’s name, address, clinic address, and reason for the visit so they can get the patients to their appointments on time.

Should Sara?

The answer is . . .

Contact her IT supporter for help in setting up an on-line calendar on the LSUHSC network.

Because the information includes the reason for the visit, the information could be PHI and therefore it is Protected Information under PM-36. Sara needs to ensure that appropriate protections are in place for that information. The easiest way to do that is to keep the information on the LSUHSC network.

Meet Dr. Jadarius

Jadarius

Dr.Jadarius is chief resident this year. To help with the communications with all the residents in the program he’d like to set up an email address called Chief Resident that can be used to send out announcements and to serve as a central point for scheduling requests, etc.

Should Dr. Jadarius?

The answer is . . .

Contact LSUHSC Information Security to set up the email account, ChiefResident@lsuhsc.edu.

Even though the email account will only be used for administrative purposes, those purposes are related to Jadarius’ duties as an LSUHSC chief resident and as such are official business of the university. In accordance with CM-42, that must be done using an lsuhsc.edu account.

Meet Dr. Lapayerre

Doctor

Dr. Lapayerre is a member of the LSUHSC-NO faculty. To help him with his busy schedule, he relies heavily on his state-of-the-art smartphone.

One day a colleague, Dr. Smith, to whom he had referred a patient, asked for some additional information. Dr. Lapayerre sent a detailed reply including the H&P, test results, and current medications from his smartphone. Dr. Smith replied by saying, “Who is lapdog1975@prodigy.com and why does he know so much about your patient?”

Dr. Lapayerre is aghast! lapdog1975@prodigy.com is his personal account. He could have sworn he sent the email from his lsuhsc.edu account. What went wrong?

What Went Wrong?

To ensure he did not miss anything, Dr. Lapayerre combined the inboxes of both his personal email account and his lsuhsc.edu account.

When Dr. Smith’s inquiry arrived, Dr. Lapayerre had been in the middle of responding to an email from his wife. When he switched to respond to Dr. Smith, he forgot to check the “From:” address to ensure it said “@lsuhsc.edu.”

As a result, the information on his patient has been stored on the prodigy.com servers.

What does he do now?

Immediately:

The privacy officer will conduct a risk assessment to determine if the patient will need to be notified of the disclosure in accordance with the HIPAA Breach Notification Rule.

To prevent a recurrence, Dr. Lapayerre should install separate mail apps on his phone, one set up to access only his personal email account and one set up to access only his LSUHSC email account.

Data Breaches

A data breach occurs when sensitive information is accessed by unauthorized persons.Federal and State laws require that persons whose personal, financial, or health information is compromised by a data breach must be notified that their information has been disclosed.

Information that is encrypted is exempt from these notification requirements.

Data breaches can expose LSUHSC and its employees to civil and criminal penalties.

Civil monetary penalties for data breaches range from $100 to $50,000 per record.

Criminal penalties include imprisonment for up to ten years.

The employee’s or student’s department will be held responsible for any data breaches that occur and will bear the expenses incurred in mitigating a breach.

Getting Help

If you have any questions, please contact the Office of Compliance Programs by: