Technical Vulnerabilities of Electronic Health Records
0 likes407 views
The document summarizes a seminar on the technical perspectives of vulnerabilities in health records. It discusses key definitions related to data security, including the CIA triangle of confidentiality, integrity, and availability. It outlines common security threats like unauthorized access, viruses, denial of service attacks, and cyberterrorism. The presenter proposes a systematic 10-phase approach to information security that takes organizational goals into account and includes managerial drives, risk analysis, security policies, and regular revisions. Overall, the seminar emphasizes treating health data security systematically rather than through isolated fixes and stresses the importance of integrity protection for sensitive health records.
Technical Vulnerabilities of Electronic Health Records
- 1. Data Security Seminar, 18 March 2005 Dr Lech J.Janczewski Technical Perspective of the Vulnerabilities of Health Records
- 2. Agenda 1. Basic definitions 1. Basic definitions 2. Importance of security threats 2. Importance of security threats 3. Security threats: nature and handling 3. Security threats: nature and handling 4. System approach to IT security 4. System approach to IT security
- 3. Basic Definitions CIA triangle
- 4. Other definitons • Accountability • Authenticity • Dependability
- 5. Importance to the health sector • Integrity • Dependability • Availability • Confidentiality • Authenticity • Accountability
- 6. Integrity protection • Reliability of software – Testing – Testing – Testing....... • Error-free data entry – Who is responsible for data entry? – How to verify results? • Unathorised users • Subversive software
- 7. Unauthorized access to computer networks • Who you are? – Password – Query – Token • Issues – Password confidentiality – Password complexity v human nature – Proximity card: the best for the health sector
- 8. Unauthorized access to computer networks • Attacks on password system – Dictionary attack – Grabber software – Human engineering • Protection – Password policy • No password disclosures • Format – Updated version of software – Virus scanners (latest version!) – Get rid of the unused passwords and „guests” – Double passwords are not useful!
- 9. Unauthorized access to computer networks • Two way authentication – Are you talking to the hospital? – Usually a parameter which you can not change
- 10. Subversive software • Types – Virus – Trojan (bombs) – Worms • Protection – Virus scanners (updated) – No mass data entry from work stations • USB ports, CD ROM drives, disk drives – Carefully monitored dial up access – Firewalls • AcitveX, cookies, etc
- 11. Denial of service attacks • Worm type attack – Started in 1999 – Could immobilize the network for many hours – Requires qualify specialists to handle • Structure
- 12. Denial of service attacks • Almost impossible to handle at the receiving end (workstations) • Handled by the ISPs BUT • Good virus scanner stops your system to become a zombie
- 13. Cyber-terrorist attacks and collateral damages issue • Probability of a direct cyber-terrorist attack against a health IT system in NZ: very low • Slightly higher if there is a “hot patient” in a ward • Probability of collateral damages: very high: – Fires, floods, earthquakes – Need to plan for that!!!!! • back up data and systems
- 14. Approach to information security • System approach – Goals of the organizations taken into consideration at every stage of the security planning, deployment and running • NOT piecemeal approach! – This is not working, let’s fix it! • Follow a staged procedure
- 15. 10 stage procedure Phase 1 Phase 1 Phase 2 Phase 2 Phase 3 Phase 3 Managerial CISO Information drive appointed inventory
- 16. 10 stage procedure Phase 4 Phase 4 Phase 5 Phase 5 Phase 6 Phase 6 Risk Logical Physical Analysis Design Design
- 17. 10 stage procedure Phase 7 Phase 7 Phase 8 Phase 8 Phase 9 Phase 9 Security Implementation Maintenance Polices
- 18. 10 stage procedure Phase 10 Phase 10 Phase ….. Phase ….. Revision Revision
- 19. Summary • Health security; – Confidentiality (privacy) is important but – Integrity is on the top of the list • All protection mechanisms similar as in the other domains • System approach should be enforced • All that is a common sense and not very expensive at the base level!
- 20. Questions?