Tagged: #integrity
- This topic has 20 replies, 13 voices, and was last updated 1 year, 11 months ago by Boonyarat Kanjanapongporn.
2022-11-09 at 11:07 am #39060 Pongthep Miankaew (Participant)
According to the principle of information security, the CIA triad, have you ever had an experience of not being able to preserve the confidentiality, integrity or availability of your information system? Please share that experience.
What happened?
How did it affect the system or users?
And how to prevent it?
2022-11-16 at 9:03 am #39113 ABDILLAH FARKHAN (Participant)
I haven't had an experience where I was unable to maintain the CIA of my workplace's information system; however, with the current deficient administrative safeguards, I assume that my institution is vulnerable to improper access control, such as disclosure of the usernames and passwords of certain applications for health services and office management.
I think the HIPAA security code of conduct regulates a set of security rules where each specification of administrative, physical, and technical safeguards is required to be in place, including, of course, in my office. Thanks to this course, I am planning to carry out a risk analysis to get an overview of how well CIA is maintained by my organization.
2022-11-16 at 10:45 pm #39118 Pongthep Miankaew (Participant)
Risk assessment is the best way to address your organization's cyber threats, policies, procedures, and IT environment. It will give you a report on how well you are able to maintain CIA and what you need to do to improve security.
Thank you,
Pongthep
2022-11-16 at 8:59 pm #39116 Zarni Lynn Kyaw (Participant)
With the CIA triad in mind, I would like to share an instance where the integrity of an information system could not be preserved.
Integrity
I worked in conflict-affected areas on the eastern border of Myanmar, and we were working with an Ethnic Health Organization consortium; developing an information system for different ethnic groups is tricky. We advocated shifting the information system to a cloud-based system to ensure the integrity of the system, with different users having different privileges to access parts of the system. This was a push to maintain the integrity of the system, but some organizations refused and wanted to use a physical server. To access the system we opened private IPs for the different organizations, but due to technical difficulties we had to open a public IP. One unauthorized user gained access to the system during our system test and was able to access the data. Fortunately, since it was during a test period, the unauthorized user didn't see real patient data because it had not yet been uploaded, but it gave us an unforgettable lesson about the need to maintain the integrity of an information system. We have since overcome the technical difficulties and were even able to successfully advocate to most of our partners to use a cloud platform.
2022-11-16 at 11:00 pm #39119 Pongthep Miankaew (Participant)
Nowadays, although cloud technology has advanced and gained popularity, some people still feel insecure about storing their data in the cloud. Normally, it is good practice to avoid opening a public IP for users from the Internet to access important data resources. You need to implement a good, strong firewall policy as well as access control rules. Also, continuously monitoring logs is a good thing to do.
Thanks for sharing,
Pongthep
2022-11-18 at 3:18 pm #39126 PREUT ASSAWAWORRARIT (Participant)
To be honest, I have never participated as an information system administrator. However, I have had experience as an electronic health record user in some hospitals. There are two major problems regarding information security, namely preserving confidentiality and preserving availability. Regarding confidentiality, medical students have to use the electronic medical record; however, they have no username to access the information system. Therefore, they must access the system by using their seniors' usernames and passwords. This problem has been solved by asking the information technology department to generate usernames and passwords for individual medical students. The other problem is preserving availability. The information system has to be closed during regular maintenance, interrupting our healthcare service. The organization should have another server to use during maintenance of the main server.
Thank you.
2022-11-19 at 12:43 am #39129 Pongthep Miankaew (Participant)
Sharing usernames and passwords is not a good idea. For the problem of the system being interrupted when it is under maintenance, normally IT should maintain the system after midnight, which affects fewer users. The other way is a good choice, but it is quite technical; we call it "live migration", and IT administrators, especially in cloud settings, know this technique. There is no system downtime with this approach.
Thank you,
Pongthep
2022-11-18 at 3:39 pm #39127 Boonyarat Kanjanapongporn (Participant)
I have experienced a situation where confidentiality couldn't be preserved, but luckily it didn't cause any damage.
At my previous workplace, access control had been implemented by design. There was a username and password for each staff member, with an authority level to access and adjust information based on the staff member's position. However, in practice, there were many days when the high-authority staff were absent but the work urgently needed high-priority access. Therefore, the username and password undeniably had to be shared among staff.
So far these situations haven't caused any problems. It could be worse if people intentionally used others' access to adjust important information for personal benefit, which could create problems for the password owner later.
The chances of losing the ability to control information in this case came from security awareness. It could start with regular training for the workforce to remind people of the importance of information security. Moreover, login monitoring and regular password renewal could help detect suspicious logins and limit unexpected system access, respectively.
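The login monitoring and password renewal described in the post above, as an added example that is not part of the original post: a small script that reads constructed login log lines, flags an account that logged in from several workstations within a short window (one person cannot sit at three workstations at once, so this is the usual signature of a shared credential), and lists accounts whose password is older than the renewal period. The log line format, the account names, the workstations, the 15-minute window and the 90-day password age are all assumptions made for the example.

```python
"""Added example (not code from the forum post): login monitoring for shared
credentials plus a password-age check, run over constructed sample log lines.

Assumed log line format (not from the thread):
    2022-11-17T08:02:10 LOGIN user=<name> host=<workstation> result=<OK|FAIL>
All names, hosts and dates below are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: the high-authority account "chief" is used from three
# different workstations within a few minutes, while "nurse1" always logs in
# from a single workstation.
SAMPLE_LOG = """\
2022-11-17T08:02:10 LOGIN user=chief host=WS-ICU-01 result=OK
2022-11-17T08:05:41 LOGIN user=chief host=WS-WARD-07 result=OK
2022-11-17T08:06:03 LOGIN user=nurse1 host=WS-WARD-07 result=OK
2022-11-17T08:09:55 LOGIN user=chief host=WS-OPD-03 result=OK
2022-11-17T08:30:00 LOGIN user=chief host=WS-ICU-01 result=FAIL
2022-11-17T14:10:12 LOGIN user=nurse1 host=WS-WARD-07 result=OK
"""

# Constructed last-password-change dates (assumed to come from the directory).
PASSWORD_CHANGED = {
    "chief": datetime(2022, 3, 1),
    "nurse1": datetime(2022, 10, 20),
}


def parse_log(text):
    """Parse lines of the assumed format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "LOGIN":
            continue
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append({"ts": datetime.fromisoformat(parts[0]), **fields})
    return events


def shared_account_suspects(events, window=timedelta(minutes=15), min_hosts=2):
    """Return {user: sorted hosts} for accounts with successful logins from at
    least `min_hosts` distinct workstations inside any `window`-long interval."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "OK":
            by_user[e["user"]].append(e)
    suspects = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                suspects[user] = sorted(hosts)
                break
    return suspects


def stale_passwords(changed, now, max_age=timedelta(days=90)):
    """Return users whose password is older than the renewal period."""
    return sorted(u for u, d in changed.items() if now - d > max_age)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("shared-account suspects:", shared_account_suspects(evs))
    print("stale passwords:", stale_passwords(PASSWORD_CHANGED, evs[-1]["ts"]))
```

On the constructed log this reports "chief" as a shared-account suspect (three workstations in under eight minutes) and as the only stale password; "nurse1" is clean. In a real deployment the same logic would run over the authentication log of the EMR or the directory service, and the window and host threshold would be tuned to how the wards actually work.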
2022-11-19 at 12:58 am #39130 Pongthep Miankaew (Participant)
Absolutely, sharing usernames and passwords should not happen in an organization. It could lead to many problems later. In terms of password policy in the organization, from my experience, I have implemented Active Directory, the software from Microsoft, to force users to behave in accordance with the organization's policy. In this way, I can control, monitor, and enforce based on the security policy.
Thanks for sharing,
Pongthep
2022-11-23 at 2:52 pm #39191 Boonyarat Kanjanapongporn (Participant)
Thank you for the recommendation, Ajarn.
2022-11-18 at 10:32 pm #39128 Hazem Abouelfetouh (Participant)
Personally, I haven't had any experience with CIA issues. However, I have used many health information systems in hospitals that do not implement a secured connection (SSL). Also, preserving data confidentiality and system availability was a challenge even in big institutions. A few systems failed to maintain proper confidentiality by using a weak password policy, and 2FA was optional to make it easier for system users.
I think organizations should hire information security professionals to review their outdated systems and assess potential risks to anticipate malware attacks, and train employees to maintain the CIA triad in the organization.
2022-11-19 at 1:06 am #39131 Pongthep Miankaew (Participant)
Installing SSL not only helps keep data confidential, but also builds the organization's credibility.
A risk assessment is a good idea because it will make us aware of the weaknesses of the system so we can fix them before they get attacked.
Thanks for sharing,
Pongthep
2022-11-20 at 9:56 pm #39154 Kawin Wongthamarin (Participant)
I haven't had any experience with system administration. However, as a user, I saw a gap in the system of the hospital where I worked. The hospital's Picture Archiving and Communication System (PACS) uses extremely easy-to-guess passwords such as 1, 1234, or 0000. This increases the risk of patients' personal information being leaked, because everyone in the hospital can easily guess the password to enter and retrieve information from the PACS.
In order to prevent the risk of breaching information confidentiality, I think hospitals should improve access restrictions by setting up strong passwords and educating users in computer security literacy.
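A password policy check that would reject the PACS passwords mentioned in the post above ("1", "1234", "0000"), as an added example that is not code from the original post or from any PACS product. It follows the length-plus-blocklist approach rather than composition rules: minimum length, a blocklist, a single repeated character, a sequential run, and the username inside the password. The 12-character minimum and the tiny blocklist are assumptions for illustration; a real deployment checks against a large breached-password corpus.

```python
"""Added example (not from the forum post): a password policy check that
rejects trivially guessable passwords such as "1", "1234" and "0000".
MIN_LENGTH and BLOCKLIST are assumed values chosen for illustration."""

# Constructed blocklist; in practice use a breached-password corpus.
BLOCKLIST = {"password", "admin", "welcome", "pacs", "test", "1234", "12345678"}
MIN_LENGTH = 12  # assumed policy value


def is_sequential(s):
    """True if every character steps +1 or every character steps -1 from the
    previous one, e.g. "1234", "abcd" or "4321"."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def password_problems(password, username=""):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    p = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if p in BLOCKLIST:
        problems.append("in blocklist")
    if password and len(set(p)) == 1:
        problems.append("single repeated character")
    if is_sequential(p):
        problems.append("sequential characters")
    if username and username.lower() in p:
        problems.append("contains username")
    return problems


if __name__ == "__main__":
    # The three PACS passwords from the post, plus one that passes.
    for candidate in ("1", "1234", "0000", "Correct-Horse-Battery-7"):
        print(repr(candidate), "->", password_problems(candidate) or "ok")
```

Run at account creation and at password change; when the check fails, return the list of reasons to the user rather than a generic "invalid password", so the policy teaches as it enforces. Forcing frequent rotation on top of this is what pushes users back toward "1234"; rotation belongs to the response to a suspected compromise, not to routine policy.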
2022-11-22 at 3:58 pm #39171 Tanatorn Tilkanont (Participant)
Firstly, I have never been involved in information system design, so I have no experience of not being able to preserve the CIA either. But let me share one experience that may have nearly impacted information confidentiality. I once worked as a clinical research monitor and needed to access the EMR system at the clinical site to monitor the subjects' clinical history. However, this site did not request access for external users. Therefore, I needed to use the study coordinator's access to the EMR system with an over-the-shoulder method. This should be prevented by requesting CRA access at least 1 month before the visit. It is good that this site has access control at different levels to ensure that the user can get the right information without accidental access to any sensitive information.
2022-11-27 at 4:54 pm #39211 Kansiri Apinantanakul (Participant)
Thank you for sharing. I'm also working as a CRA.
During my last monitoring visit, I also had an EMR access problem.
The SC offered me over-the-shoulder access, but I refused to use it since I was concerned about the privacy issue, and because I'm also not familiar with the EMR at this study site. I agree with your plan of requesting limited EMR access in advance.
2022-11-22 at 10:09 pm #39175 SIPPAPAS WANGSRI (Participant)
I have exactly the same problem as what Mr. Kawin said! It's about the default password and the "test" password, which I believe was once created to simplify internal testing, yet those accounts are still active in real-world use. Nonetheless, I have never really had any direct experience with CIA in my organisation. Well, there might be some "downtime" of the HIS server due to power shortages or malware attacks, but other things seem to be performing well to me. All hospital data is stored within the internal network and is not intended to be shared whatsoever, but since it is an old-fashioned database design that was first used decades ago, I strongly doubt that it provides any encryption or data privacy policy, to be honest.
In order to achieve the data confidentiality, integrity and availability standard, I personally would suggest upgrading the infrastructure and database design, but I don't think it is something that can be done overnight, because it will require a lot of manpower, time and resources.
2022-11-22 at 10:14 pm #39176 Tanyawat Saisongcroh (Participant)
I haven't had an experience of being unable to preserve the CIA of my workplace's information system. But there was an incident where someone from another department misused their access authority to EMRs and tried to access the e-PHI of a very important celebrity patient.
We, as physicians, can normally access our patients' EMRs for the services we are in charge of. We do have some IT security training sessions, and I think most of us are aware of its importance. A specific group of patients is assigned a different name (not the real one) in the system for regular access; only assigned staff know it, and there is close monitoring in the system.
Without awareness of the issue and of the different level of protection policy for that specific group of patients, someone accessed the EMR by searching for the real name, but it was not found. In terms of access control techniques, their every activity had been recorded in the system. They ended up with an admonition from the board and the IT team.
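The monitoring described in the post above (aliased records for protected patients, an assigned-staff list, and an audit trail that caught a search for the real name), as an added example that is not code from the original post or from any EMR product: an audit over constructed access-log lines that flags any view of a protected patient's record by someone not on the assigned list, and any search whose terms match a protected patient's real name, since that name should never be searchable and the attempt itself is the signal. The log format, the names, the alias and the staff list are all assumptions for the example.

```python
"""Added example (not from the forum post): audit of constructed EMR access-log
lines for (a) views of a protected (aliased) record by unassigned staff and
(b) searches for a protected patient's real name. Format and names are assumed."""
import shlex

# Constructed registry: real name -> (alias shown in the system, assigned staff).
PROTECTED = {
    "Famous Singer": ("Patient A-17", {"dr_lee", "nurse_kim"}),
}

# Constructed audit log. Assumed format: <ts> <user> <action> "<target>" <outcome>
SAMPLE_AUDIT = """\
2022-11-20T09:01:00 dr_lee VIEW "Patient A-17" OK
2022-11-20T09:15:30 dr_park SEARCH "Famous Singer" NOT_FOUND
2022-11-20T09:16:02 dr_park SEARCH "Famous" NOT_FOUND
2022-11-20T10:40:11 nurse_kim VIEW "Patient A-17" OK
2022-11-20T11:02:45 clerk_choi VIEW "Patient A-17" OK
2022-11-20T11:05:00 dr_park VIEW "Patient B-03" OK
"""


def parse_audit(text):
    """Parse the assumed format; shlex keeps the quoted target as one field."""
    events = []
    for line in text.splitlines():
        parts = shlex.split(line)
        if len(parts) != 5:
            continue
        ts, user, action, target, outcome = parts
        events.append({"ts": ts, "user": user, "action": action,
                       "target": target, "outcome": outcome})
    return events


def audit_findings(events, protected=PROTECTED):
    """Return (ts, user, reason) tuples for every access that breaks the
    protected-patient policy. Searches are flagged on any token of the real
    name, so partial-name searches are caught as well as full-name ones."""
    alias_to_staff = {alias: staff for alias, staff in protected.values()}
    name_tokens = {name: set(name.lower().split()) for name in protected}
    findings = []
    for e in events:
        if e["action"] == "VIEW" and e["target"] in alias_to_staff:
            if e["user"] not in alias_to_staff[e["target"]]:
                findings.append((e["ts"], e["user"], f"unassigned VIEW of {e['target']}"))
        elif e["action"] == "SEARCH":
            query = set(e["target"].lower().split())
            for name, tokens in name_tokens.items():
                if query & tokens:
                    findings.append((e["ts"], e["user"], f"search matched real name of '{name}'"))
    return findings


if __name__ == "__main__":
    for ts, user, reason in audit_findings(parse_audit(SAMPLE_AUDIT)):
        print(ts, user, reason)
```

On the constructed log this yields three findings: two searches by dr_park that match the protected patient's real name (the "not found" outcome is exactly what the alias is for, and the attempt is what the IT team acts on) and one view of the aliased record by clerk_choi, who is not on the assigned list. dr_lee and nurse_kim are assigned and produce nothing, and the view of an ordinary patient is ignored. Token matching on common surnames will produce noise in a real hospital; a deployment would weight full-name matches higher or restrict the check to rarer name tokens.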
2022-11-27 at 4:48 pm #39210 Kansiri Apinantanakul (Participant)
Thank you for sharing.
This issue is very interesting. I am always curious how outsiders could know the progress of celebrities when they are admitted to the hospital and/or get sick. Fortunately, this incident was detected and managed properly.
By the way, I think that information security and privacy are important for everyone, no matter whether they are popular or not.
2022-11-22 at 10:41 pm #39177 Siriphak Pongthai (Participant)
I have not been part of system administration. However, recently, just today, I coincidentally ran into scanned PDF files containing personally identifiable information which I should not have had access to. I raised this issue with the regulatory and IT departments. They will soon investigate and handle this issue. Definitely, access should be locked to authorized persons only.
2022-12-09 at 1:14 pm #39254 Boonyarat Kanjanapongporn (Participant)
Thank you for sharing your story. Accidental leakage of confidential data can happen. Therefore, raising awareness and educating staff about confidentiality are crucial to mitigate the effect of unauthorized data access.
2022-11-27 at 4:42 pm #39209 Kansiri Apinantanakul (Participant)
This event is not directly involved with PHI but is still an information security incident.
What happened?
I created the website for my small business using WordPress. However, I did not update the client and patch regularly.
Since this incident occurred 2-3 years ago, I had little knowledge of SSL and its importance to the website's integrity.
My website was hacked and all users could not access the website.
How did it affect the system or users?
All users could not access the website. I tried to contact the Helpdesk but I still could not bring my website back.
How to prevent it?
– Secure the website using SSL
– Update WordPress patches regularly