
IT SECURITY ISSUES IN HEALTHCARE

Assoc. Prof. Dr. Zuraini Ismail, Head of Department, Advanced Informatics School, Universiti Teknologi Malaysia



  1. IT SECURITY ISSUES IN HEALTHCARE
     Assoc. Prof. Dr. Zuraini Ismail, Head of Department, Advanced Informatics School, Universiti Teknologi Malaysia

  2. OUTLINE
     1 • Introduction
     2 • Healthcare Information System (HIS)
     3 • IT Security Issues in HIS
     4 • Malaysia On-going Initiatives
     5 • Conclusion


  4. 1 • Introduction

  5. Internet Usage (World Regions)

  6. Cyber Threats
     Technology Related Threats:
     • Hack Threat
     • Fraud
     • Malicious Code
     • Denial of Service Attack
     • Data Breaches
     Content Related Threats:
     • Sedition (threat to national security)
     • Chat, Forum & Electronic Bulletin
     • Online Porn
     • Harassment
     Issues:
     • Cross-Border Investigation & Evidential Matters
     • International Collaboration
     • International Laws

  7. Top Causes of Data Breaches in 2012
     Source: Symantec: Internet Security Threat Report 2013 :: Volume 18

  8. Data Breaches by Sector in 2012
     • Healthcare industry: largest percentage of disclosed data breaches by industry
     • Public sector should increase efforts to protect personal information
     Source: Symantec: Internet Security Threat Report 2013 :: Volume 18

  9. Website Exploits by Type of Website (health websites highlighted)
     Source: Symantec: Internet Security Threat Report 2013 :: Volume 18

  10. Reported Incidents Based on General Incident Classification Statistics 2013
     A total of 3490 incidents were referred to CyberSecurity Malaysia from 1 Jan 2013 until 30 April 2013.
     Source: MyCERT Incident Statistics (2013)

  11. 2012 Hospital Security Survey
     Objective: to learn about trends in hospital security
     Conducted by: Perception Solutions for Health Facilities Management (HFM) and the American Society for Healthcare Engineering (ASHE) in June 2012
     Source: Beth Burmahl and Suzanna Hoppszallern: HFM Magazine (2012)

  12. 2012 Hospital Security Survey (cont.)
     Findings:
     • U.S. hospitals have increased security to protect their electronic records
     • More than 90% of hospital respondents and 65% of physician practice respondents conducted a risk analysis
     • Approximately 80% of respondents reported that their organization shares information with at least one other type of organization
     • Firewalls and user access controls continue to be the most frequently used types of security technology in healthcare organizations
     Source: Beth Burmahl and Suzanna Hoppszallern: HFM Magazine (2012)

  13. 3rd Annual Benchmark Study on Patient Privacy & Data Security 2012
     Source: Ponemon Institute (2012)

  14. 3rd Annual Benchmark Study on Patient Privacy & Data Security 2012 (cont.)
     Most likely to be lost or stolen:
     • Medical files
     • Billing and insurance records
     Source: Ponemon Institute (2012)

  15. 3rd Annual Benchmark Study on Patient Privacy & Data Security 2012 (cont.)
     Type of data that was lost or stolen (more than one choice permitted)
     Source: Ponemon Institute (2012)

  16. 3rd Annual Benchmark Study on Patient Privacy & Data Security 2012 (cont.)
     Medical identity theft may affect patient treatment:
     • 36% experienced medical identity theft and it resulted in inaccuracies in the patient's medical record
     • 26% experienced medical identity theft and it affected the patient's medical record
     Source: Ponemon Institute (2012)

  17. 3rd Annual Benchmark Study on Patient Privacy & Data Security 2012 (cont.)
     Source: Ponemon Institute (2012)

  18. 3rd Annual Benchmark Study on Patient Privacy & Data Security 2012 (cont.)
     How does it happen?
     1. Employees report the following as common causes of data breaches (more than one choice permitted):
        • 31% Technical glitch
        • 33% Criminal attack
        • 42% Employee mistake
        • 46% Lost or stolen computing device
     2. Organizations lack defence: 67% lack controls to prevent or detect medical identity theft
     Source: Ponemon Institute (2012)

  19. 3rd Annual Benchmark Study on Patient Privacy & Data Security 2012 (cont.)
     How does it happen?
     3. New technology trends threaten patient data
     Source: Ponemon Institute (2012)

  20. 3rd Annual Benchmark Study on Patient Privacy & Data Security 2012 (cont.)
     Organizations permit employees and medical staff to use their own mobile devices, such as smartphones or tablets, to connect to their networks or enterprise systems such as email.
     Source: Ponemon Institute (2012)

  21. 3rd Annual Benchmark Study on Patient Privacy & Data Security 2012 (cont.)
     Source: Ponemon Institute (2012)


