
Post on 14-Dec-2015


Exposing the Data Risks and Offering the Recommendations for the Secure Consumerization of e-Health

Jason Lin, Corporate Security Officer

Tuesday, May 28, 2013

Faculty/Presenter Disclosure

Faculty: Jason Lin

Relationships with commercial interests: None

Background

Personal Videoconferencing

Access

Productivity

Quality

Scope Timeline

2012: Laptops; Providers

2013: Tablets; Providers

Review of policies and agreements to support the PCVC service. Focus on the extension of the PCVC service to mobile device platforms (Android and iOS).

2014+: Mobile Devices; ???

“Our mission is to develop and support telemedicine solutions that enhance access and quality of health care in Ontario, and inspire adoption by health care providers, organizations, and the public.”

Access “and” Quality


Confidentiality: Privacy of patients depends upon maintaining the confidentiality of personal health information (PHI) at all times.

Integrity: Patient safety depends upon maintaining the integrity of PHI (e.g. ensuring no systematic errors exist). Failure to maintain integrity can result in illness, injury or even death.

Availability: In order to provide safe care, HCPs (health care providers) must have ready access to important PHI before, during and after providing care.

Quality includes the information security CIA triad: Confidentiality, Integrity, Availability.

Center for Information Technology Leadership (CITL) Maturity Model

PCVC Threat Risk Assessment Findings

Risk matrix (vertical axis: Impact, from Very Low to Very High; horizontal axis: Likelihood, from Very Low to Very High). Plotted risks: R1, R3 and R4 in one cell, R2 in another.

R1: Unauthorised disclosure of PHI due to re-provisioned or lost/stolen device containing Vidyo Mobile Logs

R2: Inadvertent exposure and unauthorised access to PCVC sessions due to limitations in Guestlink operations and configuration

R3: Breach of physician privacy due to lack of end user guidance and surreptitious recording capabilities of consultations by end users/patients, especially within a BYOD configuration

R4: Limitations and complexity within policies, MOUs, member and end user guidance coupled with presence of PHI on mobile devices

Defense In Depth Safeguards: People, Process, Technology

R1: “Unauthorised disclosure of PHI due to re-provisioned or lost/stolen device containing Vidyo Mobile Logs” Safeguard

PHI spectrum in logs: No PHI → Anonymized PHI → Pseudonymized PHI → Explicit PHI

Do not leave your mobile device unattended
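The PHI spectrum on the R1 safeguard slide (no PHI, anonymized, pseudonymized, explicit) describes how much of a patient's identity a mobile log record carries if the device is lost or re-provisioned. The following Python is an added example, not code from the deck, from OTN or from Vidyo: it applies each of the four levels to a constructed session log record. The field names, the record layout and the key are assumptions for illustration; a real client would read its log format and keep the pseudonymization key with the custodian rather than on the device.

```python
"""Added example: apply the four PHI handling levels to a log record.

Not OTN or Vidyo code. The record layout and field names are assumptions.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, Optional

# Constructed sample record: what a mobile client might write after a
# videoconference session. This is NOT Vidyo's real log format.
SAMPLE_RECORD: Dict[str, Any] = {
    "ts": "2013-05-28T10:15:00Z",
    "event": "session_end",
    "patient_name": "Jane Example",
    "health_card": "1234-567-890-AB",
    "room": "clinic-42",
    "duration_s": 1260,
}

# Fields that identify a patient directly; everything else is operational.
PHI_FIELDS = ("patient_name", "health_card")


def _pseudonym(value: str, key: bytes) -> str:
    # Keyed hash (HMAC-SHA256): stable for the same patient, so records can
    # still be correlated, but not reversible without the key, which stays
    # with the custodian rather than on the device.
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def sanitize(record: Dict[str, Any], level: str,
             key: Optional[bytes] = None) -> Dict[str, Any]:
    """Return a copy of record at the requested PHI handling level.

    "none"          PHI fields are dropped from the record entirely
    "anonymized"    PHI fields kept, values replaced by a constant marker
    "pseudonymized" PHI fields replaced by a keyed-hash token (needs key)
    "explicit"      record written unchanged (the state R1 warns about)
    """
    out = dict(record)
    if level == "explicit":
        return out
    for field in PHI_FIELDS:
        if field not in out:
            continue
        if level == "none":
            del out[field]
        elif level == "anonymized":
            out[field] = "[REDACTED]"
        elif level == "pseudonymized":
            if key is None:
                raise ValueError("pseudonymization requires a key")
            out[field] = _pseudonym(str(out[field]), key)
        else:
            raise ValueError(f"unknown level: {level}")
    return out


def contains_phi(record: Dict[str, Any], original: Dict[str, Any]) -> bool:
    """True if any original PHI value appears verbatim in the sanitized record."""
    text = json.dumps(record)
    return any(str(original[f]) in text for f in PHI_FIELDS if f in original)


if __name__ == "__main__":
    key = b"demo-key-not-stored-on-device"  # constructed; real key lives server-side
    for lvl in ("none", "anonymized", "pseudonymized", "explicit"):
        s = sanitize(SAMPLE_RECORD, lvl, key)
        print(f"{lvl:13} phi_present={contains_phi(s, SAMPLE_RECORD)} {json.dumps(s)}")
```

Running the block prints one line per level; only the "explicit" level leaves patient identifiers readable on disk. The keyed hash is what distinguishes pseudonymized from anonymized data: the custodian can still link records for a patient, but someone holding only the device cannot.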

R1: “Unauthorised disclosure of PHI due to re-provisioned or lost/stolen device containing Vidyo Mobile Logs” Safeguard

Use passphrases

R2: “Inadvertent exposure and unauthorised access to PCVC sessions” Safeguard

Do not leave your mobile device unattended

R2: “Inadvertent exposure and unauthorised access to PCVC sessions” Safeguard

Do not share your account credentials

Risk 3 “Breach of physician privacy due to lack of end user guidance” Safeguard


Attribute           Awareness                      Training                               Education
Level               What?                          How?                                   Why?
Imparts             Information                    Knowledge                              Insight
Method              Media: video, newsletters,     Practical instruction: lectures,       Theoretical instruction: seminar and
                    posters                        case study, hands-on practice          discussion, reading and study
Impact time-frame   Short-term                     Medium-term                            Long-term

Regularly

Create best practice guidelines for HIC users

Risk 4 “Limitations and Complexity within Policies” Safeguard

Create simplified and friendly terms of services

Risk “Increased external attacks…”

Risk “Increased external attacks” Safeguard

Harden devices and applications

Risk “Increased external attacks…” Safeguard

Separate corporate from consumer environments

Circles of Trust: OTN Local, Provincial, Federal, International

Questions and Answers

Thank You

http://otn.ca/en/services/pcvc
