12.
Case Studies of Security & Privacy
So, two informaticians walk into a bar...
The bouncer says, "What's the password."
One says, "Password?"
The bouncer lets them in.
Credits: @RossMartin & AMIA (2012)
14.
Case Studies of Security & Privacy
http://www.healthcareitnews.com/news/more-half-hospitals-hit-ransomware-last-12-months
15.
Case Studies of Security & Privacy
http://news.mthai.com/hot-news/world-news/453842.html
16.
Case Studies of Security & Privacy
http://pantip.com/topic/33678081
https://www.facebook.com/photo.php?fbid=971229119583658&set=a.379576565415586.90794.100000897364762&type=1&theater
17.
Case Studies of Security & Privacy
http://www.matichon.co.th/news_detail.php?newsid=1429341430
18.
Case Studies of Security & Privacy
http://manager.co.th/Entertainment/ViewNews.aspx?NewsID=9580000076405
19.
What Do We See from These Case Studies?
• Most incidents are about privacy rather than security: people are the “weakest link”
• Security attacks are usually basic attacks rather than advanced, sophisticated attacks
• Insider threats and user ignorance are very important issues
20.
Common Security Pitfalls in Healthcare
• User Security
Poor user awareness
Weak passwords
Written passwords
Unexpired passwords
Weak authentication/access controls
No “Principle of Least Privilege”
21.
Common Security Pitfalls in Healthcare
• System Security
Unpatched servers & clients
Legacy systems
Lack of adequate anti-malware protections
Inadequate redundancies & backups
No honeypots
22.
Common Security Pitfalls in Healthcare
• Software Security
Customized software
No “Security by Design”
Poor software testing & SDLC quality controls
Most likely weaknesses: invalid input, XSS, SQL injection, poor exception handling
Lack of medical device security regulations
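Three of the software weaknesses named on this slide (invalid input, SQL injection, poor exception handling) shown side by side in a patient-record lookup, the vulnerable form next to the hardened one. This is an added example, not from the slides: the patient table, the "HN" plus four digits hospital-number format and the use of sqlite3 are constructed assumptions.

```python
import re
import sqlite3

# Constructed in-memory stand-in for a clinical information system's patient table.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient (hn TEXT PRIMARY KEY, name TEXT, diagnosis TEXT)")
    conn.executemany("INSERT INTO patient VALUES (?, ?, ?)", [
        ("HN0001", "Patient A", "diagnosis A"),   # sample rows, not real data
        ("HN0002", "Patient B", "diagnosis B"),
    ])
    return conn

def lookup_unsafe(conn, hn):
    # Pitfall 1: the hospital number is never validated.
    # Pitfall 2: it is concatenated straight into the SQL text (SQL injection).
    # Pitfall 3: a bare except swallows every error, so failures are invisible
    #            to operators and an attacker gets silent, unlogged retries.
    try:
        sql = f"SELECT hn, name FROM patient WHERE hn = '{hn}'"
        return [row[0] for row in conn.execute(sql).fetchall()]
    except Exception:
        return []

# Assumed (hypothetical) hospital-number format: "HN" followed by four digits.
HN_PATTERN = re.compile(r"HN\d{4}")

class InvalidHospitalNumber(ValueError):
    """Raised when a lookup is requested for a malformed hospital number."""

def is_valid_hn(hn):
    # Allow-list validation: reject anything that is not exactly HNdddd.
    return HN_PATTERN.fullmatch(hn) is not None

def lookup_safe(conn, hn):
    # Hardened form: validate first, bind the value as a parameter so the
    # driver never treats it as SQL, and raise a precise exception that the
    # caller can log and audit instead of hiding it.
    if not is_valid_hn(hn):
        raise InvalidHospitalNumber(f"rejected lookup for malformed hospital number {hn!r}")
    rows = conn.execute("SELECT hn, name FROM patient WHERE hn = ?", (hn,)).fetchall()
    return [row[0] for row in rows]
```

A tautology such as `' OR '1'='1` makes `lookup_unsafe` return every patient, while `lookup_safe` rejects the same string before any query runs.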
24.
Why Does Healthcare Lag Behind?
• IT & IT security are not the industry’s strengths
• Many people to deal with (and to train in security awareness)
• Lack of awareness among executives, users, and almost everyone
• Underestimated risks
• IT often perceived as a “barrier” to patient care
25.
Moving Forward
• Create networks of cybersecurity people in healthcare
• Build capacity on security & privacy
• Use case studies as lessons
• Link security & privacy with bioethics
Autonomy (Patient’s rights)
Beneficence (Benefits to the patient)
Non-maleficence (“First, do no harm”)
26.
...
What I may see or hear in the course of treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep myself holding such things shameful to be spoken about.
...
Hippocratic Oath
http://en.wikipedia.org/wiki/Hippocratic_Oath
30.
Moving Forward
• Survey security practices in healthcare
• Engage with vendors & policymakers
• Establish a security framework for healthcare-specific technologies: medical devices, clinical information systems
• Revise health information privacy laws for better clarity and to foster trust