IT SECURITY ISSUES IN HEALTHCARE
Assoc. Prof. Dr. Zuraini Ismail
Head of Department, Advanced Informatics School, Universiti Teknologi Malaysia
OUTLINE
1. Introduction
2. Healthcare Information System (HIS)
3. IT Security Issues in HIS
4. Malaysia On-going Initiatives
5. Conclusion
1. Introduction
Internet Usage (World Regions)
Cyber Threats
Technology Related Threats
• Hack Threat
• Fraud
• Denial of Service Attack
• Malicious Code
• Data Breaches

Cyber Content Related Threats
• Harassment
• Sedition - Threat to National Security
• Online Porn
• Chat, Forum & Electronic Bulletin

Issues
• Cross-Border Investigation & Evidential Matters
• International Collaboration
• International Laws
Top Causes of Data Breaches in 2012
Symantec: Internet Security Threat Report 2013 :: Volume 18
Data Breaches by Sector in 2012
Symantec: Internet Security Threat Report 2013 :: Volume 18
Largest percentage of disclosed data breaches by industry.
The public sector should increase efforts to protect personal information.
Website Exploits by Type of Website
Symantec: Internet Security Threat Report 2013 :: Volume 18
Highlighted category: HEALTH
Reported Incidents based on General Incident Classification Statistics 2013
A total of 3490 incidents referred to CyberSecurity Malaysia since 1 Jan 2013 until 30 April 2013

Incidents                 No. of Incidents
Content Related           26
Cyber Harassment          148
Denial of Service         6
Fraud                     1564
Intrusion                 1187
Intrusion Attempt         18
Malicious Code            66
Spam                      468
Vulnerabilities Report    7
TOTAL                     3490

MyCERT Incident Statistics (2013)
2012 Hospital Security Survey
Objective: To learn about trends in hospital security
Conducted by: Perception Solutions for Health Facilities Management (HFM) and the American Society for Healthcare Engineering (ASHE) in June 2012
Beth Burmahl and Suzanna Hoppszallern: HFM Magazine (2012)
2012 Hospital Security Survey (cont.)
U.S. hospitals have increased security to protect their electronic records
Findings
• More than 90% of hospital respondents and 65% of physician practice respondents conducted a risk analysis
• Approximately 80% of respondents reported that their organization shares information with at least one other type of organization
• Firewalls & user access controls continue to be the most frequently used types of security technology in use by healthcare organizations
Beth Burmahl and Suzanna Hoppszallern: HFM Magazine (2012)
3rd Annual Benchmark Study on Patient Privacy & Data Security 2012
Ponemon Institute (2012)
3rd Annual Benchmark Study on Patient Privacy & Data Security 2012 (cont.)
Most likely to be lost and stolen:
• Medical Files
• Billing
• Insurance Records
Ponemon Institute (2012)
3rd Annual Benchmark Study on Patient Privacy & Data Security 2012 (cont.)
Type of data that was lost or stolen (more than one choice permitted)
Ponemon Institute (2012)
3rd Annual Benchmark Study on Patient Privacy & Data Security 2012 (cont.)
Medical identity theft may affect patient treatment
• Experienced medical identity theft and it resulted in inaccuracies in the patient’s medical record.
• Experienced medical identity theft and it affected the patient’s medical record.
Ponemon Institute (2012)
3rd Annual Benchmark Study on Patient Privacy & Data Security 2012 (cont.)
Ponemon Institute (2012)
3rd Annual Benchmark Study on Patient Privacy & Data Security 2012 (cont.)
1. Employees report the following as common causes of data breaches (more than one choice permitted):
• Technical Glitch
• Criminal Attack
• Employee Mistake
• Lost or Stolen Computing Device
2. Organizations lack defence: they LACK CONTROLS to prevent or detect medical identity theft
Ponemon Institute (2012)
3rd Annual Benchmark Study on Patient Privacy & Data Security 2012 (cont.)
3. New technology trends threaten patient data
Ponemon Institute (2012)
3rd Annual Benchmark Study on Patient Privacy & Data Security 2012 (cont.)
Organizations permit employees and medical staff to use their own mobile devices such as smartphones or tablets to connect to their networks or enterprise systems such as email.
Ponemon Institute (2012)
3rd Annual Benchmark Study on Patient Privacy & Data Security 2012 (cont.)
Ponemon Institute (2012)
2. Healthcare Information System (HIS)
Healthcare Information System (HIS)
The use of ICT in support of health and health-related fields, including health-care services, health surveillance, health literature, and health education, knowledge and research; it has the potential to greatly improve health service efficiency, expand or scale up treatment delivery to thousands of patients in developing countries, and improve patient outcomes.
Joaquin (2010)
The transition from a paper-based to a paperless record system has encouraged advances in health data management and technologies, such as the digitization of medical records, the creation of central record systems and the development of healthcare data warehouses.
Xiong, L., Xia, Y. (2007)
Healthcare Information System (HIS) (cont.)
Why HIS?
• Efficient service
• Reduce cost
• Improve quality care
• Share data (HIE)
Source: A. Appari and M. Eric Johnson (2010) and J. Adler-Milstein and K. J. Ashish (2012)
Information Security and Healthcare
Information Security: The activity to protect information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities.
Healthcare: Technology innovation makes established ways of doing work in electronic health outmoded, and that leads to security incidents.
HIS and THIS in Malaysia
• Hospital Information System (HIS) and Total-HIS (THIS) are widely used in Malaysia. Adoption of HIS and Total-HIS in Malaysia is still low because the usability of the systems is not well implemented. (Ismail and Abdullah, 2012)

