Presented at the Master of Science and Doctor of Philosophy Programs in Data Science for Healthcare and Clinical Informatics, Department of Clinical Epidemiology and Biostatistics, Faculty of Medicine Ramathibodi Hospital, Mahidol University, Bangkok, Thailand on November 8, 2021
Presented at the Health Informatics and Health Information Technology Course, Doctor of Philosophy and Master of Science Programs in Data Science for Health Care (International Program), Faculty of Medicine Ramathibodi Hospital, Mahidol University on October 17, 2017
Presented at the Data Science for Healthcare Graduate Programs, Section for Clinical Epidemiology and Biostatistics, Faculty of Medicine Ramathibodi Hospital, Mahidol University, Bangkok, Thailand on October 30, 2019
Presented at the Master of Science and Doctor of Philosophy Programs in Data Science for Healthcare and Clinical Informatics, Department of Clinical Epidemiology and Biostatistics, Faculty of Medicine Ramathibodi Hospital, Mahidol University, Bangkok, Thailand on October 4, 2021
Doug Copley presented on cybersecurity challenges in healthcare including threats, trends in healthcare, practical steps and building security without boundaries.
Presented at the Health Informatics and Health Information Technology Course, Doctor of Philosophy and Master of Science Programs in Data Science for Health Care (International Program), Faculty of Medicine Ramathibodi Hospital, Mahidol University on October 17, 2017
Presented at the Data Science for Healthcare Graduate Programs, Section for Clinical Epidemiology and Biostatistics, Faculty of Medicine Ramathibodi Hospital, Mahidol University, Bangkok, Thailand on October 30, 2019
Presented at the Master of Science and Doctor of Philosophy Programs in Data Science for Healthcare and Clinical Informatics, Department of Clinical Epidemiology and Biostatistics, Faculty of Medicine Ramathibodi Hospital, Mahidol University, Bangkok, Thailand on October 4, 2021
Doug Copley presented on cybersecurity challenges in healthcare including threats, trends in healthcare, practical steps and building security without boundaries.
Public Health informatics, Consumer health informatics, mHealth & PHRs (Novem...Nawanan Theera-Ampornpunt
Presented at the M.S. and Ph.D. Programs in Data Science for Health Care, Faculty of Medicine Ramathibodi Hospital, Mahidol University, Bangkok, Thailand on November 11, 2019
This presentation talks about the context of developing the Electronic Health records for India. the guidelines as mentioned in the GOI site is described vividly with examples, for better understanding.
N.B: Please download the ppt first, for the animations to work better.
Overview of Electronic Medical Records - Sanjoy SanyalSanjoy Sanyal
Gives an overview of Electronic Medical Records (EMR) / Electronic Health records (EHR) / Patient Health records (PHR), with company screenshots and specialty specific EMR examples. Presented at a seminar in Seychelles in 2008.
Very useful for Informatics professional, Medical professionals, Healthcare administrators. This is a constantly evolving issue, and some things mentioned here may have undergone modification since the time of their original publication.
Tags: emr, mapping engine, Electronic Medical Record, EMR, Electronic Health record, HER, Patient Health record, PHR, Sanjoy Sanyal,
Presented at the Master of Science and Doctor of Philosophy Programs in Data Science for Healthcare and Clinical Informatics, Department of Clinical Epidemiology and Biostatistics, Faculty of Medicine Ramathibodi Hospital, Mahidol University, Bangkok, Thailand on October 21, 2020
Public Health informatics, Consumer health informatics, mHealth & PHRs (Novem...Nawanan Theera-Ampornpunt
Presented at the M.S. and Ph.D. Programs in Data Science for Health Care, Faculty of Medicine Ramathibodi Hospital, Mahidol University, Bangkok, Thailand on November 11, 2019
This presentation talks about the context of developing the Electronic Health records for India. the guidelines as mentioned in the GOI site is described vividly with examples, for better understanding.
N.B: Please download the ppt first, for the animations to work better.
