Ethics, Security and Privacy Management of Hospital Data Part 2 (January 24, ...Nawanan Theera-Ampornpunt
Presented at the Hospital IT Quality Development to level 4, 5, 6 Workshop, Thai Medical Informatics Association, Bangkok, Thailand on January 24, 2020
Ethics, Security and Privacy Management of Hospital Data Part 2 (January 24, ...Nawanan Theera-Ampornpunt
Presented at the Hospital IT Quality Development to level 4, 5, 6 Workshop, Thai Medical Informatics Association, Bangkok, Thailand on January 24, 2020
Overview of Apache Fink: the 4 G of Big Data Analytics FrameworksSlim Baltagi
Slides of my talk at the Hadoop Summit Europe in Dublin, Ireland on April 13th, 2016. The talk introduces Apache Flink as both a multi-purpose Big Data analytics framework and real-world streaming analytics framework. It is focusing on Flink's key differentiators and suitability for streaming analytics use cases. It also shows how Flink enables novel use cases such as distributed CEP (Complex Event Processing) and querying the state by behaving like a key value data store.
Presented at The New Generation IT Doctor for Hospital Development Training Program, Thai Medical Informatics Association, Nonthaburi, Thailand on August 26, 2019
Presented at the 7th Healthcare CIO Certificate Program, Hospital Administration School, Faculty of Medicine Ramathibodi Hospital, Mahidol University on August 10, 2016
Presented at the BDMS Golden Jubilee Scientific Conference 2022 "BDMS Beyond 50 years: Looking towards the centennial," Bangkok Dusit Medical Services Public Company Limited (BDMS), Bangkok, Thailand on October 19, 2022
Presented at The Thai Medical Informatics Association Annual Conference and The National Conference on Medical Informatics (TMI-NCMedInfo) 2021, Bangkok, Thailand on November 26, 2021
Presented at the Master of Science Program in Medical Epidemiology and the Doctor of Philosophy Program in Clinical Epidemiology, Department of Clinical Epidemiology and Biostatistics, Faculty of Medicine Ramathibodi Hospital, Mahidol University, Bangkok, Thailand on November 25, 2021
Presented at the Master of Science and Doctor of Philosophy Programs in Data Science for Healthcare and Clinical Informatics, Department of Clinical Epidemiology and Biostatistics, Faculty of Medicine Ramathibodi Hospital, Mahidol University, Bangkok, Thailand on November 15, 2021
Consumer Health Informatics, Mobile Health, and Social Media for Health: Part...Nawanan Theera-Ampornpunt
Presented at the Master of Science and Doctor of Philosophy Programs in Data Science for Healthcare and Clinical Informatics, Department of Clinical Epidemiology and Biostatistics, Faculty of Medicine Ramathibodi Hospital, Mahidol University, Bangkok, Thailand on November 10, 2021
5. Sources of the Threats
Hackers
Viruses & Malware
Poorly-designed systems
Insiders (Employees)
People’s ignorance & lack of knowledge
Disasters & other incidents affecting
information systems
6. Information risks
Unauthorized access & disclosure of confidential information
Unauthorized addition, deletion, or modification of information
Operational risks
System not functional (Denial of Service - DoS)
System wrongly operated
Personal risks
Identity thefts
Financial losses
Disclosure of information that may affect employment or other
personal aspects (e.g. health information)
Physical/psychological harms
Organizational risks
Financial losses
Damage to reputation & trust
Etc.