Categories of Hospital Information System (HIS) (adapted by Nor Baizura, 2010):
• THIS: Hospital Putrajaya, Hospital Selayang, Hospital Serdang, Hospital Pandan, Hospital Ampang, Hospital Sg. Buloh, Hospital Alor Setar and Hospital Sungai Petani.
• IHIS: Hospital Keningau and Hospital Lahad Datu.
• BHIS: Hospital Kuala Batas, Hospital Setiu, Hospital Pekan, Hospital Pitas, Hospital Kuala Penyu and Hospital Kunak.
3. IT Security Issues in HIS
Research Domains in Healthcare Information Security
Appari and Johnson (2010)

Healthcare Consumers:
• Personal Health Record Management
• Clinical Trial Participation
• Personal Disposition to Data Disclosure

Inter-Organizational:
• Health Services Subcontracting
• Integrated Healthcare Systems
• Billing & Payment Efficacy

Public Policy:
• Medical Research
• Law Enforcement
• NHIN/RHIO
• Social welfare programs
• Disaster Response/Disease Control
• Pricing of Health Services

Providers:
• Impact of IT on medical errors
• RFID deployment in medication admin
• Risk analysis and assessment
• Telemedicine/eHealth
• Pervasive Computing in healthcare
• Operations management

Information Security / Threats to Information Privacy & Security (cross-cutting topics):
• Data Interoperability; Regulatory Implications to Healthcare Practice/Technology Adoption; Secured Data Disclosure
• Privacy Concern; Financial Risk; Medical Identity Theft
• Access Control; Data Interoperability; Fraud Control; Multi-institutional Network Security
• Access Control; Information Integrity; Network Security; Privacy Policy Management; Risk Management
Information Security Culture
Security ramifications of information systems in the health informatics environment have started to permeate the national consciousness. (Savastano et al., 2008; Garg and Brewer, 2011)
Incidents
• Threats (Ganthan Narayana Samy, Zuraini Ismail & Rabiah Ahmad, 2010)
• Medical Error in DSS (Chaudry et al., 2006; Radley, 2013)
Current Solution
• Technical Approach (Whitman et al.)
• Incident Reporting System (Feijter et al., 2012)
Information Security Culture (cont.)
Solution: Security Culture (Solms et al., 2010; Veiga et al., 2007; Ahmad and Alnatheer, 2009)
• Behavior (Veiga and Eloff, 2010)
• Awareness (Chia et al., 2002)
• Knowledge (Zakaria and Gani, 2003; Thomson et al., 2006)
Human Factor (Non-technical issues, Socio-technical issues): Kreamer et al. (2009)
Privacy
1. Information Privacy Protection
• Awareness: Not currently practiced – due to cost factor and lack of patient awareness.
• Consent: Not strictly practiced – due to lack of awareness.
• Access: Accessible but not with easy procedures, and sometimes incurs some costs.
• Integrity / Security: Strictly under practiced.
• Enforcement: No specific act has been enacted to protect PMI privacy in government hospitals, except for the standard ethical code of professional conduct.
Suhaila Samsuri, Zuraini Ismail & Rabiah Ahmad (2013)
Privacy (cont.)
2. Privacy Mechanism in Securing PMI
Suhaila Samsuri, Zuraini Ismail & Rabiah Ahmad (2013)
• Legislation: Based on any information privacy or data protection act enforced in that country.
• Ethical Code of Conduct: Based on hospital or the ministry’s policies & medical act.
• Privacy Protection Technology: Enhancing the PMI database & management system in accordance with the latest privacy mechanism technologies.
• Privacy Awareness: Continuous training & education need to be provided for all personnel in HIS hospitals.
Privacy (cont.)
3. Cultural Factors
Suhaila Samsuri, Zuraini Ismail & Rabiah Ahmad (2013)
Collectivism (supported):
• Prefer to share sensitive PMI cases with close or extended family
• Put more confidence in familiar or recognized staff to handle their PMI rather than a stranger
Power Distance (supported):
• Government hospital is the best protector of patients’ medical information
• Rarely complain about any policies enforced over procedures in collecting, using and handling their PMI
• Public do believe in their rights over PMI; however, they seldom express it.
4. Malaysia On-going Initiatives
Malaysia On-going Initiatives
FIRST PHASE
• Malaysia Health Information Exchange (MyHIX)
• Malaysian Healthcare Data Warehouse (MyHDW)
• Medical Treatment Information System
• MoH’s Patient Management System
• Hospital Management System (HIS@KKM)
• The Malaysian DRG (Diagnostic Related Groups) Casemix System
SECOND PHASE
• Cloud Computing Technologies
• A Feasibility Study for a Centralised Patient Registry System
• Upgrade Public Health Laboratory System Services
• Development of a Family Health Reporting System Using Data Visualiser
