Configuring Electronic Health Records
Privacy and Security in the US
Lecture f
This material (Comp11_Unit7f) was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000015
Privacy and Security in the US
Learning Objectives
• Compare and contrast the concepts of privacy and security (Lecture a)
• List the regulatory frameworks for an EHR (Lecture b, c)
• Describe the concepts and requirements for risk management (Lecture d)
• Describe authentication, authorization and accounting (Lecture d)
• Describe passwords and multi-factor authentication and their associated issues (Lecture d)
• Describe issues with portable devices (Lecture d)
• Describe elements of disaster preparedness and disaster recovery (Lecture e)
• Describe issues of physical security (Lecture e)
• Describe malware concepts (Lecture f)
Health IT Workforce Curriculum Version 3.0/Spring 2012
Viruses
• Oldest and simplest concept: an unwanted program that executes when the host program executes
• Copies itself to media
Virus Types
• File
• Boot sector
• Macro
• E-mail
• Multi-variant
• RFID (theoretical)
Worms
• Self-replicating program that copies itself to other computers across a network
• LAN or Intranet
• Web or Internet
• E-mail
• IM
• IRC
• P2P
Trojans
• Destructive program that appears to be other than what it is
• From the Greek myth of the wooden horse brought into the city as a trophy – filled with warriors
• Brought in by the user . . .
• Backdoor trojan
• Data collecting
• Downloader or dropper
Botnets
• Coordinated attack using infected systems
• Stages:
  – Creation
  – Configuration
  – Infection
  – Control
• Used for:
  – DDoS
  – Spam & spreading malware
  – Information leakage
  – Click fraud
  – Identity fraud
Zero-Day Malware
• What to do about a new threat?
• Zero-day malware is not detected by existing anti-virus
• May be based on zero-day exploits – newly discovered vulnerabilities
• Are signatures enough?
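Added example (not part of the original lecture): a minimal signature scanner run over three constructed, harmless byte strings, showing why a scanner that only knows catalogued samples returns no match for a new one. The sample contents, signature names and the `scan` / `scan_all` functions are assumptions made for illustration.

```python
import hashlib

# Constructed, harmless byte strings standing in for program files.
KNOWN_SAMPLE = b"HEADER|routine-A|payload-marker-1234|END"
# Same content with one byte appended: the file hash changes completely.
MODIFIED_COPY = KNOWN_SAMPLE + b"\x00"
# Content that has never been analysed, so no signature exists for it.
NEW_SAMPLE = b"HEADER|routine-B|unrelated-content|END"

# The signature database can only be built from samples already analysed.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Sample.A"}
PATTERN_SIGNATURES = {b"payload-marker-1234": "Sample.A (pattern)"}


def scan(data: bytes):
    """Return the matching signature name, or None if nothing matches."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:          # exact-file signature
        return HASH_SIGNATURES[digest]
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in data:                # byte-sequence signature
            return name
    return None


def scan_all():
    """Scan the three constructed samples and return a verdict for each."""
    samples = {
        "known": KNOWN_SAMPLE,
        "modified": MODIFIED_COPY,
        "new": NEW_SAMPLE,
    }
    return {label: scan(data) for label, data in samples.items()}


if __name__ == "__main__":
    for label, verdict in scan_all().items():
        print(f"{label:9} -> {verdict or 'no signature match'}")
```

The `None` verdict for the new sample is the gap the slide asks about: a signature exists only after a sample has been seen and analysed.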
Rogueware
• Attempts to defraud users by requesting payment to remove non-existent threats
• Indications:
  – Fake pop-up warnings
  – Appear similar to real antivirus
  – Quick scan
  – May identify different files on each pass
• Highly lucrative
• Like a virus, hard to remove
What to Do?
• Resource: Malware Threats and Mitigation Strategies by US-CERT
• Enclave boundary
  – Firewalls
  – IDS
• Computing environment
  – Authorized local network devices
  – O/S patching/updating
  – O/S hardening
  – Anti-virus updating
  – Change control process
  – Host-based firewall
  – Vulnerability scanning
  – Proxy servers and web content filters
  – E-mail attachment filtering
  – Monitor logs
• What to do when compromised
  – If, not when
Why Viruses Exist
• Software engineering limitations
• Bugs
2011 Top 25 Mistakes
• Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
• Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
• Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
• Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• Missing Authentication for Critical Function
• Missing Authorization
• Use of Hard-coded Credentials
• Missing Encryption of Sensitive Data
• Unrestricted Upload of File with Dangerous Type
• Reliance on Untrusted Inputs in a Security Decision
• Execution with Unnecessary Privileges
• Cross-Site Request Forgery (CSRF)
2011 Top 25 Mistakes (continued)
• Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• Download of Code Without Integrity Check
• Incorrect Authorization
• Inclusion of Functionality from Untrusted Control Sphere
• Incorrect Permission Assignment for Critical Resource
• Use of Potentially Dangerous Function
• Use of a Broken or Risky Cryptographic Algorithm
• Incorrect Calculation of Buffer Size
• Improper Restriction of Excessive Authentication Attempts
• URL Redirection to Untrusted Site ('Open Redirect')
• Uncontrolled Format String
• Integer Overflow or Wraparound
• Use of a One-Way Hash without a Salt
Detection and Prevention
• Automated tools
• Policies and procedures
• Knowledgeable implementation staff
Privacy and Security in the US
Summary – Lecture f
• Malware
• Software design issues
Privacy and Security in the US
Summary
• Concepts of privacy and security
• Regulatory framework
• Risk assessment
• Portable devices
• System access
• Security awareness training
• Incident response and disaster recovery
• Physical security
• Malware and software design issues
Privacy and Security in the US
References – Lecture f
References
• Christey, S. (2011). 2011 CWE/SANS Top 25 Most Dangerous Software Errors, from http://cwe.mitre.org/top25
• U.S. Computer Emergency Readiness Team. (2005). Malware Threats and Mitigation Strategies, from http://www.us-cert.gov/reading_room/malware-threats-mitigation.pdf