Lukas - Ancaman E-Health Security

Threats to Information Security in eHealth (Security Threats in eHealth)

Lukas & Hadi Syahrial

[email protected] [email protected]

Page 1

Page 2

Honeynet mission

To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned.

Outline:

eHealth attack: motives, tactics, tools.

Page 3

What is eHealth? (http://www.who.int/trade/glossary/story021/en/)

E-health is the transfer of health resources and health care by electronic means. It encompasses three main areas:

The delivery of health information, for health professionals and health consumers, through the Internet and telecommunications.

Using the power of IT and e-commerce to improve public health services, e.g. through the education and training of health workers.

The use of e-commerce and e-business practices in health systems management.

Page 4

eHealth - The Future of Healthcare

The banking metaphor: most transactions are carried out by the customer

Centralisation of specialist services

Decentralisation of non-specialist services

Page 5

Existing Health on the Web

Estimated to be ~20,000 health websites

Used by 98 million adults (75% of people who have web access)

Average of 3.3 times per month

More people consult the web each day than consult doctors

7M e-patients/day on the net; 2-3M patients see a doctor

Page 6

Existing Health on the Web

Access to accurate information can lead to: more knowledgeable, empowered, less anxious patients; more participatory health decisions; better care as patient and doctor become partners

Mis-information can lead to: confused and angry patients; bad decisions, mis-placed hope, worse care, harm

Privacy violations can cause emotional and economic damage

Page 7

eHealth

“Healthcare which is supported by electronic processes”

Other terms:

– Healthcare informatics or Health Information Technology (HIT)

– Medical Information Systems (MIS)

– Biomedical informatics (also includes Bioinformatics: gene sequencing etc.)

Page 8

eHealth includes:

Electronic Medical Records: easy communication of patient data between different healthcare professionals (GPs, specialists, care team, pharmacy)

Telemedicine: does not require a patient and specialist in the same physical location.

Decision support systems in healthcare: data can be analysed to provide alerts, reminders and real-time decision aids

Evidence Based Medicine:

The application of the scientific method to medical practice

Check if diagnosis is in line with scientific research.

Data can be kept up-to-date.

Citizen-oriented Information Provision: for both healthy individuals and patients

Specialist-oriented Information Provision: best practice guidelines from latest medical journals.

Virtual healthcare teams: collaborate and share information on patients through digital equipment (for transmural care).

Page 9

Transmural Care

Transmural: care should not stop at the walls of the hospital

– Both intra- and extra-mural, thus ‘transmural care’.

– Care before, during and after the hospital stay.

– Cooperation and coordination among local practitioner, hospital, home care and rehabilitation centres

– Patient part of an agreed programme - protocols and standards.

Page 10

Medical Errors

Human Errors:

IOM Report, 1999

44,000 to 98,000 die in US annually from medical errors

at 44,000, would rank as 8th leading cause of death

car accidents: 43,458

breast cancer: 42,297

AIDS: 16,516

7000 deaths from medication errors alone

Page 11

http://www.theaustralian.com.au/australian-it/government/e-health-data-systen-is-vulnerable-to-attack-from-fraudsters/story-fn4htb9o-1226310709795

Page 12

Data Breaches by Sector in 2012

Symantec: Internet Security Threat Report 2013 :: Volume 18

Page 13

Threats

Hospital management (the CEO) does not fully understand information security risk or how to manage and handle it.

It is difficult to find talented information security professionals.

Insiders who deliberately or accidentally leak personal and confidential information.

Page 14

Threats - continued

Hacktivists

Crime as a Service (CaaS)

Information leaks

BYOD (bring your own device)

BYOC (bring your own cloud)

Government regulation on hospital information security

Big Data

Page 15

Impact

Patients

Families

Hospital reputation

Page 16

Motives

1. Personal financial gain: blackmail, competitive advantage, lawsuit, career advancement, corruption of clinical trials or research results, diverting valuable assets

2. Revenge: denied advancement, perceived wrong, ideological redress (common occurrences from a potentially disgruntled employee; higher probability than most other sources of threat to an agency's information, information technology infrastructure, and/or physical facilities)

3. Curiosity and thrill seeking: non-malicious hacker, desire to be an insider, “how does it work” reasons, gaining access

4. Intellectual challenge, learning, need for acceptance and respect: malicious and non-malicious hackers, destroying databases, taking control

5. Personal evidence: covering a crime, covering a mistake, insider and external information destruction

Page 17

Motives

6. Institutional evidence: covering crime, covering bad decisions, covering misadventures, changing clinical trials or research results, intimidating personnel

7. Perceived moral or idealistic purpose: religious, cultural and philosophical radicals, demonstrating ideological or religious causes, labor unrest, domestic and foreign cultural agitation, “Robin Hood” motives

8. Military and national intelligence: information on readiness, composition and disposition of units, status and intent of forces, impacting readiness through destruction of capability

9. Political and economic intelligence: gaining information on individuals, gaining advantage in international negotiations, obtaining research and other valuable technical information that would be too expensive to develop by oneself or in failing block, keys, etc.

Page 18

Motives

10. Business intelligence: competitive advantage, trade secrets entrusted to government, illegally obtaining product specifications or research content and results, illegally obtaining data to conduct research

11. Terror: creating life-threatening situations, destroying care capability, weakening culture and values

12. Ignorance: intruders may be unaware that actions are illegal and punishable, consultants obtaining unauthorized password block, keys, etc.

Page 19

Solutions (recommendations)

Technology

Process

People

Compliance

Risk

Information security governance

Page 20

Tactics

Stolen devices (laptop, USB flash drive, hard disk, etc.)

Sniffing the network

Social engineering

Trojan Horse: a program that, unknown to the user, contains instructions that exploit a known vulnerability in some software.

Back Doors: in case the original entry point has been detected, having a few hidden ways back makes re-entry easy and difficult to detect.

Malicious Applets: tiny programs, sometimes written in the popular Java language, that misuse your computer's resources, modify files on the hard disk, send fake e-mail, or steal passwords.

Page 21

The Importance of Performing a Security Review

Security requirement analysis

Threat modeling

IT infrastructure architecture analysis

Code review

Penetration testing

Compliance audit

Security maturity

Page 22

Conclusion

To secure eHealth: a raised level of awareness, shared responsibility, constant risk assessment and testing procedures, the management of identified risks, and finally the most difficult issue of implementing truly comprehensive and steadfast legal and enforcement mechanisms.

It is important to apply cyber hygiene for all employees and medical staff in the hospital.

Page 23

Q & A

Health IT Security [email protected] [email protected]