Information Security for health practitioners

Is it possible for health practitioners to  achieve information security?  Maybe a better question is  “How can health professionals balance privacy, information security and accessibility in an online world?” Or even, should the medical profession be bothered with keeping private and sensitive information secure?

Over the last few months, I’ve been working with a number of health practitioners to help them improve their information security. Much of this has been done with a view to the introduction of electronic health records.

I sympathise with hospital administrators, doctors and nurses. They don’t have a lot of time to think about security and privacy. However, the fact is that they have to do better.

monash university - surgery clinic 2012

Criminals follow the money

According to the Australian Institute of Health and Welfare, the health system costs just under 10% of Australia’s GDP (AUD121.4 billion in 2009/10 according to the AIHW) . In the US, it is around 18% (USD2.6 trillion in 2010 according to the CDC).  With this much money involved in the health system, it is a fat series of targets for cyber attack and fraud.

Terrorist vector? Probably not.

The Department of Homeland Security has even gone so far as to suggest that the health system could be targeted by terrorists and activists in the USA. I am not convinced by this or similar suggestions as the no1 aim of terrorists remains to create terror. Terrorists understand this and seek targets and methods along those lines. It matters less how few people a terrorist kills. It is more important for the terrorists that they have an audience that can clearly see a hard link between cause (terrorist attack) and effect (death, destruction etc). The  murder of a single UK soldier in May 2013 by allegedly Al-Qaeda inspired terrorists with machetes has created significant community angst, not only in the UK where it occurred  but in Australia, Canada and the USA. Yet, it is likely that more people died on that same day on the roads in London. My point is this, that if terrorists discovered some way of causing significant death or maiming from medical equipment, I do not doubt that they would use it. However, it is likely that the effect on the collective public consciousness would not be as great as the machete attack mentioned above.

However, we must accept that it is possible, if not altogether probable. One identified flaw is the chronic inability of many health systems to patch their software and applications.

One high consequence scenario involves hackers attacking defibrillators and insulin delivery systems remotely. I think this comes into the unlikely but possible category. Shodan, was used by a hacker to access the controls of a blood glucose monitor connected to the Internet by WiFi.

Whilst we can probably discount to some extent the terrorist threat, I can imagine the attraction of such attacks as assassination vectors or for the installation of ‘ransomware‘. Thus the high consequence threat from foreign governments and organised crime can’t be as easily discounted.

Beyond the extreme, privacy compromise and fraud

Beyond these extreme events, there is the possibility that patient or staff privacy can be compromised by weak information security. Dr Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University, talking about the US health system has been quoted . “If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.”…. Unfortunately, it is not possible to hide one’s health under the mattress!

I experienced this personally about a week ago when my daughter’s optometrist sent through the results of her recent eye test, only it wasn’t. The attachment data was for somebody I had never met.

We have a tendency to compare the worst case scenario of e-health privacy with the best case scenario of the current system. We all know that it isn’t the case as my example above shows.

Good information security will also help protect healthcare organisations from fraud. Fraud is estimated to be a USD60 Billion impost on US hospitals. Methods that are being used by fraudsters include

  • Diversion of fee revenue
  • Diversion of controlled items (eg drugs)
  • Collusion with suppliers; and
  • Diversion of accounts receivable.

The same methods are being used in medical practices, albeit on a smaller scale.

What to do

A holistic approach is needed. We have worked with a number of medical practices to implement the key elements of the information security standard ISO 27000. This ensures that the practice has a risk based approach which mitigates threats based on real world experience of consequence and likelihood. Working with practice owners and stakeholders, we determine tolerance to information risk and work with them to implement controls which make sense and meet any regulatory requirements.

If you think this is something your organisation needs, please contact us at [email protected]

Privacy, public surveillance, terrorism

Is Privacy overrated, or should we just think about it in a more balanced way?

Richard Posner (US Judge) in an opinion piece in the NY Times has responded to NY Mayor Bloomberg’s view that there should be a more welcoming attitude towards surveillance cameras.  Bloomberg argues that the US Constitution should be changed to allow more surveillance. Posner makes a good point about Surveillance use in public spaces.

It seems likely that if the Boston bombers hadn’t been caught soon, they would have continued their killing, whether in Boston or NY, only they can say definitively.

surveillance cameras by Jonathan Mcintosh
Surveillance cameras in NY – Photo by Jonathan Mcintosh – http://www.flickr.com/photos/jonathanmcintosh/

I think most people can accept that surveillance cameras should be used in public spaces. They may also be contributing to a general decrease in lawlessness in public spaces, especially in the UK where there are apparently up to 4 million. The question in my mind is always about what is done with the footage. I have fewer problems personally with government agency use of surveillance in a society where somebody watches the watchers than the use by ‘marketers’ of surveillance in shops and ‘semi-private’ places.

