ahmed al barrak - staff information security practices - a latent threat

Post on 07-Dec-2014


Page 1: Ahmed Al Barrak - Staff information security practices - a latent threat

The 3rd Kuwait Infosecurity Conference

Staff Information Security Practices: a latent threat

Dr. Ahmed Albarrak
Associate Professor of Medical Informatics
Chairman, Medical Informatics Dept.
Director, E-learning and Knowledge Management
College of Medicine, King Saud University

[email protected]

Page 2: Ahmed Al Barrak - Staff information security practices - a latent threat

Agenda

• Introduction
• Security threats
• User behaviors
• International findings in security threats
• Security study
  – Objectives
  – Methods and settings
  – Results
• Conclusions and recommendations

Page 3: Ahmed Al Barrak - Staff information security practices - a latent threat

Introduction

• Information security is a permanent challenge for any organization, especially governmental, health, and academic organizations.
• The risk of external threats can be assessed and accounted for by intrusion detection and other relevant tools.
• Insider threats, however, are difficult to detect and manage because they primarily emerge from the malicious practices of authorized users.

Page 4: Ahmed Al Barrak - Staff information security practices - a latent threat

Introduction

• The enforcement of strict information security policies has therefore become one of the top priorities for organizations wishing to protect data against hacking and unauthorized access.
• It is well understood that technology alone cannot provide all aspects of the information security required by an organization.
• Technology can help in preventing security threats and breaches in the organization's infrastructure, computer system compromises, and insecure transmission of information.

Page 5: Ahmed Al Barrak - Staff information security practices - a latent threat

Introduction

Introduction

• It has little or no effect, however, where the unwanted disclosure of information takes place in other ways, such as through the acts of disloyal employees.
• Because user threats are latent, cannot easily be detected by ordinary intrusion detection or access control mechanisms, and because user behaviour is not consistent across organizations, this issue has become the subject of much research and investigation.

Page 6: Ahmed Al Barrak - Staff information security practices - a latent threat

Introduction

• Information security, privacy, and the confidentiality of patient data in the healthcare work environment should not be regarded only as policies, procedures, and practices.
• Information security includes culture and mores, and should be considered part of the healthcare process and of medical ethics.
• Information security of healthcare systems is particularly vital because of the sensitive nature of the information stored in these systems, as well as the cost associated with the loss of patient data.

Page 7: Ahmed Al Barrak - Staff information security practices - a latent threat

Introduction

• The loss of sensitive patient or student data may cause huge damage to the organization's reputation.
• It can reduce customer confidence, undermine the organization's reliability, and jeopardize its competitiveness in the market.
• In some cases, it can even result in legal consequences, fines, and penalties.

Page 8: Ahmed Al Barrak - Staff information security practices - a latent threat

Security threats

• Information damage might take place in many forms, such as:
  – intrusion into the systems,
  – theft of organization data,
  – fraudulent use of data,
  – defacement of organizational websites,
  – other forms of information loss or damage.
• Such damage is caused by hackers and virus writers, as well as by AUTHORIZED users.

Page 9: Ahmed Al Barrak - Staff information security practices - a latent threat

Information security and user behavior

• Organizations sometimes consider information security as something that can be achieved only by enhanced technologies (such as firewalls and intrusion detection software) and well-trained IT personnel, ...
• ... while ignoring or giving little attention to the role of the systems' users, who represent a critical factor in the implementation and protection of system and data security.

Page 10: Ahmed Al Barrak - Staff information security practices - a latent threat

Information security and user behavior

• The utilization of IT in healthcare delivery, where services are provided by multidisciplinary teams of healthcare professionals and trainees in a shared environment, has been accompanied by several challenges and threats related to the privacy and confidentiality of patients' information. (Lekkas, 2007)
• A breach of electronic patient information is associated with unbearably high loss. It does not only lead to financial losses, but may also threaten patients' safety and jeopardize their lives.

Page 11: Ahmed Al Barrak - Staff information security practices - a latent threat

International Findings in Security Threats

• In a study by North (2006) of 465 students at Clark Atlanta University,
  – 23% of students replied that they have used other people's computers without authorization.
• In research conducted by CISCO in 2008 on 2000 users in 10 countries,
  – at least one of every 3 employees leave their computers logged on and unlocked when they are away from their desk to take lunch or go home after working hours.

Page 12: Ahmed Al Barrak - Staff information security practices - a latent threat

International Findings in Security Threats

• In a survey of 381 employees of a medium-sized public sector agency,
  – 16% of the respondents shared passwords with other people. (Woodhouse, 2007)
• In a survey study of students on password practices and attitudes, it was found that
  – 22% of respondents share their webmail password with others. (Hart, 2008)
  – A similar conclusion was also reported by CISCO (2008): 18% of the surveyed employees share passwords with co-workers.

Page 13: Ahmed Al Barrak - Staff information security practices - a latent threat

International Findings in Security Threats

• Research and studies have shown that users are generally reluctant to change their passwords as well. In a survey given to university students at Plattsburgh about their attitudes and practices regarding passwords,
  – over 80% of them rarely change their password. (Hart, 2008)
  – Comparable results were reported in a study by Stanton et al.: 23% of the employees surveyed sometimes disclose their passwords to colleagues and staff members. (Stanton et al., 2004)

Page 14: Ahmed Al Barrak - Staff information security practices - a latent threat

International Findings in Security Threats

• A system that is totally secure from a technical point of view can become totally insecure through users' malpractices. (Bardram, 2005)
• The promotion of a security culture to comply with security policies, and raising end-user awareness of security issues through education, are the best practices for reducing security threats in the workplace environment. (D'Arcy, 2007)

Page 15: Ahmed Al Barrak - Staff information security practices - a latent threat

Security study

• The study examined breaches of information security originating from staff malpractices at the KSU College of Medicine and two University Hospitals.

The objectives of the study were:
• to assess, evaluate, and analyze the security behavior of users at King Saud University Hospitals, Riyadh, Saudi Arabia;
• to examine whether such behavior differs across employee categories.

Page 16: Ahmed Al Barrak - Staff information security practices - a latent threat

Study methods and settings

• Data collection was done by means of a questionnaire distributed to a random sample of 2000 employees (220 administrative staff, 380 physicians, 900 nursing staff and 500 allied health and technical staff).
• The questions were set to address the security behavior of users and explore their awareness of some basic security and privacy issues.
• SPSS 16© was used for all data analysis. A comparison was held to be statistically significant if p ≤ 0.05.

Page 17: Ahmed Al Barrak - Staff information security practices - a latent threat

Results

• In total, 554 questionnaires were completed, on which the analysis was based.
• Demographics:
  – 73% female, 27% male
  – Saudis constituted 18%
  – age: 40 +/- 0.5 yrs (mean +/- SE)
  – period of employment at the hospitals: 7 +/- 0.3 yrs (mean +/- SE)
  – time since the employee started using the hospital IT system: 6 +/- 0.2 yrs (mean +/- SE)

Page 18: Ahmed Al Barrak - Staff information security practices - a latent threat

Results

Respondents were distributed between professions as follows:
• 62 physicians (consultants, specialists and general practitioners),
• 49 administrative staff,
• 354 nursing staff,
• 84 allied health staff (laboratory, x-ray and other technicians).

Page 19: Ahmed Al Barrak - Staff information security practices - a latent threat

Results

Respondents (users) access the hospital IT system to perform at least one of the following tasks:
• viewing and editing medical records and accessing the hospital information system (HIS) (47%),
• investigating laboratory results (LAB system) (15%),
• retrieving x-rays (22%),
• internet and e-mail services (15%).

Page 20: Ahmed Al Barrak - Staff information security practices - a latent threat

• 81% of hospital staff use shared computers, and the proportion of nursing and allied health staff using shared computers is significantly higher than in other job categories.

Pie chart: personal 19%, shared 81%.

Page 21: Ahmed Al Barrak - Staff information security practices - a latent threat

Working environment (shared work stations)

Bar chart: percentage of Personal vs. Shared workstation use by job category (Physicians, Administrative, Nursing, Allied health staff); y-axis 0-100%.

Page 22: Ahmed Al Barrak - Staff information security practices - a latent threat

• 16% of respondents do not sign out of applications after working sessions.
• Older employees tend to be more aware of such a practice than their younger counterparts (p=0.01).
• Communication of passwords between office mates and friends was reported by 27% of respondents. It was more frequent among females than among males (p=0.0001), and higher among nursing staff than in other job categories (p=0.0001).
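The two practices measured on this slide, not signing out after a session and a password that office mates also know, both leave traces in workstation logon records. The following is an added example, not part of the presentation or of the study's own analysis: it reviews a constructed logon/logoff log for sessions that were never signed out and for one account active on two workstations at the same time, which is what a shared password typically looks like from the log side. The log format, the account and workstation names, and the log-end time are all assumptions.

```python
"""Review workstation logon/logoff records for two practices the study measured:
one account active on two workstations at the same time (what a password known
to a colleague looks like in the logs) and sessions that are never signed out.
Added example: the log format, thresholds and all names are assumptions, and
the sample log is constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Session:
    user: str
    host: str
    start: datetime
    end: Optional[datetime]  # None: no LOGOFF was ever recorded for this logon


# Constructed sample lines (hypothetical users and workstations).
# Assumed format: "<ISO timestamp> <LOGON|LOGOFF> user=<id> host=<workstation>"
SAMPLE_LOG = """\
2014-11-03T07:58:00 LOGON user=n1042 host=WS-ICU-01
2014-11-03T08:05:00 LOGON user=n1042 host=WS-ICU-04
2014-11-03T08:40:00 LOGOFF user=n1042 host=WS-ICU-04
2014-11-03T09:10:00 LOGON user=p0311 host=WS-OPD-02
2014-11-03T09:25:00 LOGOFF user=p0311 host=WS-OPD-02
2014-11-03T12:30:00 LOGOFF user=n1042 host=WS-ICU-01
2014-11-03T13:00:00 LOGON user=a0077 host=WS-ADM-01
"""


def parse_sessions(text: str) -> list:
    """Pair each LOGON with the next LOGOFF for the same (user, host)."""
    open_sessions = {}  # (user, host) -> Session still awaiting its LOGOFF
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user_kv, host_kv = line.split()
        key = (user_kv.split("=", 1)[1], host_kv.split("=", 1)[1])
        when = datetime.fromisoformat(ts)
        if event == "LOGON":
            if key in open_sessions:
                # A second LOGON on the same workstation without a LOGOFF in
                # between: the earlier session was never signed out.
                sessions.append(open_sessions.pop(key))
            open_sessions[key] = Session(key[0], key[1], when, None)
        elif event == "LOGOFF" and key in open_sessions:
            finished = open_sessions.pop(key)
            finished.end = when
            sessions.append(finished)
    sessions.extend(open_sessions.values())  # still open when the log ends
    return sessions


def concurrent_use(sessions: list, log_end: datetime) -> list:
    """Same account logged on at two different workstations at overlapping times."""
    by_user = {}
    for s in sessions:
        by_user.setdefault(s.user, []).append(s)
    findings = []
    for user, sess in by_user.items():
        sess.sort(key=lambda s: s.start)
        for i, a in enumerate(sess):
            a_end = a.end or log_end
            for b in sess[i + 1:]:
                # sorted by start, so the intervals overlap iff b starts before a ends
                if b.host != a.host and b.start < a_end:
                    findings.append((user, a.host, b.host, b.start.isoformat()))
    return findings


def never_signed_out(sessions: list) -> list:
    """Logons with no matching LOGOFF."""
    return [(s.user, s.host, s.start.isoformat()) for s in sessions if s.end is None]


def review(text: str, log_end_iso: str) -> dict:
    """Run both checks over a log; log_end_iso is when the log was collected."""
    sessions = parse_sessions(text)
    log_end = datetime.fromisoformat(log_end_iso)
    return {
        "concurrent_use": concurrent_use(sessions, log_end),
        "never_signed_out": never_signed_out(sessions),
    }


if __name__ == "__main__":
    for kind, items in review(SAMPLE_LOG, "2014-11-03T18:00:00").items():
        print(kind)
        for item in items:
            print("   ", item)
```

In the constructed log, account n1042 is flagged because it logs on at WS-ICU-04 while its WS-ICU-01 session is still open, and a0077 is flagged because no sign-out is ever recorded. The check has a limit worth knowing: a colleague who uses an account that was simply left logged on (the 40% case in the results table) produces no second logon event at all, so that practice is only visible through idle-time monitoring or the auto-lock the deck recommends, not through logon records.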

Page 23: Ahmed Al Barrak - Staff information security practices - a latent threat

• The practice of NOT changing the password after it has become known to unauthorized persons was stated by 45% of participants.
• Males are doing significantly better than females concerning this habit.
• Nursing staff appears to be the group least aware of the need to change their passwords when released to others, compared with any other group of staff (p=0.0001).

Page 24: Ahmed Al Barrak - Staff information security practices - a latent threat

• 70% of respondents had never changed their default system-generated passwords. This practice is also more frequent among females compared to males and among nursing staff compared to other professions.

Pie chart: Changing the password after first being generated by administrator; yes 30%, no 70%.

Page 25: Ahmed Al Barrak - Staff information security practices - a latent threat

Changing the password after first being generated by administrator

Bar chart: Yes/No percentages by job category (Physicians, Administrative, Nursing, Allied health staff); y-axis 0-80%.

Page 26: Ahmed Al Barrak - Staff information security practices - a latent threat

Password structure

Bar chart of password composition with categories: Alphabets only; Digits only; Alphabets & digits; Alphabets, digits & symbols. Bar values: 53%, 33%, 0%, 14% (y-axis 0-60%).

Page 27: Ahmed Al Barrak - Staff information security practices - a latent threat

Parameter                                                   Response   No.   %
Use of personal or shared computer                          Personal    99  19
                                                            Shared     418  81
Logging off the application after work sessions             yes        448  84
                                                            no          83  16
Allowing others to use the account without giving them
the password                                                yes        213  40
                                                            no         317  60
Allowing office mates and friends to know the password      yes        145  27
                                                            no         394  73
Changing the password after being known to other people     yes        290  55
                                                            no         240  45
Changing the password after first being generated by
administrator                                               yes        158  30
                                                            no         370  70

Page 28: Ahmed Al Barrak - Staff information security practices - a latent threat

Allowing office mates and friends to know the password

Bar chart: Yes/No percentages by job category (Physicians, Administrative, Nursing, Allied health staff); y-axis 0-100%.

Page 29: Ahmed Al Barrak - Staff information security practices - a latent threat

Changing the password after being known to others

Bar chart: Yes/No percentages by job category (Physicians, Administrative, Nursing, Allied health staff); y-axis 0-80%.

Page 30: Ahmed Al Barrak - Staff information security practices - a latent threat

Allowing others to use the account without giving them the password

Bar chart: Yes/No percentages by job category (Physicians, Administrative, Nursing, Allied health staff); y-axis 0-80%.

Page 31: Ahmed Al Barrak - Staff information security practices - a latent threat

Findings

• Although sharing of workstations is not a user choice, and is more likely attributable to the nature of the hospital or work environment, it nevertheless represents a latent security threat.
• It can be argued that compliance with security policies and procedures is much harder in a multiuser shared environment than in places where each user logs in to a dedicated personal computer.
• In such a multiuser environment, the security practice and awareness of users constitute the first line of defense for safeguarding patient data.

Page 32: Ahmed Al Barrak - Staff information security practices - a latent threat

Findings

• Studies have shown that users are generally reluctant to change their passwords.
• Users should be initiated and encouraged to change their passwords whenever they feel, for any reason, that the password has become unsafe.
• Change of password, as a precautionary security measure, is highly recommended, mainly in three situations: after being issued by the system administrator, after feeling that it has become known to others, and at regular time intervals.

Page 33: Ahmed Al Barrak - Staff information security practices - a latent threat

Findings

• This study further reveals that staff vary in their compliance with security measures.
• Understanding privacy and security threats and the challenges facing the organization is essential for building a holistic security process and avoiding loss of, and threats to, patient information.
• Besides, users should be instructed to strictly comply with policies and procedures that prevent the communication of passwords, the use of others' accounts, and the keeping of passwords unchanged for long time intervals.

Page 34: Ahmed Al Barrak - Staff information security practices - a latent threat

Recommendations

• Organizations should build a sense of information security awareness among all staff to gain their support in protecting sensitive data.
• Continuous education and evaluation of the security processes are major elements in that context.
• Other measures include auto-locking and logging off workstations when they are not in use for a predefined period.

Page 35: Ahmed Al Barrak - Staff information security practices - a latent threat

Conclusions

• It is clearly proven that technical security measures alone can NOT prevent security breaches.
• Insider threats are difficult to detect and manage because they primarily emerge from the malicious practices of authorized users.
• This emphasizes that awareness training and education of users on information security issues are very important for achieving a reliable level of information security in any organization.