Overview of Electronic Medical Records - Sanjoy SanyalSanjoy Sanyal
Gives an overview of Electronic Medical Records (EMR) / Electronic Health records (EHR) / Patient Health records (PHR), with company screenshots and specialty specific EMR examples. Presented at a seminar in Seychelles in 2008.
Very useful for Informatics professional, Medical professionals, Healthcare administrators. This is a constantly evolving issue, and some things mentioned here may have undergone modification since the time of their original publication.
Tags: emr, mapping engine, Electronic Medical Record, EMR, Electronic Health record, HER, Patient Health record, PHR, Sanjoy Sanyal,
Presented at the Master of Science and Doctor of Philosophy Programs in Data Science for Healthcare and Clinical Informatics, Department of Clinical Epidemiology and Biostatistics, Faculty of Medicine Ramathibodi Hospital, Mahidol University, Bangkok, Thailand on October 21, 2020
Presented at the 11th Healthcare CIO Certificate Program, School of Hospital Management, Faculty of Medicine Ramathibodi Hospital, Mahidol University, Bangkok, Thailand on February 9, 2021
Refugees on Rails Berlin - #2 Tech Talk on SecurityGianluca Varisco
#2 Tech Talk on Security @ Refugees on Rails Berlin (Tue 8 Dec 2015)
A Cyber Security walk-through focused on current threats, trends and few predictions for 2016.
CS155 introduction at Standford.
Intro to computer and network security
Some challenging fun projects
Learn about attacks
Learn about preventing attacks
Lectures on related topics
Application and operating system security
Web security
Network security
Presented at the BDMS Golden Jubilee Scientific Conference 2022 "BDMS Beyond 50 years: Looking towards the centennial," Bangkok Dusit Medical Services Public Company Limited (BDMS), Bangkok, Thailand on October 19, 2022
Presented at The Thai Medical Informatics Association Annual Conference and The National Conference on Medical Informatics (TMI-NCMedInfo) 2021, Bangkok, Thailand on November 26, 2021
Presented at the Master of Science Program in Medical Epidemiology and the Doctor of Philosophy Program in Clinical Epidemiology, Department of Clinical Epidemiology and Biostatistics, Faculty of Medicine Ramathibodi Hospital, Mahidol University, Bangkok, Thailand on November 25, 2021
Presented at the Master of Science and Doctor of Philosophy Programs in Data Science for Healthcare and Clinical Informatics, Department of Clinical Epidemiology and Biostatistics, Faculty of Medicine Ramathibodi Hospital, Mahidol University, Bangkok, Thailand on November 15, 2021
Consumer Health Informatics, Mobile Health, and Social Media for Health: Part...Nawanan Theera-Ampornpunt
Presented at the Master of Science and Doctor of Philosophy Programs in Data Science for Healthcare and Clinical Informatics, Department of Clinical Epidemiology and Biostatistics, Faculty of Medicine Ramathibodi Hospital, Mahidol University, Bangkok, Thailand on November 10, 2021
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
9. National Healthcare’s Worst Nightmare
https://www.straitstimes.com/singapore/personal-info-of-15m-singhealth-
patients-including-pm-lee-stolen-in-singapores-most
10. Ransomware Attack in Thai Hospitals
https://www.facebook.com/SaraburiHospital/photos/a.255929423747
8100/4366815263392646/
11. Sources of the Threats
▪ Hackers
▪ Viruses & Malware
▪ Poorly-designed systems
▪ Insiders (Employees)
▪ People’s ignorance & lack of knowledge
▪ Disasters & other incidents affecting information
systems
12. ▪ Information risks
▪ Unauthorized access & disclosure of confidential information
▪ Unauthorized addition, deletion, or modification of information
▪ Operational risks
▪ System not functional (Denial of Service - DoS)
▪ System wrongly operated
▪ Personal risks
▪ Identity thefts
▪ Financial losses
▪ Disclosure of information that may affect employment or other
personal aspects (e.g. health information)
▪ Physical/psychological harms
▪ Organizational risks
▪ Financial losses
▪ Damage to reputation & trust
▪ Etc.
