Six health privacy experiments that should *never* be carried out
DESCRIPTION
In April 2004, a bold experiment by the Infosecurity Tradeshow in London proved what everyone suspected: over 70% of people passing through Liverpool Street Station would reveal their password in exchange for candy (http://news.bbc.co.uk/2/hi/technology/3639679.stm). Some commentators applauded this validation of a previously unproven assumption about Londoners’ attitudes towards password secrecy. Other commentators had serious ethical concerns with the experiment. This candy-for-password experiment got me thinking about health privacy/security experiments. Many suspect that the healthcare system has serious human and technical privacy vulnerabilities, but how can we validate this suspicion? Would a patient hand over their provincial health number for a chocolate bar? Would a medical professional hand over a patient’s information for a chai latte? The more I thought about it, the more extreme – and both frightening and funny – the research projects became.
TRANSCRIPT
© Fujitsu Canada
Six Health Privacy Experiments That Should Never Be Conducted
WCHIPS 2013, Winnipeg
Chris Hammond-Thrasher
Associate Director
Security, Privacy and Compliance
Fujitsu Canada
1
Phone Disclosure
Conference Number
Dial into the XYZ Disease / Syndrome / Dysfunction Conference Call Now!
204-800-5580
2
Social Media
Long Memory
• Version 1.0 of the NCSA Mosaic browser was released in November 1993
• Netscape Navigator was released in December 1994
• TELUS launched commercial Internet services in 1995
• Facebook launched in February 2004
Teens on Facebook
“Self-definition is about identity, one’s needs and attitudes, and the presentation of the self to others. Teenage patients present themselves on Facebook as regular teenagers. They do not write public status updates about their stays at CHEO or the treatments they receive.”
- Van der Velden and El Emam, 2012
3
A Simple Wi-Fi Attack
The Demonstration Network
Join now!
SSID: wchips2013
Password: wchips2013
Countermeasures
The basics: Any Wi-Fi network with significant security requirements must be configured to use WPA2-Enterprise. No exceptions.
VPNs are excellent defenses when moving sensitive data across non-trusted networks, but there is no completely safe way to connect to and use a hostile Wi-Fi network.
There is no good defense against Wi-Fi denial of service. The best that you can do is have a good wireless incident response team on hand.
4
Win an iPad Mini!
Phishing Discussion
Use HTTPS and put the survey on your own domain, e.g. https://primarycaresurvey.albertahealthservices.ca
Without HTTPS I can try to impersonate the site and phish for personal health information.
As of last night, primarycaresurveys.ca is available for purchase (they used primarycaresurvey.ca), but albertahealthservice.ca has been purchased by a domain squatter.
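A defender-side check for the points on this slide, as an added example that is not part of the original presentation: it classifies a survey link as official (HTTPS under the organisation's own domain), insecure, lookalike or unrelated. The function names, the two-typo threshold and the sample links are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the organisation's registered domain, taken from the slide's example URL.
OFFICIAL_DOMAIN = "albertahealthservices.ca"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # drop ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_survey_link(url: str, official: str = OFFICIAL_DOMAIN, max_typos: int = 2) -> str:
    """Return 'official', 'insecure', 'lookalike' or 'unrelated' for a link."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if host == official or host.endswith("." + official):
        # Right domain, but plain HTTP can still be impersonated in transit.
        return "official" if parts.scheme == "https" else "insecure"
    if official in host:
        # Official name used as a prefix of somebody else's domain.
        return "lookalike"
    # Simplification: treat the last two labels as the registered domain,
    # which holds for names directly under .ca but not for every suffix.
    registered = ".".join(host.split(".")[-2:])
    if 0 < edit_distance(registered, official) <= max_typos:
        return "lookalike"
    return "unrelated"


# Constructed sample links; the domains in the first four appear on the slide.
SAMPLES = [
    "https://primarycaresurvey.albertahealthservices.ca",
    "http://primarycaresurvey.albertahealthservices.ca/start",
    "https://albertahealthservice.ca/survey",
    "https://primarycaresurvey.ca/",
    "https://albertahealthservices.ca.example.net/survey",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_survey_link(link):10} {link}")
```

A survey hosted on a separate domain such as primarycaresurvey.ca comes back as unrelated: nothing in the URL ties it to the organisation, which is why a respondent cannot tell it apart from a near-miss registration.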
QR Code Phishing
5
Hospital Netwars
6
Healthcare Mysticism
7
Medical Malware
A Common Malware Model
• Command and Control Server
• Infected Laptop
• Infected Tablet
• Infected Smartphone
8
Balloon Clown Audit
9
Elicitation
Definition: “Elicitation”
“In the spy trade, elicitation is the term applied to subtle extraction of information during an apparently normal and innocent conversation. Most intelligence operatives are well trained to take advantage of professional or social opportunities to interact with persons who have access to classified or other protected information.
Conducted by a skillful intelligence collector, elicitation appears to be normal social or professional conversation and can occur anywhere – in a restaurant, at a conference, or during a visit to one’s home. But it is conversation with a purpose, to collect information about your work or to collect assessment information about you or your colleagues.”
Elicitation Plan
Goal: Elicit personal information on at least one individual
Method: Seek advice on when teenage girls should start dating as a way to get a parent talking about their own children
Objectives:
• Parent’s Name __________________
• Target’s Name __________________
• Relationship __________________
• Target’s Gender __________________
• Target’s Birthday __________________
Achieved _________ of five objectives
C
Bibliography
Capps, Rusty. “The Spy Who Came to Work,” Security Management, February 1997.
*Celent. Using Social Data In Claims and Underwriting, http://www.celent.com/reports/using-social-data-claims-and-underwriting
Hadnagy, Chris. Social Engineering: The Art of Human Hacking. Wiley, 2011.
Li, Jingquan. “Privacy Policies for Health Social Networking Sites,” Journal of the American Medical Information Association, March 2013.
Malin, El Emam and O’Keefe. “Biomedical Data Privacy: Problems, Perspectives, and Recent Advances,” Journal of the American Medical Information Association, January 2013.
Van der Velden, El Emam. “‘Not All My Friends Need to Know’: A Qualitative Study of Teenage Patients, Privacy, and Social Media,” Journal of the American Medical Information Association, July 2012.
*Subscription required.
Hammond-Thrasher, Six Health Privacy Experiments, 2013
Conclusions
There are significant challenges facing privacy professionals and academic researchers who want to understand real risk, including:
• Research ethics
• Research funding and
• The reputational concerns of personal health information custodians.
The reality of the real risk scenarios examined today is that the threat agents – whether insiders or outsiders – are not bound by the constraints that govern privacy and security professionals.
Van der Velden and El Emam’s paper on sick teens using Facebook is a warning about the complexity of real risk – our assumptions about how good or bad things may be need to be tested.
Challenge Questions
For you, is the title of this talk a true statement? Should experiments like these *NEVER* be performed? Are some acceptable and not others? And if so why?
Please email your answers to: [email protected]
Chris Hammond-Thrasher
Associate Director, Consulting
Security, Privacy and Compliance
Fujitsu Canada