
The challenge of building a secure and safe digital environment in healthcare


Jelena Milosevic in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.

The videos and other presentations can be found on

  1. The challenge of building a secure and safe digital environment in health care. Security isn’t just tech, but much, much more …
  2. Nurse. Mom. Researcher. Speaker. @womeninsecurity @iamthecavalry @_j3lena_
  3. Why are hospitals so interesting and attractive for criminals? More victims in one place. Who wants the medical data? Everyone. What can they do with it? Too much.
  4. Discrimination, in private life and at work, because of: disease / chronic disease, gender, religion, race, sexual orientation. Making future profiles. Manipulating the price of insurance.
  5. Except stubborn medical professionals: • Marketing • PR • Physical security • Innovations • ICT professionals. Sharing is caring. Connected but not protected.
  6. Physical security
  7. Personal experience: * an employee can download the documents from different links; * IT gives the password to an employee over the phone without really checking who they are really talking to; * no limited access for temporary workers; * PCs with medical records connected to the public internet; * insecure applications for medical records (why connected to the public internet?); * an employee or visitor can use a USB stick or phone charger and connect to a PC in the hospital, etc.
  8. Old devices & software. The vendor-hospital contracts: no patch, no update, no antivirus, no proxy, required to be online 24/7. Connected but not protected. #innovations
  9. Infosec professional in healthcare
  10. Security in health care: what we think vs reality
  11. The system: just as medical professionals need to know and understand the system of the human body, infosec professionals need to understand the system in healthcare, so they can find the real vulnerabilities and solve them.
  12. The treatment you give is based on the diagnosis. The diagnosis you make is based on the results and the information. When criminals manipulate the results and the information, you will make the wrong diagnosis and give the wrong treatment.
  13. Communication & inside the organization: organization of the security department in the organization; inside the organization; awareness training.
  14. Security department in the organization • Security department as an independent department • Giving the trainings and communicating with all departments • Mandatory and regular consulting
  15. Inside the IT organization • Enough security and IT professionals • Mandatory and regular pen testing by an independent company • Mandatory and regular testing 1-2 x per week using open tools, by an infosec employee • Responsible disclosure & bug bounty program
  16. Responsible disclosure & bug bounties
  17. For the hospital / vendor / manufacturer: - digital and online safety - almost 24/7 monitoring - not expensive monitoring - pay by finding and/or repairing - coordinated assistance for ethical hackers - passion - no 9 - 17 work - freedom = quality - paid or possibility
  18. • Training and building communication and teamwork with departments • Professionals for making the rules for & with departments
  19. Awareness training • Simplicity and as little tech as possible • Making the connection between employees and IT • With understanding, employees will easily accept the rules
  20. Work e-mail ≠ subscription mail. Check the link. Check the e-mail. Oops, a spoofed e-mail. Check in the browser. Check ….
  21. Password: password manager. Long. Personal. Funny. + be creative
  22. Consulting infosecurity by default: all decisions at all departments need to be made in consultation with the security department.
  23. Education & security by design: students & teachers/professors at the conferences; extra workshops & lessons at schools by infosecurity; practicing at hackerspaces and using CTFs; CTF competitions.
  24. Situation now: the vendor makes the conditions that the hospital must accept. Should be: the hospital makes the conditions that the vendor/everyone must accept.
  25. The policy made by the professionals from: the healthcare; the security/privacy; supported by IT/manufacturer/developer; backed by the government.
  26. Being compliant doesn’t mean that you are safe and secure.
  27. Health care without (basic) security is like surgery without sterile instruments. The operation was (technically) a success, but the patient died from sepsis … Thank you