The argument against surveillance cameras being linked up is always the fallacy of the slippery slope. I suspect we should all just get used to being watched in public.

In any case, it is probably time for politicians in democratic countries to “Suck it up” and have an honest conversation with the public about privacy, both online and offline.

PS – Of course, when Google glass becomes a mass market item, your life and mine will be 720p movies for ourselves and other people. We won’t say, remember when you were “insert embarrassing event”, we’ll just play it from the memory…. Maybe Minority Report wasn’t so wrong after all – even if Tom Cruise starred. 🙂

 

 

Cyber threat, vulnerability and consequence trends 2013

I was asked to give a snapshot about what I thought the big risks for organisations were likely to be in the cyber world in 2013. Below are eight trends that I think are more likely than not to be important in the next twelve months.

1 Boards continue to struggle to consider cyber risks in a holistic manner

With the exception of technology based companies, most government and private sector boards lack directors with a good understanding of their cyber risks. However all organisations are becoming more dependent on electronic information and commerce. This brings with it both opportunities and threats which are not well understood by boards. Good risk management depends on the board setting the risk tolerance for the organisation. Risk and reward are two sides of the same coin.

Senior Management must create a culture where they acknowledge that cyber risk is evolving and encourage sharing of incident information with trusted partners in government, police, industry and with their service providers. Moreover, if boards see problems in sharing information, they should lobby governments to  improve the conditions for sharing.

2 BYOD goes ballistic – deperimeterisation is forced upon organisations, even when they aren’t ready.

Many organisations are in denial about the threat that ‘bring your own device’ (BYOD) policies make them bear.  Together BYOD and Cloud technologies will force deperimeterisation on organisations. The pressure will come from primarily within as their profit centres demand more connectivity to develop new and rapidly changing business relationships.

In the long-term, this is likely to be positive because it will drive down costs and increase flexibility for organisations. But only the resilient will survive the transition. Even resilient organisations will not go through this deperimeterisation unchanged. This process is likely to cause rude shocks for those organisations  and their boards that are not prepared and do not invest prudently in technology and more importantly people to transition smoothly.

3 Attacks that intentionally destroy data

The other threat which may arise is where the attacker intentionally destroys data, usually after stealing it.  This may be as an act of protest by an issue motivated group, the opposite of Wikileaks if you think of it. Or, it could be undertaken by organised crime  against either government agencies or business. Attacks of this nature could cripple many organisations that do not have hot-backup, even then the question of data integrity comes into play. Boards will need to think carefully about the ‘three cornered stool’ of confidentiality, integrity and availability’ relative to their organisations.

Ransomware, where data is encrypted by an attacker to become inaccessible to the owner until a ransom is paid will increase. However, the problem is likely to remain primarily at the home user and SME level. This is less due to technical difficulties with the attacks and more because of the standard problem for such scams – how to extract money when the authorities have been alerted and are on the hunt. Technologies such as Bitcoin will find increasing use here.

4 More sophisticated attacks by organised crime and nation states.

Here’s an easy one. I am more certain of this prediction than any of the others. We are in a cyber arms race between the attackers and the defenders. The advantage currently lies with the attackers. Since the possibility of an international agreement to curb cyberattacks is negligible as per my cyber law of the sea post, I see no let up in 2013.

5 Privacy continues to increase as a concern for governments in most western countries

In Australia, the Parliament passed the Privacy Amendment (Enhancing Privacy Protection) Bill 2012  in November, tightening the Commonwealth Privacy Act 1988, which applies to Commonwealth agencies and private sector organisations. A summary of the changes are here.

In the same month, the European Network and Information Security Agency (ENISA) published a report about the right to be forgotten. This report proposes a regulation that would allow a European citizen to have their personal data destroyed on request unless there were legitimate grounds for retention.

Large multinationals, like Facebook are going to continue to face scrutiny by privacy advocates and governments around the world about the data that they collect and mine. The new version of Microsoft Internet Explorer set a cat among the pigeons when it was shipped with the ‘do not track’ setting on by default.  The Digital Advertising Alliance issued a statement that “Machine-driven do not track does not represent user choice; it represents browser-manufacturer choice”.

