Information security in healthcare - a perspective on EMR Security


  1. Information Security in Healthcare - a perspective on EMR Security
     Presented by: Madhav Chablani @ IIHMR, New Delhi – Feb 12, 2012
     TippingEdge Consulting Pvt. Ltd. | CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party. | Independent Risk & Business Consulting | Information Systems Audit and Assurance Advisory | Enterprise Architecture and Integration Advisory
  2. Recurring Issues
     • The need for an overall standard in medical / clinical terminology
     • The need for data privacy, security and confidentiality
     • The challenges of data entry by physicians
     • The difficulties of integrating EMRs within the health care setting
  3. Premise @ US
     • To encourage adoption of electronic health record (EHR) technology, the Health Information Technology for Economic and Clinical Health (HITECH) Act portion of the US American Recovery and Reinvestment Act (ARRA) of 2009 includes financial incentives for health care providers and professionals who can demonstrate “meaningful use” of electronic health records.
     • While meaningful use measures cover a wide range of functional and technical capabilities, there is only one measure related to security and privacy:
     • Organizations implementing EHR technology must “conduct or review a security risk analysis…and implement security updates as necessary,” something they are already required to do under the US Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
     • The fact that this measure is already an obligation under HIPAA should make it easy to satisfy, but many health care organizations are not prepared to comply.
  4. HITECH: How the Pieces Fit Together
     [Diagram; labels recovered from the slide] Pillars: ADOPTION, MEANINGFUL USE, EXCHANGE. Programs: Regional Extension Centers; Workforce Training; Medicare and Medicaid Incentives and Penalties; State Grants for Health Information Exchange; Standards & Certification Framework; Privacy & Security Framework; Health IT Practice Research. Outcomes: Improved Individual & Population Health Outcomes; Increased Transparency & Efficiency; Improved Ability to Study & Improve Care Delivery.
  5. “MEANINGFUL USE”
     • Hospitals can’t just buy a system
     • Have to implement and use it “meaningfully”
     • Three phases, increasing test requirements: 2011, 2013, 2015
     • Some examples
       – Stage 1 – 23 criteria, self attestation
         • Record vital signs: Ht, Wt, BP, BMI
       – Stage 2 – not finalized, will require 3rd party certification
         • Record clinical documentation
       – Stage 3 – still vague
         • Real-time surveillance, clinical dashboards, safety, efficiency
  7. [Image slide; labels recovered] STATE HEALTH INFORMATION EXCHANGE; THE BEACON COMMUNITY PROGRAM; NHIN. Visit the ONC Web site: healthit.hhs.gov
  9. Where are we @ India
     Terms of Reference of the Committee - Sept. 2010
     Objective
     • The objective of the said Committee will be to recommend a set of EMR Standards for India to be followed by both public and private healthcare providers, the implementation of the standards, the procedure for dissemination and the procedure for continuous updating of the standards.
  10. 2. Scope
     • The standards to be developed will include the following:
       – Diagnosis coding
       – Procedure coding
       – Laboratory coding
       – Clinical Standards
     • EDI (Electronic Data Interchange) including
       – Data flow across hospitals
       – Integration with Telemedicine program
       – Integration with National Administrative Labs for data analysis
       – Middleware for interpreting with proprietary system
     • Standards for Continuity of Care Records which include administrative, demographic and clinical information
     • Common drug codes
     • Guidelines to meet standards set by organizations such as CCHIT, NABH, JCAHO, Meaningful Use etc.
     • Standards for interoperability both in terms of hardware and software
     • Security protocols for information security
     • Data privacy
     • Legal compliance
     • Standard formats/templates for clinical information capture including preparation of a data dictionary
     • As a part of its activities towards the above, the committee will, among other things:
       – Study the existing standards prevalent in the developed countries
       – Adopt, as far as possible, standards such as ICD 10, HL7, DICOM, LOINC and CPT, wholly or partly as applicable in the Indian environment.
       – Study the work done by the Task Force on Tele Medicine commissioned by the Ministry of Health and Family Welfare in the year 2007.
       – Study and recommend coding procedures for coding of hospitals, healthcare providers, healthcare professionals, drug manufacturers, healthcare providers and insurance companies.
       – Develop Standards for reporting
       – Study guiding standards such as WHO standards for interoperability
  11. 3. Deliverables
     • Draft set of Indian EMR Standards and guidelines.
     • Organize the workshop with a broad set of stakeholders to deliberate on draft EMR standards and guidelines
     • Create subcommittees for adoption / implementation of standards
     4. Schedule
     • All activities are to be completed in a timeframe of six months from the date of issue of the OM. The Committee may submit an interim report within 2-3 months.
     5. Resources and Budget allocation
     • MoHFW will provide the requisite resources and budget to the Committee for completing the activities.
  12. NABH Requirements
  13. Guidance on Risk Assessment
     • NIST Special Publication 800-30.
     • The ISO/IEC 27000 series of international standards covers risk assessment and risk management for information systems, particularly in ISO/IEC 27005 and the risk assessment section of ISO/IEC 27002.
     • Enterprise-level perspectives on assessing and managing risk can find relevant guidance in ISO 31000,
     • within major IT governance frameworks such as ISACA’s Risk IT: Based on COBIT,
     • or the risk management section of the Information Technology Infrastructure Library (ITIL).
  14. ISO 27799:2008 Health informatics -- Information security management in health using ISO/IEC 27002
     • ISO 27799:2008 defines guidelines to support the interpretation and implementation in health informatics of ISO/IEC 27002 and is a companion to that standard.
     • ISO 27799:2008 specifies a set of detailed controls for managing health information security and provides health information security best practice guidelines. By implementing this International Standard, healthcare organizations and other custodians of health information will be able to ensure a minimum requisite level of security that is appropriate to their organization's circumstances and that will maintain the confidentiality, integrity and availability of personal health information.
     • ISO 27799:2008 applies to health information in all its aspects; whatever form the information takes (words and numbers, sound recordings, drawings, video and medical images), whatever means are used to store it (printing or writing on paper or electronic storage) and whatever means are used to transmit it (by hand, via fax, over computer networks or by post), as the information must always be appropriately protected.
  15. • The confidentiality of personal health information is often largely subjective, rather than objective. In other words, only the data subject (i.e., the subject of care) can make a proper determination of the relative confidentiality of various fields or groupings of data. For example, a person escaping from an abusive relationship may consider his/her new address and phone number to be much more confidential than clinical data about setting his/her broken arm.
     • The confidentiality of personal health information is context-dependent. For example, the name and address of a subject of care in a list of admissions to a hospital’s emergency department may not be considered especially confidential by that individual, yet the same name and address in a list of admissions to a clinic treating sexual impotence may be considered highly confidential by the individual.
     • The confidentiality of personal health information can shift over the lifetime of an individual’s health record. For example, changing societal attitudes over the last 20 years have resulted in many subjects of care no longer considering their sexual orientation to be confidential. Conversely, attitudes toward drug and alcohol dependency have caused some subjects of care to consider addiction-counseling data to be even more confidential today than such data would have been considered 20 years ago.
  16. Establishing, monitoring, maintaining and improving its ISMS
     • Identify information assets and their associated security requirements.
     • Assess information security risks.
     • Select and implement relevant controls to manage unacceptable risks.
     • Monitor, maintain and improve the effectiveness of security controls associated with the organization’s information assets.
  17. EMR Security!
     • Many of the security problems facing EMRs today have already been solved elsewhere, for example by Internet protocols that support secure transfer of data between hosts (HTTPS, SSH, etc.).
     • The reason is that, from a computer science perspective, EMRs are no different from other data being transferred across a network. The problems of keeping the information secure therefore, for the most part, already existed and have already been countered.
  18. Frauds in Healthcare!
     • Fraud in the health care sector can happen at any point, from the services’ providers to the payers, employers, sponsors, users / patients and third-party vendors.
     • Motivation:
       – Pursuit of money
       – Avoidance of liability
       – Malicious harm
       – Competitive advantage
       – Research and product market advantage
       – Addiction
       – Theft of personal effects
       – Theft of individual and/or corporate identity
  19. • The legal elements of fraud, according to this definition, are
       – Misrepresentation of a material fact
       – Knowledge of the falsity of the misrepresentation or ignorance of its truth
       – Intent
       – A victim acting on the misrepresentation
       – Damage to the victim
     • Healthcare fraud differs from healthcare abuse. Abuse refers to
       – Incidents or practices that are not consistent with the standard of care (substandard care)
       – Unnecessary costs to a program, caused either directly or indirectly
       – Improper payment or payment for services that fail to meet professional standards
       – Medically unnecessary services
       – Substandard quality of care (e.g., in nursing homes)
       – Failure to meet coverage requirements
     • Healthcare fraud typically takes one or more of these forms:
       – False statements or claims
       – Elaborate schemes
       – Cover-up strategies
       – Misrepresentations of value
       – Misrepresentations of service
  20. Insider’s Threat
     • A recent Insider Threat Study by CERT found that 86 percent of insider attacks in enterprises originated from people who are or were previously full-time employees in a technical position within the enterprise.
     • Insiders typically have access to privileged data beyond their authorization and are far more capable of exploiting loopholes in a network than outsiders.
     Control: Implementation, automation and validation of controls for privileged users
     [Figure labels recovered from the slide: Challenges: Medical Device Service and Maintenance; IT Operations; Visibility Gaps in Healthcare; Merging IT Operations and Medical Device Service and Maintenance Platforms]
  21. Control: Implementation, automation and validation of controls for privileged users
     • Understanding “Privileged User”
     • Security Architecture – Layered / Defense in Depth
     • Know the Access Model
     • Secure Sockets Layer (SSL) or IP Security (IPSec) protocol
     • “Deny all, permit by exception” (DAPE)
     • Separation of Duties through Compartmentalization
       – E.g. port-based access provisioning provides highly granular control
     • Containment to Authorized Access Areas
     • Tracking and Reporting of User Activities
     • Centralized Reporting for Testing of Controls
       – E.g. security information management (SIM) / security event management (SEM) systems
  22. You can have security without Privacy, but you can’t have Privacy without Security
  23. Privacy and Security Expectations
     • Ensure privacy and security protections for confidential information through operating policies, procedures and technologies, and compliance with applicable law
     • Provide transparency of data sharing to patient
     • Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
     • These capabilities correspond to certification criteria for EHR technology and are summarized in figure 1.
  26. Techniques and methods and the implementation effort
     Technologies       | Methods                                       | Classification | Implementation Effort | Computational Cost
     -------------------|-----------------------------------------------|----------------|-----------------------|-------------------
     Authentication     | One-factor authentication                     | Basic          | Few                   | Few
     Authentication     | Two-factor                                    | Basic          | Few/moderate          | Few
     Authentication     | Anonymous                                     | Enhanced       | Moderate/expensive    | Moderate/expensive
     Authorization      | Server-based                                  | Basic          | Few                   | Few
     Authorization      | User-based                                    | Enhanced       | Moderate              | Moderate
     Authorization      | Anonymous                                     | Enhanced       | Expensive             | Moderate
     Confidentiality    | Transmission                                  | Basic          | Few                   | Moderate
     Confidentiality    | Server-based                                  | Basic          | Few                   | Few
     Confidentiality    | User-based                                    | Enhanced       | Moderate              | Moderate
     Integrity          | Transmission                                  | Basic          | Few                   | Few
     Integrity          | Storage                                       | Basic          | Moderate              | Few
     Data anonymity     | Anonymous communication                       | Enhanced       | Few                   | Moderate/expensive
     Data anonymity     | Obfuscation                                   | Enhanced       | Moderate              | Moderate
     Data anonymity     | Unlinkability                                 | Enhanced       | Expensive             | Moderate
     Information hiding | Pseudo-information hiding                     | Basic          | Few                   | Few
     Information hiding | Information hiding with plausible deniability | Enhanced       | Expensive             | Few
  27. HIPAA Security
     • Security should not be confused with Privacy or Confidentiality
       – Privacy: The right of an individual to control his/her personal information without risk of divulging or misuse by others against his or her wishes
       – Confidentiality only becomes an issue when the individual's personal information has been received by another entity. Confidentiality is then a means of protecting this information
       – Security refers to the spectrum of physical, technical and administrative safeguards used for this protection
  28. HIPAA: Health Insurance Portability and Accountability Act
     • Final Security Rule published in the Federal Register on February 20, 2003 (effective 60 days)
       – http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp
     • Designation: 45 CFR 160, 162, 164
     • Compliance Dates: April 20, 2005
       – Covered Entities: 24 months after effective date
       – Small Health Plans: 36 months after effective date
  29. HIPAA Security
     • Addresses 3 tiers of protection:
       – Administrative Safeguards
       – Physical Safeguards
       – Technical Safeguards
  30. Administrative Safeguards
     • Institutional level
       – Develop a security management process in which potential “threats” to PHI are determined
       – Provide training to all employees about HIPAA
       – Provide an appropriate level of authorization based on a protocol for granting access
       – Violations should be clearly documented and investigated
       – A disaster recovery plan should be in place
  31. Physical Safeguards
     • Applies to 3 elements of the PHI data storage infrastructure:
       – Facility where PHI data is stored
       – Workstations on which it is stored
       – Media on which it is stored
  32. Physical Safeguards
     • Require that the facility have access control
     • Contingency plans need to be in place in case an intruder gains access
     • Workstation security measures must be in place
       – Automatic logoff
       – Screen is placed away from potential viewers
       – PDAs should be password protected
     • Devices and media should be appropriately disposed of when they are no longer needed, and data should be erased properly
  33. Technical Safeguards
     • Applies to how information is stored, verified, accessed and transmitted/received
     • Access and audit controls
     • Emergency access to information when needed
     • Automatic logoff is enforced
     • Data is encrypted and decrypted during transmission
     • Verify integrity of the storage and transmission (digital signatures)
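The technical safeguards on slide 33 (access and audit controls, emergency access, automatic logoff, integrity verification) and the privileged-user control “deny all, permit by exception” on slide 21 can be exercised together in one small record gateway. The following is an added example written for this page, not code from the presentation or from any EMR product; the roles, field names, 15-minute idle timeout, HMAC key and patient record are all constructed for the demonstration.

```python
"""Minimal EMR access gateway for the safeguards the slides name: deny-all /
permit-by-exception authorisation, audited break-glass (emergency) access,
automatic logoff of idle sessions and an integrity tag on stored PHI.
Added example: roles, timeout, key and the sample record are constructed."""
import hashlib
import hmac
import json

# Deny all, permit by exception: a (role, action) pair absent from this table is
# refused; a present pair lists the only record fields that role may touch.
POLICY = {
    ("physician", "read"): {"name", "vitals", "diagnosis", "notes"},
    ("physician", "write"): {"vitals", "diagnosis", "notes"},
    ("nurse", "read"): {"name", "vitals"},
    ("nurse", "write"): {"vitals"},
    ("billing", "read"): {"name", "diagnosis"},
}
BREAK_GLASS_ROLES = {"physician", "nurse"}  # clinical roles eligible for emergency access
IDLE_TIMEOUT = 15 * 60                      # automatic logoff after 15 min idle (assumed)
INTEGRITY_KEY = b"constructed-demo-key"     # in production a KMS/HSM-held secret


def seal(record):
    """Store the record with an HMAC-SHA256 tag so silent modification is detectable."""
    body = json.dumps(record, sort_keys=True).encode()
    return {"record": record, "tag": hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()}


def verify(sealed):
    body = json.dumps(sealed["record"], sort_keys=True).encode()
    expected = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])  # constant-time comparison


class Session:
    def __init__(self, user, role, now):
        self.user, self.role, self.last_active = user, role, now


class EMRGateway:
    def __init__(self):
        self.store = {}   # patient_id -> sealed record
        self.audit = []   # append-only audit trail; every decision is recorded

    def store_record(self, patient_id, record):
        self.store[patient_id] = seal(record)

    def _decide(self, s, action, patient_id, now, outcome, payload, **extra):
        self.audit.append({"ts": now, "user": s.user, "role": s.role, "action": action,
                           "patient": patient_id, "outcome": outcome, **extra})
        return outcome, payload  # (outcome, view/record or denial reason)

    def access(self, s, action, patient_id, now, updates=None, emergency=False):
        def deny(reason):
            return self._decide(s, action, patient_id, now, "denied", reason)
        if now - s.last_active > IDLE_TIMEOUT:  # automatic logoff of idle sessions
            return deny("session expired; log in again")
        s.last_active = now
        sealed = self.store.get(patient_id)
        if sealed is None:
            return deny("no such record")
        if not verify(sealed):  # integrity is checked before any use of stored PHI
            return deny("record integrity check failed")
        record = sealed["record"]
        if emergency and action == "read" and s.role in BREAK_GLASS_ROLES:
            # Break-glass: the full record is released but the event is flagged for review.
            return self._decide(s, action, patient_id, now, "break-glass", dict(record),
                                review_required=True)
        allowed = POLICY.get((s.role, action))
        if allowed is None:
            return deny(f"{s.role} may not {action}")
        if action == "read":
            view = {k: v for k, v in record.items() if k in allowed}
            return self._decide(s, action, patient_id, now, "allowed", view)
        updates = updates or {}
        bad = sorted(set(updates) - allowed)
        if bad:
            return deny(f"{s.role} may not write {bad}")
        record = {**record, **updates}
        self.store[patient_id] = seal(record)  # re-seal after a permitted change
        return self._decide(s, action, patient_id, now, "allowed", dict(record),
                            fields=sorted(updates))


def demo():
    gw = EMRGateway()
    gw.store_record("P001", {"name": "Test Patient", "vitals": "BP 120/80",
                             "diagnosis": "constructed", "notes": "n/a"})
    t = 1000.0
    nurse, billing, doc = Session("n1", "nurse", t), Session("b1", "billing", t), Session("d1", "physician", t)
    out = {"nurse_view": gw.access(nurse, "read", "P001", t + 1)}
    out["billing_write"] = gw.access(billing, "write", "P001", t + 2, updates={"diagnosis": "x"})
    out["nurse_diag_write"] = gw.access(nurse, "write", "P001", t + 3, updates={"diagnosis": "x"})
    out["nurse_vitals_write"] = gw.access(nurse, "write", "P001", t + 4, updates={"vitals": "BP 130/85"})
    out["break_glass"] = gw.access(nurse, "read", "P001", t + 5, emergency=True)
    out["idle_logoff"] = gw.access(doc, "read", "P001", t + IDLE_TIMEOUT + 1)
    gw.store["P001"]["record"]["diagnosis"] = "tampered"  # simulate a direct database edit
    out["tampered_read"] = gw.access(doc, "read", "P001", t + 6)
    out["flagged_for_review"] = [e["patient"] for e in gw.audit if e.get("review_required")]
    return out
```

Run `demo()` to walk the scenarios a technical-safeguard review asks about: the nurse sees only permitted fields, billing cannot write, the break-glass read is released but flagged, the idle physician session is logged off, and a record edited behind the gateway fails its integrity check.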
  34. Am I HIPAA Compliant? Questions to ask yourself and your institution
  35. Questions to ask your institution
     1. Was a security audit done and, if so, what are the results?
     2. Did I get the appropriate HIPAA training and do I have a certificate to prove this?
     3. Are there procedures in place to grant access to PHI to authorized users?
     4. What are the procedures in place in case of disaster, data loss or data theft? Are backups made frequently?
  36. Facility, Workstation, Media
     • 1. What are the procedures in place to safeguard the facility from intruders? Are there contingency plans for dealing with intruders, data theft or other events?
     • 2. How do you protect the safety of workstations? Are they password protected?
     • 3. Can bystanders view the screens on which PHI may potentially be displayed?
  37. Facility, Workstation, Media
     • 4. Is an automatic logoff mechanism enforced? What time limits are provided before this occurs?
     • 5. What types of data are stored on PDA devices and, if PHI is stored, is it password protected or encrypted?
     • 6. What procedures are used when disposing of, reusing or archiving data on hard disks, CDs, floppies and Zip disks? Is PHI data erased properly if the disks are to be disposed of or reused?
  38. Data Level
     • 1. Are there audit mechanisms for checking who is accessing the PHI data, and is this done on a regular basis by authorized personnel?
     • 2. Are there procedures in place to grant emergency access to information if needed?
     • 3. Is data integrity checked when the data is transmitted or received? (digital signatures, digital certificates, checksums etc.)
     • 4. Is the data encrypted and decrypted during the transmission process?
  39. HIPAA Wireless Security
  40. Before you Begin
     • Do I really need to be wireless or can I get by with a wired connection?
       – Is space limitation a problem?
       – Is mobility absolutely necessary?
     • Do I have the permission of my institution to install wireless networks?
     • Do I have adequate IT support to do this?
  41. 11 Steps to Wireless Security
     • Wireless is inherently insecure
     • Many, many ways of hacking into wireless networks
     • The technology base is there to make it secure
     • Some simple steps can be taken to maximize the security of your wireless network
  42. 11 Steps to Wireless Security
     • 1. Change the default SSID (network name) on the router so that your name/location is kept secret
     • 2. Disable the SSID broadcast, if your router supports it. This will prevent hackers from seeing you
     • 3. Change the administrator’s password on your router.
  43. 11 Steps to Wireless Security
     • 4. Turn on the highest level of security supported by your hardware (i.e. Wired Equivalent Privacy – WEP, which is older, or WPA, which is the latest and most secure)
     • 5. Make sure you have the latest firmware updates. Implement MAC (media access control) filtering, which specifies exactly which WLAN PC cards can access the network and excludes others
  44. 11 Steps to Wireless Security
     • 6. Place the Wireless Access Point (WAP) towards the middle of the building, keeping the zone of potential access within the building.
     • 7. Do your own security audit. Use Network Stumbler (www.netstumbler.com) on your Tablet PC, laptop or PDA and walk around the perimeter of your building to see where and what a would-be hacker may see
  45. 11 Steps to Wireless Security
  • 8. If you have a limited number of wireless clients (Tablet PCs), provide them with static IP addresses and disable DHCP on your router. This ensures that only “authorized” machines can “see” your network
  46. 11 Steps to Wireless Security
  • 9. If you are in an enterprise setting, use VPNs (Virtual Private Networks). You can isolate your WLAN from the wired network using products such as the Netgear FVM318 or the SonicWall SOHO TZW, then use the VPN to tunnel directly into the wired network securely
  47. 11 Steps to Wireless Security
  • 10. Avoid using public hotspots, areas that are insecure and open for general use
  • 11. Turn off file and print sharing on your Tablet PCs. Most devices do not prevent client-to-client traffic, so people sitting across the street from you can be looking at your shared directory remotely
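The walk-around audit of step 7 produces a list of access points with their names, encryption and signal strength. The following added example (not part of the deck) checks such a survey against steps 1, 4 and 6; the ScanRecord shape, the default-SSID prefixes, the -70 dBm leakage threshold and the sample readings are all assumptions constructed for illustration.

```python
"""Checker for the 11-step wireless checklist (added example, not from the deck)."""
from dataclasses import dataclass

# Assumption: a short list of factory-default SSID prefixes; extend it for your hardware.
DEFAULT_SSID_PREFIXES = ("default", "linksys", "netgear", "dlink", "wireless")
# Assumption: a reading stronger than this, taken outside the building, counts as leakage.
OUTSIDE_SIGNAL_LIMIT_DBM = -70


@dataclass
class ScanRecord:
    """One access point as seen during the walk-around audit of step 7 (constructed shape)."""
    ssid: str         # "" means the AP is not broadcasting its SSID (step 2)
    bssid: str        # AP hardware address (constructed values below)
    security: str     # "OPEN", "WEP", "WPA" or "WPA2" as reported by the scanner
    signal_dbm: int   # received signal strength at the point of measurement
    outside: bool     # True if the reading was taken outside the perimeter (step 6)


def audit(ap: ScanRecord) -> list:
    """Return the checklist steps this access point fails, in step order."""
    findings = []
    if ap.ssid.lower().startswith(DEFAULT_SSID_PREFIXES):
        findings.append("step 1: default SSID still in use")
    if ap.security in ("OPEN", "WEP"):
        findings.append("step 4: weak or no encryption in use, move to WPA")
    if ap.outside and ap.signal_dbm > OUTSIDE_SIGNAL_LIMIT_DBM:
        findings.append("step 6: strong signal outside the perimeter, relocate the AP")
    return findings


def audit_survey(records) -> dict:
    """Map BSSID -> findings for every AP that fails at least one step."""
    report = {}
    for ap in records:
        findings = audit(ap)
        if findings:
            report[ap.bssid] = findings
    return report


# Constructed sample survey: three readings a tablet could have logged outside and inside.
SAMPLE_SURVEY = [
    ScanRecord("linksys", "02:00:00:aa:00:01", "WEP", -48, outside=True),
    ScanRecord("ClinicWard3", "02:00:00:aa:00:02", "WPA2", -82, outside=True),
    ScanRecord("", "02:00:00:aa:00:03", "OPEN", -60, outside=False),
]

if __name__ == "__main__":
    for bssid, findings in audit_survey(SAMPLE_SURVEY).items():
        print(bssid, "->", "; ".join(findings))
```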
  48. Conclusion
  • Health-informatics systems must meet unique demands to remain operational in the face of natural disasters, system failures and denial-of-service attacks
  • At the same time, the data they contain are confidential and their integrity must be preserved
  • Because of these critical requirements, and regardless of their size, location and model of service delivery, all health care organizations need to have stringent controls in place to protect the health information entrusted to them
  49. Thanks & Let us collaborate
  Presented by: Madhav Chablani
  Founder CEO & Principal Consultant | TippingEdge Consulting Pvt. Ltd
  Member – India Growth Task Force – ISACA HQ (US) | Founder Member (NCR) – Cloud Security Alliance
  www.tippingedge.in | E: madhav.chablani@tippingedge.in | madhav.chablani@gmail.com | M: +91-9313749494
  Twitter: @tippingedge | Join me on LinkedIn!
  50. Madhav Chablani
  Founder CEO & Principal Consultant

  Contact Information:
  • Mobile: +91 9313749494
  • Direct: 0120-4284374
  • E-Mail: madhav.chablani@tippingedge.in | madhav.chablani@gmail.com

  Industry Lines:
  • IT Services / ITES
  • Healthcare, Life-sciences & Pharma
  • BFSI

  Education/Qualifications:
  • B.E. (Electronics and Telecommunications)
  • PG-ADM (PG Advanced Diploma in Management)
  • MASTER CNE – also accredited as Novell’s Professional Developer
  • QPMP – Qualified Project Management Professional (IPMA)
  • CISA – Certified Information System Auditor – ISACA (US)
  • CISM – Certified Information Security Manager – ISACA (US)
  • SEI CMM / PCMM – Trained/Certified (Internally)
  • ISO 27000 LA – BSI
  • ITIL Service Management 2.0 / 3.0 – Trained 700+ professionals towards Foundation’s / Service Manager’s requirements
  • ISO/IEC 20000 Consultant – Certified ITSMF
  • BS 25999-2:2007 – RABQSA certified Lead Auditor competency

  Industry association / Professional Memberships:
  • Member of ISACA (US)
  • Member – Indian Growth Task Force – ISACA HQ (2010-11)
  • Member of Project Management Associates (India) & IPMA (Switzerland)
  • Member – DSCI
  • Member – GRAPA
  • Founder Member – CSA (Cloud Security Alliance) – NCR
  • ISACA – Knowledge Board – Subject Matter Expert

  Professional Experience:
  I am innovative, passionate, customer focused, committed to value delivery, and a professional with over twenty years’ experience in the IT services and consulting industry, with proven success in developing, managing and advising global enterprise clients on strategy and solutions that minimize risks in an enterprise caused by business environment, people, process, technology and extended relationships.
  I have worked with Protiviti, HP Consulting, NIIT Technologies, Agilent, Xansa, PCS and WIPRO, on both domestic and global offshore projects and consulting assignments.
  I have worked at various layers, with engagement in lead roles and varied domain projects, contributing to value creation, reinforcing organizational process and project management excellence and agility, Enterprise Risk Management / IT Governance, IS audits / control and assurance, IT service and performance management, contributing to “GRCS” – Governance, Risk Management, Compliance and Sustainability initiatives, involved in organizational change management programs, enriched outsourced delivery capabilities, practice-level competency and Enterprise Architectures.
  • I have contributed from concept to delivery – designing and implementing enterprise-wide technical architectures, with involvement in application lifecycle management, achieving the maturity levels desired.
  • Designed and implemented solutions for enterprise infrastructure, security, identity management / entitlement, disaster recovery, business continuity strategy and planning, fault tolerant infrastructure, contingency planning, crisis management, and application / infrastructure integrity.
  • Consulted and provided solutions in the areas of enterprise business / technology strategy, business process optimization / re-engineering, enterprise infrastructure design and optimization, establishing and managing global business and technology operations, and change management.
  I have also been involved in “Thought Leadership” initiatives for technology strategies, investments and M&A (also separations / disinvestments), focused on building and enriching “Business Value” and “keeping stride in remaining competitive”.
  51. Involvement in Healthcare Initiatives
  • Captive projects with a US medical university (1992-95) for development of HIMS integration components, using standards now known as DICOM / PACS
  • A major heart hospital and research institute in NCR (2000-02) – involved as “Program Director / Principal” for implementation of HIMS / ERP
  • Agilent Technologies – a global major in life-sciences and test / measuring equipment (2002-2004) – participated in articulating enterprise vision, strategy, principles, guidelines and standards for enterprise application integration and architecture supporting major business processes: product generation, order generation, order management, planning, sourcing / procurement, manufacturing / production, shipping and delivery / logistics, customer service delivery, financial management and reporting
  • Member of “India Growth Task Force” – ISACA HQ (2007 – present); also involved as part of the Knowledge Board in co-creating IT Governance framework adaptation and audit / assurance work programs for ecosystem players in the healthcare and life-sciences verticals
  • Ranbaxy Laboratories – a leading Indian MNC in pharmaceuticals and healthcare (2006) – a leadership role with responsibilities in global information systems audits and control (including applications and infrastructure); involved in Enterprise Risk Management, information security and privacy; established IT controls for compliance related to ISO 27001, Clause 49, SOX 404 and FDA requirements
  • Protiviti Consulting – US-headquartered MNC and independent risk / solutions consulting organization, 6th largest risk consulting firm, over 3,300 personnel globally, 60 offices in 23 countries (originated from Arthur Andersen’s practice) – Partner Advisor (2007-2009), specializing in strategy and transformation consulting in the healthcare and life-sciences vertical
  • Presently specializing in strategy and transformation consulting in medical / healthcare informatics, sales and marketing, and managed care, with over a decade of experience in strategy and transformation consulting; delivered projects with Fortune 500 companies, helping clients boost sales, accelerate revenue generation and improve their bottom line, including projects such as corporate and business unit strategy, mergers and acquisitions, go-to-market strategy, growth strategy and product launch, business planning, cost reduction, and sales and marketing effectiveness
  • Recent projects have demonstrated the power of digital transformation for life sciences companies, through better understanding of customer behavior (such as root causes for non-adherence) and design of innovative outreach programs (social CRM and patient opinion communities)
  • Passionately involved in practice and learning from new-dimension projects on m-Health / e-Health, data analytics, the role of IT Governance in healthcare, and IT audit and assurance – EMR security audits for meaningful use