InfoSec Management In Healthcare

A look into infosec management practices in healthcare

  • 1. Infosec Management In Healthcare
    • Or why security blankets and Johnny shirts don’t cover your backside
    • HTCIA Atlantic Chapter Annual Conference, October 22, 2013
  • 2. About me
    • Sr. Security Analyst for Capital District Health Authority
      – The information presented here is my own opinion and not related in any way whatsoever to my employer
    • Co-founder of The Atlantic Security Conference
    • Co-founder of the Halifax Area Security Klatch
    • Big time fan of Bruce Lee and blues music!
  • 3. Healthcare & The Law
    • There is no Canadian federal law requiring health care providers to disclose details regarding data loss and breaches.
    • Bill C-475 seeks to update PIPEDA to include mandatory breach notification and consequences for security breaches
    • Nova Scotia’s Personal Health Information Act has been in effect since June 1, 2013
    • The only Canadian jurisdiction that currently has made security breach notification mandatory is Alberta
  • 4. Diagnosis
    • The United States has federal legislation requiring healthcare providers to inform the public of breaches: the Health Information Technology for Economic and Clinical Health (HITECH) Act, in effect since 2009
    • Top 5 PHI Breaches, 2012 (Redspin breach report)
  • 5. Diagnosis
    • 538 breaches of protected health information (PHI)
    • 21,408,505 patient health records affected
    • 21.5% increase in the number of large breaches in 2012 over 2011, but… a 77% decrease in the number of patient records impacted
    • 67% of all breaches have been the result of theft or loss
    • 57% of all patient records breached involved a business associate
    • 5X: historically, breaches at business associates have impacted 5 times as many patient records as those at a covered entity
  • 6. Diagnosis
    • 38% of incidents were the result of an unencrypted laptop or other portable electronic device
    • 63.9% of total records breached in 2012 resulted from the 5 largest incidents
    • 780,000 records were breached in the single largest incident of 2012
  • 7. Only In Canada eh!
  • 8. Why they want it…
    • Healthcare records combined with other personal information create an identity portfolio
    • These portfolios or “kitz” can be used for multiple fraud types
    • “kitz” can sell on the underground market for up to $1300.00
  • 9. Prognosis
    • There is an epidemic of data loss for healthcare
    • We pretty much stink at handling PHI
    • Things are getting better, but there is still lots of room for improvement
  • 10. Managing Data
    • Confidentiality refers to preventing the disclosure of information to unauthorized individuals or systems
    • Integrity is maintaining and assuring the accuracy and consistency of data
    • Availability: for any information system to serve its purpose, the information must be available when it is needed.
  • 11. In the News
  • 12. Hacking Medical Devices • We miss you Barnaby Jack
  • 13. A day in the life... (The mostly boring underbelly of infosec)
  • 14. Browse to Host
  • 15. Looking For The Obvious
  • 16. Great Success!
  • 17. Raising Awareness…
  • 18. Keeping a watchful eye
    • Network Monitoring
      – Establish a baseline
      – Identify anomalies and problem areas
      – Identify root cause
      – Historical reporting to help trend and scale services
  • 19. Keeping a watchful eye
    • Network Access Control
      – Knowing who and what is on the network
      – Access policies based upon role/requirement
      – Process for poorly behaving computers (Threats)
  • 20. A day in the life of infosec... continued
    • Endpoint Protection
  • 21. A day in the life of infosec... continued
    • What is significant in this list regarding Risk?
    • Most infections and threats appear to be Trojans…
      – Key loggers, downloaders, remote administration, screen scrapers
  • 22. A day in the life of infosec... continued
    • Security Incident Event Management
      – Monitor activity between client-server, client-client and server-server
      – Monitored 24x7, 365 days a year by the Systems Operations Centre
      – CDHA support staff are notified when there is traffic of interest
  • 23. Portals Here…Portals There… Portals Everywhere
    • XSS – Cross-Site Scripting
    • On the OWASP Top 10 list for 2013
  • 24. XSS Quick Demo
    • Joe McCray from Strategic Sec has an online site for practicing XSS (Thanks Joe... I owe you a rum and coke)
    • A quick test for an XSS vulnerability: <script>alert('XSS alert')</script>
      – This will open a popup alert window with the message XSS alert
    • This script will have much more impact on the “C” level folks: <br><br>Your session has expired please login to continue:<form action="destination.asp"><table><tr><td>Login:</td><td><input type=text length=20 name=login></td></tr><tr><td>Password:</td><td><input type=text length=20 name=password></td></tr></table><input type=submit value=LOGIN></form>
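Both payloads on this slide only work because a portal concatenates user input straight into its HTML. As an added example (not code from the presentation or from the practice site it mentions), this Node.js snippet shows that vulnerable reflection beside the hardened version that applies HTML output encoding; the renderSearch* functions and the search-page layout are assumed for the demonstration.

```javascript
// Added example, not from the deck: the slide's payloads against a page that
// reflects untrusted input, and the same page with HTML output encoding.
// Runs under Node.js with no dependencies.

// Encode the characters that let text break out of an HTML text node or a
// quoted attribute value. This is the encoding for HTML context only.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (assumed portal search page): the query is reflected
// into the HTML as-is, so any markup in it becomes part of the page.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened pattern: identical page, but the value is encoded for the HTML
// text context before it is concatenated.
function renderSearchHardened(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Demonstration check: does the output contain any element other than the
// <p> the template itself wrote? A production check would parse the DOM.
function containsInjectedMarkup(html) {
  return /<(?!\/?p>)[a-z!]/i.test(html);
}

// The two payloads quoted on the slide, embedded as constructed input.
const PAYLOADS = {
  popup: "<script>alert('XSS alert')</script>",
  fakeLogin: '<br><br>Your session has expired please login to continue:' +
    '<form action="destination.asp">Login: <input type=text name=login>' +
    ' Password: <input type=text name=password>' +
    '<input type=submit value=LOGIN></form>',
};

// Summarise both renderings for every payload.
function compare() {
  return Object.entries(PAYLOADS).map(([name, p]) => ({
    name,
    vulnerableInjects: containsInjectedMarkup(renderSearchVulnerable(p)),
    hardenedInjects: containsInjectedMarkup(renderSearchHardened(p)),
  }));
}

console.log(compare());
```

Encoding has to match the output context: a value written into a script block, a URL or an event-handler attribute needs that context's encoding instead, and a Content-Security-Policy gives a second layer for the places where encoding is missed.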
  • 25. RISK
    • Infosec is really about RISK. The sooner we all realize that, the better
  • 26. RISK Management Basics
    • Qualify - What is the attack surface? What is exposed? Confirmed and potential
    • Quantify - What is the likelihood and the impact? How does it compare to other exposures?
    • Correct - What measures should we take to Avoid, Accept, Reduce and/or Transfer RISK?
    • Stop and ask what level of RISK the organization can/will assume
  • 27. What we don't want to do
    • Security Theater is a term that describes security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve security
  • 28. What we should be doing
    • Security should be baked in... reach out to your Project Managers, let them know what you can do
    • Be an enabler and help them to introduce new services that are secure
    • Look at your environment with filters
      – Classify your data - in healthcare we filter by public, administrative and clinical
      – Identify systems and applications and rate them by criticality (low, medium, high)
    • Identify vulnerabilities and gaps in these systems and applications
    • Apply some RISK management basics to avoid, accept, reduce and/or transfer RISK
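The Qualify / Quantify / Correct steps from slide 26 and the data-class and criticality filters on this slide, carried through as an added example that is not part of the presentation: a small risk register in Node.js over a constructed inventory. The numeric weights, the exposure categories, the treatment rule and the risk-appetite value are this example's own assumptions.

```javascript
// Added example, not from the deck: a minimal risk register that applies
// Qualify -> Quantify -> Correct to a constructed inventory, using the
// deck's data classes and criticality ratings. All weights, thresholds
// and sample assets are assumptions made for this demonstration.

const DATA_CLASS = { public: 1, administrative: 2, clinical: 3 };
const CRITICALITY = { low: 1, medium: 2, high: 3 };
// Qualify: what is exposed, and is the exposure confirmed or only potential?
const EXPOSURE = { internal: 1, potential: 2, confirmed: 3 };

// Quantify: likelihood from exposure, tripled when the system has open
// vulnerabilities; impact from data class and criticality. Score is 1..81.
function quantify(asset) {
  const likelihood = EXPOSURE[asset.exposure] * (asset.openVulns > 0 ? 3 : 1);
  const impact = DATA_CLASS[asset.dataClass] * CRITICALITY[asset.criticality];
  return { ...asset, likelihood, impact, score: likelihood * impact };
}

// Correct: compare the score with the level of RISK the organisation will
// assume (its appetite). Within appetite: accept. Above it with a known gap:
// reduce (close the gap). Above it with nothing left to fix: escalate, so
// the business decides between avoiding and transferring the risk.
function treat(scored, appetite) {
  if (scored.score <= appetite) return 'accept';
  if (scored.openVulns > 0) return 'reduce';
  return 'escalate';
}

// Build the register, highest score first, so the team works from the top.
function buildRegister(inventory, appetite) {
  return inventory
    .map(quantify)
    .map((a) => ({ ...a, treatment: treat(a, appetite) }))
    .sort((x, y) => y.score - x.score);
}

// Constructed inventory for the demonstration (not real systems).
const INVENTORY = [
  { name: 'patient-portal', dataClass: 'clinical', criticality: 'high', exposure: 'confirmed', openVulns: 2 },
  { name: 'hr-timesheets', dataClass: 'administrative', criticality: 'medium', exposure: 'potential', openVulns: 0 },
  { name: 'public-website', dataClass: 'public', criticality: 'low', exposure: 'confirmed', openVulns: 1 },
  { name: 'lab-results-db', dataClass: 'clinical', criticality: 'high', exposure: 'potential', openVulns: 0 },
];
const APPETITE = 9; // assumed: the organisation accepts scores of 9 or less

console.table(buildRegister(INVENTORY, APPETITE));
```

Changing APPETITE shows the point of the last bullet on slide 26: the same scores lead to different treatments once the organisation states what level of RISK it will assume.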
  • 29. Security Lifecycle
    • Balancing security requirements with business needs can be challenging
    • Strive for continuous improvement
    • Security is a process, not a product
  • 30. The answer...
    • Why don't security blankets and Johnny shirts cover your backside?
      – Johnny shirts are designed so that a patient does not have to pull the shirt over their head; it can be put on lying down and, of course, so they can easily use the washroom.
      – No single solution can mitigate every threat.... there is always an exposure
  • 31. Thank you
    • Twitter Handle – @k0z1can
    • LinkedIn Profile –
    • Parting thoughts
      – “Absorb what is useful, discard what is not, add what is uniquely your own.” ~ Bruce Lee
      – See you all at the next Atlantic Security Conference, March 27th and 28th, 2014