
BSidesSLC -- Jerry Smith -- Getting Privacy Into The Conversation

BSides SLC · 2017 · 16:28 · 16 views · Published 2017-07
Category: Policy
Style: Talk
About this talk
Privacy and security share the same control space; the question is how controls are implemented to meet the regulatory requirements of both control areas. This presentation deals with the issue of privacy and security and the misconception that the two are one and the same, and that the same controls can be used to meet regulatory requirements for both areas. My perspective is from the healthcare arena and the patient perspective, with regulations under which we deal with both the privacy rule and the security rule. What I am trying to get across is the recognition that we are talking about an apples-and-oranges situation and we need to treat the two as very different control perspectives. My focus will be on privacy, and hopefully I can get you to add it to your awareness and understand the differences between it and information security.
Transcript [en]

What I'm going to talk about is information security and privacy, or how you get privacy into the discussion with your information security team. I don't have, well, I do have a PowerPoint presentation, but I figured that you've all suffered death by PowerPoint, so I'm not going to do one for you today. We'll just talk about privacy and what it's all about. Privacy and information security are actually two separate things. They may not seem like, they may seem like two things that are together, but they're really not. They share more of a symbiotic relationship. The controls are implemented in a different way. Information security builds a perimeter; it essentially gets you to the door,

whereas privacy is more about being inside the door. It controls the application interface. The definition for privacy, I work in the healthcare sector, as I said, for the University of Utah hospital, information privacy is more about appropriate use of data. So what happens with that appropriate use of data is that what we look at is how our employees use that data, and so what we're trying to understand is, we don't want them to exceed their use, we don't want them to change anything. With the HIPAA rules, what we're looking at is change of state, change of data state. The thing to remember with information security or privacy is that data is all about what's

entrusted to a company, and that trust is critical to how a company succeeds or an organization succeeds. Last year the Office of Civil Rights, Health and Human Services, put in twenty-six million dollars' worth of fines for organizations that ran afoul of Health and Human Services. Those fines really are a situation that can hurt an organization for a number of reasons, but they also can hurt the reputation of an organization. The thing to remember about information security: we're still looking at the same stuff, confidentiality, integrity, availability. With privacy we're still looking at appropriate use. The thing to remember about that appropriate use is it's really about hearts and minds. What we're trying to do is we're trying to get our employees to

think about that use. We want them to understand that they've got to treat that data as carefully as they possibly can. But what I'm really striving for, a lot of times when I talk to employees and when I talk about privacy, is to get our employees to recognize that data ownership is their responsibility. I know that's a hard concept for a lot of people, but what we want them to do is, we want to get them to recognize that the data that they're handling, there is responsibility to it; it means something to people. For example, healthcare data right now is one of the number-one targets. Being seen, our opponents, the hackers that we looked at, it is now one of

the number-one targets for hacking in the global expanse, so the global threat area, because it's a wealth of data. There is just so much information in there for a hacker to use, for anyone to use, in that data field, but that's what they're after, and that's why we've got to protect it, that's why we've got to think about it, and that's why we've got to get our employees to think about it. Because the controls that we can put on it, for those of you that are familiar with the technology controls as they can be used, we have products like Iatric, Securonix, FairWarning, Protenus. Those solutions can be extremely expensive. Our employees are not quite as expensive, and if we

train them up too, we can create a culture where they can think more about what they're doing when they're handling that data, and that's what we've got to do. Sometimes we've got to get them to think about what they're doing with that data and to make correct decisions, or at least make decisions about how they're handling it, because frankly I just don't know that we've got the ability to pay for all the technology solutions that keep coming our way. I don't know that we've got the ability to do that as long as we continue down the road. What we're ultimately looking for is role-based access. That to me is where we've got to get to. The problem with it is

it's tough to implement, because in an operational environment we have a mix of different role-based fields that we've got to play with. We've got, in a clinical environment, we've got a variety of different access levels that we have, but we've also got a bunch of different profiles that we have to fulfill. We've got a clinical person that does a variety of different things. I ran into something recently where a PT, physical therapist, was at the same time an IT person for the department, was also a student working on getting a master's degree in business. He had three different profiles with a variety of different access, and somehow we had to give him the correct access for all

those different profiles. And he was working in the burn unit, and he was the IT person for that burn unit. I mean, he came to our attention because he triggered an alarm, but he was accessing a patient when in reality he was working, as his hat, working in his role as the PT person for the burn unit. It's things like that that make role-based access so tough, but it's something that we need to implement in order for us to get the access levels, we need to get correct access, or get correct controls in play. When we talk about information security and technology controls, the thing to remember is we're trying to get people delivered to the door with the

technology that we have. We establish the firewalls, we've got the VPN tunnels, we stick that security access net in line. Then with the privacy controls in place we control the access as people get in the door with a variety of different things, but we also get our employees thinking about it at the same level. What we're ultimately looking for with privacy is the idea that we create rules of the road; with role-based access we limit the access to align with business, so that business can succeed with what they need to do. At the same time, what we're trying to do is we're trying to get the dialogue open with information security. We want to align

