
Configuring Electronic Health Records

Privacy and Security in the US

Lecture f

This material (Comp11_Unit7f) was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000015

Privacy and Security in the US
Learning Objectives

• Compare and contrast the concepts of privacy and security (Lecture a)
• List the regulatory frameworks for an EHR (Lecture b, c)
• Describe the concepts and requirements for risk management (Lecture d)
• Describe authentication, authorization and accounting (Lecture d)
• Describe passwords and multi-factor authentication and their associated issues (Lecture d)
• Describe issues with portable devices (Lecture d)
• Describe elements of disaster preparedness and disaster recovery (Lecture e)
• Describe issues of physical security (Lecture e)
• Describe malware concepts (Lecture f)

Health IT Workforce Curriculum Version 3.0/Spring 2012


Viruses

• Oldest and simplest concept: an unwanted program that executes when the host program executes

• Copies itself to media


Virus Types

• File
• Boot sector
• Macro
• E-mail
• Multi-variant
• RFID (theoretical)


Worms

• Self-replicating program that copies itself to other computers across a network
• LAN or Intranet
• Web or Internet
• E-mail
• IM
• IRC
• P2P


Trojans

• Destructive program that appears to be something other than what it is

• From the Greek myth of the wooden horse brought into the city as a trophy – filled with warriors

• Brought in by the user . . .
• Backdoor trojan
• Data collecting
• Downloader or dropper


Botnets

• Coordinated attack using infected systems
• Stages:
  – Creation
  – Configuration
  – Infection
  – Control
• Used for:
  – DDoS
  – Spam & spreading malware
  – Information leakage
  – Click fraud
  – Identity fraud


Zero-Day Malware

• What to do about a new threat?
• Zero-day malware is not detected by existing anti-virus
• May be based on zero-day exploits – newly discovered vulnerabilities
• Are signatures enough?
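
An added example, not part of the original slides, for the "Are signatures enough?" question: a hash-based signature list blocks a known sample but lets a one-byte variant through, while a default-deny allowlist blocks both. The byte strings, names and the allowlist approach are assumptions constructed for illustration; real anti-virus signatures are richer than a plain file hash.

```python
import hashlib


def sha256(data: bytes) -> str:
    """Hex SHA-256 digest, used here as a simplified 'signature'."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample inputs: harmless byte strings standing in for program files.
APPROVED_TOOL = b"approved-ehr-client v1.0"
KNOWN_BAD = b"constructed-known-sample"
NEW_VARIANT = KNOWN_BAD + b"\x00"  # one extra byte; no signature exists for it yet

# Signature database: hashes of samples that have already been seen and analysed.
SIGNATURES = {sha256(KNOWN_BAD)}
# Allowlist (assumption): hashes of programs approved through change control.
ALLOWLIST = {sha256(APPROVED_TOOL)}


def signature_scan(data: bytes) -> str:
    """Blocklist model: anything that matches no known signature is allowed."""
    return "blocked" if sha256(data) in SIGNATURES else "allowed"


def allowlist_check(data: bytes) -> str:
    """Default-deny model: anything not explicitly approved is blocked."""
    return "allowed" if sha256(data) in ALLOWLIST else "blocked"


def compare(samples: dict) -> dict:
    """Return {name: (signature verdict, allowlist verdict)} for each sample."""
    return {name: (signature_scan(d), allowlist_check(d))
            for name, d in samples.items()}


RESULTS = compare({
    "approved": APPROVED_TOOL,
    "known_bad": KNOWN_BAD,
    "new_variant": NEW_VARIANT,
})

if __name__ == "__main__":
    for name, (sig, allow) in RESULTS.items():
        print(f"{name:12} signature={sig:8} allowlist={allow}")
```

The variant row is the zero-day case: the signature scan allows it because nothing in the database matches.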


Rogueware

• Attempts to defraud users by requesting payment to remove non-existent threats
• Indications:
  – Fake pop-up warnings
  – Appear similar to real antivirus
  – Quick scan
  – May identify different files on each pass
• Highly lucrative
• Like a virus, hard to remove


What to Do?

• Resource: Malware Threats and Mitigation Strategies by US-CERT
• Enclave boundary
  – Firewalls
  – IDS
• Computing environment
  – Authorized local network devices
  – O/S patching/updating
  – O/S hardening
  – Anti-virus updating
  – Change control process
  – Host-based firewall
  – Vulnerability scanning
  – Proxy servers and web content filters
  – E-mail attachment filtering
  – Monitor logs
• What to do when compromised
  – If, not when


Why Viruses Exist

• Software engineering limitations
• Bugs


2011 Top 25 Mistakes

• Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

• Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

• Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

• Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

• Missing Authentication for Critical Function

• Missing Authorization

• Use of Hard-coded Credentials

• Missing Encryption of Sensitive Data

• Unrestricted Upload of File with Dangerous Type

• Reliance on Untrusted Inputs in a Security Decision

• Execution with Unnecessary Privileges

• Cross-Site Request Forgery (CSRF)


2011 Top 25 Mistakes (continued)

• Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

• Download of Code Without Integrity Check

• Incorrect Authorization

• Inclusion of Functionality from Untrusted Control Sphere

• Incorrect Permission Assignment for Critical Resource

• Use of Potentially Dangerous Function

• Use of a Broken or Risky Cryptographic Algorithm

• Incorrect Calculation of Buffer Size

• Improper Restriction of Excessive Authentication Attempts

• URL Redirection to Untrusted Site ('Open Redirect')

• Uncontrolled Format String

• Integer Overflow or Wraparound

• Use of a One-Way Hash without a Salt


Detection and Prevention

• Automated tools
• Policies and procedures
• Knowledgeable implementation staff


Privacy and Security in the US
Summary – Lecture f

• Malware
• Software design issues


Privacy and Security in the US
Summary

• Concepts of privacy and security
• Regulatory framework
• Risk assessment
• Portable devices
• System access
• Security awareness training
• Incident response and disaster recovery
• Physical security
• Malware and software design issues


Privacy and Security in the US
References – Lecture f

References
• Christey, S. (2011). 2011 CWE/SANS Top 25 Most Dangerous Software Errors, from http://cwe.mitre.org/top25
• U.S. Computer Emergency Readiness Team. (2005). Malware Threats and Mitigation Strategies, from http://www.us-cert.gov/reading_room/malware-threats-mitigation.pdf