It will be interesting to see who wins. Consumers have shown themselves to be willing to choose services which commercialise their information in return for real value. The key here is choice.

6 Failure by government to protect private sector organisations causes more of them to create CERTs

In a number of countries national Computer Emergency Response Teams have been created with much fanfare with the aim to share information between government and industry about the threats to the critical infrastructure. In general it hasn’t worked well. Western economies are dependent on infrastructure that is primarily in the hands of private enterprise, so all the players understand that neither government, nor industry can ‘solve cyber’ on their own. In a federal system like Australia or the US, the problem is exponentially harder.

At its heart, the problem is not technical, it is trust. Security and law enforcement have long come to the CERTs with their hands out asking for information, but unwilling to share what they knew about. Industry doesn’t trust government or their competitors. Meanwhile, the attackers make hay.

In a similar way to international negotiations, when multilateral agreements fail, bilateral ones can take their place (messily). Increasingly we are likely to see technology dependent organisations setting up their own CERTs and working at the technical level with like organisations, at the same time, bypassing central government CERTs and inward focussed intelligence organisations.

7 Organisations start to concern themselves more with cyber-dependencies

Organisations have long understood in the physical world that if their supply chain is attacked or degraded, then their ability to function is impeded. Without wheels from factory A, factory B can’t assemble cars.  Therefore Factory B is keen to ensure that Factory A survives, but it’s also keen to make sure that the tyres from Factory A don’t cause car accidents. A company’s dependencies do not stop at their front door.

This principle needs to be extended actively into the cyber space. Most organisations do not develop all their technology in house. Vulnerabilities in hardware and software operated by their suppliers are of prime importance. Defence companies have long needed to take this account, but this thinking will expand to more parts of the economy.

8 Developing trusted identities continue to challenge governments and organisations

With deperimeterisation upon us, organisations must assume that attackers can enter their networks. Only through good identity and access management can an organisation potentially protect itself.  My post, Trusted Identity – a primer  took a longer look at this trend.

If an organisation has no perimeter, it becomes impossible to work out who should access what, if there is not a good identity system in place. Governments are realising the same. Essentially if they are to provide the services that their citizens want, then they have to have ways of identifying for certain what those citizens are entitled to.

In 2013, we will see some results from the US efforts (NSTIC) to pilot programs to develop trusted identities. Business is taking a big part in this, with leadership from the likes of Paypal.

In Australia, there are varying signals coming from the Commonwealth Government. E-Health is moving forward, albeit slowly, and so is online Service Delivery Reform which will also depend on identity at its core. There has not been much news of late about the Cyber white paper, which was due in the second half of 2012.

 

Pizza Hut Australia got hacked – what they did right!

Last week Pizza Hut Australia admitted that its cyber-defences had been breached. Unfortunately the attackers did get hold of customers’ names and addresses. Technically it seems that Pizza Hut didn’t get breached, but the website providers who host their site did.

From a privacy perspective, its time to use the ‘pub’ test, That is – what would your level of unhappiness be if the world knew that you liked the meatlover’s supreme with extra cheese and lived at 32 Rosegardens Road, Morphett Vale? I think not very high. The important thing is that the company claims credit card details didn’t get stolen.

Pizza – not Pizza Hut

My sources tell me that the hackers didn’t get credit card details because this information is held in a separate and better-protected database by a specialised payment gateway. I hope they’re right!

There are a couple of important lessons for organisations to learn from this breach. Firstly by developing granular controls that separate data by its value and what it was used for, organisations like Pizza Hut can develop protocols for their security that give the best mix of data availability and confidentiality. As an example, there are far more parts of the business that benefit from knowing where customers live and who they are than need the credit details. If the data isn’t separated, the organisation can’t make the best use of the data and ensure security at the same time – they have to do one or other. But with granular controls, the marketing department can use addresses and telephone numbers to plan promotions and the planning department can work out where to open the next store, but they don’t need to know credit card details.

The other point is about risk transfer. Although transferring risk to a third-party is an acceptable mitigation according to the risk management standard ISO31000, organisational reputation can’t be transferred. If your company wants to keep its good name when it gets hacked, it needs to have thought about recovery and restoration. Blaming the web provider won’t cut it with customers if your organisation is anything bigger than the local fish and chippery. Generally, the larger the company, the bigger the reputation; more so for .gov

There has been a gradual, but definite change in the way that cybersecurity professionals talk about breaches. Until around 2001, people talked about the possibility of being breached online. Now this has changed from ‘if you get breached’ to ‘when you get breached’.

