Florencio Cano - Patient data security in a wireless and mobile world

Presentation of Workshop on Technology for Healthcare and Healthy Lifestyle 2011

Thursday 1st Dec 2011
Session III

http://www.tsb.upv.es/wths2011

Published in: Health & Medicine

  1. Patient data security in a wireless and mobile world. Florencio Cano Gabarda, SEINHE. CISA, IRCA 27001 Lead Auditor
  2. 120% more smartphones sold in 2015. Smartphones sold, in millions: 2009: 173.8; 2010: 298; 2011: 472; … 2015: 982. Source: IDG
  3. Mobile devices are inside our network (photo from gizmologia.com)
  4. Whether IT like it or not (photo from www.exalli.com)
  5. The USER used to be…
  6. …far, far away
  7. Now the USER is inside the network
  8. Network administrators used to have control over the devices connected to the network… 2 laptops, 3 switches, 10 workstations, 3 servers
  9. …but now users want to use their own devices
  10. Whether IT like it or not (photo from www.exalli.com)
  11. Securing only the perimeter is no longer possible (photo by itjournalist)
  12. We have to evaluate the new risks in depth
  13. A risk assessment is the right tool
  14. A risk assessment is the right tool. Recommended by the LOPD
  15. A risk assessment is the right tool. Recommended by the LOPD. Mandated by the Esquema Nacional de Seguridad
  16. A risk assessment is the right tool. Recommended by the LOPD. Mandated by the Esquema Nacional de Seguridad. Required by the Spanish critical infrastructure protection law
  17. A risk assessment is the right tool. Recommended by the LOPD. Mandated by the Esquema Nacional de Seguridad. Required by the Spanish critical infrastructure protection law. Necessary to be certified against ISO/IEC 27001
  18. Multiple methodologies exist: Magerit, Octave, ISO/IEC 27005, CRAMM
  19. 1. Identify information assets
  20. 2. Identify threats
  21. 3. Identify vulnerabilities
  22. Risk evaluation
  23. Critical assets
  24. User
  25. Data, User
  26. Devices, Data, User
  27. Internal network, Devices, Data, User
  28. Internal network, Devices, Data, User: DEFENSE IN DEPTH
  29. Classical threats
  30. Classical threats: Access to patient data. Interruption of critical systems
  31. Classical threats: Access to patient data. Interruption of critical systems
  32. New vulnerabilities
  33. New vulnerabilities: Wireless vulnerabilities, Network vulnerabilities, Device vulnerabilities, User vulnerabilities
  34. Insecure access protocols
  35. New vulnerabilities: Wireless vulnerabilities, Network vulnerabilities, Device vulnerabilities, User vulnerabilities
  36. Improper network segmentation
  37. Plain text protocols
  38. New vulnerabilities: Wireless vulnerabilities, Network vulnerabilities, Device vulnerabilities, User vulnerabilities
  39. Malware
  40. New vulnerabilities: Wireless vulnerabilities, Network vulnerabilities, Device vulnerabilities, User vulnerabilities
  41. Extraction of data without authorization
  42. Improper deletion of data
  43. Lack of controls against unauthorized access
  44. New and old solutions
  45. A sound information security policy
  46. Policy enforcement
  47. Network security
  48. Network security: Security by design
  49. Network security: Proper segmentation
  50. Proper segmentation: A demilitarized zone. A segment for malicious or non-trusted devices with access to the Internet. A segment for low-risk assets on the internal network. A segment for critical devices
  51. Network security: VLANs and firewalls
  52. Network security: Intrusion detection
  53. Network security: Honeypots
  54. Network security: Data loss prevention
  55. Network security: Virtual Private Networks
  56. Wireless security
  57. Wireless security: Proper protocols
  58. Mobile device security
  59. Mobile device security: Network Access Control (NAC)
  60. Conclusions: Health environments are facing new risks. Organizations that handle patient data and allow mobile devices should review the new risks and act. There exist solutions to mitigate the new risks
  61. Thanks! Florencio Cano Gabarda, SEINHE. fcano@seinhe.com, @florenciocano
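Slides 36, 37 and 50 argue for segmentation with a default-deny firewall policy between segments and for retiring plain-text protocols. The following is an added example, not code from the talk, that models the four segments of slide 50 as a default-deny policy and audits constructed flow records against it; the zone labels, rule set and sample ports are this example's own assumptions.

```python
from dataclasses import dataclass

# Slide 50's four segments plus the Internet; zone labels are this example's own (assumption).
DMZ, UNTRUSTED, LOW_RISK, CRITICAL, INTERNET = "dmz", "untrusted", "low_risk", "critical", "internet"

# Permitted cross-segment flows as (source zone, destination zone, TCP port).
# Anything not listed is denied: default deny between segments (VLANs + firewalls, slide 51).
ALLOWED = {
    (UNTRUSTED, INTERNET, 443),  # non-trusted / BYOD devices get Internet access only
    (INTERNET, DMZ, 443),        # public-facing services are reached in the DMZ
    (DMZ, LOW_RISK, 5432),       # constructed: DMZ front-end to an internal database
    (LOW_RISK, CRITICAL, 443),   # internal users reach critical systems over TLS
    (LOW_RISK, CRITICAL, 80),    # legacy rule left in place; flagged below as plain text
}
# Ports whose protocols carry credentials or records in clear text (slide 37).
PLAINTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 389: "ldap"}

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int

def evaluate(flow):
    """Return (verdict, findings) for one flow under the segmentation policy."""
    findings = []
    crosses = flow.src_zone != flow.dst_zone
    if crosses and (flow.src_zone, flow.dst_zone, flow.dst_port) not in ALLOWED:
        verdict = "deny"
        findings.append(f"no rule permits {flow.src_zone}->{flow.dst_zone}:{flow.dst_port}")
    else:
        verdict = "allow"  # same-segment traffic is not filtered by this inter-segment policy
    if crosses and flow.dst_port in PLAINTEXT_PORTS:
        findings.append(f"plain-text {PLAINTEXT_PORTS[flow.dst_port]} crossing segments")
    return verdict, findings

def audit(flows):
    """Run every flow through the policy; return the ones that raised a finding."""
    report = []
    for f in flows:
        verdict, findings = evaluate(f)
        if findings:
            report.append((f, verdict, findings))
    return report

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow(UNTRUSTED, INTERNET, 443),  # guest browsing: allowed, no finding
    Flow(UNTRUSTED, CRITICAL, 445),  # BYOD device reaching a critical server: denied
    Flow(LOW_RISK, CRITICAL, 80),    # permitted by the legacy rule, but HTTP into the critical segment
    Flow(CRITICAL, CRITICAL, 23),    # telnet inside one segment: outside this policy's scope
]
```

The last sample flow shows the limit of segmentation alone: plain-text traffic that stays inside a segment is invisible to the inter-segment policy, which is why the deck layers it with device and user controls (defense in depth, slide 28).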