Consequences of Security Attacks
13. ▪ Privacy: “The ability of an individual or group to
seclude themselves or information about
themselves and thereby reveal themselves
selectively.” (Wikipedia)
▪ Security: “The degree of protection to safeguard
... person against danger, damage, loss, and
crime.” (Wikipedia)
▪ Information Security: “Protecting information
and information systems from unauthorized
access, use, disclosure, disruption,
modification, perusal, inspection, recording or
destruction” (Wikipedia)
Privacy & Security
16. Examples of Integrity Risks
http://news.softpedia.com/news/700-000-InMotion-Websites-Hacked-by-TiGER-M-TE-223607.shtml
Web Defacements
17. Examples of Availability Risks
http://en.wikipedia.org/wiki/Blaster_worm
Viruses/worms that led to instability &
system restart (e.g. Blaster worm)
18. Examples of Availability Risks
http://en.wikipedia.org/wiki/Ariane_5_Flight_501
Ariane 5 Flight 501 Rocket Launch Failure
Cause: Software bug on rocket acceleration due to data conversion
from a 64-bit floating point number to a 16-bit signed integer without
proper checks, leading to arithmatic overflow
24. Measures to Protect Privacy
• Informed consent
• Privacy culture
• User awareness building & education
• Organizational policy & regulations
▪ Enforcement
▪ Ongoing privacy & security
assessments, monitoring, and protection
25. ▪ Attack
▪ An attempt to breach system security
▪ Threat
▪ A scenario that can harm a system
▪ Vulnerability
▪ The “hole” that is used in the attack
Common Security Terms
26. ▪ Identify some possible means an
attacker could use to conduct a
security attack
Class Exercise
28. Alice
Simplified Attack Scenarios
Server Bob
- Physical access to client computer
- Electronic access (password)
- Tricking user into doing something
(malware, phishing & social
engineering)
Eve/Mallory
29. Alice
Simplified Attack Scenarios
Server Bob
- Intercepting (eavesdropping or
“sniffing”) data in transit
- Modifying data (“Man-in-the-middle”
attacks)
- “Replay” attacks
Eve/Mallory
30. Alice
Simplified Attack Scenarios
Server Bob
- Unauthorized access to servers through
- Physical means
- User accounts & privileges
- Attacks through software vulnerabilities
- Attacks using protocol weaknesses
- DoS / DDoS attacks
Eve/Mallory
32. Alice
Safeguarding Against Attacks
Server Bob
Administrative Security
- Security & privacy policy
- Governance of security risk management & response
- Uniform enforcement of policy & monitoring
- Disaster recovery planning (DRP) & Business continuity
planning/management (BCP/BCM)
- Legal obligations, requirements & disclaimers
33. Alice
Safeguarding Against Attacks
Server Bob
Physical Security
- Protecting physical access of clients & servers
- Locks & chains, locked rooms, security cameras
- Mobile device security
- Secure storage & secure disposition of storage devices
34. Alice
Safeguarding Against Attacks
Server Bob
User Security
- User account management
- Strong p/w policy (length, complexity, expiry, no meaning)
- Principle of Least Privilege
- “Clear desk, clear screen policy”
- Audit trails
- Education, awareness building & policy enforcement
- Alerts & education about phishing & social engineering
35. Alice
Safeguarding Against Attacks
Server Bob
System Security
- Antivirus, antispyware, personal firewall, intrusion
detection/prevention system (IDS/IPS), log files, monitoring
- Updates, patches, fixes of operating system vulnerabilities &
application vulnerabilities
- Redundancy (avoid “Single Point of Failure”)
- Honeypots
36. Alice
Safeguarding Against Attacks
Server Bob
Software Security
- Software (clients & servers) that is secure by design
- Software testing against failures, bugs, invalid inputs,
performance issues & attacks
- Updates to patch vulnerabilities
37. Alice
Safeguarding Against Attacks
Server Bob
Network Security
- Access control (physical & electronic) to network devices
