IT SECURITY ISSUES IN HEALTHCARE

Description: IT SECURITY ISSUES IN HEALTHCARE. Assoc. Prof. Dr. Zuraini Ismail, Head of Department, Advanced Informatics School, Universiti Teknologi Malaysia. OUTLINE: 1. Introduction. 2. Healthcare Information System (HIS). 3. IT Security Issues in HIS. 4. Malaysia On-going Initiatives. 5. Conclusion. (PowerPoint presentation)

Transcript of IT SECURITY ISSUES IN HEALTHCARE

Page 1: IT SECURITY ISSUES IN HEALTHCARE

IT SECURITY ISSUES IN HEALTHCARE

Assoc. Prof. Dr. Zuraini Ismail, Head of Department, Advanced Informatics School, Universiti Teknologi Malaysia

Page 2: IT SECURITY ISSUES IN HEALTHCARE

OUTLINE

1. Introduction
2. Healthcare Information System (HIS)
3. IT Security Issues in HIS
4. Malaysia On-going Initiatives
5. Conclusion

Page 3: IT SECURITY ISSUES IN HEALTHCARE

OUTLINE (section 1: Introduction)

Page 4: IT SECURITY ISSUES IN HEALTHCARE

1. Introduction

Page 5: IT SECURITY ISSUES IN HEALTHCARE

Internet Usage (World Regions)

Page 6: IT SECURITY ISSUES IN HEALTHCARE

Cyber Threats

Technology Related Threats
• Hack Threat
• Fraud
• Denial of Service Attack
• Malicious Code
• Data Breaches

Cyber Content Related Threats
• Harassment
• Sedition - Threat to National Security
• Online Porn
• Chat, Forum & Electronic Bulletin

Issues
• Cross-Border Investigation & Evidential Matters
• International Collaboration
• International Laws

Page 7: IT SECURITY ISSUES IN HEALTHCARE

Top Causes of Data Breaches in 2012

Symantec: Internet Security Threat Report 2013 :: Volume 18

Page 8: IT SECURITY ISSUES IN HEALTHCARE

Data Breaches by Sector in 2012

Symantec: Internet Security Threat Report 2013 :: Volume 18

Largest percentage of disclosed data breaches by industry. The public sector should increase efforts to protect personal information.

Page 9: IT SECURITY ISSUES IN HEALTHCARE

Website Exploits by Type of Website

Symantec: Internet Security Threat Report 2013 :: Volume 18

HEALTH

Page 10: IT SECURITY ISSUES IN HEALTHCARE

Reported Incidents based on General Incident Classification Statistics 2013

A total of 3490 incidents were referred to CyberSecurity Malaysia from 1 Jan 2013 until 30 April 2013.

Incidents                 No. of Incidents
Content Related           26
Cyber Harassment          148
Denial of Service         6
Fraud                     1564
Intrusion                 1187
Intrusion Attempt         18
Malicious Code            66
Spam                      468
Vulnerabilities Report    7
TOTAL                     3490

MyCERT Incident Statistics (2013)

Page 11: IT SECURITY ISSUES IN HEALTHCARE

2012 Hospital Security Survey

Objective: To learn about trends in hospital security

Conducted by: Perception Solutions for Health Facilities Management (HFM) and the American Society for Healthcare Engineering (ASHE) in June 2012

Beth Burmahl and Suzanna Hoppszallern: HFM Magazine (2012)

Page 12: IT SECURITY ISSUES IN HEALTHCARE

2012 Hospital Security Survey (cont.)

U.S. hospitals have increased security to protect their electronic records

Findings
• More than 90% of hospital respondents and 65% of physician practice respondents conducted a risk analysis
• Approximately 80 of respondents reported that their organization shares information with at least one other type of organization
• Firewalls & user access controls continue to be the most frequently used types of security technology in use by healthcare organizations

Beth Burmahl and Suzanna Hoppszallern: HFM Magazine (2012)

Page 13: IT SECURITY ISSUES IN HEALTHCARE

3rd Annual Benchmark Study on Patient Privacy & Data Security 2012

Ponemon Institute (2012)

Page 14: IT SECURITY ISSUES IN HEALTHCARE

3rd Annual Benchmark Study on Patient Privacy & Data Security 2012 (cont.)

Most likely to be lost and stolen
• Medical Files
• Billing
• Insurance Records

Ponemon Institute (2012)

Page 15: IT SECURITY ISSUES IN HEALTHCARE

3rd Annual Benchmark Study on Patient Privacy & Data Security 2012 (cont.)

Type of data that was lost or stolen (more than one choice permitted)

Ponemon Institute (2012)

Page 16: IT SECURITY ISSUES IN HEALTHCARE

3rd Annual Benchmark Study on Patient Privacy & Data Security 2012 (cont.)

Medical identity theft may affect patient treatment
• Experienced medical identity theft and it resulted in inaccuracies in the patient’s medical record.
• Experienced medical identity theft and it affected the patient’s medical record.

Ponemon Institute (2012)

Page 17: IT SECURITY ISSUES IN HEALTHCARE

3rd Annual Benchmark Study on Patient Privacy & Data Security 2012 (cont.)

Ponemon Institute (2012)

Page 18: IT SECURITY ISSUES IN HEALTHCARE

3rd Annual Benchmark Study on Patient Privacy & Data Security 2012 (cont.)

1. Employees report the following as common causes of data breaches (more than one choice permitted):
• Technical Glitch
• Criminal Attack
• Employee Mistake
• Lost or Stolen Computing Device

2. Organizations lack defence
• LACK CONTROLS to prevent or detect medical identity theft

Ponemon Institute (2012)

Page 19: IT SECURITY ISSUES IN HEALTHCARE

3rd Annual Benchmark Study on Patient Privacy & Data Security 2012 (cont.)

3. New technology trends threaten patient data

Ponemon Institute (2012)

Page 20: IT SECURITY ISSUES IN HEALTHCARE

3rd Annual Benchmark Study on Patient Privacy & Data Security 2012 (cont.)

Organizations permit employees and medical staff to use their own mobile devices, such as smartphones or tablets, to connect to their networks or enterprise systems such as email.

Ponemon Institute (2012)

Page 21: IT SECURITY ISSUES IN HEALTHCARE

3rd Annual Benchmark Study on Patient Privacy & Data Security 2012 (cont.)

Ponemon Institute (2012)

Page 22: IT SECURITY ISSUES IN HEALTHCARE

OUTLINE (section 2: Healthcare Information System (HIS))

Page 23: IT SECURITY ISSUES IN HEALTHCARE

2. Healthcare Information System (HIS)

Page 24: IT SECURITY ISSUES IN HEALTHCARE

Healthcare Information System (HIS)

The use of ICT in support of health and health-related fields, including health-care services, health surveillance, health literature, and health education, knowledge & research; it is noted that it has the potential to greatly improve health service efficiency, expand or scale up treatment delivery to thousands of patients in developing countries, and improve patient outcomes. Joaquin (2010)

The transition from a paper-based to a paperless record system has encouraged advances in health data management and technologies, such as the digitization of medical records, the creation of central record systems and the development of healthcare data warehouses. Xiong, L., Xia, Y. (2007)

Page 25: IT SECURITY ISSUES IN HEALTHCARE

Healthcare Information System (HIS) (cont.)

Why HIS
• Efficient service
• Reduce cost
• Improve quality care
• Share data (HIE)

Source: A. Appari and M. Eric Johnson (2010) and J. Adler-Milstein and K. J. Ashish (2012)

Page 26: IT SECURITY ISSUES IN HEALTHCARE

Information Security and Healthcare

Information Security
The activity to protect information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities.

Healthcare
Technology innovation makes established ways of doing work in electronic health become outmoded. That leads to security incidents.

Page 27: IT SECURITY ISSUES IN HEALTHCARE

HIS and THIS in Malaysia

• Hospital Information System (HIS) and Total-HIS (THIS) are widely used in Malaysia. Adoption of HIS and Total-HIS in Malaysia is still low because the usability of the systems is not well implemented (Ismail and Abdullah, 2012).

Categories of Hospital Information System (HIS) (adapted from Nor Baizura, 2010):

THIS: Hospital Putrajaya, Hospital Selayang, Hospital Serdang, Hospital Pandan, Hospital Ampang, Hospital Sg. Buloh, Hospital Alor Setar and Hospital Sungai Petani.
IHIS: Hospital Keningau and Hospital Lahad Datu.
BHIS: Hospital Kuala Batas, Hospital Setiu, Hospital Pekan, Hospital Pitas, Hospital Kuala Penyu and Hospital Kunak.

Page 28: IT SECURITY ISSUES IN HEALTHCARE

OUTLINE (section 3: IT Security Issues in HIS)

Page 29: IT SECURITY ISSUES IN HEALTHCARE

3. IT Security Issues in HIS

Page 30: IT SECURITY ISSUES IN HEALTHCARE

Research Domains in Healthcare Information Security

Appari and Johnson (2010)

Healthcare Consumers
• Personal Health Record Management
• Clinical Trial Participation
• Personal Disposition to Data Disclosure

Inter-Organizational
• Health Services Subcontracting
• Integrated Healthcare Systems
• Billing & Payment Efficacy

Public Policy
• Medical Research
• Law Enforcement
• NHIN/RHIO
• Social welfare programs
• Disaster Response/Disease Control
• Pricing of Health Services

Providers
• Impact of IT on medical errors
• RFID deployment in medication admin
• Risk analysis and assessment
• Telemedicine/eHealth
• Pervasive Computing in healthcare
• Operations management

Information Security: Threats to Information Privacy & Security
• Data Interoperability; Regulatory Implications to Healthcare Practice/Technology Adoption; Secured Data Disclosure
• Privacy Concern; Financial Risk; Medical Identity Theft
• Access Control; Data Interoperability; Fraud Control; Multi-institutional Network Security
• Access Control; Information Integrity; Network Security; Privacy Policy Management; Risk Management

Page 31: IT SECURITY ISSUES IN HEALTHCARE

Information Security Culture

Security ramifications of information systems in the health informatics environment have started to permeate the national consciousness (Savastano et al., 2008; Garg and Brewer, 2011).

Incidents
• Threats (Ganthan Narayana Samy, Zuraini Ismail & Rabiah Ahmad, 2010)
• Medical Error in DSS (Chaudry et al., 2006; Radley, 2013)

Current Solution
• Technical Approach (Whitman et al.)
• Incident Reporting System (Feijter et al., 2012)

Page 32: IT SECURITY ISSUES IN HEALTHCARE

Information Security Culture (cont.)

Security Culture: Solms et al. (2010), Veiga et al. (2007), Ahmad and Alnatheer (2009)

Solution
• Behavior (Veiga and Eloff, 2010)
• Awareness (Chia et al., 2002)
• Knowledge (Zakaria and Gani, 2003; Thomson et al., 2006)

Human Factor (Non-technical issues, Socio-technical issues): Kreamer et al. (2009)

Page 33: IT SECURITY ISSUES IN HEALTHCARE

Privacy

1. Information Privacy Protection

Suhaila Samsuri, Zuraini Ismail & Rabiah Ahmad (2013)

Awareness: Not currently practiced, due to the cost factor and lack of patient awareness.
Consent: Not strictly practiced, due to lack of awareness.
Access: Accessible, but not with easy procedures, and sometimes incurs some costs.
Integrity / Security: Strictly under practiced.
Enforcement: No specific act has been enacted to protect PMI privacy in government hospitals, except for the standard ethical code of professional conduct.

Page 34: IT SECURITY ISSUES IN HEALTHCARE

Privacy (cont.)

2. Privacy Mechanism in Securing PMI

Suhaila Samsuri, Zuraini Ismail & Rabiah Ahmad (2013)

Legislation
• Based on any information privacy or data protection act enforced in that country.

Ethical Code of Conduct
• Based on hospital or the ministry’s policies & medical act.

Privacy Protection Technology
• Enhancing the PMI database & management system in accordance with the latest privacy mechanism technologies.

Privacy Awareness
• Continuous training & education need to be provided for all personnel in HIS hospitals.

Page 35: IT SECURITY ISSUES IN HEALTHCARE

Privacy (cont.)

3. Cultural Factors

Suhaila Samsuri, Zuraini Ismail & Rabiah Ahmad (2013)

Power Distance (supported)
• Government hospital is the best protector of patients’ medical information
• Rarely complain about any policies enforced over procedures for collecting, using and handling their PMI
• The public do believe in their rights over PMI; however, they seldom express them

Collectivism (supported)
• Prefer to share sensitive PMI cases with close or extended family
• Put more confidence in familiar or recognized staff to handle their PMI than in a stranger

Page 36: IT SECURITY ISSUES IN HEALTHCARE

OUTLINE (section 4: Malaysia On-going Initiatives)

Page 37: IT SECURITY ISSUES IN HEALTHCARE

4. Malaysia On-going Initiatives

Page 38: IT SECURITY ISSUES IN HEALTHCARE

Malaysia On-going Initiatives

FIRST PHASE
• Malaysia Health Information Exchange (MyHIX)
• Malaysian Healthcare Data Warehouse (MyHDW)
• Medical Treatment Information System
• MoH’s Patient Management System
• Hospital Management System (HIS@KKM)
• The Malaysian DRG (Diagnostic Related Groups) Casemix System

SECOND PHASE
• Cloud Computing Technologies
• A Feasibility Study for a Centralised Patient Registry System
• Upgrade Public Health Laboratory System Services
• Development of a Family Health Reporting System Using Data Visualiser
• A Joint Consultancy Services

Page 39: IT SECURITY ISSUES IN HEALTHCARE

Related Privacy Act in Malaysia

Personal Data Protection Act (PDPA) 2010
Applicable to all businesses in the private sector that process personal data (including sensitive personal data) in respect of commercial transactions.

Sensitive Personal Data
Consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence, or any other personal data.

Page 40: IT SECURITY ISSUES IN HEALTHCARE

Related Privacy Act in Malaysia (cont.)

What is NOT protected by PDPA 2010?
• Data processed by Federal & State Government
• Data solely & wholly processed outside Malaysia
• Data processed in non-commercial transactions
• Data processed for credit reporting business under the Credit Reporting Agencies Act 2010

Commercial Transactions
Any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010.

Page 41: IT SECURITY ISSUES IN HEALTHCARE

Critical National Information Infrastructure (CNII)

Those assets (real and virtual), systems and functions that are vital to the nation, such that their incapacity or destruction would have a devastating impact on:
• National Economic Strength
• National Image
• National Defence & Security
• Government Capability to Function
• Public Health & Safety

CNII SECTORS
• Banking & Finance
• Information & Communications
• Energy
• Transportation
• Water
• Government
• Food & Agriculture
• Emergency Services
• National Defence & Security
• Health Services

http://cnii.cybersecurity.my/

Page 42: IT SECURITY ISSUES IN HEALTHCARE

OUTLINE (section 5: Conclusion)

Page 43: IT SECURITY ISSUES IN HEALTHCARE

5. Conclusion

Page 44: IT SECURITY ISSUES IN HEALTHCARE

Conclusion

1. Security issues
• Vulnerabilities & Threats
• Physical Security
• Information Security Culture
• PMI Privacy

Page 45: IT SECURITY ISSUES IN HEALTHCARE

Conclusion (cont.)

2. Appropriate solutions
• Need to identify the current problems from the different views of users.
• To protect the privacy and confidentiality of PMI.

Page 46: IT SECURITY ISSUES IN HEALTHCARE

Recommendations

Symantec: Internet Security Threat Report 2013 :: Volume 18

Defense in Depth
• Emphasize multiple, overlapping, and mutually supportive defensive systems

Educate Employees
• Raise employees’ awareness about the risks of social engineering and counter it with staff training

Data Loss Prevention
• Prevent data loss and exfiltration with data loss protection software on the network.

Page 47: IT SECURITY ISSUES IN HEALTHCARE

Recommendations (cont.)

Symantec: Internet Security Threat Report 2013 :: Volume 18

Use a Full Range of Protection Technology
• Antivirus is not enough
• Network-based protection & reputation technology must be deployed on endpoints to help prevent attacks

Protect Public-facing Websites
• Consider Always On SSL to encrypt visitors’ interactions

Protect Code-signing Certificates
• Certificate owners should apply rigorous protection & security policies to safeguard keys

Software Updating and Review Patching Processes
• It’s essential to update and patch all software promptly
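The "Always On SSL" recommendation for public-facing websites is easy to state and easy to get only half right: a site can offer HTTPS while still serving pages over plain HTTP or leaking session cookies on the insecure channel. The following is an added example, not code from the presentation or from the Symantec report it cites. It is a small Python acceptance check that inspects a plain-HTTP response and its HTTPS counterpart and lists where always-on TLS is not actually enforced. The three checks (permanent redirect to https://, an HSTS header with a one-year max-age, and Secure/HttpOnly on session cookies) are the author's reading of what always-on SSL entails, not a definition taken from the page; the `Response` objects, header values and the hostname `portal.example` are constructed for the example.

```python
"""Acceptance check for "always-on" TLS on a public-facing website.

Added example for this page; it is not code from the presentation or from
the Symantec report it cites. The exchanges below are constructed, so the
check runs offline; in practice the same function would be fed the
responses returned by a real HTTP client.
"""
from dataclasses import dataclass, field

ONE_YEAR = 31536000  # seconds; the commonly recommended minimum HSTS max-age


@dataclass
class Response:
    """Minimal view of an HTTP response: status, headers and Set-Cookie lines."""
    status: int
    headers: dict = field(default_factory=dict)
    set_cookies: list = field(default_factory=list)


def _hsts_max_age(value):
    """Parse max-age out of a Strict-Transport-Security header; None if absent."""
    for directive in value.split(";"):
        key, _, number = directive.strip().partition("=")
        if key.lower() == "max-age" and number.strip().isdigit():
            return int(number)
    return None


def check_always_on_tls(http_resp, https_resp):
    """Return a list of findings; an empty list means TLS is enforced everywhere.

    http_resp  - what the server answers to a plain http:// request
    https_resp - what the server answers to the https:// equivalent
    """
    findings = []

    # 1. Plain HTTP must hand the visitor to HTTPS with a permanent redirect,
    #    never serve the page itself (that mixed state is what always-on SSL
    #    is meant to remove).
    location = http_resp.headers.get("Location", "")
    if http_resp.status not in (301, 308) or not location.lower().startswith("https://"):
        findings.append("plain HTTP serves content or does not redirect to https://")

    # 2. HSTS tells returning browsers to skip the insecure hop entirely.
    max_age = _hsts_max_age(https_resp.headers.get("Strict-Transport-Security", ""))
    if max_age is None:
        findings.append("missing Strict-Transport-Security header")
    elif max_age < ONE_YEAR:
        findings.append(f"HSTS max-age {max_age} is below one year")

    # 3. Session cookies must not travel over HTTP or be readable by page scripts.
    for cookie in https_resp.set_cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks the Secure attribute")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks the HttpOnly attribute")

    return findings


# Constructed exchanges for a hypothetical patient portal "portal.example".
WEAK_HTTP = Response(200, {"Content-Type": "text/html"})
WEAK_HTTPS = Response(200, {}, ["session=abc123; Path=/"])

HARDENED_HTTP = Response(301, {"Location": "https://portal.example/"})
HARDENED_HTTPS = Response(
    200,
    {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    ["session=abc123; Path=/; Secure; HttpOnly"],
)

if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)),
                        ("hardened", (HARDENED_HTTP, HARDENED_HTTPS))):
        result = check_always_on_tls(*pair)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

Run against the constructed "weak" exchange the check reports four findings (content served over HTTP, no HSTS, and a session cookie missing both Secure and HttpOnly); the "hardened" exchange reports none. Feeding it real responses is a matter of building `Response` objects from whatever HTTP client the organisation already uses, which keeps the policy in one reviewable function rather than spread across server configuration.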

Page 48: IT SECURITY ISSUES IN HEALTHCARE

How to Reduce Risks

Ponemon Institute (2012)

• Update policies and procedures to include cloud, mobile devices and BYOD.
• Develop and implement plans for incident risk assessment and data breach response.
• Structure information security to report directly to the Board, to demonstrate commitment to data privacy and security.
• Conduct annual risk assessments of data privacy and security.

Page 49: IT SECURITY ISSUES IN HEALTHCARE

Risk Analysis for Healthcare Environment

Ganthan Narayana Samy, Zuraini Ismail and Rabiah Ahmad (2012)

• To identify potential or influential information security threats.
• Adopt medical research design & adapt it into the risk management process.
• Outcomes: identify the gaps in the existing security controls, policies and procedures.

Page 50: IT SECURITY ISSUES IN HEALTHCARE

General Risk Management Processes with Adoption and Adaption of Medical Research Design and Approach in Risk Management Process

Ganthan Narayana Samy, Zuraini Ismail and Rabiah Ahmad (2012)

Page 51: IT SECURITY ISSUES IN HEALTHCARE

Conclusion (cont.)

3. Raise Awareness

Noor Hafizah Hassan & Zuraini Ismail (2012)

• Security Behaviour
• Security Knowledge
• Security Awareness

Page 52: IT SECURITY ISSUES IN HEALTHCARE

Future Research Areas

• Threats to Information Privacy And Security
• Privacy concerns among healthcare consumers
• Providers’ perspective of regulatory compliance
• Information-access control
• Data interoperability and information security
• Information security issues of ehealth
• Information security risks in authorised data disclosure
• Information integrity in healthcare
• Financial Risk
• Regulatory implications for healthcare practice
• Information security risk management

Appari and Johnson (2010)

Page 53: IT SECURITY ISSUES IN HEALTHCARE

Appreciation

• Organizing Committee, Health IT Security Forum Workshop 2013
• United Nations University International Institute for Global Health (UNU-IIGH)
• All HIS researchers at UTM

Page 54: IT SECURITY ISSUES IN HEALTHCARE

Thank you

Assoc. Prof. Dr. Zuraini Ismail, [email protected]

ADVANCED INFORMATICS SCHOOL (UTM AIS)
UNIVERSITI TEKNOLOGI MALAYSIA
JALAN SEMARAK, 54100 KUALA LUMPUR
WILAYAH PERSEKUTUAN, MALAYSIA
PHONE NUMBER: +603-21805202
FAX NUMBER: +603-21805370