- This topic has 16 replies, 13 voices, and was last updated 2 years, 12 months ago by
.
-
Posts
-
-
According to the principle of information security or CIA Triad, have you ever had experience about not being able to preserve the confidentiality or Integrity or Availablity of your information system? Please share that experience.
What happened?
How did it affect the system or users?
And how to prevent it? -
I do not have experience about not being able to preserve the CIA of the system, but I would like to share the process of running the COVID-19 vaccine reservation and the idea that might be the pitfall of the system.
In the COVID-19 vaccine clinic, we would like to make it easier for the patient to reserve the date and time to get vaccinated, so the idea was that the patient could fill in their name or citizen ID on the website and make a reservation. In the process, when the patient fills in the citizen ID, there is some information that comes up to confirm the identity of the patient (eg. citizen ID, name, surname, age, phone number, place, and time of 1st dose vaccination if to reserve 2nd dose). Then someone in the team mentioned that this might be a loophole for someone to check for others’ personal information(eg. checking someone’s citizen ID, name, or telephone number with his/her name or citizen ID). This idea was changed to not showing the information to confirm the identity but only showing the data that the patient filled in to confirm that he/she uses name/ID to reserve the vaccine.
-
-
I would like to share my experience in roles of user and IT guy.
User – I had experience with lack of confidentiality when I work as a physician. In my former hospital, doctors could access to every patients’ information even the information was not belong to the patient taken care by specific doctors. The events affected in less confidential of patients’ information that might cause data leakage. In my opinion, the system should be designed to restrict accessible to only specific doctors who involved in taking care of specific patient.
IT guy – I had experience in availability and integrity problem. There were a few time that HIS system taken care by my team was down and had issue in showing wrong lab result. It affected quality of care a lot. To solve the problem, we had to stick to our plan, such as Business Continuity Plan, written to prevent and recovery this kind of problems.
-
Personally, I have never had an experience of failure to preserve information security.
However, cases of unauthorized or inappropriate access to patients’ information by hospital staff have been reported occasionally in Japan.
In these cases, it seems that information access management, security awareness, or work station security were compromised, while only technical aspects were prioritized.
More emphasis should be placed on administrative and physical aspects such as establishing rules and regulations or staff training on confidentiality. -
I do not have such experience since I mostly work on secondary and aggregated data. Although for the project that I currently working on, I need to collect personal information of survey participants that include name, phone number, and email. These sensitive data will be protected by limiting access to the data. I have full access to the data since I am the one that will manage and analyse it. However, if there is a need for other team members to see the data, I am going to de-identified and give a unique ID before sharing it.
It would be interesting to hear other people experiences of handling and managing sensitive data.
-
When I want to share the database with others in my team I did the same as you did but instead of de-identify the data, I just set the permission in the system to decide which level of access can see the sensitive or identifiable data (only the person who is an administrator can see the sensitive or identifiable data).
-
-
-
-
I never had experience any CIA issues on our information system but I’d like to share the potential wide data breach that may have happened in our country. Lots of Filipino people have been complaining of receiving malicious texts from random random mobile numbers. The messages usually contain job opportunities with embedded links for further communication.
We highly suspect that the breach happened on our national contact tracing app for COVID-19, which was mandated by our government as the application to trace potential carriers of the disease. It is extremely alarming as the app contains our name, age, company affiliation, location history, and other PHI. The Philippine National Privacy Commission has formally launched an investigation on the said breach and will continue to give us updates.
-
The security of the information system is disturbed. There is an additional menu created by hackers. The effects of this are :
1. There is an additional menu
2. Flooding technique (flood the system with unhandled requests so that the system becomes sluggish)Based on this experience, the following steps were taken to prevent the incident from happening again:
1. Improve system security by adding SSL
2. Added HTacces, which are a number of rules written in programming languages to protect root applications from unauthorized users.
3. Changing the HTTP/HTTPS port
4. Database Using long and unique user and password -
-
I had experienced admin staff trying to access the patient’s history portal and sharing the diagnosis with his colleagues. As we can see from the CIA Triad principle, this is the confidentiality breach by unauthorized disclosure of personal information. After this incident was reported, staff was given proper training, the disciplinary warning was given , a Strong password was reset and two factors authentication was implemented.
-
I haven’t experienced any CIA issues but I have a similar situation with Karina. Sometimes, we need to collect personal data or CV/Resume for project registration and for internal processes. Therefore, we redacted all unnecessary sensitive data before using the documents and also protect confidentiality by limiting access to the data.
-
In my opinion, I realized that some program in my computer workplace has a common password that everyone knows. This would be the confidentiality issue (access control) according to the CIA triad. This common password makes everyone easy to access, but it is not secure for the patient data. If we want to prevent it, 1) The administer should give us the user name/password individually, 2) Not allow access by using the previous common password, and 3) Ask or request us to change the personal password periodically.
-
I personally have never been experienced about not being able to preserve the CIA of the information system. Also, this issue is possible when there is unauthorized person attempt to access the system and alter the data. To prevent this issue, using access control, setting a strong password, and setting the policy to allow only authorized person to access the system should be implemented.
-
Personally, I don’t have experience with CIA issues but as a system user, I’ve worked on many information systems used to manage PHI that does not use a secured connection (HTTPS). Also, a few systems failed to maintain proper confidentiality by using a weak password policy and 2FA is optional to make it easier for system users.
-
You must be logged in to reply to this topic. Login here