Slide 1: Exposing the Data Risks and Offering the Recommendations for the Secure Consumerization of e-Health. Jason Lin, Corporate Security Officer. Tuesday, May 28, 2013.
Slide 2: Faculty/Presenter Disclosure. Faculty: Jason Lin. Relationships with commercial interests: none.
Slide 3: Background. Personal videoconferencing: access, productivity, quality.
Slide 4: Scope. Timeline: 2012, laptops (providers); 2013, tablets (providers), covering a review of the policies and agreements that support the PCVC service and a focus on extending the PCVC service to mobile device platforms (Android and iOS); 2014+, mobile devices (???).
Slide 5: "Our mission is to develop and support telemedicine solutions that enhance access and quality of health care in Ontario, and inspire adoption by health care providers, organizations, and the public." Access "and" quality.
Slide 6: Quality includes information security: the CIA triad. Confidentiality: patient privacy depends on maintaining the confidentiality of personal health information (PHI) at all times. Integrity: patient safety depends on maintaining the integrity of PHI (e.g. ensuring no systematic errors exist); failure to maintain integrity can result in illness, injury or even death. Availability: to provide safe care, health care providers (HCP) must have ready access to important PHI before, during and after providing care.
Slide 7: Center for Information Technology Leadership (CITL) Maturity Model.
Slide 8: PCVC Threat Risk Assessment findings. [Risk matrix: impact (Very Low to Very High) plotted against likelihood (Very Low to Very High); R1, R3 and R4 are plotted together, R2 separately.]
R1: Unauthorised disclosure of PHI due to a re-provisioned or lost/stolen device containing Vidyo Mobile logs.
R2: Inadvertent exposure of, and unauthorised access to, PCVC sessions due to limitations in GuestLink operations and configuration.
R3: Breach of physician privacy due to a lack of end user guidance and the ability of end users/patients to record consultations surreptitiously, especially in a BYOD configuration.
R4: Limitations and complexity within policies, MOUs, and member and end user guidance, coupled with the presence of PHI on mobile devices.
Slide 9: Defense in depth safeguards: technology, process, people.
Slide 10: R1, "Unauthorised disclosure of PHI due to re-provisioned or lost/stolen device containing Vidyo Mobile Logs". Safeguard: decide what the logs may contain; the options range from no PHI, through anonymized and pseudonymized PHI, to explicit PHI. Do not leave your mobile device unattended.
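The four logging options on this slide, worked through as an added example that is not from the presentation, OTN or Vidyo: a scrubber that rewrites constructed key=value log lines (a hypothetical layout, not the real Vidyo Mobile log format; the field names patient, hcn and dob and the sample values are assumptions) in each of the four modes. Pseudonymization uses an HMAC under a key that must be held off the device: with the key on the same handset as the logs, the token can be recovered by a dictionary attack over the small space of health card numbers, and the "pseudonymized" column degrades to "explicit".

```python
import hashlib
import hmac
import re

# Constructed sample lines in a hypothetical key=value layout; they are not
# real Vidyo Mobile log entries. Names and health card numbers are made up.
SAMPLE_LOG = [
    'ts=2013-05-28T10:02:11 event=call_start room=clinic-7 patient="Jane Doe" hcn=1234567890',
    'ts=2013-05-28T10:02:40 event=media_stats room=clinic-7 jitter_ms=12 loss_pct=0.3',
    'ts=2013-05-28T10:31:05 event=call_end room=clinic-7 patient="Jane Doe" duration_s=1734',
]

# Fields the hypothetical format treats as PHI (an assumption for the example).
PHI_FIELD = re.compile(r'\b(patient|hcn|dob)=("[^"]*"|\S+)')

MODES = ("none", "anonymized", "pseudonymized", "explicit")


def pseudonym(value, key):
    """Keyed one-way token: the same value under the same key always maps to
    the same token (so a support engineer can still follow one patient's
    session across lines), but without the key the token cannot be reversed
    or brute-forced from the small space of health card numbers."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def scrub_line(line, mode, key=b""):
    """Rewrite one log line according to the chosen PHI policy."""
    if mode == "explicit":
        return line  # PHI written as-is: the situation risk R1 describes
    if mode == "none":
        # Drop the PHI fields entirely and re-space what is left.
        return " ".join(PHI_FIELD.sub("", line).split())
    if mode == "anonymized":
        # Unlinkable: every PHI value becomes the same placeholder.
        return PHI_FIELD.sub(lambda m: m.group(1) + "=[REDACTED]", line)
    if mode == "pseudonymized":
        if not key:
            raise ValueError("pseudonymization needs a key that is kept off the device")
        return PHI_FIELD.sub(
            lambda m: m.group(1) + "=phi:" + pseudonym(m.group(2).strip('"'), key), line)
    raise ValueError("unknown mode %r" % (mode,))


def scrub_log(lines, mode, key=b""):
    """Apply scrub_line to every line; non-PHI lines pass through unchanged."""
    return [scrub_line(line, mode, key) for line in lines]


if __name__ == "__main__":
    for mode in MODES:
        print("--", mode)
        for out in scrub_log(SAMPLE_LOG, mode, key=b"server-held-secret"):
            print(out)
```

Pseudonymized tokens are deliberately linkable across lines, which is what makes them useful for troubleshooting and also why they are still personal data under most privacy regimes; the "anonymized" mode gives up that linkability, and the "none" mode is the only one that leaves nothing to disclose when the device is lost.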
Slide 11: R1, "Unauthorised disclosure of PHI due to re-provisioned or lost/stolen device containing Vidyo Mobile Logs". Safeguard: use passphrases.
Slide 12: R2, "Inadvertent exposure and unauthorised access to PCVC sessions". Safeguard: do not leave your mobile device unattended.
Slide 13: R2, "Inadvertent exposure and unauthorised access to PCVC sessions". Safeguard: do not share your account credentials.
Slide 14: Risk 3, "Breach of physician privacy due to lack of end user guidance". Safeguard: a learning continuum from awareness through training to education.
Attribute          Awareness                      Training                                  Education
Question           What?                          How?                                      Why?
Imparts            Information                    Knowledge                                 Insight
Method             Media: video, newsletters,     Practical instruction: lectures,          Theoretical instruction: seminar
                   posters                        case study, hands-on practice             and discussion, reading and study
Impact time-frame  Short-term                     Medium-term                               Long-term
Regularly create best-practice guidelines for HIC (health information custodian) users.
Slide 15: Risk 4, "Limitations and complexity within policies". Safeguard: create simplified and friendly terms of service.
Slide 16: Risk, "Increased external attacks..."
Slide 17: Risk, "Increased external attacks". Safeguard: harden devices and applications.
Slide 18: Risk, "Increased external attacks...". Safeguard: separate corporate from consumer environments.
Slide 19: Circles of Trust: International, Federal, Provincial, OTN, Local.
Slide 20: Questions and Answers. Thank you. http://otn.ca/en/services/pcvc
Slide 21: Appendix - Recommendations (number, description, priority)
1 (priority 1): Amend current policies, MOUs and guidelines to reflect the PCVC solution on mobile devices. Extend and amend the Terms of Service to reflect patient use, and designate the term "User" to a patient.
2 (priority 2): Create and distribute simplified, patient-friendly terms of service and guidelines for end users.
3 (priority 1): Develop prescriptive security guidelines for the BYOD scenario.
4 (priority 2): Ensure meeting chairs are trained to monitor control panel activity so that guest links are used only by the intended persons.
5 (priority 2): Ensure training on administering guest links is robust. A PIN should be required, delivered over the phone or via SMS (out of band).
6 (priority 1): Ensure the Mobile Device Management agents installed on OTN owned/provisioned devices allow and enforce remote wipe and device lockdown, to prevent inappropriate use and session recording.
8 (priority 1): Modify how and what the application logs on mobile devices to limit the generation of PHI. Disable the "Send logs" function within the mobile application.
9 (priority 2): Remove the solution's ability (via GuestLink) to accept blank characters as a display name.
10 (priority 3): Deploy the Vidyo FIPS 140 module/component when available.
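Recommendation 9 as code, added here and not OTN's or Vidyo's implementation: a display-name check for a GuestLink-style join form that rejects names which would render as blank in the chair's control panel. A plain `name == ""` test misses names made only of non-breaking spaces, zero-width characters, byte order marks or other format characters, which look empty on screen but pass a naive emptiness check. The 64-character cap and the requirement for at least one letter or digit are assumptions beyond what the recommendation states.

```python
import unicodedata

# Assumed limit; the recommendation itself sets no length.
MAX_DISPLAY_NAME = 64

# Unicode categories with no visible glyph: space/line/paragraph separators,
# control characters and format characters (zero-width space, BOM, joiners).
INVISIBLE = ("Zs", "Zl", "Zp", "Cc", "Cf")


def is_blank_when_rendered(name):
    """True when every character is invisible, i.e. the entry shows as empty
    in a participant list even though name != ''. Empty input counts too."""
    return all(unicodedata.category(ch) in INVISIBLE for ch in name)


def validate_display_name(raw):
    """Return a cleaned display name, or None when the name must be rejected."""
    if not isinstance(raw, str) or is_blank_when_rendered(raw):
        return None
    # Fold compatibility forms (fullwidth letters etc.) so the stored name is
    # the one a moderator would actually compare against.
    name = unicodedata.normalize("NFKC", raw)
    # Strip control and format characters anywhere in the name; they are the
    # usual way to forge an entry that looks blank or looks like someone else.
    name = "".join(ch for ch in name if unicodedata.category(ch) not in ("Cc", "Cf"))
    # Collapse runs of Unicode whitespace (str.split also handles NBSP, U+3000, ...).
    name = " ".join(name.split())
    if not name or len(name) > MAX_DISPLAY_NAME:
        return None
    # Assumption beyond the recommendation: require something identifying,
    # not just punctuation such as "..." or "---".
    if not any(ch.isalnum() for ch in name):
        return None
    return name


if __name__ == "__main__":
    for candidate in ["Jane Doe", "", "   ", "\u00a0\u00a0", "\u200b", "\ufeff",
                      "  Jane\u200b  Doe ", "\uff2aane", "..."]:
        print(repr(candidate), "->", repr(validate_display_name(candidate)))
```

The check belongs on the server side of the join request, not only in the client form, since the client is the patient's own device; rejecting the name there is also what makes recommendation 4 (the chair watching the control panel) workable, because every participant then has a visible label.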