Health Information Privacy and Security

Health Information
Privacy & Security
Nawanan Theera-Ampornpunt, M.D., Ph.D.
Faculty of Medicine Ramathibodi Hospital
Mahidol University
For Ramathibodi M.S. & Ph.D. Programs in Data Science for Health Care
October 17, 2017
http://www.SlideShare.net/Nawanan

 Introduction to Information Privacy & Security
 Protecting Information Privacy & Security
 User Security
 Malware
 Security Standards
 Privacy & Security Laws
Outline

Introduction to
Information Privacy &
Security

Malware
Threats to Information Security

(Top) http://deadline.com/2014/12/sony-hack-timeline-any-pascal-the-interview-north-korea-1201325501/
(Bottom) http://www.bloomberg.com/news/articles/2014-12-07/sony-s-darkseoul-breach-stretched-from-thai-hotel-
to-hollywood
Security Threats & Thailand

http://www.aclu.org/ordering-pizza
Privacy Protections: Why?

Sources of the Threats
 Hackers
 Viruses & Malware
 Poorly-designed systems
 Insiders (Employees)
 People’s ignorance & lack of knowledge
 Disasters & other incidents affecting
information systems

 Information risks
 Unauthorized access & disclosure of confidential information
 Unauthorized addition, deletion, or modification of information
 Operational risks
 System not functional (Denial of Service - DoS)
 System wrongly operated
 Personal risks
 Identity thefts
 Financial losses
 Disclosure of information that may affect employment or other
personal aspects (e.g. health information)
 Physical/psychological harms
 Organizational risks
 Financial losses
 Damage to reputation & trust
 Etc.
Consequences of Security Attacks

Security & Privacy
http://en.wikipedia.org/wiki/A._S._Bradford_House
Privacy & Security

 Privacy: “The ability of an individual or group
to seclude themselves or information about
themselves and thereby reveal themselves
selectively.” (Wikipedia)
 Security: “The degree of protection to safeguard
... person against danger, damage, loss, and
crime.” (Wikipedia)
 Information Security: “Protecting information
and information systems from unauthorized
access, use, disclosure, disruption, modification,
perusal, inspection, recording or destruction”
(Wikipedia)
Privacy & Security

Information Security
 Confidentiality
 Integrity
 Availability

Examples of Confidentiality Risks
http://usatoday30.usatoday.com/life/people/2007-10-10-clooney_N.htm

Examples of Integrity Risks
http://www.wired.com/threatlevel/2010/03/source-code-hacks/
http://en.wikipedia.org/wiki/Operation_Aurora
“Operation Aurora”
Alleged Targets: Google, Adobe, Juniper Networks,
Yahoo!, Symantec, Northrop Grumman, Morgan Stanley,
Dow Chemical
Goal: To gain access to and potentially modify source
code repositories at high tech, security & defense
contractor companies

Examples of Integrity Risks
http://news.softpedia.com/news/700-000-InMotion-Websites-Hacked-by-TiGER-M-TE-223607.shtml
Web Defacements

Examples of Availability Risks
http://en.wikipedia.org/wiki/Blaster_worm
Viruses/worms that led to instability &
system restart (e.g. Blaster worm)

Examples of Availability Risks
http://en.wikipedia.org/wiki/Ariane_5_Flight_501
Ariane 5 Flight 501 Rocket Launch Failure
Cause: Software bug on rocket acceleration due to data conversion
from a 64-bit floating point number to a 16-bit signed integer without
proper checks, leading to arithmatic overflow

บทความใน JAMA เร็วๆ นี้
JAMA. 2015 Apr 14;313(14).

Protecting Information
Privacy & Security

 Attack
 An attempt to breach system security
 Threat
 A scenario that can harm a system
 Vulnerability
 The “hole” that is used in the attack
Common Security Terms

 Identify some possible means an
attacker could use to conduct a
security attack
Class Exercise

Alice
Simplified Attack Scenarios
Server Bob
Eve/Mallory

Alice
Server Bob
- Physical access to client computer
- Electronic access (password)
- Tricking user into doing something
(malware, phishing & social
engineering)
Eve/Mallory

Alice
Server Bob
- Intercepting (eavesdropping or
“sniffing”) data in transit
- Modifying data (“Man-in-the-
middle” attacks)
- “Replay” attacks
Eve/Mallory