Essentially, if information is available on Internet facing systems, then it is more a matter of time and luck as to when your system gets done over. This is something security professionals need to communicate with the senior management of the organisation.

For Pizza Hut, this recent event will probably contribute to its longevity and improve its resilience. Research is showing that organisations that undergo small shocks are more ready for the black swans of the future.

However, they should not rest on their laurels, in the aftermath of any breach, an organisation needs to examine how to reduce the risk of further breaches. Some of the questions I ask in such situations are (in no particular order):

  • Does the organisation need to think further about the balance between confidentiality of personal information and the availability to internet facing systems.
  • From a marketing and public relations perspective is the organisation talking to its customers to show that the organisation is taking their personal information seriously;
  • What changes does the organisation need to make in terms of digital evidence gathering – was this adequate enough to deter future attacks – in the long term the rule of law is the only way to reduce the power of the attackers;
  • Did the organisation understand how to respond to the breach, does this need regular exercising;
  • Was there an ageed direction from senior management in the event of a breach, so that the technical staff could ‘get on with the job’ as quickly as possible;
  • Are the relationships with service providers adequate, were the levels of service and measures taken to recover sufficient.

It is important to recognise that the best value gains for the organisation come not from IT changes like forensics, but business process rearrangement.

Online trusted identities – a primer

“Trust is the currency of the new economy”

You may have heard recently about the efforts being promoted by the USA and Australia amongst others to promote trusted online identities. There are also significant efforts in the private sector to develop online trust systems.

Trust will be the currency of the new economy as it was in the mediaeval village. During the late 19th and early 20th Century, formal identity credentials gradually replaced more informal systems of identifying people that we interacted with. Increasing population and technology drove this change. It was simply impossible to know everybody that you might deal with and so societies began to rely on commonly used credentials such as drivers’ licences to prove identity and ‘place’ in society. Of course, drivers’ licences don’t say much if anything about reputation. But if you think about  high value financial transactions you establish your identity and then you give a mechanism to pay for the transaction. Although in most cases it wouldn’t matter who you are, it gives the vendor some comfort that the name on your driver’s licence is the same as on your credit card and makes it just that bit more difficult to commit fraud on the vendor if the credit card isn’t legit. However this isn’t the case with interbank lending. Most of this is done on a trust basis within the ‘club’ of banks and it is only at a later time that the financials are tallied up for the day.

You can’t trust who or what is on the other end of the keyboard just because of what they say

What is a trusted ID?

Most simply, trusted online identity systems are the online equivalent of a physical credential such as a drivers’ licence used to give evidence of identity online. They can (but don’t have to) also be the basis for online reputation. They may also say something about the rights of the credential holder, such as that they are a resident in a particular country.

Which countries are developing trusted identity systems

The program in the USA is called NSTIC – National Strategy for Trusted Identities in Cyberspace. In Australia, the Prime Ministers’ department has been investigating the possibility of a trusted identity system as part of its work on a cyber policy paper which was due to be released ‘early in 2012’. At the same time, Australia has undertaken a number of processes of service delivery reform, government 2.0 and e-health. All without necessarily solving the problem of identifying whom they are dealing with online. The USA has gone beyond the planning stage and announced that it will move forward on development. As I mentioned recently. NIST has announced grants for pilot projects in NSTIC.

Some countries have already implemented online identity systems simply by migrating their physical identity cards online and allowing these to be used as trusted online systems. A number of Asian countries including Malaysia, Hong Kong and Singapore have proportions of their online services available through such means. Estonia probably leads the world in online service delivery with around 90% of the population having access to an online ID card and around 98% of banking transactions being via the Internet. More information at the Estonia EU website. While NSTIC was issued by the USA government, it calls for the private sector to lead the development of an Identity Ecosystem that can replace passwords, allow people to prove online that they are who they claim to be, and enhance privacy.  A tall order which runs the risk of creating an oligopoly of identity systems driven by corporate interests and not one which suits users. It may be a signal of things to come that Citibank and Paypal have recently been accepted to lead development of the NSTIC. There are also a number of private sector initiatives which come at the issue from a different perspective. Beyond Paypal, Google Wallet and the recently announced Apple Passbook are interesting initiatives which give some of the attributes of a trusted identity.

Why might we want one?

