Presentation is loading. Please wait.

Presentation is loading. Please wait.

Exposing the Data Risks and Offering the Recommendations for the Secure Consumerization of e-Health Jason Lin, Corporate Security Officer Tuesday, May.

Published byGwendolyn Collie Modified over 9 years ago

Similar presentations

Presentation on theme: "Exposing the Data Risks and Offering the Recommendations for the Secure Consumerization of e-Health Jason Lin, Corporate Security Officer Tuesday, May."— Presentation transcript:

1 Exposing the Data Risks and Offering the Recommendations for the Secure Consumerization of e-Health Jason Lin, Corporate Security Officer Tuesday, May 28, 2013

2 Faculty/Presenter Disclosure Faculty: Jason Lin Relationships with commercial interests: – None

3 Background Personal Videoconf erencing AccessProductivityQuality

4 Scope Timeline 2012 Laptops Providers 2013 Tablets Providers Review of policies and agreements to support the PCVC service Focus on the extension of the PCVC service to mobile device platforms (Android and iOS) 2014+ Mobile Devices ???

5 “Our mission is to develop and support telemedicine solutions that enhance access and quality of health care in Ontario, and inspire adoption by health care providers, organizations, and the public.” Access “and” Quality 5

6 Confidentiality: Privacy of patients depends upon maintaining the confidentiality of personal health information (PHI) at all times. Integrity: Patient safety depends upon maintaining the integrity of PHI (e.g. ensure no systematic errors exist). Failure to maintain integrity can result in illness, injury or even death. Availability: In order to provide safe care, HCP must have ready access to important PHI before, during and after providing care. Integrity Confidentiality Availability Quality includes Information Security CIA Triad

7 Center for Information Technology Leadership (CITL) Maturity Model

8 PCVC Threat Risk Assessment Findings Impact Very High High Medium Low R1, R3, R4 R2 Very Low LowMediumHighVery High Likelihood 8 R1: Unauthorised disclosure of PHI due to re-provisioned or lost/stolen device containing Vidyo Mobile Logs R2: Inadvertent exposure and unauthorised access to PCVC sessions due to limitations in Guestlink operations and configuration R3: Breach of physician privacy due to lack of end user guidance and surreptitious recording capabilities of consultations by end users/patients, especially within a BYOD configuration R4: Limitations and complexity within policies, MOUs, member and end user guidance coupled with presence of PHI on mobile devices

9 Defense In Depth Safeguards 9 TECHNOLOGY PEOPLEPROCESS Technology Process People

10 R1: “Unauthorised disclosure of PHI due to re- provisioned or lost/stolen device containing Vidyo Mobile Logs” Safeguard No PHI Anonymized PHI Pseudonymized PHI Explicit PHI Do not leave your mobile device unattended

11 R1: “Unauthorised disclosure of PHI due to re- provisioned or lost/stolen device containing Vidyo Mobile Logs” Safeguard Use passphrases

12 R2: “Inadvertent exposure and unauthorised access to PCVC sessions” Safeguard Do not leave your mobile device unattended

13 R2: “Inadvertent exposure and unauthorised access to PCVC sessions” Safeguard Do not share your account credentials

14 Risk 3 “Breach of physician privacy due to lack of end user guidance” Safeguard 14 AwarenessTrainingEducation AttributeWhat?How?Why? ImpartsInformationKnowledgeInsight MethodMedia Video Newsletters Posters Practical Instruction Lectures Case Study Hands-on practice Theoretical Instruction Seminar and discussion Reading and study Impact Time-FrameShort-TermMedium-TermLong-Term Regularly Create best practise guidelines for HIC users

