Healthcare Information Security: What Healthcare Executives Need ...
It security in healthcare
Transcript of It security in healthcare
Page 1: Information Security in Healthcare Environments
Nicholas A. Davis, CISA, CISSP
Information Security Architect
University of Wisconsin-Madison, Division of Information Technology (DoIT)
Page 2: Introduction
• Background
• Thank you for the invitation
• Today’s topic: Information Security in Healthcare Environments
• HIPAA and PHI Controls
• Healthcare Environment Vulnerability
• Social Engineering
• Precautions You Can Take
• Q&A Session
Page 3: HIPAA and PHI Controls
Page 4: HIPAA Obligations
Information covered by HIPAA must be protected:
1. Confidentiality: only those with a need to know can see the information.
2. Integrity: only those authorized to alter information can do so.
3. Availability: the information can be accessed by those who are authorized to view it.
Page 5: Protected Identifiers
• Name (full or partial)
• Address
• Specific dates (day and month), but not year
• Telephone
• Fax
• Email
• Web page address
• Computer IP address
• Social Security Number
• Account identification numbers
• License identification numbers
• Medical record numbers
• Health plan beneficiary numbers
• Medical device identifiers, such as serial number
• Associated vehicle VINs and other vehicle identification information
• Any biometric identifier (fingerprint, eye scan, etc.)
• Photos and images
• Anything else which can be used to identify a person
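Several of the identifiers on this slide have a recognisable textual shape, so a leakage-prevention tool can find and mask them before a note leaves the facility. The following Python redactor is an added example, not part of the slides: it masks SSNs, phone numbers, email addresses and IP addresses and reduces dates to the year only, as the slide permits. The sample note is constructed; names, addresses and record numbers have no fixed shape and are out of scope for this pattern-based pass.

```python
import re

# Constructed sample clinical note; no real patient data.
SAMPLE_NOTE = (
    "Patient Jane Doe, SSN 123-45-6789, seen 03/14/2012. "
    "Call 608-555-0142 or email jane.doe@example.org. "
    "Device telemetry arrived from 192.168.10.44 on 2012-03-15. "
    "Follow-up scheduled for 14 March 2012."
)

# Identifier classes from the slide that have a fixed textual shape.
# Names, addresses and record numbers do not, and are not handled here.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Date shapes; group 1 captures the year, which the slide allows to remain.
DATE_FORMS = (
    re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"),              # 2012-03-15
    re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"),          # 03/14/2012
    re.compile(r"\b\d{1,2}\s+[A-Z][a-z]+\s+(\d{4})\b"),  # 14 March 2012
)


def redact_phi(text):
    """Mask shaped identifiers and reduce dates to the year.
    Returns (redacted_text, counts) with one count per identifier class."""
    counts = {}
    for label, pattern in PATTERNS.items():
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    dates = 0
    for pattern in DATE_FORMS:
        text, n = pattern.subn(lambda m: f"[DATE {m.group(1)}]", text)
        dates += n
    if dates:
        counts["DATE"] = dates
    return text, counts


if __name__ == "__main__":
    redacted, counts = redact_phi(SAMPLE_NOTE)
    print(redacted)
    print(counts)
```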
Page 6: Types of Controls
• Technical controls
• Administrative controls
• Some examples; consider your facility
• Benefits and drawbacks of each
Page 7: Types of Controls
Administrative controls:
• Easy to implement
• Inexpensive
• Flexible
• Work best in environments in which people want to do the “right thing”
Technical controls:
• Complex to implement
• Costly
• Stringent
• Work best in environments in which adherence by everyone is critical
Page 8: Information Leakage
Common points of HIPAA information leakage are:
• Video monitors
• Printers
• Fax machines
• Copiers
• Unprotected trash bins
The best way to prevent information leakage is to practice the Minimum Necessary Standard, which means that you should only access the minimum amount of HIPAA-related information necessary to perform your job.
Page 9: Preventing Information Leakage
• Create and use a data storage policy, including lifecycle management
• Never leave HIPAA information unprotected, electronically or physically
• Don’t make unnecessary copies
• Destroy electronic media and paper copies containing HIPAA-related information according to appropriate standards before disposing of them
Page 10: HIPAA Sensitive Behaviors
• Lockdown cables for computers
• Locked office area; lock desk drawers
• Use strong passwords which adhere to best practices
• Log out when not in use
• Consider using a screen protector to limit visibility
• Antivirus, patching of the operating system, etc.
• Don’t install unauthorized software on your computer
• Don’t use file sharing services
Page 11: Portable Devices
• Any mobile device containing HIPAA information should be encrypted and access protected
• This includes portable USB hard disks, flash drives, etc.
• The best idea is not to use mobile devices for HIPAA-related work
Page 12: How Computers Become Vulnerable to e-PHI Leaks
• Infected email attachments
• Computer software from non-secure sources
• Websites
• Files stored on external electronic or magnetic storage media
Page 13: HIPAA Security Summary
• Avoid risks associated with malicious computer software
• Protect against unauthorized use of system user IDs and passwords
• Protect portable devices
• Adhere to policies and procedures
• Consider using dedicated computers
• Report suspected incidents
Page 14: Availability - Having a Plan B
• Systems must be available when needed
• When things don’t work as planned, there must be an alternate method of access
• No single point of failure is acceptable when it comes to healthcare system access
• Plan your systems for the worst-case scenario
Page 15: Healthcare Environment Vulnerability
Page 16: Equipment
• Diagnostic equipment
• Workstations
• Anything with an input
• Anything connected via a network
Page 17: Theoretical Example
• Nick’s visit to Immediate Care last night
• Staff member locks screen, leaves room
• Alone in exam room with computer
• The computer appears secured, but is it?
Page 18: How Is the Computer Vulnerable?
• USB port
• CD drive
Page 19: Keyloggers
• Tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored
• Software or hardware based
Page 20: Lesson Learned
• Physically limit the number of methods for machine input: USB ports, CD/DVD drive
• When possible, the machine itself should be physically secured / encased
• When possible, do not leave the machine unattended
Page 21: Social Engineering
Page 22: Technology Is Not the Entire Answer
Strong computer security has two components:
• The technology: passwords, encryption, endpoint protection such as anti-virus
• The people: you, your customers, your business partners
Page 23: Social Engineering
• The art of manipulating people into performing actions or divulging confidential information
• It is typically trickery or deception for the purpose of information gathering, fraud, or computer system access
Page 24: Most Popular Type of Social Engineering
• Pretexting: an individual lies to obtain privileged data. A pretext is a false motive.
• Pretexting is a fancy term for impersonation
• A big problem for computer help desks in all organizations
• Example:
Page 25: Let’s Think of a Common Pretexting Example
Dear Windows User,
It has come to our attention that your Microsoft windows Installation records are out of date. Every Windows installation has to be tied to an email account for daily update.
This requires you to verify the Email Account. Failure to verify your records will result in account suspension. Click on the Verify button below and enter your login information on the following page to Confirm your records.
Thank you,
Microsoft Windows Team.
Page 26: Warning Signs of Social Engineering
• You are made to feel as if you are doing something wrong
• You are being pressured into performing an action
• There is a sense of urgency and immediacy
• There is no way to confirm the veracity of what is claimed
Page 27: Phishing
• Deception, but not just in person
• Email
• Websites
• Facebook status updates
• Tweets
• Phishing, in the context of the healthcare working environment, is extremely dangerous
Page 28: Don’t Touch That QR Code
• Just as bad as clicking on an unknown link
• Looks fancy and official, but is easy to create
Page 29: What Phishing Looks Like
• As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows.
• They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.
Page 30: Techniques for Phishing
• Employ visual elements from the target site
• DNS tricks:
  • www.ebay.com.kr
  • [email protected]
  • www.gooogle.com
• JavaScript attacks
• Spoofed SSL lock
• Certificates:
  • Phishers can acquire certificates for domains they own
  • Certificate authorities make mistakes
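Each of the DNS tricks on this slide can be recognised mechanically from the URL alone, which is how a mail gateway or browser extension would warn a user before the click. The Python checker below is an added example, not from the slides; the trusted-domain list and the test address 198.51.100.7 are constructed, and the slide's second trick (mangled by extraction) is assumed to be the user@host form, in which the text before the '@' is a decoy and the browser connects to the host after it.

```python
from urllib.parse import urlsplit

# Constructed allow-list of domains the organisation treats as genuine.
TRUSTED = {"ebay.com", "google.com", "amazon.com"}


def levenshtein(a, b):
    """Edit distance, used to spot typosquats such as gooogle.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of the host. Production code should consult the
    Public Suffix List; this simplification covers the slide's cases."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_reasons(url):
    """Return the reasons a URL resembles, but is not, a trusted site.
    An empty list means none of the slide's DNS tricks was detected."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.username is not None:
        # The browser ignores everything before '@'; the real host follows it.
        reasons.append(f"text before '@' is a decoy; real host is {host}")
    reg = registrable(host)
    if reg in TRUSTED:
        return reasons
    for trusted in TRUSTED:
        # Trusted name buried as a subdomain of someone else's domain (ebay.com.kr)
        if f".{trusted}." in f".{host}.":
            reasons.append(f"'{trusted}' appears in the host but the domain is {reg}")
        # Typosquat: one or two edits away from a trusted domain (gooogle.com)
        distance = levenshtein(reg, trusted)
        if 0 < distance <= 2:
            reasons.append(f"{reg} is {distance} edit(s) from {trusted}")
    return reasons


if __name__ == "__main__":
    for sample in ("www.ebay.com.kr", "http://www.ebay.com@198.51.100.7/login",
                   "www.gooogle.com", "https://www.ebay.com/itm/1"):
        print(sample, "->", lookalike_reasons(sample) or "looks genuine")
```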
Page 31: Let’s Talk About Facebook
• So important, it gets its own slide!
• Essentially unauthenticated – discussion
• Three friends and you’re out! – discussion
• Privacy settings mean nothing – discussion
• Treasure trove of identity information
• Games as information harvesters
Page 32: Socially Aware Phishing
Page 33: Context Aware
• “Your bid on eBay has won!”
• “The books on your Amazon wish list are on sale!”
Page 34: Seems Suspicious
Page 35: Too Good to be True, Even When It Is Signed
Page 36: Detecting Fraudulent Email
Information requested is inappropriate for the channel of communication:
• "Verify your account." Nobody should ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail.
Urgency and potential penalty or loss are implied:
• "If you don't respond within 48 hours, your account will be closed."
Page 37: Detecting Fraudulent Email
• "Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.
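The indicators on these two slides (credentials requested by e-mail, implied urgency or penalty, a generic salutation, and no recipient name) can be combined into a simple screening rule of the kind a mail filter applies before a message reaches an inbox. The Python below is an added example, not from the slides; it scores the pretexting message reproduced from slide 25 against a constructed benign message, and the regular expressions are assumptions written to match the slides' wording.

```python
import re

# Copy of the pretexting message shown on slide 25 of this deck.
SLIDE_25_MESSAGE = """Dear Windows User,
It has come to our attention that your Microsoft windows Installation records are out of date. Every Windows installation has to be tied to an email account for daily update.
This requires you to verify the Email Account. Failure to verify your records will result in account suspension. Click on the Verify button below and enter your login information on the following page to Confirm your records.
Thank you,
Microsoft Windows Team."""

# Constructed benign message for comparison.
BENIGN_MESSAGE = """Hi Maria,
The lab schedule for next week is attached. Let me know if Tuesday still works.
Tom"""

# Indicator patterns (assumptions chosen to match the slides' examples).
CREDENTIAL_REQUEST = re.compile(
    r"\b(?:verify|confirm|update)\b.{0,40}\b(?:account|login|password|records)\b"
    r"|\b(?:password|social security|login information)\b",
    re.I)
URGENCY = re.compile(
    r"\bwithin \d+ (?:hours|days)\b|\bimmediately\b|\bsuspen(?:d|ded|sion)\b"
    r"|\bwill be closed\b|\bfailure to\b",
    re.I)
GENERIC_GREETING = re.compile(
    r"^\s*dear\s+(?:valued\s+)?(?:customer|user|member|windows user|account holder)\b",
    re.I | re.M)


def fraud_indicators(body, recipient_name):
    """Return the set of slide-derived warning signs present in an e-mail body."""
    found = set()
    if CREDENTIAL_REQUEST.search(body):
        found.add("asks_for_credentials")   # slide 36: wrong channel for this data
    if URGENCY.search(body):
        found.add("urgency_or_penalty")     # slide 36: penalty or loss implied
    if GENERIC_GREETING.search(body):
        found.add("generic_greeting")       # slide 37: "Dear Valued Customer"
    if recipient_name.lower() not in body.lower():
        found.add("recipient_not_named")    # slide 37: bulk mail lacks your name
    return found


def looks_fraudulent(body, recipient_name):
    """Two or more independent signs is enough to hold the mail for review."""
    return len(fraud_indicators(body, recipient_name)) >= 2


if __name__ == "__main__":
    print(sorted(fraud_indicators(SLIDE_25_MESSAGE, "Nicholas")))
    print(sorted(fraud_indicators(BENIGN_MESSAGE, "Maria")))
```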
Page 38: A Note on Spear Phishing
• Designed especially for you
• Includes your name
• May reference an environment or issue you are aware of and familiar with
• Asks for special treatment, with justification for the request
Page 39: Passwords
Your password is your electronic key to valuable resources.
• Sharing – toothbrush discussion
• Theft – discussion
• Password rotation – discussion
Page 40: Creating a Strong Password
The following two rules are the bare minimum you should follow when creating a password.
Rule 1 – Password length: stick with passwords that are at least 8 characters long. The more characters in the password, the better, because the time an attacker needs to crack it grows with its length; 10 characters or longer is better still.
Rule 2 – Password complexity: at least 4 characters in your password should be one each of the following:
Page 41: Creating a Strong Password
1. Lower case letters
2. Upper case letters
3. Numbers
4. Special characters
Use the “8 4 Rule”: 8 = 8 characters minimum length; 4 = 1 lower case + 1 upper case + 1 number + 1 special character.
Do not use a password strength checking website! Any ideas why this is a bad idea?
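The answer to the slide's closing question is that a strength-checking website receives the very password you are about to use, so the check belongs on your own machine. The Python below is an added example, not from the slides: it applies the 8 4 Rule locally and, to illustrate Rule 1, estimates the brute-force search space in bits; the sample passwords are constructed and the guess rate used for the time estimate is an assumed figure.

```python
import math
import string


def char_classes(pw):
    """Which of the four 8 4 Rule character classes appear in the password."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }


def passes_8_4_rule(pw):
    """8 = at least 8 characters; 4 = one each of lower, upper, number, special."""
    return len(pw) >= 8 and all(char_classes(pw).values())


# Alphabet size contributed by each class (special = string.punctuation, 32 chars).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": len(string.punctuation)}


def search_space_bits(pw):
    """Brute-force search space in bits, assuming the attacker already knows
    which character classes were used (the attacker's best case)."""
    present = char_classes(pw)
    alphabet = sum(size for cls, size in CLASS_SIZES.items() if present[cls])
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


# Assumed offline guessing rate for the illustration; real rates depend on the hash.
GUESSES_PER_SECOND = 1e10


def years_to_exhaust(pw, rate=GUESSES_PER_SECOND):
    """Worst-case years for an attacker to try every password in the space."""
    return 2 ** search_space_bits(pw) / rate / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed samples: a 9-character 8 4 Rule password and a 25-letter passphrase.
    # The passphrase fails the 4-class test yet has the larger search space,
    # which is the slide's Rule 1 point that length matters most.
    for candidate in ("Tq7#mPz9w", "tq7#mpz9w", "correcthorsebatterystaple"):
        print(candidate, passes_8_4_rule(candidate),
              round(search_space_bits(candidate), 1), f"{years_to_exhaust(candidate):.2e} years")
```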
Page 42: Adware, Malware, Spyware
• Adware – unwanted ad software which is noticed
• Malware – unwanted software which is noticed and potentially causes harm
• Spyware – unwanted software which goes unnoticed and harvests your personal information
Use endpoint protection!
Page 43: Adware, Malware, Spyware
How these get on your computer:
• Email
• Web pages
• Downloaded software
• CD, USB flash drive
• Sometimes, out of the box
Page 44: Trojan Malware
Page 45: Baiting
• Hey, look! A free USB drive!
• I wonder what is on this confidential CD which I found in the bathroom?
• These are vectors for malware!
• They play on your curiosity or desire to get something for nothing
• Don’t be a piggy!
Page 46: Precautions You Can Take
Page 47: A Note About Out of Office Assistant
• Use the Out of Office responder in a responsible manner – minimum necessary information
Page 48: Physical Security
• The UW is a fairly open and shared physical environment
• Seeing strangers is normal; we won’t know if they are here as friend or foe
• Lock your office
• Lock your desk
• Lock your computer
• Criminals are opportunistic
• Even if you are just gone for a moment
• Report suspicious activity to your administration and UW Police
• If you have an IT-related concern, contact the Office of Campus Information Security
Page 49: Sharing Information With the Public
• The University of Wisconsin is an open environment
• However, on occasion, this open nature can be exploited by people with nefarious intent
• Don’t volunteer sensitive information
• Only disclose what is necessary
• Follow records retention policies
• When in doubt, ask for proof; honest people will understand, dishonest people will become frustrated
Page 50: Looking in the Mirror
• Which types of sensitive information do you have access to?
• What about others who share the computer network with you?
• The threat from within may exceed external threats
• File sharing software and services
• Think about the implications associated with that data being stolen and exploited!
Page 51: Traveling With Sensitive Information
• Minimum amount necessary
• Don’t send as checked baggage
• When going through security at the airport, place the computer as the last item on the conveyor belt and time your walk through concurrently