Information Security
In Healthcare
Environments



 Nicholas A. Davis, CISA, CISSP
 Information Security Architect
 University of Wisconsin-Madison
 Division of Information Technology (DoIT)
Introduction
• Background
• Thank you for the invitation
• Today’s Topic: Information Security
  in Healthcare Environments
• HIPAA and PHI Controls
• Healthcare Environment
  Vulnerability
• Social Engineering
• Precautions You Can Take
• Q&A Session
HIPAA and PHI Controls
HIPAA Obligations
Information covered by HIPAA must
be protected:
1.Confidentiality: Only those with a
need to know, can see the
information.
2.Integrity: Only those authorized to
alter information, can do so.
3.Availability: Authorized users can
access the information when they
need it.
Protected Identifiers
Name (full or partial)
Address
Specific dates (day and month), but not year
Telephone
Fax
Email
Webpage address
Computer IP address
Social Security Number
Account identification numbers
License identification numbers
Medical record numbers
Health plan beneficiary numbers
Medical device identifiers, such as serial number
Associated vehicle VINs and other vehicle identification
information
Any biometric identifier (fingerprint, eye scan, etc.)
Photos and images
Anything else which can be used to identify a person
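A scanner for several of the identifiers above, added here as an example (not from the slides). It runs a set of regular expressions over a constructed clinical note and either lists or redacts the hits. The MRN format (the letters MRN followed by 6 to 10 digits) is an assumption, as each institution has its own; the date pattern matches a month/day (with or without year), so a bare year on its own is left alone, which is what Safe Harbor allows.

```python
import re
from typing import Dict, List, Tuple

# Patterns for a subset of the identifiers listed above. The MRN format is an
# assumption (hospitals use their own); the others follow common US conventions.
PHI_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)(?:\+?1[-. ])?\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4":  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # month/day, optionally followed by a year; a bare year alone is not matched
    "date":  re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])(?:/\d{2,4})?\b"),
    "mrn":   re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
}

# Constructed sample note; every identifier in it is fictitious.
SAMPLE_NOTE = (
    "Patient John Q. Public, MRN 00482913, DOB 04/12/1975, called from "
    "608-555-0142 about results; contact j.public@example.org. Portal login "
    "from 10.20.30.40. SSN on file: 123-45-6789."
)


def find_phi(text: str) -> List[Tuple[str, str]]:
    """Return (kind, matched_text) pairs for every identifier found in text."""
    hits: List[Tuple[str, str]] = []
    for kind, pattern in PHI_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((kind, match.group(0)))
    return hits


def redact_phi(text: str) -> str:
    """Replace each identifier with a [KIND] placeholder so the text can be
    logged, e-mailed or pasted into a ticket without leaking PHI."""
    for kind, pattern in PHI_PATTERNS.items():
        text = pattern.sub(f"[{kind.upper()}]", text)
    return text


if __name__ == "__main__":
    for kind, value in find_phi(SAMPLE_NOTE):
        print(f"{kind:5s} {value}")
    print(redact_phi(SAMPLE_NOTE))
```

Names, addresses and free-text dates ("April twelfth") are not caught by regexes; a real de-identification pipeline adds a dictionary or named-entity step for those, and treats the regex pass as the floor, not the ceiling.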
Types of Controls
Technical controls
Administrative controls
Some examples, consider your facility
Benefits and drawbacks of each
Types of Controls
Administrative Controls:
•Easy to implement
•Inexpensive
•Flexible
Work best in environments in which
people want to do the “right thing”
Technical Controls:
•Complex to implement
•Costly
•Stringent
Work best in environments in which
adherence by everyone is critical
Information Leakage
Common points of HIPAA information
leakage are:
•Video monitors
•Printers
•Fax machines
•Copiers
•Unprotected trash bins
The best way to prevent information leakage
is to practice the HIPAA Minimum Necessary
Standard, which means that you should
only access, use, or disclose the minimum
amount of HIPAA-covered information necessary
to perform your job.
Preventing Information Leakage
 • Create and use a data storage
   policy, including lifecycle
   management
 • Never leave HIPAA information
   unprotected, electronically, or
   physically
 • Don’t make unnecessary copies
 • Destroy electronic media and
   paper copies containing HIPAA
   related information according to
   appropriate standards, before
   disposing
HIPAA-Sensitive Behaviors
Lock-down cables for computers
Locked office area, lock desk drawers
Use strong passwords, which adhere to
  best practices
Log out, or lock the screen, when not in use
Consider using a privacy screen filter, to
limit what a shoulder surfer can see
Antivirus, patching of Operating
System, etc.
Don’t install unauthorized software on
your computer
Don’t use file sharing services
Portable Devices
• Any mobile device containing
  HIPAA information, should be
  encrypted and access
  protected
• This includes portable USB
  hard disks, flash drives, etc.
• Best idea is not to use mobile
  devices for HIPAA related
  work
How Computers Become
Vulnerable to e-PHI Leaks
• Infected email attachments
• Computer software from non-
  secure sources
• Websites
• Files stored on external
  electronic or magnetic storage
  media
HIPAA Security Summary
 • Avoid risks associated with
   malicious computer software
 • Protect against unauthorized
   use of system user IDs and
   passwords
 • Protect portable devices
 • Adhere to policies and
   procedures
 • Consider using dedicated
   computers
 • Report suspected incidents
Availability - Having a Plan B
• Systems must be available
  when needed
• When things don’t work as
  planned, there must be an
  alternate method of access
• No single point of failure is
  appropriate when it comes to
  healthcare system access
• Plan your systems for the
  worst case scenario
Healthcare Environment Vulnerability
Equipment
Diagnostic Equipment
Workstations
Anything with an input
Anything connected via a
network
Theoretical Example
Nick’s visit to Immediate Care,
last night
Staff member locks screen,
leaves room
Alone in exam room with
computer
The computer appears secured,
but is it?
How Is the Computer Vulnerable?

USB Port
CD Drive
Keyloggers
• Tracking (or logging) the keys struck on a
  keyboard, typically in a covert manner so
  that the person using the keyboard is
  unaware that their actions are being
  monitored
• Software or hardware based
Lesson Learned
Physically limit number of
methods for machine input
USB ports
CD/DVD drive

•When possible, the machine itself
should be physically secured or
encased
•When possible, do not leave the
machine unattended
Social Engineering
Technology Is Not The Entire Answer
Strong computer security has two
components:

The Technology: passwords,
encryption, endpoint protection
such as anti-virus.

The People: You, your
customers, your business
partners
Social Engineering
The art of manipulating
people into performing actions
or divulging confidential
information

It is typically trickery or
deception for the purpose of
information gathering, fraud,
or computer system access
Most Popular Type of Social Engineering
Pretexting: An individual lies to obtain
privileged data. A pretext is a false
motive.

Pretexting is a fancy term for
impersonation

A big problem for computer Help
Desks, in all organizations

Example:
Let’s Think of a Common Pretexting Example




    Dear Windows User,
    It has come to our attention that your Microsoft windows
    Installation records are out of date. Every Windows
    installation has to be tied to an email account for daily
    update.
    This requires you to verify the Email Account. Failure to
    verify your records will result in account suspension.
    Click on the Verify button below and enter your login
    information on the following page to Confirm your records.


    Thank you,

    Microsoft Windows Team.
Warning Signs of Social Engineering
• You are made to feel as if you
  are doing something wrong
• You are being pressured into
  performing an action
• There is a sense of urgency
  and immediacy
• There is no way to confirm
  veracity of that which is
  claimed
Phishing
• Deception, but not just in
  person
• Email
• Websites
• Facebook status updates
• Tweets
• Phishing, in the context of the
  healthcare working environment
  is extremely dangerous
Don’t Touch That QR Code

• Just as bad as clicking on an
  unknown link
• Looks fancy and official, but is easy
  to create
What Phishing Looks Like
• As scam artists become more
  sophisticated, so do their phishing e-mail
  messages and pop-up windows.
• They often include official-looking logos
  from real organizations and other identifying
  information taken directly from legitimate
  Web sites.
Techniques For Phishing

•   Employ visual elements from the target site
•   DNS and URL tricks:
•   www.ebay.com.kr (the brand is only a
    subdomain; the registered domain is unrelated)
•   www.ebay.com@192.168.0.5 (everything before
    the @ is a username; the real host is 192.168.0.5)
•   www.gooogle.com (typo-squatting)
•   JavaScript attacks (e.g. scripted pop-up windows)
•   Spoofed SSL lock icons and certificates
•   Phishers can acquire certificates for domains they
    own
•   Certificate authorities make mistakes
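The three URL tricks above can be detected mechanically. This added example (not from the slides) extracts the host a browser would really connect to, flags the userinfo trick, and compares the registered domain with a short allow-list of trusted brands to catch both brand-as-subdomain abuse and typo-squats. The allow-list, the two-label rule for the registered domain (wrong for suffixes such as co.uk) and the edit-distance threshold of 2 are assumptions.

```python
from typing import List
from urllib.parse import urlsplit

# Assumption: a short allow-list standing in for the organisation's own.
TRUSTED_DOMAINS: List[str] = ["ebay.com", "google.com", "amazon.com", "wisc.edu"]


def real_host(url: str) -> str:
    """Host a browser would actually connect to.

    urlsplit() applies the same rule browsers do: in
    http://www.ebay.com@192.168.0.5/ everything before '@' is a username
    and the host is 192.168.0.5.
    """
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Last two labels of the host.

    Assumption: no multi-part public suffix (co.uk, com.kr, ...); a real
    tool would consult the public suffix list instead.
    """
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squats such as gooogle.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'trusted', 'userinfo-trick', 'lookalike' or 'unknown'."""
    authority = url.split("://", 1)[-1].split("/", 1)[0]
    if "@" in authority:
        return "userinfo-trick"          # www.ebay.com@192.168.0.5
    host = real_host(url)
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # brand used as a subdomain of some other domain: www.ebay.com.kr
        if "." + trusted + "." in "." + host + ".":
            return "lookalike"
        # second-level label within two edits of a trusted brand: gooogle.com, ebay.net
        if edit_distance(domain.split(".")[0], trusted.split(".")[0]) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sample in ["https://www.ebay.com/itm/123", "www.ebay.com.kr",
                   "www.ebay.com@192.168.0.5", "www.gooogle.com", "https://example.net/"]:
        print(f"{sample:32s} host={real_host(sample):16s} {classify_url(sample)}")
```

The edit-distance rule is deliberately coarse: with short brand names (wisc) it will also flag innocent near-neighbours, so treat "lookalike" as a reason to look, not a verdict.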
Let’s Talk About Facebook
•   So important, it gets its own slide!
•   Essentially unauthenticated – discussion
•   Three friends and you’re out! - discussion
•   Privacy settings mean nothing – discussion
•   Treasure Trove of identity information
•   Games as information harvesters
Socially Aware Phishing
Context Aware

“Your bid on eBay has won!”
“The books on your Amazon wish list
are on sale!”
Seems Suspicious: Too Good to Be True, Even When It Is Signed
Detecting Fraudulent Email
Information requested is inappropriate for the
channel of communication:

"Verify your account." Nobody should ask you
to send passwords, login names, Social
Security numbers, or other personal
information through e-mail.

Urgency and potential penalty or loss are
implied:

"If you don't respond within 48 hours, your
account will be closed.”
Detecting Fraudulent Email
"Dear Valued Customer." Phishing e-mail messages
are usually sent out in bulk and often do not contain
your first or last name.
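The cues on the last two slides (a credential request, implied urgency, a generic salutation) can be scored automatically. The following added example (not from the slides) parses two constructed messages with the standard library, adds one header check the slides do not mention, a Reply-To domain that differs from the From domain, and reports which cues fired. The regular expressions, weights and threshold are assumptions to be tuned on real mail.

```python
import re
from email import message_from_string
from email.message import Message
from typing import Dict

# One regex per warning sign; the weights are an assumption.
CUES = {
    "generic_salutation": (re.compile(
        r"^\s*dear (\w+ )?(customer|user|member|account holder)\b", re.I | re.M), 2),
    "credential_request": (re.compile(
        r"\b(verify|confirm|update)\b.{0,40}\b(account|password|login|records)\b", re.I), 3),
    "urgency": (re.compile(
        r"\b(within \d+ hours?|immediately|suspended|suspension|closed|locked)\b", re.I), 2),
    "sensitive_data": (re.compile(
        r"\b(password|login (information|details)|social security|ssn)\b", re.I), 3),
}

# Constructed samples, modelled on the "Windows Team" message shown earlier.
PHISH = """\
From: Microsoft Windows Team <no-reply@windows-records.example>
Reply-To: verify@account-check.example
Subject: Action required: verify your Windows installation records

Dear Windows User,
Your installation records are out of date. Failure to verify your records
within 48 hours will result in account suspension. Click Verify and enter
your login information to confirm your records.
"""

LEGIT = """\
From: Clinic Scheduling <scheduling@clinic.example>
Subject: Reminder: appointment on Thursday

Hi Nick,
This is a reminder of your appointment on Thursday at 10:30. Reply to this
message or call the front desk if you need to reschedule.
"""


def body_text(msg: Message) -> str:
    """Plain-text body, joining the text/plain parts of a multipart message."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = [p.get_payload(decode=True).decode("utf-8", "replace")
             for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(parts)


def addr_domain(header_value: str) -> str:
    """Domain of the first address in a header such as 'Name <user@host>'."""
    m = re.search(r"[\w.+-]+@([\w.-]+)", header_value or "")
    return m.group(1).lower() if m else ""


def score_email(raw: str) -> Dict[str, int]:
    """Map each cue that fired to its weight."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    hits = {name: weight for name, (pattern, weight) in CUES.items() if pattern.search(text)}
    # Header check not on the slides: replies silently go to a different domain.
    from_domain, reply_domain = addr_domain(msg.get("From")), addr_domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        hits["reply_to_mismatch"] = 3
    return hits


def is_suspicious(raw: str, threshold: int = 5) -> bool:
    """True when the summed cue weights reach the (assumed) threshold."""
    return sum(score_email(raw).values()) >= threshold


if __name__ == "__main__":
    for label, raw in [("phish", PHISH), ("legit", LEGIT)]:
        print(label, is_suspicious(raw), score_email(raw))
```

A scorer like this belongs in front of the user as a banner ("this message asks for credentials and its replies go elsewhere"), not as a silent filter: the point of the slides is to train people to notice the cues, and showing them which ones fired does exactly that.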
A Note on Spear Phishing

• Designed especially for you
• Includes your name
• May reference an environment or
  issue you are aware of and familiar
  with
• Asks for special treatment, with
  justification for the request
Passwords

Your password is your electronic key to
valuable resources.

Sharing – Toothbrush Discussion
Theft – Discussion
Password Rotation - Discussion
Creating a Strong Password
The following two rules are the bare minimum
you should follow when creating a password.

Rule 1 – Password Length: Use passwords that
are at least 8 characters long. The more
characters in the password, the better, because
an attacker needs longer to crack it. 10
characters or longer is better still.

Rule 2 – Password Complexity: Your password
should contain at least one character from each
of the following four classes:
Creating a Strong Password
1.Lower-case letters
2.Upper-case letters
3.Numbers
4.Special characters

Use the “8 4 Rule”
8 = 8 characters minimum length
4 = 1 lower case + 1 upper case + 1 number + 1
special character.

Do not use a password
strength checking website!
Any ideas why this
is a bad idea?
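Why not a strength-checking website: you would be handing your password to a third party. The check can be done locally. This added example (not from the slides) implements the 8 4 Rule, rejects a few entries of the kind found on every cracker's wordlist, and estimates the brute-force search space, which shows that length buys more than complexity. The wordlist sample and the guess rate of 1e10 per second are assumptions.

```python
import math
import string
from typing import Dict, List, Set

# The four character classes of the "8 4 Rule".
CLASSES: Dict[str, Set[str]] = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

# Constructed stand-in for a real common-password list (which has millions of entries).
COMMON: Set[str] = {"password", "password1", "Password1!", "letmein", "qwerty123", "Welcome1!"}


def classes_used(pw: str) -> List[str]:
    """Names of the character classes that appear in pw."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in pw)]


def check_8_4(pw: str) -> List[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    problems: List[str] = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    used = classes_used(pw)
    for name in CLASSES:
        if name not in used:
            problems.append(f"no {name} character")
    # A password can satisfy every composition rule and still be the first guess.
    if pw in COMMON:
        problems.append("on common-password list")
    return problems


def keyspace_bits(pw: str) -> float:
    """Bits of brute-force search space implied by the length and the classes used."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def crack_years(pw: str, guesses_per_second: float = 1e10) -> float:
    """Expected years to brute-force pw at an assumed offline guess rate
    (1e10/s is an assumption; expect on average to search half the space)."""
    return 2 ** (keyspace_bits(pw) - 1) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ["password", "Ab1!", "Password1!", "Tr0ub4dor&3", "correcthorsebatterystaple"]:
        print(f"{pw:28s} {keyspace_bits(pw):6.1f} bits  {crack_years(pw):12.3g} years  {check_8_4(pw)}")
```

Run it and compare the last two lines: the 25-letter lower-case phrase fails the composition rule yet has a far larger search space than the 11-character mixed password, which is the point behind Rule 1.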
Adware, Malware, Spyware
Adware – unwanted software which displays
advertisements; usually noticed
Malware – the general term for malicious
software, noticed or not, which causes harm
Spyware – unwanted software which goes
unnoticed and harvests your personal
information

Use endpoint protection!
Adware, Malware, Spyware
How these get on your computer:
Email
Web pages
Downloaded software
CD, USB flash drive
Sometimes, out of the box
Trojan Malware
Baiting
Hey, look! A free USB drive!
I wonder what is on this confidential CD which I found
in the bathroom?

These are vectors for malware!
Play on your curiosity or desire to get something for
nothing

Don’t be a piggy!
Precautions You Can Take
A Note About Out of Office Assistant
Using the Out of Office responder in a
responsible manner – minimum
necessary information
Physical Security

• The UW is a fairly open and shared
  physical environment
• Seeing strangers is normal, we won’t know
  if they are here as friend or foe
• Lock your office
• Lock your desk
• Lock your computer
• Criminals are opportunistic
• Even if you are just gone for a moment
• Report suspicious activity to your
  administration and UW Police
• If you have an IT related concern, contact
  the Office of Campus Information Security
Sharing Information With The Public
• The University of Wisconsin is an open
  environment
• However, on occasion, this open nature
  can be exploited by people with nefarious
  intent
• Don’t volunteer sensitive information
• Only disclose what is necessary
• Follow records retention policies
• When in doubt, ask for proof, honest
  people will understand, dishonest people
  will become frustrated
Looking In the Mirror
• Which types of sensitive information do
  you have access to?
• What about others who share the
  computer network with you?
• The threat from within may exceed
  external threats
• File sharing software and services
• Think about the implications of that
  data being stolen and exploited!
Traveling With Sensitive Information
• Minimum amount necessary
• Don’t send as checked baggage
• When going through security at the
  airport, place the computer as the last item
  on the conveyor belt and time your walk
  through the scanner so that you and it
  reach the other side together
Questions and Discussion
Nicholas Davis
ndavis1@wisc.edu
608-262-3837
facebook.com/nicholas.a.davis

Más contenido relacionado

La actualidad más candente

Web Application Security Session for Web Developers
Web Application Security Session for Web DevelopersWeb Application Security Session for Web Developers
Web Application Security Session for Web DevelopersKrishna Srikanth Manda
 
Employee Security Awareness Program
Employee Security Awareness ProgramEmployee Security Awareness Program
Employee Security Awareness Programdavidcurriecia
 
Hyphenet Security Awareness Training
Hyphenet Security Awareness TrainingHyphenet Security Awareness Training
Hyphenet Security Awareness TrainingJen Ruhman
 
NENA 2017 Doxing and Social Engineering
NENA 2017 Doxing and Social EngineeringNENA 2017 Doxing and Social Engineering
NENA 2017 Doxing and Social EngineeringJack Kessler
 
Keeping you and your library safe and secure
Keeping you and your library safe and secureKeeping you and your library safe and secure
Keeping you and your library safe and secureLYRASIS
 
Information Security Awareness, Petronas Marketing Sudan
Information Security Awareness, Petronas Marketing SudanInformation Security Awareness, Petronas Marketing Sudan
Information Security Awareness, Petronas Marketing SudanAhmed Musaad
 
Itsa end user 2013
Itsa end user 2013Itsa end user 2013
Itsa end user 2013salleh1n
 
Computer security and privacy
Computer security and privacyComputer security and privacy
Computer security and privacyeiramespi07
 
Final report ethical hacking
Final report ethical hackingFinal report ethical hacking
Final report ethical hackingsamprada123
 
csa2014 IBC
csa2014 IBCcsa2014 IBC
csa2014 IBCapyn
 
IT Security DOs and DON'Ts
IT Security DOs and DON'Ts IT Security DOs and DON'Ts
IT Security DOs and DON'Ts Sophos
 
Cybercrime And Cyber forensics
Cybercrime And  Cyber forensics Cybercrime And  Cyber forensics
Cybercrime And Cyber forensics sunanditaAnand
 
Cyber Safety Class 9
Cyber Safety Class 9Cyber Safety Class 9
Cyber Safety Class 9NehaRohtagi1
 

La actualidad más candente (20)

Web Application Security Session for Web Developers
Web Application Security Session for Web DevelopersWeb Application Security Session for Web Developers
Web Application Security Session for Web Developers
 
Employee Security Awareness Program
Employee Security Awareness ProgramEmployee Security Awareness Program
Employee Security Awareness Program
 
Hyphenet Security Awareness Training
Hyphenet Security Awareness TrainingHyphenet Security Awareness Training
Hyphenet Security Awareness Training
 
Internet security
Internet securityInternet security
Internet security
 
NENA 2017 Doxing and Social Engineering
NENA 2017 Doxing and Social EngineeringNENA 2017 Doxing and Social Engineering
NENA 2017 Doxing and Social Engineering
 
Eset cybersecurity awareness (laxman giri)
Eset cybersecurity awareness (laxman giri)Eset cybersecurity awareness (laxman giri)
Eset cybersecurity awareness (laxman giri)
 
Keeping you and your library safe and secure
Keeping you and your library safe and secureKeeping you and your library safe and secure
Keeping you and your library safe and secure
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
Information Security Awareness, Petronas Marketing Sudan
Information Security Awareness, Petronas Marketing SudanInformation Security Awareness, Petronas Marketing Sudan
Information Security Awareness, Petronas Marketing Sudan
 
Itsa end user 2013
Itsa end user 2013Itsa end user 2013
Itsa end user 2013
 
Computer security and privacy
Computer security and privacyComputer security and privacy
Computer security and privacy
 
Final report ethical hacking
Final report ethical hackingFinal report ethical hacking
Final report ethical hacking
 
part 3 cyber crimes
part 3 cyber crimes part 3 cyber crimes
part 3 cyber crimes
 
Types of cyber crimes
Types of cyber crimesTypes of cyber crimes
Types of cyber crimes
 
csa2014 IBC
csa2014 IBCcsa2014 IBC
csa2014 IBC
 
IT Security DOs and DON'Ts
IT Security DOs and DON'Ts IT Security DOs and DON'Ts
IT Security DOs and DON'Ts
 
Cybercrime And Cyber forensics
Cybercrime And  Cyber forensics Cybercrime And  Cyber forensics
Cybercrime And Cyber forensics
 
PART 2 TYPES OF CYBER CRIMES
PART 2 TYPES OF CYBER CRIMESPART 2 TYPES OF CYBER CRIMES
PART 2 TYPES OF CYBER CRIMES
 
Cyber Safety Class 9
Cyber Safety Class 9Cyber Safety Class 9
Cyber Safety Class 9
 

Similar a It security in healthcare

Cyber Security Awareness Training by Win-Pro
Cyber Security Awareness Training by Win-ProCyber Security Awareness Training by Win-Pro
Cyber Security Awareness Training by Win-ProRonald Soh
 
Internet Security
Internet SecurityInternet Security
Internet Securitymjelson
 
Information Security Awareness Training
Information Security Awareness TrainingInformation Security Awareness Training
Information Security Awareness TrainingRandy Bowman
 
Cybersecurity - Defense Against The Dark Arts Harry Potter Style
Cybersecurity - Defense Against The Dark Arts Harry Potter StyleCybersecurity - Defense Against The Dark Arts Harry Potter Style
Cybersecurity - Defense Against The Dark Arts Harry Potter StyleBrian Pichman
 
CyberSecurity Cyber24x7.pdf
CyberSecurity Cyber24x7.pdfCyberSecurity Cyber24x7.pdf
CyberSecurity Cyber24x7.pdfVarinder K
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024Brian Pichman
 
Securing and Safeguarding Your Library Setup
Securing and Safeguarding Your Library SetupSecuring and Safeguarding Your Library Setup
Securing and Safeguarding Your Library SetupBrian Pichman
 
Cyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionalsCyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionalsKrishna Srikanth Manda
 
Information Security Awareness: at Work, at Home, and For Your Kids
Information Security Awareness: at Work, at Home, and For Your Kids Information Security Awareness: at Work, at Home, and For Your Kids
Information Security Awareness: at Work, at Home, and For Your Kids Nicholas Davis
 
Securing & Safeguarding Your Library Setup.pptx
Securing & Safeguarding Your Library Setup.pptxSecuring & Safeguarding Your Library Setup.pptx
Securing & Safeguarding Your Library Setup.pptxBrian Pichman
 
E business internet fraud
E business internet fraudE business internet fraud
E business internet fraudRadiant Minds
 
Meeting the Cybersecurity Challenge
Meeting the Cybersecurity ChallengeMeeting the Cybersecurity Challenge
Meeting the Cybersecurity ChallengeNet at Work
 
Unveiling the dark web. The importance of your cybersecurity posture
Unveiling the dark web. The importance of your cybersecurity postureUnveiling the dark web. The importance of your cybersecurity posture
Unveiling the dark web. The importance of your cybersecurity postureLourdes Paloma Gimenez
 
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfitsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfMansoorAhmed57263
 
IT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptIT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptOoXair
 
Cyber security-1.pptx
Cyber security-1.pptxCyber security-1.pptx
Cyber security-1.pptxCharithraaAR
 
Cyber crime and cyber security
Cyber crime and cyber securityCyber crime and cyber security
Cyber crime and cyber securityKaushal Solanki
 
TheCyberThreatAndYou2_deck.pptx
TheCyberThreatAndYou2_deck.pptxTheCyberThreatAndYou2_deck.pptx
TheCyberThreatAndYou2_deck.pptxKevinRiley83
 
Phishing Whaling and Hacking Case Studies.pptx
Phishing Whaling and Hacking Case Studies.pptxPhishing Whaling and Hacking Case Studies.pptx
Phishing Whaling and Hacking Case Studies.pptxStephen Jesukanth Martin
 

Similar a It security in healthcare (20)

Cyber Security Awareness Training by Win-Pro
Cyber Security Awareness Training by Win-ProCyber Security Awareness Training by Win-Pro
Cyber Security Awareness Training by Win-Pro
 
Internet Security
Internet SecurityInternet Security
Internet Security
 
Information Security Awareness Training
Information Security Awareness TrainingInformation Security Awareness Training
Information Security Awareness Training
 
Cybersecurity - Defense Against The Dark Arts Harry Potter Style
Cybersecurity - Defense Against The Dark Arts Harry Potter StyleCybersecurity - Defense Against The Dark Arts Harry Potter Style
Cybersecurity - Defense Against The Dark Arts Harry Potter Style
 
CyberSecurity Cyber24x7.pdf
CyberSecurity Cyber24x7.pdfCyberSecurity Cyber24x7.pdf
CyberSecurity Cyber24x7.pdf
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024
 
Securing and Safeguarding Your Library Setup
Securing and Safeguarding Your Library SetupSecuring and Safeguarding Your Library Setup
Securing and Safeguarding Your Library Setup
 
Cyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionalsCyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionals
 
Information Security Awareness: at Work, at Home, and For Your Kids
Information Security Awareness: at Work, at Home, and For Your Kids Information Security Awareness: at Work, at Home, and For Your Kids
Information Security Awareness: at Work, at Home, and For Your Kids
 
Securing & Safeguarding Your Library Setup.pptx
Securing & Safeguarding Your Library Setup.pptxSecuring & Safeguarding Your Library Setup.pptx
Securing & Safeguarding Your Library Setup.pptx
 
E business internet fraud
E business internet fraudE business internet fraud
E business internet fraud
 
Meeting the Cybersecurity Challenge
Meeting the Cybersecurity ChallengeMeeting the Cybersecurity Challenge
Meeting the Cybersecurity Challenge
 
Unveiling the dark web. The importance of your cybersecurity posture
Unveiling the dark web. The importance of your cybersecurity postureUnveiling the dark web. The importance of your cybersecurity posture
Unveiling the dark web. The importance of your cybersecurity posture
 
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdfitsecurityawareness-v1-230413174238-5e7cba3c.pdf
itsecurityawareness-v1-230413174238-5e7cba3c.pdf
 
IT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptIT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.ppt
 
Cyber security-1.pptx
Cyber security-1.pptxCyber security-1.pptx
Cyber security-1.pptx
 
Cyber crime and cyber security
Cyber crime and cyber securityCyber crime and cyber security
Cyber crime and cyber security
 
TheCyberThreatAndYou2_deck.pptx
TheCyberThreatAndYou2_deck.pptxTheCyberThreatAndYou2_deck.pptx
TheCyberThreatAndYou2_deck.pptx
 
Personal Threat Models
Personal Threat ModelsPersonal Threat Models
Personal Threat Models
 
Phishing Whaling and Hacking Case Studies.pptx
Phishing Whaling and Hacking Case Studies.pptxPhishing Whaling and Hacking Case Studies.pptx
Phishing Whaling and Hacking Case Studies.pptx
 

Más de Nicholas Davis

Conducting a NIST Cybersecurity Framework (CSF) Assessment
Conducting a NIST Cybersecurity Framework (CSF) AssessmentConducting a NIST Cybersecurity Framework (CSF) Assessment
Conducting a NIST Cybersecurity Framework (CSF) AssessmentNicholas Davis
 
Top Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessTop Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessNicholas Davis
 
UW-Madison, Information Systems 371 - Decision Support Systems
UW-Madison, Information Systems 371 - Decision Support SystemsUW-Madison, Information Systems 371 - Decision Support Systems
UW-Madison, Information Systems 371 - Decision Support SystemsNicholas Davis
 
Software Development Methodologies
Software Development MethodologiesSoftware Development Methodologies
Software Development MethodologiesNicholas Davis
 
Information systems 365 - Cloud and BYOD Security
Information systems 365 - Cloud and BYOD SecurityInformation systems 365 - Cloud and BYOD Security
Information systems 365 - Cloud and BYOD SecurityNicholas Davis
 
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...Nicholas Davis
 
Information Systems 371 -The Internet of Things Overview
Information Systems 371 -The Internet of Things OverviewInformation Systems 371 -The Internet of Things Overview
Information Systems 371 -The Internet of Things OverviewNicholas Davis
 
Cyberwar Gets Personal
Cyberwar Gets PersonalCyberwar Gets Personal
Cyberwar Gets PersonalNicholas Davis
 
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...Nicholas Davis
 
Bringing the Entire Information Security Semester Together With a Team Project
Bringing the Entire Information Security Semester Together With a Team ProjectBringing the Entire Information Security Semester Together With a Team Project
Bringing the Entire Information Security Semester Together With a Team ProjectNicholas Davis
 
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...Nicholas Davis
 
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...Nicholas Davis
 
Information Security Fall Semester 2016 - Course Wrap Up Summary
Information Security Fall Semester 2016 - Course Wrap Up SummaryInformation Security Fall Semester 2016 - Course Wrap Up Summary
Information Security Fall Semester 2016 - Course Wrap Up SummaryNicholas Davis
 
Organizational Phishing Education
Organizational Phishing EducationOrganizational Phishing Education
Organizational Phishing EducationNicholas Davis
 
Security Operations -- An Overview
Security Operations -- An OverviewSecurity Operations -- An Overview
Security Operations -- An OverviewNicholas Davis
 
Network Design, Common Network Terminology and Security Implications
Network Design, Common Network Terminology and Security ImplicationsNetwork Design, Common Network Terminology and Security Implications
Network Design, Common Network Terminology and Security ImplicationsNicholas Davis
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application SecurityNicholas Davis
 
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...
Information Security 365/765 Lecture 13 – Legal Regulations,  Industry Compli...Information Security 365/765 Lecture 13 – Legal Regulations,  Industry Compli...
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...Nicholas Davis
 
Demystifying Professional Certifications
Demystifying Professional CertificationsDemystifying Professional Certifications
Demystifying Professional CertificationsNicholas Davis
 

Más de Nicholas Davis (20)

Conducting a NIST Cybersecurity Framework (CSF) Assessment
Conducting a NIST Cybersecurity Framework (CSF) AssessmentConducting a NIST Cybersecurity Framework (CSF) Assessment
Conducting a NIST Cybersecurity Framework (CSF) Assessment
 
Top Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessTop Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your Business
 
UW-Madison, Information Systems 371 - Decision Support Systems
UW-Madison, Information Systems 371 - Decision Support SystemsUW-Madison, Information Systems 371 - Decision Support Systems
UW-Madison, Information Systems 371 - Decision Support Systems
 
Lecture blockchain
Lecture blockchainLecture blockchain
Lecture blockchain
 
Software Development Methodologies
Software Development MethodologiesSoftware Development Methodologies
Software Development Methodologies
 
Information systems 365 - Cloud and BYOD Security
Information systems 365 - Cloud and BYOD SecurityInformation systems 365 - Cloud and BYOD Security
Information systems 365 - Cloud and BYOD Security
 
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
 
Information Systems 371 -The Internet of Things Overview
Information Systems 371 -The Internet of Things OverviewInformation Systems 371 -The Internet of Things Overview
Information Systems 371 -The Internet of Things Overview
 
Cyberwar Gets Personal
Cyberwar Gets PersonalCyberwar Gets Personal
Cyberwar Gets Personal
 
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
 

IT security in healthcare

1. Information Security In Healthcare Environments
Nicholas A. Davis, CISA, CISSP
Information Security Architect
University of Wisconsin-Madison
Division of Information Technology (DoIT)

2. Introduction
• Background
• Thank you for the invitation
• Today’s Topic: Information Security in Healthcare Environments
• HIPAA and PHI Controls
• Healthcare Environment Vulnerability
• Social Engineering
• Precautions You Can Take
• Q&A Session

3. HIPAA and PHI Controls

4. HIPAA Obligations
Information covered by HIPAA must be protected:
1. Confidentiality: Only those with a need to know can see the information.
2. Integrity: Only those authorized to alter information can do so.
3. Availability: The information can be accessed by those who are authorized to view it.

5. Protected Identifiers
• Name (full or partial)
• Address
• Specific dates (day and month), but not year
• Telephone
• Fax
• Email
• Webpage address
• Computer IP address
• Social Security Number
• Account identification numbers
• License identification numbers
• Medical record numbers
• Health plan beneficiary numbers
• Medical device identifiers, such as serial number
• Associated vehicle VINs and other vehicle identification information
• Any biometric identifier (fingerprint, eye scan, etc.)
• Photos and images
• Anything else which can be used to identify a person

6. Types of Controls
• Technical controls
• Administrative controls
• Some examples, consider your facility
• Benefits and drawbacks of each

7. Types of Controls
Administrative Controls:
• Easy to implement
• Inexpensive
• Flexible
Work best in environments in which people want to do the “right thing”
Technical Controls:
• Complex to implement
• Costly
• Stringent
Work best in environments in which adherence by everyone is critical

8. Information Leakage
Common points of HIPAA information leakage are:
• Video monitors
• Printers
• Fax machines
• Copiers
• Unprotected trash bins
The best way to prevent information leakage is to practice the Minimum Necessary Standard, which means that you should only access the minimum amount of HIPAA-related information necessary to perform your job.
9. Preventing Information Leakage
• Create and use a data storage policy, including lifecycle management
• Never leave HIPAA information unprotected, electronically or physically
• Don’t make unnecessary copies
• Destroy electronic media and paper copies containing HIPAA-related information according to appropriate standards before disposing of them

10. HIPAA Sensitive Behaviors
• Lockdown cables for computers
• Locked office area, locked desk drawers
• Use strong passwords which adhere to best practices
• Log out when not in use
• Consider using a screen protector to limit visibility
• Antivirus, patching of the operating system, etc.
• Don’t install unauthorized software on your computer
• Don’t use file sharing services

11. Portable Devices
• Any mobile device containing HIPAA information should be encrypted and access protected
• This includes portable USB hard disks, flash drives, etc.
• Best idea is not to use mobile devices for HIPAA-related work

12. How Computers Become Vulnerable to e-PHI Leaks
• Infected email attachments
• Computer software from non-secure sources
• Websites
• Files stored on external electronic or magnetic storage media

13. HIPAA Security Summary
• Avoid risks associated with malicious computer software
• Protect against unauthorized use of system user IDs and passwords
• Protect portable devices
• Adhere to policies and procedures
• Consider using dedicated computers
• Report suspected incidents

14. Availability - Having a Plan B
• Systems must be available when needed
• When things don’t work as planned, there must be an alternate method of access
• No single point of failure is acceptable when it comes to healthcare system access
• Plan your systems for the worst case scenario
15. Healthcare Environment Vulnerability

16. Equipment
• Diagnostic equipment
• Workstations
• Anything with an input
• Anything connected via a network

17. Theoretical Example
• Nick’s visit to Immediate Care, last night
• Staff member locks screen, leaves room
• Alone in exam room with computer
• The computer appears secured, but is it?

18. How Is the Computer Vulnerable?
• USB port
• CD drive

19. Keyloggers
• Tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored
• Software or hardware based

20. Lesson Learned
• Physically limit the number of methods for machine input: USB ports, CD/DVD drive
• When possible, the machine itself should be physically secured / encased
• When possible, do not leave the machine unattended
22. Technology Is Not The Entire Answer
Strong computer security has two components:
• The Technology: passwords, encryption, endpoint protection such as anti-virus
• The People: you, your customers, your business partners

23. Social Engineering
• The art of manipulating people into performing actions or divulging confidential information
• It is typically trickery or deception for the purpose of information gathering, fraud, or computer system access

24. Most Popular Type of Social Engineering
• Pretexting: An individual lies to obtain privileged data. A pretext is a false motive.
• Pretexting is a fancy term for impersonation
• A big problem for computer Help Desks, in all organizations
• Example:

25. Let’s Think of a Common Pretexting Example
Dear Windows User, It has come to our attention that your Microsoft windows Installation records are out of date. Every Windows installation has to be tied to an email account for daily update. This requires you to verify the Email Account. Failure to verify your records will result in account suspension. Click on the Verify button below and enter your login information on the following page to Confirm your records. Thank you, Microsoft Windows Team.

26. Warning Signs of Social Engineering
• You are made to feel as if you are doing something wrong
• You are being pressured into performing an action
• There is a sense of urgency and immediacy
• There is no way to confirm the veracity of what is claimed

27. Phishing
• Deception, but not just in person
• Email
• Websites
• Facebook status updates
• Tweets
• Phishing, in the context of the healthcare working environment, is extremely dangerous

28. Don’t Touch That QR Code
• Just as bad as clicking on an unknown link
• Looks fancy and official, but is easy to create

29. What Phishing Looks Like
• As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows.
• They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.

30. Techniques For Phishing
• Employ visual elements from the target site
• DNS tricks:
  • www.ebay.com.kr
  • www.ebay.com@192.168.0.5
  • www.gooogle.com
• JavaScript attacks
• Spoofed SSL lock
• Certificates:
  • Phishers can acquire certificates for domains they own
  • Certificate authorities make mistakes
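As an added example that is not part of the slide deck, the following Python check recognises the three DNS tricks listed on this slide from a defender's side. The trusted-domain list is a constructed placeholder, and approximating the registered domain by its last two labels is a simplification.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this demonstration; an organisation would
# substitute the domains it actually expects staff to visit.
TRUSTED_DOMAINS = {"ebay.com", "google.com", "wisc.edu"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_signals(url: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return the deception signals found in a URL; an empty list means none."""
    if "://" not in url:
        url = "http://" + url          # the slide lists bare host names
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    signals = []
    # Trick 1: "name@host" - the browser connects to what follows the '@'
    if parts.username:
        signals.append(f"userinfo trick: real host is {host}, not {parts.username}")
    # A genuine host is the trusted domain itself or a subdomain of it
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return signals
    # Trick 2: trusted name buried inside an unrelated domain (ebay.com.kr)
    for t in trusted:
        if t in host:
            signals.append(f"trusted name '{t}' embedded in unrelated host {host}")
    # Trick 3: typo-squat of a trusted domain (gooogle.com); the registered
    # domain is approximated as the last two labels, a simplification
    registered = ".".join(host.split(".")[-2:])
    for t in trusted:
        if registered != t and levenshtein(registered, t) <= 2:
            signals.append(f"look-alike of '{t}': {registered}")
    return signals


if __name__ == "__main__":
    for u in ("https://www.ebay.com/signin", "www.ebay.com.kr",
              "www.ebay.com@192.168.0.5", "www.gooogle.com"):
        print(u, "->", phishing_signals(u) or "no signals")
```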
31. Let’s Talk About Facebook
• So important, it gets its own slide!
• Essentially unauthenticated – discussion
• Three friends and you’re out! – discussion
• Privacy settings mean nothing – discussion
• Treasure trove of identity information
• Games as information harvesters

33. Context Aware
• “Your bid on eBay has won!”
• “The books on your Amazon wish list are on sale!”

35. Too Good to be True, Even When It Is Signed

36. Detecting Fraudulent Email
• Information requested is inappropriate for the channel of communication: "Verify your account." Nobody should ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail.
• Urgency and potential penalty or loss are implied: "If you don't respond within 48 hours, your account will be closed."

37. Detecting Fraudulent Email
• "Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.

38. A Note on Spear Phishing
• Designed especially for you
• Includes your name
• May reference an environment or issue you are aware of and familiar with
• Asks for special treatment, with justification for the request
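As an added example (not from the slides), this Python turns the three warning signs from slides 36 and 37 into simple heuristics and runs them over two constructed messages: the pretext from slide 25 and a benign note. The patterns are illustrative, not an exhaustive phishing vocabulary.

```python
import re

# One pattern per warning sign on the slides; illustrative, not exhaustive.
CREDENTIAL_REQUEST = re.compile(
    r"(password|login (name|information)|social security|verify your (account|records|email))",
    re.IGNORECASE)
URGENCY_OR_PENALTY = re.compile(
    r"(within \d+ hours?|immediately|failure to|will be (closed|suspended)|account suspension)",
    re.IGNORECASE)
GENERIC_SALUTATION = re.compile(
    r"^\s*dear (valued )?(customer|user|member|windows user)\b", re.IGNORECASE)


def fraud_signals(message: str) -> dict:
    """Flag each warning sign present in a message body."""
    return {
        "asks_for_credentials": bool(CREDENTIAL_REQUEST.search(message)),
        "implies_urgency_or_penalty": bool(URGENCY_OR_PENALTY.search(message)),
        "generic_salutation": bool(GENERIC_SALUTATION.search(message)),
    }


def risk_score(message: str) -> int:
    """Number of warning signs present (0 to 3); two or more calls for
    confirming the request through a channel you already trust."""
    return sum(fraud_signals(message).values())


# Constructed sample messages: the slide 25 pretext and a benign note.
PRETEXT_MAIL = (
    "Dear Windows User, It has come to our attention that your Microsoft windows "
    "Installation records are out of date. Every Windows installation has to be "
    "tied to an email account for daily update. This requires you to verify the "
    "Email Account. Failure to verify your records will result in account "
    "suspension. Click on the Verify button below and enter your login information "
    "on the following page to Confirm your records. Thank you, Microsoft Windows Team."
)
BENIGN_MAIL = (
    "Hi Nick, the revised exam room schedule for next week is attached. "
    "Let me know if Tuesday afternoon still works. Thanks, Maria"
)

if __name__ == "__main__":
    for name, body in (("pretext", PRETEXT_MAIL), ("benign", BENIGN_MAIL)):
        print(name, risk_score(body), fraud_signals(body))
```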
39. Passwords
Your password is your electronic key to valuable resources.
• Sharing – toothbrush discussion
• Theft – discussion
• Password rotation – discussion

40. Creating a Strong Password
The following two rules are the bare minimum you should follow when creating a password.
• Rule 1 – Password Length: Stick with passwords that are at least 8 characters in length. The more characters in the password, the better, as the time taken by an attacker to crack the password will be longer. 10 characters or longer is better.
• Rule 2 – Password Complexity: At least 4 characters in your password should be one each of the following:

41. Creating a Strong Password
1. Lower case letters
2. Upper case letters
3. Numbers
4. Special characters
Use the “8 4 Rule”:
• 8 = 8 characters minimum length
• 4 = 1 lower case + 1 upper case + 1 number + 1 special character
Do not use a password strength checking website! Any ideas why this is a bad idea?
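As an added example (not from the slides), this Python applies the “8 4 Rule” locally, so the password never leaves the machine, and shows why Rule 1 matters by computing how the brute-force search space grows with length. The guess rate of 10^10 per second is an assumed round figure for illustration only.

```python
import string


def check_8_4_rule(password: str) -> list:
    """Return the rules the password breaks; an empty list means it satisfies the 8 4 Rule."""
    failures = []
    if len(password) < 8:
        failures.append("fewer than 8 characters")
    if not any(c.islower() for c in password):
        failures.append("no lower case letter")
    if not any(c.isupper() for c in password):
        failures.append("no upper case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    return failures


def alphabet_size(password: str) -> int:
    """Size of the character set an attacker must search, given the classes actually used."""
    classes = [
        (26, any(c.islower() for c in password)),
        (26, any(c.isupper() for c in password)),
        (10, any(c.isdigit() for c in password)),
        (len(string.punctuation), any(c in string.punctuation for c in password)),
    ]
    return sum(size for size, used in classes if used)


def years_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case years to try every password of this length and alphabet.
    The guess rate is an assumed figure, not a measurement."""
    keyspace = alphabet_size(password) ** len(password)
    return keyspace / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("password", "Pa1!", "badger12", "Badger#2", "Badger#2024"):
        print(pw, check_8_4_rule(pw) or "passes", f"{years_to_exhaust(pw):.3g} years")
```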
42. Adware, Malware, Spyware
• Adware – unwanted ad software which is noticed
• Malware – unwanted software which is noticed and potentially causes harm
• Spyware – unwanted software which goes unnoticed and harvests your personal information
Use endpoint protection!

43. Adware, Malware, Spyware
How these get on your computer:
• Email
• Web pages
• Downloaded software
• CD, USB flash drive
• Sometimes, out of the box

45. Baiting
• Hey, look! A free USB drive!
• I wonder what is on this confidential CD which I found in the bathroom?
• These are vectors for malware!
• Plays on your curiosity or desire to get something for nothing
• Don’t be a piggy!

47. A Note About Out of Office Assistant
• Use the Out of Office responder in a responsible manner – minimum necessary information

48. Physical Security
• The UW is a fairly open and shared physical environment
• Seeing strangers is normal; we won’t know if they are here as friend or foe
• Lock your office
• Lock your desk
• Lock your computer
• Criminals are opportunistic
• Even if you are just gone for a moment
• Report suspicious activity to your administration and UW Police
• If you have an IT-related concern, contact the Office of Campus Information Security

49. Sharing Information With The Public
• The University of Wisconsin is an open environment
• However, on occasion, this open nature can be exploited by people with nefarious intent
• Don’t volunteer sensitive information
• Only disclose what is necessary
• Follow records retention policies
• When in doubt, ask for proof; honest people will understand, dishonest people will become frustrated

50. Looking In the Mirror
• Which types of sensitive information do you have access to?
• What about others who share the computer network with you?
• The threat from within may exceed external threats
• File sharing software and services
• Think about the implications of that data being stolen and exploited!

51. Traveling With Sensitive Information
• Minimum amount necessary
• Don’t send as checked baggage
• When going through security at the airport, place the computer as the last item on the conveyor belt and time your walk through concurrently

52. Questions and Discussion
Nicholas Davis
ndavis1@wisc.edu
608-262-3837
facebook.com/nicholas.a.davis