Patricia A. H. Williams

In a 'trusting' environment, everyone is responsible for information security

Information security is important in any organisation and particularly where personal and medical information is routinely recorded. Further, where the organisational culture revolves around trust, as in the medical environment, insider threats, both malicious and non-malicious, are difficult to manage. International research has shown that changing security culture and increasing awareness is necessary as technical resolutions are not sufficient to control insider threats. This area of information security is both important and topical in view of the recently publicised breaches of patient health information. Ensuring that all staff assumes responsibility for information security, particularly as part of an information security governance framework, is one practical solution to the problem of insider threats.

Cybersecurity vulnerabilities in medical devices: a complex environment and multifaceted problem

The increased connectivity to existing computer networks has exposed medical devices to cybersecurity vulnerabilities from which they were previously shielded. For the prevention of cybersecurity incidents, it is important to recognize the complexity of the operational environment as well as to catalog the technical vulnerabilities. Cybersecurity protection is not just a technical issue; it is a richer and more intricate problem to solve. A review of the factors that contribute to such a potentially insecure environment, together with the identification of the vulnerabilities, is important for understanding why these vulnerabilities persist and what the solution space should look like. This multifaceted problem must be viewed from a systemic perspective if adequate protection is to be put in place and patient safety concerns addressed. This requires technical controls, governance, resilience measures, consolidated reporting, context expertise, regulation, and standards. It is evident that a coordinated, proactive approach to address this complex challenge is essential. In the interim, patient safety is under threat.

A practical application of CMM to medical security capability

Purpose – The manner in which information is used and communicated in the medical environment has been revolutionized by the introduction of electronic storage, manipulation and communication of information. This change has brought with it many challenges in information security. This research seeks to propose a practical application, the capability maturity model (CMM), to meet the needs of medical information security practice.Design/methodology/approach – This paper builds on previous work by the author using the Tactical Information Governance for Security model developed for the medical setting. An essential element of this model is the ability to assess current capability of a practice to meet the needs of security and to identify how improvements can be made. Existing CMM models are reviewed to inform construction of an operational framework for capability assessment.Findings – An operational capability framework for assessing security capability in medical practice, based on CMM principles, is pre...

Looking at clouds from both sides: The advantages and disadvantages of placing personal narratives in the cloud

This article explores the nature of cloud computing in the context of processing sensitive personal data as part of a personal narrative. In so doing, it identifies general security concerns about cloud computing and presents examples of cloud technologies used to process such data. The use of personal narratives in electronic patient records and in voice output communication aids is compared and contrasted and the implications of the advent of cloud computing for these two scenarios are considered.

Medical data security: Are you informed or afraid?

Practical application of security measures severely hampers the level of security afforded to medical data in Australia. Whilst the reasons for medical data security are widely understood, there is little published information on how to tackle even basic security challenges for medical practice in Australia. Research suggests that there is an underestimation of the potential threats by medical practitioners; hence there is sufficient reason to promote development of tools to assist medical practice with technical issues they are unfamiliar with. This paper discusses the lack of threat realisation and provides a process for how security may be improved by those who are responsible for it. The process includes a framework for risk assessment and its practical implementation to make medical data in Australia secure.

Always connected: The security challenges of the healthcare Internet of Things

In an environment that is only now addressing the security issues of medical devices as a constituent part of IT networks, a new wave of technological development is threatening to swamp healthcare. The Healthcare Internet of Things (HIoT) encompasses the new embedded sensing capabilities of devices together with the availability of always being connected, to improve patient care whilst reducing costs. This development highlights existing security threats as well as creating new vulnerabilities, making the once comprehensive endpoint data transfer frameworks less identifiable and challenging current techniques for information security. This paper reviews the new environment using HIoT, to identify the challenges for security and the impact of this on interoperability in the healthcare setting. Each device and sensor is a potential point of vulnerability for entire networks. The low power design, limited processing and storage capabilities, together with a lack of standard interfaces will also add to the complexity of effective security solutions. Understanding these challenges is vital for anyone engaged in healthcare, as the impact of HIoT will be far-reaching for patients, clinicians, healthcare providers, and healthcare delivery. Making security the enabler of safe and protected data transfer, exchange, and use, is fundamental to using this technology.