As more services go online from both government and business and more people want to use them there will be an increased demand for a way of proving who you are online without having to repeat the process separately with each service provider. In some ways this is already happening when we use PayPal to buy products not only on eBay, where it originated but also on Wiggle.co.uk and many others. The problem is that different services need different levels of trust between the vendor and the purchaser. Thinking about a transaction in terms of risk… The majority of private sector transactions online carry equal risk for both the vendor and customer. In that the customer risks that he or she won’t get a product or service from the transaction and the vendor risks that they won’t get the cash. Here online escrow services such as Transpact, or PayPal can help.

Where this doesn’t work well is where there complexity to the transaction.  The banking or government services sector are key areas where this is the case. Here the vendor must know their customer. One area might be analysing whether a customer can pay for a service on credit. Another is in applying for a passport, you need to prove that you are a citizen and pay a fee. However, the intrinsic value of the passport is far greater than the face value, as shown by the black market price. The result to the government if it issues the passport to the wrong person is not the value of the nominal fee, but closer to the black market value of the passport.

As a result, we are at an impasse online, in order for more ‘high trust’ services to go online the community has to have more trust that people are who they say they are.

Who might need a trusted identity?

If you take the Estonian example, 90% of the population. Most of us carry around some form of identity on our persons that we can present if required. In some countries, it’s the law that a citizen must carry their identity card around with them. In Australia and Canada and other countries, it’s a bit more relaxed. In the end the question will be whether a trusted id is used by customers and required by vendors. This will be influenced by whether there are alternative ways of conveying trust between people and institutions which are independent of the concept of identity in the traditional sense of the word

Next time:

What are the security and safety implications of a trusted identity and a discussion of about social footprint and whether this may overtake government efforts

 

He has shifty eyes, but at least we know who he is

A legislative approach that defines as ‘sensitive’ any  biometric measurement shows a lack of common sense and understanding of the science.

A better approach would be to protect those aspects of sensitive personal information  (eg sexuality, political opinion, racial / ethnic origin) collected by any means, making legislation independent of technology.

An interesting paper was published in the most recent International Journal of Biometrics. Finnish scientists have developed a biometric measure using saccade eye movements. Saccade eye movements are the involuntary eye movements when both eyes move quickly in one direction. Using a video camera to record movement, this biometric measure can be highly correlated to an individual.

What is important is that there are large numbers of these life (bio) measurements (metrics) being discovered as scientists look more closely at human physiology and behaviour.

The use of biometric identification technologies sees biometric information (eg eye movement) converted into a series of digits (a hash), which can be statistically compared against another series of digits that have been previously collected during the enrolment of an individual to use a system (eg building access control). A biometric ‘match’ is a comparison of the number derived from the collection of a biometric during enrolment with the number that is elicited during verification. In the real world, these ‘numbers’ are nearly always slightly different. The challenge is to make a system able to allow an individual to get a match when he/she seeks verification and to ensure that the bad guy is repelled.

Generally speaking, biometric identity systems are not primarily designed to determine information that might be used to elicit sensitive personal information. Nor is it practical to reverse-engineer the biometric because of the intentional use of one-way mathematical functions and the degradation of data quantity collected. This means that one person would be hard pressed to elicit any information that might be used to discriminate against another with access to this series of digits.

The word ‘biometric’ seems to send shivers down the spines of some privacy advocates. I suggest it is because most, if not all, are not scientists but lawyers. But these biometric systems  are just the current technology. Many critics of biometrics forget that like any tool, it depends on how it is used. The old saying that fire is a ‘good servant, but a bad master’ is equally true of biometrics.

What seems lacking in common sense is that legislation in several countries (including in Australia) puts up a barrier for the use of biometrics for purposes that protect the privacy and safety of people and organisations.

The information that a biometric collects is not necessarily sensitive information –I don’t really care if you know how often I blink. In fact, a photo of me is more likely to give you information about me that I am sensitive about.

The danger with this approach is that people focus on the technology being ‘bad’ and not on the fact that it is the sensitive information which is potentially harmful.  Biometrics can be privacy enhancing, particularly as they can add additional layers to securing claims about identity and be used to protect individuals and organisations from becoming victims of identity fraud.

Disaggregating biometrics from ‘sensitive information’ and considering technology on the basis of what (sensitive information – gender, medical information, religious affiliation etc) it collects about an individual would more appropriately provides a course of protecting personal information. This of course would avoid stifling the practical application of technology.

 

The journal article can be found here

Martti Juhola et al. Biometric verification of subjects using saccade eye movementsInternational Journal of Biometrics, 2012, 4, 317-337

 

Back To Top