15 Risk 4 “Limitations and Complexity within Policies” Safeguard Create simplified and friendly terms of services

16 Risk “Increased external attacks…”

17 Risk “Increased external attacks” Safeguard Harden devices and applications

18 Risk “Increased external attacks…” Safeguard Separate corporate from consumer environments

19 Circles of Trust InternationalFederalProvincialOTN Local

20 Questions and Answers Thank You http://otn.ca/en/services/pcvc

21 #Recommendation DescriptionPriority 1Amend current policies, MOUs and guidelines to reflect the PVC solution on mobile devices. Extend and amend the Terms of Service to reflect patient use, and designate the term “User” to a patient. 1 2Create and distribute simplified/patient friendly terms of service and guidelines for end users 2 3Develop prescriptive security guidelines for BYOD scenario1 4Ensure training to meeting chairs to monitor control panel activity to ensure guest links are used by the intended persons. 2 5Ensure training on administering guest links is robust. PIN should be required but delivered over the phone or via SMS (out-of-band) 2 6Ensure installed Mobile Device Management agents on OTN owned/provisioned devices allow and enforce remote wipe and device lockdown capabilities to prevent inappropriate use and session recording. 1 8Modify how/what the application logs on the mobile devices to limit the generation of PHI. Disable the “Send logs” functionality within the mobile application. 1 9Remove the solutions ability (via GuestLink) to accept blank characters as display name. 2 10Deploy Vidyo FIPS-140 Module/component when available3 21 Appendix - Recommendations

Download ppt "Exposing the Data Risks and Offering the Recommendations for the Secure Consumerization of e-Health Jason Lin, Corporate Security Officer Tuesday, May."

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
IBM SMB Software Group ® ibm.com/software/smb Maintain Hardware Platform Health An IT Services Management Infrastructure Solution.

IBM SMB Software Group ® ibm.com/software/smb Maintain Hardware Platform Health An IT Services Management Infrastructure Solution.
Security for Mobile Devices

Security for Mobile Devices
Copyright © 2012 AirWatch, LLC. All rights reserved. Proprietary & Confidential. Mobile Content Strategies and Deployment Best Practices.

Copyright © 2012 AirWatch, LLC. All rights reserved. Proprietary & Confidential. Mobile Content Strategies and Deployment Best Practices.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
1 1 March 20, 2014 A SIMPLE APPROACH TO BYOD. WHAT THEY DONT WANT IS: Company monitoring of their personal activities or restriction of the apps they.

1 1 March 20, 2014 A SIMPLE APPROACH TO BYOD. WHAT THEY DONT WANT IS: Company monitoring of their personal activities or restriction of the apps they.
Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.
Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.

Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.
Internet of Things Security Architecture

Internet of Things Security Architecture
THE STRATEGIC COUNCIL LEADERSHIP TRUST AND ENGAGEMENT NEW FUNDING SOURCES AND NEW DELIVERY VEHICLES Appendix 1 NEW FUNDING SERVOURCES AND NEW DELIVERY.

THE STRATEGIC COUNCIL LEADERSHIP TRUST AND ENGAGEMENT NEW FUNDING SOURCES AND NEW DELIVERY VEHICLES Appendix 1 NEW FUNDING SERVOURCES AND NEW DELIVERY.
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
6218 Mobile Devices- Are They Secure Enough for our Patient's Data? Presented By Aaron Hendriks, CISSP Other: Employee of University Health Network, Toronto,

6218 Mobile Devices- Are They Secure Enough for our Patient's Data? Presented By Aaron Hendriks, CISSP Other: Employee of University Health Network, Toronto,
Information Security Confidential Two-Factor Authentication Solution Overview Shawn Fulton January 15th, 2015.

Information Security Confidential Two-Factor Authentication Solution Overview Shawn Fulton January 15th, 2015.
Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.

Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.
GREATER THAN EVER. TODAY, RISK OF DATA FALLING IN THE WRONG HANDS IS QUITE OFTEN THIS RISK IS NOT FROM EXTERNAL ATTACKERS. IT COMES FROM WITHIN.

GREATER THAN EVER. TODAY, RISK OF DATA FALLING IN THE WRONG HANDS IS QUITE OFTEN THIS RISK IS NOT FROM EXTERNAL ATTACKERS. IT COMES FROM WITHIN.
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.
1 Enterprise Security Your Information Security and Privacy Responsibilities © 2008 Providence Health & Services This information may be replicated for.

1 Enterprise Security Your Information Security and Privacy Responsibilities © 2008 Providence Health & Services This information may be replicated for.
4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.

4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
©Ian Sommerville 2006Critical Systems Slide 1 Critical Systems Engineering l Processes and techniques for developing critical systems.

©Ian Sommerville 2006Critical Systems Slide 1 Critical Systems Engineering l Processes and techniques for developing critical systems.
SECURITY: 2014. Personal Health Information Protection Act, 2004 this 5 min. course covers: changing landscape of electronic health records security threats.

SECURITY: Personal Health Information Protection Act, 2004 this 5 min. course covers: changing landscape of electronic health records security threats.

Similar presentations

Ads by Google