Security and Privacy Issues for Mobile Health

Security and privacy have been well established as major considerations in health informatics generally (Rindfleisch 1997). A challenge for healthcare innovation is to embrace the potential of mobile health creatively within the healthcare system and not to merely replicate current technologies into a parallel wireless environment. In addressing this challenge, the complexities of securing health information along a composite clinical information pathway and in each situation of use must be defined.

It will never happen to us: the likelihood and impact of privacy breaches on health data in Australia.

With the recent introduction of the Australian e-health system, health reforms and legislation were passed. Whilst the aim of these health reforms was reasonable and sensible, the implementation was rushed and less than perfect. The Deloitte e-health Strategy [1] which was endorsed by the National Health and Hospital Reform Commission (NHHRC) recommended that based on international experience implementation of shared electronic health records nationally was a ten year journey. In Australia this was condensed into two years. The resultant effect has been that privacy, which is essential for the uptake of technologies to share data in a compliant manner, may be compromised. People trust transparent systems. Where there is a breach in privacy people deserve the respect and right to know about it so that they can mitigate damages and with full disclosure, retain their trust in the system. If this is not evident, the public will refuse to share their information. Hence, whilst the technologies may work, their use may be limited. The consequence of this in Australia would be the continuance of dangerous and inefficient silos of health data.

Security of ePrescriptions: data in transit comparison using existing and mobile device services

The push for improved access to health information using digital health and electronic technologies has seen Australia at the forefront of developing foundational services such as medication management. The current national solution for the electronic transfer of prescriptions is based on a centralised exchange model which is an expensive solution over the long term. Further, it does not include access by the patient to their electronic prescription information. In an environment where it is increasingly beneficial for patient engagement in their own information and subsequent care, alternative and cheaper solutions should be considered. One such solution has been the focus of doctoral research into the transfer of electronic prescriptions using mobile phone technology. A constituent part of any such solution in the security of the data at rest and in transit. The potential candidate transfer mechanisms for the security of data in transit were investigated, including near field communication (NFC) and Bluetooth for Health. The issues in using NFC as a potential solution lie with platform related software development and its impact on seamless interoperability, making this a less reliable and less viable solution for electronic prescription transfer on mobile devices. The investigation of Bluetooth revealed that it is more amenable to multiple platforms and interoperability with significant support from both vendors and the software development community. The impact of these research findings lie in the proof of concept using mobile devices to improve the ability of the patient to be an active participant in their own healthcare and the important aspect of medication management.

I know what you did last summer... an investigation into remnant data on USB storage devices sold in Australia in 2015

The demand for portable digital data storage has increased with the evolution and advancement in consumer electronic devices. USB storage devices, also referred to as USB sticks, pen drives, flash drives, thumb drives, and key drives, have replaced many other portable storage. With the evolution of these devices, an increased use for data transportation has been seen for both private and commercial data. USB storage capacity has increased during the past decades with capacities up to one terabyte available today. Such devices are increasingly popular given their robustness, low power consumption, rapid response rates, non-volatile nature, and ease of transportation. This study obtained second hand USB flash memory storage devices, purchased from eBay Australia over a period of seven months, to determine whether there were any traces of data on the devices, and whether or not an attempt had been made to securely wipe the devices. If data fragments were recovered, it was assessed to see if there was a sufficient volume and sensitivity of data to be of value to anyone with malicious intent. The findings from the research show that in the majority of the cases, the USB flash memory storage devices retained a large volume of data. Concurring with outcomes from previous studies in 2009 and 2011, the devices investigated in this study, owned by both individuals and organisations, were used to store highly sensitive and confidential data. This data was not permanently nor securely destroyed prior to disposal (by sale) of the devices. Such incidents highlight the failure to meet regulatory obligations with regard to privacy legislation in Australia.