  23. 2 • Healthcare Information System (HIS)

  24. Healthcare Information System (HIS)
     • The transition from paper-based to paperless record systems has encouraged advances in health data management and technologies, such as the digitization of medical records, the creation of central record systems and the development of healthcare data warehouses. (Xiong, L., Xia, Y., 2007)
     • The use of ICT in support of health and health-related fields, including health-care services, health surveillance, health literature, and health education, knowledge and research, has the potential to greatly improve health service efficiency, expand or scale up treatment delivery to thousands of patients in developing countries, and improve patient outcomes. (Joaquin, 2010)

  25. Healthcare Information System (HIS) (cont.)
     Why HIS?
     • Efficient service
     • Reduce cost
     • Improve quality of care
     • Share data (HIE)
     Source: A. Appari and M. Eric Johnson (2010) and J. Adler-Milstein and K. J. Ashish (2012)

  26. Information Security and Healthcare
     Information Security: the activity of protecting information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities.
     Healthcare: technology innovation makes established ways of working in electronic health outmoded, and that leads to security incidents.

  27. HIS and THIS in Malaysia
     • Hospital Information System (HIS) and Total-HIS are widely used in Malaysia. Adoption of HIS and Total-HIS in Malaysia is still low because system usability is not well implemented. (Ismail and Abdullah, 2012)
     • Categories of Hospital Information System (HIS) (adapted from Nor Baizura, 2010)


  29. 3 • IT Security Issues in HIS

  30. Research Domains in Healthcare Information Security
     • Data Interoperability
     • Regulatory Implications to Healthcare Practice/Technology Adoption
     • Secured Data Disclosure
     • Privacy Concern
     • Financial Risk
     • Medical Identity Theft
     • Healthcare Consumers
     • Personal Health Record Management
     • Clinical Trial Participation
     • Personal Disposition to Data Disclosure
     • Public Policy
     • Medical Research
     • Law Enforcement
     • NHIN/RHIO
     • Social Welfare Programs
     • Disaster Response/Disease Control
     • Pricing of Health Services
     • Providers
     • Impact of IT on Medical Errors
     • RFID Deployment in Medication Administration
     • Risk Analysis and Assessment
     • Telemedicine/eHealth
     • Pervasive Computing in Healthcare
     • Operations Management
     Information Security: Threats to Information Privacy & Security
     • Inter-Organizational
     • Health Services Subcontracting
     • Integrated Healthcare Systems
     • Billing & Payment Efficacy
     • Access Control
     • Information Integrity
     • Network Security
     • Privacy Policy Management
     • Risk Management
     • Access Control
     • Data Interoperability
     • Fraud Control
     • Multi-institutional Network Security
     Source: Appari and Johnson (2010)

  31. Information Security Culture
     The security ramifications of information systems in the health informatics environment have started to permeate the national consciousness. (Savastano et al., 2008; Garg and Brewer, 2011)
     Incidents:
     • Medical error in DSS (Chaudry et al., 2006; Radley, 2013)
     • Threats (Ganthan Narayana Samy, Zuraini Ismail & Rabiah Ahmad, 2010)
     Current solutions:
     • Technical approach (Whitman et al.)
     • Incident reporting system (Feijter et al., 2012)

  32. Information Security Culture (cont.)
     Human factor (non-technical issues, socio-technical issues): Kreamer et al. (2009)
     Solution: security culture (Solms et al., 2010; Veiga et al., 2007; Ahmad and Alnatheer, 2009)
     • Knowledge (Zakaria and Gani, 2003; Thomson et al., 2006)
     • Awareness (Chia et al., 2002)
     • Behavior (Veiga and Eloff, 2010)

  33. Privacy
     Studies have shown that:
     1. Information privacy protection
        • Awareness: not currently practiced, due to the cost factor and lack of patient awareness.
        • Consent: not strictly practiced, due to lack of awareness.
        • Access: accessible, but not with easy procedures, and sometimes incurs some costs.
        • Integrity / Security: strictly under-practiced.
        • Enforcement: no specific act has been enacted to protect PMI privacy in government hospitals, except for the standard ethical code of professional conduct.
     Source: Suhaila Samsuri, Zuraini Ismail & Rabiah Ahmad (2013)

  34. Privacy (cont.)
     2. Privacy mechanisms in securing PMI
        • Legislation: based on any information privacy or data protection act enforced in that country.
        • Ethical code of conduct: based on hospital or ministry policies and the medical act.
        • Privacy protection technology: enhancing the PMI database and management system in accordance with the latest privacy mechanism technologies.
        • Privacy awareness: continuous training and education need to be provided for all personnel in HIS hospitals.
     Source: Suhaila Samsuri, Zuraini Ismail & Rabiah Ahmad (2013)