Alice
Server Bob
- Unauthorized access to servers through
- Physical means
- User accounts & privileges
- Attacks through software vulnerabilities
- Attacks using protocol weaknesses
- DoS / DDoS attacks Eve/Mallory

Alice
Server Bob
Other & newer forms of
attacks possible
Eve/Mallory

Alice
Safeguarding Against Attacks
Server Bob
Administrative Security
- Security & privacy policy
- Governance of security risk management & response
- Uniform enforcement of policy & monitoring
- Disaster recovery planning (DRP) & Business continuity
planning/management (BCP/BCM)
- Legal obligations, requirements & disclaimers

Alice
Server Bob
Physical Security
- Protecting physical access of clients & servers
- Locks & chains, locked rooms, security cameras
- Mobile device security
- Secure storage & secure disposition of storage devices

Alice
Server Bob
User Security
- User account management
- Strong p/w policy (length, complexity, expiry, no meaning)
- Principle of Least Privilege
- “Clear desk, clear screen policy”
- Audit trails
- Education, awareness building & policy enforcement
- Alerts & education about phishing & social engineering

Alice
Server Bob
System Security
- Antivirus, antispyware, personal firewall, intrusion
detection/prevention system (IDS/IPS), log files, monitoring
- Updates, patches, fixes of operating system vulnerabilities &
application vulnerabilities
- Redundancy (avoid “Single Point of Failure”)
- Honeypots

Alice
Server Bob
Software Security
- Software (clients & servers) that is secure by design
- Software testing against failures, bugs, invalid inputs,
performance issues & attacks
- Updates to patch vulnerabilities

Alice
Server Bob
Network Security
- Access control (physical & electronic) to network devices
- Use of secure network protocols if possible
- Data encryption during transit if possible
- Bandwidth monitoring & control

Alice
Server Bob
Database Security
- Access control to databases & storage devices
- Encryption of data stored in databases if necessary
- Secure destruction of data after use
- Access control to queries/reports
- Security features of database management systems (DBMS)

Privacy Safeguards
Image: http://www.nurseweek.com/news/images/privacy.jpg
 Security safeguards
 Informed consent
 Privacy culture
 User awareness building & education
 Organizational policy & regulations
 Enforcement
 Ongoing privacy & security assessments, monitoring,
and protection

https://www.thaicert.or.th/downloads/files/BROCHURE_security_awareness.png

 Access control
 Selective restriction of access to the system
 Role-based access control
 Access control based on the person’s role
(rather than identity)
 Audit trails
 Logs/records that provide evidence of
sequence of activities
User Security

 Identification
 Identifying who you are
 Usually done by user IDs or some other unique codes
 Authentication
 Confirming that you truly are who you identify
 Usually done by keys, PIN, passwords or biometrics
 Authorization
 Specifying/verifying how much you have access
 Determined based on system owner’s policy & system
configurations
 “Principle of Least Privilege”
User Security

 Nonrepudiation
 Proving integrity, origin, & performer of an
activity without the person’s ability to refute
his actions
 Most common form: signatures
 Electronic signatures offer varying degrees of
nonrepudiation
 PIN/password vs. biometrics
 Digital certificates (in public key
infrastructure - PKI) often used to ascertain
nonrepudiation
User Security

 Multiple-Factor Authentication
 Two-Factor Authentication
 Use of multiple means (“factors”) for authentication
 Types of Authentication Factors
 Something you know
 Password, PIN, etc.
 Something you have
 Keys, cards, tokens, devices (e.g. mobile phones)
 Something you are
 Biometrics
User Security

Need for Strong Password Policy
So, two informaticians
walk into a bar...
The bouncer says,
"What's the password."
One says, "Password?"
The bouncer lets them
in.
Credits: @RossMartin & AMIA (2012)

Recommended Password Policy
 Length
 8 characters or more (to slow down brute-force attacks)
 Complexity (to slow down brute-force attacks)
 Consists of 3 of 4 categories of characters
 Uppercase letters
 Lowercase letters
 Numbers
 Symbols (except symbols that have special uses by the
system or that can be used to hack system, e.g. SQL Injection)
 No meaning (“Dictionary Attacks”)
 Not simple patterns (12345678, 11111111) (to slow down brute-
force attacks & prevent dictionary attacks)
 Not easy to guess (birthday, family names, etc.) (to prevent
unknown & known persons from guessing)
Personal opinion. No legal responsibility assumed.

