It security in healthcare
IT Security For People in Healthcare and Research Environments.
Transcript

  • 1. Information Security in Healthcare Environments
    Nicholas A. Davis, CISA, CISSP
    Information Security Architect
    University of Wisconsin-Madison, Division of Information Technology (DoIT)
  • 2. Introduction
    • Background
    • Thank you for the invitation
    • Today's topic: Information Security in Healthcare Environments
    • HIPAA and PHI controls
    • Healthcare environment vulnerability
    • Social engineering
    • Precautions you can take
    • Q&A session
  • 3. HIPAA and PHI Controls
  • 4. HIPAA Obligations
    Information covered by HIPAA must be protected for:
    1. Confidentiality: only those with a need to know can see the information.
    2. Integrity: only those authorized to alter the information can do so.
    3. Availability: the information can be accessed by those who are authorized to view it.
  • 5. Protected Identifiers
    • Name (full or partial)
    • Address
    • Specific dates (day and month), but not year
    • Telephone number
    • Fax number
    • Email address
    • Web page address
    • Computer IP address
    • Social Security Number
    • Account identification numbers
    • License identification numbers
    • Medical record numbers
    • Health plan beneficiary numbers
    • Medical device identifiers, such as serial numbers
    • Associated vehicle VINs and other vehicle identification information
    • Any biometric identifier (fingerprint, eye scan, etc.)
    • Photos and images
    • Anything else which can be used to identify a person
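    Several of the identifiers on this slide have a fixed, machine-recognizable shape, which is what makes automated redaction of chart text or research extracts possible before sharing. The Python below is an added example written for this page, not code from the presentation or from UW-Madison: a regex scrubber for the structured identifiers listed above (SSN, phone, email, IP address, URL, medical record number, and dates with the year preserved, as the slide describes). The "MRN: 8 digits" format and the sample note are constructed assumptions; names, addresses, device serials and other free-text identifiers are out of scope for a regex and need a dictionary or NER pass.

```python
import re

# Patterns for the identifiers on the slide that have a machine-recognizable
# shape. Order matters: MRN and SSN run before PHONE so that a digit run is
# not partially consumed by a looser pattern. The MRN format ("MRN: 8 digits")
# is an assumption standing in for whatever the local system uses.
PATTERNS = [
    ("MRN",   re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE)),
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("URL",   re.compile(r"\bhttps?://\S+", re.IGNORECASE)),
    ("IP",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]

# Dates are handled separately: the slide keeps the year and strips the
# month and day, so "03/14/1962" becomes "[DATE]/1962".
DATE = re.compile(r"\b(0?[1-9]|1[0-2])/(0?[1-9]|[12]\d|3[01])/((?:19|20)\d{2})\b")


def scrub(text):
    """Return (redacted_text, {label: count}) for the identifiers above.

    Names, street addresses, device serials and other free-text identifiers
    are deliberately out of scope: they need a dictionary or NER pass.
    """
    counts = {}

    def keep_year(match):
        counts["DATE"] = counts.get("DATE", 0) + 1
        return "[DATE]/" + match.group(3)

    text = DATE.sub(keep_year, text)
    for label, pattern in PATTERNS:
        text, n = pattern.subn("[" + label + "]", text)
        if n:
            counts[label] = n
    return text, counts


# Constructed sample note; no real patient data.
SAMPLE_NOTE = (
    "Pt John Smith, DOB 03/14/1962, MRN: 00482913, SSN 123-45-6789, "
    "phone (608) 555-0147, email jsmith@example.org, portal login from "
    "10.1.2.3 on 12/01/2013, see https://portal.example.org/chart/55 for details."
)

if __name__ == "__main__":
    redacted, counts = scrub(SAMPLE_NOTE)
    print(redacted)
    print(counts)
```

    Run on the sample note, the patient name survives while every structured identifier is replaced and both dates lose their month and day but keep the year; the counts dictionary is what an audit log would record. Treat the output as a first pass, not a Safe Harbor certification.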
  • 6. Types of Controls
    • Technical controls
    • Administrative controls
    • Some examples; consider your facility
    • Benefits and drawbacks of each
  • 7. Types of Controls
    Administrative controls:
    • Easy to implement
    • Inexpensive
    • Flexible
    Work best in environments in which people want to do the "right thing".
    Technical controls:
    • Complex to implement
    • Costly
    • Stringent
    Work best in environments in which adherence by everyone is critical.
  • 8. Information Leakage
    Common points of HIPAA information leakage are:
    • Video monitors
    • Printers
    • Fax machines
    • Copiers
    • Unprotected trash bins
    The best way to prevent information leakage is to practice the Minimum Necessary Standard, which means that you should only access the minimum amount of HIPAA-related information necessary to perform your job.
  • 9. Preventing Information Leakage
    • Create and use a data storage policy, including lifecycle management
    • Never leave HIPAA information unprotected, electronically or physically
    • Don't make unnecessary copies
    • Destroy electronic media and paper copies containing HIPAA-related information according to appropriate standards before disposing of them
  • 10. HIPAA-Sensitive Behaviors
    • Lockdown cables for computers
    • Locked office area; lock desk drawers
    • Use strong passwords which adhere to best practices
    • Log out when not in use
    • Consider using a screen privacy filter to limit visibility
    • Antivirus, patching of the operating system, etc.
    • Don't install unauthorized software on your computer
    • Don't use file sharing services
  • 11. Portable Devices• Any mobile device containing HIPAA information, should be encrypted and access protected• This includes portable USB hard disks, flash drives, etc.• Best idea is not to use mobile devices for HIPAA related work
  • 12. How Computers Become Vulnerable to e-PHI Leaks
    • Infected email attachments
    • Computer software from non-secure sources
    • Websites
    • Files stored on external electronic or magnetic storage media
  • 13. HIPAA Security Summary • Avoid risks associated with malicious computer software • Protect against unauthorized use of system user IDs and passwords • Protect portable devices • Adhere to policies and procedures • Consider using dedicated computers • Report suspected incidents
  • 14. Availability -Having a Plan B• Systems must be available when needed• When things don’t work as planned, there must be an alternate method of access• No single point of failure is appropriate when it comes to healthcare system access• Plan your systems for the worst case scenario
  • 15. Healthcare Environment Vulnerability
  • 16. Equipment
    • Diagnostic equipment
    • Workstations
    • Anything with an input
    • Anything connected via a network
  • 17. Theoretical Example
    • Nick's visit to Immediate Care last night
    • Staff member locks screen, leaves room
    • Alone in exam room with computer
    • The computer appears secured, but is it?
  • 18. How Is the Computer Vulnerable?
    • USB port
    • CD drive
  • 19. Keyloggers
    • Tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored
    • Software or hardware based
  • 20. Lesson Learned
    Physically limit the number of methods for machine input:
    • USB ports
    • CD/DVD drive
    When possible, the machine itself should be physically secured or encased.
    When possible, do not leave the machine unattended.
  • 21. Social Engineering
  • 22. Technology Is Not the Entire Answer
    Strong computer security has two components:
    • The technology: passwords, encryption, endpoint protection such as anti-virus
    • The people: you, your customers, your business partners
  • 23. Social Engineering
    The art of manipulating people into performing actions or divulging confidential information. It is typically trickery or deception for the purpose of information gathering, fraud, or computer system access.
  • 24. Most Popular Type of Social Engineering
    Pretexting: an individual lies to obtain privileged data. A pretext is a false motive.
    Pretexting is a fancy term for impersonation.
    A big problem for computer help desks in all organizations.
    Example:
  • 25. Let’s Think of a Common Pretexting Example Dear Windows User, It has come to our attention that your Microsoft windows Installation records are out of date. Every Windows installation has to be tied to an email account for daily update. This requires you to verify the Email Account. Failure to verify your records will result in account suspension. Click on the Verify button below and enter your login information on the following page to Confirm your records. Thank you, Microsoft Windows Team.
  • 26. Warning Signs of Social Engineering• You are made to feel as if you are doing something wrong• You are being pressured into performing an action• There is a sense of urgency and immediacy• There is no way to confirm the veracity of that which is claimed
  • 27. Phishing• Deception, but not just in person• Email• Websites• Facebook status updates• Tweets• Phishing, in the context of the healthcare working environment is extremely dangerous
  • 28. Don’t Touch That QR Code• Just as bad as clicking on an unknown link• Looks fancy and official, but is easy to create
  • 29. What Phishing Looks Like• As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows.• They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.
  • 30. Techniques for Phishing
    • Employ visual elements from the target site
    • Domain and URL tricks:
      • www.ebay.com.kr (a separately registered domain that merely starts with the brand name)
      • www.ebay.com@192.168.0.5 (everything before the @ is user-info, not the host; the browser connects to 192.168.0.5)
      • www.gooogle.com (a look-alike domain with one extra letter)
    • JavaScript attacks
    • Spoofed SSL lock icons and certificates
    • Phishers can acquire valid certificates for domains they own
    • Certificate authorities make mistakes
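    To make the three URL tricks on this slide concrete, here is an added Python example, written for this page rather than taken from the presentation, that reports the host a browser would actually connect to and flags each deception pattern. The list of protected brand domains is a constructed assumption, and the "last two labels" stand-in for the registrable domain would need the Public Suffix List in real use.

```python
import re
from urllib.parse import urlsplit

# Domains we want to protect against impersonation; constructed list (assumption).
PROTECTED_DOMAINS = ["ebay.com", "google.com", "amazon.com"]
IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def levenshtein(a, b):
    """Edit distance, used to catch look-alikes such as gooogle.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def real_host(url):
    """(host, userinfo): the host a browser will actually connect to."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.username


def analyze_url(url):
    """Return (code, detail) findings for the deception patterns on the slide."""
    host, userinfo = real_host(url)
    findings = []
    if userinfo is not None:
        # user:pass@host syntax: the brand name sits in the user-info part,
        # the connection goes to whatever follows the @.
        findings.append(("userinfo", userinfo))
    if IPV4.fullmatch(host):
        findings.append(("ip-host", host))
    # Last two labels as a stand-in for the registrable domain; real code
    # should consult the Public Suffix List (co.uk, com.kr, ...).
    apex = ".".join(host.split(".")[-2:])
    for brand in PROTECTED_DOMAINS:
        if host == brand or host.endswith("." + brand):
            continue                                       # genuinely under the brand
        if brand in host:
            findings.append(("brand-in-label", brand))     # ebay.com.kr, google.com.evil.net
        elif 0 < levenshtein(apex, brand) <= 2:
            findings.append(("lookalike", brand))          # gooogle.com
    return findings


if __name__ == "__main__":
    for u in ["www.ebay.com.kr", "www.ebay.com@192.168.0.5", "www.gooogle.com",
              "https://signin.ebay.com/ws/"]:
        print(f"{u:30} host={real_host(u)[0]:14} {analyze_url(u)}")
```

    The userinfo case is the one users most often misread: the string before the @ is shown prominently, but `urlsplit` (like a browser) treats it as credentials and connects to the IP address. Modern browsers strip or warn on such URLs, but mail clients and URL previews frequently do not.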
  • 31. Let’s Talk About Facebook• So important, it gets its own slide!• Essentially unauthenticated – discussion• Three friends and you’re out! - discussion• Privacy settings mean nothing – discussion• Treasure Trove of identity information• Games as information harvesters
  • 32. Socially Aware Phishing
  • 33. Context Aware
    "Your bid on eBay has won!"
    "The books on your Amazon wish list are on sale!"
  • 34. Seems Suspicious
  • 35. Too Good to be True, Even When It Is Signed
  • 36. Detecting Fraudulent Email
    Information requested is inappropriate for the channel of communication: "Verify your account." Nobody should ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail.
    Urgency and a potential penalty or loss are implied: "If you don't respond within 48 hours, your account will be closed."
  • 37. Detecting Fraudulent Email
    "Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.
  • 38. A Note on Spear Phishing• Designed especially for you• Includes your name• May reference an environment or issue you are aware of and familiar with• Asks for special treatment, with justification for the request
  • 39. Passwords
    Your password is your electronic key to valuable resources.
    • Sharing – toothbrush discussion
    • Theft – discussion
    • Password rotation – discussion
  • 40. Creating a Strong Password
    The following two rules are the bare minimum you should follow when creating a password.
    Rule 1 – Password length: use passwords that are at least 8 characters long. The more characters in the password the better, because the time an attacker needs to crack it grows with its length; 10 characters or longer is better still.
    Rule 2 – Password complexity: include at least one character from each of the following four classes:
  • 41. Creating a Strong Password
    1. Lower case letters
    2. Upper case letters
    3. Numbers
    4. Special characters
    Use the "8 4 Rule":
    8 = 8 characters minimum length
    4 = 1 lower case + 1 upper case + 1 number + 1 special character
    Do not use a password strength checking website! Any ideas why this is a bad idea?
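    The 8 4 Rule is easy to check mechanically, and checking it mechanically also shows its limit: composition rules accept short, predictable strings such as "Password1!" and reject long passphrases that are far harder to guess. The Python below is an added example for this page, not the presenter's code. It implements the slide's 8 4 Rule beside a length-plus-blocklist policy in the direction of NIST SP 800-63B, and a crude brute-force search-space estimate that quantifies the slide's "more characters is better" claim. The blocklist and the 14-character minimum are assumptions chosen for illustration.

```python
import string

SYMBOLS = set(string.punctuation) | {" "}

# Constructed stand-in for a breached-password blocklist (assumption).
COMMON_PASSWORDS = {
    "password", "password1", "password1!", "welcome1", "letmein",
    "qwerty123", "summer2013", "changeme", "admin123",
}


def character_classes(pw):
    """Which of the four 8 4 Rule classes does the password use?"""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in SYMBOLS for c in pw),
    }


def meets_8_4_rule(pw):
    """Slide 41: at least 8 characters and one character from each class."""
    return len(pw) >= 8 and all(character_classes(pw).values())


def meets_length_first_policy(pw, min_len=14):
    """Alternative: a length floor and a blocklist, no composition rules.

    Follows the direction of NIST SP 800-63B (screen against known-bad
    passwords, do not mandate character mixes); the 14-character floor is an
    assumption for this example.
    """
    if len(pw) < min_len:
        return False
    core = pw.lower().strip(string.punctuation + string.digits)   # "Password1!!!!!" -> "password"
    if pw.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        return False
    return len(set(pw)) >= 4                                        # reject "aaaa..."-style filler


def brute_force_space(pw):
    """Search space an attacker must cover knowing only length and classes used.

    Dictionary words make a real attack far cheaper than this number suggests,
    which is why the blocklist above matters as much as length.
    """
    classes = character_classes(pw)
    size = (26 * classes["lower"] + 26 * classes["upper"]
            + 10 * classes["digit"] + len(SYMBOLS) * classes["special"])
    return size ** len(pw)


def compare(pw):
    return {
        "8_4_rule": meets_8_4_rule(pw),
        "length_first": meets_length_first_policy(pw),
        "search_space": brute_force_space(pw),
    }


if __name__ == "__main__":
    for pw in ["Password1!", "Summer2013!", "correct horse battery staple", "aaaaaaaaaaaaaa"]:
        print(f"{pw!r:32} {compare(pw)}")
```

    "Password1!" satisfies every line of the 8 4 Rule and is still one of the first guesses an attacker tries; the 28-character lowercase passphrase fails the rule yet has a search space many orders of magnitude larger. The practical reading of the slide is: treat 8 and 4 as a floor, and make length the real goal.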
  • 42. Adware, Malware, Spyware
    • Malware – the general term for any unwanted software designed to cause harm; adware and spyware are two kinds of malware
    • Adware – unwanted advertising software, which is usually noticed by the user
    • Spyware – unwanted software which goes unnoticed and harvests your personal information
    Use endpoint protection!
  • 43. Adware, Malware, Spyware
    How these get on your computer:
    • Email
    • Web pages
    • Downloaded software
    • CD, USB flash drive
    • Sometimes, out of the box
  • 44. Trojan Malware
  • 45. Baiting
    "Hey, look! A free USB drive!"
    "I wonder what is on this confidential CD which I found in the bathroom?"
    These are vectors for malware! They play on your curiosity or desire to get something for nothing. Don't be a piggy!
  • 46. Precautions You Can Take
  • 47. A Note About Out of Office Assistant
    Use the Out of Office responder in a responsible manner: minimum necessary information.
  • 48. Physical Security• The UW is a fairly open and shared physical environment• Seeing strangers is normal, we won’t know if they are here as friend or foe• Lock your office• Lock your desk• Lock your computer• Criminals are opportunistic• Even if you are just gone for a moment• Report suspicious activity to your administration and UW Police• If you have an IT related concern, contact the Office of Campus Information Security
  • 49. Sharing Information With The Public• The University of Wisconsin is an open environment• However, on occasion, this open nature can be exploited by people with nefarious intent• Don’t volunteer sensitive information• Only disclose what is necessary• Follow records retention policies• When in doubt, ask for proof, honest people will understand, dishonest people will become frustrated
  • 50. Looking In the Mirror• Which types of sensitive information do you have access to?• What about others who share the computer network with you?• The threat from within may exceed external threats• File sharing software and services• Think about the implications associated that data being stolen and exploited!
  • 51. Traveling With Sensitive Information• Minimum amount necessary• Don’t send as checked baggage• When going through security at the airport, place computer as last item on conveyer belt and time your walk through concurrently
  • 52. Questions and Discussion
    Nicholas Davis
    ndavis1@wisc.edu
    608-262-3837
    facebook.com/nicholas.a.davis