In April 2004, a bold experiment by the Infosecurity Tradeshow in London proved what everyone suspected: over 70% of people passing through Liverpool Street Station would reveal their password in exchange for candy (http://news.bbc.co.uk/2/hi/technology/3639679.stm). Some commentators applauded this validation of a previously unproven assumption about Londoners’ attitudes towards password secrecy. Other commentators had serious ethical concerns with the experiment. This candy-for-password experiment got me thinking about health privacy/security experiments. Many suspect that the healthcare system has serious human and technical privacy vulnerabilities, but how can we validate this suspicion? Would a patient hand over their provincial health number for a chocolate bar? Would a medical professional hand over a patient’s information for a chai latte? The more I thought about it, the more extreme – and both frightening and funny – the research projects became.
© Fujitsu Canada
Six Health Privacy Experiments That Should Never Be Conducted
WCHIPS 2013, Winnipeg
Chris Hammond-Thrasher
Associate Director
Security, Privacy and Compliance
Fujitsu [email protected]
1
Phone Disclosure
Conference Number
Dial into the XYZ Disease / Syndrome / Dysfunction Conference Call Now!
204-800-5580
2
Social Media
Long Memory
• Version 1.0 of the NCSA Mosaic browser was released in November 1993
• Netscape Navigator was released in December 1994
• TELUS launched commercial Internet services in 1995
• Facebook launched in February 2004
Teens on Facebook
“Self-definition is about identity, one’s needs and attitudes, and the presentation of the self to others. Teenage patients present themselves on Facebook as regular teenagers. They do not write public status updates about their stays at CHEO or the treatments they receive.”
- Van der Velden and El Emam, 2012
3
A Simple Wi-Fi Attack
The Demonstration Network
Join now!
SSID: wchips2013
Password: wchips2013
Countermeasures
The basics: Any Wi-Fi network with significant security requirements must be configured to use WPA2-Enterprise. No exceptions.
VPNs are excellent defenses when moving sensitive data across non-trusted networks, but there is no completely safe way to connect to and use a hostile Wi-Fi network.
There is no good defense to Wi-Fi denial of service. The best that you can do is have a good wireless incident response team on hand.
4
Win an iPad Mini!
Phishing Discussion
Use HTTPS and put the survey on your own domain, i.e. https://primarycaresurvey.albertahealthservices.ca
Without HTTPS, I can try to impersonate the site and phish for personal health information.
As of last night, primarycaresurveys.ca is available for purchase (they used primarycaresurvey.ca), but albertahealthservice.ca has been purchased by a domain squatter.
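The advice on this slide as an added example (not part of the original deck): a Python check that a survey link uses HTTPS on the organisation's own domain and flags near-miss lookalikes such as the two named above. The function names, the distance threshold and the two-label domain handling are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the organisation's own domain, taken from the slide's example URL.
TRUSTED_DOMAINS = {"albertahealthservices.ca"}


def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of the host name.

    Assumption: plain two-label domains such as example.ca; a production
    check would consult the Public Suffix List instead.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_survey_url(url, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'ok', 'insecure-transport', 'lookalike' or 'third-party'."""
    parts = urlsplit(url)
    # .hostname drops any userinfo, so "trusted.ca@other.example" is not fooled.
    domain = registrable(parts.hostname or "")
    if domain in trusted:
        return "ok" if parts.scheme == "https" else "insecure-transport"
    if any(edit_distance(domain, t) <= max_distance for t in trusted):
        return "lookalike"
    return "third-party"


if __name__ == "__main__":
    for u in ("https://primarycaresurvey.albertahealthservices.ca",
              "http://primarycaresurvey.albertahealthservices.ca",
              "https://albertahealthservice.ca/survey",
              "https://primarycaresurvey.ca"):
        print(classify_survey_url(u), u)
```
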
QR Code Phishing
5
Hospital Netwars
6
Healthcare Mysticism
7
Medical Malware
A Common Malware Model
[Diagram labels: Command and Control Server; Infected Laptop; Infected Tablet; Infected Smartphone]
8
Balloon Clown Audit
9
Elicitation
Definition: “Elicitation”
“In the spy trade, elicitation is the term applied to subtle extraction of information during an apparently normal and innocent conversation. Most intelligence operatives are well trained to take advantage of professional or social opportunities to interact with persons who have access to classified or other protected information.
Conducted by a skillful intelligence collector, elicitation appears to be normal social or professional conversation and can occur anywhere – in a restaurant, at a conference, or during a visit to one’s home. But it is conversation with a purpose, to collect information about your work or to collect assessment information about you or your colleagues.”
Elicitation Plan
Goal: Elicit personal information on at least one individual
Method: Seek advice on when teenage girls should start dating as a way to get a parent talking about their own children
Objectives:
• Parent’s Name __________________
• Target’s Name __________________
• Relationship __________________
• Target’s Gender __________________
• Target’s Birthday __________________
Achieved _________ of five objectives
C
Bibliography
Capps, Rusty. "The Spy Who Came to Work," Security Management, February 1997.
*Celent. Using Social Data In Claims and Underwriting, http://www.celent.com/reports/using-social-data-claims-and-underwriting
Hadnagy, Chris. Social Engineering: The Art of Human Hacking. Wiley, 2011.
Li, Jingquan. “Privacy Policies for Health Social Networking Sites,” Journal of the American Medical Information Association, March 2013.
Malin, El Emam and O’Keefe. “Biomedical Data Privacy: Problems, Perspectives, and Recent Advances,” Journal of the American Medical Information Association, January 2013.
Van der Velden, El Emam. “‘Not All My Friends Need to Know’: A Qualitative Study of Teenage Patients, Privacy, and Social Media,” Journal of the American Medical Information Association, July 2012.
*Subscription required.
Hammond-Thrasher, Six Health Privacy Experiments, 2013
Conclusions
There are significant challenges facing privacy professionals and academic researchers who want to understand real risk, including:
• Research ethics
• Research funding
• The reputational concerns of personal health information custodians
The reality of the real risk scenarios examined today is that the threat agents – whether insiders or outsiders – are not bound by the constraints that govern privacy and security professionals.
Van der Velden and El Emam’s paper on sick teens using Facebook is a warning about the complexity of real risk – our assumptions about how good or bad things may be need to be tested.
Challenge Questions
For you, is the title of this talk a true statement? Should experiments like these *NEVER* be performed? Are some acceptable and not others? And if so why?
Please email your answers to: [email protected]
Chris Hammond-Thrasher
Associate Director, Consulting
Security, Privacy and Compliance
Fujitsu Canada