- Use of secure network protocols if possible
- Data encryption during transit if possible
- Bandwidth monitoring & control
38. Alice
Safeguarding Against Attacks
Server Bob
Database Security
- Access control to databases & storage devices
- Encryption of data stored in databases if necessary
- Secure destruction of data after use
- Access control to queries/reports
- Security features of database management systems (DBMS)
- Data backups (online vs. offline)
40. ▪ Access control
▪ Selective restriction of access to the system
▪ Role-based access control
▪ Access control based on the person’s role
(rather than identity)
▪ Audit trails
▪ Logs/records that provide evidence of
sequence of activities
User Security
41. ▪ Identification
▪ Identifying who you are
▪ Usually done by user IDs or some other unique codes
▪ Authentication
▪ Confirming that you truly are who you identify
▪ Usually done by keys, PIN, passwords or biometrics
▪ Authorization
▪ Specifying/verifying how much you have access
▪ Determined based on system owner’s policy & system
configurations
▪ “Principle of Least Privilege”
User Security
42. ▪ Nonrepudiation
▪ Proving integrity, origin, & performer of an
activity without the person’s ability to refute
his actions
▪ Most common form: signatures
▪ Electronic signatures offer varying degrees of
nonrepudiation
▪ PIN/password vs. biometrics
▪ Digital certificates (in public key infrastructure
- PKI) often used to ascertain nonrepudiation
User Security
43. ▪ Multiple-Factor Authentication
▪ Two-Factor Authentication
▪ Use of multiple means (“factors”) for authentication
▪ Types of Authentication Factors
▪ Something you know
▪ Password, PIN, etc.
▪ Something you have
▪ Keys, cards, tokens, devices (e.g. mobile phones)
▪ Something you are
▪ Biometrics
User Security
44. Need for Strong Password Policy
So, two informaticians
walk into a bar...
The bouncer says,
"What's the password."
One says, "Password?"
The bouncer lets them
in.
Credits: @RossMartin & AMIA (2012)
45. Unknown Internet sources, via
http://pikabu.ru/story/interesno_kakoy_zhe_u_nikh_parol_4274737,
via Facebook page “สอนแฮกเว็บแบบแมวๆ”
What’s the Password?
47. Recommended Password Policy
▪ Length
▪ 8 characters or more (to slow down brute-force attacks)
▪ Complexity (to slow down brute-force attacks)
▪ Consists of 3 of 4 categories of characters
▪ Uppercase letters
▪ Lowercase letters
▪ Numbers
▪ Symbols (except symbols that have special uses by the
system or that can be used to hack system, e.g. SQL
Injection)
▪ No meaning (“Dictionary Attacks”)
▪ Not simple patterns (12345678, 11111111) (to slow down brute-
force attacks & prevent dictionary attacks)
▪ Not easy to guess (birthday, family names, etc.) (to prevent
unknown & known persons from guessing)
Personal opinion. No legal responsibility assumed.
48. Recommended Password Policy
▪ Expiration (to make brute-force attacks not possible)
▪ 6-8 months
▪ Decreasing over time because of increasing computer’s
speed
▪ But be careful! Too short duration will force users to write
passwords down
▪ Secure password storage in database or system
(encrypted or store only password hashes)
▪ Secure password confirmation
▪ Secure “forget password” policy
▪ Different password for each account. Create variations
to help remember. If not possible, have different sets of
accounts for differing security needs (e.g., bank
accounts vs. social media sites) Personal opinion. No legal responsibility assumed.
50. Techniques to Remember Passwords
▪ http://www.wikihow.com/Create-a-Password-You-Can-
Remember
▪ Note that some of the techniques are less secure!
▪ One easy & secure way: password mnemonic
▪ Think of a full sentence that you can remember
▪ Ideally the sentence should have 8 or more words, with
numbers and symbols
▪ Use first character of each word as password
▪ Sentence: I love reading all 7 Harry Potter books!
