IT SECURITY ISSUES IN HEALTHCARE
Assoc. Prof. Dr. Zuraini Ismail
Head of Department,
Advanced Informatics School,
Universiti Teknologi Malaysia
OUTLINE
1. Introduction
2. Healthcare Information System (HIS)
3. IT Security Issues in HIS
4. Malaysia On-going Initiatives
5. Conclusion
1. Introduction
Internet Usage (World Regions)
Cyber Threats
Technology Related Threats:
• Hack Threat
• Fraud
• Malicious Code
• Denial of Service Attack
• Data Breaches
Cyber Content Related Threats:
• Sedition - Threat to National Security
• Chat, Forum & Electronic Bulletin
• Online Porn
• Harassment
Issues:
• Cross-Border Investigation & Evidential Matters
• International Collaboration
• International Laws
Top Causes of Data Breaches in 2012
Symantec: Internet Security Threat Report 2013 :: Volume 18
Data Breaches by Sector in 2012
Largest percentage of disclosed data breaches by industry. Public sector should increase efforts to protect personal information.
Symantec: Internet Security Threat Report 2013 :: Volume 18
Website Exploits by Type of Website (HEALTH)
Symantec: Internet Security Threat Report 2013 :: Volume 18
Reported Incidents based on General Incident Classification Statistics 2013
A total of 3490 incidents were referred to CyberSecurity Malaysia from 1 Jan 2013 until 30 April 2013 (monthly breakdown for Jan to Apr shown as a chart; category totals below).

Category                  No. of Incidents
Content Related                  26
Cyber Harassment                148
Denial of Service                 6
Fraud                          1564
Intrusion                      1187
Intrusion Attempt                18
Malicious Code                   66
Spam                            468
Vulnerabilities Report            7
TOTAL                          3490

MyCERT Incident Statistics (2013)
2012 Hospital Security Survey
Objective: to learn about trends in hospital security
Conducted by: Perception Solutions for Health Facilities Management (HFM) and the American Society for Healthcare Engineering (ASHE) in June 2012
Beth Burmahl and Suzanna Hoppszallern: HFM Magazine (2012)
2012 Hospital Security Survey (cont.)
Findings
• U.S. hospitals have increased security to protect their electronic records
• More than 90% of hospital respondents and 65% of physician practice respondents conducted a risk analysis
• Approximately 80% of respondents reported that their organization shares information with at least one other type of organization
• Firewalls & user access controls continue to be the most frequently used types of security technology in use by healthcare organizations
Beth Burmahl and Suzanna Hoppszallern: HFM Magazine (2012)
3rd Annual Benchmark Study on Patient Privacy & Data Security 2012
Ponemon Institute (2012)
Most likely to be lost and stolen:
• Medical Files
• Billing
• Insurance Records
Type of data that was lost or stolen (more than one choice permitted)
Medical identity theft may affect patient treatment:
• 36% experienced medical identity theft and it resulted in inaccuracies in the patient's medical record.
• 26% experienced medical identity theft and it affected the patient's medical record.
Ponemon Institute (2012)
3rd Annual Benchmark Study on Patient Privacy & Data Security 2012 (cont.)
1. Employees report the following as common causes of data breaches (more than one choice permitted):
• 46% Lost or Stolen Computing Device
• 42% Employee Mistake
• 33% Criminal Attack
• 31% Technical Glitch
2. Organizations lack defence: 67% LACK CONTROLS to prevent or detect medical identity theft
3. New technology trends threaten patient data: organizations permit employees and medical staff to use their own mobile devices such as smartphones or tablets to connect to their networks or enterprise systems such as email
Ponemon Institute (2012)
2. Healthcare Information System (HIS)
Healthcare Information System (HIS)
The transition from paper-based to paperless record systems has encouraged advances in health data management and technologies, such as the digitization of medical records, the creation of central record systems and the development of healthcare data warehouses.
Xiong, L., Xia, Y. (2007)
The use of ICT in support of health and health-related fields, including health-care services, health surveillance, health literature, and health education, knowledge and research, has the potential to greatly improve health service efficiency, expand or scale up treatment delivery to thousands of patients in developing countries, and improve patient outcomes.
Joaquin (2010)
Healthcare Information System (HIS) (cont.)
Why HIS?
• Efficient service
• Reduce cost
• Improve quality care
• Share data (HIE)
Source: A. Appari and M. Eric Johnson (2010) and J. Adler-Milstein and K. J. Ashish (2012)
Information Security and Healthcare
Information Security: the activity of protecting information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities.
Healthcare: technology innovation makes established ways of doing work in electronic health outmoded, and that leads to security incidents.
