Information Security and Cybersecurity
NURSING DEPARTMENT
COLLEGE OF HEALTH SCIENCES
BASILAN STATE COLLEGE
Introduction
Many healthcare organizations have various types of specialized hospital
information systems such as EHR systems, e-prescribing systems, practice
management support systems, clinical decision support systems, radiology
information systems and computerized physician order entry systems.
Additionally, thousands of devices that comprise the Internet of Things must
be protected as well. These include smart elevators, smart heating,
ventilation and air conditioning (HVAC) systems, infusion pumps, remote
patient monitoring devices and others.
In 2015, hospitals and healthcare systems were the number one victims of cyber
attacks. No industry is immune, but hospitals and healthcare systems seem to have
become a favorite target of hackers out to profit from insufficiently secure networks,
so much so that IBM called 2015 the "year of the healthcare security breach." Almost
100 million healthcare records were compromised that year.
Protected health information has a high resale value on the black market. Electronic
health records (EHRs) contain not only personal health and medical information, but
also Social Security numbers, employment details, and banking and financial
information.
What is Security?
The term 'information security' means protecting information and
information systems from unauthorized access, use, disclosure,
disruption, modification, or destruction in order to provide
integrity, confidentiality, and availability.
NIST SP 800-59 UNDER INFORMATION SECURITY FROM 44 U.S.C., SEC. 3542 (B)(1)
Layers of Security
Physical security – to protect physical items, objects, or areas from
unauthorized access and misuse
Personnel security – to protect the individual or group of
individuals who are authorized to access the organization and its
operations
Operations security – to protect the details of a particular
operation or series of activities
Communications security – to protect communications media,
technology, and content
Network security – to protect networking components, connections, and
content
Information security – to protect the confidentiality, integrity, and
availability of information assets, whether in storage, processing, or
transmission. It is achieved via the application of policy, education,
training and awareness, and technology.
Key Information Security Concepts
➢Access
➢Asset
➢Attack
➢Control, safeguard, or countermeasure
➢Exploit
➢Exposure
➢Loss
➢Protection profile, or security posture
➢Risk
➢Subjects and objects
➢Threat
➢Threat agent
➢Vulnerability
Access
➢A subject or object’s ability to use, manipulate, modify, or affect
another subject or object.
➢Authorized users have legal access to a system, whereas hackers
have illegal access to a system.
➢Access controls regulate this ability (examples on succeeding slides)
Asset
➢The organizational resource that is being protected.
➢An asset can be logical such as a Web site, information,
or data; or an asset can be physical, such as a person,
computer system, or other tangible object.
➢Information assets are the focus of security efforts.
Attack
➢An intentional or unintentional act that can cause
damage to or otherwise compromise information and/or
the systems that support it.
➢Attacks can be active or passive, intentional or
unintentional, and direct or indirect.
Control, safeguard, or countermeasure
Security mechanisms, policies, or procedures that can
successfully counter attacks, reduce risk, resolve
vulnerabilities, and otherwise improve the security within
an organization.
Basic Security Controls
➢Anti-virus
➢Backup and restoration of files/data
➢Data loss prevention
➢Email gateway
➢Encryption at rest
➢Encryption for archived files/data
➢Encryption in transit
➢Firewall
➢Web gateway
➢Incident response plan
➢Intrusion detection and prevention system
➢Mobile device management
➢Policies and procedures
➢Secure disposal
➢Security awareness training
➢Vulnerability management program/patch management program
Advanced Security Controls
➢Anti-theft devices
➢Business continuity and disaster recovery plan
➢Digital forensics
➢Multi-factor authentication
➢Network segmentation
➢Penetration testing
➢Threat intelligence sharing (also called information sharing)
➢Vulnerability scans
Exploit
A technique used to compromise a system.
Exposure
A condition or state of being exposed. In information security,
exposure exists when a vulnerability known to an attacker is
present.
Loss
A single instance of an information asset suffering
damage or unintended or unauthorized modification or
disclosure.
Protection profile or security posture
The entire set of controls and safeguards, including policy,
education, training, and awareness, and technology, that the
organization implements (or fails to implement) to protect the
asset.
Risk
The probability that something unwanted will happen.
Subjects and objects
A device can be either the subject of an attack (the agent entity
used to conduct the attack) or the object of an attack (the target
entity).
Threat
A category of objects, persons, or other entities that presents a
danger to an asset
Threat agent
The specific instance or a component of a threat.
Vulnerability
A weakness or fault in a system or protection mechanism that
opens it to attack or damage.
Critical Characteristics of Information
Availability – enables authorized users – persons or computer systems – to
access information without interference or obstruction and to receive it in the
required format
Accuracy – information is free from mistakes or errors and it has the value
that the end user expects
Authenticity – the quality or state of being genuine or original, rather than a
reproduction or fabrication (…)
Authenticity (Threats)
Email spoofing – the act of sending an email message with a modified field
(often the address of the originator) (more details on succeeding slides)
Phishing – when an attacker attempts to obtain personal or financial
information using fraudulent means, most often by posing as another
individual or organization
Confidentiality - information is protected from disclosure or exposure to
unauthorized individuals or systems (…)
Integrity – information is whole, complete, and uncorrupted
Utility – the quality or state of having value for some purpose or end
Possession – the quality or state of ownership or control
Confidentiality
Ensures that only those people with rights and privileges to access
information are able to do so.
To protect confidentiality of information, the following measures may be used:
➢Information classification
➢Secure document storage
➢Application of general security policies
➢Education of information custodian and end users
Components of an Information System
Software – operating systems and assorted command utilities
Hardware – the physical technology that houses and executes the software, stores
and transports the data, and provides interfaces for the entry and removal of
information from the system
Data – stored, processed, and transmitted by a computer system that must be
protected
People
Procedures – written instructions for accomplishing a specific task
Networks
Balancing Information Security and Access
Information security cannot be absolute; it is a process, not a goal.
To achieve balance – to operate an information system that
satisfies the users involved and the security professionals – the
security level must allow reasonable access, yet protect against
threats
Security Professionals and the Organization
Champion – senior executive who promotes the project/system
and ensures its support, both financially and administratively, at
the highest levels of the organization
Team Leader – a project/system manager, who may be
departmental line manager or staff unit manager, who
understands project management, personnel management, and
information security technical requirements
Security Policy Developers – people who understand the
organizational culture, existing policies, and requirements for
developing and implementing successful policies.
Risk assessment specialists – people who understand financial
risk assessment techniques, the value of organization assets, and
the security methods to be used
Security professionals – dedicated, trained, and well-educated
specialists in all aspects of information security from both a
technical and nontechnical standpoint
System administrators – people with the primary responsibility for
administering the systems that house the information used by the
organization
End users – those whom the system will most directly affect
Important Functions That Information Security Performs
➢Protecting the organization’s ability to function
➢Enabling the safe operation of applications running on the
organization’s IT systems
➢Protecting the data the organization collects and uses
➢Safeguarding the organization’s technology assets
Threats
Deliberate Software Attacks
Virus – consists of segments of code that perform malicious
actions
Worms – a malicious program that replicates itself constantly,
without requiring another program environment
Trojan Horses – software programs that hide their true nature
and reveal their designed behavior only when activated
Deliberate Software Attacks
Backdoor or Trap Door – a virus or worm can have a payload that
installs a back door or trap door component in a system, which
allows an attacker to access the system at will with special privileges
Polymorphic Threats – a threat that over time changes the way it
appears to anti-virus software programs, making it undetectable
by techniques that look for preconfigured signatures
Deviations in Quality of Service
➢Internet Service Issues
➢Communications and Other Service Provider Issues
➢Power Irregularities
Espionage or Trespass
When an unauthorized individual gains access to the information an
organization is trying to protect
Industrial espionage – when information gatherers employ techniques
that cross the threshold of what is legal or ethical
Shoulder surfing – used in public or semi-public settings when
individuals gather information they are not authorized to have by
looking over another individual’s shoulder or viewing the information
from a distance
Trespass – unauthorized real or virtual actions that enable
gatherers to enter premises or systems they have not been
authorized to enter
Hackers – people who create end-user computer software to
gain access to information illegally
Forces of Nature
➢Fire
➢Flood
➢Earthquake
➢Lightning
➢Landslide or mudslide
➢Tornado/severe windstorm
➢Hurricane or typhoon
➢Tsunami
➢Electrostatic discharge (ESD)
➢Dust contamination
Human Error or Failure
Includes acts performed without intent or malicious purpose by an
authorized user.
Causes may be due to inexperience, improper training, and
incorrect assumptions
Information Extortion
Occurs when an attacker or trusted insider steals information from
a computer system and demands compensation for its return or
for an agreement not to disclose
Missing, Inadequate, or Incomplete Organization Policy or Planning
➢Makes an organization vulnerable to loss, damage or disclosure
of information assets when other threats lead to attacks
➢Information security, at its core, is a management function.
➢The organization’s executive leadership is responsible for
strategic planning for security as well as for IT and business
functions – a task known as governance.
Missing, Inadequate, or Incomplete Controls
Means security safeguards and information asset protection
controls are missing, misconfigured, antiquated, or poorly
designed or managed
Sabotage or Vandalism
Involves deliberate sabotage of a computer or business, or acts of
vandalism to either destroy an asset or damage the image of an
organization
Theft
The illegal taking of another’s property, which can be physical,
electronic, or intellectual
Technical Hardware Failures or Errors
➢Occur when a manufacturer distributes equipment containing a
known or unknown flaw
➢Defects can cause the system to perform outside of expected
parameters, resulting in unrecoverable loss of the equipment
Technical Software Failures or Errors
➢Range from bugs to untested failure conditions
➢Sometimes the bugs are not errors but purposeful shortcuts left
by programmers for benign or malign reasons
Technological Obsolescence
Antiquated or outdated infrastructure can lead to unreliable and
untrustworthy systems
Attacks
Types of Major Attacks
➢Malicious Code
➢Hoaxes
➢Backdoors
➢Password Crack
➢Brute Force
➢Dictionary
➢Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)
➢Spoofing
➢Man-in-the-Middle
➢Spam
➢Mail Bombing
➢Sniffers
➢Social Engineering
➢Phishing
➢Pharming
➢Timing Attack
Malicious Code
Can be in the form of:
➢Viruses
➢Worms
➢Trojan Horses
➢Etc.
Hoaxes
These can take the form of false virus alerts (such as the "Good
Times" hoax), chain letters, or attempts to spread false
information about some issue (such as warnings that the Federal
Government is about to tax e-mail).
Backdoors
Any method by which authorized and unauthorized users are able
to get around normal security measures and gain high level user
access (aka root access) on a computer system, network, or
software application
Password Crack, Brute Force, Dictionary
Password crack - a process of identifying a forgotten or unknown
password to a computer or network resource by means of an
application program.
Brute force - combinations of characters from a predetermined set are
tried one after another until the combination that matches the password
is found.
Dictionary attack - the method involves comparing a wordlist with the
passwords of users.
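The defender's side of the two attacks just described can be shown in a few lines. This is an added Python example, not material from the slides: a check that recognises a dictionary word hiding behind common mangling (capital letters, trailing digits, letter-for-digit swaps), a count of the guesses an exhaustive brute-force search would face for a given password, and a salted, iterated password hash (PBKDF2) that makes every one of those guesses expensive. The wordlist is a tiny constructed stand-in for the large lists real attacks use, and all function names are this example's own.

```python
import hashlib
import hmac
import os
import re

# Constructed, deliberately tiny wordlist: real dictionary attacks use
# lists of millions of entries; this is only an illustration.
COMMON_WORDS = {"password", "nurse", "hospital", "welcome", "letmein", "qwerty"}

# Letter-for-symbol substitutions that attackers' mangling rules undo.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})

# Number of PBKDF2 iterations; raise it as high as login latency allows.
PBKDF2_ROUNDS = 210_000


def dictionary_candidates(password: str):
    """Yield the base words a dictionary attack would derive from a password,
    so that 'P@ssw0rd1' is recognised as the dictionary word 'password'."""
    base = password.lower()
    yield base
    stripped = re.sub(r"[\d!@#$%^&*]+$", "", base)  # drop trailing digits/symbols
    yield stripped
    yield stripped.translate(LEET)
    yield base.translate(LEET)


def is_dictionary_password(password: str, wordlist=COMMON_WORDS) -> bool:
    """True if any derived candidate appears in the wordlist."""
    return any(candidate in wordlist for candidate in dictionary_candidates(password))


def brute_force_keyspace(password: str) -> int:
    """Guesses an exhaustive search needs to cover every string of this
    length drawn from the character classes the password actually uses."""
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"\d", password):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", password):
        alphabet += 33  # printable ASCII symbols
    return alphabet ** len(password)


def hash_password(password: str) -> str:
    """Store a random per-user salt plus an iterated hash, never the password.
    The salt defeats precomputed tables; the iterations slow each guess."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and rounds and compare."""
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "Nurse2024!", "correct-horse-battery"):
        print(candidate, "dictionary word:", is_dictionary_password(candidate),
              "brute-force keyspace:", brute_force_keyspace(candidate))
    record = hash_password("Nurse2024!")
    print("verify correct:", verify_password("Nurse2024!", record))
    print("verify wrong:  ", verify_password("nurse2024!", record))
```

A password policy that only counts character classes would accept "P@ssw0rd1"; the dictionary check rejects it because the attacker's mangling rules reduce it to "password" in a handful of guesses, which is why the slide's advice to use unique passwords matters more than symbol counts.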
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)
A denial-of-service (DoS) attack floods a server with traffic, making a
website or resource unavailable.
A distributed denial-of-service (DDoS) attack is a DoS attack that uses
multiple computers or machines to flood a targeted resource.
Both types of attacks overload a server or web application with the goal
of interrupting services.
Spoofing
A situation in which a person or program successfully identifies as
another by falsifying data, to gain an illegitimate advantage.
Man-in-the-Middle
A man-in-the-middle (MitM) attack is a type of cyberattack in which communications
between two parties are intercepted, often to steal login credentials or personal
information, spy on victims, sabotage communications, or corrupt data.
“MitM attacks are attacks where the attacker is actually sitting between the victim
and a legitimate host the victim is trying to connect to,” says Johannes Ullrich, dean
of research at SANS Technology Institute. “So, they're either passively listening in on
the connection or they're actually intercepting the connection, terminating it and
setting up a new connection to the destination.”
Spam
Spam is an unsolicited email message that is automatically sent
to a large number of addresses at once. Commonly referred to as
junk mail, spam is most often used for advertising purposes,
although some hackers may also use it to distribute malware.
Mail Bombing
A mail bomb is a form of a denial-of-service (DoS) attack designed
to overwhelm an inbox or inhibit a server by sending a massive
number of emails to a specific person or system. The aim is to fill
up the recipient's disk space on the server or overload a server to
stop it from functioning.
Sniffers
Sniffing is the act of intercepting and monitoring traffic on a network. This can
be done using software that captures all data packets passing through a given
network interface or by using hardware devices explicitly designed for this
purpose.
Social Engineering
Social engineering is the art of exploiting human psychology,
rather than technical hacking techniques, to gain access to
buildings, systems, or data.
For example, instead of trying to find a software vulnerability, a
social engineer might call an employee and pose as an IT support
person, trying to trick the employee into divulging his password.
Phishing
Phishing is a type of cyberattack that uses disguised email as a
weapon. These attacks use social engineering techniques to trick
the email recipient into believing that the message is something
they want or need—a request from their bank, for instance, or a
note from someone in their company—and to click a link or
download an attachment.
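Two of the indicators a mail filter or a careful reader checks, the email spoofing described earlier under Authenticity (a visible From: address that does not match the envelope sender) and the disguised links phishing relies on (link text that shows one address while the href points at another), can be automated. This is an added Python example, not part of the slides; the sample message is constructed, uses reserved .test and .invalid domains, and every function name is this example's own.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email) carrying both indicators.
SAMPLE_EMAIL = """\
From: "Hospital IT Helpdesk" <helpdesk@example-hospital.test>
Return-Path: <bounce@mail-sender.invalid>
To: nurse@example-hospital.test
Subject: Action required: password expires today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm your account:</p>
<a href="http://login.mail-sender.invalid/reset">https://portal.example-hospital.test/reset</a>
<p>Or read the policy <a href="https://portal.example-hospital.test/policy">here</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(header_value: str) -> str:
    """Domain part of an address header, ignoring the display name."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def sender_mismatch(msg) -> bool:
    """Spoofing indicator: From: domain differs from the Return-Path: domain."""
    return domain_of(msg.get("From", "")) != domain_of(msg.get("Return-Path", ""))


def deceptive_links(html: str):
    """Phishing indicator: link text that looks like a URL but whose host is
    not the host the href actually points to. Returns (shown, real) pairs."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if text.startswith(("http://", "https://")):
            shown = urlparse(text).hostname or ""
            real = urlparse(href).hostname or ""
            if shown != real:
                findings.append((shown, real))
    return findings


def analyse(raw_message: str) -> dict:
    """Run both checks over a raw RFC 5322 message with an HTML body."""
    msg = message_from_string(raw_message)
    charset = msg.get_content_charset() or "utf-8"
    html = msg.get_payload(decode=True).decode(charset)
    return {"sender_mismatch": sender_mismatch(msg),
            "deceptive_links": deceptive_links(html)}


if __name__ == "__main__":
    print(analyse(SAMPLE_EMAIL))
```

Neither indicator proves a message is malicious on its own (mailing-list software legitimately rewrites Return-Path, for instance), but either one is reason to inspect the message before clicking, which is exactly the habit the nursing guidance at the end of this deck asks for.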
Pharming
Pharming is like phishing in that it is a threat that tricks users into
divulging private information, but instead of relying on email as the
attack vector, pharming uses malicious code executed on the victim’s
device to redirect to an attacker-controlled website.
Because pharming runs code on the victim’s computer, the attacker
does not rely on the targeted user clicking a link or replying to an email.
Instead, the malicious code directs the targeted user to the attacker’s
website, eliminating the extra step of a user clicking a link.
Timing Attacks
A timing attack is a sophisticated way to circumvent security
mechanisms and discover vulnerabilities by studying how long it
takes the system to respond to different inputs. In a timing attack,
the attacker gains information that is indirectly leaked by the
application. This information is then used for malicious purposes,
such as guessing the password of a user.
What are the best ways for nurses to protect their patients’ information?
➢Always use unique passwords for accounts.
➢Never plug personal devices (or unauthorized devices) into workstations or
work devices.
➢Don’t click on attachments or links in emails without first inspecting the
messages.
➢Be aware of what’s going on in the present