Access “and” Quality - e

January 8, 2018 | Author: Anonymous | Category: Science, Health Science

Exposing the Data Risks and Offering the Recommendations for the Secure Consumerization of e-Health
Jason Lin, Corporate Security Officer
Tuesday, May 28, 2013

Faculty/Presenter Disclosure
Faculty: Jason Lin
Relationships with commercial interests: None

Background
• Productivity
• Access
• Quality
• Personal Videoconferencing

Scope
• Review of policies and agreements to support the PCVC service
• Focus on the extension of the PCVC service to mobile device platforms (Android and iOS)

Timeline
• 2012: Laptops, Providers
• 2013: Tablets, Providers
• 2014+: Mobile Devices, ???

Access “and” Quality

“Our mission is to develop and support telemedicine solutions that enhance access and quality of health care in Ontario, and inspire adoption by health care providers, organizations, and the public.”


Quality includes Information Security

CIA Triad

• Confidentiality: Privacy of patients depends upon maintaining the confidentiality of personal health information (PHI) at all times.
• Integrity: Patient safety depends upon maintaining the integrity of PHI (e.g. ensure no systematic errors exist). Failure to maintain integrity can result in illness, injury or even death.
• Availability: In order to provide safe care, HCP must have ready access to important PHI before, during and after providing care.

Center for Information Technology Leadership (CITL) Maturity Model

PCVC Threat Risk Assessment Findings

[Risk matrix: Impact (Very Low to Very High) plotted against Likelihood (Very Low to Very High). R1, R3 and R4 appear together in one cell; R2 appears in another.]

• R1: Unauthorised disclosure of PHI due to re-provisioned or lost/stolen device containing Vidyo Mobile Logs
• R2: Inadvertent exposure and unauthorised access to PCVC sessions due to limitations in Guestlink operations and configuration
• R3: Breach of physician privacy due to lack of end user guidance and surreptitious recording capabilities of consultations by end users/patients, especially within a BYOD configuration
• R4: Limitations and complexity within policies, MOUs, member and end user guidance coupled with presence of PHI on mobile devices


Defense In Depth Safeguards
• People
• Process
• Technology


R1: “Unauthorised disclosure of PHI due to reprovisioned or lost/stolen device containing Vidyo Mobile Logs” Safeguard

No PHI

Anonymized PHI

Pseudonymized PHI

Explicit PHI

Do not leave your mobile device unattended

R1: “Unauthorised disclosure of PHI due to reprovisioned or lost/stolen device containing Vidyo Mobile Logs” Safeguard

Use passphrases

R2: “Inadvertent exposure and unauthorised access to PCVC sessions” Safeguard

Do not leave your mobile device unattended

R2: “Inadvertent exposure and unauthorised access to PCVC sessions” Safeguard

Do not share your account credentials

Risk 3 “Breach of physician privacy due to lack of end user guidance” Safeguard

                  | Awareness                            | Training                                                         | Education
Attribute         | What?                                | How?                                                             | Why?
Imparts           | Information                          | Knowledge                                                        | Insight
Method            | Media: Video, Newsletters, Posters   | Practical Instruction: Lectures, Case Study, Hands-on practice   | Theoretical Instruction: Seminar and discussion, Reading and study
Impact Time-Frame | Short-Term                           | Medium-Term                                                      | Long-Term

Regularly

Create best practice guidelines for HIC users

Risk 4 “Limitations and Complexity within Policies” Safeguard

Create simplified and friendly terms of services

Risk “Increased external attacks…”

Risk “Increased external attacks” Safeguard

Harden devices and applications

Risk “Increased external attacks…” Safeguard

Separate corporate from consumer environments

Circles of Trust International

Federal

Provincial

OTN Local

Questions and Answers

Thank You http://otn.ca/en/services/pcvc
