Six health privacy experiments that should *NEVER* be carried out

In April 2004, a bold experiment by the Infosecurity Tradeshow in London proved what everyone suspected: over 70% of people passing through Liverpool Street Station would reveal their password in exchange for candy (http://news.bbc.co.uk/2/hi/technology/3639679.stm). Some commentators applauded this validation of a previously unproven assumption about Londoners' attitudes towards password secrecy. Other commentators had serious ethical concerns with the experiment.

This candy-for-password experiment got me thinking about health privacy/security experiments. Many suspect that the healthcare system has serious human and technical privacy vulnerabilities, but how can we validate this suspicion? Would a patient hand over their provincial health number for a chocolate bar? Would a medical professional hand over a patient’s information for a chai latte? The more I thought about it, the more extreme – and both frightening and funny – the research projects became.

Notes
  • Thesis: Patients will trust claims of anonymity when the technicalities of disclosure of personally identifying information are not immediately obvious.
    Experiment: A group of patients with a common diagnosis are separately invited to call into a support group conference call where they do not divulge their identities. What proportion of patients will make the call? Will that proportion increase with incentives? Do patients understand that the phone number from which they made the call is disclosed to multiple parties?
    Photo credit: http://www.flickr.com/photos/seattlemunicipalarchives/
    Turn on your phone. Turn the volume way up. Now dial this number…
  • Thesis: Patients are exposing their medical history in ways that may negatively impact their long-term future – employment, insurance, etc.
    Scenario: Conduct deep open source research on a population to determine what proportion have exposed potentially damaging – in terms of employment, insurance, etc. – health information. A follow-up research effort could include understanding how difficult it is to remove such material.
    Photo credit: http://www.flickr.com/photos/khalidalbaih/
  • This woman blogged about her heart surgery in grueling detail and provided this photograph of her wrist bands.
    Photo credit: http://mayajoyfully.blogspot.ca/2012/09/my-incision-decision.html
  • Not all patient groups seem ignorant of their online privacy. The issue of the disclosure of PHI in social media is clearly more complicated than it seems on the surface.
  • What about auditing the medical social networking sites?
  • Thesis: Healthcare facilities relying on Wi-Fi are vulnerable to very simple Wi-Fi attacks.
    Scenario: Establish a rogue free Wi-Fi access point covering the target facility. DoS the legitimate Wi-Fi network. Monitor the rogue network for PHI.
  • Thesis: As demonstrated by the "candy for password" story, patients will readily part with sensitive personal information with minimal incentive.
    Scenario: Nothing more than a health sector phishing campaign. It could be QR code driven, but need not be.
  • You know that link in that suspicious email? The one that, if you follow it, will infect your computer with a virus? Every QR code is just like that link, except that you cannot even analyze it before following it.
    Ran a QR code campaign two years in a row at the Red Deer career fair under the auspices of the Canadian Information Processing Society. In 2012, scattered about 200 QR codes around the venue and received 80 views. 45 of these followed the map to our booth. In 2013, we were not allowed to scatter the codes around so they put it in the fair's flyer. We received 6 views (one was my colleague) and no one claimed to have followed the map to our booth.
  • Thesis: Canadian acute care networks are not capable of withstanding a sustained remote attack. If validated, there are policy implications ranging from a.) determining the magnitude of the risk, to b.) privacy compliance questions, to c.) the exposure of critical infrastructure to terrorist attack.
    Scenario: Carry out a military style red team vs. blue team exercise on operational acute care networks – or at least create a realistic simulation of an operational acute care network as the battlespace.
    Photo credit: http://www.social-engineer.org/wp-content/uploads/2010/01/se-3d-mesh-by-DigiP.jpg
  • Do the bad guys follow this prohibition of not "breaking the rules" on airplanes or acute care networks? Until you test it, all that you know is that it is theoretically secure. So, what do you do when it matters, but you cannot test it?
  • Thesis: A mystical practitioner – psychic, fortune teller, numerologist, etc. – not only could make a lot of money in a healthcare facility but would be a significant privacy risk while doing so.
    Scenario: A psychic entertainer "reads minds" in a hospital lobby or cafeteria and comes away with a pocket full of PHI.
  • Credit to Dr. Khaled El Emam.
    Thesis: Physicians are at least as vulnerable to cyber-attack vectors based on user naïveté and social engineering as other groups. If this hypothesis can be validated it has significant impact on health privacy policy due to the privileged access to PHI afforded to physicians.
    Experiment: Distribute specially crafted malware to physicians via USB sticks at medical conferences, by direct mail and other targeted methods. This malware is designed to be innocuous and its only function is to "call home" to the researcher's simulated command and control server. How many physicians will run the malware?
    Image credits: http://www.flickr.com/photos/williamhook/ and http://www.flickr.com/photos/medithit/
  • Thesis: An individual perceived as non-threatening and therapeutic in a clinical setting could gather significant PHI.
    Scenario: A balloon twisting clown visits acute care wards and with either overt or hidden cameras photographs charts, wrist bands, monitors, nursing station boards, etc. while going about his entertainment activities. Just as everyone trusts someone in a lab coat holding a clipboard, no one suspects a clown.
    Photo credit: http://www.flickr.com/photos/wonker/
  • Photo credit: Fujitsu
  • Rusty Capps, "The Spy Who Came to Work," Security Management, February 1997.
  • http://www.flickr.com/photos/molotalk/
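The rogue Wi-Fi scenario in the notes above (rogue access point covering the facility, DoS of the legitimate network, then sniffing the rogue network) leaves two signatures in the air that a wireless incident response team can watch for: the facility's own SSID being advertised by a BSSID that is not one of its access points, and a burst of deauthentication frames. The following is an added example, not code from the talk or from Fujitsu Canada. It parses raw 802.11 management frames (frame control, addresses, the beacon capability field and the SSID element) and applies both checks. The frames, MAC addresses, SSID names, approved-AP list and the threshold of 20 deauthentications are all constructed for the example; the parser assumes raw 802.11 frames with any radiotap header already stripped.

```python
"""Evil-twin and deauthentication-flood detection over raw 802.11 frames.

Added example for the rogue Wi-Fi scenario in the talk; not code from the
talk. All frames, addresses, SSIDs and thresholds below are constructed.
Frames are assumed to be raw 802.11 (radiotap header already stripped).
"""
import struct
from collections import Counter, defaultdict

BEACON, DEAUTH = 8, 12                 # 802.11 management-frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def parse_mgmt_frame(frame):
    """Return a dict for a management frame, None for other types or junk."""
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0:             # frame type 0 = management
        return None
    info = {"subtype": (fc >> 4) & 0xF,
            "src": _mac_str(frame[10:16]),    # addr2: transmitter address
            "bssid": _mac_str(frame[16:22]),  # addr3: BSSID
            "ssid": None, "privacy": None}
    if info["subtype"] == BEACON and len(frame) >= 36:
        # fixed fields: timestamp(8) beacon interval(2) capability(2)
        cap = struct.unpack_from("<H", frame, 34)[0]
        info["privacy"] = bool(cap & 0x0010)   # bit 4: encryption required
        pos = 36                                # tagged parameters follow
        while pos + 2 <= len(frame):
            tag, length = frame[pos], frame[pos + 1]
            if tag == 0:                        # element ID 0 = SSID
                info["ssid"] = frame[pos + 2:pos + 2 + length].decode("utf-8", "replace")
                break
            pos += 2 + length
    return info


def build_beacon(ap, ssid, privacy):
    """Minimal beacon: header, fixed fields, SSID element (constructed)."""
    header = (struct.pack("<H", BEACON << 4) + b"\x00\x00"
              + _mac_bytes(BROADCAST) + _mac_bytes(ap) * 2 + b"\x00\x00")
    capability = 0x0411 if privacy else 0x0401  # ESS (+ privacy) + short slot
    fixed = bytes(8) + struct.pack("<HH", 100, capability)
    return header + fixed + bytes([0, len(ssid)]) + ssid.encode()


def build_deauth(claimed_src, dst=BROADCAST, reason=7):
    """Deauthentication frame; an attacker puts the real AP's MAC in addr2."""
    header = (struct.pack("<H", DEAUTH << 4) + b"\x00\x00"
              + _mac_bytes(dst) + _mac_bytes(claimed_src) * 2 + b"\x00\x00")
    return header + struct.pack("<H", reason)


def detect(frames, approved, deauth_threshold=20):
    """approved maps each protected SSID to the set of BSSIDs allowed to
    advertise it (assumed inventory). Returns (evil_twins, deauth_floods)."""
    twins = defaultdict(list)
    deauths = Counter()
    for raw in frames:
        f = parse_mgmt_frame(raw)
        if f is None:
            continue
        if f["subtype"] == BEACON and f["ssid"] in approved \
                and f["bssid"] not in approved[f["ssid"]]:
            entry = (f["bssid"], f["privacy"])
            if entry not in twins[f["ssid"]]:
                twins[f["ssid"]].append(entry)
        elif f["subtype"] == DEAUTH:
            deauths[f["src"]] += 1
    floods = {src: n for src, n in deauths.items() if n >= deauth_threshold}
    return dict(twins), floods


# Constructed capture: the real AP, a rogue twin (open network, same SSID),
# a rogue "free Wi-Fi" network, and a deauth flood forged in the real AP's name.
LEGIT_AP, ROGUE_AP = "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01"
APPROVED = {"clinic-staff": {LEGIT_AP}}
SAMPLE_CAPTURE = (
    [build_beacon(LEGIT_AP, "clinic-staff", privacy=True)] * 3
    + [build_beacon(ROGUE_AP, "clinic-staff", privacy=False)] * 3
    + [build_beacon(ROGUE_AP, "Free Hospital WiFi", privacy=False)]
    + [build_deauth(LEGIT_AP)] * 40
)

if __name__ == "__main__":
    twins, floods = detect(SAMPLE_CAPTURE, APPROVED)
    for ssid, rogues in twins.items():
        for bssid, enc in rogues:
            print(f"evil twin of {ssid!r}: {bssid} ({'encrypted' if enc else 'OPEN'})")
    for src, n in floods.items():
        print(f"deauth flood: {n} frames claiming to come from {src}")
```

Two points of design. A deauthentication attacker forges the legitimate AP's address in addr2, so the flood is attributed to the real AP's MAC; that is still the alarm, and the count per claimed source is the useful signal. The evil-twin check keys on an inventory of approved BSSIDs per SSID, which is exactly the list a facility should already hold; a rogue advertising the staff SSID as an open network (privacy bit clear) is the case where clients with "connect automatically" set are most at risk.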
  • Transcript

    • 1. © Fujitsu Canada. Six Health Privacy Experiments That Should Never Be Conducted. WCHIPS 2013, Winnipeg. Chris Hammond-Thrasher, Associate Director, Security, Privacy and Compliance, Fujitsu Canada. chris.hammond-thrasher@ca.fujitsu.com
    • 2. 1
    • 3. Phone Disclosure
    • 4. Conference Number. Dial into the XYZ Disease / Syndrome / Dysfunction Conference Call Now! 204-800-5580
    • 5. 2
    • 6. Social Media
    • 8. Long Memory
    • 9. Long Memory
      • Version 1.0 of the NCSA Mosaic browser was released in November 1993
      • Netscape Navigator was released in December 1994
      • TELUS launched commercial Internet services in 1995
      • Facebook launched in February 2004
    • 10. Teens on Facebook. "Self-definition is about identity, one's needs and attitudes, and the presentation of the self to others. Teenage patients present themselves on Facebook as regular teenagers. They do not write public status updates about their stays at CHEO or the treatments they receive." – Van der Velden and El Emam, 2012
    • 12. 3
    • 13. A Simple Wi-Fi Attack
    • 14. The Demonstration Network. Join now! SSID: wchips2013. Password: wchips2013
    • 15. Countermeasures
      The basics: Any Wi-Fi network with significant security requirements must be configured to use WPA2-Enterprise. No exceptions.
      VPNs are excellent defenses when moving sensitive data across non-trusted networks, but there is no completely safe way to connect to and use a hostile Wi-Fi network.
      There is no good defense to Wi-Fi denial of service. (802.11w protected management frames stop forged deauthentication floods, but nothing at the protocol level stops RF jamming.) The best that you can do is have a good wireless incident response team on hand.
    • 16. 4
    • 17. Win an iPad Mini!
    • 19. Phishing Discussion
      Use HTTPS and put the survey on your own domain, e.g. https://primarycaresurvey.albertahealthservices.ca. Without HTTPS I can try to impersonate the site and phish for personal health information.
      As of last night, primarycaresurveys.ca is available for purchase (they used primarycaresurvey.ca) but albertahealthservice.ca has been purchased by a domain squatter.
    • 20. QR Code Phishing
    • 21. 5
    • 22. Hospital Netwars
    • 24. 6
    • 25. Healthcare Mysticism
    • 26. 7
    • 27. Medical Malware
    • 28. A Common Malware Model (diagram): a Command and Control Server communicating with an Infected Laptop, an Infected Tablet and an Infected Smartphone
    • 29. 8
    • 30. Balloon Clown Audit
    • 31. 9
    • 32. Elicitation
    • 33. Definition: "Elicitation". "In the spy trade, elicitation is the term applied to subtle extraction of information during an apparently normal and innocent conversation. Most intelligence operatives are well trained to take advantage of professional or social opportunities to interact with persons who have access to classified or other protected information. Conducted by a skillful intelligence collector, elicitation appears to be normal social or professional conversation and can occur anywhere – in a restaurant, at a conference, or during a visit to one's home. But it is conversation with a purpose, to collect information about your work or to collect assessment information about you or your colleagues."
    • 34. Elicitation Plan
      Goal: Elicit personal information on at least one individual
      Method: Seek advice on when teenage girls should start dating as a way to get a parent talking about their own children
      Objectives: Parent's Name __________________ Target's Name __________________ Relationship __________________ Target's Gender __________________ Target's Birthday __________________
      Achieved _________ of five objectives
    • 35. C
    • 36. Bibliography
      Capps, Rusty. "The Spy Who Came to Work," Security Management, February 1997.*
      Celent. Using Social Data in Claims and Underwriting, http://www.celent.com/reports/using-social-data-claims-and-underwriting
      Hadnagy, Chris. Social Engineering: The Art of Human Hacking. Wiley, 2011.
      Li, Jingquan. "Privacy Policies for Health Social Networking Sites," Journal of the American Medical Informatics Association, March 2013.
      Malin, El Emam and O'Keefe. "Biomedical Data Privacy: Problems, Perspectives, and Recent Advances," Journal of the American Medical Informatics Association, January 2013.
      Van der Velden, El Emam. "'Not All My Friends Need to Know': A Qualitative Study of Teenage Patients, Privacy, and Social Media," Journal of the American Medical Informatics Association, July 2012.
      *Subscription required.
      Hammond-Thrasher, Six Health Privacy Experiments, 2013
    • 37. Conclusions
      There are significant challenges facing privacy professionals and academic researchers who want to understand real risk, including:
      • Research ethics
      • Research funding, and
      • The reputational concerns of personal health information custodians.
      The reality of the real risk scenarios examined today is that the threat agents – whether insiders or outsiders – are not bound by the constraints that govern privacy and security professionals.
      Van der Velden and El Emam's paper on sick teens using Facebook is a warning of the complexity of real risk – our assumptions about how good or bad things may be need to be tested.
    • 38. Challenge Questions
      For you, is the title of this talk a true statement? Should experiments like these *NEVER* be performed? Are some acceptable and not others? And if so, why?
      Please email your answers to: chris.hammond-thrasher@ca.fujitsu.com
    • 39. Chris Hammond-Thrasher, Associate Director, Consulting, Security, Privacy and Compliance, Fujitsu Canada. chris.hammond-thrasher@ca.fujitsu.com
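The phishing discussion on slide 19 (use HTTPS, host the survey under your own domain, and note the near-miss domain albertahealthservice.ca) and the QR code point in the notes (a QR code is a link you cannot inspect before following it) both reduce to one check that can be run on a URL after it has been decoded and before it is opened: is the host genuinely under the organisation's domain, is the scheme HTTPS, and does the host merely look like the organisation's domain? The following is an added example, not code from the talk or from Fujitsu Canada. ORG_DOMAINS, the sample links and the host evil.example are constructed for illustration; the registrable-domain helper deliberately takes the last two labels, which is enough for .ca but would need a public-suffix list for multi-part suffixes.

```python
"""Classify a survey link (typed, mailed or decoded from a QR code) against
the organisation's real domains before trusting it.

Added example for the phishing discussion in the talk; not code from the
talk. ORG_DOMAINS and the sample URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

ORG_DOMAINS = {"albertahealthservices.ca"}   # assumed: the org's real registrable domains


def levenshtein(a, b):
    """Edit distance, used to spot look-alike domains such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels. Enough for .ca; multi-part suffixes such as .co.uk
    need a public-suffix list instead."""
    return ".".join(host.split(".")[-2:])


def classify_link(url, org_domains=ORG_DOMAINS):
    """Return (verdict, reasons); verdict is 'trusted', 'lookalike' or 'untrusted'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")   # hostname drops userinfo and port
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https: the site can be impersonated on the path")
    if not host:
        return "untrusted", reasons + ["no host in URL"]
    if parts.username is not None:
        reasons.append("userinfo before '@' disguises the real host")
    # exact match or a true subdomain only; 'org.ca.evil.example' must not pass
    if any(host == d or host.endswith("." + d) for d in org_domains):
        return ("trusted" if not reasons else "untrusted"), reasons
    reg = registrable(host)
    for d in org_domains:
        dist = levenshtein(reg, d)
        if 0 < dist <= 2:
            reasons.append(f"{reg} is {dist} edit(s) away from {d}")
            return "lookalike", reasons
        brand = d.split(".")[0]
        if brand in host:
            reasons.append(f"brand {brand!r} embedded in unrelated host {host!r}")
            return "lookalike", reasons
    reasons.append(f"{reg} is not an organisation domain")
    return "untrusted", reasons


SAMPLE_LINKS = [  # constructed
    "https://primarycaresurvey.albertahealthservices.ca/start",
    "http://primarycaresurvey.ca/",
    "https://albertahealthservice.ca/survey",
    "https://albertahealthservices.ca@evil.example/",
    "https://albertahealthservices.ca.evil.example/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, why = classify_link(link)
        print(f"{verdict:10} {link}  {'; '.join(why)}")
```

The two cases that trip up a naive "does it contain our name" check are covered explicitly: userinfo before an `@` (the real host is whatever follows the `@`) and the organisation's domain used as a prefix of an unrelated host. Both are classified by what `urlsplit` reports as the hostname, never by a substring match on the raw URL.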
