Ethics, Security and Privacy Management of Hospital Data Part 2 (January 24, ...Nawanan Theera-Ampornpunt
Presented at the Hospital IT Quality Development to level 4, 5, 6 Workshop, Thai Medical Informatics Association, Bangkok, Thailand on January 24, 2020
5. How much SECURITY is enough?
How much budget should I allocate for SECURITY?
Which level of SECURITY should my organization consider?
[Military, banks, pharmaceutical, etc.]
Which standard should I use?
How much RISK is acceptable to your organization?
Risk-based Security
7. What is the goal of doing “Risk Management”?
To minimize all possible “Risk”...
if unlimited budget and resources can be provided!!!
which is not practical in real life.
With limited budget and resources, the goal is to
keep “RISK” below the “ACCEPTABLE RISK LEVEL”.
Risk-based Security
8. Is there a RISK to consider?
RISK = THREAT x VULNERABILITY
How much is the RISK? (quantification)
RISK = IMPACT x POSSIBILITY
The amount of risk varies in proportion to the
POSSIBILITY of a THREAT exploiting a VULNERABILITY
and the amount of IMPACT caused by that exploitation.
Risk-based Security
9. Ex: A case study of budgeting for a security solution
Solution Name: Application Patch Management System (APMS)
Why? Nowadays, intelligent Internet worms look for security holes in unpatched or outdated software
on a computer in order to exploit, propagate and take over that system.
How? APMS will watch for the latest updates and released versions of software used within the enterprise
and make sure that all computers migrate to the latest released version in order to avoid security
incidents.
This will help reduce the chance of infection and propagation of computer viruses & worms by 80%.
This organization has 1,000 users with an average of 1,000 infections reported each year. Each infection
will cost about 2,000 THB (productivity and resolution cost).
Question?
1. If the APMS for this enterprise will cost 3 MTHB with 20% MA & subscription, is this a good
investment?
2. If “YES”, how much will the enterprise gain from investing in this solution?
3. If “NO”, how much should the enterprise budget for the investment?
Risk-based Security
10. Ex: A case study of budgeting for a security solution
Solution Name: Application Patch Management System (APMS)
Risk-based Security

Year #                                        1                     2       3       4       5       Total
SGcost: APMS Cost                             3M                    600K    600K    600K    600K    5.4M
RISK Cost (before) = ARO x SLE = ALE(before)  1,000 x 2,000 = 2M    2M      2M      2M      2M      10M
rRISK Cost (after) = ARO x SLE = ALE(after)   200 x 2,000 = 400K    400K    400K    400K    400K    2M
Gain/Loss                                     -1.4M                 +1M     +1M     +1M     +1M     +2.6M
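The table above worked through in code, as an added example that is not part of the original slides. It applies the deck's own model (RISK = IMPACT x POSSIBILITY, instantiated as ALE = ARO x SLE) to the APMS figures given on slide 9, reproduces the five-year gain/loss row, and also answers question 3 by solving for the highest year-1 price at which the control still breaks even. The `ControlCase` class, the five-year horizon and the assumption that the 20% MA rate stays constant are mine, not the slides'.

```python
# Added example (not from the slides): quantifying the APMS decision with
# the ALE model the deck uses, RISK = IMPACT x POSSIBILITY, where
# POSSIBILITY is the annualized rate of occurrence (ARO) and IMPACT is the
# single loss expectancy (SLE), so ALE = ARO x SLE.
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlCase:
    aro_before: float   # incidents per year without the control
    sle: float          # cost per incident, THB
    reduction: float    # fraction of incidents the control prevents (0..1)
    capex: float        # year-1 purchase price of the control, THB
    ma_rate: float      # yearly maintenance & subscription as a fraction of capex
    years: int = 5      # planning horizon (assumed: matches the slide's 5-year table)


def ale(aro: float, sle: float) -> float:
    """Annualized Loss Expectancy = ARO x SLE."""
    return aro * sle


def yearly_rows(case: ControlCase) -> list:
    """One row per year: control cost, ALE before/after, and net gain (saving - cost)."""
    before = ale(case.aro_before, case.sle)
    after = ale(case.aro_before * (1.0 - case.reduction), case.sle)
    rows = []
    for year in range(1, case.years + 1):
        # Purchase price in year 1, then MA & subscription every following year.
        cost = case.capex if year == 1 else case.capex * case.ma_rate
        rows.append({
            "year": year,
            "cost": round(cost, 2),
            "ale_before": round(before, 2),
            "ale_after": round(after, 2),
            "gain": round((before - after) - cost, 2),
        })
    return rows


def total_gain(case: ControlCase) -> float:
    """Net result over the whole horizon (questions 1 and 2 on the slide)."""
    return round(sum(r["gain"] for r in yearly_rows(case)), 2)


def is_good_investment(case: ControlCase) -> bool:
    return total_gain(case) > 0


def break_even_capex(case: ControlCase) -> float:
    """Highest year-1 price at which the control still pays for itself over
    the horizon (question 3 on the slide). Assumes the MA rate and horizon
    are unchanged: capex * (1 + ma_rate * (years - 1)) == total savings."""
    before = ale(case.aro_before, case.sle)
    after = ale(case.aro_before * (1.0 - case.reduction), case.sle)
    total_saving = (before - after) * case.years
    return round(total_saving / (1.0 + case.ma_rate * (case.years - 1)), 2)


# Figures from slide 9: 1,000 infections/year, 2,000 THB each, 80% reduction,
# 3 MTHB purchase with 20% yearly MA & subscription.
APMS = ControlCase(aro_before=1_000, sle=2_000, reduction=0.8,
                   capex=3_000_000, ma_rate=0.2)

if __name__ == "__main__":
    print(f"{'Year':>4} {'Cost':>12} {'ALE before':>12} {'ALE after':>12} {'Gain/Loss':>12}")
    for r in yearly_rows(APMS):
        print(f"{r['year']:>4} {r['cost']:>12,.0f} {r['ale_before']:>12,.0f} "
              f"{r['ale_after']:>12,.0f} {r['gain']:>+12,.0f}")
    print(f"Total gain over {APMS.years} years: {total_gain(APMS):+,.0f} THB")
    print(f"Good investment? {is_good_investment(APMS)}")
    print(f"Break-even year-1 price: {break_even_capex(APMS):,.0f} THB")
```

Running it reproduces the slide's row (-1.4M in year 1, +1M in each later year, +2.6M in total), so the answer to question 1 is yes. The break-even function shows the same arithmetic in reverse: with 1.6M THB of avoided loss per year and 20% MA, the most the enterprise could justify paying up front over five years is about 4.44 MTHB; anything above that turns the total negative.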
11. Key Drivers to Security Implementation (in Thailand)
1. Pain-point
2. Compliance Requirement
3. Business Best-Practices
   - Corporate Governance
   - Risk Management
Risk management is now part of the compliance requirements
for all government agencies and state enterprises.
12. Risk Management Frameworks
Business Aspect
COSO : Enterprise Risk Management Integrated Framework
ISO 31000 : Risk Management
ISO/TIS 22301 : Business Continuity Management
BS 25999 : Business Continuity Management
IT Aspect
CobiT : IT Governance
ISO 20000 : IT Service Management
ISO 27001 : Information Security Management
ISO 27005 : Information Security Risk Management
BS 25777 : IT Continuity Management
27. Understand the paradigm
Before:
If there is no proof of “not OK”, then “OK”.
Assumption: we are clean
until evidence of compromise is found.
Now:
If there is no proof of “OK”, then “not OK”.
Assumption: we are compromised
until no evidence of compromise can be found.
Self-Protection
30. To consider right now:
“prove that you haven’t been HACKED”
and determine a “clean-up strategy”
Self-Protection
You may not be hacked if and only if all of the below are TRUE:
- no network connectivity
- can address all known threats and unknown threats very,
VERY well
- all employees have high awareness and perfect security
behaviour
- know every bit of the applications being used within your
organization
- know exactly what is passing through your network
32. Your IT system will survive
and stay safe if...
every one of the following
is “TRUE”:
- There is no network connection
Once you are connected, you become a target.
- “Known” and “unknown” threats are managed excellently
“Known threats” are already hard to handle,
and there are still “unknown threats” out there.
- Every staff member has high awareness and no risky behaviour
Are your employees still clicking on links sent to their email or
instant messaging?
- You know exactly how each piece of software works and that nothing
is hidden inside it
How certain are you that there is no backdoor in any of the
software you are using?
- You know exactly what passes in and out of your network
Do you have total awareness of what passes
through your network?
Narinrit Prem-apiwathanokul (อ.ฝน นรินทร์ฤทธิ์ เปรมอภิวัฒโนกุล)
http://www.narinrit.com
33. “Preventive is IDEAL,
Detective is a MUST”
Visibility and situational awareness are very important in
order to provide an appropriate response and resiliency.
It’s harder to prevent an unknown threat than to detect
an abnormality within your enterprise.
- Do you know your normality? -
Self-Protection
34. 1. Awareness
raise the awareness of everyone in the organization, from top
management to the lowest level of the workforce within the
organization
2. Educate
provide the necessary education to each group of employees
according to their role & responsibility
3. Assess
know your situation and where you are, and use experts when
necessary
4. Improve
close all prioritised gaps, and keep doing it better
Self-Protection : Suggested Formula
35. Security Awareness is unavoidably the most
important element in implementing a security program in an
organisation
• People will always be the weakest link.
• People are the most important factor in any implementation.
• New threats are evolving every day.
• Proper communication will lead to understanding and finally to
behavioural “CHANGE”.
36. Security Awareness Training vs.
Secure-Culture Development Program
• Security awareness training once a year may be
“ENOUGH” for a compliance audit, but
“NOT ENOUGH” to be effective
• Effectiveness is achieved when the behaviour of IT users changes in a
measurable way, which once-a-year training cannot give you.
• A whole-year communication program and activities that fit well with the
organizational culture, plus random assessments to record and compare
statistical change, can yield effective results. This is what we call a
“Secure-Culture Development Program”.
37. 5 Characteristics of a Good
Secure-Culture Development Program
1. Content is relevant to daily business and life
2. Covers all or most IT users
3. Regular and continuous
4. An attractive content-delivery methodology that fits
the organisational culture
5. Measurable improvement
38. PEOPLE are the most essential part of the IT
management triad - [People, Process &
Technology]
Get the RIGHT people to do the RIGHT job.
If you cannot find the RIGHT people,
MAKE him/her the RIGHT person through
training, certification, coaching, mentorship
Self-Protection
39. – Narinrit Prem-apiwathanokul –
“No one can manage the RISK that they do not
understand. Continuous learning and improving are essential as
the business grows.”