▪ Password: Ilra7HPb!
▪ Voila!
Personal opinion. No legal responsibility assumed.
53. Dear mail.mahidol.ac.th Email Account User,
We wrote to you on 11th January 2010 advising that you change the password on
your account in order to prevent any unauthorised account access following
the network instruction we previously communicated.
all Mailhub systems will undergo regularly scheduled maintenance. Access
to your e-mail via the Webmail client will be unavailable for some time
during this maintenance period. We are currently upgrading our data base
and e-mail account center i.e homepage view. We shall be deleting old
[https://mail.mahidol.ac.th/l accounts which are no longer active to create
more space for new accountsusers. we have also investigated a system wide
security audit to improve and enhance
our current security.
In order to continue using our services you are require to update and
re-comfirmed your email account details as requested below. To complete
your account re-comfirmation,you must reply to this email immediately and
enter your account
details as requested below.
Username :
Password :
Date of Birth:
Future Password :
Social Engineering Examples
Real social-engineering e-mail received by Speaker
62. ▪ Poor grammar
▪ Lots of typos
▪ Trying very hard to convince you to open
attachment, click on link, or reply without
enough detail
▪ May appear to be from known person (rely on
trust & innocence)
Signs of a Phishing Attack
63. ▪ Don’t be too trusting of people
▪ Always be suspicious & alert
▪ An e-mail with your friend’s name & info doesn’t have to
come from him/her
▪ Look for signs of phishing attacks
▪ Don’t open attachments unless you expect them
▪ Scan for viruses before opening attachments
▪ Don’t click links in e-mail. Directly type in browser using
known & trusted URLs
▪ Especially cautioned if ask for passwords, bank
accounts, credit card numbers, social security numbers,
etc.
Ways to Protect against Phishing
66. ▪ Virus
▪ Propagating malware that requires user action
to propagate
▪ Infects executable files, data files with
executable contents (e.g. Macro), boot
sectors
▪ Worm
▪ Self-propagating malware
▪ Trojan
▪ A legitimate program with additional, hidden
functionality
Malware
67. ▪ Spyware
▪ Trojan that spies for & steals personal
information
▪ Logic Bomb/Time Bomb
▪ Malware that triggers under certain conditions
▪ Backdoor/Trapdoor
▪ A hole left behind by malware for future
access
Malware
68. ▪ Rogue Antispyware
▪ Software that tricks or forces users to pay before
fixing (real or hoax) spyware detected
▪ Rootkit
▪ A stealth program designed to hide existence of
certain processes or programs from detection
▪ Botnet
▪ A collection of Internet-connected computers that
have been compromised (bots) which controller of the
botnet can use to do something (e.g. do DDoS
attacks)
Malware
69. ▪ Installed & updated antivirus, antispyware, &
personal firewall
▪ Check for known signatures
▪ Check for improper file changes (integrity failures)
▪ Check for generic patterns of malware (for unknown
malware): “Heuristics scan”
▪ Firewall: Block certain network traffic in and out
▪ Sandboxing
▪ Network monitoring & containment
▪ User education
▪ Software patches, more secure protocols
Defense Against Malware
70. ▪ Social media spams/scams/clickjacking
▪ Social media privacy issues
▪ User privacy settings
▪ Location services
▪ Mobile device malware & other privacy risks
▪ Stuxnet (advanced malware targeting certain
countries)
▪ Advanced persistent threats (APT) by
governments & corporations against specific
targets
Newer Threats
76. ▪ Most common reason for security bugs is
invalid programming assumptions that attackers
will look for
▪ Weak input checking
▪ Buffer overflow
▪ Integer overflow
▪ Race condition (Time of Check / Time of Use
vulnerabilities)
▪ Running programs in new environments
Software Security
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
77. ▪ Defense in Depth
▪ Multiple layers of security defense are
placed throughout a system to provide