HIS and THIS in Malaysia
• Hospital Information System (HIS) and Total-HIS (THIS) are widely used in Malaysia. Adoption of HIS and Total-HIS in Malaysia is still low because the usability of the systems is not well implemented (Ismail and Abdullah, 2012).
Categories of Hospital Information System (HIS) (adapted from Nor Baizura, 2010):
• THIS: Hospital Putrajaya, Hospital Selayang, Hospital Serdang, Hospital Pandan, Hospital Ampang, Hospital Sg. Buloh, Hospital Alor Setar and Hospital Sungai Petani.
• IHIS: Hospital Keningau, Hospital Kuala Batas, and Hospital Lahad Datu.
• BHIS: Hospital Setiu, Hospital Pekan, Hospital Pitas, Hospital Kuala Penyu and Hospital Kunak.
3. IT Security Issues in HIS
Research Domains in Healthcare Information Security
(Diagram: Information Security at the centre, surrounded by the domains Providers, Public Policy, Healthcare Consumers, Inter-Organizational, and Threats to Information Privacy & Security.)
Public Policy:
• Medical Research
• Law Enforcement
• NHIN/RHIO
• Social welfare programs
• Disaster Response/Disease Control
• Pricing of Health Services
Healthcare Consumers:
• Personal Health Record Management
• Clinical Trial Participation
• Personal Disposition to Data Disclosure
Providers, Inter-Organizational, and Threats to Information Privacy & Security (topics as listed on the slide):
• Data Interoperability
• Regulatory Implications to Healthcare Practice/Technology Adoption
• Secured Data Disclosure
• Access Control
• Fraud Control
• Multi-institutional Network Security
• Privacy Concern
• Financial Risk
• Medical Identity Theft
• Health Services Subcontracting
• Integrated Healthcare Systems
• Billing & Payment Efficacy
• Impact of IT on medical errors
• RFID deployment in medication admin
• Risk analysis and assessment
• Telemedicine/eHealth
• Pervasive Computing in healthcare
• Operations management
• Information Integrity
• Network Security
• Privacy Policy Management
• Risk Management
Appari and Johnson (2010)
Information Security Culture
The security ramifications of information systems in the health informatics environment have started to permeate the national consciousness (Savastano et al., 2008; Garg and Brewer, 2011).
Incidents:
• Threats (Ganthan Narayana Samy, Zuraini Ismail & Rabiah Ahmad, 2010)
• Medical Error in DSS (Chaudry et al., 2006; Radley, 2013)
Current Solution:
• Technical Approach (Whitman et al.)
• Incident Reporting System (Feijter et al., 2012)
Information Security Culture (cont.)
Human Factor (non-technical issues, socio-technical issues): Kreamer et al. (2009)
Solution: Security Culture (Solms et al., 2010; Veiga et al., 2007; Ahmad and Alnatheer, 2009), built from:
• Knowledge (Zakaria and Gani, 2003; Thomson et al., 2006)
• Awareness (Chia et al., 2002)
• Behavior (Veiga and Eloff, 2010)
Privacy
1. Information Privacy Protection
• Awareness: Not currently practiced – due to cost factor and lack of patient awareness.
• Consent: Not strictly practiced – due to lack of awareness.
• Access: Accessible, but not with easy procedures, and sometimes incurs some costs.
• Integrity / Security: Strictly practiced in order to protect PMI.
• Enforcement: No specific act has been enacted to protect PMI privacy in government hospitals, except for the standard ethical code of professional conduct.
Suhaila Samsuri, Zuraini Ismail & Rabiah Ahmad (2013)
Privacy (cont.)
2. Privacy Mechanism in Securing PMI
• Legislation: based on any information privacy or data protection act enforced in that country.
• Ethical Code of Conduct: based on hospital or the ministry's policies & medical act.
• Privacy Protection Technology: enhancing the PMI database & management system in accordance with the latest privacy mechanism technologies.
• Privacy Awareness: continuous training & education need to be provided for all personnel in HIS hospitals.
Suhaila Samsuri, Zuraini Ismail & Rabiah Ahmad (2013)
Privacy (cont.)
3. Cultural Factors
Power Distance (supported):
• Government hospital is the best protector of patients' medical information
• Rarely complain about any policies enforced over procedures in collecting, using and handling their PMI
• Public do believe in their rights over PMI; however, they seldom express it.
