Exposing the Data Risks and Offering the Recommendations for the Secure Consumerization of e-Health. Jason Lin, Corporate Security Officer. Tuesday, May 28, 2013.
Exposing the Data Risks and Offering the Recommendations for the Secure Consumerization of e-Health Jason Lin, Corporate Security Officer Tuesday, May 28, 2013

Faculty/Presenter Disclosure Faculty: Jason Lin Relationships with commercial interests: – None

Background: Personal Videoconferencing (PCVC). Drivers: Access, Productivity, Quality.

Scope. Timeline: 2012, laptops (providers); 2013, tablets (providers); next, mobile devices (?). Review of policies and agreements to support the PCVC service. Focus on the extension of the PCVC service to mobile device platforms (Android and iOS).

“Our mission is to develop and support telemedicine solutions that enhance access and quality of health care in Ontario, and inspire adoption by health care providers, organizations, and the public.” Access “and” Quality.

Quality includes Information Security: the CIA Triad. Confidentiality: privacy of patients depends upon maintaining the confidentiality of personal health information (PHI) at all times. Integrity: patient safety depends upon maintaining the integrity of PHI (e.g. ensuring no systematic errors exist); failure to maintain integrity can result in illness, injury or even death. Availability: in order to provide safe care, health care providers (HCP) must have ready access to important PHI before, during and after providing care.

Center for Information Technology Leadership (CITL) Maturity Model

PCVC Threat Risk Assessment Findings (heat map plotting each risk by Impact against Likelihood, each rated Very Low to Very High). R1: Unauthorised disclosure of PHI due to re-provisioned or lost/stolen device containing Vidyo Mobile logs. R2: Inadvertent exposure and unauthorised access to PCVC sessions due to limitations in GuestLink operations and configuration. R3: Breach of physician privacy due to lack of end user guidance and surreptitious recording capabilities of consultations by end users/patients, especially within a BYOD configuration. R4: Limitations and complexity within policies, MOUs, member and end user guidance, coupled with presence of PHI on mobile devices.

Defense in Depth Safeguards: Technology, Process, People.

R1: “Unauthorised disclosure of PHI due to re-provisioned or lost/stolen device containing Vidyo Mobile logs”. Safeguard: limit what the device holds, along the spectrum No PHI, Anonymized PHI, Pseudonymized PHI, Explicit PHI. Do not leave your mobile device unattended.
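The four points of that spectrum applied to client log lines, as an added example that is not part of the presentation and not Vidyo's code. The log format, the field names `guest` and `hcn`, and the sample lines are constructed for illustration; the per-deployment secret is an assumption of the example.

```python
import hashlib
import hmac
import re
from typing import Optional

# Fields that carry PHI in the constructed, hypothetical client log format used here.
PHI_FIELD = re.compile(r'(?P<key>guest|hcn)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


def _token(secret: bytes, field: str, value: str) -> str:
    """Keyed pseudonym: stable under one deployment secret, not reversible without it."""
    mac = hmac.new(secret, f"{field}:{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:12]


def scrub(line: str, mode: str, secret: bytes = b"") -> Optional[str]:
    """Apply one point of the spectrum (none, anonymized, pseudonymized, explicit)
    to a single log line. Returns None when the line must not be written at all."""
    if mode == "explicit":
        return line
    if mode == "none":
        return None if PHI_FIELD.search(line) else line
    if mode not in ("anonymized", "pseudonymized"):
        raise ValueError(f"unknown mode {mode!r}")
    if mode == "pseudonymized" and not secret:
        raise ValueError("pseudonymization needs a per-deployment secret")

    def repl(m):
        field = m.group("key")
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        if mode == "anonymized":
            return f"{field}=[redacted]"
        return f"{field}=pseud:{_token(secret, field, value)}"

    return PHI_FIELD.sub(repl, line)


def scrub_log(lines, mode: str, secret: bytes = b""):
    """Scrub every line; lines that must not be written are dropped."""
    return [out for out in (scrub(line, mode, secret) for line in lines) if out is not None]


def leaks(lines, raw_values) -> bool:
    """True if any raw identifier value still appears in the output."""
    return any(value in line for line in lines for value in raw_values)


def tokens(line: str):
    """Pseudonym tokens present in one scrubbed line."""
    return re.findall(r"pseud:([0-9a-f]{12})", line)


# Constructed sample lines (not real Vidyo Mobile output).
SAMPLE_LOG = [
    '2013-05-28 10:15:02 INFO session start room=clinic-12 guest="Jane Doe" hcn=1234-567-890',
    '2013-05-28 10:15:03 DEBUG media negotiated codec=H.264 bitrate=768k',
    '2013-05-28 10:31:44 INFO session end room=clinic-12 guest="Jane Doe"',
]

if __name__ == "__main__":
    for mode in ("explicit", "pseudonymized", "anonymized", "none"):
        print(mode)
        for out in scrub_log(SAMPLE_LOG, mode, b"deployment-key-A"):
            print("  ", out)
```

Pseudonymization keeps sessions correlatable for support (the same guest yields the same token within one deployment) without writing the name or health card number, but only as long as the secret is not on the same device: with both the secret and the logs in hand, a thief can test candidate names against the tokens. For a device that can be lost or re-provisioned, the "No PHI" end of the spectrum is the robust choice.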

R1: “Unauthorised disclosure of PHI due to re-provisioned or lost/stolen device containing Vidyo Mobile logs”. Safeguard: use passphrases.

R2: “Inadvertent exposure and unauthorised access to PCVC sessions”. Safeguard: do not leave your mobile device unattended.

R2: “Inadvertent exposure and unauthorised access to PCVC sessions”. Safeguard: do not share your account credentials.

Risk 3 “Breach of physician privacy due to lack of end user guidance”. Safeguard: awareness, training and education, delivered regularly.
Attribute:          Awareness / Training / Education
Answers:            What? / How? / Why?
Imparts:            Information / Knowledge / Insight
Method:             Media (video, newsletters, posters) / Practical instruction (lectures, case study, hands-on practice) / Theoretical instruction (seminar and discussion, reading and study)
Impact time-frame:  Short-term / Medium-term / Long-term
Create best practice guidelines for HIC (health information custodian) users.

Risk 4 “Limitations and complexity within policies”. Safeguard: create simplified and friendly terms of service.

Risk “Increased external attacks…”

Risk “Increased external attacks…”. Safeguard: harden devices and applications.

Risk “Increased external attacks…”. Safeguard: separate corporate from consumer environments.

Circles of Trust (concentric, innermost to outermost): Local, OTN, Provincial, Federal, International.

Questions and Answers Thank You

Appendix - Recommendations (number, description, priority)
1. Amend current policies, MOUs and guidelines to reflect the PCVC solution on mobile devices. Extend and amend the Terms of Service to reflect patient use, and designate the term “User” to a patient. Priority 1.
2. Create and distribute simplified, patient-friendly terms of service and guidelines for end users. Priority 2.
3. Develop prescriptive security guidelines for the BYOD scenario. Priority 1.
4. Ensure training for meeting chairs to monitor control panel activity, so that guest links are used by the intended persons. Priority 2.
5. Ensure training on administering guest links is robust. A PIN should be required but delivered over the phone or via SMS (out-of-band). Priority 2.
6. Ensure the Mobile Device Management agents installed on OTN owned/provisioned devices allow and enforce remote wipe and device lockdown capabilities, to prevent inappropriate use and session recording. Priority 1.
8. Modify how and what the application logs on the mobile devices to limit the generation of PHI. Disable the “Send logs” functionality within the mobile application. Priority 1.
9. Remove the solution's ability (via GuestLink) to accept blank characters as a display name. Priority 2.
10. Deploy the Vidyo FIPS 140 module/component when available. Priority 3.
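Recommendation 9 as a server-side check, added here as an example; it is not OTN's or Vidyo's implementation, and the function name, the 64-character limit and the test inputs are assumptions of the example. The point it adds to the recommendation is that "blank" must cover more than the ASCII space: Unicode space separators, invisible format characters such as the zero-width space, and control characters all produce a guest the meeting chair cannot identify in the control panel.

```python
import unicodedata
from typing import Optional

MAX_LEN = 64  # assumed limit for this example


def normalize_display_name(raw) -> Optional[str]:
    """Return the canonical display name, or None if the name shows no visible identity.

    Drops invisible format characters (Unicode category Cf: zero-width space, joiners,
    BOM), rejects control and other non-printing characters (other C* categories) that
    could corrupt the chair's participant listing, collapses every whitespace run,
    and requires at least one letter or digit.
    """
    if not isinstance(raw, str):
        return None
    # NFKC folds compatibility forms (fullwidth letters, ideographic space) into canonical ones.
    text = unicodedata.normalize("NFKC", raw)
    kept = []
    for ch in text:
        cat = unicodedata.category(ch)
        if cat == "Cf":          # invisible: drop silently
            continue
        if cat.startswith("C"):  # control, surrogate, private use, unassigned: reject
            return None
        kept.append(ch)
    # str.split() with no separator splits on all Unicode whitespace, including Zs separators.
    name = " ".join("".join(kept).split())
    if not name or not any(ch.isalnum() for ch in name):
        return None
    if len(name) > MAX_LEN:
        return None
    return name


if __name__ == "__main__":
    for sample in ["Jane Doe", "   ", "\u200b\u200d\ufeff", "\u00a0\u2003\u3000", "\u200bJane"]:
        print(repr(sample), "->", normalize_display_name(sample))
```

A join request whose name normalizes to None should be refused with a request to enter a name, not silently replaced with a default such as "Guest", which would reintroduce the same unidentifiable participant the recommendation is trying to remove.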