This topic has 16 replies, 13 voices, and was last updated 3 years ago by Hazem Abouelfetouh.

2021-11-08 at 10:36 am #32797 Pongthep Miankaew (Participant)
According to the principle of information security, the CIA Triad, have you ever had experience of not being able to preserve the confidentiality, integrity or availability of your information system? Please share that experience.
What happened?
How did it affect the system or users?
And how could it be prevented?

2021-11-15 at 6:04 pm #33136 Auswin Rojanasumapong (Participant)
I do not have experience of not being able to preserve the CIA of a system, but I would like to share the process of running the COVID-19 vaccine reservation and an idea that might have been a pitfall of the system.
In the COVID-19 vaccine clinic, we wanted to make it easier for the patient to reserve the date and time to get vaccinated, so the idea was that the patient could fill in their name or citizen ID on the website and make a reservation. In the process, when the patient fills in the citizen ID, some information comes up to confirm the identity of the patient (e.g. citizen ID, name, surname, age, phone number, and the place and time of the 1st dose vaccination if reserving the 2nd dose). Then someone in the team mentioned that this might be a loophole for someone to check others' personal information (e.g. checking someone's citizen ID, name, or telephone number using his/her name or citizen ID). The idea was changed to not showing the stored information to confirm the identity, but only showing the data that the patient filled in, to confirm that he/she used that name/ID to reserve the vaccine.
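The two designs described in this post, as an added example that is not code from the poster or the clinic's system: the first version returns the stored record for any citizen ID typed in, so the reservation page doubles as a lookup service for other people's data; the revised version echoes back only what the requester submitted. The patient records, the `REGISTRY` name and the extra requirement that the name must match as well as the ID are all assumptions made for this example.

```python
# Added example, not code from the forum post: the COVID-19 reservation page as
# first designed (typing a citizen ID returns the stored record) next to the
# revised design (the response only repeats what the requester typed).
# All records are constructed sample data, not real people.
from dataclasses import dataclass, asdict
from typing import Any, Dict, Optional, Set


@dataclass(frozen=True)
class PatientRecord:
    citizen_id: str
    name: str
    age: int
    phone: str
    first_dose: str  # place and time of the 1st dose, shown when booking the 2nd


# Constructed registry standing in for the clinic's database.
REGISTRY: Dict[str, PatientRecord] = {
    "1100000000001": PatientRecord("1100000000001", "Somchai Example", 42,
                                   "081-000-0001", "Clinic A, 2021-09-01 09:00"),
    "1100000000002": PatientRecord("1100000000002", "Malee Example", 35,
                                   "081-000-0002", "Clinic B, 2021-09-03 13:30"),
}


def lookup_leaky(citizen_id: str) -> Optional[Dict[str, Any]]:
    """First design: whoever submits an ID gets every stored field back, so the
    page discloses other people's personal data to anyone who knows an ID."""
    rec = REGISTRY.get(citizen_id)
    return None if rec is None else asdict(rec)


def confirm_safe(citizen_id: str, name: str) -> Dict[str, Any]:
    """Revised design: echo only the submitted values plus whether the
    reservation was accepted. Requiring the name to match as well as the ID is
    an extra step assumed here, so an ID on its own is not enough to book."""
    rec = REGISTRY.get(citizen_id)
    accepted = rec is not None and rec.name.casefold() == name.strip().casefold()
    return {"citizen_id": citizen_id, "name": name.strip(), "reserved": accepted}


def disclosed_fields(response: Optional[Dict[str, Any]], submitted: Set[str]) -> Set[str]:
    """Stored fields present in a response that the requester did not supply;
    an empty set means the page gave away nothing the requester did not already know."""
    if response is None:
        return set()
    return {k for k in response if k not in submitted and k != "reserved"}
```

Running `disclosed_fields` over both responses makes the difference concrete: the leaky lookup hands back name, age, phone and first-dose details for a bare citizen ID, while the revised confirmation returns no stored field at all. Note that a confirmation endpoint still answers "accepted" or "not accepted", so it should be rate-limited like any other login-style form.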

2021-11-19 at 6:52 pm #33252 Anawat ratchatorn (Participant)
I also faced this problem and I agree with you that the vaccination information system should be designed to deliver proper confidentiality. Thank you for sharing.

2021-11-19 at 6:50 pm #33251 Anawat ratchatorn (Participant)
I would like to share my experience in the roles of a user and an IT guy.
User – I had experience with a lack of confidentiality when I worked as a physician. In my former hospital, doctors could access every patient's information, even information that did not belong to the patients taken care of by those specific doctors. This resulted in less confidentiality of patients' information, which might cause data leakage. In my opinion, the system should be designed to restrict access to only the specific doctors involved in taking care of a specific patient.
IT guy – I had experience with availability and integrity problems. There were a few times that the HIS system taken care of by my team was down or had an issue showing wrong lab results. It affected the quality of care a lot. To solve the problem, we had to stick to our plan, such as the Business Continuity Plan, written to prevent and recover from this kind of problem.

2021-11-20 at 11:21 pm #33253 TARO KITA (Participant)
Personally, I have never had an experience of failure to preserve information security.
However, cases of unauthorized or inappropriate access to patients' information by hospital staff have been reported occasionally in Japan.
In these cases, it seems that information access management, security awareness, or workstation security were compromised, while only technical aspects were prioritized.
More emphasis should be placed on administrative and physical aspects such as establishing rules and regulations or staff training on confidentiality.

2021-11-21 at 3:49 pm #33254 Karina Dian Lestari (Participant)
I do not have such experience since I mostly work on secondary and aggregated data. Although for the project that I am currently working on, I need to collect personal information of survey participants that includes name, phone number, and email. These sensitive data will be protected by limiting access to the data. I have full access to the data since I am the one who will manage and analyse it. However, if there is a need for other team members to see the data, I am going to de-identify it and give it a unique ID before sharing it.
It would be interesting to hear other people's experiences of handling and managing sensitive data.

2021-11-22 at 6:06 pm #33303 Auswin Rojanasumapong (Participant)
When I wanted to share the database with others in my team I did the same as you did, but instead of de-identifying the data, I just set the permissions in the system to decide which access level can see the sensitive or identifiable data (only a person who is an administrator can see the sensitive or identifiable data).
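Both approaches from this exchange, Karina's de-identification with a unique ID and Auswin's permission levels, as one added example that is not either poster's own code. The survey rows are constructed, the keyed-hash pseudonym, the `ROLE_COLUMNS` table and the role names are assumptions made for the example; it goes slightly beyond the posts by keeping the ID-to-identity mapping separate from the shared rows and by denying unknown roles outright.

```python
# Added example, not the posters' own code: the two sharing approaches from the
# thread above. Karina's: de-identify and give each participant a unique ID
# before sharing; Auswin's: leave the data intact and let the permission level
# decide which columns a viewer sees. Sample rows are constructed, not real.
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

Row = Dict[str, object]

# Constructed survey rows.
SURVEY: List[Row] = [
    {"name": "Alice Example", "phone": "+66-81-000-0001",
     "email": "alice@example.org", "age": 34, "score": 7},
    {"name": "Bob Example", "phone": "+66-81-000-0002",
     "email": "bob@example.org", "age": 51, "score": 4},
]
IDENTIFIERS = ("name", "phone", "email")


def participant_id(email: str, key: bytes) -> str:
    """Stable pseudonym: the same participant gets the same ID in every export,
    but only the key holder can recompute it. An unkeyed hash of the e-mail
    would let anyone holding a list of addresses re-identify the rows."""
    digest = hmac.new(key, email.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:12]


def deidentify(rows: List[Row], key: bytes) -> Tuple[List[Row], Dict[str, Row]]:
    """Return the shareable rows and the ID-to-identity mapping. The mapping
    (and the key) stay with the data manager; only the first list is shared."""
    shared: List[Row] = []
    mapping: Dict[str, Row] = {}
    for row in rows:
        pid = participant_id(str(row["email"]), key)
        mapping[pid] = {k: row[k] for k in IDENTIFIERS}
        shared.append({"participant_id": pid,
                       **{k: v for k, v in row.items() if k not in IDENTIFIERS}})
    return shared, mapping


# Column visibility per role (assumed roles); None means every column.
ROLE_COLUMNS: Dict[str, Optional[Tuple[str, ...]]] = {
    "administrator": None,
    "analyst": ("age", "score"),
}


def view_for_role(rows: List[Row], role: str) -> List[Row]:
    """Column-level filtering by role. A role with no entry is denied rather
    than silently given some default view."""
    if role not in ROLE_COLUMNS:
        raise PermissionError(f"no access level defined for role {role!r}")
    allowed = ROLE_COLUMNS[role]
    if allowed is None:
        return [dict(r) for r in rows]
    return [{k: r[k] for k in allowed if k in r} for r in rows]
```

The trade-off between the two is where the identifying data lives: after `deidentify` the shared file contains no identifiers at all, so a leaked copy exposes only the pseudonymous IDs, whereas `view_for_role` keeps everything in one store and relies on the permission check being enforced on every query path.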

2021-11-22 at 7:22 pm #33305 Arwin Jerome Manalo Onda (Participant)
Establishing procedures or protocols on when or where to decrypt data may be helpful in such situations to avoid repetitive data decryption.

2021-11-24 at 11:07 pm #33400 Napisa Freya Sawamiphak (Participant)
Thank you for sharing. I also have a similar situation. I like both your idea and Auswin's to de-identify the document and set the permissions in the system. I will use them in my practice.

2021-11-22 at 7:20 pm #33304 Arwin Jerome Manalo Onda (Participant)
I have never experienced any CIA issues on our information system, but I'd like to share the potentially wide data breach that may have happened in our country. Lots of Filipino people have been complaining of receiving malicious texts from random mobile numbers. The messages usually contain job opportunities with embedded links for further communication.
We highly suspect that the breach happened on our national contact tracing app for COVID-19, which was mandated by our government as the application to trace potential carriers of the disease. It is extremely alarming as the app contains our name, age, company affiliation, location history, and other PHI. The Philippine National Privacy Commission has formally launched an investigation into the said breach and will continue to give us updates.

2021-11-23 at 4:54 am #33306 Sri Budi Fajariyan (Participant)
The security of the information system was disturbed. There was an additional menu created by hackers. The effects of this were:
1. There was an additional menu
2. Flooding technique (flood the system with unhandled requests so that the system becomes sluggish)
Based on this experience, the following steps were taken to prevent the incident from happening again:
1. Improve system security by adding SSL
2. Added .htaccess, which is a number of rules written in programming languages to protect root applications from unauthorized users.
3. Changing the HTTP/HTTPS port
4. Database using a long and unique username and password
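An added example of what steps 1 and 2 of this post look like in practice; it is not the poster's own configuration. It assumes Apache 2.4 with mod_rewrite and mod_authz_core, an application served from the web root with its administration pages under `/admin/`, and an already created htpasswd file; every path is a placeholder. Changing the listening port and the database credentials (steps 3 and 4) live in the server and database configuration, not in .htaccess, so they are not shown.

```apache
# Added example, not the poster's configuration. Assumes Apache 2.4 with
# mod_rewrite and mod_authz_core; paths below are placeholders.

# ---- /.htaccess (web root) ----

# Step 1: once a certificate is installed, send every plain-HTTP request to
# HTTPS so logins and session cookies are never sent in clear text.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Step 2: never serve dotfiles, backups, dumps or logs, whatever URL is asked
# for. Without this, a stray "config.bak" or ".env" in the web root is public.
<FilesMatch "(^\.|\.(bak|old|sql|env|ini|log)$)">
    Require all denied
</FilesMatch>

# Do not list directory contents; an injected file or menu should not be
# advertised by an automatic index page.
Options -Indexes

# ---- /admin/.htaccess (administration area) ----

# Put the administration pages behind a second login, independent of the
# application's own. A stolen application session alone is then not enough
# to reach the admin menu.
AuthType Basic
AuthName "Administration"
AuthUserFile /placeholder/path/outside/webroot/.htpasswd
Require valid-user
```

The htpasswd file must sit outside the document root (the placeholder path above does), otherwise the `FilesMatch` rule is the only thing keeping it from being downloaded. None of this addresses the flooding the post mentions; request flooding is handled at the server or network level (connection limits, rate limiting, a reverse proxy or CDN), not by .htaccess.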

2021-11-23 at 11:53 am #33309 Pisit Saiwangjit (Participant)
I've never experienced CIA issues yet since I'm barely exposed to information systems and not working in a healthcare organization. But I'd love to hear more of that from the classmates.

2021-11-24 at 3:01 pm #33398 Navin Prasai (Participant)
I have experienced an admin staff member trying to access the patient's history portal and sharing the diagnosis with his colleagues. As we can see from the CIA Triad principle, this is a confidentiality breach by unauthorized disclosure of personal information. After this incident was reported, the staff were given proper training, a disciplinary warning was given, a strong password was reset and two-factor authentication was implemented.

2021-11-24 at 11:04 pm #33399 Napisa Freya Sawamiphak (Participant)
I haven't experienced any CIA issues but I have a similar situation to Karina. Sometimes, we need to collect personal data or CVs/resumes for project registration and for internal processes. Therefore, we redacted all unnecessary sensitive data before using the documents and also protected confidentiality by limiting access to the data.

2021-11-25 at 3:06 am #33403 Tossapol Prapassaro (Participant)
In my opinion, I realized that some programs on my workplace computer have a common password that everyone knows. This would be a confidentiality issue (access control) according to the CIA triad. This common password makes it easy for everyone to access, but it is not secure for the patient data. If we want to prevent it, 1) the administrator should give us usernames/passwords individually, 2) not allow access using the previous common password, and 3) ask or request us to change our personal password periodically.

2021-11-25 at 9:37 am #33404 Ashaya.i (Participant)
I personally have never experienced not being able to preserve the CIA of an information system. Also, this issue is possible when an unauthorized person attempts to access the system and alter the data. To prevent this issue, using access control, setting a strong password, and setting a policy to allow only authorized persons to access the system should be implemented.

2021-11-25 at 1:09 pm #33406 Hazem Abouelfetouh (Participant)
Personally, I don't have experience with CIA issues, but as a system user I've worked on many information systems used to manage PHI that do not use a secure connection (HTTPS). Also, a few systems failed to maintain proper confidentiality by using a weak password policy and making 2FA optional to make it easier for system users.