Access to Electronic PHI Finding the Balance. Security, Convenience, and Usability

Transcription

1 Access to Electronic PHI Finding the Balance Security, Convenience, and Usability

2 Speaker Lassaad Fridhi, MS Information Privacy & Security Officer Commonwealth Care Alliance

3 Anatomy of Anthem s Massive Data Breach TARGET: Anthem TIME: Sometime before Wed, 2/04/2015 EXPLOIT: Credentials used to access a database IMPACT: Compromise of 80 million customers and employees 1 in 4 Americans WEAKNESS: Anthem did not take appropriate measures to encrypt its customers data COST: Unknown (definitely huge cost)

4 The Information Pyramid Wisdom/ Judgment Knowledge Information PHI, PI, etc Data

5 Poll Question 1 What does PHI stand for?

6 What Information Do we Care About? Trade secrets (proprietary and confidential information): secret device or technique used by a company, in the form of formulas, processes, and methods, used in its production or services, Personally identifiable information (PII): any information used to identify, contact, or locate a single person, or to identify an individual in context, Protected health information (PHI): any PII that can associate a person and the delivery of their health care, Sensitive data: Any of the above can be considered sensitive in PHI, HIV/AIDS info, alcohol and drug abuse info, etc. are considered even more confidential than other PHI. Information Data

7 The Sphere of Confidential Information Sensitive PHI PII

8 Poll Question 2 How often do you use PHI to perform your job duties?

9 What is Information Security? Information being free from danger or threat. Against unauthorized access, use, disclosure, disruption, modification, or destruction, Regardless of form: electronic, print, or other, From internal or external threats.

10 Why secure information? To ensure its value there needs to be a protection of its C.I.A.: Confidentiality Integrity Availability plus: Accuracy Authenticity Utility Possession

11 Poll Question 3 Which major regulation (or part of) governs the security of protected health information (PHI)?

12 It s the Law(s)! In health care, most notably: Health Insurance Portability and Accountability Act (HIPAA) 1996 Health Information Technology for Economic and Clinical Health (HITECH) 2009 Omnibus HIPAA Rulemaking (Omnibus Rule) 2013

13 HIPAA In general, HIPAA rules prescribe: Who s covered What s protected What s required These 2 are concerned with confidentiality: HIPAA Privacy Rule HIPAA Security Rule

14 HIPAA Security Rule Administrative Safeguards Physical Safeguards Technical Safeguards: Authentication Access Control Etc.

15 Over-Authentication and Password Exhaustion 6-8 passwords per employee within organization, despite single sign-on (SSO) 1 Plus, an average of 17 passwords for personal use 2 Total of 25 passwords to manage 1 Inglesant & Sasse, CHI The 2014 Intermedia SMB Cloud Landscape Report

16 The Price of Password Exhaustion On average, it takes 20 seconds to log into an application it doesn t sound like much. But, while each user stares at the login screen for 20 seconds, the employer is losing $ (in productivity): $14K for 75 users, or $102K for 550 users Not to mention when your password standards are too stringent, users end up working around it! *The 2014 Intermedia SMB Cloud Landscape Report

17 Bad Authentication Costs Productivity! A frustrated user might: Stop using the technology Return the equipment Make repeated phone calls to the helpdesk Leave the company

18 Bad Input=Bad Results Bad Security Measures = Bad Security Outcomes Unhappy users will find risky workarounds to avoid security measures, which puts the company at risk for major security breaches.

19 5 Quality Components of Usability As outlined by the Nielsen Norman Group

20 Poll Question 4 Define usability

21 Learnability How easy it is for users to accomplish basic tasks the first time they encounter the design.

22 Efficiency Once users have learned the design, how quickly can they perform tasks.

23 Memorability When users return to the design after a period of not using it, how easily can they reestablish proficiency.

24 Errors How many errors do users make, how severe are these errors, and how easily can they recover from the errors.

25 Satisfaction How pleasant the design is to use.

26 Poll Question 5 There is an inherent tension between usability and security, which unless eased, one is usually at the expense of the other.

27 Zero-Sum Equation? SECURITY USABILITY

28 Poll Question 6 Do you think your organization favors security over usability?

29 Don t Fool Yourself Usability is their satisfaction, but Security is an obstacle So, security becomes secondary!

30 A Battle and a Balance According to Kaspersky: A never-ending battle and a tricky balance. That s because, as one study points out, there is an inherent conflict of interest between users and system owners: The top priority for users is maximum ease of use, while the top priority for system owners is the security of their system.

31 Discover your users Know who they are What they want What they don t want What they like

32 Discover more! Be the user for systems, applications and processes Understand what doesn t work and why Find out why they think what you thought works for them, actually doesn t!

33 Test, Test, and Test Some More Test your technology Test your user Test your security

34 Poll Question 7 How likely do you think the balance between usability, security and efficiency can be achieved?

35 Partnership! Good security is always built on good usability Usability Efficiency Security

36 Prevent Conduct your risk analysis Conduct your usability analysis Do your security training Do your technology education Keep an open line of communication Keep only the minimum necessary

37 Mitigate Address your risks Deal with the Sec measures that are hurting usability Update them on how security is (good or bad) Find out if your users know your technology No news, does not always mean good news If you can t get rid of it, build a fort around it!

38 Think outside the box Find the right technology Apply hardened security to the right place Adopt best practices (learn from others mistakes) Give ownership to the user and keep an eye on it! Build a partnership with influential users Recruit pioneers and champions

39 Create a balance! ORGANIZATION Evaluate Monitor Usability Test Measure Discover Simplify Prevent Predict Security USER

40 Thank you! Questions!