Recommended Password Policy
 Expiration (to make brute-force attacks not possible)
 6-8 months
 Decreasing over time because of increasing computer’s
speed
 But be careful! Too short duration will force users to write
passwords down
 Secure password storage in database or system
(encrypted or store only password hashes)
 Secure password confirmation
 Secure “forget password” policy
 Different password for each account. Create variations
to help remember. If not possible, have different sets of
accounts for differing security needs (e.g., bank
accounts vs. social media sites) Personal opinion. No legal responsibility assumed.

{
Dictionary Attack:
A story from a
computer security course

Techniques to Remember Passwords
 http://www.wikihow.com/Create-a-Password-You-Can-
Remember
 Note that some of the techniques are less secure!
 One easy & secure way: password mnemonic
 Think of a full sentence that you can remember
 Ideally the sentence should have 8 or more words, with
numbers and symbols
 Use first character of each word as password
 Sentence: I love reading all 7 Harry Potter books!
 Password: Ilra7HPb!
 Voila!
Personal opinion. No legal responsibility assumed.

 Poor grammar
 Lots of typos
 Trying very hard to convince you to open
attachment, click on link, or reply without
enough detail
 May appear to be from known person (rely on
trust & innocence)
Signs of a Phishing Attack

 Don’t be too trusting of people
 Always be suspicious & alert
 An e-mail with your friend’s name & info doesn’t have
to come from him/her
 Look for signs of phishing attacks
 Don’t open attachments unless you expect them
 Scan for viruses before opening attachments
 Don’t click links in e-mail. Directly type in browser
using known & trusted URLs
 Especially cautioned if ask for passwords, bank
accounts, credit card numbers, social security numbers,
etc.
Ways to Protect against Phishing

The Day We All
WannaCry’ed
http://www.mirror.co.uk/news/uk-news/ransomware-nhs-cyber-attack-live-10409420

Infected with WannaCry
https://cdn.securelist.com/files/2017/05/wannacry_05.png

WannaCry: Infection Flow
http://blog.trendmicro.com/trendlabs-security-intelligence/files/2017/05/WannaCry-infection-flow02.jpg

WannaCry
WannaCry &
Medical Devices

Petya/Petwrap/NotPetya
https://www.bleepstatic.com/images/news/ransomware/p/notpetya/mbr-ransom-note.jpg

 Consider a log-in form on a web page
Example of Weak Input Checking:
SQL Injection
 Source code would look
something like this:
statement = "SELECT * FROM users
WHERE name = '" + userName + "';"
 Attacker would enter as username:
' or '1'='1
 Which leads to this always-true query:
 statement = "SELECT * FROM users
WHERE name = '" + "' or '1'='1" + "';"
statement = "SELECT * FROM users WHERE name = '' or '1'='1';"
http://en.wikipedia.org/wiki/SQL_injection

 Defense in Depth
 Multiple layers of security defense are placed
throughout a system to provide redundancy
in the event a security control fails
 Secure the weakest link
 Promote privacy
 Trust no one
Some Security Principles
Saltzer & Schroeder (1975), Viega & McGraw (2000)
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
http://en.wikipedia.org/wiki/Defense_in_depth_(computing)

 Modular design
 Check error conditions on return values
 Validate inputs (whitelist vs. blacklist)
 Avoid infinite loops, memory leaks
 Check for integer overflows
 Language/library choices
 Development processes
Secure Software Best Practices
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271

 Malicious software - Any code with intentional,
undesirable side effects
 Virus
 Worm
 Trojan
 Spyware
 Logic Bomb/Time Bomb
 Backdoor/Trapdoor
 Rootkit
 Botnet
Malware

 Virus
 Propagating malware that requires user action
to propagate
 Infects executable files, data files with
executable contents (e.g. Macro), boot sectors
 Worm
 Self-propagating malware
 Trojan
 A legitimate program with additional, hidden
functionality
Malware

 Spyware
 Trojan that spies for & steals personal
information
 Logic Bomb/Time Bomb
 Malware that triggers under certain conditions
 Backdoor/Trapdoor
 A hole left behind by malware for future access
Malware

 Rogue Antispyware (Ransomware)
 Software that tricks or forces users to pay before fixing
(real or hoax) spyware detected
 Rootkit
 A stealth program designed to hide existence of
certain processes or programs from detection
 Botnet
 A collection of Internet-connected computers that have
been compromised (bots) which controller of the
botnet can use to do something (e.g. do DDoS attacks)
Malware

