2. Introduction
• Background
• Thank you for the invitation
• Today’s Topic: Information Security in Healthcare Environments
• HIPAA and PHI Controls
• Healthcare Environment Vulnerability
• Social Engineering
• Precautions You Can Take
• Q&A Session
4. HIPAA Obligations
Information covered by HIPAA must be protected:
1. Confidentiality: Only those with a need to know can see the information.
2. Integrity: Only those authorized to alter information can do so.
3. Availability: The information can be accessed by those who are authorized to view it.
5. Protected Identifiers
Name (full or partial)
Address
Specific dates (day and month), but not year
Telephone
Fax
Email
Webpage address
Computer IP address
Social Security Number
Account identification numbers
License identification numbers
Medical record numbers
Health plan beneficiary numbers
Medical device identifiers, such as serial number
Associated vehicle VINs and other vehicle identification information
Any biometric identifier (fingerprint, eye scan, etc.)
Photos and images
Anything else which can be used to identify a person
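As an added example (not part of the presentation), the Python below scans free text for several of the identifier types in the list above, the kind of screen a data-loss-prevention filter runs before a note or e-mail leaves a system. The category names, regular expressions and the sample clinical note are this example's own constructions; the patterns are deliberately coarse and would need tuning against real record formats.

```python
import re
from typing import Dict, List, Tuple

# Coarse patterns for a subset of the identifiers listed above. Names and
# regexes are this example's own choices, not a standard; a real DLP filter
# would tune them against its own record formats.
PHI_PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "telephone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    # Month/day dates; the year alone is not an identifier in the list above,
    # so a bare "2013" is left untouched.
    "date": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])(?:/\d{2,4})?\b"),
    # Labelled record, beneficiary or device numbers; group 1 is the number itself.
    "record_number": re.compile(
        r"\b(?:MRN|Health Plan ID|Serial No\.?)\s*:?\s*([A-Z0-9-]{6,})", re.IGNORECASE
    ),
}

# Constructed sample note (fictional values) used to exercise the scanner.
SAMPLE_NOTE = """\
Patient seen 03/14 for follow-up. MRN: 00482913. Contact: (608) 555-0142,
jane.doe@example.org. Portal login from 192.168.0.5. SSN on file 123-45-6789.
Health Plan ID: HP-77312044. Next visit planned for 2013.
"""


def find_identifiers(text: str) -> List[Tuple[str, str]]:
    """Return (category, value) for every identifier pattern that matches."""
    hits: List[Tuple[str, str]] = []
    for category, pattern in PHI_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((category, m.group(1) if pattern.groups else m.group(0)))
    return hits


def summarize(text: str) -> Dict[str, int]:
    """Count matches per category, e.g. {'ssn': 1, 'telephone': 1, ...}."""
    counts: Dict[str, int] = {}
    for category, _ in find_identifiers(text):
        counts[category] = counts.get(category, 0) + 1
    return counts


def redact(text: str) -> str:
    """Replace each identifier with a [CATEGORY] token, keeping any label text."""
    for category, pattern in PHI_PATTERNS.items():
        token = f"[{category.upper()}]"

        def _sub(m: re.Match, token: str = token, groups: int = pattern.groups) -> str:
            # For labelled numbers keep "MRN:" and replace only the number.
            return m.group(0).replace(m.group(1), token) if groups else token

        text = pattern.sub(_sub, text)
    return text


if __name__ == "__main__":
    print(summarize(SAMPLE_NOTE))
    print(redact(SAMPLE_NOTE))
```

Running the scanner over the constructed note reports one hit each for SSN, telephone, e-mail, IP address and date, and two labelled record numbers; the redacted copy keeps the labels and the bare year, which is the behaviour the identifier list above calls for.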
6. Types of Controls
Technical controls
Administrative controls
Some examples, consider your facility
Benefits and drawbacks of each
7. Types of Controls
Administrative Controls:
• Easy to implement
• Inexpensive
• Flexible
Work best in environments in which people want to do the “right thing”
Technical Controls:
• Complex to implement
• Costly
• Stringent
Work best in environments in which adherence by everyone is critical
8. Information Leakage
Common points of HIPAA information leakage are:
• Video monitors
• Printers
• Fax machines
• Copiers
• Unprotected trash bins
The best way to prevent information leakage is to practice the Minimum Necessary Standard, which means that you should only access the minimum amount of HIPAA related information necessary to perform your job.
9. Preventing Information Leakage
• Create and use a data storage policy, including lifecycle management
• Never leave HIPAA information unprotected, electronically or physically
• Don’t make unnecessary copies
• Destroy electronic media and paper copies containing HIPAA related information according to appropriate standards before disposing of them
10. HIPAA Sensitive Behaviors
Lockdown cables for computers
Locked office area, lock desk drawers
Use strong passwords which adhere to best practices
Log out when not in use
Consider using a screen protector to limit visibility
Antivirus, patching of Operating System, etc.
Don’t install unauthorized software on your computer
Don’t use file sharing services
11. Portable Devices
• Any mobile device containing HIPAA information should be encrypted and access protected
• This includes portable USB hard disks, flash drives, etc.
• Best idea is not to use mobile devices for HIPAA related work
12. How Computers Become Vulnerable to e-PHI Leaks
• Infected email attachments
• Computer software from non-secure sources
• Websites
• Files stored on external electronic or magnetic storage media
13. HIPAA Security Summary
• Avoid risks associated with malicious computer software
• Protect against unauthorized use of system user IDs and passwords
• Protect portable devices
• Adhere to policies and procedures
• Consider using dedicated computers
• Report suspected incidents
14. Availability - Having a Plan B
• Systems must be available when needed
• When things don’t work as planned, there must be an alternate method of access
• No single point of failure is appropriate when it comes to healthcare system access
• Plan your systems for the worst case scenario
17. Theoretical Example
Nick’s visit to Immediate Care, last night
Staff member locks screen, leaves room
Alone in exam room with computer
The computer appears secured, but is it?
18. How Is the Computer Vulnerable?
USB Port
CD Drive
19. Keyloggers
• Tracking (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored
• Software or hardware based
20. Lesson Learned
• Physically limit the number of methods for machine input:
  USB ports
  CD/DVD drive
• When possible, the machine itself should be physically secured / encased
• When possible, do not leave the machine unattended
22. Technology Is Not The Entire Answer
Strong computer security has two components:
The Technology: passwords, encryption, endpoint protection such as anti-virus.
The People: You, your customers, your business partners
23. Social Engineering
The art of manipulating people into performing actions or divulging confidential information
It is typically trickery or deception for the purpose of information gathering, fraud, or computer system access
24. Most Popular Type of Social Engineering
Pretexting: An individual lies to obtain privileged data. A pretext is a false motive.
Pretexting is a fancy term for impersonation
A big problem for computer Help Desks, in all organizations
Example:
25. Let’s Think of a Common Pretexting Example
Dear Windows User,
It has come to our attention that your Microsoft windows
Installation records are out of date. Every Windows
installation has to be tied to an email account for daily
update.
This requires you to verify the Email Account. Failure to
verify your records will result in account suspension.
Click on the Verify button below and enter your login
information on the following page to Confirm your records.
Thank you,
Microsoft Windows Team.
26. Warning Signs of Social Engineering
• You are made to feel as if you are doing something wrong
• You are being pressured into performing an action
• There is a sense of urgency and immediacy
• There is no way to confirm the veracity of what is claimed
27. Phishing
• Deception, but not just in person
• Email
• Websites
• Facebook status updates
• Tweets
• Phishing, in the context of the healthcare working environment, is extremely dangerous
28. Don’t Touch That QR Code
• Just as bad as clicking on an unknown link
• Looks fancy and official, but is easy to create
29. What Phishing Looks Like
• As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows.
• They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.
30. Techniques For Phishing
• Employ visual elements from target site
• DNS Tricks:
  • www.ebay.com.kr
  • www.ebay.com@192.168.0.5
  • www.gooogle.com
• JavaScript Attacks
• Spoofed SSL lock
• Certificates:
  • Phishers can acquire certificates for domains they own
  • Certificate authorities make mistakes
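The three "DNS tricks" above each exploit a different way of reading a URL: a brand name placed under a foreign top-level domain, a brand name placed in the userinfo part before the "@" (the browser connects to what follows the "@"), and a one-letter misspelling. As an added example that is not part of the presentation, the Python below classifies a URL against a small constructed list of trusted domains and returns a finding code for each of these patterns, which is the logic a link-rewriting mail filter or a user-awareness tool applies before a click. The trusted list, the finding names and the two-edit typosquat threshold are this example's own assumptions.

```python
import ipaddress
from typing import List, Set
from urllib.parse import urlsplit

# Constructed allow-list: the registrable domains a user expects for each brand.
TRUSTED_DOMAINS: Set[str] = {"ebay.com", "google.com", "microsoft.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: production code should
    consult the Public Suffix List so that e.g. 'ebay.com.kr' is treated as
    the registrable domain rather than 'com.kr'."""
    return ".".join(host.split(".")[-2:])


def inspect_url(raw: str, trusted: Set[str] = TRUSTED_DOMAINS) -> List[str]:
    """Return a list of finding codes; an empty list means nothing looked off."""
    findings: List[str] = []
    url = raw if "://" in raw else "http://" + raw  # bare hosts as typed on the slide
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    # Anything before '@' is userinfo, not the host: the browser connects to
    # what follows it, so a brand name there is pure decoration.
    if parts.username is not None:
        findings.append("userinfo-in-url")
        if any(t in parts.username.lower() for t in trusted):
            findings.append("brand-in-userinfo")

    # A raw IP address where a brand's hostname is expected.
    try:
        ipaddress.ip_address(host)
        findings.append("ip-address-host")
    except ValueError:
        pass

    # Genuinely under a trusted domain: only the userinfo checks above apply.
    if any(host == t or host.endswith("." + t) for t in trusted):
        return findings

    dotted = f".{host}."
    for t in sorted(trusted):
        # Brand appears as a label sequence but not at the registrable
        # position, e.g. www.ebay.com.kr
        if f".{t}." in dotted:
            findings.append("lookalike-domain")
        # Registrable domain within two edits of a brand, e.g. gooogle.com
        elif levenshtein(registrable_domain(host), t) <= 2:
            findings.append("typosquat")
    return findings


if __name__ == "__main__":
    for sample in ("www.ebay.com.kr", "www.ebay.com@192.168.0.5", "www.gooogle.com"):
        print(sample, "->", inspect_url(sample))
```

Each of the three slide URLs yields at least one finding, while a URL that really is under a trusted domain yields none. The checks are intentionally independent so that a filter can weight them differently: userinfo in a URL is almost never legitimate in e-mail, whereas an edit-distance hit needs a human look.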
31. Let’s Talk About Facebook
• So important, it gets its own slide!
• Essentially unauthenticated – discussion
• Three friends and you’re out! - discussion
• Privacy settings mean nothing – discussion
• Treasure Trove of identity information
• Games as information harvesters
36. Detecting Fraudulent Email
Information requested is inappropriate for the channel of communication:
“Verify your account.” Nobody should ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail.
Urgency and potential penalty or loss are implied:
“If you don't respond within 48 hours, your account will be closed.”
37. Detecting Fraudulent Email
“Dear Valued Customer.” Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.
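The three tells on these two slides (a request for credentials or personal data over e-mail, an urgency or penalty clause, and a generic greeting) can be turned into simple text heuristics. As an added example that is not part of the presentation, the Python below applies them to the pretexting message from the earlier slide and to a constructed benign clinic message for contrast. The phrase lists, flag names and the two-flag threshold are this example's own choices; a mail gateway would carry far longer lists and combine them with sender and link analysis.

```python
import re
from typing import List

# Heuristics drawn from the warning signs on the slides above. Phrases are this
# example's own choices and are intentionally short.
CREDENTIAL_REQUEST = re.compile(
    r"\b(?:verify|confirm|update|validate)\b.{0,60}?\b(?:account|password|login|records)\b"
    r"|\b(?:password|social security|ssn|login (?:information|name))\b",
    re.IGNORECASE | re.DOTALL,
)
URGENCY_OR_PENALTY = re.compile(
    r"\b(?:within \d+ hours|immediately|urgent|suspen(?:d|ded|sion)"
    r"|will be (?:closed|locked|terminated|deleted))\b",
    re.IGNORECASE,
)
# Anchored to the first line: "Dear Windows User," or "Dear Valued Customer,"
# but not "Dear Jane,".
GENERIC_GREETING = re.compile(
    r"^\s*dear\s+(?:valued\s+)?(?:\w+\s+)?(?:customer|user|member|client|account holder)\b",
    re.IGNORECASE,
)

# The pretexting e-mail from the slide above, used as the positive sample.
PHISH = """\
Dear Windows User,
It has come to our attention that your Microsoft windows Installation records
are out of date. Every Windows installation has to be tied to an email account
for daily update.
This requires you to verify the Email Account. Failure to verify your records
will result in account suspension.
Click on the Verify button below and enter your login information on the
following page to Confirm your records.
Thank you,
Microsoft Windows Team.
"""

# Constructed benign message for contrast: personal greeting, no request, no deadline.
BENIGN = """\
Dear Jane,
The radiology report from your visit is now available in the patient portal.
No action is needed; you can read it the next time you sign in.
Clinic front desk
"""


def classify(body: str) -> List[str]:
    """Return the warning-sign flags raised by a message body."""
    flags: List[str] = []
    if GENERIC_GREETING.search(body):
        flags.append("generic-greeting")
    if CREDENTIAL_REQUEST.search(body):
        flags.append("credential-request")
    if URGENCY_OR_PENALTY.search(body):
        flags.append("urgency-or-penalty")
    return flags


def is_suspicious(body: str) -> bool:
    """Two or more signs together is the point at which the reader should stop
    and verify the request out of band (phone the sender, check the portal)."""
    return len(classify(body)) >= 2


if __name__ == "__main__":
    print("phish:", classify(PHISH), is_suspicious(PHISH))
    print("benign:", classify(BENIGN), is_suspicious(BENIGN))
```

The slide's own sample trips all three flags; the benign note trips none. Keeping each tell as a separate flag, rather than a single "bad words" list, is what lets a reviewer explain to a user which sign to look for next time.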
38. A Note on Spear Phishing
• Designed especially for you
• Includes your name
• May reference an environment or issue you are aware of and familiar with
• Asks for special treatment, with justification for the request
39. Passwords
Your password is your electronic key to valuable resources.
Sharing – Toothbrush Discussion
Theft – Discussion
Password Rotation – Discussion
40. Creating a Strong Password
The following two rules are the bare minimum you should follow when creating a password.
Rule 1 – Password Length: Stick with passwords that are at least 8 characters in length. More characters are better, since the time an attacker needs to crack the password grows with its length. 10 characters or longer is better.
Rule 2 – Password Complexity: At least 4 characters in your password should come from the following classes, one from each:
41. Creating a Strong Password
1. Lower case letters
2. Upper case letters
3. Numbers
4. Special Characters
Use the “8 4 Rule”
8 = 8 characters minimum length
4 = 1 lower case + 1 upper case + 1 number + 1 special character.
Do not use a password strength checking website!
Any ideas why this is a bad idea?
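As an added example that is not part of the presentation, the Python below checks a candidate password against the "8 4 Rule" exactly as stated above and estimates the brute-force search space, which is the quantity behind the slide's claim that 10 characters beat 8. It runs entirely on the local machine, so the candidate password never leaves it. The choice of 32 printable ASCII punctuation marks as the "special character" class, and the function names, are this example's own assumptions.

```python
import math
import string
from typing import Dict, List

# Character classes behind the "8 4 Rule" above, with the size of each class
# feeding the key-space estimate. Special characters are taken here as the
# printable ASCII punctuation set (32 symbols); that is an assumption of this
# example, not a definition from the slides.
CLASSES: Dict[str, str] = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}
MIN_LENGTH = 8


def check_password(pw: str) -> List[str]:
    """Return the rules a candidate fails; [] means it meets the 8 4 Rule."""
    failures: List[str] = []
    if len(pw) < MIN_LENGTH:
        failures.append("length")
    for name, alphabet in CLASSES.items():
        if not any(ch in alphabet for ch in pw):
            failures.append(name)
    return failures


def keyspace_bits(pw: str) -> float:
    """Upper-bound strength estimate: log2 of (alphabet size) ** length, where
    the alphabet is the union of the classes actually used.

    This measures brute-force search space only; it says nothing about
    dictionary words or reuse, which is why it is only an upper bound."""
    alphabet = sum(len(a) for a in CLASSES.values() if any(ch in a for ch in pw))
    if alphabet == 0:
        return 0.0
    return len(pw) * math.log2(alphabet)


def extra_work_factor(pw_short: str, pw_long: str) -> float:
    """How many times more guesses the longer password's search space needs
    than the shorter one's. Two extra characters over a 94-symbol alphabet
    multiply the space by 94 ** 2 = 8836."""
    return 2 ** (keyspace_bits(pw_long) - keyspace_bits(pw_short))


if __name__ == "__main__":
    for candidate in ("password", "Ab1!", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate) or "meets the 8 4 Rule")
    print("8 vs 10 chars, all four classes:",
          round(extra_work_factor("Aa1!Aa1!", "Aa1!Aa1!Aa")))
```

The work-factor comparison is the arithmetic the slide alludes to: going from 8 to 10 characters with all four classes in play multiplies the search space by roughly nine thousand, far more than swapping one class for another at the same length.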
42. Adware, Malware, Spyware
Adware – unwanted ad software which is noticed
Malware – unwanted software which is noticed and potentially causes harm
Spyware – unwanted software which goes unnoticed and harvests your personal information
Use endpoint protection!
43. Adware, Malware, Spyware
How these get on your computer:
Email
Web pages
Downloaded software
CD, USB flash drive
Sometimes, out of the box
45. Baiting
Hey, look! A free USB drive!
I wonder what is on this confidential CD which I found in the bathroom?
These are vectors for malware!
Play on your curiosity or desire to get something for nothing
Don’t be a piggy!
47. A Note About Out of Office Assistant
Using the Out of Office responder in a responsible manner – minimum necessary information
48. Physical Security
• The UW is a fairly open and shared physical environment
• Seeing strangers is normal; we won’t know if they are here as friend or foe
• Lock your office
• Lock your desk
• Lock your computer
• Criminals are opportunistic
• Even if you are just gone for a moment
• Report suspicious activity to your administration and UW Police
• If you have an IT related concern, contact the Office of Campus Information Security
49. Sharing Information With The Public
• The University of Wisconsin is an open environment
• However, on occasion, this open nature can be exploited by people with nefarious intent
• Don’t volunteer sensitive information
• Only disclose what is necessary
• Follow records retention policies
• When in doubt, ask for proof; honest people will understand, dishonest people will become frustrated
50. Looking In the Mirror
• Which types of sensitive information do you have access to?
• What about others who share the computer network with you?
• The threat from within may exceed external threats
• File sharing software and services
• Think about the implications of that data being stolen and exploited!
51. Traveling With Sensitive Information
• Minimum amount necessary
• Don’t send as checked baggage
• When going through security at the airport, place the computer as the last item on the conveyor belt and time your walk through concurrently
52. Questions and Discussion
Nicholas Davis
ndavis1@wisc.edu
608-262-3837
facebook.com/nicholas.a.davis