This document discusses network security. It covers risk assessment, controlling unauthorized access through prevention, detection and correction methods, and best practice recommendations. The key threats are disruption, destruction, unauthorized access and financial losses. Controls include firewalls, intrusion detection, access controls, encryption, and disaster recovery plans. The goals of security are confidentiality, integrity and availability of data and systems.
This document discusses internet anonymity and covers different types of anonymity systems like proxy servers, remailers, mix networks, onion routing, and I2P. It provides an overview of I2P, explaining that it is an anonymous network that routes traffic through other peers in an encrypted manner to anonymize users. The conclusion emphasizes that anonymity networks like Tor and I2P cannot solve all anonymity problems and that users still need to be smart to protect their anonymity when using these systems.
This presentation delves into the many cybersecurity risks that plague the healthcare industry and how these risks can be mitigated with the help of security solutions that Seqrite offers.
Information security involves protecting information systems from unauthorized access, modification, or denial of service. It aims to maintain the confidentiality, integrity, and availability of information through measures to detect and counter threats. Common threats include malware like viruses, trojans, and bots; as well as identity theft, password cracking, and denial of service attacks. Ensuring information security requires assessing risks, applying multi-layered security solutions, and promoting ongoing security awareness training across all levels of an organization.
The document discusses information security awareness and cyber attacks. It describes common types of cyber attacks like espionage, phishing, and botnets. Specific examples like Stuxnet, Flame, and the Heartland Payment Systems data breach are examined. The document emphasizes the risks of poor password management, unawareness of data importance, and insider threats. It provides guidance on safeguarding devices and data through measures such as strong passwords, antivirus software, and a business continuity plan.
Network security involves protecting network assets and operations from threats like viruses, Trojan horses, and data interception. Key network security tools include antivirus software, firewalls, intrusion detection systems, VPNs, encryption, and identity services. There are two approaches to security: an open-door approach that grants access by default and a closed-door approach that denies access by default. VLANs (Virtual Local Area Networks) logically group network nodes to reduce broadcast traffic and allow more granular security policies between groups.
In this presentation we have covered the topic Data Security from the subject of Information Security. It discusses Data, Data Security, Security, Security Policy, Tools to secure data, a Security Overview (Availability, Integrity, Authenticity, Confidentiality), some myths, and the Dimensions of System Security and Security Issues.
How To Learn The Network Security
The following slides contain the basics for understanding the concept of computer network security, from the perspective of infrastructure, technology, and the user paradigm.
The material was compiled by an expert who is a CEH trainer and is genuinely competent in the field of network security.
I obtained these slides from him when I attended his Certified Computer Security Officer (CCSO) and Certified Computer Security Analyst (CCSA) training.
I hope this is useful as a reference for us to learn about computer network security.
Thank you
Cyber security involves techniques to protect computer networks, programs, and data from unauthorized access or attacks. It faces many challenges including network, application, data, critical infrastructure, cloud, internet of things, and operational security. Common cyber threats are phishing, ransomware, malware, viruses, trojans, spyware, botnets, SQL injection, man-in-the-middle attacks, and denial-of-service attacks. The IT Act of 2000 provides the legal framework to address cyber security issues in India.
Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz... by Dinesh O Bareja
Cybersecurity and cybercrime organizations must be created with great planning but that is not happening anywhere. In India we have a plethora of organizations sprouting up in every domain and we all know too many cooks spoil the broth. I make a case for governance at the national and state level and make the case for having a planned structure that will ensure good security, good response and offense too, if needed.
Cyber Security Awareness training outlines key topics to help employees secure MCB information systems and data from cyber attacks. The training covers password security, email security, safe web browsing, social engineering, and MCB security policies. Case studies of real-world cyber attacks show how hackers have stolen millions from banks by exploiting human and technical vulnerabilities. The training emphasizes that security is everyone's responsibility and all employees must follow security protocols to protect MCB networks and data.
This document provides an overview of network security concepts. It discusses the importance of protecting information assets as the most valuable company assets. It then covers key network security topics like the CIA triad of confidentiality, integrity and availability. It defines threats at both the network and application levels, and discusses how to overcome threats through policies, user awareness training, and security technologies like firewalls, IDS/IPS, antivirus software, VPNs, spam filters and web content filtering. The document aims to educate about network threats and appropriate security controls and protections.
This document provides an overview of security awareness training from the University of Memphis' ITS department. It covers topics like password security, email security, safe browsing, ransomware, privacy, data encryption, mobile security, and two-factor authentication. University policies on data access and security are also referenced. Reporting security incidents and additional resources are outlined. The training emphasizes that technology can only address some risks and that users are the primary targets of hackers seeking access to systems and data.
Slideshare that can be used as an educational training tool for employees to be aware of the risks of phishing attacks. This presentation covers the threat of phishing and what strategies can be done to mitigate phishing attacks.
PhishingBox is an online system for organizations to easily conduct simulated phishing attacks and educate their end users through awareness training. This helps identify vulnerabilities and mitigate risk. Our system is simple to use, cost-effective and helps clients reduce risk and achieve cybersecurity objectives.
This document discusses various threats to information security and safeguards organizations can implement. The three main sources of threats are human error, malicious human activity, and natural disasters. Some key threats include hacking, viruses, and unauthorized data disclosure through actions like phishing. Technical safeguards include identification and authentication (such as passwords), encryption, firewalls, and malware protection. Human safeguards involve policies, training, account management, and monitoring. Senior management must establish security policies, assess risks, and ensure all necessary safeguards are in place to protect the organization's information systems and data. The organization should also have an incident response plan to deal with security breaches when they do occur.
This document provides an overview of information security awareness training from Mount Auburn Hospital. It covers protecting electronic protected health information at work and at home. Key points include understanding what PHI is and why security is important. It describes potential security threats like malware, social engineering, and data theft. Guidelines are provided for secure practices like strong passwords, email safety, and disposing of media properly. Tips for securing data at home involve using antivirus software, backups, and safe internet practices. The goal is to protect patient privacy and comply with HIPAA security requirements.
User awareness and security practices are important for protecting against cyber threats. It is not possible to ensure 100% security through technology alone. Individual responsibility and following best practices are key to a successful security program. The document outlines various cyber threats like viruses, social engineering, and password cracking. It emphasizes the importance of security awareness, strong passwords, keeping systems updated, anti-virus software, and careful handling of personal information. Multiple layers of security through practices like firewalls, access control, and backups can help bolster defenses.
Operational technology (OT) and information technology (IT) security protect devices, networks, systems, and users. Cybersecurity has long been critical in IT and helps organizations keep sensitive data safe, ensure users connect to the internet securely, and detect and prevent potential cyberattacks.
This presentation introduces cybersecurity fundamentals including tools, roles, operating system security, compliance frameworks, network security, and databases. It defines cyber security, discusses security and privacy categories of cyber crimes. It also provides types of cyber attacks and crimes by percentage, advantages of cyber security, and safety tips to prevent cyber crimes. References are included from Wikipedia, antivirus testing organizations, and cybersecurity blogs and forums.
Employee Awareness in Cyber Security - Kloudlearn by KloudLearn
The goal of employee awareness in cybersecurity is to make employees aware of the procedures, policies, guidelines, and practices for configuring, managing, and executing cybersecurity in the organization.
This document provides an overview of topics related to cybercrime and security that will be covered. It lists the team members and topics to be discussed including the history of cybercrime, authenticity, security and privacy, database security, social engineering, cyber attacking methods, and security tips. Database security features like digital certificates, encryption, firewalls, and proxy servers will be explained. Responsibilities of database administrators and built-in database protections will also be covered. Specific cyber attacks such as Trojan horse attacks, backdoors, keyloggers, DDoS attacks, and man-in-the-middle attacks will be described. The document concludes with safety tips and references.
This document outlines Cybersecurity Awareness Month, which takes place annually in October. It aims to raise awareness of cybersecurity across the nation. The document discusses common cybersecurity threats like malware, ransomware, cybercrime, and social engineering. It provides examples and definitions for these threats. The document also offers tips on how individuals can better protect themselves online, such as using strong and unique passwords, enabling multi-factor authentication, and staying up-to-date on software and security updates. The theme for Cybersecurity Awareness Month 2021 is "Do Your Part. #BeCyberSmart".
Vulnerability and Integrated Risk Assessment,
Christopher G. Burton, GEM Senior Scientist, Social Vulnerability and Disaster Resilience;
Bijan Khazai, CEDIM, Senior Research Scientist
This document discusses datasets from the Global Earthquake Model (GEM) that can be used to assess global seismic hazard and risk. It describes GEM's fault, earthquake catalog, and strain rate datasets which provide information on active faults, historical and instrumental earthquakes, and crustal strain rates worldwide. It highlights efforts through workshops organized by the USGS Powell Center to bring together the earthquake hazard modeling community and address weaknesses in models through collaborative projects and testing of models.
The document outlines five golden rules for teaching language through a lexical approach:
1. Use lexical materials like texts that students want to discuss, and exploit texts through lexical exercises focusing on words, collocations, expressions, and grammar as lexis.
2. Foster linguistic awareness by encouraging students to notice word combinations and typical expressions, and warn about direct translation.
3. View errors as opportunities to reformulate language rather than punitive correction, allowing student interlanguage to guide the class.
4. Use the "triple X" approach of explain, exemplify, and expand when teaching vocabulary.
5. Have students regularly practice language through revision questionnaires and discussion questions.
#MCN2014 - Risk Management, Security, and Getting Things Done: Creating Win-W... by Jane Alexander
Jane Alexander, CIO, Cleveland Museum of Art
Brian Dawson, CDO, Canada Science and Technology Museums Corporation
Yvel Guelce, Director of Infrastructure Technology
Children's Museum of Indianapolis
IT staff are often seen as the "Bad Guys," naysayers to anything new and exciting, in the quest to protect the organization from security breaches. In this session, four museum IT leaders will show how common struggles in security can be turned around to develop positive partnerships with other departments for pro-active risk management.
Ranging from simple to complex, the issues each museum faces transcend cost and institution size. The presenters work at wildly diverse organizations but face surprisingly similar issues. Among the topics they will address are how federal policy requirements and PCI compliance affect their organizations, finding budget-conscious ways to meet the rules, encouraging safe practices by end users, using IT risk management to assist senior staff in making informed decisions, and educating employees at all levels. Attention will be given to the everyday struggles common to all IT professionals, for example changing passwords, Bring Your Own Device, and securely managing information in the cloud. The discussion will then open up to a roundtable format for sharing of successes and frustrations, questions, and comments.
A Risk Management Strategy is an approach to dealing with global risks that focuses on anticipating events and on designing and implementing procedures to minimize the occurrence of an event, or its impact if it does occur.
In an era of globalization and an interconnected world, the task of protecting a company from global risks has become complicated. Any kind of internal or external risk can disrupt its usual business activities. The source of a potential risk can be human beings, technology failure, sabotage, or Mother Nature. All the risks must be considered individually, since they overlap to a large degree. Our Global Risk Management consulting therefore focuses on terrorism, internal sabotage, external espionage, and technology failure.
The Significance of IT Security Management & Risk Assessment by Bradley Susser
An overview of IT Security Management, which is comprised of standards, policies, plans, and procedures as well as risk assessment and the various techniques and approaches to minimize an organization's financial impact due to the exploitation of numerous organizational assets.
Risk Management and Security in Strategic Planning by Keyaan Williams
This content was originally presented to the DFW chapter of the Society for Information Management. The presentation evaluates the role of risk management and security in the strategic planning process that defines the direction and prioritization of resources used by an organization.
The document outlines the stages of a risk assessment process for a chemical company. It begins with defining harm, hazard, and risk. It then describes the six main stages of risk assessment: 1) describing the system, 2) defining safe process conditions, 3) identifying hazards, 4) assessing hazards by impact and probability, 5) evaluating risks, and 6) establishing measures and assessing residual risk. The risk assessment process helps ensure safety by identifying risks and implementing targeted safety measures before new processes are started.
Review of Enterprise Security Risk Management by Rand W. Hirt
The document discusses enterprise security risk management and provides details on the risk assessment process. It defines risk as the likelihood of an adverse event occurring multiplied by the impact. Risk management aims to identify and mitigate risks to acceptable levels. The risk assessment process involves determining scope, gathering information, assessing risks, recommending controls, and determining residual risk. Controls can reduce risk through preventative, detective or corrective measures. Ongoing monitoring ensures the organization's risk posture remains consistent over time.
This document discusses the evolution of security management and solutions. It makes three key points:
1) Security infrastructures are evolving due to factors like regulations, standards, and the large percentage of IT budgets spent on operations rather than security. Most security incidents are also due to human error.
2) Security best practices have changed from a disorganized approach to following processes like incident management, problem management, and change management. Tools now help with tasks like log management, event management, and change management.
3) The document provides examples of security best practices such as getting a clear network topology, using central rule management, testing configurations before implementing them, and automating threat detection and remediation through collaborative processes.
The document provides an overview of the Indian securities market, including its key segments and participants. It discusses the primary market process for floating new issues through public offerings, rights issues, and private placements. It also summarizes the roles of various intermediaries like merchant bankers and registrars involved in the issuance process. Additionally, it covers secondary market trading and settlement, and describes the structure and regulation of the Indian financial system.
The document discusses various aspects of securities markets and financial markets. It describes the key components and participants in primary and secondary markets. The primary market, also called the new issue market, deals with the initial sale of new securities to investors. Major functions of the primary market include origination, underwriting, and distribution of new securities issues. Common methods to float new issues include public issues, rights issues, and private placements. The secondary market provides for the trading of previously-issued securities among investors.
A Guide to SlideShare Analytics - Excerpts from Hubspot's Step by Step Guide ... by SlideShare
This document provides a summary of the analytics available through SlideShare for monitoring the performance of presentations. It outlines the key metrics that can be viewed such as total views, actions, and traffic sources over different time periods. The analytics help users identify topics and presentation styles that resonate best with audiences based on view and engagement numbers. They also allow users to calculate important metrics like view-to-contact conversion rates. Regular review of the analytics insights helps users improve future presentations and marketing strategies.
Presented at The New Generation IT Doctor for Hospital Development Training Program, Thai Medical Informatics Association, Nonthaburi, Thailand on August 26, 2019
Presented at the Bureau of Policy and Strategy (สำนักนโยบายและยุทธศาสตร์), Ministry of Public Health on April 29, 2016.
Ethics, Security and Privacy Management of Hospital Data Part 2 (January 24, ...) - Nawanan Theera-Ampornpunt
Presented at the Hospital IT Quality Development to level 4, 5, 6 Workshop, Thai Medical Informatics Association, Bangkok, Thailand on January 24, 2020
Speaker: Nawanan Theera-Ampornpunt
- 2003 M.D. (First-Class Honors) (Ramathibodi)
- 2009 M.S. in Health Informatics (U of MN)
- 2011 Ph.D. in Health Informatics (U of MN)
- Faculty of Medicine Ramathibodi Hospital, Mahidol University
  o Deputy Executive Director for Informatics (CIO/CMIO), Chakri Naruebodindra Medical Institute
  o Lecturer, Department of Community Medicine
- Member, TMI Executive Board
- nawanan.the@mahidol.ac.th
- SlideShare.net/Nawanan
- http://groups.google.com/group/ThaiHealthIT
Introduction
Overall Topics of HITQIF Course
- TMI HITQIF Framework
- IT Governance
- Strategic Planning & IT Master Plan
- Structure, Roles, Team Development & Roadmap to IT Quality
- IT Policy, Regulation, Risk & Security Management
- Service Level Management, IT Service Desk & Data Center Management
- Data Management
- IT Process, Metrics & Control
- Continuous & Sustainable IT Quality Improvement
Sources of the Threats
- Hackers
- Viruses & malware
- Poorly designed systems
- Insiders (employees)
- People's ignorance & lack of knowledge
- Disasters & other incidents affecting information systems
Consequences of Security Attacks
- Information risks
  o Unauthorized access & disclosure of confidential information
  o Unauthorized addition, deletion, or modification of information
- Operational risks
  o System not functional (Denial of Service - DoS)
  o System wrongly operated
- Personal risks
  o Identity theft
  o Financial losses
  o Disclosure of information that may affect employment or other personal aspects (e.g. health information)
  o Physical/psychological harm
- Organizational risks
  o Financial losses
  o Damage to reputation & trust
  o Etc.
Privacy & Security
- Privacy: "The ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively." (Wikipedia)
- Security: "The degree of protection to safeguard ... person against danger, damage, loss, and crime." (Wikipedia)
- Information Security: "Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction" (Wikipedia)
Examples of Integrity Risks
"Operation Aurora"
http://www.wired.com/threatlevel/2010/03/source-code-hacks/
http://en.wikipedia.org/wiki/Operation_Aurora
Alleged targets: Google, Adobe, Juniper Networks, Yahoo!, Symantec, Northrop Grumman, Morgan Stanley, Dow Chemical
Goal: to gain access to, and potentially modify, source code repositories at high-tech, security & defense contractor companies
Examples of Integrity Risks
Web defacements
http://news.softpedia.com/news/700-000-InMotion-Websites-Hacked-by-TiGER-M-TE-223607.shtml
Examples of Availability Risks
Viruses/worms that led to instability & system restarts (e.g. Blaster worm)
http://en.wikipedia.org/wiki/Blaster_worm
Examples of Availability Risks
Ariane 5 Flight 501 rocket launch failure
http://en.wikipedia.org/wiki/Ariane_5_Flight_501
Cause: a software bug in the inertial reference system. A 64-bit floating-point value (the horizontal velocity bias) was converted to a 16-bit signed integer without a range check; on Ariane 5 the value exceeded the 16-bit range, and the resulting arithmetic overflow raised an unhandled exception that shut the inertial reference system down.
Common Security Terms
- Attack: an attempt to breach system security
- Threat: a scenario that can harm a system
- Vulnerability: the weakness (the "hole") that an attack exploits
Class Exercise
Identify some possible means an attacker could use to conduct a security attack.
Simplified Attack Scenarios (Alice and Bob communicate through a server; Eve/Mallory is the attacker)
Attacks on the users and their client computers:
- Physical access to the client computer
- Electronic access (password)
- Tricking the user into doing something (malware, phishing & social engineering)
Simplified Attack Scenarios (continued)
Attacks on data in transit between client and server:
- Intercepting (eavesdropping or "sniffing") data in transit
- Modifying data ("man-in-the-middle" attacks)
- "Replay" attacks
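The three in-transit attacks above are usually countered together. As an added example (not code from the original slides), the following Python shows Alice attaching an HMAC over a timestamp, a random nonce and the payload, and the server rejecting a message Mallory has modified and a message Eve has captured and replayed. The shared key, the message contents and the clock values are constructed for the example; the window of 30 seconds is an assumed policy value.

```python
import hashlib
import hmac
import os
import time

# Constructed for this example: a key that Alice and the server share out of band.
SHARED_KEY = b"example-shared-key-replace-in-production"
MAX_CLOCK_SKEW_SECONDS = 30   # assumed policy: how stale a message may be


def protect(key, payload, timestamp=None, nonce=None):
    """Sender side: bind a timestamp and a fresh random nonce to the payload
    with an HMAC, so that any change by Mallory invalidates the tag."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = os.urandom(16).hex() if nonce is None else nonce
    header = "{}|{}|".format(timestamp, nonce).encode()
    tag = hmac.new(key, header + payload, hashlib.sha256).hexdigest()
    return {"timestamp": timestamp, "nonce": nonce, "payload": payload, "tag": tag}


class Receiver:
    """Receiver side: verifies the tag, rejects stale timestamps and remembers
    accepted nonces so that a captured message cannot be replayed."""

    def __init__(self, key, clock=time.time):
        self.key = key
        self.clock = clock          # injectable so the example is deterministic
        self.seen_nonces = set()    # in production, prune entries older than the window

    def verify(self, msg):
        header = "{}|{}|".format(msg["timestamp"], msg["nonce"]).encode()
        expected = hmac.new(self.key, header + msg["payload"], hashlib.sha256).hexdigest()
        # Constant-time comparison: a plain == would leak timing information.
        if not hmac.compare_digest(expected, msg["tag"]):
            return (False, "bad tag: payload or header was modified")
        if abs(self.clock() - msg["timestamp"]) > MAX_CLOCK_SKEW_SECONDS:
            return (False, "stale timestamp: outside the accepted window")
        if msg["nonce"] in self.seen_nonces:
            return (False, "replay: nonce already accepted")
        self.seen_nonces.add(msg["nonce"])
        return (True, "accepted")


def demo():
    """Alice sends an order; Mallory tampers with a copy; Eve replays the original."""
    now = 1_700_000_000                                  # constructed clock value
    server = Receiver(SHARED_KEY, clock=lambda: now)
    original = protect(SHARED_KEY, b"discharge patient 1234", timestamp=now)
    tampered = dict(original, payload=b"discharge patient 9999")
    return {
        "legitimate": server.verify(original),
        "tampered": server.verify(tampered),
        "replayed": server.verify(original),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The HMAC defeats modification and, with the nonce and timestamp, replay; it does nothing against eavesdropping, so confidentiality still needs encryption of the channel (for example TLS), which the later "Network Security" slide covers.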
Simplified Attack Scenarios (continued)
Attacks on the server:
- Unauthorized access to servers through
  o Physical means
  o User accounts & privileges
  o Attacks through software vulnerabilities
  o Attacks using protocol weaknesses
- DoS / DDoS attacks
Safeguarding Against Attacks: Administrative Security
- Security & privacy policy
- Governance of security risk management & response
- Uniform enforcement of policy & monitoring
- Disaster recovery planning (DRP) & business continuity planning/management (BCP/BCM)
- Legal obligations, requirements & disclaimers
Safeguarding Against Attacks: Physical Security
- Protecting physical access to clients & servers
- Locks & chains, locked rooms, security cameras
- Mobile device security
- Secure storage & secure disposal of storage devices
Safeguarding Against Attacks: User Security
- User account management
- Strong password policy (length, complexity, expiry, no meaning)
- Principle of Least Privilege
- "Clear desk, clear screen" policy
- Audit trails
- Education, awareness building & policy enforcement
- Alerts & education about phishing & social engineering
Safeguarding Against Attacks: System Security
- Antivirus, antispyware, personal firewall, intrusion detection/prevention system (IDS/IPS), log files, monitoring
- Updates, patches, fixes for operating system & application vulnerabilities
- Redundancy (avoid a "single point of failure")
- Honeypots
Safeguarding Against Attacks: Software Security
- Software (clients & servers) that is secure by design
- Software testing against failures, bugs, invalid inputs, performance issues & attacks
- Updates to patch vulnerabilities
Safeguarding Against Attacks: Network Security
- Access control (physical & electronic) to network devices
- Use of secure network protocols wherever possible
- Encryption of data in transit wherever possible (e.g. TLS instead of plaintext protocols)
- Bandwidth monitoring & control
Safeguarding Against Attacks: Database Security
- Access control to databases & storage devices
- Encryption of data stored in databases where necessary
- Secure destruction of data after use
- Access control to queries/reports
- Security features of database management systems (DBMS)
User Security
- Access control: selective restriction of access to the system
  o Role-based access control: access control based on the person's role (rather than identity)
- Audit trails: logs/records that provide evidence of the sequence of activities
User Security
- Identification: stating who you are; usually done with user IDs or other unique codes
- Authentication: confirming that you truly are who you claim to be; usually done with keys, PINs, passwords or biometrics
- Authorization: specifying/verifying how much access you have; determined by the system owner's policy & system configuration
  o "Principle of Least Privilege": grant each user only the access that their role requires
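The two slides above (role-based access control, least privilege and audit trails) fit together in one mechanism. The following Python is an added example, not from the original slides: permissions are attached to roles, users get only the roles they need, every authorization decision is written to an append-only audit trail, and the trail can be queried per user. The hospital roles, permission names and user names are constructed for the example.

```python
import datetime

# Constructed for this example: a hypothetical hospital role model.
# Each role carries only the permissions its duties need (least privilege).
ROLE_PERMISSIONS = {
    "physician":     {"patient.read", "patient.write", "order.create"},
    "nurse":         {"patient.read", "order.view"},
    "billing_clerk": {"billing.read", "billing.write"},
    "auditor":       {"audit.read"},
}


class AccessControl:
    def __init__(self, role_permissions, clock=None):
        self.role_permissions = role_permissions
        self.user_roles = {}        # user -> set of roles (identity -> role, not identity -> permission)
        self.audit_trail = []       # append-only record of every decision, allowed or denied
        self.clock = clock or (lambda: datetime.datetime.now(datetime.timezone.utc))

    def assign_role(self, user, role):
        if role not in self.role_permissions:
            raise ValueError("unknown role: " + role)
        self.user_roles.setdefault(user, set()).add(role)

    def permissions_for(self, user):
        """Union of the permissions of all roles held by the user; unknown users get none."""
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_permissions[role]
        return perms

    def check(self, user, permission, resource):
        """Authorization decision. Denials are logged too: they are the interesting events."""
        allowed = permission in self.permissions_for(user)
        self.audit_trail.append({
            "time": self.clock().isoformat(),
            "user": user,
            "permission": permission,
            "resource": resource,
            "decision": "ALLOW" if allowed else "DENY",
        })
        return allowed

    def activity_of(self, user):
        """Reconstruct what one user did (or tried to do), in order."""
        return [entry for entry in self.audit_trail if entry["user"] == user]


def demo():
    ac = AccessControl(ROLE_PERMISSIONS)
    ac.assign_role("alice", "physician")
    ac.assign_role("bob", "nurse")
    ac.assign_role("carol", "billing_clerk")
    results = {
        "alice_writes_chart": ac.check("alice", "patient.write", "patient/1234"),
        "bob_reads_chart":    ac.check("bob", "patient.read", "patient/1234"),
        "bob_creates_order":  ac.check("bob", "order.create", "patient/1234"),
        "carol_reads_chart":  ac.check("carol", "patient.read", "patient/1234"),
        "unknown_user":       ac.check("mallory", "patient.read", "patient/1234"),
    }
    return results, ac.audit_trail


if __name__ == "__main__":
    decisions, trail = demo()
    print(decisions)
    for entry in trail:
        print(entry)
```

Adding a permission to a role changes what every holder of that role may do, which is why role definitions deserve the same change control as the policy itself. The clock is injectable so the audit entries can be produced deterministically in tests.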
User Security
- Nonrepudiation: proving the integrity, origin & performer of an activity so that the person cannot refute his or her actions
  o Most common form: signatures
  o Electronic signatures offer varying degrees of nonrepudiation (PIN/password vs. biometrics)
  o Digital signatures backed by certificates in a public key infrastructure (PKI) are often used to establish nonrepudiation
User Security
- Multiple-factor authentication (e.g. two-factor authentication): use of multiple independent means ("factors") for authentication
- Types of authentication factors
  o Something you know: password, PIN, etc.
  o Something you have: keys, cards, tokens, devices (e.g. mobile phones)
  o Something you are: biometrics
- The factors must be of different types: a password plus a second password is still single-factor authentication
Need for Strong Password Policy
So, two informaticians walk into a bar... The bouncer says, "What's the password." One says, "Password?" The bouncer lets them in.
Credits: @RossMartin & AMIA (2012)
Recommended Password Policy
- Length: 8 characters or more (to slow down brute-force attacks); longer is better, since every extra character multiplies the search space
- Complexity (to slow down brute-force attacks): consists of 3 of 4 categories of characters
  o Uppercase letters
  o Lowercase letters
  o Numbers
  o Symbols. Some systems exclude symbols that have special meaning to the system or that could be used in attacks such as SQL injection; a correctly built system does not need this restriction, because passwords are hashed rather than stored and user input reaches the database only through parameterized queries
- No meaning (to defeat "dictionary attacks")
- Not simple patterns (12345678, 11111111) (to slow down brute-force attacks & prevent dictionary attacks)
- Not easy to guess (birthday, family names, etc.) (to prevent guessing by both strangers and people who know you)
Personal opinion. No legal responsibility assumed.
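The policy above, as an added example (not code from the original slides), expressed as a Python validator that returns every violation rather than just pass/fail, so the user can be told what to fix. The list of common words is constructed and stands in for a real dictionary or breached-password list of millions of entries; the personal-information check takes whatever the enrolment form knows about the user (name, birth year) as an argument.

```python
import string

# Constructed for this example: a tiny denylist standing in for a real
# dictionary / breached-password list (real deployments use millions of entries).
COMMON_WORDS = {"password", "12345678", "qwerty", "letmein", "welcome", "admin"}


def _is_simple_pattern(pw):
    """True for 11111111-style repeats and 12345678 / abcdefgh / 87654321-style runs."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def _category_count(pw):
    """How many of the four character categories the password uses."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def check_password(pw, personal_info=()):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if _category_count(pw) < 3:
        problems.append("uses fewer than 3 of the 4 character categories")
    if _is_simple_pattern(pw):
        problems.append("simple pattern (repeated or sequential characters)")
    lowered = pw.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a dictionary/common word")
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append("contains personal information: " + item)
    return problems


if __name__ == "__main__":
    for candidate in ["Ilra7HPb!", "12345678", "Password1!", "Somchai1985!"]:
        print(candidate, check_password(candidate, personal_info=["Somchai", "1985"]))
```

Note what the checker does not do: it never stores or logs the password it was given, and it accepts any symbol, because symbol handling belongs to the storage and query layers, not to the password rule.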
Recommended Password Policy (continued)
- Expiration: limits how long a cracked or leaked password remains useful (it does not make brute-force attacks impossible)
  o 6-8 months
  o Decreasing over time because of increasing computer speed
  o But be careful! Too short a duration will force users to write passwords down. Current guidance (NIST SP 800-63B) favors forcing a change when compromise is suspected rather than on a fixed schedule
- Secure password storage in the database or system: never store passwords in plain text or reversibly encrypted; store only salted hashes computed with a slow password-hashing function (e.g. bcrypt, scrypt, Argon2 or PBKDF2)
- Secure password confirmation
- Secure "forgot password" policy
- A different password for each account. Create variations to help remember. If that is not possible, use different sets of passwords for differing security needs (e.g., bank accounts vs. social media sites)
Techniques to Remember Passwords
- http://www.wikihow.com/Create-a-Password-You-Can-Remember
  o Note that some of the techniques are less secure!
- One easy & secure way: a password mnemonic
  o Think of a full sentence that you can remember
  o Ideally the sentence should have 8 or more words, with numbers and symbols
  o Use the first character of each word as the password
  o Sentence: I love reading all 7 Harry Potter books!
  o Password: Ilra7HPb!
  o Voila!
Social Engineering Examples
Real social-engineering e-mail received by the speaker (quoted as received):

Dear mail.mahidol.ac.th Email Account User,
We wrote to you on 11th January 2010 advising that you change the password on
your account in order to prevent any unauthorised account access following
the network instruction we previously communicated.
all Mailhub systems will undergo regularly scheduled maintenance. Access
to your e-mail via the Webmail client will be unavailable for some time
during this maintenance period. We are currently upgrading our data base
and e-mail account center i.e homepage view. We shall be deleting old
[https://mail.mahidol.ac.th/l accounts which are no longer active to create
more space for new accountsusers. we have also investigated a system wide
security audit to improve and enhance
our current security.
In order to continue using our services you are require to update and
re-comfirmed your email account details as requested below. To complete
your account re-comfirmation,you must reply to this email immediately and
enter your account
details as requested below.
Username :
Password :
Date of Birth:
Future Password :
Signs of a Phishing Attack
- Poor grammar
- Lots of typos
- Trying very hard to convince you to open an attachment, click a link, or reply, without giving enough detail
- May appear to be from a known person (relies on trust & innocence)
Ways to Protect against Phishing
- Don't be too trusting of people
  o Always be suspicious & alert
  o An e-mail with your friend's name & info doesn't have to come from him/her
- Look for the signs of phishing attacks
- Don't open attachments unless you expect them
  o Scan for viruses before opening attachments
- Don't click links in e-mail. Type known & trusted URLs directly into the browser
- Be especially cautious when asked for passwords, bank accounts, credit card numbers, social security numbers, etc.
Malware
- Virus: propagating malware that requires user action to propagate; infects executable files, data files with executable content (e.g. macros), and boot sectors
- Worm: self-propagating malware
- Trojan: a seemingly legitimate program with additional, hidden functionality
Malware
- Spyware: a trojan that spies on the user and steals personal information
- Logic bomb / time bomb: malware that triggers under certain conditions (or at a certain time)
- Backdoor / trapdoor: a hidden entry point left behind by malware (or by a developer) for future access
Malware
- Rogue antispyware ("scareware"): software that tricks or forces users to pay before fixing spyware it claims to have detected (real or hoax)
- Ransomware: malware that encrypts the victim's files or locks the system and demands payment to restore access
- Rootkit: a stealth program designed to hide the existence of certain processes or programs from detection
- Botnet: a collection of Internet-connected computers that have been compromised (bots), which the controller of the botnet can use for something (e.g. DDoS attacks)
Defense Against Malware
- Installed & updated antivirus, antispyware & personal firewall
  o Check for known signatures
  o Check for improper file changes (integrity failures)
  o Check for generic patterns of malware (for unknown malware): "heuristic scan"
  o Firewall: block certain network traffic in and out
- Sandboxing
- Network monitoring & containment
- User education
- Software patches, more secure protocols
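Two of the checks listed above, known signatures and integrity failures, in Python as an added example (not code from the original slides). A baseline of SHA-256 hashes is taken while the system is known-good; a later walk of the same tree reports files that were modified, dropped or removed, and any file whose hash matches a "known-bad" entry. The files, the simulated infection and the single known-bad hash (computed from a harmless constructed string, not a real malware sample) are all built inside a temporary directory by the example itself.

```python
import hashlib
import os
import tempfile

# Constructed for this example: one "known-bad" hash standing in for a signature
# database entry. Real AV databases hold hashes and byte patterns of actual malware.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"#!/bin/sh\nrm -rf / --no-preserve-root\n").hexdigest(): "constructed-wiper",
}


def sha256_of(path):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (relative path) to its SHA-256.
    The baseline must be kept where the malware cannot rewrite it (read-only media, another host)."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline


def compare(baseline, current):
    """Integrity check: what changed, appeared or disappeared since the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def signature_hits(current, signatures=KNOWN_BAD_SHA256):
    """Signature check: files whose hash matches a known-bad entry."""
    return {p: signatures[h] for p, h in current.items() if h in signatures}


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Build a known-good tree, take a baseline, simulate an infection, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/app", b"original binary")            # constructed content
        _write(root, "etc/app.conf", b"debug=false\n")
        baseline = build_baseline(root)
        # Simulated infection: a patched binary, a dropped script, a deleted config.
        _write(root, "bin/app", b"original binary + injected code")
        _write(root, "tmp/cleanup.sh", b"#!/bin/sh\nrm -rf / --no-preserve-root\n")
        os.remove(os.path.join(root, "etc/app.conf"))
        current = build_baseline(root)
        return compare(baseline, current), signature_hits(current)


if __name__ == "__main__":
    changes, hits = demo()
    print("integrity failures:", changes)
    print("signature hits:", hits)
```

The integrity check catches the patched binary that no signature knows about, while the signature check names the dropped file; neither catches a rootkit that hides files from the directory walk, which is why the slide also lists sandboxing and network monitoring.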
Newer Threats
- Social media spam/scams/clickjacking
- Social media privacy issues
  o User privacy settings
  o Location services
- Mobile device malware & other privacy risks
- Stuxnet (advanced malware that targeted industrial control systems in certain countries)
- Advanced persistent threats (APTs) by governments & corporations against specific targets
Security Standard: Divided into 11 Domains
- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business continuity management
- Regulatory compliance
(These are the 11 control domains of ISO/IEC 27002:2005.)
IT Security & Privacy Policy Checklist
- Policy & guidelines/work instructions on
  o Data completeness & integrity
  o System security
  o Patient information privacy & confidentiality protections
  o Secure data storage, retention & destruction
  o Monitoring, evaluation & enforcement
- Communication of policy & guidelines
Examples of IT Risks
- Project failures
- Wasted investments
- Security breaches
- System crashes
- Failures by service providers to understand and meet customer requirements
- System errors or bugs
Risk Management
Risk = f(likelihood x impact)
Risk strategies (Marchewka, 2006):
- Accept/ignore
- Avoid completely
- Reduce risk likelihood or impact
- Transfer risk to someone else (e.g. insurance)
TMI HITQIF v1.1: Technology
2.1 Provide a data center
- The hospital's data center houses the servers and related equipment, such as the data backup system, backup equipment/redundant systems and the security system. The data center must therefore be managed appropriately to ensure that the system can be used safely, without stoppages or interruptions, which requires attention to the following:
  1) The room, site and environment must be made secure, e.g. proper air conditioning, protection against unauthorized outsiders, and fire protection (including smoke detection and alarm systems, fire extinguishers and an automatic fire-suppression system)
TMI HITQIF v1.1: Technology
2.1 Provide a data center (continued)
  2) A system to prevent damage to data and systems (data integrity and fault tolerance), including a UPS and backup power, RAID, redundant power supplies and redundant servers
  3) Data backup both inside and outside the data center
  4) Appropriate network management
TMI HITQIF v1.1: Technology
2.1 Provide a data center: maturity levels
- Level 0: no data center
- Level 1: a data center has been partially established, with at least 1 of the 4 key components (see the development framework)
- Level 2: a data center has been partially established, with at least 2 of the 4 key components
- Level 3: a data center has been partially established, with at least 3 of the 4 key components
- Level 4: a data center with all 4 key components in place
TMI HITQIF v1.1: Process
4.4 Systems are designed to tolerate faults (fault tolerance) and are maintained regularly (Availability Management). The IT system is managed so that it operates continuously and can be recovered even when unexpected events occur (IT Service Continuity Management), with analysis and preparation of an emergency contingency plan for recovering the system, and regular testing and updating of that plan.
(To be covered in an upcoming lecture by the same speaker)