florencio cano - patient data security in a wireless and mobile world
DESCRIPTION
Presentation of Workshop on Technology for Healthcare and Healthy Lifestyle 2011Thursday 1st Dec 2011Session IIIhttp://www.tsb.upv.es/wths2011TRANSCRIPT
Patient data security in a wireless and mobile world
Florencio Cano Gabarda SEINHE
CISA, IRCA 27001 Lead Auditor
173,8 298
472
982
2009 2010 2011 … 2015
120 % more smartphones in 2015
Smartphones sold in millions
Source: IDG
Mobile devices are inside our network
Photo from gizmologia.com
Photo from www.exalli.com
Whether IT like it or not
USER used to be…
…far far away
Now the USER in inside the network
Network administrators used to have control over the devices connected to the network…
2 laptops 3 switches 10 workstations 3 servers
…but now users want to use their own devices
Photo from www.exalli.com
Whether IT like it or not
Securing only the perimeter is no longer possible
Photo by itjournalist
We have to evaluate deeply
the new risks
A risk assessment is the right tool
A risk assessment is the right tool
Recommended by LOPD
A risk assessment is the right tool
Recommended by LOPD
Mandated by the Esquema Nacional de Seguridad
A risk assessment is the right tool
Recommended by LOPD
Mandated by the Esquema Nacional de Seguridad
Required by the spanish critical infrastructure protection law
A risk assessment is the right tool
Recommended by LOPD
Mandated by the Esquema Nacional de Seguridad
Required by the spanish critical infrastructure protection law
Necessary to be certified
against ISO/IEC 27001
Multiple methodologies
exist
Magerit Octave ISO/IEC 27005 CRAMM
1. Identify information assets
2. Identify threats
3. Identify vulnerabilities
Risk evaluation
Critical assets
User
User
Data
User
Data
Devices
User
Data
Devices
Internal network
User
Data
Devices
Internal network
DEFENSE IN DEPTH
Classical threats
Classical threats Access to patient data
Interruption of critical systems
Classical threats Access to patient data
Interruption of critical systems
New vulnerabilities
New vulnerabilities Wireless vulnerabilities Network vulnerabilities Device vulnerabilities User vulnerabilities
Insecure access
protocols
New vulnerabilities Wireless vulnerabilities Network vulnerabilities Device vulnerabilities User vulnerabilities
Improper network
segmentation
Plain text protocols
New vulnerabilities Wireless vulnerabilities Network vulnerabilities Device vulnerabilities User vulnerabilities
Malware
New vulnerabilities Wireless vulnerabilities Network vulnerabilities Device vulnerabilities User vulnerabilities
Extraction of data without authorization
Improper deletion of
data
Lack of controls
against not authorized
access
New and old solutions
A sound information security polity
Policy enforcement
Network security
Security by design
Network security
Proper segmentation
Network security
Demilitarized zone A segment for malicious or non-
trusted devices with access to Internet A segment for low risk assets
on the internal network A segment for critical devices
Proper segmentation
VLANs and Firewalls
Network security
Intrusion detection
Network security
Honeypots
Network security
Data loss prevention
Network security
Virtual Private Networks
Network security
Wireless security
Proper protocols
Wireless security
Mobile device security
Network Access Control (NAC)
Mobile device security
Health environments are facing new risks Organizations patient data and allow
mobile devices should review the new risks and act
There exist solutions to mitigate the new risks
Conclusions