InfoSec Management In Healthcare


A look into infosec management practices in healthcare

Published in: Technology, Business

  1. Infosec Management In Healthcare
     Or why security blankets and Johnny shirts don’t cover your backside
     HTCIA Atlantic Chapter Annual Conference, October 22, 2013
  2. About me
     • Sr. Security Analyst for Capital District Health Authority
       – The information presented here is my own opinion and not related in any way whatsoever with my employer
     • Co-founder of The Atlantic Security Conference
     • Co-founder of the Halifax Area Security Klatch
     • Big time fan of Bruce Lee and blues music!
  3. Healthcare & The Law
     • There is no Canadian federal law requiring health care providers to disclose details regarding data loss and breaches.
     • Bill C-475 seeks to update PIPEDA to include mandatory breach notification and consequences for security breaches
     • Nova Scotia’s Personal Health Information Act has been in effect since June 1, 2013
     • The only Canadian jurisdiction that currently has made security breach notification mandatory is Alberta
  4. Diagnosis
     • The United States has federal legislation requiring healthcare providers to inform the public of breaches: the Health Information Technology for Economic and Clinical Health (HITECH) Act, in effect since 2009
     • Top 5 PHI Breaches, 2012 (Redspin breach report)
  5. Diagnosis
     • 538 breaches of protected health information (PHI)
     • 21,408,505 patient health records affected
     • 21.5% increase in the number of large breaches in 2012 over 2011 but… a 77% decrease in the number of patient records impacted
     • 67% of all breaches have been the result of theft or loss
     • 57% of all patient records breached involved a business associate
     • 5X – historically, breaches at business associates have impacted five times as many patient records as those at a covered entity
  6. Diagnosis
     • 38% of incidents were the result of an unencrypted laptop or other portable electronic device
     • 63.9% of total records breached in 2012 resulted from the 5 largest incidents
     • 780,000 – the number of records breached in the single largest incident of 2012
  7. Only In Canada eh!
  8. Why they want it…
     • Healthcare records combined with other personal information creates an identity portfolio
     • These portfolios or “kitz” can be used for multiple fraud types
     • “kitz” can sell on the underground market for up to $1300.00
  9. Prognosis
     • There is an epidemic of data loss for healthcare
     • We pretty much stink at handling PHI
     • Things are getting better but there is still lots of room for improvement
  10. Managing Data
      • Confidentiality refers to preventing the disclosure of information to unauthorized individuals or systems
      • Integrity is maintaining and assuring the accuracy and consistency of data
      • Availability – for any information system to serve its purpose, the information must be available when it is needed.
  11. In the News
  12. Hacking Medical Devices
      • We miss you Barnaby Jack
  13. A day in the life... (The mostly boring underbelly of infosec)
  14. Browse to Host
  15. Looking For The Obvious
  16. Great Success!
  17. Raising Awareness…
  18. Keeping a watchful eye
      • Network Monitoring
        – Establish a baseline
        – Identify anomalies and problem areas
        – Identify root cause
        – Historical reporting to help trend and scale services
  19. Keeping a watchful eye – Network Access Control
      • Knowing who and what is on the network
      • Access policies based upon role/requirement
      • Process for poorly behaving computers (Threats)
  20. A day in the life of infosec... continued
      • Endpoint Protection
  21. A day in the life of infosec... continued
      • What is significant in this list regarding Risk?
      • Most infections and threats appear to be Trojans…
      • Key loggers, downloaders, remote administration, screen scrapers
  22. A day in the life of infosec... continued
      • Security Incident Event Management
        – Monitor activity between client-server, client-client and server-server
        – Monitored 24x7, 365 days a year by the Systems Operations Centre
        – CDHA support staff are notified when there is traffic of interest
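The monitoring ideas on slides 18 and 22 (establish a baseline, identify anomalies, and get notified when there is traffic of interest) as an added worked example. This is not code from the presentation or from CDHA; every host name, role, byte count, port and flow record in it is constructed. The first check flags hosts whose daily volume departs from their own seven-day baseline; the second flags workstation-to-workstation flows on admin and file-sharing ports, which in most environments is the kind of client-client activity worth a second look.

```python
"""Baseline-and-anomaly checks over constructed network data.

Added example; not code from the presentation or from CDHA. Host names,
roles, byte counts, the port list and the flow records are all constructed.
"""
from statistics import mean, pstdev

# Constructed: seven days of daily egress volume (bytes) per host, the baseline window.
BASELINE = {
    "ws-101": [210_000, 198_000, 225_000, 205_000, 230_000, 190_000, 215_000],
    "ws-102": [150_000, 160_000, 155_000, 148_000, 162_000, 151_000, 158_000],
    "srv-ehr": [5_000_000, 5_200_000, 4_900_000, 5_100_000, 5_050_000, 4_980_000, 5_120_000],
}

# Constructed: volumes observed on the day under review (ws-109 has never been seen before).
TODAY = {"ws-101": 212_000, "ws-102": 4_800_000, "srv-ehr": 5_070_000, "ws-109": 90_000}

# Constructed: which hosts are workstations (client) and which are servers.
ROLE = {"ws-101": "client", "ws-102": "client", "ws-105": "client",
        "srv-ehr": "server", "srv-db": "server"}

# Constructed: flow records for the same day as (src, dst, dst_port).
FLOWS = [
    ("ws-101", "srv-ehr", 443),
    ("ws-102", "ws-101", 445),    # workstation to workstation, SMB
    ("ws-102", "ws-105", 3389),   # workstation to workstation, RDP
    ("srv-ehr", "srv-db", 1433),
    ("ws-101", "srv-ehr", 445),   # workstation to file server, expected
]

# Ports that rarely belong between two workstations (SMB, RDP, WinRM).
LATERAL_PORTS = {445, 3389, 5985}


def baseline_stats(history):
    """Per-host mean and population standard deviation of the baseline window."""
    return {host: (mean(v), pstdev(v)) for host, v in history.items()}


def find_volume_anomalies(history, today, z_threshold=3.0, min_ratio=2.0):
    """Identify anomalies: hosts with no baseline at all, or hosts whose volume
    today sits more than z_threshold standard deviations above their mean AND
    is at least min_ratio times that mean. The ratio guard stops a host with a
    near-flat baseline from alerting on a trivial absolute change."""
    stats = baseline_stats(history)
    flagged = []
    for host, value in today.items():
        if host not in stats:
            flagged.append((host, "no baseline"))
            continue
        mu, sigma = stats[host]
        if sigma == 0:
            z = float("inf") if value > mu else 0.0
        else:
            z = (value - mu) / sigma
        if z > z_threshold and value >= min_ratio * mu:
            flagged.append((host, f"{value / mu:.1f}x baseline, z={z:.1f}"))
    return flagged


def traffic_of_interest(flows, roles, lateral_ports=LATERAL_PORTS):
    """Client-to-client traffic on admin or file-sharing ports is worth a look:
    workstations normally talk to servers, not to each other."""
    return [(src, dst, port) for src, dst, port in flows
            if roles.get(src) == "client" and roles.get(dst) == "client"
            and port in lateral_ports]


if __name__ == "__main__":
    for host, why in find_volume_anomalies(BASELINE, TODAY):
        print(f"volume anomaly: {host}: {why}")
    for src, dst, port in traffic_of_interest(FLOWS, ROLE):
        print(f"traffic of interest: {src} -> {dst} port {port}")
```

Run as-is it reports ws-102 (roughly 31x its baseline), ws-109 (no baseline, which is the network access control question from slide 19: who is this?) and the two workstation-to-workstation flows. The thresholds are starting points, not tuned values; the historical reporting bullet on slide 18 is what lets you tune them, because a baseline built on a week that already contained the problem will hide it.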
  23. Portals Here…Portals There… Portals Everywhere
      • XSS – Cross Site Scripting
      • On the OWASP Top 10 list for 2013
  24. XSS Quick Demo
      • Joe McCray from Strategic Sec has an online site for practicing XSS (Thanks Joe... I owe you a rum and coke)
      • A quick test for an XSS vulnerability:
        <script>alert('XSS alert')</script>
        – This will open a popup alert window with the message XSS alert
      • This script will have much more impact on the “C” level folks:
        <br><br>Your session has expired please login to continue:<form action="destination.asp"><table><tr><td>Login:</td><td><input type=text length=20 name=login></td></tr><tr><td>Password:</td><td><input type=text length=20 name=password></td></tr></table><input type=submit value=LOGIN></form>
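The defender's side of this demo, as an added example that is not code from the presentation or from the practice site: the same portal page rendered once with the request parameter echoed verbatim and once with it entity-encoded. The two payloads are the ones quoted on the slide; the page template, the parameter name and the helper names are constructed.

```python
"""Reflecting a request parameter into HTML: unescaped versus escaped.

Added example; not code from the presentation or from the practice site.
The two payloads are the ones quoted on the slide; the template, the
parameter name and the helpers are constructed.
"""
import html

# The slide's quick test: a popup proves that script in the parameter executes.
SCRIPT_PAYLOAD = "<script>alert('XSS alert')</script>"

# The slide's second payload: a fake "session expired" login form injected into the page.
FAKE_LOGIN_PAYLOAD = (
    "<br><br>Your session has expired please login to continue:"
    '<form action="destination.asp"><table>'
    "<tr><td>Login:</td><td><input type=text length=20 name=login></td></tr>"
    "<tr><td>Password:</td><td><input type=text length=20 name=password></td></tr>"
    "</table><input type=submit value=LOGIN></form>"
)

# Constructed template for a portal search page that echoes its query (8 tags).
TEMPLATE = "<html><body><h1>Results for: {query}</h1><p>No matches.</p></body></html>"


def render_vulnerable(query):
    """Echoes the parameter verbatim, so any markup in it becomes part of the page."""
    return TEMPLATE.format(query=query)


def render_escaped(query):
    """Entity-encodes the parameter (<, >, &, both quote characters) so the
    browser displays it as text instead of parsing it as markup."""
    return TEMPLATE.format(query=html.escape(query, quote=True))


def reflects_raw_markup(page, untrusted):
    """True if the untrusted string reached the page byte-for-byte, tags intact."""
    return untrusted in page


def tag_count(page):
    """Number of '<' characters, i.e. elements the browser will actually parse;
    escaped input contributes none because '&lt;' contains no '<'."""
    return page.count("<")


if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, FAKE_LOGIN_PAYLOAD):
        print("vulnerable tags:", tag_count(render_vulnerable(payload)),
              "escaped tags:", tag_count(render_escaped(payload)))
    print(render_escaped(SCRIPT_PAYLOAD))
```

Two caveats a practitioner would add. Escaping is context-specific: `html.escape` is right for text between tags, but a value landing inside an attribute, a script block or a URL needs the encoder for that context. And a Content-Security-Policy without `'unsafe-inline'` would stop the first payload's inline script from running, but it does nothing about the second payload, which is plain HTML asking the user to type a password; output encoding is the control that defeats both.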
  25. RISK
      • Infosec is really about RISK…. The sooner we all realize that the better
  26. RISK Management Basics
      • Qualify – What is the attack surface? What is exposed? Confirmed and potential
      • Quantify – What is the likelihood and the impact? How does it compare to other exposures?
      • Correct – What measures should we take to Avoid, Accept, Reduce and/or Transfer RISK?
      • Stop and ask what level of RISK the organization can/will assume
  27. What we don't want to do
      • Security Theater is a term that describes security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve security
  28. What we should be doing
      • Security should be baked in... reach out to your Project Managers, let them know what you can do
      • Be an enabler and help them to introduce new services that are secure
      • Look at your environment with filters
        – Classify your data – in healthcare we filter by public, administrative and clinical
        – Identify systems and applications and rate them by criticality (low, medium, high)
      • Identify vulnerabilities and gaps in these systems and applications
      • Apply some RISK management basics to avoid, accept, reduce and/or transfer RISK
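The qualify / quantify / correct loop of slide 26 applied to the data classes and criticality ratings of slide 28, as an added example that is not from the presentation. The three data classes (public, administrative, clinical) and three criticality levels (low, medium, high) are the ones the slides name; the scoring weights, the treatment tiers, the asset names, the exposures and the appetite value are all constructed.

```python
"""Qualify, quantify, correct: a small risk register over constructed assets.

Added example; not from the presentation. Data classes and criticality levels
are the slides' own; weights, tiers, assets, exposures and appetite are constructed.
"""
from dataclasses import dataclass

# Constructed weighting: what the asset holds times how critical it is gives impact (1..9).
DATA_CLASS_WEIGHT = {"public": 1, "administrative": 2, "clinical": 3}
CRITICALITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    data_class: str   # public | administrative | clinical
    criticality: str  # low | medium | high


@dataclass(frozen=True)
class Exposure:
    asset: Asset
    description: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    confirmed: bool   # confirmed finding, or a potential exposure still to verify


def impact(asset):
    """Impact of losing this asset's data, 1..9."""
    return DATA_CLASS_WEIGHT[asset.data_class] * CRITICALITY_WEIGHT[asset.criticality]


def risk_score(exposure):
    """Quantify: likelihood x impact, range 1..45."""
    if not 1 <= exposure.likelihood <= 5:
        raise ValueError("likelihood must be 1..5")
    return exposure.likelihood * impact(exposure.asset)


def treatment(exposure, appetite):
    """Correct: compare the score with the organisation's stated appetite.
    Constructed tiers: within appetite -> accept; up to 3x appetite -> reduce
    (add a control); beyond that -> avoid (stop or isolate the activity until fixed)."""
    score = risk_score(exposure)
    if score <= appetite:
        return "accept"
    if score <= 3 * appetite:
        return "reduce"
    return "avoid"


def rank(exposures):
    """Highest risk first; a confirmed finding outranks a potential one at equal score."""
    return sorted(exposures, key=lambda e: (risk_score(e), e.confirmed), reverse=True)


def register(exposures, appetite):
    """The comparison view a manager reads: asset, issue, score, treatment."""
    return [(e.asset.name, e.description, risk_score(e), treatment(e, appetite))
            for e in rank(exposures)]


# Constructed assets (qualify: what is exposed) and exposures.
EHR = Asset("EHR portal", "clinical", "high")
HR = Asset("HR timesheet app", "administrative", "medium")
WWW = Asset("public website", "public", "low")
EXPOSURES = [
    Exposure(WWW, "outdated CMS plugin", 5, False),
    Exposure(HR, "exports synced to unencrypted laptops", 4, True),
    Exposure(EHR, "reflected XSS in search parameter", 3, True),
    Exposure(EHR, "unpatched lab interface server", 2, False),
]
APPETITE = 8  # constructed: the level of RISK the organisation says it will assume

if __name__ == "__main__":
    for row in register(EXPOSURES, APPETITE):
        print(row)
```

The point of the register is the comparison, not the arithmetic: the outdated plugin on the public site is the most likely thing to be exploited and still ranks last, because what it exposes is public data on a low-criticality system. Transfer, the fourth option on slide 26, is not modelled here; it is the contractual conversation to have wherever a business associate holds the data, which slide 5's numbers say is where the larger breaches happen.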
  29. Security Lifecycle
      • Balancing security requirements with business needs can be challenging
      • Strive for continuous improvement
      • Security is a process not a product
  30. The answer...
      • Why don't security blankets and Johnny shirts cover your backside?
        – Johnny shirts are designed so that a patient does not have to pull the shirt over their head, it can be put on lying down and of course so they can easily use the washroom.
        – No single solution can mitigate every threat.... there is always an exposure
  31. Thank you
      • Twitter Handle – @k0z1can
      • Linkedin Profile –
      • Parting thoughts
        – “Absorb what is useful, discard what is not, add what is uniquely your own.” ~ Bruce Lee
        – See you all at the next Atlantic Security Conference March 27th and 28th, 2014