Exposing the Data Risks and Offering the Recommendations for the Secure Consumerization of e-Health Jason Lin, Corporate Security Officer Tuesday, May 28, 2013 Faculty/Presenter Disclosure Faculty: Jason Lin Relationships with commercial interests: – None Background Productivity Access Quality Personal Videoconf erencing Scope Timeline Review of policies and agreements to support the PCVC service Focus on the extension of the PCVC service to mobile device platforms (Android and iOS) 2012 2013 2014+ • Laptops • Providers • Tablets • Providers • Mobile Devices • ??? Access “and” Quality “Our mission is to develop and support telemedicine solutions that enhance access and quality of health care in Ontario, and inspire adoption by health care providers, organizations, and the public.” 5 Quality includes Information Security CIA Triad Confidentiality: Privacy of patients depends upon maintaining the confidentiality of personal health information (PHI) at all times. Confidentiality Integrity: Patient safety depends upon maintaining the integrity of PHI (e.g. ensure no systematic errors exist). Failure to maintain integrity can result in illness, injury or even death. Availability: In order to provide safe care, HCP must have ready access to important PHI before, during and after providing care. Integrity Availability Center for Information Technology Leadership (CITL) Maturity Model PCVC Threat Risk Assessment Findings Impact Very High High R1: Unauthorised disclosure of PHI due to re-provisioned or lost/stolen device containing Vidyo Mobile Logs R3: Breach of physician privacy due to lack of end user guidance and surreptitious recording capabilities of consultations by end users/patients, especially within a BYOD configuration Medium R1, R3, R4 R2 R4: Limitations and complexity within policies, MOUs, member and end user guidance coupled with presence of PHI on mobile devices Low Very Low Very Low R2: Inadvertent exposure and unauthorised access to PCVC sessions due to limitations in Guestlink operations and configuration High Low Medium Likelihood Very High 8 Defense In Depth Safeguards TECHNOLOGY People PEOPLE PROCESS Process Technology 9 R1: “Unauthorised disclosure of PHI due to reprovisioned or lost/stolen device containing Vidyo Mobile Logs” Safeguard No PHI Anonymized PHI Pseudonymized PHI Explicit PHI Do not leave your mobile device unattended R1: “Unauthorised disclosure of PHI due to reprovisioned or lost/stolen device containing Vidyo Mobile Logs” Safeguard Use passphrases R2: “Inadvertent exposure and unauthorised access to PCVC sessions” Safeguard Do not leave your mobile device unattended R2: “Inadvertent exposure and unauthorised access to PCVC sessions” Safeguard Do not share your account credentials Risk 3 “Breach of physician privacy due to lack of end user guidance” Safeguard Awareness Training Education Attribute What? How? Why? Imparts Information Knowledge Insight Method Media •Video •Newsletters •Posters Practical Instruction •Lectures •Case Study •Hands-on practice Theoretical Instruction •Seminar and discussion •Reading and study Impact Time-Frame Short-Term Medium-Term Long-Term Regularly Create best practise guidelines for HIC users 14 Risk 4 “Limitations and Complexity within Policies” Safeguard Create simplified and friendly terms of services Risk “Increased external attacks…” Risk “Increased external attacks” Safeguard Harden devices and applications Risk “Increased external attacks…” Safeguard Separate corporate from consumer environments Circles of Trust International Federal Provincial OTN Local Questions and Answers Thank You http://otn.ca/en/services/pcvc