IT SECURITY ISSUES IN HEALTHCARE
Assoc. Prof. Dr. Zuraini Ismail
Head of Department, Advanced Informatics School, Universiti Teknologi Malaysia

OUTLINE
1 Introduction
2 Healthcare Information System (HIS)
3 IT Security Issues in HIS
4 Malaysia On-going Initiatives
5 Conclusion

1 Introduction

Internet Usage (World Regions)
(chart only; no figures survive from the slide)

Cyber Threats
Technology-related threats: hack threat, fraud, malicious code, denial of service attack, data breaches.
Content-related threats: sedition (threat to national security), chat, forum and electronic bulletin boards, online porn, harassment.
Issues: cross-border investigation and evidential matters, international collaboration, international laws.

Top Causes of Data Breaches in 2012
(chart) Source: Symantec, Internet Security Threat Report 2013, Volume 18

Data Breaches by Sector in 2012
Largest percentage of disclosed data breaches by industry. The public sector should increase its efforts to protect personal information.
Source: Symantec, Internet Security Threat Report 2013, Volume 18

Website Exploits by Type of Website
(chart; the HEALTH category is highlighted) Source: Symantec, Internet Security Threat Report 2013, Volume 18

Reported Incidents Based on General Incident Classification Statistics 2013
A total of 3490 incidents were referred to CyberSecurity Malaysia between 1 January 2013 and 30 April 2013 (MyCERT Incident Statistics, 2013; the slide charts the monthly counts for January to April).
Incident class           Incidents
Content Related                 26
Cyber Harassment               148
Denial of Service                6
Fraud                         1564
Intrusion                     1187
Intrusion Attempt               18
Malicious Code                  66
Spam                           468
Vulnerabilities Report           7
Total                         3490

2012 Hospital Security Survey
Objective: to learn about trends in hospital security. Conducted in June 2012 by Perception Solutions for Health Facilities Management (HFM) and the American Society for Healthcare Engineering (ASHE).
Source: Beth Burmahl and Suzanna Hoppszallern, HFM Magazine (2012)

2012 Hospital Security Survey (cont.)
Findings:
• U.S. hospitals have increased security to protect their electronic records.
• More than 90% of hospital respondents and 65% of physician practice respondents conducted a risk analysis.
• Approximately 80% of respondents reported that their organization shares information with at least one other type of organization.
• Firewalls and user access controls continue to be the most frequently used security technologies in healthcare organizations.
Source: Beth Burmahl and Suzanna Hoppszallern, HFM Magazine (2012)

3rd Annual Benchmark Study on Patient Privacy & Data Security 2012 (Ponemon Institute, 2012)
• Data most likely to be lost or stolen: medical files, billing and insurance records.
• Type of data that was lost or stolen (chart; more than one choice permitted).
• Medical identity theft may affect patient treatment: 36% experienced medical identity theft that resulted in inaccuracies in the patient's medical record; 26% experienced medical identity theft that affected the patient's medical record.

3rd Annual Benchmark Study on Patient Privacy & Data Security 2012 (cont.)
1. Employees report the following as common causes of data breaches (more than one choice permitted):
   Lost or stolen computing device 46%
   Employee mistake 42%
   Criminal attack 33%
   Technical glitch 31%
2. Organizations lack defence: 67% lack controls to prevent or detect medical identity theft.
3. New technology trends threaten patient data: organizations permit employees and medical staff to use their own mobile devices, such as smartphones or tablets, to connect to their networks or to enterprise systems such as email.
Source: Ponemon Institute (2012)

2 Healthcare Information System (HIS)

Healthcare Information System (HIS)
The transition from paper-based to paperless record systems has encouraged advances in health data management and technology, such as the digitization of medical records, the creation of central record systems and the development of healthcare data warehouses (Xiong and Xia, 2007).
The use of ICT in support of health and health-related fields, including health-care services, health surveillance, health literature, and health education, knowledge and research, has the potential to greatly improve health service efficiency, expand or scale up treatment delivery to thousands of patients in developing countries, and improve patient outcomes (Joaquin, 2010).

Healthcare Information System (HIS) (cont.)
Why HIS?
• Efficient service
• Reduced cost
• Improved quality of care
• Data sharing (health information exchange, HIE)
Source: A. Appari and M. E. Johnson (2010); J. Adler-Milstein and A. K. Jha (2012)

Information Security and Healthcare
Information security: the activity of protecting information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities.
Healthcare: technology innovation makes established ways of working in electronic health outmoded, and that leads to security incidents.

HIS and THIS in Malaysia
• Hospital Information System (HIS) and Total HIS (THIS) are widely used in Malaysia, yet adoption is still low because system usability is not well implemented (Ismail and Abdullah, 2012).
Categories of Hospital Information System (adapted from Nor Baizura, 2010):
THIS: Hospital Putrajaya, Hospital Selayang, Hospital Serdang, Hospital Pandan, Hospital Ampang, Hospital Sg. Buloh, Hospital Alor Setar and Hospital Sungai Petani.
IHIS: Hospital Keningau, Hospital Kuala Batas and Hospital Lahad Datu.
BHIS: Hospital Setiu, Hospital Pekan, Hospital Pitas, Hospital Kuala Penyu and Hospital Kunak.
3 IT Security Issues in HIS

Research Domains in Healthcare Information Security (Appari and Johnson, 2010)
(figure) Domains: Public Policy; Healthcare Consumers; Providers; Inter-Organizational; Information Security; Threats to Information Privacy & Security. Topics: data interoperability; regulatory implications for healthcare practice and technology adoption; secured data disclosure; medical research; law enforcement; NHIN/RHIO; social welfare programs; disaster response and disease control; pricing of health services; personal health record management; clinical trial participation; personal disposition to data disclosure; access control; fraud control; multi-institutional network security; privacy concern; financial risk; medical identity theft; health services subcontracting; integrated healthcare systems; billing and payment efficacy; impact of IT on medical errors; RFID deployment in medication administration; risk analysis and assessment; telemedicine/eHealth; pervasive computing in healthcare; operations management; information integrity; network security; privacy policy management; risk management.

Information Security Culture
Security ramifications of information systems in the health informatics environment have started to permeate the national consciousness (Savastano et al., 2008; Garg and Brewer, 2011).
• Incidents: medical error in DSS (Chaudry et al., 2006; Radley, 2013); threats (Ganthan Narayana Samy, Zuraini Ismail & Rabiah Ahmad, 2010)
• Current solutions: technical approach (Whitman et al.); incident reporting system (Feijter et al., 2012)

Information Security Culture (cont.)
• Human factor: non-technical and socio-technical issues (Kreamer et al., 2009)
• Solution: security culture (Solms et al., 2010; Veiga et al., 2007; Ahmad and Alnatheer, 2009), built on knowledge (Zakaria and Gani, 2003; Thomson et al., 2006), awareness (Chia et al., 2002) and behaviour (Veiga and Eloff, 2010)

Privacy
1. Information Privacy Protection (Suhaila Samsuri, Zuraini Ismail & Rabiah Ahmad, 2013)
Awareness: not currently practiced, due to cost and lack of patient awareness.
Consent: not strictly practiced, due to lack of awareness.
Access: accessible, but not with easy procedures, and sometimes incurring costs.
Integrity / Security: strictly practiced in order to protect PMI privacy in government hospitals.
Enforcement: no specific act enacted, except for the standard ethical code of professional conduct.

Privacy (cont.)
2. Privacy Mechanisms in Securing PMI
• Legislation: based on any information privacy or data protection act enforced in that country.
• Ethical code of conduct: based on hospital or ministry policies and the medical act.
• Privacy protection technology: enhancing the PMI database and management system in line with the latest privacy mechanism technologies.
• Privacy awareness: continuous training and education for all personnel in HIS hospitals.
Source: Suhaila Samsuri, Zuraini Ismail & Rabiah Ahmad (2013)

Privacy (cont.)
3. Cultural Factors
Power distance (supported):
• Government hospitals are seen as the best protector of patients' medical information.
• Patients rarely complain about policies enforced over procedures for collecting, using and handling their PMI.
• The public believe in their rights over PMI, but seldom express them.
Collectivism (supported):
• Prefer to share sensitive PMI cases with close or extended family.
• Put more confidence in familiar or recognized staff to handle their PMI than in a stranger.
Source: Suhaila Samsuri, Zuraini Ismail & Rabiah Ahmad (2013)

4 Malaysia On-going Initiatives

Malaysia On-going Initiatives
First phase:
• Malaysia Health Information Exchange (MyHIX)
• Malaysian Healthcare Data Warehouse (MyHDW)
• MoH's Patient Management System
• Hospital Management System (HIS@KKM)
• Medical Treatment Information System
• The Malaysian DRG (Diagnostic Related Groups) Casemix System
Second phase:
• Cloud computing technologies
• A feasibility study for a centralised patient registry system
• Development of a family health reporting system using Data Visualiser
• Upgrade of public health laboratory system services
• A joint consultancy services

Related Privacy Act in Malaysia: Personal Data Protection Act (PDPA) 2010
Applicable to all businesses in the private sector that process personal data (including sensitive personal data) in respect of commercial transactions.
Sensitive personal data: information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence, or any other personal data

Related Privacy Act in Malaysia (cont.)
Commercial transactions: any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but not including a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010.
What is NOT protected by PDPA 2010?
• Data processed by Federal and State Government
• Data solely and wholly processed outside Malaysia
• Data processed in non-commercial transactions
• Data processed for a credit reporting business under the Credit Reporting Agencies Act 2010

Critical National Information Infrastructure (CNII)
Those assets (real and virtual), systems and functions that are vital to the nation, such that their incapacity or destruction would have a devastating impact on: national economic strength; national image; national defence and security; government capability to function; public health and safety.
CNII sectors: National Defence & Security; Banking & Finance; Information & Communications; Energy; Transportation; Water; Health Services; Government; Emergency Services; Food & Agriculture.
Source: http://cnii.cybersecurity.my/

5 Conclusion

Conclusion
1. Security issues
• Vulnerabilities and threats
• Physical security
• Information security culture
• PMI privacy

Conclusion (cont.)
2. Need to identify the current problems from the viewpoints of different users, and appropriate solutions to protect the privacy and confidentiality of PMI.

Recommendations (Symantec, Internet Security Threat Report 2013, Volume 18)
• Defense in depth: emphasize multiple, overlapping, and mutually supportive defensive systems.
• Educate employees: raise employees' awareness of the risks of social engineering and counter it with staff training.
• Data loss prevention: prevent data loss and exfiltration with data loss protection software on the network.
• Use a full range of protection technology: antivirus is not enough; network-based protection and reputation technology must be deployed on endpoints to help prevent attacks.
• Protect public-facing websites: consider Always On SSL to encrypt visitors' interactions.
• Protect code-signing certificates: certificate owners should apply rigorous protection and security policies to safeguard keys.
• Software updating and review of patching processes: it is essential to update and patch all software promptly.

How to Reduce Risks (Ponemon Institute, 2012)
• Develop and implement plans for incident risk assessment and data breach response.
• Structure information security to report directly to the Board, to demonstrate commitment to data privacy and security.
• Conduct annual risk assessments of data privacy and security.
• Update policies and procedures to include cloud, mobile devices and BYOD.

Risk Analysis for the Healthcare Environment (Ganthan Narayana Samy, Zuraini Ismail and Rabiah Ahmad, 2012)
• Identify potential or influential information security threats.
• Adopt medical research design and adapt it into the risk management process.
• Outcome: identify the gaps in the existing security controls, policies and procedures.
(figure) General risk management processes with adoption and adaptation of medical research design and approach in the risk management process (Ganthan Narayana Samy, Zuraini Ismail and Rabiah Ahmad, 2012)

Conclusion (cont.)
3. Raise awareness: identify the information security cultural factors in the healthcare informatics environment, namely security behaviour, security knowledge and security awareness (Noor Hafizah Hassan & Zuraini Ismail, 2012).

Future Research Areas (Appari and Johnson, 2010)
• Threats to information privacy and security
• Privacy concerns among healthcare consumers
• Providers' perspective of regulatory compliance
• Information-access control
• Data interoperability and information security
• Information security issues of e-health
• Information security risks in authorised data disclosure
• Information integrity in healthcare
• Financial risk
• Regulatory implications for healthcare practice
• Information security risk management

Appreciation
Organizing Committee, Health IT Security Forum Workshop 2013; United Nations University International Institute for Global Health (UNU-IIGH); all HIS researchers at UTM.

Thank you
Assoc. Prof. Dr. Zuraini Ismail, [email protected]
Advanced Informatics School (UTM AIS), Universiti Teknologi Malaysia, Jalan Semarak, 54100 Kuala Lumpur, Wilayah Persekutuan, Malaysia
Phone: +603-21805202; Fax: +603-21805370
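Appendix: a worked check for the "Protect public-facing websites: consider Always On SSL" recommendation in the Symantec list above. The script below is added here and is not code from the original deck or from the Symantec report. It takes two captured responses for a site, one over plain HTTP and one over HTTPS, and reports what keeps a visitor's session from falling back to cleartext: a permanent redirect from http:// to https:// on the same host, a Strict-Transport-Security header with a long max-age and includeSubDomains, and Secure/HttpOnly on every cookie issued over HTTPS. The host name his.example.test, the captured responses and the one-year max-age threshold are constructed for illustration; the Response class is a stand-in for whatever the scanner or HTTP client actually returns.

```python
"""Always On SSL posture check over captured HTTP responses.

Added example, not code from the original deck or from the Symantec report.
Inputs are constructed: a hypothetical hospital portal 'his.example.test'
with one response captured over plain HTTP and one over HTTPS.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlparse


@dataclass
class Response:
    """Minimal view of a captured response: status code, headers, cookies."""
    status: int
    headers: Dict[str, str]
    set_cookies: List[str] = field(default_factory=list)  # raw Set-Cookie values

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


MIN_HSTS_MAX_AGE = 31536000  # one year; assumed threshold, the usual preload minimum


def parse_hsts(value: str) -> Tuple[int, Set[str]]:
    """Split 'max-age=N; includeSubDomains; preload' into (N, {lower-case flags})."""
    max_age = 0
    flags: Set[str] = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        if "=" in directive:
            key, raw = directive.split("=", 1)
            if key.strip().lower() == "max-age":
                try:
                    max_age = int(raw.strip().strip('"'))
                except ValueError:
                    max_age = 0  # an unparseable max-age gives no protection
        else:
            flags.add(directive.lower())
    return max_age, flags


def assess_always_on_ssl(http_resp: Response, https_resp: Response, host: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []

    # 1. Plain-HTTP requests must be redirected permanently, and only to
    #    https:// on the same host (a redirect elsewhere still leaks that hop).
    if http_resp.status not in (301, 308):
        findings.append(f"http: no permanent redirect to HTTPS (status {http_resp.status})")
    else:
        location = http_resp.header("Location") or ""
        target = urlparse(location)
        if target.scheme != "https" or target.hostname != host:
            findings.append(f"http: redirect target is not https://{host} ({location or 'no Location'})")

    # 2. The HTTPS response must pin returning browsers to HTTPS with HSTS.
    hsts = https_resp.header("Strict-Transport-Security")
    if hsts is None:
        findings.append("https: Strict-Transport-Security header missing")
    else:
        max_age, flags = parse_hsts(hsts)
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"https: HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in flags:
            findings.append("https: HSTS lacks includeSubDomains")

    # 3. Cookies issued over HTTPS must never be sent in the clear or read by script.
    for raw in https_resp.set_cookies:
        name = raw.split("=", 1)[0].strip()
        attrs = {part.strip().lower() for part in raw.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure attribute")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: missing HttpOnly attribute")

    return findings


# Constructed captures for the hypothetical portal, before and after hardening.
HOST = "his.example.test"

WEAK_HTTP = Response(200, {"Content-Type": "text/html"})
WEAK_HTTPS = Response(200, {"Content-Type": "text/html"},
                      set_cookies=["PHPSESSID=abc123; Path=/"])

HARDENED_HTTP = Response(301, {"Location": f"https://{HOST}/"})
HARDENED_HTTPS = Response(
    200,
    {"Content-Type": "text/html",
     "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    set_cookies=["PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"],
)


if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)),
                        ("hardened", (HARDENED_HTTP, HARDENED_HTTPS))):
        result = assess_always_on_ssl(*pair, HOST)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

The weak capture fails on four counts (no redirect, no HSTS, and a session cookie without Secure or HttpOnly); the hardened capture passes. A 302 redirect or a redirect to a different host is reported as a failure on purpose: a temporary redirect is re-fetched over cleartext on every visit, and a cross-host redirect means the browser still sent the first request, cookies included, in the clear.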