Six health privacy experiments that should *NEVER* be carried out

© Fujitsu Canada Six Health Privacy Experiments That Should Never Be Conducted WCHIPS 2013, Winnipeg Chris Hammond-Thrasher Associate Director Security, Privacy and Compliance Fujitsu Canada [email protected]

description

In April 2004, a bold experiment by the Infosecurity Tradeshow in London proved what everyone suspected: over 70% of people passing through Liverpool Street Station would reveal their password in exchange for candy (http://news.bbc.co.uk/2/hi/technology/3639679.stm). Some commentators applauded this validation of a previously unproven assumption about Londoners’ attitudes towards password secrecy. Other commentators had serious ethical concerns with the experiment. This candy-for-password experiment got me thinking about health privacy/security experiments. Many suspect that the healthcare system has serious human and technical privacy vulnerabilities, but how can we validate this suspicion? Would a patient hand over their provincial health number for a chocolate bar? Would a medical professional hand over a patient’s information for a chai latte? The more I thought about it, the more extreme – and both frightening and funny – the research projects became.

Transcript of Six health privacy experiments that should *NEVER* be carried out

Six Health Privacy Experiments That Should Never Be Conducted

1


Phone Disclosure

Conference Number

Dial into the XYZ Disease / Syndrome / Dysfunction Conference Call Now!

204-800-5580

2

Social Media

Long Memory

• Version 1.0 of the NCSA Mosaic browser was released in November 1993

• Netscape Navigator was released in December 1994

• TELUS launched commercial Internet services in 1995

• Facebook launched in February 2004

Teens on Facebook

“Self-definition is about identity, one’s needs and attitudes, and the presentation of the self to others. Teenage patients present themselves on Facebook as regular teenagers. They do not write public status updates about their stays at CHEO or the treatments they receive.”

- Van der Velden and El Emam, 2012

3

A Simple Wi-Fi Attack

The Demonstration Network

Join now!

SSID: wchips2013
Password: wchips2013

Countermeasures

The basics: Any Wi-Fi network with significant security requirements must be configured to use WPA2-Enterprise. No exceptions.

VPNs are excellent defenses when moving sensitive data across non-trusted networks, but there is no completely safe way to connect to and use a hostile Wi-Fi network.

There is no good defense against Wi-Fi denial of service. The best that you can do is have a good wireless incident response team on hand.

4

Win an iPad Mini!

Phishing Discussion

Use HTTPS and put the survey on your own domain, i.e. https://primarycaresurvey.albertahealthservices.ca

Without HTTPS I can try to impersonate the site and phish for personal health information.

As of last night, primarycaresurveys.ca is available for purchase (they used primarycaresurvey.ca), but albertahealthservice.ca has been purchased by a domain squatter.
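
Added example (not part of the original slides): a link check that applies the advice above, accepting a survey URL only when it is HTTPS and hosted under the organisation's own domain, and flagging near-miss domains such as the ones named on this slide. The function names, the edit-distance threshold of 2 and the two-label "registrable domain" shortcut are assumptions made for illustration.

```python
from urllib.parse import urlsplit

ORG_DOMAIN = "albertahealthservices.ca"  # the organisation's own domain, from the slide


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels. Assumption: adequate for the .ca names used here;
    production code should consult the Public Suffix List instead."""
    return ".".join(host.split(".")[-2:])


def classify(url: str, org: str = ORG_DOMAIN, max_dist: int = 2) -> str:
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    # The leading dot matters: "evil" + org must not count as a subdomain.
    if host == org or host.endswith("." + org):
        return "ok" if parts.scheme == "https" else "insecure"
    if 0 < edit_distance(registrable(host), org) <= max_dist:
        return "lookalike"
    return "off-domain"


if __name__ == "__main__":
    # Constructed sample links built from the domains named on the slide.
    for link in ("https://primarycaresurvey.albertahealthservices.ca",
                 "http://primarycaresurvey.albertahealthservices.ca",
                 "https://survey.albertahealthservice.ca",
                 "https://primarycaresurvey.ca"):
        print(f"{classify(link):<11} {link}")
```

A survey hosted on a separate domain is reported as off-domain even over HTTPS, because the recipient has no way to tie that name back to the organisation.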

QR Code Phishing

5

Hospital Netwars

6

Healthcare Mysticism

7

Medical Malware

A Common Malware Model

[Diagram labels: Command and Control Server; Infected Laptop; Infected Tablet; Infected Smartphone]

8

Balloon Clown Audit

9

Elicitation

Definition: “Elicitation”

“In the spy trade, elicitation is the term applied to subtle extraction of information during an apparently normal and innocent conversation. Most intelligence operatives are well trained to take advantage of professional or social opportunities to interact with persons who have access to classified or other protected information.

Conducted by a skillful intelligence collector, elicitation appears to be normal social or professional conversation and can occur anywhere – in a restaurant, at a conference, or during a visit to one’s home. But it is conversation with a purpose, to collect information about your work or to collect assessment information about you or your colleagues.”

Elicitation Plan

Goal: Elicit personal information on at least one individual

Method: Seek advice on when teenage girls should start dating as a way to get a parent talking about their own children

Objectives:
• Parent’s Name __________________
• Target’s Name __________________
• Relationship __________________
• Target’s Gender __________________
• Target’s Birthday __________________

Achieved _________ of five objectives

C

Bibliography

Capps, Rusty. "The Spy Who Came to Work," Security Management, February 1997.

*Celent. Using Social Data In Claims and Underwriting, http://www.celent.com/reports/using-social-data-claims-and-underwriting

Hadnagy, Chris. Social Engineering: The Art of Human Hacking. Wiley, 2011.

Li, Jingquan. “Privacy Policies for Health Social Networking Sites,” Journal of the American Medical Information Association, March 2013.

Malin, El Emam and O’Keefe. “Biomedical Data Privacy: Problems, Perspectives, and Recent Advances,” Journal of the American Medical Information Association, January 2013.

Van der Velden, El Emam. “’Not All My Friends Need to Know’: A Qualitative Study of Teenage Patients, Privacy, and Social Media,” Journal of the American Medical Information Association, July 2012.

*Subscription required.

Hammond-Thrasher, Six Health Privacy Experiments, 2013

Conclusions

There are significant challenges facing privacy professionals and academic researchers who want to understand real risk, including:

• Research ethics

• Research funding

• The reputational concerns of personal health information custodians

The reality of the real risk scenarios examined today is that the threat agents – whether insiders or outsiders – are not bound by the constraints that govern privacy and security professionals.

Van der Velden and El Emam’s paper on sick teens using Facebook is a warning about the complexity of real risk – our assumptions about how good or bad things may be need to be tested.

Challenge Questions

For you, is the title of this talk a true statement? Should experiments like these *NEVER* be performed? Are some acceptable and not others? And if so why?

Please email your answers to: [email protected]

Chris Hammond-Thrasher
Associate Director, Consulting
Security, Privacy and Compliance
Fujitsu Canada

[email protected]