This document outlines a presentation on health information privacy and security. It introduces key topics like protecting information privacy and security, user security, malware, and security standards. It also discusses privacy and security laws. The document contains several slides on introduction to information privacy and security, sources of security threats, consequences of security attacks, privacy and security definitions, and examples of different types of security risks.
This presentation delves into the many cybersecurity risks that plague the healthcare industry and how these risks can be mitigated with the help of security solutions that Seqrite offers.
This presentation talks about the context of developing the Electronic Health Records for India. The guidelines, as mentioned on the GOI site, are described vividly with examples for better understanding.
N.B: Please download the ppt first, for the animations to work better.
Presented at the Master of Science and Doctor of Philosophy Programs in Data Science for Healthcare and Clinical Informatics, Department of Clinical Epidemiology and Biostatistics, Faculty of Medicine Ramathibodi Hospital, Mahidol University, Bangkok, Thailand on November 8, 2021
This is a slideshow explaining the importance of protecting patient privacy and confidentiality. This slideshow is for education and training purposes only.
What is Health Informatics?
HI Goals
HI stakeholders
HI subfields / subspecialties
Healthcare trends & HI
HI professional environments
HI education / training opportunities & degrees
HI organizations / journals / meetings / events
HI professional certificates
HI books
Confidentiality can be defined as the
ethical principle or legal right that a
physician or other health professional will
hold secret all information relating to a
patient, unless the patient gives consent
permitting disclosure.
Presented at the 11th Healthcare CIO Certificate Program, School of Hospital Management, Faculty of Medicine Ramathibodi Hospital, Mahidol University, Bangkok, Thailand on February 9, 2021
Presented at the Data Science for Healthcare Graduate Programs, Section for Clinical Epidemiology and Biostatistics, Faculty of Medicine Ramathibodi Hospital, Mahidol University, Bangkok, Thailand on October 30, 2019
Presented at the Master of Science and Doctor of Philosophy Programs in Data Science for Healthcare and Clinical Informatics, Department of Clinical Epidemiology and Biostatistics, Faculty of Medicine Ramathibodi Hospital, Mahidol University, Bangkok, Thailand on October 21, 2020
Security Concepts Dr. Y. Chu CIS3360 Security in Computing.docx - bagotjesusa
Security Concepts
Dr. Y. Chu
CIS3360: Security in Computing
0R02
Spring 2018
Information
Textbook Chapter 1
Some of the slides and figures are from textbook slides distributed by Pearson
Computer Security Definition
The NIST Computer Security Handbook Definition
“The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).”
Key points:
Confidentiality, integrity and availability
Confidentiality:
Data confidentiality: confidential information is not disclosed to unauthorized parties
Privacy: personal information should not be collected by unauthorized personnel
Integrity:
Data integrity: information should not be changed by unauthorized parties
System integrity: systems perform as intended free of unauthorized manipulation
Availability:
Systems work promptly and service is not denied to authorized user.
Information resources: hardware, software, firmware, information/data, and telecommunications
National Institute of Standards and Technology
Computer Security Objectives
CIA triad
FIPS PUB 199 characterization
Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.
Integrity: Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.
Availability: Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.
Federal Information Processing Standards
Computer Security Objectives
Additional concepts
Authenticity: verifying that users are who they say they are and that each input arriving at the system came from a trusted source.
Accountability: Systems must keep records of their activities to permit later forensic analysis to trace security breaches or to aid in transaction disputes.
Tools for Confidentiality
Encryption
Transform the information using a secret so it is useful only to the intended recipient
Access Control
Rules and policies that limit access to confidential information
Authentication
Determine identity or role of a user
Authorization
Specify the access rights or privileges to resources
Physical Security
Use physical barriers to deny unauthorized access
For example, lock and security guards
Tools for Integrity
Backups
Periodic archiving of data.
Checksums
Computation of a function that maps the contents of a file to a numerical value
Data correcting codes
methods for storing data in such.
CYBER SECURITY PRIMER - OllieShoresna
A brief introduction to cyber security for students who are new to the field.
Network outages, data compromised by hackers, computer viruses and other incidents affect our lives
in ways that range from inconvenient to life-threatening. As the number of mobile users, digital
applications and data networks increase, so do the opportunities for exploitation.
WHAT IS CYBER SECURITY?
Cyber security, also referred to as information technology security, focuses on protecting computers,
networks, programs and data from unintended or unauthorized access, change or destruction.
WHY IS CYBER SECURITY IMPORTANT?
Governments, military, corporations, financial institutions, hospitals and other businesses collect,
process and store a great deal of confidential information on computers and transmit that data across
networks to other computers. With the growing volume and sophistication of cyber attacks, ongoing
attention is required to protect sensitive business and personal information, as well as safeguard
national security.
During a Senate hearing in March 2013, the nation's top intelligence officials warned that cyber attacks
and digital spying are the top threat to national security, eclipsing terrorism.
CYBER SECURITY GLOSSARY OF TERMS
Learn cyber speak by familiarizing yourself with cyber security terminology.
Access −
The ability and means to communicate with or
otherwise interact with a system, to use system
resources to handle information, to gain
knowledge of the information the system
contains or to control system components and
functions.
Active Attack −
An actual assault perpetrated by an intentional
threat source that attempts to alter a system, its
resources, its data or its operations.
Blacklist −
A list of entities that are blocked or denied
privileges or access.
Bot −
A computer connected to the Internet that has
been surreptitiously/secretly compromised with
malicious logic to perform activities under the
remote command and control of a remote
administrator.
Information Assurance −
The measures that protect and defend
information and information systems by
ensuring their availability, integrity and
confidentiality.
Intrusion Detection −
The process and methods for analyzing
information from networks and information
systems to determine if a security breach or
security violation has occurred.
Key −
The numerical value used to control
cryptographic operations, such as decryption,
encryption, signature generation or signature
verification.
Malware −
http://www.umuc.edu/cybersecurity/about/#
Cloud Computing −
A model for enabling on-demand network
access to a shared pool of configurab ...
Oracle UCM Security: Challenges and Best Practices - Brian Huff
Information on how to "harden" your content server to make it less susceptible to security attacks. Covers risks, vulnerabilities, and countermeasures.
Mobile Security Training, Mobile Device Security Training - Tonex
Mobile Security Training course will investigate venture mobile security and show you the mobile security shortcomings and dangers. Figure out how aggressors can use mobile devices to manhandle and assault associations. For what reason would it be a good idea for you to pick TONEX for your Mobile Security Training? We indicate you different mobile security concerns, specialized issues with mobile stages, remediation systems, security strategies, and arrangements on assortment of mobile devices, shrewd devices and stages including iOS (iPhone and iPad), Android, Blackberry and Windows Phone.
Take in more about:
Application Security and SDLC Fundamentals
Mobile systems and advancements
Mobile risk models
Mobile Device Management (MDM) and BYOD
Secure Java, C# and Objective-C coding
iOS and Android SDK, APIs, and Security Features
Web Service and Network Security
Information Security and Implementing Encryption
Application solidifying and figuring out
Investigate the systems to secure Mobile devices and cell phones since mobile dangers are unique. Figure out how the mobile devices and stages work and coordinate with IT framework inside the undertaking. Comprehend the part of Mobile device security strategy and how it can affect the mobile security. Find out about mobile security and MDM arrangements and how to broaden assurance past mobile devices, applications, and information.
More topics to be covered in this training :
Mobile Security Fundamentals, Mobile Network Security, iOS SDK, APIs, and Security Features, iOS Data protection API, iOS Security Framework, Web Service and Network Security, Common threats to Web services, Implementation of session security, Data Security and Implementing Encryption and more.
This class is prescribed for mobile device producers, application designers, mobile system administrators, programming organizations, special forces, secretive operations work force, FBI, CIA, NSA, DoD hostile security experts, and different experts from the Intel people group.
Learn more about Mobile Security Training
https://www.tonex.com/training-courses/mobile-security-training/
Presented at the BDMS Golden Jubilee Scientific Conference 2022 "BDMS Beyond 50 years: Looking towards the centennial," Bangkok Dusit Medical Services Public Company Limited (BDMS), Bangkok, Thailand on October 19, 2022
Presented at The Thai Medical Informatics Association Annual Conference and The National Conference on Medical Informatics (TMI-NCMedInfo) 2021, Bangkok, Thailand on November 26, 2021
Presented at the Master of Science Program in Medical Epidemiology and the Doctor of Philosophy Program in Clinical Epidemiology, Department of Clinical Epidemiology and Biostatistics, Faculty of Medicine Ramathibodi Hospital, Mahidol University, Bangkok, Thailand on November 25, 2021
Presented at the Master of Science and Doctor of Philosophy Programs in Data Science for Healthcare and Clinical Informatics, Department of Clinical Epidemiology and Biostatistics, Faculty of Medicine Ramathibodi Hospital, Mahidol University, Bangkok, Thailand on November 15, 2021
Consumer Health Informatics, Mobile Health, and Social Media for Health: Part... - Nawanan Theera-Ampornpunt
Presented at the Master of Science and Doctor of Philosophy Programs in Data Science for Healthcare and Clinical Informatics, Department of Clinical Epidemiology and Biostatistics, Faculty of Medicine Ramathibodi Hospital, Mahidol University, Bangkok, Thailand on November 10, 2021
1. Health Information
Privacy & Security
Nawanan Theera-Ampornpunt, M.D., Ph.D.
Faculty of Medicine Ramathibodi Hospital
Mahidol University
For Ramathibodi M.S. & Ph.D. Programs in Data Science for Health Care
October 17, 2017
http://www.SlideShare.net/Nawanan
2. Introduction to Information Privacy & Security
Protecting Information Privacy & Security
User Security
Malware
Security Standards
Privacy & Security Laws
Outline
7. Sources of the Threats
Hackers
Viruses & Malware
Poorly-designed systems
Insiders (Employees)
People’s ignorance & lack of knowledge
Disasters & other incidents affecting
information systems
8. Information risks
Unauthorized access & disclosure of confidential information
Unauthorized addition, deletion, or modification of information
Operational risks
System not functional (Denial of Service - DoS)
System wrongly operated
Personal risks
Identity thefts
Financial losses
Disclosure of information that may affect employment or other
personal aspects (e.g. health information)
Physical/psychological harms
Organizational risks
Financial losses
Damage to reputation & trust
Etc.
Consequences of Security Attacks
10. Privacy: “The ability of an individual or group
to seclude themselves or information about
themselves and thereby reveal themselves
selectively.” (Wikipedia)
Security: “The degree of protection to safeguard
... person against danger, damage, loss, and
crime.” (Wikipedia)
Information Security: “Protecting information
and information systems from unauthorized
access, use, disclosure, disruption, modification,
perusal, inspection, recording or destruction”
(Wikipedia)
Privacy & Security
13. Examples of Integrity Risks
http://www.wired.com/threatlevel/2010/03/source-code-hacks/
http://en.wikipedia.org/wiki/Operation_Aurora
“Operation Aurora”
Alleged Targets: Google, Adobe, Juniper Networks,
Yahoo!, Symantec, Northrop Grumman, Morgan Stanley,
Dow Chemical
Goal: To gain access to and potentially modify source
code repositories at high tech, security & defense
contractor companies
14. Examples of Integrity Risks
http://news.softpedia.com/news/700-000-InMotion-Websites-Hacked-by-TiGER-M-TE-223607.shtml
Web Defacements
15. Examples of Availability Risks
http://en.wikipedia.org/wiki/Blaster_worm
Viruses/worms that led to instability &
system restart (e.g. Blaster worm)
16. Examples of Availability Risks
http://en.wikipedia.org/wiki/Ariane_5_Flight_501
Ariane 5 Flight 501 Rocket Launch Failure
Cause: Software bug on rocket acceleration due to data conversion
from a 64-bit floating point number to a 16-bit signed integer without
proper checks, leading to arithmetic overflow
19. Attack
An attempt to breach system security
Threat
A scenario that can harm a system
Vulnerability
The “hole” that is used in the attack
Common Security Terms
20. Identify some possible means an
attacker could use to conduct a
security attack
Class Exercise
22. Alice
Simplified Attack Scenarios
Server Bob
- Physical access to client computer
- Electronic access (password)
- Tricking user into doing something
(malware, phishing & social
engineering)
Eve/Mallory
23. Alice
Simplified Attack Scenarios
Server Bob
- Intercepting (eavesdropping or
“sniffing”) data in transit
- Modifying data (“Man-in-the-
middle” attacks)
- “Replay” attacks
Eve/Mallory
24. Alice
Simplified Attack Scenarios
Server Bob
- Unauthorized access to servers through
- Physical means
- User accounts & privileges
- Attacks through software vulnerabilities
- Attacks using protocol weaknesses
- DoS / DDoS attacks
Eve/Mallory
26. Alice
Safeguarding Against Attacks
Server Bob
Administrative Security
- Security & privacy policy
- Governance of security risk management & response
- Uniform enforcement of policy & monitoring
- Disaster recovery planning (DRP) & Business continuity
planning/management (BCP/BCM)
- Legal obligations, requirements & disclaimers
27. Alice
Safeguarding Against Attacks
Server Bob
Physical Security
- Protecting physical access of clients & servers
- Locks & chains, locked rooms, security cameras
- Mobile device security
- Secure storage & secure disposition of storage devices
28. Alice
Safeguarding Against Attacks
Server Bob
User Security
- User account management
- Strong p/w policy (length, complexity, expiry, no meaning)
- Principle of Least Privilege
- “Clear desk, clear screen policy”
- Audit trails
- Education, awareness building & policy enforcement
- Alerts & education about phishing & social engineering
29. Alice
Safeguarding Against Attacks
Server Bob
System Security
- Antivirus, antispyware, personal firewall, intrusion
detection/prevention system (IDS/IPS), log files, monitoring
- Updates, patches, fixes of operating system vulnerabilities &
application vulnerabilities
- Redundancy (avoid “Single Point of Failure”)
- Honeypots
30. Alice
Safeguarding Against Attacks
Server Bob
Software Security
- Software (clients & servers) that is secure by design
- Software testing against failures, bugs, invalid inputs,
performance issues & attacks
- Updates to patch vulnerabilities
31. Alice
Safeguarding Against Attacks
Server Bob
Network Security
- Access control (physical & electronic) to network devices
- Use of secure network protocols if possible
- Data encryption during transit if possible
- Bandwidth monitoring & control
32. Alice
Safeguarding Against Attacks
Server Bob
Database Security
- Access control to databases & storage devices
- Encryption of data stored in databases if necessary
- Secure destruction of data after use
- Access control to queries/reports
- Security features of database management systems (DBMS)
36. Access control
Selective restriction of access to the system
Role-based access control
Access control based on the person’s role
(rather than identity)
Audit trails
Logs/records that provide evidence of
sequence of activities
User Security
37. Identification
Identifying who you are
Usually done by user IDs or some other unique codes
Authentication
Confirming that you truly are who you claim to be
Usually done by keys, PIN, passwords or biometrics
Authorization
Specifying/verifying how much access you have
Determined based on system owner’s policy & system
configurations
“Principle of Least Privilege”
User Security
38. Nonrepudiation
Proving integrity, origin, & performer of an
activity without the person’s ability to refute
his actions
Most common form: signatures
Electronic signatures offer varying degrees of
nonrepudiation
PIN/password vs. biometrics
Digital certificates (in public key
infrastructure - PKI) often used to ascertain
nonrepudiation
User Security
39. Multiple-Factor Authentication
Two-Factor Authentication
Use of multiple means (“factors”) for authentication
Types of Authentication Factors
Something you know
Password, PIN, etc.
Something you have
Keys, cards, tokens, devices (e.g. mobile phones)
Something you are
Biometrics
User Security
40. Need for Strong Password Policy
So, two informaticians
walk into a bar...
The bouncer says,
"What's the password."
One says, "Password?"
The bouncer lets them
in.
Credits: @RossMartin & AMIA (2012)
41. Recommended Password Policy
Length
8 characters or more (to slow down brute-force attacks)
Complexity (to slow down brute-force attacks)
Consists of 3 of 4 categories of characters
Uppercase letters
Lowercase letters
Numbers
Symbols (except symbols that have special uses by the
system or that can be used to hack system, e.g. SQL Injection)
No meaning (“Dictionary Attacks”)
Not simple patterns (12345678, 11111111) (to slow down brute-
force attacks & prevent dictionary attacks)
Not easy to guess (birthday, family names, etc.) (to prevent
unknown & known persons from guessing)
Personal opinion. No legal responsibility assumed.
42. Recommended Password Policy
Expiration (to make brute-force attacks not possible)
6-8 months
Decreasing over time because of increasing computer speed
But be careful! Too short a duration will force users to write
passwords down
Secure password storage in database or system
(encrypted or store only password hashes)
Secure password confirmation
Secure “forget password” policy
Different password for each account. Create variations
to help remember. If not possible, have different sets of
accounts for differing security needs (e.g., bank
accounts vs. social media sites)
Personal opinion. No legal responsibility assumed.
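The rules on slides 41 and 42 expressed as a checker, together with hash-only storage. This is an added example, not part of the original slides; the function names, the small constructed word list and the use of PBKDF2 with 600,000 iterations are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-in for a real dictionary or breached-password list.
COMMON_WORDS = {"password", "welcome", "hospital", "qwerty", "letmein"}

def _is_sequence(password):
    """True for runs such as 12345678 or abcdefgh (each char = previous +/- 1)."""
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return len(password) > 1 and steps in ({1}, {-1})

def policy_violations(password, personal_info=()):
    """Return the list of slide-41 rules that the password breaks."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    categories = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in categories) < 3:
        problems.append("fewer than 3 of 4 character categories")
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    if len(set(password)) == 1 or _is_sequence(password):
        problems.append("simple pattern")
    if any(item and item.lower() in lowered for item in personal_info):
        problems.append("contains personal information")
    return problems

def hash_password(password, salt=None, iterations=600_000):
    """Store only a salted, slow hash (PBKDF2-HMAC-SHA256), never the password."""
    salt = salt or os.urandom(16)  # a fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, iterations, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    for pw in ["Password?", "12345678", "11111111", "Ilra7HPb!"]:
        print(pw, policy_violations(pw) or "OK")
    record = hash_password("Ilra7HPb!")
    print(verify_password("Ilra7HPb!", record), verify_password("guess", record))
```

A production deployment would check against a full breached-password list rather than the five constructed words used here.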
44. Techniques to Remember Passwords
http://www.wikihow.com/Create-a-Password-You-Can-Remember
Note that some of the techniques are less secure!
One easy & secure way: password mnemonic
Think of a full sentence that you can remember
Ideally the sentence should have 8 or more words, with
numbers and symbols
Use first character of each word as password
Sentence: I love reading all 7 Harry Potter books!
Password: Ilra7HPb!
Voila!
Personal opinion. No legal responsibility assumed.
48. Poor grammar
Lots of typos
Trying very hard to convince you to open
attachment, click on link, or reply without
enough detail
May appear to be from known person (rely on
trust & innocence)
Signs of a Phishing Attack
49. Don’t be too trusting of people
Always be suspicious & alert
An e-mail with your friend’s name & info doesn’t have
to come from him/her
Look for signs of phishing attacks
Don’t open attachments unless you expect them
Scan for viruses before opening attachments
Don’t click links in e-mail. Directly type in browser
using known & trusted URLs
Be especially cautious if asked for passwords, bank
accounts, credit card numbers, social security numbers,
etc.
Ways to Protect against Phishing
57. Consider a log-in form on a web page
Example of Weak Input Checking:
SQL Injection
Source code would look something like this:
statement = "SELECT * FROM users WHERE name = '" + userName + "';"
Attacker would enter as username:
' or '1'='1
Which leads to this always-true query:
statement = "SELECT * FROM users WHERE name = '" + "' or '1'='1" + "';"
statement = "SELECT * FROM users WHERE name = '' or '1'='1';"
http://en.wikipedia.org/wiki/SQL_injection
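The concatenated query from this slide next to its hardened form, run against an in-memory SQLite database. This is an added example, not part of the original slides; the table contents, function names and the username allowlist pattern are constructed assumptions.

```python
import re
import sqlite3

INJECTED = "' or '1'='1"  # the username shown on the slide

# Assumed allowlist: letters, digits, underscore, dot and hyphen, up to 32 characters.
USERNAME_ALLOWLIST = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def make_db():
    """In-memory database holding two constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "nurse"), ("bob", "physician")])
    return conn

def lookup_vulnerable(conn, user_name):
    """The slide's pattern: user input is concatenated into the SQL text."""
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return conn.execute(statement).fetchall()

def lookup_parameterized(conn, user_name):
    """Hardened form: the input is bound as data and never parsed as SQL."""
    return conn.execute("SELECT * FROM users WHERE name = ?",
                        (user_name,)).fetchall()

def is_valid_username(user_name):
    """Allowlist validation: accept only what a username may contain."""
    return USERNAME_ALLOWLIST.fullmatch(user_name) is not None

def login_lookup(conn, user_name):
    """Two layers: reject unexpected input, then query with a bound parameter."""
    if not is_valid_username(user_name):
        return []
    return lookup_parameterized(conn, user_name)

if __name__ == "__main__":
    conn = make_db()
    print("concatenated :", lookup_vulnerable(conn, INJECTED))     # every row
    print("parameterized:", lookup_parameterized(conn, INJECTED))  # no rows
    print("validated    :", login_lookup(conn, "alice"))           # one row
```

The parameterized query is the actual fix; the allowlist is an extra layer that keeps working if a later code path forgets to bind its parameters.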
58. Defense in Depth
Multiple layers of security defense are placed
throughout a system to provide redundancy
in the event a security control fails
Secure the weakest link
Promote privacy
Trust no one
Some Security Principles
Saltzer & Schroeder (1975), Viega & McGraw (2000)
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
http://en.wikipedia.org/wiki/Defense_in_depth_(computing)
59. Modular design
Check error conditions on return values
Validate inputs (whitelist vs. blacklist)
Avoid infinite loops, memory leaks
Check for integer overflows
Language/library choices
Development processes
Secure Software Best Practices
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
62. Virus
Propagating malware that requires user action
to propagate
Infects executable files, data files with
executable contents (e.g. Macro), boot sectors
Worm
Self-propagating malware
Trojan
A legitimate program with additional, hidden
functionality
Malware
63. Spyware
Trojan that spies for & steals personal
information
Logic Bomb/Time Bomb
Malware that triggers under certain conditions
Backdoor/Trapdoor
A hole left behind by malware for future access
Malware
64. Rogue Antispyware (Ransomware)
Software that tricks or forces users to pay before fixing
(real or hoax) spyware detected
Rootkit
A stealth program designed to hide existence of
certain processes or programs from detection
Botnet
A collection of Internet-connected computers that have
been compromised (bots), which the controller of the
botnet can use to do something (e.g. DDoS attacks)
Malware
65. Installed & updated antivirus, antispyware, &
personal firewall
Check for known signatures
Check for improper file changes (integrity failures)
Check for generic patterns of malware (for unknown
malware): “Heuristics scan”
Firewall: Block certain network traffic in and out
Sandboxing
Network monitoring & containment
User education
Software patches, more secure protocols
Defense Against Malware
66. Social media spams/scams/clickjacking
Social media privacy issues
User privacy settings
Location services
Mobile device malware & other privacy risks
Stuxnet (advanced malware targeting certain
countries)
Advanced persistent threats (APT) by
governments & corporations against specific
targets
Newer Threats
68. • ISO/IEC 27000 — Information security management systems — Overview and
vocabulary
• ISO/IEC 27001 — Information security management systems — Requirements
• ISO/IEC 27002 — Code of practice for information security management
• ISO/IEC 27003 — Information security management system implementation guidance
• ISO/IEC 27004 — Information security management — Measurement
• ISO/IEC 27005 — Information security risk management
• ISO/IEC 27031 — Guidelines for information and communications technology readiness
for business continuity
• ISO/IEC 27032 — Guideline for cybersecurity (essentially, 'being a good neighbor' on
the Internet)
• ISO/IEC 27033-1 — Network security overview and concepts
• ISO/IEC 27033-2 — Guidelines for the design and implementation of network security
• ISO/IEC 27033-3:2010 — Reference networking scenarios - Threats, design techniques
and control issues
• ISO/IEC 27034 — Guideline for application security
• ISO/IEC 27035 — Security incident management
• ISO 27799 — Information security management in health using ISO/IEC 27002
Some Information Security Standards
69. US-CERT
U.S. Computer Emergency Readiness Team
http://www.us-cert.gov/
Subscribe to alerts & news
Microsoft Security Resources
http://technet.microsoft.com/en-us/security
http://technet.microsoft.com/en-us/security/bulletin
Common Vulnerabilities & Exposures
http://cve.mitre.org/
More Information
71. Respect for Persons (Autonomy)
Beneficence
Justice
Non-maleficence
Ethical Principles in Bioethics
72. Hippocratic Oath
...
What I may see or hear in the course of
treatment or even outside of the
treatment in regard to the life of men,
which on no account one must spread
abroad, I will keep myself holding such
things shameful to be spoken about.
...
http://en.wikipedia.org/wiki/Hippocratic_Oath
75. Health Insurance Portability and Accountability Act of 1996
http://www.gpo.gov/fdsys/pkg/PLAW-104publ191/pdf/PLAW-104publ191.pdf
More stringent state privacy laws apply
HIPAA Goals
To protect health insurance coverage for workers &
families when they change or lose jobs (Title I)
To require establishment of national standards for
electronic health care transactions and national
identifiers for providers, health insurance plans, and
employers (Title II: “Administrative Simplification”
provisions)
Administrative Simplification provisions also address
security & privacy of health data
U.S. Health Information Privacy Law
http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
76. Title I: Health Care Access, Portability, and
Renewability
Title II: Preventing Health Care Fraud and
Abuse; Administrative Simplification;
Medical Liability Reform
Requires Department of Health & Human
Services (HHS) to draft rules aimed at increasing
efficiency of health care system by creating
standards for use and dissemination of health
care information
HIPAA (U.S.)
77. Title III: Tax-Related Health Provisions
Title IV: Application and Enforcement
of Group Health Plan Requirements
Title V: Revenue Offsets
HIPAA (U.S.)
79. Covered Entities
A health plan
A health care clearinghouse
A healthcare provider who transmits any health
information in electronic form in connection with a
transaction to enable health information to be exchanged
electronically
Business Associates
Some HIPAA Definitions
80. Protected Health Information (PHI)
Individually identifiable health information transmitted or
maintained in electronic media or other form or medium
Individually Identifiable Health Information
Any information, including demographic information collected from
an individual, that—
(A) is created or received by a CE; and
(B) relates to the past, present, or future physical
or mental health or condition of an individual, the provision of
health care to an individual, or the past, present, or future payment
for the provision of health care to an individual, and—
(i) identifies the individual; or
(ii) with respect to which there is a reasonable basis to believe that
the information can be used to identify the individual.
Some HIPAA Definitions
81. Name
Address
Phone number
Fax number
E-mail address
SSN
Birthdate
Medical Record No.
Health Plan ID
Treatment date
Account No.
Certificate/License No.
Device ID No.
Vehicle ID No.
Drivers license No.
URL
IP Address
Biometric identifier
including fingerprints
Full face photo
Protected Health Information –
Personal Identifiers in PHI
82. Establishes national standards to protect PHI; applies to CE &
business associates
Requires appropriate safeguards to protect privacy of PHI
Sets limits & conditions on uses & disclosures that may be made
without patient authorization
Gives patients rights over their health information, including
rights to examine & obtain copy of health records & to request
corrections
HIPAA Privacy Rule
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
83. Timeline
November 3, 1999 Proposed Privacy Rule
December 28, 2000 Final Privacy Rule
August 14, 2002 Modifications to Privacy Rule
April 14, 2003 Compliance Date for most CE
Full text (as amended)
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/adminsimpregtext.pdf
HIPAA Privacy Rule
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
84. Some permitted uses and disclosures
Use of PHI
Sharing, application, use, examination or
analysis within the entity that maintains the
PHI
Disclosure of PHI
Release or divulgence of information by an
entity to persons or organizations outside of
that entity.
HIPAA Privacy Rule
85. A covered entity may not use or disclose
PHI, except
with individual consent for treatment,
payment or healthcare operations (TPO)
with individual authorization for other
purposes
without consent or authorization for
governmental and other specified
purposes
HIPAA Privacy Rule
86. Treatment, payment, health care operations
(TPO)
Quality improvement
Competency assurance
Medical reviews & audits
Insurance functions
Business planning & administration
General administrative activities
HIPAA Privacy Rule
87. Uses & disclosures without the need for patient
authorization permitted in some circumstances
Required by law
For public health activities
About victims of abuse, neglect, or domestic
violence
For health oversight activities
For judicial & administrative proceedings
For law enforcement purposes
About decedents
HIPAA Privacy Rule
88. Uses & disclosures without the need for patient
authorization permitted in some circumstances
For cadaveric organ, eye, or tissue donation purposes
For research purposes
To avert a serious threat to health or safety
For workers’ compensation
For specialized government functions
Military & veterans activities
National security & intelligence activities
Protective services for President & others
Medical suitability determinants
Correctional institutions
CE that are government programs providing public benefits
HIPAA Privacy Rule
89. Control use and disclosure of PHI
Notify patients of information practices (NPP, Notice of Privacy
Practices)
Specifies how CE can use and share PHI
Specifies patient’s rights regarding their PHI
Provide means for patients to access their own record
Obtain authorization for non-TPO uses and disclosures
Log disclosures
Restrict use or disclosures
Minimum necessary
Privacy policy and practices
Business Associate agreements
Other applicable statutes
Provide management oversight and response to minimize threats and
breaches of privacy
Responsibilities of a CE
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
90. Individually identifiable health information
collected and used solely for research IS NOT PHI
Researchers obtaining PHI from a CE must obtain
the subject’s authorization or must justify an
exception:
Waiver of authorization (obtain from the IRB)
Limited Data Set (with data use agreement)
De-identified Data Set
HIPAA Privacy supplements the Common Rule
and the FDA’s existing protection for human
subjects
HIPAA & Research
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
91. De-identified Data Set
Remove all 18 personal identifiers of subjects,
relatives, employers, or household members
OR biostatistician confirms that individual cannot be
identified with the available information
Limited Data Set
May include Zip, Birthdate, Date of death, date of
service, geographic subdivision
Remove all other personal identifiers of subject, etc.
Data Use Agreement signed by data recipient that
there will be no attempt to re-identify the subject
Research Data Sets
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
92. Assure the CE that all research-initiated HIPAA
requirements have been met
Provide letter of approval to the researcher to
conduct research using PHI
OR, Certify and document that waiver of
authorization criteria have been met
Review and approve all authorizations and data
use agreements
Retain records documenting HIPAA actions for 6
years
IRB’s New Responsibility
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
93. Establishes national standards to protect
individuals’ electronic PHI that is created,
received, used, or maintained by a CE.
Requires appropriate safeguards to ensure
confidentiality, integrity & security of
electronic PHI
Administrative safeguards
Physical safeguards
Technical safeguards
HIPAA Security Rule
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
94. Timeline
August 12, 1998 Proposed Security Rule
February 20, 2003 Final Security Rule
April 21, 2005 Compliance Date for most CE
Full Text
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf
HIPAA Security Rule
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
95. The HIPAA Security Rule is:
A set of information security “best practices”
A minimum baseline for security
An outline of what to do, and what procedures
should be in place
The HIPAA Security Rule is not:
A set of specific instructions
A set of rules for universal, unconditional
implementation
A document outlining specific implementations
(vendors, equipment, software, etc.)
HIPAA Security Rule: Meaning
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
96. Many rules are either Required or Addressable
Required:
Compliance is mandatory
Addressable:
If a specification in the Rule is reasonable and
appropriate for the CE, then the CE must implement
Otherwise, documentation must be made of the
reasons the policy cannot/will not be implemented,
and when necessary, offer an alternative
HIPAA Security Rule: Meaning
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
97. Breach notification
Extension of complete Privacy & Security
HIPAA provisions to business associates of
covered entities
New rules for accounting of disclosures of a
patient’s health information
New in HITECH Act of 2009
98. Conflicts between federal vs. state laws
Variations among state laws of different
states
HIPAA only covers “covered entities”
No general privacy laws in place, only a few
sectoral privacy laws e.g. HIPAA
Health Information Privacy Law:
U.S. Challenges
99. Canada - The Privacy Act (1983), Personal
Information Protection and Electronic Data
Act of 2000
EU Countries - EU Data Protection Directive
UK - Data Protection Act 1998
Austria - Data Protection Act 2000
Australia - Privacy Act of 1988
Germany - Federal Data Protection Act of
2001
Health Information Privacy Law:
Other Western Countries
101. The Official Information Act, B.E.
2540
Requires official information within
the government (with exceptions
such as some personal information)
to be disclosed to the public up front
or upon request
“Disclose by default, protect by
exceptions”
Thai Privacy Laws
102. No universal personal data privacy law
(Draft law has been proposed)
National Health Act, B.E. 2550
Provision 7 provides protection of
health information from disclosures
that could be damaging to an
individual without his/her consent or
as required by law.
Thai Privacy Laws
103. Computer-Related Crimes Act, B.E. 2550 & 2560
Focuses on prosecuting computer crimes &
computer-related crimes
Responsibility of organizations as IT service
provider: Logging & provision of access data
to authorities
Thai ICT Laws
104. Electronic Transactions Acts, B.E. 2544 & 2551
Affirms legal status of electronic data
Addresses how electronic transactions and
electronic signatures work in the legal context
Security & privacy requirements for
Determining legal validity & integrity of
electronic transactions and documents, print-
outs, & paper-to-electronic conversions
Governmental & public organizations
Critical infrastructures
Financial sectors
Electronic certificate authorities
Thai ICT Laws
105. Security Requirements for Critical Infrastructure in Thailand
Domain | Basic | Medium (In addition to Basic) | High (In addition to Medium)
Security policy | 1 Item | 1 Item | -
Organization of information security | 5 Items | 3 Items | 3 Items
Asset management | 1 Item | 4 Items | -
Human resources security | 6 Items | 1 Item | 2 Items
Physical and environmental security | 5 Items | 2 Items | 6 Items
Communications & operations management | 18 Items | 5 Items | 9 Items
Access control | 9 Items | 8 Items | 8 Items
Information systems acquisition, development and maintenance | 2 Items | 6 Items | 8 Items
Information security incident management | 1 Item | - | 3 Items
Business continuity management | 1 Item | 3 Items | 1 Item
Regulatory compliance | 3 Items | 5 Items | 2 Items
Total | 52 Items | 38 Items (90 Items Total) | 42 Items (132 Items Total)