Key Challenges in Implementing Information Security and Privacy Policies in Public Sector
Presented by
Dickson Wong, Hospital Authority
19 May 2010
Quote from Ex-Privacy Commissioner: Mr KM LAU
Security and Privacy Risks of a Medical Record Database
• Besides information of the individual's physical health, a medical record may include information about family relationships, sexual behavior, substance abuse, and even the private thoughts and feelings that come with psychotherapy.
• Information from a medical record may influence an individual's credit, admission to educational institutions, and employment. It may also affect the ability to get health insurance, or the rates for coverage.
• With the creation of medical databases many individuals have expressed some apprehension as this and other information begins to become computerized. There is a fear that computerized records will allow many more people to legitimately access medical records. The tendency for "function creep" could lead authorized users to use the data for unauthorized purposes.
Source: PCPD, 2000
Privacy Complaint Statistics (2/2)
• Use or disclosure of personal data beyond the scope of collection purpose and without the consent of the individual (31%);
• Lack of security measures to protect personal data (28%);
• Excessive or unfair collection of personal data (27%); and
• Non-compliance with data access or correction requests (12%).
Source: Annual Report 2009, PCPD
Other Reasons for Data Leaks
Privacy and Security at Risk:
• Hacking
• Theft
• Backdoor / Trapdoor
• Social Engineering, etc.
Hospital Authority
• Patients' medical history
• Paper folders
• Electronic data
• Other confidential information
Information Security Infrastructure
• Layered security in IT infrastructure
• Physical lock-down of risky workstations
• Application security
• Network security
• Audited patient database accesses
• Secured remote access
Still Security & Privacy Breaches
• Loss of USB drives containing patient data
• Loss of paper medical records
• HA medical records in Foxy / Facebook posted by 3rd parties
Policy:
Avoid storing personal data in portable devices. If necessary, always protect with encryption or HA encrypted devices.
Incident:
a) Stored unnecessary personal data
b) No protection
Paper records
• Thousands of records transacted per day
• Security vs operational efficiency
• Cannot eliminate: loss during transit
• Minimize by digitization
Incident Management
• Hospital Authority:
  • Medical events
  • Outbreak of infectious diseases
  • Safety incidents
• Well-defined protocols and procedures built into the system, now including:
  • Information security / privacy incidents
Known factors
• Although policies are clear, the mindset (awareness) needs time to build up
• Convenience vs compliance
• Weak risk culture
• Reluctance towards change
Learn from Incidents
• Management focus on incidents / events
• Events, e.g. near-miss cases, are just one step before an incident
• Promulgate the policy and compliance: usually very effective
Prevention
• Ideally, assessment before the risk is exposed
• Cannot rely solely upon a single party; business users must be made accountable and responsible
Privacy Impact Assessment (PIA)
• PIA Process (across the system life cycle):
  • Requirement Phase
  • Design Phase
  • Deployment Phase
  • Maintenance Phase (Production Systems)
Who Conducts PIA?
• PIA is owned by the Project Manager
• PM knows how personal data are:
  • Collected
  • Kept
  • Used
  • Secured
  • Accessed
PIA Initial Assessment
• Objective: highlight probable privacy issues through questioning on:
  • Technologies adopted
  • Personal data identifiers used
  • Organizations involved
  • Data itself
  • Exemptions / exceptions claimed
PIA Initial Assessment: Technologies
1 Smartcards
2 RFID tags
3 Mobile phone / GPS locators
4 Visual surveillance
5 Biometric data collection
6 Monitoring of electronic communication
7 Data mining & profiling
PIA Initial Assessment: Personal Identifiers
• Using personal identifiers such as HKID, biometric data, etc.?
• Authentication / identity management?
• Converting anonymous to identified information?
PIA Initial Assessment
• What are the organizations involved:
  • External 3rd parties?
  • Outsourced parties?
  • Government agencies?
  • Business partners?
PIA Initial Assessment
• Personal data itself:
  • New or changed handling?
  • New or changed amount of data?
  • Large group of individuals?
  • Inter-linking or cross-referencing?
PIA Initial Assessment
• Claimed exemptions / exceptions:
  • From ordinance / legislation?
  • Other claimed justifications such as security and safety?
Detail Assessment: Privacy & Security
• HIPAA: Privacy Rule overlaps with Security Rule: safeguards / protection
PIA Detail Assessment
• Who, when, what, how, why, …
• Any way to reduce personal data?
• Is it legal? Consent sought?
PIA Detail Assessment
• System function, provision, controls
• Use of information
• Retention
PIA Detail Assessment
• Sharing with internal and external individuals / organizations
• In line with purpose of collection?
• Legal agreement, confidentiality undertaking
• What safeguards in protecting download, transmission, etc.?
PIA Detail Assessment
• Technical safeguards:
  • Access control
  • Database encryption / protection
  • Backup and recovery
  • Auditing
  • Training
  • etc.
PIA Detail Assessment
• Risks identified
• Controls (system / manual) in place
• Residual risks made known to management
• PIA is an on-going assessment to address changes in the system and changes in the environment
Ultimate Goals of PIA
• Effectively communicate privacy risks not addressed in conventional project management / system design
• Build trust and confidence with the public
• Clear accountabilities
• Reduce risks