redundancy in the event a security
control fails
▪ Secure the weakest link
▪ Promote privacy
▪ Trust no one
Secure Software Design Principles
Saltzer & Schroeder (1975), Viega & McGraw (2000)
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
http://en.wikipedia.org/wiki/Defense_in_depth_(computing)
78. ▪ Modular design
▪ Check error conditions on return values
▪ Validate inputs (whitelist vs. blacklist)
▪ Avoid infinite loops, memory leaks
▪ Check for integer overflows
▪ Language/library choices
▪ Development processes
Secure Software Best Practices
Adapted from Nicholas Hopper’s teaching slides for UMN Computer Security Class Fall 2006 CSCI 5271
79. ▪ Consider a log-in form on a web page
Example of Weak Input Checking:
SQL Injection
▪ Source code would look
something like this:
statement = "SELECT * FROM users
WHERE name = '" + userName + "';"
▪ Attacker would enter as username:
' or '1'='1
▪ Which leads to this always-true query:
▪ statement = "SELECT * FROM users
WHERE name = '" + "' or '1'='1" + "';"
statement = "SELECT * FROM users WHERE name = '' or '1'='1';"
http://en.wikipedia.org/wiki/SQL_injection
84. ▪ Respect for Persons (Autonomy)
▪ Beneficence
▪ Non-maleficence
▪ Justice
Ethical Principles in Bioethics
85. Hippocratic Oath
...
What I may see or hear in the course of
treatment or even outside of the
treatment in regard to the life of men,
which on no account one must spread
abroad, I will keep myself holding such
things shameful to be spoken about.
...
http://en.wikipedia.org/wiki/Hippocratic_Oath
87. ▪ Health Insurance Portability and Accountability Act of 1996
http://www.gpo.gov/fdsys/pkg/PLAW-104publ191/pdf/PLAW-
104publ191.pdf
▪ More stringent state privacy laws apply
▪ HIPAA Goals
▪ To protect health insurance coverage for workers & families
when they change or lose jobs (Title I)
▪ To require establishment of national standards for electronic
health care transactions and national identifiers for providers,
health insurance plans, and employers (Title II: “Administrative
Simplification” provisions)
▪ Administrative Simplification provisions also address security &
privacy of health data
U.S. Health Information Privacy Law
http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
88. ▪ Title I: Health Care Access, Portability, and
Renewability
▪ Title II: Preventing Health Care Fraud and
Abuse; Administrative Simplification; Medical
Liability Reform
▪ Requires Department of Health & Human
Services (HHS) to draft rules aimed at
increasing efficiency of health care system by
creating standards for use and dissemination of
health care information
HIPAA (U.S.)
89. ▪ Title III: Tax-Related Health Provisions
▪ Title IV: Application and Enforcement of
Group Health Plan Requirements
▪ Title V: Revenue Offsets
HIPAA (U.S.)
91. ▪ Covered Entities
▪ A health plan
▪ A health care clearinghouse
▪ A healthcare provider who transmits any health
information in electronic form in connection with a
transaction to enable health information to be exchanged
electronically
▪ Business Associates
Some HIPAA Definitions
92. ▪ Protected Health Information (PHI)
▪ Individually identifiable health information transmitted or maintained
in electronic media or other form or medium
▪ Individually Identifiable Health Information
▪ Any information, including demographic information collected from
an individual, that—
▪ (A) is created or received by a CE; and
▪ (B) relates to the past, present, or future physical
▪ or mental health or condition of an individual, the provision of health
care to an individual, or the past, present, or future payment for the
provision of health care to an individual, and—
▪ (i) identifies the individual; or
▪ (ii) with respect to which there is a reasonable basis to believe that
the information can be used to identify the individual.
Some HIPAA Definitions
93. ▪ Name
▪ Address
▪ Phone number
▪ Fax number
▪ E-mail address
▪ SSN
▪ Birthdate
▪ Medical Record No.
▪ Health Plan ID
▪ Treatment date
▪ Account No.
▪ Certificate/License No.
