Ahmed Al Barrak - Staff information security practices - a latent threat
1. The 3rd Kuwait Infosecurity Conference
Staff Information Security Practices: a latent threat
Dr. Ahmed Albarrak
Associate Professor of Medical Informatics,
Chairman, Medical Informatics Dept.
Director, E-learning and Knowledge Management
College of Medicine, King Saud University
ksuahmed@yahoo.com
albarrak@ksu.edu.sa
2. Agenda
• Introduction
• Security threats
• User behaviors
• International findings in security threats
• Security study
– Objectives
– Methods and settings
– Results
• Conclusions and recommendations
3. Introduction
• Information security is a permanent challenge for any organization, especially governmental, health and academic organizations.
• While the risk of external threats can be assessed and accounted for by intrusion detection and other relevant tools,
• insider threats are difficult to detect and manage, because they primarily emerge from the malicious practices of authorized users.
4. Introduction
• The enforcement of strict information security policies has therefore become one of the top priorities for organizations to protect data against hacking and unauthorized access.
• It is well understood that technology alone cannot provide all aspects of information security required by any organization.
• Technology can help in preventing security threats and breaches of security in the organization's infrastructure, computer system security compromises, and insecure transmission of information.
5. Introduction
• But it has little or no effect in cases where unwanted disclosure of information takes place in other ways, such as acts of disloyal employees.
• Because user threats are latent and cannot easily be detected by ordinary intrusion detection or access control mechanisms, and because user behaviour is not consistent across organizations, this issue has become the subject of much research and investigation.
6. Introduction
• Information security, privacy and confidentiality of patients' data in the healthcare work environment should not be regarded as only policies, procedures and practices.
• Information security includes culture and mores, and should be considered part of the healthcare process and of medical ethics.
• Information security of healthcare systems is particularly vital due to the sensitive nature of the information stored in these systems, as well as the cost associated with the loss of patients' data.
7. Introduction
• The loss of sensitive patients' or students' data may cause huge damage to the organization's reputation.
• It can reduce customer confidence, undermine the organization's reliability and jeopardize its competitiveness in the market.
• In some cases it can even result in legal consequences, fines and penalties.
8. Security threats
• Information damage might take place in many forms, such as:
– intrusion into the systems,
– theft of organization data,
– fraudulent use of data,
– defacement of organizational websites,
– other forms of information loss or damage.
Such damage is caused by hackers and virus writers as well as AUTHORIZED users.
9. Information security and user behavior
• Organizations sometimes consider information security as something that can be achieved only by enhanced technologies (such as firewalls and intrusion detection software) and well trained IT personnel,
• while ignoring, or giving little attention to, the role of the systems' users, who represent a critical factor in the implementation and protection of systems and data security.
10. Information security and user behavior
• The utilization of IT in healthcare delivery, where services are provided by multidisciplinary teams of healthcare professionals and trainees in a shared environment, has been accompanied by several challenges and threats related to the privacy and confidentiality of patients' information. (Lekkas, 2007)
• The breach of electronic patients' information is particularly associated with unbearably high loss. It does not only lead to financial losses, but may also threaten patients' safety and jeopardize their lives.
11. International findings in security threats
• In a study by North (2006) of 465 students at Clark Atlanta University,
– 23% of students replied that they have used other people's computers without authorization.
• In research conducted by CISCO in 2008 with 2000 users in 10 countries,
– at least one of every 3 employees leaves their computer logged on and unlocked when they are away from their desk to take lunch or go home after working hours.
12. International findings in security threats
• In a survey of 381 employees of a medium sized public sector agency,
– 16% of the respondents shared passwords with other people. (Woodhouse 2007)
• In a survey study of students on password practices and attitudes, it was found that
– 22% of respondents share their webmail password with others. (Hart 2008)
– A similar conclusion was also reported by CISCO (2008): 18% of the surveyed employees share passwords with co-workers.
13. International findings in security threats
• Research and studies have shown that users are generally reluctant to change their passwords as well. In a survey given to university students at Plattsburgh about their attitudes and practices regarding passwords,
– over 80% of them rarely change their password. (Hart 2008)
– Comparable results were reported in a study by Stanton et al.: 23% of the employees surveyed sometimes disclose their passwords to colleagues and staff members. (Stanton et al. 2004)
14. International findings in security threats
• A system that is totally secure from a technical point of view can become totally insecure through the users' malpractices. (Bardram 2005)
• Promoting a security culture that complies with security policies, and raising end-user awareness of security issues through education, are the best practices to reduce security threats in the workplace environment. (D'Arcy 2007)
15. Security study
• A study examined breaches of information security originating from staff malpractices at KSU College of Medicine and two University Hospitals.
The objectives of the study were:
• to assess, evaluate and analyze the security behavior of users at King Saud University Hospitals, Riyadh, Saudi Arabia,
• to examine whether such behavior differs across employee categories.
17. Results
• In total, 554 questionnaires were completed, on which the analysis was based.
• Demographics:
– 73% females, 27% males
– Saudis constituted 18%
– age (40 +/- 0.5 yrs; mean +/- SE)
– period of employment at the hospitals (7 +/- 0.3 yrs; mean +/- SE)
– time since the employee started using the hospital IT system (6 +/- 0.2 yrs; mean +/- SE)
18. Results
Respondents were distributed between professions as follows:
• 62 physicians (consultants, specialists and general practitioners),
• 49 administrative staff,
• 354 nursing staff,
• 84 allied health staff (laboratory, x-ray and other technicians).
19. Results
Respondents (users) access the hospital IT system to perform at least one of the following tasks:
• viewing and editing medical records and accessing the hospital information system (HIS) (47%),
• investigating laboratory results (LAB system) (15%),
• retrieving x-rays (22%),
• internet and e-mail services (15%).
20. • 81% of hospital staff use shared computers, and the proportion of nursing and allied health staff using shared computers is significantly higher than in other job categories.
[Pie chart: personal 19%, shared 81%]
21. Working environment (shared work stations)
[Bar chart: percentage of Personal vs Shared workstation use by job category (Physicians, Administrative, Nursing, Allied health staff)]
22. • 16% of respondents do not sign out of applications after working sessions.
• Older employees tend to be more aware of such a practice than their younger counterparts (p=0.01).
• Communication of passwords between office mates and friends was reported by 27% of respondents. It is more frequent among females than among males (p=0.0001), and higher among nursing staff than other job categories (p=0.0001).
23. • The practice of NOT changing the password after it became known to unauthorized persons was stated by 45% of participants.
• Males are doing significantly better than females concerning this habit.
• Nursing staff appear to be the least aware group about changing their passwords when released to others, compared with any other group of staff (p=0.0001).
24. • 70% of respondents had never changed their default system generated passwords. This practice is also more frequent among females compared to males, and among nursing staff compared to other professions.
[Pie chart: Changing the password after first being generated by administrator: yes 30%, no 70%]
27. Parameter | Response | No. | %
Use of personal or shared computer | Personal | 99 | 19
Use of personal or shared computer | Shared | 418 | 81
Logging off the application after work sessions | yes | 448 | 84
Logging off the application after work sessions | no | 83 | 16
Allowing others to use the account without giving them the password | yes | 213 | 40
Allowing others to use the account without giving them the password | no | 317 | 60
Allowing office mates and friends to know the password | yes | 145 | 27
Allowing office mates and friends to know the password | no | 394 | 73
Changing the password after being known to other people | yes | 290 | 55
Changing the password after being known to other people | no | 240 | 45
Changing the password after first being generated by administrator | yes | 158 | 30
Changing the password after first being generated by administrator | no | 370 | 70
29. Changing the password after being known to others
[Bar chart: percentage of Yes vs No responses by job category (Physicians, Administrative, Nursing, Allied health staff)]
31. Findings
• Although sharing of workstations is not a user choice, and is more likely attributable to the nature of the hospital or work environment, it represents a latent security threat.
• It can be argued that compliance with security policies and procedures is much harder in a multiuser shared environment than in places where each user logs in to a dedicated personal computer.
• In such a multiuser environment, the security practice and awareness of users constitute the first line of defense to safeguard patient data.
32. Findings
• Studies have shown that users are generally reluctant to change their passwords.
• Users should be initiated and encouraged to change their passwords whenever, for any reason, they are felt to have become unsafe.
• Change of password, as a precautionary security measure, is highly recommended mainly in three situations: after being issued by the system administrator, after feeling that it was known by others, and at regular time intervals.
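The three situations named above can be turned into an automated check rather than left to user memory. The following is an added example, not code from the presentation or from the hospitals' systems: it audits constructed account records against the three rules (administrator-issued password never changed, password not changed after a reported exposure, password older than a rotation interval). The account fields, the 90-day interval and the sample accounts are assumptions made for illustration.

```python
"""Password-lifecycle audit for the three situations named on the slide.

Added example, not part of the presentation or of any hospital system.
The account fields, the 90-day rotation interval and the sample accounts
are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed rotation interval for "after every regular time interval".
MAX_PASSWORD_AGE = timedelta(days=90)


@dataclass
class Account:
    username: str
    created_on: date                              # day the administrator issued the account
    password_set_on: date                         # day the current password was set
    exposure_reported_on: Optional[date] = None   # day the user reported it as known to others


def check_account(acct: Account, today: date) -> List[str]:
    """Return the policy violations for one account; an empty list means compliant."""
    findings: List[str] = []
    # Situation 1: the administrator-generated password was never changed.
    if acct.password_set_on <= acct.created_on:
        findings.append("default password never changed")
    # Situation 2: the password was reported as known to others but not changed afterwards.
    if acct.exposure_reported_on is not None and acct.password_set_on <= acct.exposure_reported_on:
        findings.append("not changed after reported exposure")
    # Situation 3: the password is older than the rotation interval.
    if today - acct.password_set_on > MAX_PASSWORD_AGE:
        findings.append("older than rotation interval")
    return findings


def audit(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map each non-compliant username to its findings; compliant accounts are omitted."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        findings = check_account(acct, today)
        if findings:
            report[acct.username] = findings
    return report


# Constructed sample data; these are not real accounts.
SAMPLE_TODAY = date(2023, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("nurse01", date(2023, 1, 10), date(2023, 1, 10)),                    # still on the issued default
    Account("doc02", date(2022, 6, 1), date(2023, 4, 1), date(2023, 5, 20)),     # shared, not changed afterwards
    Account("admin03", date(2022, 6, 1), date(2023, 5, 25), date(2023, 5, 20)),  # changed after the report
    Account("lab04", date(2021, 3, 3), date(2022, 12, 1)),                       # stale password
]

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_ACCOUNTS, SAMPLE_TODAY).items():
        print(f"{user}: {', '.join(findings)}")
```

Running the audit on the constructed accounts flags nurse01 (default never changed, and stale), doc02 (not rotated after the reported exposure) and lab04 (stale); admin03 is compliant because the password was changed after the report. The same three rules can be fed from a directory export or the HIS user table, which is where a real deployment would read the dates from.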
33. Findings
• This study further reveals that staff vary in complying with security measures.
• Understanding the privacy and security threats and challenges facing the organization is essential for building a holistic security process and avoiding loss of, and threats to, patient information.
• Besides, users should be instructed to strictly comply with policies and procedures that prevent communication of passwords, use of others' accounts, and keeping passwords unchanged for long time intervals.
34. Recommendations
• Organizations should build a sense of information security awareness among all staff to gain their support in protecting sensitive data.
• Continuous education and evaluation of the security processes are major elements in that context.
• Other measures, such as auto locking and logging off when workstations are not in use for a predefined period.
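An auto-lock or auto-logoff policy is usually paired with a check that it is actually working, so that the "not signing out" behaviour measured in the study can be seen in logs rather than only in questionnaires. The following is an added example, not from the presentation: it replays constructed login/logout records from shared workstations and reports sessions that were left logged on or sat unlocked longer than the idle threshold. The log format, the workstation and user names and the 15-minute threshold are all assumptions made for the example.

```python
"""Detecting sessions left open on shared workstations.

Added example, not from the presentation. It replays constructed
login/logout records (the log format is invented for this example) and
reports sessions that were never signed out, or that stayed open without
activity longer than the idle threshold an auto-lock/auto-logoff policy
would enforce.
"""
from datetime import datetime
from typing import Dict, List, Tuple

IDLE_LIMIT_MINUTES = 15  # assumed auto-lock/logoff threshold

# Constructed sample log: "timestamp workstation user event"; not real data.
SAMPLE_LOG = """\
2023-06-01T07:58:00 WS-NURSE-3 nurse01 LOGIN
2023-06-01T08:05:00 WS-NURSE-3 nurse01 ACTIVITY
2023-06-01T08:09:00 WS-NURSE-3 nurse01 LOGOUT
2023-06-01T08:10:00 WS-NURSE-3 nurse07 LOGIN
2023-06-01T08:40:00 WS-NURSE-3 nurse07 ACTIVITY
2023-06-01T09:00:00 WS-ADMIN-2 admin03 LOGIN
2023-06-01T09:10:00 WS-ADMIN-2 admin03 ACTIVITY
2023-06-01T09:50:00 WS-ADMIN-2 admin09 LOGIN
2023-06-01T09:55:00 WS-ADMIN-2 admin09 LOGOUT
2023-06-01T12:02:00 WS-LAB-1 lab04 LOGIN
2023-06-01T12:03:00 WS-LAB-1 lab04 ACTIVITY
2023-06-01T13:30:00 WS-LAB-1 lab04 ACTIVITY
2023-06-01T13:31:00 WS-LAB-1 lab04 LOGOUT
"""

Event = Tuple[datetime, str, str, str]          # (timestamp, workstation, user, event)
Finding = Tuple[str, str, str, int]             # (workstation, user, kind, minutes)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into events sorted by timestamp."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, workstation, user, event = line.split()
        events.append((datetime.fromisoformat(ts), workstation, user, event))
    return sorted(events, key=lambda e: e[0])


def minutes_between(start: datetime, end: datetime) -> int:
    return int((end - start).total_seconds() // 60)


def find_exposures(events: List[Event], idle_limit_minutes: int = IDLE_LIMIT_MINUTES) -> List[Finding]:
    """Walk the events per workstation and report the two failure modes the policy targets."""
    # workstation -> (user currently logged on, time of their last event)
    open_sessions: Dict[str, Tuple[str, datetime]] = {}
    findings: List[Finding] = []
    for ts, workstation, user, event in events:
        if event == "LOGIN":
            if workstation in open_sessions:
                # The previous user never signed out before the next user logged in.
                prev_user, last_seen = open_sessions[workstation]
                findings.append((workstation, prev_user, "not signed out", minutes_between(last_seen, ts)))
            open_sessions[workstation] = (user, ts)
            continue
        if workstation not in open_sessions or open_sessions[workstation][0] != user:
            continue  # event without a matching open session; ignored in this example
        _, last_seen = open_sessions[workstation]
        gap = minutes_between(last_seen, ts)
        if gap > idle_limit_minutes:
            # The session stayed logged on with no activity past the auto-lock threshold.
            findings.append((workstation, user, "idle while unlocked", gap))
        if event == "LOGOUT":
            del open_sessions[workstation]
        else:
            open_sessions[workstation] = (user, ts)
    # Anything still open when the log ends was left logged on.
    for workstation, (user, _) in open_sessions.items():
        findings.append((workstation, user, "still logged on at end of log", 0))
    return findings


if __name__ == "__main__":
    for workstation, user, kind, minutes in find_exposures(parse_log(SAMPLE_LOG)):
        print(f"{workstation} {user}: {kind} ({minutes} min)")
```

On the constructed log, nurse01 signs out cleanly and produces nothing; nurse07 is idle for 30 minutes and is still logged on when the log ends; admin03 is found logged on when admin09 arrives 40 minutes after admin03's last activity; lab04 leaves the LAB workstation unlocked and idle for 87 minutes. Counting findings per job category over a real log gives the same breakdown the study obtained by questionnaire, and a drop in "idle while unlocked" findings after enabling auto-lock is direct evidence that the recommended control is in effect.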
35. Conclusions
• It is clearly proven that technical security measures alone can NOT prevent security breaches.
• Insider threats are difficult to detect and manage because they primarily emerge from the malicious practices of authorized users.
• This emphasizes that awareness training and education of users on information security issues are very important for achieving a reliable level of information security in any organization.