 Installed & updated antivirus, antispyware, &
personal firewall
 Check for known signatures
 Check for improper file changes (integrity failures)
 Check for generic patterns of malware (for unknown
malware): “Heuristics scan”
 Firewall: Block certain network traffic in and out
 Sandboxing
 Network monitoring & containment
 User education
 Software patches, more secure protocols
Defense Against Malware

 Social media spams/scams/clickjacking
 Social media privacy issues
 User privacy settings
 Location services
 Mobile device malware & other privacy risks
 Stuxnet (advanced malware targeting certain
countries)
 Advanced persistent threats (APT) by
governments & corporations against specific
targets
Newer Threats

• ISO/IEC 27000 — Information security management systems — Overview and
vocabulary
• ISO/IEC 27001 — Information security management systems — Requirements
• ISO/IEC 27002 — Code of practice for information security management
• ISO/IEC 27003 — Information security management system implementation guidance
• ISO/IEC 27004 — Information security management — Measurement
• ISO/IEC 27005 — Information security risk management
• ISO/IEC 27031 — Guidelines for information and communications technology readiness
for business continuity
• ISO/IEC 27032 — Guideline for cybersecurity (essentially, 'being a good neighbor' on
the Internet)
• ISO/IEC 27033-1 — Network security overview and concepts
• ISO/IEC 27033-2 — Guidelines for the design and implementation of network security
• ISO/IEC 27033-3:2010 — Reference networking scenarios - Threats, design techniques
and control issues
• ISO/IEC 27034 — Guideline for application security
• ISO/IEC 27035 — Security incident management
• ISO 27799 — Information security management in health using ISO/IEC 27002
Some Information Security Standards

 US-CERT
 U.S. Computer Emergency Readiness Team
 http://www.us-cert.gov/
 Subscribe to alerts & news
 Microsoft Security Resources
 http://technet.microsoft.com/en-us/security
 http://technet.microsoft.com/en-
us/security/bulletin
 Common Vulnerabilities & Exposures
 http://cve.mitre.org/
More Information

 Respect for Persons (Autonomy)
 Beneficence
 Justice
 Non-maleficence
Ethical Principles in Bioethics

Hippocratic Oath
...
What I may see or hear in the course of
treatment or even outside of the
treatment in regard to the life of men,
which on no account one must spread
abroad, I will keep myself holding such
things shameful to be spoken about.
...
http://en.wikipedia.org/wiki/Hippocratic_Oath

 Health Insurance Portability and Accountability Act of
1996 http://www.gpo.gov/fdsys/pkg/PLAW-
104publ191/pdf/PLAW-104publ191.pdf
 More stringent state privacy laws apply
 HIPAA Goals
 To protect health insurance coverage for workers &
families when they change or lose jobs (Title I)
 To require establishment of national standards for
electronic health care transactions and national
identifiers for providers, health insurance plans, and
employers (Title II: “Administrative Simplification”
provisions)
 Administrative Simplification provisions also address
security & privacy of health data
U.S. Health Information Privacy Law
http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act

 Title I: Health Care Access, Portability, and
Renewability
 Title II: Preventing Health Care Fraud and
Abuse; Administrative Simplification;
Medical Liability Reform
 Requires Department of Health & Human
Services (HHS) to draft rules aimed at increasing
efficiency of health care system by creating
standards for use and dissemination of health
care information
HIPAA (U.S.)

 Title III: Tax-Related Health Provisions
 Title IV: Application and Enforcement
of Group Health Plan Requirements
 Title V: Revenue Offsets
HIPAA (U.S.)

 HHS promulgated 5 Administrative
Simplification rules
 Privacy Rule
 Transactions and Code Sets Rule
 Security Rule
 Unique Identifiers Rule
 Enforcement Rule
HIPAA (U.S.)

