Six health privacy experiments that should *NEVER* be carried out



In April 2004, a bold experiment by the Infosecurity Tradeshow in London proved what everyone suspected: over 70% of people passing through Liverpool Street Station would reveal their password in exchange for candy (nobody checked whether the passwords handed over were real, so the figure measures willingness to say a password rather than confirmed leakage). Some commentators applauded this validation of a previously unproven assumption about Londoners' attitudes towards password secrecy. Other commentators had serious ethical concerns with the experiment.

This candy-for-password experiment got me thinking about health privacy/security experiments. Many suspect that the healthcare system has serious human and technical privacy vulnerabilities, but how can we validate this suspicion? Would a patient hand over their provincial health number for a chocolate bar? Would a medical professional hand over a patient’s information for a chai latte? The more I thought about it, the more extreme – and both frightening and funny – the research projects became.

Speaker notes
  • Thesis: Patients will trust claims of anonymity when the technicalities of how personally identifying information gets disclosed are not immediately obvious.
    Experiment: A group of patients with a common diagnosis are separately invited to call into a support group conference call where they do not divulge their identities. What proportion of patients will make the call? Will that proportion increase with incentives? Do patients understand that the phone number from which they made the call is disclosed to multiple parties? (Caller ID reaches the conference service no matter what the caller says on the call, and the host's participant list may show it to everyone else.)
    Photo credit:
    … on your phone. Turn the volume way up. Now dial this number…
  • Thesis: Patients are exposing their medical history in ways that may negatively impact their long-term future: employment, insurance, etc.
    Scenario: Conduct deep open source research on a population to determine what proportion have exposed potentially damaging health information, in terms of employment, insurance, etc. A follow-up research effort could include understanding how difficult it is to remove such material.
    Photo credit:
  • This woman blogged about her heart surgery in gruelling detail and provided this photograph of her wrist bands.
    Photo credit:
  • Not all patient groups seem ignorant of their online privacy. The issue of the disclosure of PHI in social media is clearly more complicated than it seems on the surface.
  • What about auditing the medical social networking sites?
  • Thesis: Healthcare facilities relying on Wi-Fi are vulnerable to very simple Wi-Fi attacks.
    Scenario: Establish a rogue free Wi-Fi access point covering the target facility. DoS the legitimate Wi-Fi network. Monitor the rogue network for PHI.
  • Thesis: As demonstrated by the "candy for password" story, patients will readily part with sensitive personal information for minimal incentive.
    Scenario: Nothing more than a health sector phishing campaign. It could be QR code driven, but need not be.
  • You know that link in that suspicious email? The one that, if you follow it, will infect your computer with a virus? Every QR code is just like that link, except that you cannot even read it before following it (at best, your scanner app shows you the decoded URL first).
    We ran a QR code campaign two years in a row at the Red Deer career fair under the auspices of the Canadian Information Processing Society. In 2012 we scattered about 200 QR codes around the venue and received 80 views; 45 of these followed the map to our booth. In 2013 we were not allowed to scatter the codes around, so they put the code in the fair's flyer. We received 6 views (one was my colleague) and no one claimed to have followed the map to our booth.
  • Thesis: Canadian acute care networks are not capable of withstanding a sustained remote attack. If validated, there are policy implications ranging from a) determining the magnitude of the risk, to b) privacy compliance questions, to c) the exposure of critical infrastructure to terrorist attack.
    Scenario: Carry out a military-style red team vs. blue team exercise on operational acute care networks, or at least create a realistic simulation of an operational acute care network as the battlespace.
    Photo credit:
  • Do the bad guys respect the prohibition on "breaking the rules", whether on airplanes or on acute care networks? Until you test it, all you know is that it is theoretically secure. So what do you do when it matters, but you cannot test it?
  • Thesis: A mystical practitioner (psychic, fortune teller, numerologist, etc.) not only could make a lot of money in a healthcare facility but would be a significant privacy risk while doing so.
    Scenario: A psychic entertainer "reads minds" in a hospital lobby or cafeteria and comes away with a pocket full of PHI.
  • Credit to Dr. Khaled El Emam.
    Thesis: Physicians are at least as vulnerable to cyber-attack vectors based on user naïveté and social engineering as other groups. If this hypothesis can be validated it has significant impact on health privacy policy because of the privileged access to PHI afforded to physicians.
    Experiment: Distribute specially crafted malware to physicians via USB sticks at medical conferences, by direct mail and other targeted methods. This malware is designed to be innocuous; its only function is to "call home" to the researcher's simulated command and control server. How many physicians will run the malware?
    Image credits:
  • Thesis: An individual perceived as non-threatening and therapeutic in a clinical setting could gather significant PHI.
    Scenario: A balloon-twisting clown visits acute care wards and, with either overt or hidden cameras, photographs charts, wrist bands, monitors, nursing station boards, etc. while going about his entertainment activities. Just as everyone trusts someone in a lab coat holding a clipboard, no one suspects a clown.
    Photo credit:
  • Photo credit: Fujitsu
  • Rusty Capps, "The Spy Who Came to Work," Security Management, February 1997.
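The Wi-Fi scenario in the notes (rogue free access point, DoS on the legitimate network, monitor the rogue for PHI) and the talk's own countermeasure (a wireless incident response team, because there is no defence against the DoS itself) both come down to one question for the facility: can you see it happening? What follows is an added example, not code from the talk or from Fujitsu, of the detection side. Given 802.11 management-frame observations of the kind a monitor-mode capture yields, it flags beacons that advertise a managed SSID from an unknown BSSID, beacons that advertise a managed SSID with weaker security than policy requires, open networks whose name borrows the facility's SSID, and a deauthentication flood aimed at a managed radio. The SSIDs, BSSIDs, policy table and frame records are all constructed for the example.

```python
"""Evil-twin and deauthentication-flood detection over 802.11 management frames.

Added example (not from the talk). Frame records are constructed to resemble
fields pulled from a monitor-mode capture; every SSID, BSSID and timestamp is
invented.
"""
from collections import defaultdict

# Constructed inventory: which radios may advertise each managed SSID and the
# minimum security the policy requires for it.
KNOWN_APS = {
    "MercyGeneral-Clinical": {
        "bssids": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
        "security": "WPA2-EAP",
    },
}

# Higher rank = stronger. Anything below the policy rank is a downgrade.
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA2-PSK": 2, "WPA2-EAP": 3}


def find_rogue_aps(frames, known=KNOWN_APS):
    """Return (ssid, bssid, reason) for each beacon that impersonates,
    downgrades or imitates a managed SSID."""
    findings = []
    seen = set()
    for f in frames:
        if f["type"] != "beacon":
            continue
        ssid, bssid, sec = f["ssid"], f["bssid"].lower(), f["security"]
        if (ssid, bssid) in seen:          # one finding per advertised network
            continue
        seen.add((ssid, bssid))
        if ssid in known:
            policy = known[ssid]
            if bssid not in policy["bssids"]:
                findings.append((ssid, bssid, "unknown BSSID advertising a managed SSID"))
            elif SECURITY_RANK[sec] < SECURITY_RANK[policy["security"]]:
                findings.append((ssid, bssid, f"security downgraded to {sec}"))
        elif sec == "OPEN":
            # An open network that borrows the facility's name is the classic
            # "free Wi-Fi" lure for staff and patients alike.
            for managed in known:
                if managed.split("-")[0].lower() in ssid.lower():
                    findings.append((ssid, bssid, f"open look-alike of {managed}"))
    return findings


def detect_deauth_flood(frames, window_s=10.0, threshold=50):
    """Map BSSID -> peak deauth count for any BSSID that saw `threshold` or
    more deauthentication frames inside a sliding window of `window_s` seconds.

    A few deauths per minute is normal roaming; dozens per second against one
    BSSID is a jammer pushing clients off the legitimate network so they will
    associate with whatever is still advertising.
    """
    by_bssid = defaultdict(list)
    for f in frames:
        if f["type"] == "deauth":
            by_bssid[f["bssid"].lower()].append(f["ts"])
    flagged = {}
    for bssid, times in by_bssid.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[bssid] = max(flagged.get(bssid, 0), count)
    return flagged


# Constructed capture: one legitimate beacon, an evil twin on a PSK, an open
# look-alike, then 80 deauths in four seconds aimed at the legitimate radio.
SAMPLE_FRAMES = [
    {"type": "beacon", "ssid": "MercyGeneral-Clinical", "bssid": "00:11:22:aa:bb:01",
     "security": "WPA2-EAP", "ts": 0.0},
    {"type": "beacon", "ssid": "MercyGeneral-Clinical", "bssid": "de:ad:be:ef:00:01",
     "security": "WPA2-PSK", "ts": 0.1},
    {"type": "beacon", "ssid": "MercyGeneral Free WiFi", "bssid": "de:ad:be:ef:00:02",
     "security": "OPEN", "ts": 0.2},
] + [{"type": "deauth", "bssid": "00:11:22:aa:bb:01", "ts": 1.0 + i * 0.05}
     for i in range(80)]


def analyse(frames=SAMPLE_FRAMES):
    """Run both detectors over a frame list; returns (rogue findings, floods)."""
    return find_rogue_aps(frames), detect_deauth_flood(frames)


if __name__ == "__main__":
    rogues, floods = analyse()
    for finding in rogues:
        print("ROGUE", *finding)
    for bssid, peak in floods.items():
        print(f"DEAUTH FLOOD {bssid}: {peak} frames in a 10 s window")
```

The deauth threshold and window are tuning knobs: a large facility with aggressive client roaming will need a higher threshold than a single clinic, so baseline the normal rate before alerting on it.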
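The phishing notes (a health sector campaign, QR code driven or not, where the QR code cannot be read before it is followed) and the talk's own advice for the survey (HTTPS and your own domain, because otherwise anyone can impersonate the site) both reduce to a check that a scanner app or mail gateway should apply before opening a link. The following is an added example, not code from the talk or from Fujitsu: a Python function that accepts a link only if it is HTTPS and its host is the expected survey domain or a subdomain of it, and rejects the tricks a phishing link uses to look legitimate: credentials before an "@" that push the real host out of view, the trusted name reused as a leading label of an attacker's domain, and non-ASCII or punycode hosts. The survey domain and the sample URLs are invented.

```python
"""Validate a survey link before following it: HTTPS and the expected domain.

Added example (not from the talk). SURVEY_DOMAIN and the URLs in SAMPLE_URLS
are invented for the demonstration.
"""
from urllib.parse import urlsplit

SURVEY_DOMAIN = "survey.example-ehr.test"   # constructed: where the real survey lives


def check_survey_link(url, trusted_domain=SURVEY_DOMAIN):
    """Return (ok, reason). ok is True only for an https URL whose host is
    `trusted_domain` or a subdomain of it."""
    trusted = trusted_domain.lower().rstrip(".")
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme != "https":                # urlsplit lower-cases the scheme
        return False, f"scheme is {parts.scheme or 'missing'!r}, not https"
    if parts.username is not None or parts.password is not None:
        # https://survey.example-ehr.test@evil.test/ : everything before '@' is
        # userinfo and the browser goes to evil.test.
        return False, "credentials before '@' hide the real host"
    host = (parts.hostname or "").rstrip(".")  # hostname strips the port, lower-cases
    if not host:
        return False, "no host"
    if not host.isascii():
        return False, "non-ASCII host (possible homograph)"
    if host.startswith("xn--") or ".xn--" in host:
        return False, "punycode host (possible homograph)"
    if host == trusted or host.endswith("." + trusted):
        return True, "ok"
    # Catches survey.example-ehr.test.evil.test, where the trusted name is a
    # leading label rather than the registrable suffix.
    return False, f"host {host!r} is not under {trusted!r}"


# Constructed URLs: one legitimate link, one legitimate subdomain, and the
# usual look-alikes.
SAMPLE_URLS = [
    "https://survey.example-ehr.test/s?id=1234",
    "HTTPS://FORMS.SURVEY.EXAMPLE-EHR.TEST:8443/s",
    "http://survey.example-ehr.test/s?id=1234",
    "https://survey.example-ehr.test@evil.test/s",
    "https://survey.example-ehr.test.evil.test/s",
    "https://xn--survy-1ra.example-ehr.test/s",
    "https://survéy.example-ehr.test/s",
]


def triage(urls=SAMPLE_URLS):
    """Map each URL to its (ok, reason) verdict."""
    return {u: check_survey_link(u) for u in urls}


if __name__ == "__main__":
    for url, (ok, reason) in triage().items():
        print("ALLOW" if ok else "BLOCK", url, "-", reason)
```

The domain check is deliberately an exact-or-subdomain match on one name; an allow-list of several survey hosts is the same test run in a loop. A squatted look-alike domain that is merely similar (an extra letter, a different TLD) is caught here only because it is not the trusted name, which is the point of putting the survey on a domain you control.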
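The medical-malware experiment describes a sample whose only behaviour is to "call home" to a command and control server, which is also the traffic pattern the talk's common malware model draws: infected laptop, tablet and smartphone each polling the C2 server on a timer. The following is an added example, not code from the talk or from Fujitsu, of how a defender finds that pattern: a Python script that reads proxy-style log lines and flags source/destination pairs whose connections recur at a near-constant interval, the signature of a timer rather than a person browsing. The log format, hostnames, addresses and timestamps are constructed; real proxy logs (Squid or a web gateway) need a different parser but the same interval statistics.

```python
"""Find command-and-control beaconing in proxy logs by interval regularity.

Added example (not from the talk). The log lines are constructed; the format
"timestamp src_ip dst_host bytes" is invented for the demonstration.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed: one workstation browsing the EHR portal at irregular moments
# while something on it polls c2.example.test roughly every 60 seconds.
SAMPLE_LOG = """\
2013-06-03T09:00:00 10.20.30.41 portal.example-ehr.test 48211
2013-06-03T09:00:00 10.20.30.41 c2.example.test 318
2013-06-03T09:00:03 10.20.30.41 portal.example-ehr.test 9034
2013-06-03T09:00:40 10.20.30.41 portal.example-ehr.test 122870
2013-06-03T09:00:41 10.20.30.41 portal.example-ehr.test 3011
2013-06-03T09:01:01 10.20.30.41 c2.example.test 318
2013-06-03T09:01:59 10.20.30.41 c2.example.test 320
2013-06-03T09:02:00 10.20.30.41 portal.example-ehr.test 56700
2013-06-03T09:03:00 10.20.30.41 c2.example.test 318
2013-06-03T09:04:01 10.20.30.41 c2.example.test 318
2013-06-03T09:05:00 10.20.30.41 c2.example.test 319
2013-06-03T09:05:59 10.20.30.41 c2.example.test 318
2013-06-03T09:07:01 10.20.30.41 c2.example.test 318
2013-06-03T09:08:00 10.20.30.41 c2.example.test 318
2013-06-03T09:08:20 10.20.30.41 portal.example-ehr.test 77120
2013-06-03T09:08:25 10.20.30.41 portal.example-ehr.test 2210
2013-06-03T09:09:00 10.20.30.41 c2.example.test 318
2013-06-03T09:10:01 10.20.30.41 c2.example.test 318
2013-06-03T09:10:59 10.20.30.41 c2.example.test 318
2013-06-03T09:15:00 10.20.30.41 portal.example-ehr.test 40960
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, dst, int(nbytes)


def find_beacons(records, min_hits=8, max_cv=0.1):
    """Return {(src, dst): stats} for pairs whose inter-connection gaps have a
    coefficient of variation (stdev / mean) at or below `max_cv`.

    Humans produce bursty, wildly varying gaps; a timer produces gaps that
    differ only by jitter. min_hits keeps a handful of coincidental
    connections from being called a beacon.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[pair] = {"count": len(times),
                             "period_s": round(mean, 1),
                             "cv": round(cv, 3)}
    return beacons


def analyse(text=SAMPLE_LOG):
    """Parse the log text and return the beaconing pairs found in it."""
    return find_beacons(parse_log(text))


if __name__ == "__main__":
    for (src, dst), stats in analyse().items():
        print(f"{src} -> {dst}: {stats['count']} hits, "
              f"period {stats['period_s']} s, cv {stats['cv']}")
```

In the constructed log the portal traffic has eight hits but gaps ranging from one second to several minutes, so it is not reported; the twelve C2 hits sit within a second or two of a 60-second period and are. Malware that randomises its sleep widely defeats this single statistic, which is why production detections also look at uniform request sizes and at the long-run count of connections per destination.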
Slide transcript

    1. Six Health Privacy Experiments That Should Never Be Conducted. WCHIPS 2013, Winnipeg. Chris Hammond-Thrasher, Associate Director, Security, Privacy and Compliance, Fujitsu Canada. (All slides © Fujitsu Canada.)
    2. Section divider: 1
    3. Phone Disclosure
    4. Conference Number. "Dial into the XYZ Disease / Syndrome / Dysfunction Conference Call Now! 204-800-5580"
    5. Section divider: 2
    6. Social Media
    7. (image only)
    8. Long Memory
    9. Long Memory
       • Version 1.0 of the NCSA Mosaic browser was released in November 1993
       • Netscape Navigator was released in December 1994
       • TELUS launched commercial Internet services in 1995
       • Facebook launched in February 2004
    10. Teens on Facebook. "Self-definition is about identity, one's needs and attitudes, and the presentation of the self to others. Teenage patients present themselves on Facebook as regular teenagers. They do not write public status updates about their stays at CHEO or the treatments they receive." (Van der Velden and El Emam, 2012)
    11. (image only)
    12. Section divider: 3
    13. A Simple Wi-Fi Attack
    14. The Demonstration Network. Join now! SSID: wchips2013. Password: wchips2013
    15. Countermeasures
        The basics: Any Wi-Fi network with significant security requirements must be configured to use WPA2-Enterprise. No exceptions.
        VPNs are excellent defenses when moving sensitive data across non-trusted networks, but there is no completely safe way to connect to and use a hostile Wi-Fi network.
        There is no good defense to Wi-Fi denial of service. The best that you can do is have a good wireless incident response team on hand.
    16. Section divider: 4
    17. Win an iPad Mini!
    18. (image only)
    19. Phishing Discussion
        Use HTTPS and put the survey on your own domain, i.e. …
        Without HTTPS I can try to impersonate the site and phish for personal health information.
        As of last night, … is available for purchase (they used …). … has been purchased by a domain squatter.
    20. QR Code Phishing
    21. Section divider: 5
    22. Hospital Netwars
    23. (image only)
    24. Section divider: 6
    25. Healthcare Mysticism
    26. Section divider: 7
    27. Medical Malware
    28. A Common Malware Model (diagram): Command and Control Server; Infected Laptop; Infected Tablet; Infected Smartphone
    29. Section divider: 8
    30. Balloon Clown Audit
    31. Section divider: 9
    32. Elicitation
    33. Definition: "Elicitation". "In the spy trade, elicitation is the term applied to subtle extraction of information during an apparently normal and innocent conversation. Most intelligence operatives are well trained to take advantage of professional or social opportunities to interact with persons who have access to classified or other protected information. Conducted by a skillful intelligence collector, elicitation appears to be normal social or professional conversation and can occur anywhere – in a restaurant, at a conference, or during a visit to one's home. But it is conversation with a purpose, to collect information about your work or to collect assessment information about you or your colleagues."
    34. Elicitation Plan
        Goal: Elicit personal information on at least one individual
        Method: Seek advice on when teenage girls should start dating as a way to get a parent talking about their own children
        Objectives: Parent's Name ________; Target's Name ________; Relationship ________; Target's Gender ________; Target's Birthday ________
        Achieved ________ of five objectives
    35. Section divider: C
    36. Bibliography
        • Capps, Rusty. "The Spy Who Came to Work." Security Management, February 1997.
        • *Celent. Using Social Data in Claims and Underwriting.
        • Hadnagy, Chris. Social Engineering: The Art of Human Hacking. Wiley, 2011.
        • Li, Jingquan. "Privacy Policies for Health Social Networking Sites." Journal of the American Medical Informatics Association, March 2013.
        • Malin, El Emam and O'Keefe. "Biomedical Data Privacy: Problems, Perspectives, and Recent Advances." Journal of the American Medical Informatics Association, January 2013.
        • Van der Velden, El Emam. "'Not All My Friends Need to Know': A Qualitative Study of Teenage Patients, Privacy, and Social Media." Journal of the American Medical Informatics Association, July 2012.
        *Subscription required.
        (Hammond-Thrasher, Six Health Privacy Experiments, 2013)
    37. Conclusions
        There are significant challenges facing privacy professionals and academic researchers who want to understand real risk, including research ethics, research funding, and the reputational concerns of personal health information custodians.
        The reality of the real risk scenarios examined today is that the threat agents – whether insiders or outsiders – are not bound by the constraints that govern privacy and security professionals.
        Van der Velden and El Emam's paper on sick teens using Facebook is a warning about the complexity of real risk – our assumptions about how good or bad things may be need to be tested.
    38. Challenge Questions. For you, is the title of this talk a true statement? Should experiments like these *NEVER* be performed? Are some acceptable and not others? And if so, why? Please email your answers
    39. Chris Hammond-Thrasher, Associate Director, Consulting, Security, Privacy and Compliance, Fujitsu