Consumer Health Informatics, Mobile Health, and Social Media for Health: Part...
The Real World for Health Records Security, Privacy & Confidentiality
1. The Real World for Health Records
Security, Privacy & Confidentiality
Nawanan Theera-Ampornpunt, M.D.
Faculty of Medicine Ramathibodi Hospital, Mahidol University
27 April 2017 (B.E. 2560) | SlideShare.net/Nawanan
Slide 11
Case Studies of Security & Privacy
So, two informaticians walk into a bar...
The bouncer says, "What's the password?"
One says, "Password?"
The bouncer lets them in.
Credits: @RossMartin & AMIA (2012)
Slide 20
Common Security Pitfalls in Healthcare
• User Security
  - Poor user awareness
  - Weak passwords
  - Written-down passwords
  - Passwords that never expire
  - Weak authentication and access controls
  - No “Principle of Least Privilege”
Slide 21
Common Security Pitfalls in Healthcare
• System Security
  - Unpatched servers & clients
  - Legacy systems
  - Lack of adequate anti-malware protections
  - Inadequate redundancies & backups
  - No honeypots
Slide 22
Common Security Pitfalls in Healthcare
• Software Security
  - Customized software
  - No “Security by Design”
  - Poor software testing & SDLC quality controls
  - Most likely weaknesses: unvalidated input, XSS, SQL injection, poor exception handling
  - Lack of medical device security regulations
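The weakness classes the slide names (unvalidated input, SQL injection, XSS, poor exception handling) shown side by side in one small patient-lookup handler, each pitfall next to its fix. This is an added example and is not code from the original slides or the presenter; the patient table, the sample rows and the assumed hospital-number format ("HN" followed by four digits) are constructed for the example.

```python
import html
import re
import sqlite3

# Constructed sample data for the example (not from the slides): a tiny
# patient table with one row whose name carries a script tag, to show XSS.
SAMPLE_ROWS = [
    ("HN0001", "Patient A", "Hypertension"),
    ("HN0002", "Patient B", "Diabetes"),
    ("HN0003", "<script>alert(1)</script>", "Test record"),
]

# Assumed hospital-number format for the example: "HN" plus four digits.
HN_PATTERN = re.compile(r"HN\d{4}")


def make_db():
    """In-memory SQLite database holding the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE patients (hn TEXT PRIMARY KEY, name TEXT, diagnosis TEXT)")
    con.executemany("INSERT INTO patients VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con


# --- Pitfall 1: SQL injection via string-built queries --------------------

def lookup_vulnerable(con, hn):
    # The caller-supplied value is pasted into the SQL text, so
    # hn = "x' OR '1'='1" turns a single-patient lookup into a full dump.
    sql = f"SELECT hn, name, diagnosis FROM patients WHERE hn = '{hn}'"
    return con.execute(sql).fetchall()


def lookup_parameterized(con, hn):
    # Fix: bind the value as a parameter; the driver never treats it as SQL.
    sql = "SELECT hn, name, diagnosis FROM patients WHERE hn = ?"
    return con.execute(sql, (hn,)).fetchall()


# --- Pitfall 2: unvalidated input ------------------------------------------

def lookup_hardened(con, hn):
    # Fix: reject anything that is not a well-formed hospital number before
    # it reaches the database, then use the parameterized query.
    if not HN_PATTERN.fullmatch(hn):
        raise ValueError("malformed hospital number")
    return lookup_parameterized(con, hn)


# --- Pitfall 3: XSS via unescaped output -----------------------------------

def render_row_vulnerable(row):
    # Database content is written straight into HTML, so a stored name such
    # as "<script>alert(1)</script>" runs in every clinician's browser.
    hn, name, diagnosis = row
    return f"<tr><td>{hn}</td><td>{name}</td><td>{diagnosis}</td></tr>"


def render_row_hardened(row):
    # Fix: HTML-escape every cell on output.
    return "<tr>" + "".join(f"<td>{html.escape(str(cell))}</td>" for cell in row) + "</tr>"


# --- Pitfall 4: exception handling that leaks internals --------------------

def handle_request_vulnerable(con, hn):
    """Return (status, body) for a lookup; the error branch echoes the exception."""
    try:
        rows = lookup_vulnerable(con, hn)
    except Exception as exc:
        # Leaks the database error text (and with it, query structure) to the client.
        return 500, f"Error: {exc}"
    return 200, "".join(render_row_vulnerable(r) for r in rows)


def handle_request_hardened(con, hn):
    """Return (status, body); errors are mapped to generic client messages."""
    try:
        rows = lookup_hardened(con, hn)
    except ValueError:
        return 400, "Bad request"
    except sqlite3.Error:
        # In a real service the exception would be logged server-side here;
        # the client only ever sees the generic message.
        return 500, "Internal error"
    return 200, "".join(render_row_hardened(r) for r in rows)


if __name__ == "__main__":
    db = make_db()
    print(handle_request_vulnerable(db, "x' OR '1'='1"))  # dumps every row
    print(handle_request_hardened(db, "x' OR '1'='1"))    # (400, 'Bad request')
    print(handle_request_vulnerable(db, "x'"))            # leaks the SQLite error text
    print(handle_request_hardened(db, "HN0003"))          # script tag escaped
```

The input check and the parameterized query are deliberately separate layers: validation stops malformed identifiers early and gives a clean 400, while parameter binding is what actually prevents injection even for a field whose format cannot be pinned down so tightly.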
Slide 24
Why Does Healthcare Lag Behind?
• IT & IT security are not the industry’s strengths
• Many people to deal with (and to train in security awareness)
• Lack of awareness among executives, users, and almost everyone
• Underestimated risks
• IT often perceived as a “barrier” to patient care
Slide 28
Moving Forward
• Create networks of cybersecurity people in healthcare
• Build capacity in security & privacy
• Use case studies as lessons
• Link security & privacy with bioethics
  - Autonomy (patient’s rights)
  - Beneficence (benefits to the patient)
  - Non-maleficence (“First, do no harm”)
Slide 29
Hippocratic Oath
"... What I may see or hear in the course of treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep myself holding such things shameful to be spoken about. ..."
http://en.wikipedia.org/wiki/Hippocratic_Oath
Slide 33
Moving Forward
• Survey security practices in healthcare
• Engage with vendors & policymakers
• Establish a security framework for healthcare-specific technologies: medical devices, clinical information systems
• Apply security standards (with sensibility)
• Revise health information privacy laws for better clarity and to foster trust
Slide 34
My Last Thought
Let’s Connect & Share (Health Information), While Respecting Patients’ Rights and Taking Care!