FEATURE
Information security and social engineering
Alberto Tinazzi, IT Security Consultant, eHealth Security Services
atinazzi@ehealthsecurity.com.au
Often, when I discuss the topic of Internet security with health professionals, I receive a lot of scepticism and a common question: “We are not a bank or a corporation with valuable trade secrets! Why would someone be interested in hacking into my practice information system? Why would a hacker be interested in accessing my patients’ clinical records?”

When a malicious individual (hacker) attempts to penetrate an information system, they do not necessarily know what they will find, or how valuable that information is to them, until they actually get inside the system and take a look around. They simply take a gamble.

The first step for a hacker would be to identify a vulnerable target. This is quite an easy task to perform, even for a non-professional hacker. In fact, there are a number of automated tools available on the web that can be used to scan an information system connected to the Internet and detect its vulnerabilities. A large number of intrusions are perpetrated by young people (script-kiddies) who use hacking tools downloaded from the Internet just for fun, and simply because they can get away with it.[1] The FBI Internet Crime Report 2009 indicated that in 2009 7.9% of cyber-crimes were motivated by vandalism, while identity theft accounted for 14.1%.[2] The 2010 Data Breach Investigations Report from Verizon indicates that 36% of security breaches are perpetrated against random targets.[3]

Computers used in a business context handle very different types of data compared to home computers. Home computers hold data related to an individual and perhaps their family members. Business computers store information concerning many other individuals, these being patients or, more generally, customers and suppliers in the healthcare sector. A practice needs to protect its patients’ records not only to comply with legal requirements, but also to protect the privacy of patients who have given their information in good faith that it will be stored and treated with maximum confidentiality.

For any business, including medical practices, information is the most valuable and irreplaceable asset, requiring adequate protection. It is, in fact, a common mistake to think that medical records have no commercial value. According to the Australian Businesses Assessment of Computer User Security (ABACUS) report 2009, from the Australian Institute of Criminology, crimes involving identity theft have increased in recent years, and businesses operating in the healthcare sector manage a large quantity of personal data, making them prime targets for this kind of crime.[4]

Personal information stolen through security incidents can be used to commit more serious crimes. For example, an individual in possession of a patient’s personal information could ring the patient’s bank and organise a money transfer. In fact, if you forget your telephone banking password, how does the operator generally identify and authenticate you? By asking a few personal questions such as name, surname, address and date of birth: information that is also stored in clinical software. The Australian Taxation Office reported identity theft to be the single biggest component of the $65 million worth of fraud it identified in the first two months of this financial year.[5]

In addition to identity theft, stolen information can also be used by perpetrators to blackmail patients, threatening to disclose their information if they do not agree to pay a ransom. In May 2009, the Virginia Department of Health Professions (DHP) received a request to pay a US$10 million ransom.[6] The perpetrator claimed to have downloaded a copy of their database containing records of over 35 million prescriptions and to have encrypted the original database making it inaccessible

Alberto Tinazzi is a Certified Information Systems Security Professional (CISSP). He works as an independent information security consultant specialised in the healthcare sector. He has 16 years’ experience as an IT professional, specialised in information management and security. He has spent the last 10 years working within the health sector, covering a number of different roles within the Division of General Practice Network.

34 Pulse+IT
www.pulseitmagazine.com.au