Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mađarić: ISO/IEC vs. hospital/health care reality

Published byHartono Lie Modified over 6 years ago

Similar presentations

Presentation on theme: "Mađarić: ISO/IEC vs. hospital/health care reality"— Presentation transcript:

1 Mađarić: ISO/IEC 27799 vs. hospital/health care reality
Workshop on Data Protection – New Challenges (JHA 51505) ISO/IEC vs. hospital/health care reality Dr.sc. Miroslav Mađarić Klinički bolnički centar Zagreb Savjetnik ravnatelja za informatiku Workshop on Data Protection - New Challenges Mađarić: ISO/IEC vs. hospital/health care reality

2 Mađarić: ISO/IEC 27799 vs. hospital/health care reality
Sadržaj: Nomologija: zaštita vs. sigurnost Struktura ISO/IEC 27799 25 prijetnji sigurnosti u e-Zdravlju Primjeri prijetnji sigurnosti iz iskustva KBC-a Zagreb Zaključci Workshop on Data Protection - New Challenges Mađarić: ISO/IEC vs. hospital/health care reality

3 Nomologija: sigurnost i zaštita
Zakon o zaštiti osobnih podataka, članak 1: “Svrha zaštite osobnih podataka je zaštita privatnog života i ostalih ljudskih prava i temeljnih sloboda u prikupljanju, obradi i korištenju osobnih podataka“ Dakle, svrha ovoga Zakona stavlja fokus na POVJERLJIVOST Ostale sastavnice (Integritet, Raspoloživost) ovaj Zakon spominje marginalno. Workshop on Data Protection - New Challenges Mađarić: ISO/IEC vs. hospital/health care reality

4 Nomologija: sigurnost i zaštita
Obratno, temeljni “propis” informatičke sigurnosti u zdravstvu - standard ISO 27799, koji u području zdravstva operacionalizira primjenu ISO (opću informatičku sigurnost) – bavi se upravljanjem ukupnom sigurnošću: “This International Standard provides: guidance to healthcare organizations and other custodians of personal health information on how best to: protect the Confidentiality, Integrity and Availability of such information by implementing ISO/IEC 27002” Workshop on Data Protection - New Challenges Mađarić: ISO/IEC vs. hospital/health care reality

5 Mađarić: ISO/IEC 27799 vs. hospital/health care reality
Struktura ISO/IEC 27799 5. Health information security 6. Practical action plan for implementing ISO/IEC 27002 7. Healthcare implications of ISO/IEC 27002 Annexes (informative): A) Threats to health information security B) Tasks and related documents of the Information Security Management C) Potential benefits and required attributes of support tools Workshop on Data Protection - New Challenges Mađarić: ISO/IEC vs. hospital/health care reality

6 25 prijetnji sigurnosti u e-Zdravlju
ISO/IEC Appendix A: Threats to health information security: 13) Technical failure of the host, storage facility or network infrastructure 1) Masquerade by insiders 14) Environmental support failure 2) Masquerade by service providers 15) System or network software failure 3) Masquerade by outsiders 16) Application software failure (e.g., of a health information application) 4) Unauthorized use of a health information application 17) Operator error 5) Introduction of damaging or disruptive software 18) Maintenance error 6) Misuse of system resources 19) User error 7) Communications infiltration 20) Staff shortage 8) Communications interception 21) Theft by insiders (including theft of equipment or data) 9) Repudiation 22) Theft by outsiders 10) Connection failure 23) Wilful damage by insiders 11) Embedding of malicious code 24) Wilful damage by outsiders 12) Accidental misrouting 25) Terrorism Workshop on Data Protection - New Challenges Mađarić: ISO/IEC vs. hospital/health care reality

7 25+1 prijetnji sigurnosti u e-Zdravlju
Sigurnosna prijetnja Primjer(i) iz KBC-a Zagreb koji se odnosi/e na zaštitu osobnih podataka C.I.A. kategorija 1) Masquerade by insiders Korištenje tuđeg ID/password kod odlaska pravog korisnika od računala; Zadržavanje inicijalne korisničke zaporke C 2) Masquerade by service providers 3) Masquerade by outsiders 4) Unauthorized use of a health information application Neovlašten uvid u podatke pacijenata koji su “medijski zanimljivi” ili s “društveno stigmatiziranim zdravstvenim statusom” 5) Introduction of damaging or disruptive software 6) Misuse of system resources Skidanje velikih datoteka putem interneta vodi zagušenju pristupa internetu, npr. za potrebe CEZIH-u A 7) Communications infiltration 8) Communications interception 9) Repudiation Osporavanje neovlaštenog pristupa pod 4) 10) Connection failure Nemogućnost spajanja VPN-om 11) Embedding of malicious code 12) Accidental misrouting Slanje nalaza om na krivu adresu C, A 13) Technical failure of the host, storage facility or network infrastructure Zaustavljanje cijelog hitnog prijema zbog mrežne greške na Radiologiji Workshop on Data Protection - New Challenges Mađarić: ISO/IEC vs. hospital/health care reality

8 Neovlašten (?) uvid u “tuđe” pacijente
Workshop on Data Protection - New Challenges Mađarić: ISO/IEC vs. hospital/health care reality