with information security so that privacy enters into that conversation, because too often information security and privacy never even get into the demint. If we get both of them into the conversation with IT and business, we can get some sort of alignment to help us achieve some cohesive and unified coverage, to get success as we try and protect the organization. The other side of security, or I should say privacy, that we're trying to go for, and these are the goals from what is known as the Fair Information Privacy Practices. What you're looking for with privacy practices is transparency. That's for the user. What you want is transparency so that they understand what the data is

being used for. Individual participation: make sure that they understand what it's for. Purpose specification: you want them to understand why you're using the data and what it's for. Data minimization: use it only for what it's supposed to be used for; you don't want to use everything, just use what you need. Use limitation: same thing, use it just for what you need. Data quality and integrity: maintain just for quality and integrity, don't let it get loose. Also the security side of it, you want to maintain security. Accountability and auditing: you want to be able to audit and account for all of the data that's being used. Speaking of accountability and auditing, I recently had a situation where a

company informed me of a breach of my personal data. Um, I got this letter in the mail telling me that a company that I'd worked for 20 years ago told me that my data had been exposed in a phishing attack. What had happened was that the company had received, I guess in the payroll department, they'd received an email from the CFO indicating that they needed to have all the employee data from the last 20 years uploaded to a Dropbox account, which they did, including my data, which I was so thrilled about. 20 years, I mean, 20 years. How do you protect yourself from stuff like that? I can't. I can't protect myself when somebody makes a mistake

like that and takes my data and uploads it to Dropbox. I mean, the thing of it is, just by saying the word Dropbox should have been enough to say there's no reason for anybody to upload anything to Dropbox, but that never entered into it. The funny thing of it was, that's what I told the general counsel for the company. I said, you've got to be kidding me, Dropbox should have been the clue, Dropbox should have been the clue, you shouldn't have been uploading anything, so what are you going to give me for this stuff? And she said, Divya, you're just out of luck, that's just the way it goes. And that is

the way it goes. And see, the problem with that is, that's the way you've got it with these corporations in some cases: they don't really care, and why would they? That's why we need to get this idea across that people need to take ownership of data. We've got to get our employees to recognize that they can't give away data. They've got to control it, they've got to protect it, and if they don't protect it they're going to have situations like that happen, where they give away data to somebody that's just going to use it. And I, you know, I'm nearly 60 years old, my data is gone, I'm never going to get it back, and for the next 20 years I'm going

to be sitting here wondering who's got my data and how soon am I going to lose it to somebody else. My credit's always going to be at risk. You know, I'm a little old to be worrying about credit risk right now, but I don't have any choice, because somebody decided they were going to upload to a Dropbox account. You know, those are things that we need to be cautious about and need to protect for, and that's what we need to train our employees about. This is not hard stuff. This is not hard to do, and it's not hard to train for. So that's why we need to bring our employees into the loop. I know there's a lot of people that

think that employees are not worth training. They are, unknown, employees are worth training. We need to bring them into the mix, we need to get the culture change, we need to get them changed to the idea that they need to protect this data, they need to take the ownership of the data and to understand the things. I'd like to give us a takeaway, to cut this all short so that you all can go on and enjoy the rest of your day: think about privacy when you're thinking about information security. Add it to the conversation. Think about appropriate use of data. Make sure, if you're talking about data, think about the idea of integrating it into information security,

especially in this day and age of cloud security, cloud providers. When you're thinking about cloud security, cloud providers, think about privacy. Keep that in mind when you're discussing the idea of moving to the cloud. Make sure that when you're talking about IT, IT security, cloud providers, think about your SLA, think about your BAAs. If you've got health insurer or health data moving into the cloud, make sure that that BAA aligns with the SLA, because if they don't, you've got problems. Make sure that you establish a relationship with the cloud provider. Ensure that you know who owns the data once it's up with a cloud provider. I don't know if you remember the old days, but it used to be the cloud

providers said that once they moved that data up into a cloud provider's arena, or up in their services, a lot of times the data became theirs. You can't do that in a healthcare situation. Healthcare data needs to be retained by the covered entity. Speaking about covered entities, I'm not sure if you all saw the situation recently, last year actually: a covered entity had entered into a contract with a German provider of hardware. What they did was they had two servers on-site within the covered entity that had 4,000 records of medical information for 4,000 patients, and somehow these folks got into a patient paying, billing dispute. Well, the covered entity just told them,

look, we're going to figure this out but we're not going to pay right now. Well, the hardware company decided that they weren't going to put up with that, and they killed those two servers, and they lost the data, 4,000 patients. Situation: you can't, you can't sit there and hold patient information hostage like that. I'm not sure what's going to happen in that whole situation. My feeling is the Office of Civil Rights will more than likely try and find the German company, but I'm not quite sure they're going to be able to reach out and get up. That's something you've got to be really careful about. The other thing you've got to remember, what this stuff is, is if I can

just make that one point clear again: get privacy into that conversation with your security folks, get that alignment going, get them to understand that privacy is part of that wrap that you bring around your data and make it secure, because it helps the organization. If you text your organization with that kind of information you can get the organization to succeed, you can align with the business and help them succeed. And that's about all I've got for you. Any questions? Go have fun.