Collectivism (supported):
• Prefer to share sensitive PMI cases with close or extended family
• Put more confidence in familiar or recognized staff to handle their PMI rather than a stranger
Suhaila Samsuri, Zuraini Ismail & Rabiah Ahmad (2013)
4. Malaysia On-going Initiatives
Malaysia On-going Initiatives
FIRST PHASE
• Malaysia Health Information Exchange (MyHIX)
• Malaysian Healthcare Data Warehouse (MyHDW)
• MoH's Patient Management System
• Hospital Management System (HIS@KKM)
• Medical Treatment Information System
• The Malaysian DRG (Diagnostic Related Groups) Casemix System
SECOND PHASE
• Cloud Computing Technologies
• A Feasibility Study for a Centralised Patient Registry System
• Development of a Family Health Reporting System Using Data Visualiser
• Upgrade Public Health Laboratory System Services
• A Joint Consultancy Services
Related Privacy Act in Malaysia
Personal Data Protection Act (PDPA) 2010: applicable to all businesses in the private sector that process personal data (including sensitive personal data) in respect of commercial transactions.
Sensitive Personal Data: consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence or any other personal data
Related Privacy Act in Malaysia (cont.)
Commercial Transactions: any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010.
What is NOT protected by PDPA 2010?
• Data processed by Federal & State Government
• Data solely & wholly processed outside Malaysia
• Data processed in non-commercial transactions
• Data processed for credit reporting business under the Credit Reporting Agencies Act 2010
Critical National Information Infrastructure (CNII)
Those assets (real and virtual), systems and functions that are so vital to the nation that their incapacity or destruction would have a devastating impact on:
• National Economic Strength
• National Image
• Government Capability to Function
• National Defence & Security
• Public Health & Safety
CNII SECTORS
• Banking & Finance
• Information & Communications
• National Defence & Security
• Energy
• Water
• Government
• Transportation
• Emergency Services
• Health Services
• Food & Agriculture
http://cnii.cybersecurity.my/
5. Conclusion
Conclusion
1. Security issues
• Vulnerabilities & Threats
• Physical Security
• Information Security Culture
• PMI Privacy
Conclusion (cont.)
2. Need to identify the current problems from the different views of users, and appropriate solutions to protect the privacy and confidentiality of PMI.
Recommendations
• Defense in Depth: emphasize multiple, overlapping, and mutually supportive defensive systems
• Educate Employees: raise employees' awareness about the risks of social engineering and counter it with staff training
• Data Loss Prevention: prevent data loss and exfiltration with data loss protection software on the network.
Symantec: Internet Security Threat Report 2013 :: Volume 18
Recommendations (cont.)
• Use a Full Range of Protection Technology: antivirus is not enough; network-based protection & reputation technology must be deployed on endpoints to help prevent attacks
• Protect Public-facing Websites: consider Always On SSL to encrypt visitors' interactions
• Protect Code-signing Certificates: certificate owners should apply rigorous protection & security policies to safeguard keys
• Software Updating and Review Patching Processes: it's essential to update and patch all software promptly
Symantec: Internet Security Threat Report 2013 :: Volume 18
How to Reduce Risks
• Develop and implement plans for incident risk assessment and data breach response.
• Structure information security to report directly to the Board, to demonstrate commitment to data privacy and security.
• Conduct annual risk assessments of data privacy and security.
• Update policies and procedures to include cloud, mobile devices and BYOD.
Ponemon Institute (2012)
Risk Analysis for Healthcare Environment
• To identify potential or influential information security threats.
• Adopt medical research design & adapt it into the risk management process.
• Outcomes: identify the gaps in the existing security controls, policies and procedures
Ganthan Narayana Samy, Zuraini Ismail and Rabiah Ahmad (2012)
General Risk Management Processes with Adoption and Adaption of Medical Research Design and Approach in Risk Management Process
Ganthan Narayana Samy, Zuraini Ismail and Rabiah Ahmad (2012)
Conclusion (cont.)
3. Raise Awareness: identify the information security cultural factors in the healthcare informatics environment:
• Security Behaviour
• Security Knowledge
• Security Awareness
Noor Hafizah Hassan & Zuraini Ismail (2012)
Future Research Areas
• Threats to Information Privacy And Security
• Privacy concerns among healthcare consumers
• Providers' perspective of regulatory compliance
• Information-access control
• Data interoperability and information security
• Information security issues of ehealth
• Information security risks in authorised data disclosure
• Information integrity in healthcare
• Financial Risk
• Regulatory implications for healthcare practice
• Information security risk management
Appari and Johnson (2010)
Appreciation
• Organizing Committee, Health IT Security Forum Workshop 2013
• United Nations University International Institute for Global Health (UNU-IIGH)
• All HIS researchers at UTM
Thank you
Assoc. Prof. Dr. Zuraini Ismail
[email protected]
ADVANCED INFORMATICS SCHOOL (UTM AIS)
UNIVERSITI TEKNOLOGI MALAYSIA
JALAN SEMARAK 54100 KUALA LUMPUR
WILAYAH PERSEKUTUAN
MALAYSIA
PHONE NUMBER: +603-21805202
FAX NUMBER: +603-21805370