 Covered Entities
 A health plan
 A health care clearinghouse
 A healthcare provider who transmits any health
information in electronic form in connection with a
transaction to enable health information to be exchanged
electronically
 Business Associates
Some HIPAA Definitions

 Protected Health Information (PHI)
 Individually identifiable health information transmitted or
maintained in electronic media or other form or medium
 Individually Identifiable Health Information
 Any information, including demographic information collected from
an individual, that—
 (A) is created or received by a CE; and
 (B) relates to the past, present, or future physical
 or mental health or condition of an individual, the provision of
health care to an individual, or the past, present, or future payment
for the provision of health care to an individual, and—
 (i) identifies the individual; or
 (ii) with respect to which there is a reasonable basis to believe that
the information can be used to identify the individual.
Some HIPAA Definitions

 Name
 Address
 Phone number
 Fax number
 E-mail address
 SSN
 Birthdate
 Medical Record No.
 Health Plan ID
 Treatment date
 Account No.
 Certificate/License No.
 Device ID No.
 Vehicle ID No.
 Drivers license No.
 URL
 IP Address
 Biometric identifier
including fingerprints
 Full face photo
Protected Health Information –
Personal Identifiers in PHI

 Establishes national standards to protect PHI; applies to CE &
business associates
 Requires appropriate safeguards to protect privacy of PHI
 Sets limits & conditions on uses & disclosures that may be made
without patient authorization
 Gives patients rights over their health information, including
rights to examine & obtain copy of health records & to request
corrections
HIPAA Privacy Rule
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html

 Timeline
 November 3, 1999 Proposed Privacy Rule
 December 28, 2000 Final Privacy Rule
 August 14, 2002 Modifications to Privacy Rule
 April 14, 2003 Compliance Date for most CE
 Full text (as amended)
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/
adminsimpregtext.pdf
HIPAA Privacy Rule

 Some permitted uses and disclosures
 Use of PHI
 Sharing, application, use, examination or
analysis within the entity that maintains the
PHI
 Disclosure of PHI
 Release or divulgence of information by an
entity to persons or organizations outside of
that entity.
HIPAA Privacy Rule

 A covered entity may not use or disclose
PHI, except
 with individual consent for treatment,
payment or healthcare operations (TPO)
 with individual authorization for other
purposes
 without consent or authorization for
governmental and other specified
purposes
HIPAA Privacy Rule

 Treatment, payment, health care operations
(TPO)
 Quality improvement
 Competency assurance
 Medical reviews & audits
 Insurance functions
 Business planning & administration
 General administrative activities
HIPAA Privacy Rule

 Uses & disclosures without the need for patient
authorization permitted in some circumstances
 Required by law
 For public health activities
 About victims of abuse, neglect, or domestic
violence
 For health oversight activities
 For judicial & administrative proceedings
 For law enforcement purposes
 About decedents
HIPAA Privacy Rule

 Uses & disclosures without the need for patient
authorization permitted in some circumstances
 For cadaveric organ, eye, or tissue donation purposes
 For research purposes
 To avert a serious threat to health or safety
 For workers’ compensation
 For specialized government functions
 Military & veterans activities
 National security & intelligence activities
 Protective services for President & others
 Medical suitability determinants
 Correctional institutions
 CE that are government programs providing public benefits
HIPAA Privacy Rule

 Control use and disclosure of PHI
 Notify patients of information practices (NPP, Notice of Privacy
Practices)
 Specifies how CE can use and share PHI
 Specifies patient’s rights regarding their PHI
 Provide means for patients to access their own record
 Obtain authorization for non-TPO uses and disclosures
 Log disclosures
 Restrict use or disclosures
 Minimum necessary
 Privacy policy and practices
 Business Associate agreements
 Other applicable statutes
 Provide management oversight and response to minimize threats and
breaches of privacy
Responsibilities of a CE
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz

 Individually identifiable health information
collected and used solely for research IS NOT PHI
 Researchers obtaining PHI from a CE must obtain
the subject’s authorization or must justify an
exception:
 Waiver of authorization (obtain from the IRB)
 Limited Data Set (with data use agreement)
 De-identified Data Set
 HIPAA Privacy supplements the Common Rule
and the FDA’s existing protection for human
subjects
HIPAA & Research

 De-identified Data Set
 Remove all 18 personal identifiers of subjects,
relatives, employers, or household members
 OR biostatistician confirms that individual cannot be
identified with the available information
 Limited Data Set
 May include Zip, Birthdate, Date of death, date of
service, geographic subdivision
 Remove all other personal identifiers of subject, etc.
 Data Use Agreement signed by data recipient that
there will be no attempt to re-identify the subject
Research Data Sets

 Assure the CE that all research-initiated HIPAA
requirements have been met
 Provide letter of approval to the researcher to
conduct research using PHI
 OR, Certify and document that waiver of
authorization criteria have been met
 Review and approve all authorizations and data
use agreements
 Retain records documenting HIPAA actions for 6
years
IRB’s New Responsibility

