Ahmed Al Barrak - Staff information security practices - a latent threat




  1. The 3rd Kuwait Infosecurity Conference
     Staff Information Security Practices: a latent threat
     Dr. Ahmed Albarrak, Associate Professor of Medical Informatics; Chairman, Medical Informatics Dept.; Director, E-learning and Knowledge Management, College of Medicine, King Saud University
     ksuahmed@yahoo.com, albarrak@ksu.edu.sa
  2. Agenda
     • Introduction
     • Security threats
     • User behaviors
     • International findings in security threats
     • Security study: objectives; methods and settings; results
     • Conclusions and recommendations
  3. Introduction
     • Information security is a permanent challenge for any organization, especially governmental, health and academic organizations.
     • While the risk of external threats can be assessed and accounted for by intrusion detection and other relevant tools, insider threats are difficult to detect and manage because they primarily emerge from the malicious practices of authorized users.
  4. Introduction
     • The enforcement of strict information security policies has therefore become one of the top priorities for organizations that want to protect data against hacking and unauthorized access.
     • It is well understood that technology alone cannot provide all aspects of information security required by any organization.
     • Technology can help in preventing security threats and breaches in the organization's infrastructure, compromises of computer system security, and insecure transmission of information.
  5. Introduction
     • But it has little or no effect in cases where unwanted disclosure of information takes place in other ways, such as the acts of disloyal employees.
     • Because user threats are latent and cannot easily be detected by ordinary intrusion detection or access control mechanisms, and because user behaviour is not consistent across different organizations, this issue has become the subject of much research and investigation.
  6. Introduction
     • Information security, privacy and confidentiality of patients' data in the healthcare work environment should not be regarded as only policies, procedures and practices.
     • Information security includes culture and mores, and should be considered part of the healthcare process and of medical ethics.
     • Information security of healthcare systems is particularly vital due to the sensitive nature of the information stored in these systems, as well as the cost associated with the loss of patients' data.
  7. Introduction
     • The loss of sensitive patients' or students' data may cause huge damage to the organization's reputation.
     • It can reduce customer confidence, undermine the organization's reliability and jeopardize its competitiveness in the market.
     • In some cases it can even result in legal consequences, fines and penalties.
  8. Security threats
     • Information damage might take place in many forms, such as: intrusion into the systems; theft of organization data; fraudulent use of data; defacement of organizational websites; other forms of information loss or damage.
     • Such damage is caused by hackers and virus writers as well as by AUTHORIZED users.
  9. Information security and user behavior
     • Organizations sometimes consider information security as something that can be achieved only by enhanced technologies (such as firewalls and intrusion detection software) and well-trained IT personnel,
     • while ignoring or giving little attention to the role of the systems' users, who represent a critical factor in the implementation and protection of systems and data security.
  10. Information security and user behavior
     • The utilization of IT in healthcare delivery, where services are provided by multidisciplinary teams of healthcare professionals and trainees in a shared environment, has been accompanied by several challenges and threats related to the privacy and confidentiality of patients' information (Lekkas, 2007).
     • A breach of electronic patients' information is particularly associated with unbearably high loss. It does not only lead to financial losses, but may also threaten patients' safety and jeopardize their lives.
  11. International Findings in Security Threats
     • In a study by North (2006) of 465 students at Clark Atlanta University, 23% of students replied that they have used other people's computers without authorization.
     • Research conducted by CISCO in 2008 on 2000 users in 10 countries showed that at least one of every 3 employees leaves their computer logged on and unlocked when they are away from their desk to take lunch or go home after working hours.
  12. International Findings in Security Threats
     • In a survey of 381 employees of a medium-sized public sector agency, 16% of the respondents shared passwords with other people (Woodhouse 2007).
     • In a survey study of students on password practices and attitudes, it was found that 22% of respondents share their webmail password with others (Hart 2008).
     • A similar conclusion was also reported by CISCO 2008: 18% of the surveyed employees share passwords with co-workers.
  13. International Findings in Security Threats
     • Research and studies have shown that users are generally reluctant to change their passwords as well. In a survey of university students at Plattsburgh about their attitudes and practices regarding passwords, over 80% of them rarely change their password (Hart 2008).
     • Comparable results were reported in a study by Stanton et al.: 23% of the employees surveyed sometimes disclose their passwords to colleagues and staff members (Stanton et al. 2004).
  14. International Findings in Security Threats
     • A system that is totally secure from a technical point of view can become totally insecure through users' malpractices (Bardram 2005).
     • The promotion of a security culture that complies with security policies, and raising end-user awareness of security issues through education, are the best practices for reducing security threats in the workplace environment (D'Arcy 2007).
  15. Security study
     • A study examined breaches of information security originating from staff malpractices at KSU College of Medicine and two University Hospitals. The objectives of the study were:
     • to assess, evaluate and analyze the security behavior of users at King Saud University Hospitals, Riyadh, Saudi Arabia;
     • to examine whether such behavior differs across employee categories.
  16. Study methods and settings
     • Data collection was done by means of a questionnaire distributed to a random sample of 2000 employees (220 administrative staff, 380 physicians, 900 nursing staff and 500 allied health and technical staff).
     • The questions were set to address the security behavior of users and explore their awareness of some basic security and privacy issues.
     • SPSS 16© was used for all data analysis. A comparison was held statistically significant if p ≤ 0.05.
  17. Results
     • In total, 554 questionnaires were completed, on which the analysis was based.
     • Demographics: 73% females, 27% males; Saudis constituted 18%; age (40 +/- 0.5 yrs; mean +/- SE); period of employment at the hospitals (7 +/- 0.3 yrs; mean +/- SE); time since the employee started using the hospital IT system (6 +/- 0.2 yrs; mean +/- SE).
  18. Results
     Respondents were distributed between professions as follows:
     • 62 physicians (consultants, specialists and general practitioners),
     • 49 administrative staff,
     • 354 nursing staff,
     • 84 allied health staff (laboratory, x-ray and other technicians).
  19. Results
     Respondents (users) access the hospital IT system to perform at least one of the following tasks:
     • viewing and editing medical records and accessing the hospital information system (HIS) (47%),
     • investigating laboratory results (LAB system) (15%),
     • retrieving x-rays (22%),
     • internet and e-mail services (15%).
  20. • 81% of hospital staff use shared computers, and the proportion of nursing and allied health staff using shared computers is significantly higher than in other job categories.
     [Chart: personal 19%, shared 81%]
  21. [Chart: Working environment (shared workstations). Personal vs. Shared, in %, for Physicians, Administrative, Nursing and Allied health staff.]
  22. • 16% of respondents do not sign out of applications after working sessions.
     • Older employees tend to be more aware of such a practice than their younger counterparts (p=0.01).
     • Communication of passwords between office mates and friends was reported by 27% of respondents. It is more frequent among females than among males (p=0.0001), and higher among nursing staff than in other job categories (p=0.0001).
  23. • The practice of NOT changing the password after it became known to unauthorized persons was stated by 45% of participants.
     • Males are doing significantly better than females concerning this habit.
     • Nursing staff appears to be the group least aware of changing their passwords once released to others, compared with any other group of staff (p=0.0001).
  24. • 70% of respondents had never changed their default system-generated passwords. This practice is also more frequent among females compared to males, and among nursing staff compared to other professions.
     [Chart: Changing the password after first being generated by administrator: yes 30%, no 70%]
  25. [Chart: Changing the password after first being generated by administrator. Yes vs. No, in %, for Physicians, Administrative, Nursing and Allied health staff.]
  26. [Chart: Password structure. Categories: Alphabets only; Digits only; Alphabets & digits; Alphabets, digits & symbols. Bar values shown: 53%, 33%, 14%, 0%.]
  27. Parameter: Response, No., %
     • Use of personal or shared computer: Personal 99 (19%); Shared 418 (81%)
     • Logging off the application after work sessions: yes 448 (84%); no 83 (16%)
     • Allowing others to use the account without giving them the password: yes 213 (40%); no 317 (60%)
     • Allowing office mates and friends to know the password: yes 145 (27%); no 394 (73%)
     • Changing the password after being known to other people: yes 290 (55%); no 240 (45%)
     • Changing the password after first being generated by administrator: yes 158 (30%); no 370 (70%)
  28. [Chart: Allowing office mates and friends to know the password. Yes vs. No, in %, for Physicians, Administrative, Nursing and Allied health staff.]
  29. [Chart: Changing the password after being known to others. Yes vs. No, in %, for Physicians, Administrative, Nursing and Allied health staff.]
  30. [Chart: Allowing others to use the account without giving them the password. Yes vs. No, in %, for Physicians, Administrative, Nursing and Allied health staff.]
  31. Findings
     • Although sharing of workstations is not a user choice and is more likely attributable to the nature of the hospital or work environment, it represents a latent security threat.
     • It can be argued that compliance with security policies and procedures is much harder in a multiuser shared environment than in places where each user logs in to a dedicated personal computer.
     • In such a multiuser environment, the security practice and awareness of users constitute the first line of defense for safeguarding patient data.
  32. Findings
     • Studies have shown that users are generally reluctant to change their passwords.
     • Users should be initiated and encouraged to change their passwords whenever, for any reason, they feel these have become unsafe.
     • Change of password, as a precautionary security measure, is highly recommended mainly in three situations: after being issued by the system administrator, after feeling that it has become known to others, and after every regular time interval.
  33. Findings
     • This study further reveals that staff vary in their compliance with security measures.
     • Understanding the privacy and security threats and challenges facing the organization is essential for building a holistic security process and avoiding loss of, and threats to, patient information.
     • Besides, users should be instructed to strictly comply with policies and procedures that prevent communication of passwords, use of others' accounts, and keeping passwords unchanged for long time intervals.
  34. Recommendations
     • Organizations should build a sense of information security awareness among all staff to gain their support in protecting sensitive data.
     • Continuous education and evaluation of the security processes are major elements in that context.
     • Other measures include auto-locking and logging off workstations that have not been in use for a predefined period.
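The slides above report that 16% of respondents do not sign out after working sessions on shared workstations and recommend automatic log-off after a predefined idle period. The following is an added example, not part of the presentation or the study, of the detection side of that recommendation: it scans a constructed logon/logoff audit log for sessions that were never signed out, were taken over by another user, or ran past an assumed 60-minute session limit. The log format, workstation names, user names and the limit are all assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed sample audit lines (not from the study):
# "<ISO timestamp> <workstation> <user> <LOGON|LOGOFF>"
SAMPLE_LOG = """\
2011-03-01T08:00:00 WS-ER-01 nurse.a LOGON
2011-03-01T09:30:00 WS-ER-01 nurse.a LOGOFF
2011-03-01T09:40:00 WS-ER-01 nurse.b LOGON
2011-03-01T10:05:00 WS-ER-01 nurse.b LOGOFF
2011-03-01T09:10:00 WS-LAB-02 tech.c LOGON
2011-03-01T13:00:00 WS-LAB-02 tech.d LOGON
"""


def parse_events(text):
    """Parse the constructed log into (time, host, user, kind) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        ts, host, user, kind = line.split()
        events.append((datetime.fromisoformat(ts), host, user, kind))
    return sorted(events)


def find_unattended_sessions(events, max_session=timedelta(minutes=60)):
    """Report sessions on shared workstations that were left logged on.

    Each finding is (host, user, reason). Three cases are flagged:
    a session closed by LOGOFF but open longer than max_session (the assumed
    auto log-off limit); a session replaced by another user's LOGON with no
    LOGOFF in between; and a session still open when the log ends.
    """
    open_sessions = {}  # host -> (user, logon_time)
    findings = []
    limit_min = int(max_session.total_seconds() // 60)
    for ts, host, user, kind in events:
        if kind == "LOGON":
            if host in open_sessions:  # previous user never signed out
                prev_user, _ = open_sessions[host]
                findings.append((host, prev_user, f"replaced by {user} without sign-out"))
            open_sessions[host] = (user, ts)
        elif kind == "LOGOFF" and host in open_sessions:
            session_user, start = open_sessions.pop(host)
            minutes = int((ts - start).total_seconds() // 60)
            if ts - start > max_session:
                findings.append((host, session_user, f"session open {minutes} min, limit {limit_min} min"))
    for host, (user, _) in open_sessions.items():
        findings.append((host, user, "still logged on at end of log"))
    return findings
```

On the sample log this reports nurse.a's 90-minute session, tech.c's session taken over by tech.d, and tech.d still logged on when the log ends.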
  35. Conclusions
     • It is clearly proven that technical security measures alone can NOT prevent security breaches.
     • Insider threats are difficult to detect and manage because they primarily emerge from the malicious practices of authorized users.
     • This emphasizes that awareness training and education of users on information security issues are very important for achieving a reliable level of information security in any organization.