Configuring Electronic Health Records Privacy and Security in the US Lecture f This material (Comp11_Unit7f) was developed by Oregon Health & Science University,


1 Configuring Electronic Health Records
Privacy and Security in the US
Lecture f
This material (Comp11_Unit7f) was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000015

2 Privacy and Security in the US Learning Objectives
Compare and contrast the concepts of privacy and security (Lecture a)
List the regulatory frameworks for an EHR (Lecture b, c)
Describe the concepts and requirements for risk management (Lecture d)
Describe authentication, authorization and accounting (Lecture d)
Describe passwords and multi-factor authentication and their associated issues (Lecture d)
Describe issues with portable devices (Lecture d)
Describe elements of disaster preparedness and disaster recovery (Lecture e)
Describe issues of physical security (Lecture e)
Describe malware concepts (Lecture f)
Health IT Workforce Curriculum Version 3.0/Spring 2012

3 Viruses
Oldest and simplest concept: unwanted program that executes when the host program executes
Copies itself to media

4 Virus Types
File
Boot sector
Macro
E-mail
Multi-variant
RFID (theoretical)

5 Worms
Self-replicating program that copies itself to other computers across a network
LAN or Intranet
Web or Internet
E-mail
IM
IRC
P2P

6 Trojans
Destructive program that appears to be other than what it is
From the Greek myth of the wooden horse brought into the city as a trophy – filled with warriors
Brought in by the user...
Backdoor trojan
Data collecting
Downloader or dropper

7 Botnets
Coordinated attack using infected systems
Stages:
  – Creation
  – Configuration
  – Infection
  – Control
Used for:
  – DDoS
  – Spam & spreading malware
  – Information leakage
  – Click fraud
  – Identity fraud

8 Zero-Day Malware
What to do about a new threat?
Zero-day malware is not detected by existing anti-virus
May be based on zero-day exploits – newly discovered vulnerabilities
Are signatures enough?

9 Rogueware
Attempts to defraud users by requesting payment to remove non-existent threats
Indications:
  – Fake pop-up warnings
  – Appear similar to real antivirus
  – Quick scan
  – May identify different files on each pass
Highly lucrative
Like a virus, hard to remove

10 What to Do?
Resource: Malware Threats and Mitigation Strategies by US-CERT
Enclave boundary
  – Firewalls
  – IDS
Computing environment
  – Authorized local network devices
  – O/S patching/updating
  – O/S hardening
  – Anti-virus updating
  – Change control process
  – Host-based firewall
  – Vulnerability scanning
  – Proxy servers and web content filters
  – E-mail attachment filtering
  – Monitor logs
What to do when compromised
  – If, not when
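
Slide 8 asks whether signatures are enough, and slide 10 lists anti-virus updating next to a change control process. The following is an added example, not part of the original lecture, that contrasts the two on files a workstation might see. It assumes signatures are modelled as exact SHA-256 file hashes (a simplification of real anti-virus signatures) and uses constructed, inert byte strings as file contents; all names are hypothetical.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed, inert byte strings standing in for file contents (assumptions).
KNOWN_BAD = b"constructed sample: unwanted program, build 1"
NEW_VARIANT = b"constructed sample: unwanted program, build 2"  # never seen before
EHR_CLIENT = b"constructed sample: approved EHR client"

# Anti-virus style signature set: hashes of files already analysed.
SIGNATURES = {sha256(KNOWN_BAD)}
# Change-control baseline: hashes of files approved for this workstation.
APPROVED = {sha256(EHR_CLIENT)}

def signature_only(data: bytes) -> str:
    """Signature check alone: anything without a matching signature passes."""
    return "blocked" if sha256(data) in SIGNATURES else "allowed"

def signature_plus_baseline(data: bytes) -> str:
    """Signature check, then default-deny against the change-control baseline."""
    digest = sha256(data)
    if digest in SIGNATURES:
        return "blocked"
    if digest in APPROVED:
        return "allowed"
    return "flagged"  # unknown file: hold for review instead of trusting it

def scan(files: dict[str, bytes]) -> dict[str, tuple[str, str]]:
    """Return (signature-only verdict, signature+baseline verdict) per file."""
    return {name: (signature_only(data), signature_plus_baseline(data))
            for name, data in files.items()}

if __name__ == "__main__":
    results = scan({"old.bin": KNOWN_BAD, "new.bin": NEW_VARIANT, "ehr.bin": EHR_CLIENT})
    for name, (sig, both) in results.items():
        print(f"{name:8} signature-only={sig:8} with-baseline={both}")
```

The previously unseen file passes the signature-only check but is flagged once the approved-file baseline is consulted, which is the gap the zero-day slide points at.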

11 Why Viruses Exist
Software engineering limitations
Bugs

12 2011 Top 25 Mistakes
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Missing Authentication for Critical Function
Missing Authorization
Use of Hard-coded Credentials
Missing Encryption of Sensitive Data
Unrestricted Upload of File with Dangerous Type
Reliance on Untrusted Inputs in a Security Decision
Execution with Unnecessary Privileges
Cross-Site Request Forgery (CSRF)

13 2011 Top 25 Mistakes (continued)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Download of Code Without Integrity Check
Incorrect Authorization
Inclusion of Functionality from Untrusted Control Sphere
Incorrect Permission Assignment for Critical Resource
Use of Potentially Dangerous Function
Use of a Broken or Risky Cryptographic Algorithm
Incorrect Calculation of Buffer Size
Improper Restriction of Excessive Authentication Attempts
URL Redirection to Untrusted Site ('Open Redirect')
Uncontrolled Format String
Integer Overflow or Wraparound
Use of a One-Way Hash without a Salt

14 Detection and Prevention
Automated tools
Policies and procedures
Knowledgeable implementation staff

15 Privacy and Security in the US Summary – Lecture f
Malware
Software design issues

16 Privacy and Security in the US Summary
Concepts of privacy and security
Regulatory framework
Risk assessment
Portable devices
System access
Security awareness training
Incident response and disaster recovery
Physical security
Malware and software design issues

17 Privacy and Security in the US References – Lecture f
References
Christey, S. (2011). 2011 CWE/SANS Top 25 Most Dangerous Software Errors, from http://cwe.mitre.org/top25
U.S. Computer Emergency Readiness Team. (2005). Malware Threats and Mitigation Strategies, from http://www.us-cert.gov/reading_room/malware-threats-mitigation.pdf