 Establishes national standards to protect
individuals’ electronic PHI that is created,
received, used, or maintained by a CE.
 Requires appropriate safeguards to ensure
confidentiality, integrity & security of
electronic PHI
 Administrative safeguards
 Physical safeguards
 Technical safeguards
HIPAA Security Rule

 Timeline
 August 12, 1998 Proposed Security Rule
 February 20, 2003 Final Security Rule
 April 21, 2005 Compliance Date for most CE
 Full Text
http://www.hhs.gov/ocr/privacy/hipaa/
administrative/securityrule/securityrulepdf.pdf
HIPAA Security Rule
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html

 The HIPAA Security Rule is:
 A set of information security “best practices”
 A minimum baseline for security
 An outline of what to do, and what procedures
should be in place
 The HIPAA Security Rule is not:
 A set of specific instructions
 A set of rules for universal, unconditional
implementation
 A document outlining specific implementations
(vendors, equipment, software, etc.)
HIPAA Security Rule: Meaning

 Many rules are either Required or Addressable
 Required:
 Compliance is mandatory
 Addressable:
 If a specification in the Rule is reasonable and
appropriate for the CE, then the CE must implement
 Otherwise, documentation must be made of the
reasons the policy cannot/will not be implemented,
and when necessary, offer an alternative
HIPAA Security Rule: Meaning

 Breach notification
 Extension of complete Privacy & Security
HIPAA provisions to business associates of
covered entities
 New rules for accounting of disclosures of a
patient’s health information
New in HITECH Act of 2009

 Conflicts between federal vs. state laws
 Variations among state laws of different
states
 HIPAA only covers “covered entities”
 No general privacy laws in place, only a few
sectoral privacy laws e.g. HIPAA
Health Information Privacy Law:
U.S. Challenges

 Canada - The Privacy Act (1983), Personal
Information Protection and Electronic Data
Act of 2000
 EU Countries - EU Data Protection Directive
 UK - Data Protection Act 1998
 Austria - Data Protection Act 2000
 Australia - Privacy Act of 1988
 Germany - Federal Data Protection Act of
2001
Health Information Privacy Law:
Other Western Countries

Thailand’s Health
Information Privacy
Law

 The Official Information Act, B.E.
2540
 Requires official information within
the government (with exceptions
such as some personal information)
to be disclosed to the public up front
or upon request
 “Disclose by default, protect by
exceptions”
Thai Privacy Laws

 No universal personal data privacy law
(Draft law has been proposed)
 National Health Act, B.E. 2550
 Provision 7 provides protection of
health information from disclosures
that could be damaging to an
individual without his/her consent or
as required by law.
Thai Privacy Laws

 Computer-Related Crimes Act, B.E. 2550 & 2560
 Focuses on prosecuting computer crimes &
computer-related crimes
 Responsibility of organizations as IT service
provider: Logging & provision of access data
to authorities
Thai ICT Laws

 Electronic Transactions Acts, B.E. 2544 & 2551
 Affirms legal status of electronic data
 Addresses how electronic transactions and
electronic signatures work in the legal context
 Security & privacy requirements for
 Determining legal validity & integrity of
electronic transactions and documents, print-
outs, & paper-to-electronic conversions
 Governmental & public organizations
 Critical infrastructures
 Financial sectors
 Electronic certificate authorities
Thai ICT Laws

Security Requirements for Critical Infrastructure in Thailand
Domain Basic Medium
(In addition to Basic)
High
(In addition to Medium)
Security policy 1 Item 1 Item -
Organization of information security 5 Items 3 Items 3 Items
Asset management 1 Item 4 Items -
Human resources security 6 Items 1 Item 2 Items
Physical and environmental security 5 Items 2 Items 6 Items
Communications & operations management 18 Items 5 Items 9 Items
Access control 9 Items 8 Items 8 Items
Information systems acquisition,
development and maintenance
2 Items 6 Items 8 Items
Information security incident management 1 Item - 3 Items
Business continuity management 1 Item 3 Items 1 Item
Regulatory compliance 3 Items 5 Items 2 Items
รวม 52 Items 38 Items (90 Items Total) 42 Items (132 Items Total)

Health Information Privacy and Security

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Health Information Privacy and Security

Similar to Health Information Privacy and Security (20)

More from Nawanan Theera-Ampornpunt

More from Nawanan Theera-Ampornpunt (20)

Recently uploaded

Recently uploaded (20)

Health Information Privacy and Security