Florencio Cano - Patient data security in a wireless and mobile world

Post on 14-Dec-2014


description

Presentation at the Workshop on Technology for Healthcare and Healthy Lifestyle 2011, Thursday 1 Dec 2011, Session III. http://www.tsb.upv.es/wths2011

transcript

Patient data security in a wireless and mobile world

Florencio Cano Gabarda, SEINHE

CISA, IRCA 27001 Lead Auditor

Chart: smartphones sold in millions, for 2009, 2010, 2011 … 2015: 173.8, 298, 472, 982. 120 % more smartphones in 2015. Source: IDG

Mobile devices are inside our network

Photo from gizmologia.com

Photo from www.exalli.com

Whether IT likes it or not

The USER used to be… …far, far away

Now the USER is inside the network

Network administrators used to have control over the devices connected to the network… (2 laptops, 3 switches, 10 workstations, 3 servers)

…but now users want to use their own devices


Securing only the perimeter is no longer possible

Photo by itjournalist

We have to evaluate the new risks in depth

A risk assessment is the right tool

Recommended by LOPD

Mandated by the Esquema Nacional de Seguridad

Required by the Spanish critical infrastructure protection law

Necessary to be certified against ISO/IEC 27001

Multiple methodologies exist: Magerit, Octave, ISO/IEC 27005, CRAMM

1. Identify information assets

2. Identify threats

3. Identify vulnerabilities

Risk evaluation

Critical assets

User

Data

Devices

Internal network

DEFENSE IN DEPTH

Classical threats

Access to patient data

Interruption of critical systems

New vulnerabilities

Wireless vulnerabilities: Insecure access protocols

Network vulnerabilities: Improper network segmentation; Plain text protocols

Device vulnerabilities: Malware

User vulnerabilities: Extraction of data without authorization; Improper deletion of data; Lack of controls against unauthorized access
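The three steps of the risk assessment (identify assets, threats, vulnerabilities) and the risk evaluation that follows them can be carried through as a small risk register over exactly the assets, threats and vulnerabilities listed in the slides. The code below is an added example, not material from the presentation: the qualitative likelihood and impact scales, the pairing of each vulnerability with an asset and threat, and the scores are constructed assumptions, and the "treat at or above 8" threshold is an arbitrary choice of the kind a risk owner has to make explicitly.

```python
"""Qualitative risk evaluation over the assets, threats and vulnerabilities
named in the talk. Added example, not the speaker's material: the scales,
the scenarios and their scores are constructed assumptions."""
from dataclasses import dataclass

# Five-point qualitative scales of the kind used by Magerit or ISO/IEC 27005
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Scenario:
    asset: str           # step 1: the information asset at risk
    threat: str          # step 2: what could happen to it
    vulnerability: str   # step 3: the weakness that lets the threat materialise
    likelihood: str
    impact: str

    def score(self) -> int:
        """Risk = likelihood x impact, on a 1..25 scale."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def level(self) -> str:
        """Map the numeric score onto the bands a steering committee reads."""
        s = self.score()
        if s >= 15:
            return "high"
        if s >= 8:
            return "medium"
        return "low"


# Constructed register: each row pairs a slide asset, a slide threat and a
# slide vulnerability; the likelihood/impact ratings are illustrative only.
REGISTER = [
    Scenario("Data", "Access to patient data", "Plain text protocols", "likely", "severe"),
    Scenario("Data", "Access to patient data", "Extraction of data without authorization", "possible", "severe"),
    Scenario("Devices", "Access to patient data", "Malware", "possible", "major"),
    Scenario("Internal network", "Interruption of critical systems", "Improper network segmentation", "possible", "major"),
    Scenario("User", "Access to patient data", "Insecure access protocols", "unlikely", "major"),
    Scenario("Data", "Access to patient data", "Improper deletion of data", "unlikely", "moderate"),
]


def evaluate(register, accept_below=8):
    """Rank scenarios by score (ties broken by asset name) and split out the
    ones at or above the acceptance threshold, which need a treatment plan."""
    ranked = sorted(register, key=lambda s: (-s.score(), s.asset))
    to_treat = [s for s in ranked if s.score() >= accept_below]
    return ranked, to_treat


def worst_per_asset(register):
    """Highest score seen for each critical asset, useful for the asset view
    the slides take (User, Data, Devices, Internal network)."""
    worst = {}
    for s in register:
        worst[s.asset] = max(worst.get(s.asset, 0), s.score())
    return worst


if __name__ == "__main__":
    ranked, to_treat = evaluate(REGISTER)
    for s in ranked:
        print(f"{s.score():2d} {s.level():6s} {s.asset:16s} {s.threat} via {s.vulnerability}")
    print(f"{len(to_treat)} of {len(ranked)} scenarios need treatment")
    print(worst_per_asset(REGISTER))
```

The point of the register is not the arithmetic but the discipline: every score is traceable to an asset, a threat and a vulnerability, so a later control (segmentation, encrypted protocols, NAC) can be tied to the row whose likelihood it is meant to lower, and the acceptance threshold is written down rather than implied.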

New and old solutions

A sound information security policy

Policy enforcement

Network security

Security by design

Proper segmentation: VLANs and firewalls

Demilitarized zone

A segment for malicious or non-trusted devices with access to the Internet

A segment for low-risk assets on the internal network

A segment for critical devices

Intrusion detection

Honeypots

Data loss prevention

Virtual Private Networks
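The segmentation the slides describe (a DMZ, a segment for non-trusted devices that only gets Internet access, a low-risk internal segment and a critical segment, enforced with VLANs and a firewall) can be written down as a policy and checked before it is turned into firewall rules. The following is an added example and not from the presentation: the segment-to-interface mapping, the permitted flows and the invariants in `check_policy` are constructed assumptions, and `to_nftables` emits nftables forward-chain rules as one possible rendering of the policy.

```python
"""Segmentation policy as code: the four segments from the talk, the
inter-segment flows the firewall should permit, a sanity check on the
policy and an nftables rendering. Added example; interface names, flows
and invariants are assumptions, not the speaker's configuration."""

# Segment name -> router/firewall interface (VLAN sub-interface names constructed)
SEGMENTS = {
    "internet": "wan0",
    "dmz": "vlan10",        # demilitarized zone: services published to the outside
    "untrusted": "vlan20",  # BYOD / non-trusted devices: Internet access only
    "low_risk": "vlan30",   # low-risk assets on the internal network
    "critical": "vlan40",   # critical devices, e.g. systems holding patient data
}

# Flows a client in `src` may initiate towards `dst`. Anything not listed is
# dropped by the default policy. Constructed for the example.
ALLOWED_FLOWS = [
    ("untrusted", "internet"),   # non-trusted devices reach the Internet and nothing else
    ("low_risk", "internet"),
    ("low_risk", "dmz"),
    ("internet", "dmz"),         # only published services are reachable from outside
    ("dmz", "critical"),         # assumption: DMZ front-ends talk to the critical tier
]


def check_policy(flows):
    """Return human-readable violations of the segmentation invariants;
    an empty list means the policy respects them."""
    violations = []
    for src, dst in flows:
        if src not in SEGMENTS or dst not in SEGMENTS:
            violations.append(f"unknown segment in flow {src}->{dst}")
        elif src == "untrusted" and dst != "internet":
            violations.append(f"untrusted devices must not initiate to {dst}")
        elif src == "internet" and dst != "dmz":
            violations.append(f"internet must not reach {dst} directly")
        elif dst == "critical" and src != "dmz":
            violations.append(f"{src} must not reach the critical segment")
    return violations


def to_nftables(flows):
    """Render the flows as an nftables forward chain: deny by default, allow
    return traffic of established connections, then one accept per flow."""
    bad = check_policy(flows)
    if bad:
        raise ValueError("; ".join(bad))
    lines = [
        "table inet segmentation {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
        "        ct state invalid drop",
    ]
    for src, dst in flows:
        lines.append(f'        iifname "{SEGMENTS[src]}" oifname "{SEGMENTS[dst]}" accept')
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_nftables(ALLOWED_FLOWS))
```

The rendered ruleset can be saved to a file and loaded with `nft -f`. It is deliberately coarse: it decides which segments may talk at all, and per-service rules (ports, directions, logging of drops for the intrusion detection mentioned next) belong on top of it. The value of keeping the policy in this form is that a later change such as adding `("untrusted", "critical")` fails `check_policy` instead of silently opening a path from BYOD devices to patient data.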

Wireless security

Proper protocols

Mobile device security

Network Access Control (NAC)

Conclusions

Health environments are facing new risks

Organizations that handle patient data and allow mobile devices should review the new risks and act

There exist solutions to mitigate the new risks

Thanks!

Florencio Cano Gabarda, SEINHE

fcano@seinhe.com

@florenciocano