Post on 14-Dec-2015
Exposing the Data Risks and Offering the Recommendations for the Secure Consumerization of e-Health
Jason Lin, Corporate Security OfficerTuesday, May 28, 2013
Faculty/Presenter Disclosure
Faculty: Jason Lin
Relationships with commercial interests:– None
Background
Personal Videoconferencing
Access
Productivity
Quality
Scope Timeline
2012• Laptops• Providers
2013• Tablets• Providers
Review of policies and agreements to support the PCVC serviceFocus on the extension of the PCVC service to mobile device platforms (Android and iOS)
2014+• Mobile Devices• ???
“Our mission is to develop and support telemedicine solutions that enhance access and quality of health care in Ontario, and inspire adoption by
health care providers, organizations, and the public.”
Access “and” Quality
5
Confidentiality: Privacy of patients depends upon maintaining the confidentiality of personal health information (PHI) at all times.
Integrity: Patient safety depends upon maintaining the integrity of PHI (e.g. ensure no systematic errors exist). Failure to maintain integrity can result in illness,injury or even death.
Availability: In order to provide safe care, HCP must have ready access to important PHI before, during and after providing care.
Integrity
Confidentiality
Availability
Quality includes Information Security CIA Triad
Center for Information Technology Leadership (CITL) Maturity Model
PCVC Threat Risk Assessment Findings
Impact
Very High
High
Medium
Low
R1, R3, R4 R2
Very Low
Very Low Low Medium High Very High
Likelihood 8
R1: Unauthorised disclosure of PHI due to re-provisioned or lost/stolen device containing Vidyo
Mobile Logs
R2: Inadvertent exposure and unauthorised access to PCVC sessions
due to limitations in Guestlink operations and configuration
R3: Breach of physician privacy due to lack of end user guidance
and surreptitious recording capabilities of consultations by end users/patients, especially within a BYOD configuration
R4: Limitations and complexity within
policies, MOUs, member and end
user guidance coupled with
presence of PHI on mobile devices
Defense In Depth Safeguards
9
TECHNOLOGY
PEOPLE PROCESS
Technology
Process
People
R1: “Unauthorised disclosure of PHI due to re-provisioned or lost/stolen device containing Vidyo Mobile Logs” Safeguard
No PHI Anonymized PHI
Pseudonymized PHI Explicit PHI
Do not leave your mobile device unattended
R1: “Unauthorised disclosure of PHI due to re-provisioned or lost/stolen device containing
Vidyo Mobile Logs” Safeguard
Use passphrases
R2: “Inadvertent exposure and unauthorised access to PCVC sessions” Safeguard
Do not leave your mobile device unattended
R2: “Inadvertent exposure and unauthorised access to PCVC sessions” Safeguard
Do not share your account credentials
Risk 3 “Breach of physician privacy due to lack of end user guidance” Safeguard
14
Awareness Training EducationAttribute What? How? Why?
Imparts Information Knowledge Insight
Method Media•Video
•Newsletters•Posters
Practical Instruction•Lectures
•Case Study•Hands-on practice
Theoretical Instruction
•Seminar and discussion
•Reading and studyImpact Time-Frame Short-Term Medium-Term Long-Term
Regularly
Create best practise guidelines for HIC users
Risk 4 “Limitations and Complexity within Policies” Safeguard
Create simplified and friendly terms of services
Risk “Increased external attacks…”
Risk “Increased external attacks” Safeguard
Harden devices and applications
Risk “Increased external attacks…” Safeguard
Separate corporate from consumer environments
Circles of Trust
International
Federal
Provincial
OTN Local