Access “and” Quality - e

Exposing the Data Risks and Offering the Recommendations for the Secure Consumerization of e-Health
Jason Lin, Corporate Security Officer
Tuesday, May 28, 2013
Faculty/Presenter Disclosure
Faculty: Jason Lin
Relationships with commercial interests:
– None
Background
Productivity
Access
Quality
Personal
Videoconferencing
Scope Timeline
Review of policies and agreements to support the PCVC service
Focus on the extension of the PCVC service to mobile device platforms (Android and iOS)
2012
• Laptops
• Providers
2013
• Tablets
• Providers
2014+
• Mobile Devices
• ???
Access “and” Quality
“Our mission is to develop and support telemedicine solutions that enhance
access and quality of health care in Ontario, and inspire adoption by
health care providers, organizations, and the public.”
Quality includes Information Security CIA Triad
Confidentiality: Privacy of patients depends upon maintaining the confidentiality of personal health information (PHI) at all times.
Integrity: Patient safety depends upon maintaining the integrity of PHI (e.g. ensure no systematic errors exist). Failure to maintain integrity can result in illness, injury or even death.
Availability: In order to provide safe care, HCP must have ready access to important PHI before, during and after providing care.
Center for Information Technology Leadership (CITL) Maturity Model
PCVC Threat Risk Assessment Findings
R1: Unauthorised disclosure of PHI due to re-provisioned or lost/stolen device containing Vidyo Mobile Logs
R2: Inadvertent exposure and unauthorised access to PCVC sessions due to limitations in Guestlink operations and configuration
R3: Breach of physician privacy due to lack of end user guidance and surreptitious recording capabilities of consultations by end users/patients, especially within a BYOD configuration
R4: Limitations and complexity within policies, MOUs, member and end user guidance coupled with presence of PHI on mobile devices
[Risk matrix: Impact (Very Low, Low, Medium, High, Very High) against Likelihood (Very Low, Low, Medium, High, Very High); plotted groups: "R1, R3, R4" and "R2"]
Defense In Depth Safeguards
People
Process
Technology
R1: “Unauthorised disclosure of PHI due to reprovisioned or lost/stolen device containing Vidyo Mobile Logs” Safeguard
No PHI
Anonymized PHI
Pseudonymized PHI
Explicit PHI
Do not leave your mobile device unattended
R1: “Unauthorised disclosure of PHI due to reprovisioned or lost/stolen device containing Vidyo Mobile Logs” Safeguard
Use passphrases
R2: “Inadvertent exposure and unauthorised access to PCVC sessions” Safeguard
Do not leave your mobile device unattended
R2: “Inadvertent exposure and unauthorised access to PCVC sessions” Safeguard
Do not share your account credentials
Risk 3 “Breach of physician privacy due to lack of end user guidance” Safeguard
                  | Awareness                            | Training                                                       | Education
Attribute         | What?                                | How?                                                           | Why?
Imparts           | Information                          | Knowledge                                                      | Insight
Method            | Media: Video, Newsletters, Posters   | Practical Instruction: Lectures, Case Study, Hands-on practice | Theoretical Instruction: Seminar and discussion, Reading and study
Impact Time-Frame | Short-Term                           | Medium-Term                                                    | Long-Term
Regularly
Create best practise guidelines for HIC users
Risk 4 “Limitations and Complexity within Policies” Safeguard
Create simplified and friendly terms of services
Risk “Increased external attacks…”
Risk “Increased external attacks”
Safeguard
Harden devices and applications
Risk “Increased external attacks…”
Safeguard
Separate corporate from consumer environments
Circles of Trust
International
Federal
Provincial
OTN Local
Questions and Answers
Thank You
http://otn.ca/en/services/pcvc