  35. Privacy (cont.)
     3. Cultural factors
        Power distance: supported
        • Government hospital is seen as the best protector of patients' medical information
        • Patients rarely complain about any policies enforced over procedures for collecting, using and handling their PMI
        • The public do believe in their rights over PMI; however, they seldom express them
        Collectivism: supported
        • Prefer to share a sensitive PMI case with close or extended family
        • Put more confidence in familiar or recognized staff to handle their PMI rather than a stranger
     Source: Suhaila Samsuri, Zuraini Ismail & Rabiah Ahmad (2013)


  37. 4 • Malaysia On-going Initiatives

  38. Malaysia On-going Initiatives
     First phase:
     • Malaysia Health Information Exchange (MyHIX)
     • Malaysian Healthcare Data Warehouse (MyHDW)
     • Medical Treatment Information System
       • MoH's Patient Management System
       • Hospital Management System (HIS@KKM)
       • The Malaysian DRG (Diagnostic Related Groups) Casemix System
     Second phase:
     • Cloud Computing Technologies
     • A Feasibility Study for a Centralised Patient Registry System
     • Upgrade Public Health Laboratory System Services
     • Development of a Family Health Reporting System Using Data Visualiser
     • A Joint Consultancy Services

  39. Related Privacy Act in Malaysia
     Personal Data Protection Act (PDPA) 2010
     • Applicable to all businesses in the private sector that process personal data (including sensitive personal data) in respect of commercial transactions
     Sensitive Personal Data: information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence, or any other personal data

  40. Related Privacy Act in Malaysia (cont.)
     Commercial Transactions: any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but not including a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010.
     What is NOT protected by PDPA 2010?
     • Data processed by Federal and State Government
     • Data solely and wholly processed outside Malaysia
     • Data processed in non-commercial transactions
     • Data processed for credit reporting business under the Credit Reporting Agencies Act 2010

  41. Critical National Information Infrastructure (CNII)
     Those assets (real and virtual), systems and functions that are so vital to the nation that their incapacity or destruction would have a devastating impact on:
     • National Economic Strength
     • National Image
     • National Defence & Security
     • Government Capability to Function
     • Public Health & Safety
     CNII sectors:
     • National Defence & Security
     • Energy
     • Water
     • Government
     • Banking & Finance
     • Emergency Services
     • Information & Communications
     • Food & Agriculture
     • Transportation
     • Health Services
     Source: http://cnii.cybersecurity.my/


  43. 5 • Conclusion

  44. Conclusion
     1. Security issues
        • Vulnerabilities & Threats
        • Physical Security
        • Information Security Culture
        • PMI Privacy

  45. Conclusion (cont.)
     Need to identify the current problems from the different views of users.
     2. Appropriate solutions
        • To protect the privacy and confidentiality of PMI

  46. Recommendations
     Defense in Depth
     • Emphasize multiple, overlapping, and mutually supportive defensive systems
     Educate Employees
     • Raise employees' awareness about the risks of social engineering and counter it with staff training
     Data Loss Prevention
     • Prevent data loss and exfiltration with data loss protection software on the network
     Source: Symantec: Internet Security Threat Report 2013 :: Volume 18

  47. Recommendations (cont.)
     Use a Full Range of Protection Technology
     • Antivirus is not enough
     • Network-based protection and reputation technology must be deployed on endpoints to help prevent attacks
     Protect Public-facing Websites
     • Consider Always On SSL to encrypt visitors' interactions
     Protect Code-signing Certificates
     • Certificate owners should apply rigorous protection and security policies to safeguard keys
     Software Updating and Review Patching Processes
     • It is essential to update and patch all software promptly
     Source: Symantec: Internet Security Threat Report 2013 :: Volume 18

  48. How to Reduce Risks
     • Develop and implement plans for incident risk assessment and data breach response.
     • Structure information security to report directly to the Board, to demonstrate commitment to data privacy and security.
     • Conduct annual risk assessments of data privacy and security.
     • Update policies and procedures to include cloud, mobile devices and BYOD.
     Source: Ponemon Institute (2012)

  49. Risk Analysis for Healthcare Environment
     Aim: to identify potential or influential information security threats.
     Approach: adopt medical research design and adapt it into the risk management process.
     Outcomes: identify the gaps in the existing security controls, policies and procedures.
     Source: Ganthan Narayana Samy, Zuraini Ismail and Rabiah Ahmad (2012)

  50. General Risk Management Processes with Adoption and Adaptation of Medical Research Design and Approach in the Risk Management Process
     Source: Ganthan Narayana Samy, Zuraini Ismail and Rabiah Ahmad (2012)