Consequences of Security Attacks
11. Alice
Simplified Attack Scenarios
Server Bob
- Physical access to client computer
- Electronic access (password)
- Tricking user into doing something
(malware, phishing & social
engineering)
Eve/Mallory
12. Alice
Simplified Attack Scenarios
Server Bob
- Intercepting (eavesdropping or
“sniffing”) data in transit
- Modifying data (“Man-in-the-
middle” attacks)
- “Replay” attacks
Eve/Mallory
13. Alice
Simplified Attack Scenarios
Server Bob
- Unauthorized access to servers through
- Physical means
- User accounts & privileges
- Attacks through software vulnerabilities
- Attacks using protocol weaknesses
- DoS / DDoS attacks Eve/Mallory
15. Alice
Safeguarding Against Attacks
Server Bob
Administrative Security
- Security & privacy policy
- Governance of security risk management & response
- Uniform enforcement of policy & monitoring
- Disaster recovery planning (DRP) & Business continuity
planning/management (BCP/BCM)
- Legal obligations, requirements & disclaimers
16. Alice
Safeguarding Against Attacks
Server Bob
Physical Security
- Protecting physical access of clients & servers
- Locks & chains, locked rooms, security cameras
- Mobile device security
- Secure storage & secure disposition of storage devices
17. Alice
Safeguarding Against Attacks
Server Bob
User Security
- User account management
- Strong p/w policy (length, complexity, expiry, no meaning)
- Principle of Least Privilege
- “Clear desk, clear screen policy”
- Audit trails
- Education, awareness building & policy enforcement
- Alerts & education about phishing & social engineering
18. Alice
Safeguarding Against Attacks
Server Bob
System Security
- Antivirus, antispyware, personal firewall, intrusion
detection/prevention system (IDS/IPS), log files, monitoring
- Updates, patches, fixes of operating system vulnerabilities &
application vulnerabilities
- Redundancy (avoid “Single Point of Failure”)
- Honeypots
19. Alice
Safeguarding Against Attacks
Server Bob
Software Security
- Software (clients & servers) that is secure by design
- Software testing against failures, bugs, invalid inputs,
performance issues & attacks
- Updates to patch vulnerabilities
20. Alice
Safeguarding Against Attacks
Server Bob
Network Security
- Access control (physical & electronic) to network devices
- Use of secure network protocols if possible
- Data encryption during transit if possible
- Bandwidth monitoring & control
21. Alice
Safeguarding Against Attacks
Server Bob
Database Security
- Access control to databases & storage devices
- Encryption of data stored in databases if necessary
- Secure destruction of data after use
- Access control to queries/reports
- Security features of database management systems (DBMS)
24. Need for Strong Password Policy
So, two informaticians
walk into a bar...
The bouncer says,
"What's the password."
One says, "Password?"
The bouncer lets them
in.
Credits: @RossMartin & AMIA (2012)
25. Access control
Selective restriction of access to the system
Role-based access control
Access control based on the person’s role
(rather than identity)
Audit trails
Logs/records that provide evidence of
sequence of activities
User Security
26. Identification
Identifying who you are
Usually done by user IDs or some other unique codes
Authentication
Confirming that you truly are who you identify
Usually done by keys, PIN, passwords or biometrics
Authorization
Specifying/verifying how much you have access
Determined based on system owner’s policy & system
configurations
“Principle of Least Privilege”
User Security
27. Recommended Password Policy
Length
8 characters or more (to slow down brute-force attacks)
Complexity (to slow down brute-force attacks)
Consists of 3 of 4 categories of characters
Uppercase letters
Lowercase letters
Numbers
Symbols (except symbols that have special uses by the
system or that can be used to hack system, e.g. SQL Injection)
No meaning (“Dictionary Attacks”)
Not simple patterns (12345678, 11111111) (to slow down brute-
force attacks & prevent dictionary attacks)
Not easy to guess (birthday, family names, etc.) (to prevent
unknown & known persons from guessing)
Personal opinion. No legal responsibility assumed.
28. Recommended Password Policy
Expiration (to make brute-force attacks not possible)
6-8 months
Decreasing over time because of increasing computer’s
speed
But be careful! Too short duration will force users to write
passwords down
Secure password storage in database or system
(encrypted or store only password hashes)
Secure password confirmation
Secure “forget password” policy
Different password for each account. Create variations
to help remember. If not possible, have different sets of
accounts for differing security needs (e.g., bank
accounts vs. social media sites) Personal opinion. No legal responsibility assumed.
30. Techniques to Remember Passwords
http://www.wikihow.com/Create-a-Password-You-Can-
Remember
Note that some of the techniques are less secure!
One easy & secure way: password mnemonic
Think of a full sentence that you can remember
Ideally the sentence should have 8 or more words, with
numbers and symbols
Use first character of each word as password
Sentence: I love reading all 7 Harry Potter books!
Password: Ilra7HPb!
Voila!
Personal opinion. No legal responsibility assumed.
43. แบ่งเป็น 11 หมวด (Domains)
Security policy
Organization of information security
Asset management
Human resources security
Physical and environmental security
Communications and operations management
Access control
Information systems acquisition, development and
maintenance
Information security incident management
Business continuity management
Regulatory compliance
มาตรฐาน Security ตามวิธีการแบบปลอดภัย