Presentation by Jelena Milosevic at DefCamp #9, Bucharest, Romania, November 8-9, 2018.
The videos and other presentations can be found at https://def.camp/archive
5. Why are hospitals so interesting and attractive to criminals?
More victims in one place
Who wants the medical data? Everyone
What can they do with it? Too much
6. Discrimination, in private life and at work, because of:
disease / chronic disease
gender
religion
race
sexual orientation
Making future profiles
Manipulating the price of insurance
7. Except stubborn medical professionals
• Marketing
• PR
• Physical security
• Innovations
Sharing is caring
Connected but not protected
• ICT professionals
14. Personal experience
Employees can download the documents from different links *
IT gives passwords to employees over the phone without really checking who they are talking to. *
No limited access for temporary workers
PCs with medical records connected to the public internet
Insecure applications for medical records (why are they connected to the public internet?)
Employees or visitors can plug a USB stick or phone charger into a hospital PC, etc.
15. Old devices & software
The vendor-hospital contracts:
No patches
No updates
No antivirus
No proxy
Required to be online 24/7
Connected but not protected
#innovations
20. The System
Just as medical professionals need to know and understand the system of the human body,
infosec professionals need to understand the system of healthcare,
so they can find the real vulnerabilities and solve them.
21. The treatment is based on the diagnosis
The diagnosis is based on the results and the information
When criminals manipulate the results and the information,
you will make the wrong diagnosis and give the wrong treatment
22. Communication & Organization
Security department in the organization
Inside the organization
Awareness training
24. Security department in the organization
• The security department is an independent department
• Gives the trainings and communicates with all departments
• Mandatory and regular consulting
25. Inside the IT organization
• Enough security and IT professionals
• Mandatory and regular pen testing – by an independent company
• Mandatory and regular testing, 1-2 x per week using open tools – by an infosec employee
• Responsible disclosure & bug bounty program
27. Responsible disclosure & bug bounty
For the hospital / vendor / manufacturer:
- digital and online safety
- almost 24/7 monitoring
- monitoring that is not expensive
- pay by funding and/or repairing
- coordinated assistance
For the ethical hacker:
- passion
- no 9-17 work
- freedom = quality
- paid, or the possibility of being paid
29. • Training and building communication and teamwork with departments
• Professionals for making the rules for & with departments
30. Awareness Training
• Simplicity, and as little tech as possible
• Making the connection between employees and IT
• With understanding, employees will more easily accept the rules
31. Work e-mail ≠ subscription e-mail
Check the link
Check the e-mail
Oops, a spoofed e-mail
Check in the browser
Check ….
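The speaker's notes add that almost no hospital has a good e-mail configuration with "DMARC on reject". As an added example (not from the talk), the Python below parses a DMARC TXT record the way a receiving mail server reads it and reports whether spoofed mail claiming the domain would actually be rejected; the domain names and records are constructed for illustration.

```python
# Constructed sample records (added example, not from the talk); real ones
# are published as a TXT record at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "hospital-a.example": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@hospital-a.example",
    "hospital-b.example": "v=DMARC1; p=none; rua=mailto:reports@hospital-b.example",
    "hospital-c.example": "v=DMARC1; p=quarantine; pct=10",
    "hospital-d.example": "v=spf1 include:_spf.example -all",  # SPF record, no DMARC
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; {} if it is not a DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def spoofing_protection(record: str) -> dict:
    """Describe how mail that fails DMARC (i.e. spoofed mail) is handled.

    Defaults follow RFC 7489: 'sp' falls back to 'p', 'pct' to 100. A pct
    below 100 applies the next weaker policy to the remaining share, so
    only p=reject (and sp=reject) with pct=100 blocks spoofing fully.
    """
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:  # no record, no 'p' tag, or invalid value
        return {"policy": "missing", "subdomain_policy": "missing",
                "pct": 0, "blocks_spoofing": False}
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in VALID_POLICIES:
        sub_policy = policy
    pct_raw = tags.get("pct", "100")
    pct = min(int(pct_raw), 100) if pct_raw.isdigit() else 100
    return {"policy": policy, "subdomain_policy": sub_policy, "pct": pct,
            "blocks_spoofing": policy == sub_policy == "reject" and pct == 100}


def domains_not_on_reject(records: dict) -> list:
    """Domains whose published policy does not fully reject spoofed mail."""
    return sorted(d for d, r in records.items()
                  if not spoofing_protection(r)["blocks_spoofing"])
```

Running `domains_not_on_reject(SAMPLE_RECORDS)` lists every constructed hospital except hospital-a, which is the only one with p=reject, sp=reject and pct=100.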
34. Consulting infosecurity by default
All decisions in all departments need to be made in consultation with the security department
35. Education & Security by design
Students & teachers/professors at the conferences
Extra workshops & lessons at schools given by infosecurity
Practicing at hackerspaces and using CTFs
CTF competitions
37. Situation now
The vendor sets the conditions that the hospital must accept
Should be:
The hospital sets the conditions that the vendor/everyone must accept
38. The policy is made by the professionals from:
healthcare
security / privacy
Supported by IT / manufacturers / developers
Backed by the government
40. Health care without (basic) security is like surgery without sterile instruments
The operation was (technically) a success, but the patient died from sepsis …
Thank you
Editor's Notes
You ask yourself "why a nurse?", but my colleagues were more surprised; we have the best security ever, but the hard truth is ….
More victims in one place: the patient, the employee, the visitor / third party, the data online
The targeted assignment: the patient, the employee, the hospital
Talk about the problems there: marketing and PR putting up photos and sharing info without need; innovations: data collectors, and no one has any idea how it works
Even physical security wasn't good
The problems: passwords, awareness, connections, information, devices
No infosec professionals; even if they are there …
About what we're thinking, something like this (next slide)
Talk about the system: patients, administration / medical staff, different labs for analysis, röntgen (X-ray)
Connection: medical staff, patients
Go to the department, ask them how they work. CISO: same as Chris said, learn their way of communication
Training - about:
One of the last messages in my previous presentation was:
Build an organisation, people for testing, people for training
What may happen or not
Blaming the user while maybe it was a spoofed email; almost no hospital has a good email configuration (DMARC on reject)
You can't expect that everyone has enough money for 2FA or a password manager, or expect the hospital to pay for all of it
If a mobile phone is used, it needs to be a secure phone
No money for it, but then don't connect everything you don't need
Including teachers and IT schools/universities at the conferences
Workshops / lessons at schools
Use CTFs at schools and companies
CTF competitions between schools / companies
Build security that fits the system of the company