9 25+1 prijetnji sigurnosti u e-Zdravlju
Sigurnosna prijetnja (dodano!) Primjer(i) iz KBC-a Zagreb koji se odnosi/e na zaštitu osobnih podataka C.I.A. kategorija 14) Environmental support failure Ispad napajanja servera; kvar klime A 15) System or network software failure; or “works as designed” Ispad Terminal Servera  nemogućnost prijave na sustav; Manjkavosti primjene VDI (terminala) C 16) Application software failure (e.g., of a health information application); or “works as designed” Nedovoljna kontrola kod upisa podataka, npr. za pacijente s istim imenom i prezimenom; nekonzistentnost sučelja vodi do gubitka podataka; neprimjereno zaključavanje/otključavanje dokumenata; Izmjena dokumenta bez evidentirane povijesti izmjena; prikupljanje nepotrebnih informacija, … I 17) Operator error Pogrešne postavke (najčešća prava pristupa) C,A 18) Maintenance error Ispad ili pogreška u funkcionalnostima zbog instalacije patcheva i novih verzija sustava 19) User error Zamjena identiteta; manjkav ili netočan upis; Pokretanje velikih obrada u vršnom opterećenju 20) Staff shortage; also other scarce resources Nedovoljna potpora pri uporabi aplikativnih funkcionalnosti; Štednja nabavom zamjenskih tonera Workshop on Data Protection - New Challenges Mađarić: ISO/IEC vs. hospital/health care reality

10 25+1 prijetnji sigurnosti u e-Zdravlju
Sigurnosna prijetnja Primjer(i) iz KBC-a Zagreb koji se odnosi/e na zaštitu osobnih podataka C.I.A. kategorija 21) Theft by insiders (including theft of equipment or data) Sve veći rizik kod mobilnih/prenosivih uređaja! A 22) Theft by outsiders C,A 23) Wilful damage by insiders Neprijateljski stav prema promjenama koje donosi IT – “kava u tastaturi”. 24) Wilful damage by outsiders 25) Terrorism xx) Manjak integracije (kategorija koja nedostaje u ISO/IEC !) Nemogućnost kontrole ispravnosti matičnih podataka pri upisu pacijenata (poglavito u hitnoj službi); sučelje između ljekarne i ordiniranja ili između e-Recepta i BIS-a; Misrouting A, I C Workshop on Data Protection - New Challenges Mađarić: ISO/IEC vs. hospital/health care reality

11 Mađarić: ISO/IEC 27799 vs. hospital/health care reality
Zaključci Provoditi zaštitu osobnih podataka u svoj punini, ne samo privatnost: C. kao Confidentiality I. kao Integrity A. kao Availability Prihvatiti kompromis u ravnoteži C/A ISO/IEC upotrijebiti kao: Checklist Preporuke u granicama realnosti Podlogu za certifikaciju SW ISMS kao shared service e-Zdravlja. Workshop on Data Protection - New Challenges Mađarić: ISO/IEC vs. hospital/health care reality

12 Pitanja? (može i na: miroslav.madjaric@kbc-zagreb.hr)
Hvala na pažnji! Pitanja? (može i na: Workshop on Data Protection - New Challenges Mađarić: ISO/IEC vs. hospital/health care reality

Download ppt "Mađarić: ISO/IEC vs. hospital/health care reality"

Similar presentations

Ma.

Ma.
Click on each of us to hear our sounds.

Click on each of us to hear our sounds.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
Security Controls – What Works

Security Controls – What Works
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Evolving IT Framework Standards (Compliance and IT)

Evolving IT Framework Standards (Compliance and IT)
Overview Of Information Security Management By BM RAO Senior Technical Director National Informatics Centre Ministry of Communications and Information.

Overview Of Information Security Management By BM RAO Senior Technical Director National Informatics Centre Ministry of Communications and Information.
INFORMATION SECURITY & RISK MANAGEMENT SZABIST – Spring 2012.

INFORMATION SECURITY & RISK MANAGEMENT SZABIST – Spring 2012.
CONTROLLING INFORMATION SYSTEMS

CONTROLLING INFORMATION SYSTEMS
Www.safensoft.com Safe’n’Sec IT security solutions for enterprises of any size.

Safe’n’Sec IT security solutions for enterprises of any size.
Computer threats, Attacks and Assets upasana pandit 411165 T.E comp.

Computer threats, Attacks and Assets upasana pandit T.E comp.
C OMPUTER THREATS, ATTACKS AND ASSETS DONE BY NISHANT NARVEKAR TE COMP 411143.

C OMPUTER THREATS, ATTACKS AND ASSETS DONE BY NISHANT NARVEKAR TE COMP
Zakon o informacijskoj sigurnosti izazov informatičkoj industriji (panel) Mr. sc. Aleksandar Klaić, dipl. ing. Ured Vijeća za nacionalnu sigurnost (UVNS)

Zakon o informacijskoj sigurnosti izazov informatičkoj industriji (panel) Mr. sc. Aleksandar Klaić, dipl. ing. Ured Vijeća za nacionalnu sigurnost (UVNS)
Information Security tools for records managers Frank Rankin.

Information Security tools for records managers Frank Rankin.
ma mu mi mo me pe pi pa pu po si sa so.

ma mu mi mo me pe pi pa pu po si sa so.
Security Shmuel Wimer prepared and instructed by

Security Shmuel Wimer prepared and instructed by
MREŽE RAČUNALA.

MREŽE RAČUNALA.
Katedra za informatiku

Katedra za informatiku
Siniša Petrović Zagreb,

Siniša Petrović Zagreb,
Ekonomska škola Šibenik Nada Bujas, prof.

Ekonomska škola Šibenik Nada Bujas, prof.

Similar presentations

Ads by Google