Archive for the ‘Security Issues’ Category
To improve security and privacy, and to comply with a Federal government mandate, NCBI is moving all of its Web sites and services, including Web APIs, to HTTPS only by September 30, 2016, which was subsequently extended to November 9. At that point, HTTP traffic for GET and HEAD requests will be redirected. All other requests will be rejected. This change will provide users with greatly increased privacy and security on the NCBI site. To prepare for this change, NCBI ran a series of tests, which are now completed.
To comply with new government-wide security standards, all NCBI Web pages and API services will switch to the secure HTTPS protocol on September 30. At that time, when you visit NCBI web pages, you will see a green lock and https:// in the address bar instead of http://. This lets you know that you are really on an NCBI page; that the server identity is confirmed and that communication with the server is encrypted and private. General users of NCBI web pages need not update or change anything. You don’t need to clear your cache or update any links to NCBI pages that you’ve put on your own webpages or shared with anyone. All pages will automatically redirect to https://.
To help users transition smoothly with this change, registration is available for the 15-minute NCBI Minute webinar Important Changes to NCBI Web Protocols, on Wednesday, July 27, at 9:00 AM PDT. The session will cover details about how this change will affect access to NCBI pages and services. After the live presentation, the webinar will be archived on the NCBI YouTube channel for future viewing.
Beginning January 7, 2016, DOCLINE account passwords will need to meet new complexity requirements. On January 6, all DOCLINE libraries will receive email instructions on how to change passwords to meet the new requirements. The notification will include the specifics of what constitutes a valid password, as will the “change password” dialog. The specific instructions will not be made publicly available. Passwords should be changed on January 7 or shortly thereafter. Passwords not changed by February 1, 2016, will be automatically changed. The DOCLINE system must be changed to accept the new password requirements, and these changes will not be made until January 7. Therefore, passwords changed prior to January 7 will not meet the new requirements and will need to be changed again. As part of this security update, User IDs not used to log in during 2015 will be deleted on February 1, 2016, and libraries without User IDs active in 2015 will be set to non-participant status.
Due to recent software updates on nnlm.gov, Internet Explorer 8 is no longer supported. Some read-only sections of nnlm.gov will continue to be available via IE8. However, anyone using IE8 will probably not be able to submit assignments in online courses utilizing the NN/LM Moodle framework, and may not even be able to access and log into Moodle courses. Other nnlm.gov services that require data to be posted to the server are also likely to fail. In addition, DOCLINE will not support IE8 after the end of 2014. Please visit the NN/LM System Requirements page to see a complete list of supported browsers. For best usability, NLM recommends that libraries begin talking to their local IT departments about upgrading their browsers to at least Internet Explorer 10.
Starting January 12, 2016, Microsoft will drop support, including security updates, for older Internet Explorer browser versions. Only the most recent version of IE for a supported operating system will receive technical support and security updates. Microsoft’s Stay up-to-date with Internet Explorer blog page provides a good explanation of why IE users should upgrade to the most current version.
The Office of the National Coordinator for Health Information Technology’s (ONC) Office of the Chief Privacy Officer (OCPO) has released its second web-based security training module, CyberSecure: Your Medical Practice. This latest game focuses on disaster planning, data backup and recovery, and other elements of contingency planning. Contingency planning helps providers and staff prepare for power outages, floods, fires, or weather-related events such as hurricanes or tornadoes. These events can damage patient health information or make it unavailable. Planning for these events can help ensure that patient health information is protected and that patient information can be accessed when the disaster is over. This training module uses a game format that requires users to respond to privacy and security challenges often faced in a typical small medical practice. Users choosing the right response earn points and see their virtual medical practices flourish. But users making the wrong security decisions can hurt their virtual practices.
October is National Cyber Security Awareness Month, and is an opportunity for ONC to remind providers about the need to create contingency plans to assure a safe and secure cyber environment. Contingency Planning is also required by the HIPAA Security Rule.
The Office of the National Coordinator for Health Information Technology (ONC), Office of the Chief Privacy Officer (OCPO), recently launched a Privacy & Security Mobile Device project, in conjunction with the HHS Office for Civil Rights (OCR). The project goal is to develop an effective and practical way to bring awareness and understanding to those in the clinical sector to help them better secure and protect health information while using mobile devices (e.g., laptops, tablets, and smartphones). Building on the existing HHS HIPAA Security Rule – Remote Use Guidance, the project is designed to identify privacy and security good practices for mobile devices. Identified good practices and use cases will be communicated in plain, practical, and easy-to-understand language for health care providers, professionals, and other entities.
HHS will be looking for input. There will be a public roundtable event in Spring 2012. Information about other HHS mHealth activities is available on the mHealth Initiative web site.
The National Library of Medicine (NLM) wants to warn you about an Internet scam that uses the NLM name. The fraud involves scammers claiming to represent the NLM. They are promising employment with MedlinePlus if victims send money to them. The scammers say that the money will be used to purchase software and computer equipment to use in the position. NLM does not require prospective employees to make purchases for any reason. Do not send money to these individuals. NLM job listings are located online at: http://www.nlm.nih.gov/about/jobs/jobs.html and http://www.usajobs.gov/.
If you see a posting online offering work on MedlinePlus, please contact the Internet Crime Complaint Center and file a complaint with the proper government authorities.
Alison Aldrich, Technology Coordinator for the NN/LM Pacific Northwest Region, wrote an interesting blog post called “(Fire)Wallflowers Invited to Dance?” She presents some evidence that firewall rules against Web 2.0 tools (such as blogs, wikis, etc.) are beginning to relax a bit at hospital libraries. Her blog post is available at: http://nnlm.gov/pnr/dragonfly/2009/01/27/firewallflowers/
Well worth reading! Note also the comment below the blog post.