
1 Exposing the Data Risks and Offering the Recommendations for the Secure Consumerization of e-Health Jason Lin, Corporate Security Officer Tuesday, May 28, 2013

2 Faculty/Presenter Disclosure Faculty: Jason Lin Relationships with commercial interests: – None

3 Background: Personal Videoconferencing (PCVC). Access, Productivity, Quality.

4 Scope Timeline
2012: Laptops, Providers
2013: Tablets, Providers
Review of policies and agreements to support the PCVC service
Focus on the extension of the PCVC service to mobile device platforms (Android and iOS)
Mobile Devices: ???

5 “Our mission is to develop and support telemedicine solutions that enhance access and quality of health care in Ontario, and inspire adoption by health care providers, organizations, and the public.” Access “and” Quality

6 Quality includes Information Security: the CIA Triad (Confidentiality, Integrity, Availability)
Confidentiality: Privacy of patients depends upon maintaining the confidentiality of personal health information (PHI) at all times.
Integrity: Patient safety depends upon maintaining the integrity of PHI (e.g. ensuring no systematic errors exist). Failure to maintain integrity can result in illness, injury or even death.
Availability: In order to provide safe care, HCP must have ready access to important PHI before, during and after providing care.

7 Center for Information Technology Leadership (CITL) Maturity Model

8 PCVC Threat Risk Assessment Findings
[Risk matrix: Impact (Very Low to Very High) against Likelihood (Very Low to Very High); R1, R3 and R4 are plotted together, R2 separately]
R1: Unauthorised disclosure of PHI due to re-provisioned or lost/stolen device containing Vidyo Mobile logs
R2: Inadvertent exposure and unauthorised access to PCVC sessions due to limitations in Guestlink operations and configuration
R3: Breach of physician privacy due to lack of end user guidance and surreptitious recording capabilities of consultations by end users/patients, especially within a BYOD configuration
R4: Limitations and complexity within policies, MOUs, member and end user guidance, coupled with presence of PHI on mobile devices

9 Defense In Depth Safeguards: Technology, Process, People

10 R1: “Unauthorised disclosure of PHI due to re-provisioned or lost/stolen device containing Vidyo Mobile Logs”
Safeguard: No PHI / Anonymized PHI / Pseudonymized PHI / Explicit PHI; do not leave your mobile device unattended
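The four levels on this slide (no PHI, anonymized, pseudonymized, explicit) decide what a lost device's client log can leak, and recommendation 8 in the appendix asks for the mobile application to log less PHI. The following is an added illustration, not OTN's or Vidyo's code; the event fields, the choice of which fields count as PHI, and the key are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample event; the field names are assumptions for this example,
# not the real Vidyo Mobile log format.
SAMPLE_EVENT = {
    "ts": "2013-05-28T10:02:11", "level": "INFO", "msg": "join",
    "room": "clinic-7", "user": "jdoe@example.org", "hcn": "1234567890",
}
PHI_FIELDS = ("user", "hcn")   # fields that identify a person (assumed)
LEVELS = ("none", "anonymized", "pseudonymized", "explicit")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed one-way token: stable for the same value, so events can still be
    correlated during support, but not reversible without the key. The key
    must not live on the handset, or whoever holds a lost phone can recompute it."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def render_event(event: dict, level: str, key: bytes = b"") -> str:
    """Serialise one log event under the chosen PHI policy level."""
    if level not in LEVELS:
        raise ValueError(f"unknown log policy level: {level}")
    out = {}
    for field, value in event.items():
        if field not in PHI_FIELDS or level == "explicit":
            out[field] = value                      # kept verbatim
        elif level == "pseudonymized":
            out[field] = pseudonym(str(value), key)  # linkable, not identifying
        elif level == "anonymized":
            out[field] = "[redacted]"               # neither linkable nor identifying
        # level == "none": the field is dropped entirely
    return json.dumps(out, sort_keys=True)


def leaks_phi(rendered: str, event: dict) -> bool:
    """Self-check: does the rendered line still contain any raw PHI value?"""
    return any(str(event[f]) in rendered for f in PHI_FIELDS if f in event)


if __name__ == "__main__":
    for lvl in LEVELS:
        line = render_event(SAMPLE_EVENT, lvl, key=b"server-side-secret")
        print(f"{lvl:13s} leaks={leaks_phi(line, SAMPLE_EVENT)!s:5s} {line}")
```

Only the "explicit" level fails the self-check; "none" is the level a "Send logs" feature would need before logs may leave the device.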

11 R1: “Unauthorised disclosure of PHI due to re-provisioned or lost/stolen device containing Vidyo Mobile Logs”
Safeguard: Use passphrases

12 R2: “Inadvertent exposure and unauthorised access to PCVC sessions”
Safeguard: Do not leave your mobile device unattended

13 R2: “Inadvertent exposure and unauthorised access to PCVC sessions”
Safeguard: Do not share your account credentials

14 Risk 3 “Breach of physician privacy due to lack of end user guidance”

Attribute         | Awareness                          | Training                                                        | Education
                  | “What?”                            | “How?”                                                          | “Why?”
Imparts           | Information                        | Knowledge                                                       | Insight
Method            | Media: video, newsletters, posters | Practical instruction: lectures, case study, hands-on practice  | Theoretical instruction: seminar and discussion, reading and study
Impact time-frame | Short-term                         | Medium-term                                                     | Long-term

Safeguard: Regularly create best practice guidelines for HIC users

15 Risk 4 “Limitations and Complexity within Policies”
Safeguard: Create simplified and friendly terms of service

16 Risk “Increased external attacks…”

17 Risk “Increased external attacks…”
Safeguard: Harden devices and applications

18 Risk “Increased external attacks…”
Safeguard: Separate corporate from consumer environments

19 Circles of Trust: International, Federal, Provincial, OTN, Local

20 Questions and Answers. Thank You

21 Appendix - Recommendations

#  | Recommendation                                                                                                                                                                                                | Priority
1  | Amend current policies, MOUs and guidelines to reflect the PCVC solution on mobile devices. Extend and amend the Terms of Service to reflect patient use, and designate the term “User” to a patient.         | 1
2  | Create and distribute simplified/patient-friendly terms of service and guidelines for end users                                                                                                               | 2
3  | Develop prescriptive security guidelines for the BYOD scenario                                                                                                                                                | 1
4  | Ensure training of meeting chairs to monitor control panel activity, to ensure guest links are used by the intended persons.                                                                                  | 2
5  | Ensure training on administering guest links is robust. A PIN should be required but delivered over the phone or via SMS (out-of-band).                                                                       | 2
6  | Ensure installed Mobile Device Management agents on OTN owned/provisioned devices allow and enforce remote wipe and device lockdown capabilities, to prevent inappropriate use and session recording.          | 1
8  | Modify how/what the application logs on the mobile devices to limit the generation of PHI. Disable the “Send logs” functionality within the mobile application.                                               | 1
9  | Remove the solution's ability (via GuestLink) to accept blank characters as a display name.                                                                                                                   | 2
10 | Deploy the Vidyo FIPS-140 module/component when available                                                                                                                                                     | 3
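Recommendation 9 concerns a guest joining a session with a blank display name, so the chair cannot tell who is on the roster. A name that is "blank" is not only the empty string: Unicode spaces and zero-width format characters render as nothing too. The validator below is an added example, not part of the presentation or of any Vidyo product; the length limit is an assumption.

```python
import unicodedata
from typing import Optional

MAX_LEN = 64   # assumed roster display limit for this example


def normalize_display_name(raw: str) -> Optional[str]:
    """Return a cleaned display name, or None if nothing identifiable remains.

    Rejects names that are empty, whitespace-only (including Unicode spaces
    such as U+00A0 and U+2003) or made only of invisible format characters
    (zero-width space U+200B, BOM U+FEFF), all of which show as blank in a roster.
    """
    if not isinstance(raw, str):
        return None
    # Compatibility normalisation folds exotic spaces (U+00A0, U+2003, ...) to U+0020.
    text = unicodedata.normalize("NFKC", raw)
    # Drop format (Cf) and control (Cc) characters, which have no visible glyph.
    text = "".join(ch for ch in text if unicodedata.category(ch) not in ("Cf", "Cc"))
    # str.split() with no separator splits on all Unicode whitespace; rejoin with one space.
    text = " ".join(text.split())
    if not text or len(text) > MAX_LEN:
        return None
    # Require at least one letter or digit so "---" or "..." cannot pose as a name.
    if not any(ch.isalnum() for ch in text):
        return None
    return text


def is_acceptable_display_name(raw: str) -> bool:
    """Gate for the join request: True only when a usable name survives cleaning."""
    return normalize_display_name(raw) is not None


if __name__ == "__main__":
    # Constructed inputs a guest link might receive.
    for candidate in ["Dr. Jane Doe", "", "   ", "\u00a0\u2003", "\u200b\ufeff", "...", "  Jane\u00a0Doe "]:
        print(repr(candidate), "->", repr(normalize_display_name(candidate)))
```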

