Presentation is loading. Please wait.

Presentation is loading. Please wait.

Configuring Electronic Health Records Privacy and Security in the US Lecture f This material (Comp11_Unit7f) was developed by Oregon Health & Science University,

Published byEdwin Greer Modified over 8 years ago

Similar presentations

Presentation on theme: "Configuring Electronic Health Records Privacy and Security in the US Lecture f This material (Comp11_Unit7f) was developed by Oregon Health & Science University,"— Presentation transcript:

1 Configuring Electronic Health Records Privacy and Security in the US Lecture f This material (Comp11_Unit7f) was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000015

2 Privacy and Security in the US Learning Objectives Compare and contrast the concepts of privacy and security (Lecture a) List the regulatory frameworks for an EHR (Lecture b, c) Describe the concepts and requirements for risk management (Lecture d) Describe authentication, authorization and accounting (Lecture d) Describe passwords and multi-factor authentication and their associated issues (Lecture d) Describe issues with portable devices (Lecture d) Describe elements of disaster preparedness and disaster recovery (Lecture e) Describe issues of physical security (Lecture e) Describe malware concepts (Lecture f) 2 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture f

3 Viruses Oldest and simple concept: unwanted program that executes when the host program executes Copies itself to media 3 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture f

4 Virus Types File Boot sector Macro E-mail Multi-variant RFID (theoretical) 4 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture f

5 Worms Self-replicating program that copies itself to other computers across a network LAN or Intranet Web or Internet E-mail IM IRC P2P 5 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture f

6 Trojans Destructive program that appears to be a other than what it is From the Greek myth of the wooden horse brought into the city as a trophy – filled with warriors Brought in by the user... Backdoor trojan Data collecting Downloader or dropper 6 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture f

7 Botnets Coordinated attack using infected systems Stages: –Creation –Configuration –Infection –Control Used for: –DDoS –Spam & spreading malware –Information leakage –Click fraud –Identify fraud 7 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture f

8 Zero-Day Malware What to do about a new threat? Zero-day malware is not detected by existing anti-virus May be based on zero-day exploits – newly discovered vulnerabilities Are signatures enough? 8 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture f

9 Rogueware Attempts to defraud users by requesting payment to remove non-existent threats Indications: –Fake pop-up warnings –Appear similar to real antivirus –Quick scan –May identify different files on each pass Highly lucrative Like a virus, hard to remove 9 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture f

10 What to Do? Resource: Malware Threats and Mitigation Strategies by US-CERT Enclave boundary –Firewalls –IDS Computing environment –Authorized local network devices –O/S patching/updating –O/S hardening –Anti-virus updating –Change control process –Host-based firewall –Vulnerability scanning –Proxy servers and web content filters –E-mail attachment filtering –Monitor logs What to do when compromised –If, not when 10 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture f

11 Why Viruses Exist Software engineering limitations Bugs 11 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture f

12 2011 Top 25 Mistakes Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Missing Authentication for Critical Function Missing Authorization Use of Hard-coded Credentials Missing Encryption of Sensitive Data Unrestricted Upload of File with Dangerous Type Reliance on Untrusted Inputs in a Security Decision Execution with Unnecessary Privileges Cross-Site Request Forgery (CSRF) 12 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture f

13 2011 Top 25 Mistakes (continued) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Download of Code Without Integrity Check Incorrect Authorization Inclusion of Functionality from Untrusted Control Sphere Incorrect Permission Assignment for Critical Resource Use of Potentially Dangerous Function Use of a Broken or Risky Cryptographic Algorithm Incorrect Calculation of Buffer Size Improper Restriction of Excessive Authentication Attempts URL Redirection to Untrusted Site ('Open Redirect') Uncontrolled Format String Integer Overflow or Wraparound Use of a One-Way Hash without a Salt 13 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture f

14 Detection and Prevention Automated tools Policies and procedures Knowledgeable implementation staff 14 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture f

15 Privacy and Security in the US Summary – Lecture f Malware Software design issues 15 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture f

16 Privacy and Security in the US Summary Concepts of privacy and security Regulatory framework Risk assessment Portable devices System access Security awareness training Incident response and disaster recovery Physical security Malware and software design issues 16 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture f

17 Privacy and Security in the US References – Lecture f References Christey, S. (2011). 2011 CWE/SANS Top 25 Most Dangerous Software Errors, from http://cwe.mitre.org/top25http://cwe.mitre.org/top25 U.S. Computer Emergency Readiness Team. (2005). Malware Threats and Mitigation Strategies, from http://www.us-cert.gov/reading_room/malware-threats-mitigation.pdf http://www.us-cert.gov/reading_room/malware-threats-mitigation.pdf 17 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture f

Download ppt "Configuring Electronic Health Records Privacy and Security in the US Lecture f This material (Comp11_Unit7f) was developed by Oregon Health & Science University,"

Similar presentations

CERN – European Organization for Nuclear Research GS Department – Administrative Information Services Secure software development for the World Wide Web.

CERN – European Organization for Nuclear Research GS Department – Administrative Information Services Secure software development for the World Wide Web.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.

Silberschatz, Galvin and Gagne  Operating System Concepts The Security Problem A system is secure iff its resources are used and accessed as.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.

Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
CERN – European Organization for Nuclear Research GS Department – Administrative Information Services Secure software development for the World Wide Web.

CERN – European Organization for Nuclear Research GS Department – Administrative Information Services Secure software development for the World Wide Web.
Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.

Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.

Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
Geneva, Switzerland, 15-16 September 2014 ITU-T CYBEX standards for cybersecurity and data protection Youki Kadobayashi, NICT Japan Rapporteur, ITU-T Q.4/17.

Geneva, Switzerland, September 2014 ITU-T CYBEX standards for cybersecurity and data protection Youki Kadobayashi, NICT Japan Rapporteur, ITU-T Q.4/17.
Chapter 4 Application Security Knowledge and Test Prep

Chapter 4 Application Security Knowledge and Test Prep
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Lesson 10 – SECURING YOUR NETWORK Security devices Internal security External security Viruses and other malicious software OVERVIEW.

Lesson 10 – SECURING YOUR NETWORK Security devices Internal security External security Viruses and other malicious software OVERVIEW.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Software Security Course Course Outline 2-27-09. Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.

Software Security Course Course Outline Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.
Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.
Customized solutions. Keep It Secure Contents  Protection objectives  Endpoint and server software  Protection.

Customized solutions. Keep It Secure Contents  Protection objectives  Endpoint and server software  Protection.
Quiz Review.

Quiz Review.
Chapter Nine Maintaining a Computer Part III: Malware.

Chapter Nine Maintaining a Computer Part III: Malware.

Similar presentations

Ads by Google