• A Joint Consultancy Services
Related Privacy Act in Malaysia
Personal Data Protection Act (PDPA) 2010: Applicable to all businesses in the private sector that process personal data (including sensitive personal data) in respect of commercial transactions.
Sensitive Personal Data: Consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence or any other personal data.
Related Privacy Act in Malaysia (cont.)
What is NOT protected by PDPA 2010?
• Data processed by Federal & State Government
• Data solely & wholly processed outside Malaysia
• Data processed in non-commercial transactions
• Data processed for credit reporting business under the Credit Reporting Agencies Act 2010
Commercial Transactions: Any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010.
Critical National Information Infrastructure (CNII)
Those assets (real and virtual), systems and functions that are so vital to the nation that their incapacity or destruction would have a devastating impact on:
• National Economic Strength
• National Image
• National Defence & Security
• Government Capability to Function
• Public Health & Safety
CNII SECTORS
• Banking & Finance
• Information & Communications
• Energy
• Transportation
• Water
• Government
• Food & Agriculture
• Emergency Services
• National Defence & Security
• Health Services
http://cnii.cybersecurity.my/
5. Conclusion
Conclusion
1. Security issues
• Vulnerabilities & Threats
• Physical Security
• Information Security Culture
• PMI Privacy
Need to identify the current problems at different views of users.
2. Appropriate solutions
To protect privacy and confidentiality of PMI
Conclusion (cont.)
Recommendations
Symantec: Internet Security Threat Report 2013 :: Volume 18
• Defense in Depth: Emphasize multiple, overlapping, and mutually supportive defensive systems
• Educate Employees: Raise employees’ awareness about the risks of social engineering and counter it with staff training
• Data Loss Prevention: Prevent data loss and exfiltration with data loss protection software on the network.
Recommendations (cont.)
Symantec: Internet Security Threat Report 2013 :: Volume 18
• Use a Full Range of Protection Technology: Antivirus is not enough; network-based protection & reputation technology must be deployed on endpoints to help prevent attacks
• Protect Public-facing Websites: Consider Always On SSL to encrypt visitors’ interactions
• Protect Code-signing Certificates: Certificate owners should apply rigorous protection & security policies to safeguard keys
• Software Updating and Review Patching Processes: It’s essential to update and patch all software promptly
How to Reduce Risks
Ponemon Institute (2012)
• Update policies and procedures to include cloud, mobile devices and BYOD.
• Develop and implement plans for incident risk assessment and data breach response.
• Structure information security to report directly to the Board, to demonstrate commitment to data privacy and security.
• Conduct annual risk assessments of data privacy and security.
Risk Analysis for Healthcare Environment
Ganthan Narayana Samy, Zuraini Ismail and Rabiah Ahmad (2012)
• To identify potential or influential information security threats.
• Adopt medical research design & adapt it into the risk management process.
• Outcomes: Identify the gaps in the existing security controls, policies and procedures
General Risk Management Processes with Adoption and Adaption of Medical Research Design and Approach in Risk Management Process
Ganthan Narayana Samy, Zuraini Ismail and Rabiah Ahmad (2012)
Conclusion (cont.)
3. Raise Awareness
Noor Hafizah Hassan & Zuraini Ismail (2012)
• Security Behaviour
• Security Knowledge
• Security Awareness
Future Research Areas
Threats to Information Privacy And Security
Privacy concerns among healthcare consumers
Providers’ perspective of regulatory compliance
Information-access control
Data interoperability and information security
Information security issues of ehealth
Information security risks in authorised data disclosure
Information integrity in healthcare
Financial Risk
Regulatory implications for healthcare practice
Information security risk management
Appari and Johnson (2010)
Appreciation
• Organizing Committee Health IT Security Forum Workshop 2013
• United Nations University International Institute for Global Health (UNU-IIGH)
• All HIS researchers at UTM

Thank you
Assoc. Prof. Dr. Zuraini Ismail
[email protected]
ADVANCED INFORMATICS SCHOOL (UTM AIS)
UNIVERSITI TEKNOLOGI MALAYSIA
JALAN SEMARAK, 54100 KUALA LUMPUR, WILAYAH PERSEKUTUAN, MALAYSIA
PHONE NUMBER: +603-21805202
FAX NUMBER: +603-21805370