
The challenge of building a secure and safe digital environment in healthcare



Jelena Milosevic in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.

The videos and other presentations can be found on https://def.camp/archive


Slides

  1. The challenge of building a secure and safe digital environment in healthcare. Security isn't just tech, but much, much more…
  2. Nurse, Mom, Researcher, Speaker. @womeninsecurity @iamthecavalry @_j3lena_
  3. Why are hospitals so interesting and attractive to criminals?
     • More victims in one place
     • Who wants the medical data? Everyone
     • What can they do with it? Too much
  4. Discrimination, in private life and at work, because of: disease / chronic disease, gender, religion, race, sexual orientation. Building future profiles. Manipulating the price of insurance.
  5. Except stubborn medical professionals:
     • Marketing
     • PR
     • Physical security
     • Innovations
     • ICT professionals
     Sharing is caring. Connected but not protected.
  6. Physical security
  7. Personal experience:
     • Employees can download the documents from different links *
     • IT gives the password to an employee over the phone without really checking who they are talking to *
     • No limited access for temporary workers
     • PCs with medical records connected to the public internet
     • Insecure applications for medical records (why connected to the public internet?)
     • An employee or visitor can plug a USB stick or phone charger into a hospital PC, etc.
  8. Old devices & software. The vendor/hospital contracts: no patch, no update, no antivirus, no proxy, required 24/7 online. Connected but not protected. #innovations
  9. Infosec professionals in healthcare
  10. Security in healthcare: what we think vs. reality
  11. The system: just as medical professionals need to know and understand the system of the human body, infosec professionals need to understand the system in healthcare, so they can find the real vulnerabilities and solve them.
  12. You base the treatment on the diagnosis. You base the diagnosis on the results and the information. When criminals manipulate the results and the information, you will make the wrong diagnosis and give the wrong treatment.
  13. Communication & inside the organization: organization of the security department in the organization; inside the organization; awareness training
  14. Security department in the organization:
     • Security as an independent department
     • Giving the trainings and communicating with all departments
     • Mandatory and regular consulting
  15. Inside the IT organization:
     • Enough security and IT professionals
     • Mandatory and regular pen testing by an independent company
     • Mandatory and regular testing, 1-2 x per week, using open tools, by an infosec employee
     • Responsible disclosure & bug bounty program
  16. Responsible disclosure & bug bounties
  17. For the hospital/vendor/manufacturer: digital and online safety; almost 24/7 monitoring; inexpensive monitoring; pay by finding and/or repairing; coordinated assistance. For the ethical hacker: passion; no 9-to-17 work; freedom = quality; paid, or the possibility of it.
  18. Training and building communication and teamwork with departments. Professionals for making the rules for & with departments.
  19. Awareness training: simplicity and as little tech as possible; making the connection between employees and IT; with understanding, employees will accept the rules more easily.
  20. Work e-mail ≠ subscription mail. Check the link. Check the e-mail. Oops, spoofed e-mail. Check in the browser. Check…
  21. Password: password manager; long; personal; funny; + be creative
  22. Consulting infosecurity by default: all decisions in all departments need to be made in consultation with the security department.
  23. Education & security by design: students & teachers/professors at the conferences; extra workshops & lessons at schools by infosecurity; practicing at hackerspaces and using CTFs; CTF competitions
  24. Situation now: the vendor sets conditions that the hospital must accept. Should be: the hospital sets conditions and the vendor/everyone must accept.
  25. The policy, made by professionals from healthcare and from security/privacy, supported by IT/manufacturers/developers, backed by the government.
  26. Being compliant doesn't mean that you are safe and secure.
  27. Healthcare without (basic) security is like surgery without sterile instruments. The operation was (technically) a success, but the patient died from sepsis… Thank you

Editor's Notes

  • You ask yourself why a nurse, but my colleagues were more surprised: we have the best security ever, but the hard truth is…
  • More victims in one place: the patient,
    the employee,
    the visitor / third party,
    the data online.

    The targeted assignment: the patient,
    the employee,
    the hospital.
  • Talk about the problems there: marketing and PR putting photos, sharing info, no need; innovation; data collectors + no one has any idea how it works
  • Even physical security wasn't good
  • The problems: passwords, awareness, connections, information, devices

  • Employees can download the documents from different links *

    IT gives the password to an employee over the phone without really checking who they are talking to. *

    No limited access for temporary workers

    PCs with medical records connected to the public internet

    Insecure applications for medical records (why connected to the public internet?)

    An employee or visitor can plug a USB stick or phone charger into a hospital PC, etc.
  • No infosec professional.
    Even if they are there
  • About what we're thinking, something like this (next slide)
  • Talk about the system: patients, administration/medical staff, different labs for analysis, röntgen
  • Connection medical patients.
    Go to the department, ask them how they work. CISO: same as Chris said, learn their way of communication
  • Training - about
  • One of the last messages in my previous presentation was:
    Build
  • Organisation:
    people for testing,
    people for training
  • What may happen or not
  • Blaming the user while maybe it was a spoofed email; almost not one hospital has a good email configuration, DMARC on reject
  • You can't expect that everyone has enough money for 2FA,
    a password manager, or expect the hospital to pay for all of it

    If using a mobile phone, it needs to be a secure phone

    No money for it, but then don't connect everything you don't need
  • Including teachers and IT schools/universities at the conferences

    Workshops / lessons at schools

    Use CTFs at schools and companies

    CTF competitions between schools / companies
  • Build security that fits with the system of the company
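The speaker's note above on spoofed e-mail says that almost no hospital publishes a DMARC policy of reject. The following is an added example, not part of the talk or its slides: a small checker that parses a domain's DMARC TXT record (the v, p, sp, pct and rua tags as defined in RFC 7489) and reports whether the published policy would actually cause spoofed mail to be rejected. The domain names and record strings are constructed samples; nothing is looked up over DNS, so it runs offline, and a real audit would feed it the TXT record fetched for `_dmarc.<domain>`.

```python
# Added example (not from the talk): assess a DMARC record from a defender's
# point of view. Sample domains and records below are constructed.
from typing import Dict, List, Optional


def parse_dmarc_record(txt: str) -> Optional[Dict[str, str]]:
    """Turn 'v=DMARC1; p=reject; rua=mailto:...' into a tag dict.

    Returns None when the string is not a DMARC1 record at all.
    """
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(txt: Optional[str]) -> Dict[str, object]:
    """Classify the effective policy and list findings a defender should act on."""
    findings: List[str] = []
    if txt is None:
        return {"policy": "none", "effective": "none",
                "findings": ["no DMARC record published"]}
    tags = parse_dmarc_record(txt)
    if tags is None:
        return {"policy": "none", "effective": "none",
                "findings": ["record is not a valid DMARC1 record"]}

    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag; record imposes no policy")
        policy = "none"

    # pct= applies the policy to only a fraction of failing mail (default 100).
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    effective = policy
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
        effective = f"{policy} ({pct}%)"

    if policy != "reject":
        findings.append("policy is not reject: spoofed mail is delivered or only quarantined")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to detect spoofing attempts")

    # sp= governs subdomains and defaults to the organizational p= value.
    sp = tags.get("sp", policy).lower()
    if sp != "reject":
        findings.append(f"subdomain policy is {sp}: mail from subdomains can still be spoofed")

    return {"policy": policy, "effective": effective, "findings": findings}


# Constructed sample records (hypothetical domains, not real hospitals).
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "hospital-a.example": "v=DMARC1; p=none; rua=mailto:dmarc@hospital-a.example",
    "hospital-b.example": "v=DMARC1; p=reject; pct=25",
    "hospital-c.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@hospital-c.example",
    "hospital-d.example": None,  # no _dmarc TXT record at all
}


def audit(records: Dict[str, Optional[str]]) -> Dict[str, Dict[str, object]]:
    """Run the assessment over every sampled domain."""
    return {domain: assess_dmarc(record) for domain, record in records.items()}


if __name__ == "__main__":
    for domain, result in audit(SAMPLE_RECORDS).items():
        print(f"{domain}: effective policy = {result['effective']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Only hospital-c comes out clean; hospital-b publishes p=reject but the pct=25 tag means three quarters of failing mail is still delivered, which is the kind of half-configured record that makes "the user clicked a spoofed mail" a configuration problem rather than a user problem.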