▪ Device ID No.
▪ Vehicle ID No.
▪ Drivers license No.
▪ URL
▪ IP Address
▪ Biometric identifier
including fingerprints
▪ Full face photo
Protected Health Information –
Personal Identifiers in PHI
94. ▪ Establishes national standards to protect PHI; applies to CE &
business associates
▪ Requires appropriate safeguards to protect privacy of PHI
▪ Sets limits & conditions on uses & disclosures that may be made
without patient authorization
▪ Gives patients rights over their health information, including
rights to examine & obtain copy of health records & to request
corrections
HIPAA Privacy Rule
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
95. ▪ Timeline
▪ November 3, 1999 Proposed Privacy Rule
▪ December 28, 2000 Final Privacy Rule
▪ August 14, 2002 Modifications to Privacy Rule
▪ April 14, 2003 Compliance Date for most CE
▪ Full text (as amended)
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/
adminsimpregtext.pdf
HIPAA Privacy Rule
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
96. ▪ Some permitted uses and disclosures
▪ Use of PHI
▪ Sharing, application, use, examination or
analysis within the entity that maintains the
PHI
▪ Disclosure of PHI
▪ Release or divulgence of information by an
entity to persons or organizations outside of
that entity.
HIPAA Privacy Rule
97. ▪ A covered entity may not use or disclose
PHI, except
▪ with individual consent for treatment,
payment or healthcare operations (TPO)
▪ with individual authorization for other
purposes
▪ without consent or authorization for
governmental and other specified
purposes
HIPAA Privacy Rule
98. ▪ Treatment, payment, health care operations
(TPO)
▪ Quality improvement
▪ Competency assurance
▪ Medical reviews & audits
▪ Insurance functions
▪ Business planning & administration
▪ General administrative activities
HIPAA Privacy Rule
99. ▪ Uses & disclosures without the need for patient
authorization permitted in some circumstances
▪ Required by law
▪ For public health activities
▪ About victims of abuse, neglect, or domestic
violence
▪ For health oversight activities
▪ For judicial & administrative proceedings
▪ For law enforcement purposes
▪ About decedents
HIPAA Privacy Rule
100. ▪ Uses & disclosures without the need for patient
authorization permitted in some circumstances
▪ For cadaveric organ, eye, or tissue donation purposes
▪ For research purposes
▪ To avert a serious threat to health or safety
▪ For workers’ compensation
▪ For specialized government functions
▪ Military & veterans activities
▪ National security & intelligence activities
▪ Protective services for President & others
▪ Medical suitability determinants
▪ Correctional institutions
▪ CE that are government programs providing public benefits
HIPAA Privacy Rule
101. ▪ Control use and disclosure of PHI
▪ Notify patients of information practices (NPP, Notice of Privacy
Practices)
▪ Specifies how CE can use and share PHI
▪ Specifies patient’s rights regarding their PHI
▪ Provide means for patients to access their own record
▪ Obtain authorization for non-TPO uses and disclosures
▪ Log disclosures
▪ Restrict use or disclosures
▪ Minimum necessary
▪ Privacy policy and practices
▪ Business Associate agreements
▪ Other applicable statutes
▪ Provide management oversight and response to minimize threats and
breaches of privacy
Responsibilities of a CE
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
102. ▪ Individually identifiable health information collected
and used solely for research IS NOT PHI
▪ Researchers obtaining PHI from a CE must obtain
the subject’s authorization or must justify an
exception:
▪ Waiver of authorization (obtain from the IRB)
▪ Limited Data Set (with data use agreement)
▪ De-identified Data Set
▪ HIPAA Privacy supplements the Common Rule
and the FDA’s existing protection for human
subjects
HIPAA & Research
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
103. ▪ De-identified Data Set
▪ Remove all 18 personal identifiers of subjects,
relatives, employers, or household members
▪ OR biostatistician confirms that individual cannot be
identified with the available information
▪ Limited Data Set
▪ May include Zip, Birthdate, Date of death, date of
service, geographic subdivision
▪ Remove all other personal identifiers of subject, etc.
▪ Data Use Agreement signed by data recipient that
there will be no attempt to re-identify the subject
Research Data Sets
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
104. ▪ Assure the CE that all research-initiated HIPAA
requirements have been met
▪ Provide letter of approval to the researcher to
conduct research using PHI
▪ OR, Certify and document that waiver of
authorization criteria have been met
▪ Review and approve all authorizations and data
use agreements
▪ Retain records documenting HIPAA actions for 6
years
IRB’s New Responsibility
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
105. ▪ Establishes national standards to protect
individuals’ electronic PHI that is created,
received, used, or maintained by a CE.
▪ Requires appropriate safeguards to ensure
confidentiality, integrity & security of
electronic PHI
▪ Administrative safeguards
▪ Physical safeguards
▪ Technical safeguards
HIPAA Security Rule
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
106. ▪ Timeline
▪ August 12, 1998 Proposed Security Rule
▪ February 20, 2003 Final Security Rule
▪ April 21, 2005 Compliance Date for most CE
▪ Full Text
http://www.hhs.gov/ocr/privacy/hipaa/
administrative/securityrule/securityrulepdf.pdf
HIPAA Security Rule
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
107. ▪ The HIPAA Security Rule is:
▪ A set of information security “best practices”
▪ A minimum baseline for security
▪ An outline of what to do, and what procedures
should be in place
▪ The HIPAA Security Rule is not:
▪ A set of specific instructions
▪ A set of rules for universal, unconditional
implementation
▪ A document outlining specific implementations
(vendors, equipment, software, etc.)
HIPAA Security Rule: Meaning
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
108. ▪ The HIPAA Security Rule is designed to be:
▪ Technology-neutral
▪ Scalable (doesn’t require all CEs to apply the same
policies)
▪ Flexible (allows CEs to determine their own needs)
▪ Comprehensive (covers technical, business, and
behavioral issues)
HIPAA Security Rule: Meaning
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
109. ▪ Many rules are either Required or Addressable
▪ Required:
▪ Compliance is mandatory
▪ Addressable:
▪ If a specification in the Rule is reasonable and
appropriate for the CE, then the CE must implement
▪ Otherwise, documentation must be made of the
reasons the policy cannot/will not be implemented,
and when necessary, offer an alternative
HIPAA Security Rule: Meaning
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
110. ▪ Breach notification
▪ Extension of complete Privacy & Security
HIPAA provisions to business associates of
covered entities
▪ New rules for accounting of disclosures of a
patient’s health information
New in HITECH Act of 2009
111. ▪ Conflicts between federal vs. state laws
▪ Variations among state laws of different
states
▪ HIPAA only covers “covered entities”
▪ No general privacy laws in place, only a few
sectoral privacy laws e.g. HIPAA
Health Information Privacy Law:
U.S. Challenges
112. ▪ Canada - The Privacy Act (1983), Personal
Information Protection and Electronic Data
Act of 2000
▪ EU Countries - EU General Data Protection
Regulation (GDPR)
▪ Australia - Privacy Act of 1988
Health Information Privacy Law:
Other Western Countries
113. ▪ General Data Privacy Law
▪ There exists general law protecting privacy
of all types of information (financial,
educational, health, etc.)
▪ Sectoral Data Privacy Law
▪ Each sector (e.g. health sector) has its
own information privacy laws without a
general law
Two Systems of Privacy Laws
114. Pros & Cons
General Data
Privacy Law
▪ Pros: Covers all types
of information with
uniform standard of
protection
▪ Cons: May not be
flexible for specific
requirements in each
industry or for each
type of information
(e.g. health)
Sectoral Data
Privacy Law
▪ Pros: Protections
specific to each type
of information (e.g.
health information) or
nature of each
industry
▪ Cons: Not covering
other types of
information or those
kept by other
organizations outside
the sector, and no
uniform standard of
protections