HOLISTIC SECURITY ARCHITECTURE FOR EFFECTIVE MANAGEMENT OF HEALTHCARE CYBER THREATS

Öz

Cyber security has become one of the top priorities for healthcare systems, due to the fact that the healthcare information security and personal privacy are major concerns for patients, healthcare providers and governments. The information that is incrementally available in the health records has a much longer shelf life and is a fertile and invaluable source for identity theft. The stagnant social security numbers cannot be easily canceled and medical and prescription records are permanent in the systems. Furthermore, healthcare information has a higher value than credit card information in the underground market in the dark web. There is a huge market for health insurance fraud and abuse, which may be more profitable than selling the records honestly in the forums. There are common but seriously increasing threats, which can be exploit healthcare information, is becoming compromised or stolen outright, when patient health records are being digitized. The abuses of health data such as DNA information is the most critical since it can be used for possible targeted biological weapons or certain targeted artificial diseases. The aim of this study is to provide a framework for future research by identifying concept of security and cyber threats in the healthcare systems.

Anahtar Kelimeler

• Healthcare,cyber security,e-government,EHRs,COBIT-5

SAĞLIKTAKİ SİBER-TEHDİTLERİN ETKİLİ YÖNETİMİ İÇİN BÜTÜNCÜL GÜVENLİK MİMARİSİ

Öz

Sağlık bilgisi güvenliği ve kişisel mahremiyet, hastalar, sağlık hizmeti sağlayıcıları ve hükümetler için önemli kaygılar olduğundan, siber güvenlik sağlık sistemleri için en önemli önceliklerden birisi haline gelmiştir. Sağlık kayıtlarında artmakta olan bilgiler çok daha uzun bir raf ömrüne sahiptir ve kimlik hırsızlığı için verimli ve paha biçilmez bir kaynaktır. Statik sosyal güvenlik numaraları kolayca iptal edilemez ve sistemlerde tıbbi ve reçete kayıtları kalıcıdır. Ayrıca, sağlık bilgisi, karanlık ağdaki yer altı pazarındaki kredi kartı bilgisinden daha yüksek bir değere sahiptir. Sağlık sigortası dolandırıcılığı ve suiistimali için büyük bir pazar var, bu da reklâmların forumlarda dürüstçe satılmasından daha karlı olabilir. Hasta sağlık kayıtlarının sayısallaştırıldığı durumlarda, istismarın artmasına neden olabilecek sağlık sorunlarının tehlikeye girmesi ya da çalınması sonucu ortaya çıkan yaygın ve ciddi tehlikeler vardır. DNA bilgisi gibi sağlık verilerinin kötüye kullanılması, olası hedefli biyolojik silahlar veya belirli hedeflenmiş yapay hastalıklar için kullanılabilecek en kritik durumdur. Ayrıca hastalara ait tanı verileri ilaç firmaları açısından da paha biçilmezdir. Bu çalışmanın amacı, sağlık sistemlerinde güvenlik ve siber tehditler kavramını tanımlayarak gelecekteki araştırmalar için bir çerçeve sağlamaktır.

Anahtar Kelimeler

• Sağlık,siber güvenlik,e-devlet,EHRS,COBIT-5

Kaynakça

1. Abbas A., Khan US., (2014), A Review on the State-of-the-Art Privacy-Preserving Approaches in the e-Health Clouds, IEEE Journal of Biomedical and Health Informatics, Vol. 18, No. 4, July
2. Adam David, (2004), https://www.theguardian.com/science/2004/oct/28/thisweekssciencequestions.weaponstechnology, last accesed on 25.06.2018
3. Bioterror, (2012), https://sites.google.com/site/bioterrorbible/BIO-WEAPONS/RACE-SPECIFIC-BIO-WEAPONS, last accesed on 10.05.2018
4. Cert, (2017), https://www.certtr.com/Iletisim.aspx, (Access Date: 28/05/2017).
5. Cryptome, (2013), https://cryptome.org/2013/09/infosecurity-cert.pdf, (Access Date: 28/05/2017).
6. EC, (2018), http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf, last accesed on 35.03.2018
7. Efe, A, (2015), COBIT-5 Framework As A Model For The Regional Development Agencies. International Journal of Ebusiness And Egovernment Studies, 33-43.
8. Efe, A. (2016), Unearthing and Enhancing Intelligence and Wisdom Within the COBIT 5 Governance of Information Model. ISACA Journal.

9. Efe, A. (2017), A Model Proposal for Organizational Prudence and Wisdom within Governance of Business and Enterprise IT. ISACA Journal.
10. ENISA, (2017), http://old.cimt.dk/wp-content/uploads/2017/04/Dimitra-Liveri-ENISA-Cybersecurity-in-hospitals.pdf last accesed on 15.05.2018
11. Eom J., Lee DH., Lee K., (2016) Patient-Controlled Attribute-Based Encryption for Secure, J Med Syst 40: 253, DOI 10.1007/s10916-016-0621-3
12. Faysela M.A., (2015) Evaluation of a Cyber Security System for Hospital Network, MEDINFO 2015: eHealth-enabled Health, I.N. Sarkar et al. (Eds.), IMIA and IOS Press, doi:10.3233/978-1-61499-564-7-915
13. Gope P., Ruhul Amin R., (2016), A Novel Reference Security Model with the Situation Based Access Policy for Accessing EPHR Data, J Med Syst 40: 242, DOI 10.1007/s10916-016-0620-4
14. HHS, (2018), https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html, last accesed on 11.04.2018 HIMMS, (2017),
15. http://www.himss.org/sites/himssorg/files/081516_CybersecurityCheckup.pdf, (Access Date: 29/04/2017).
16. HIMSS, (2016), Cybersecurity Survey, Sponsored by FairWarning, www.himss.org
17. ICIT, (2016), http://icitech.org/wp-content/uploads/2016/01/ICIT-Brief-Hacking-Healthcare-IT-in-2016.pdf, last accesed on 10.05.2018
18. Infoesec, (2017), What Is The HCISPP? Healthcare Information Security & Privacy Practitioner http://resources.infosecinstitute.com/category/certifications-training/cissp/cissp-concentrations/hcispp/, last accesed on 17.06.2018
19. INFOSEC, (2015), http://resources.infosecinstitute.com/hackers-selling-healthcare-data-in-the-black-market/#gref, last accesed on 15.05.2018
20. ISACA, (2018), http://www.isaca.org/Knowledge-Center/Research/Documents/COBIT-Focus-The-Failed-VASA-COBIT-5-Governance-and-the-Seven-Enablers-Part-3_nlt_Eng_1014.pdf, last accesed on 15.05.2018
21. Kruse SC., Frederick B., Jacobson T., Monticone DK., (2017), Cybersecurity in healthcare A systematic, Technology and Health Care 25 1–10, DOI 10.3233/THC-161263
22. Lopes P., Silva L.B., Oliveira J.L. 2015, Challenges and Opportunities for Exploring Patient-Level Data, Hindawi Publishing Corporation, BioMed Research International, Volume, Article ID 150435, pp:11, http://dx.doi.org/10.1155/2015/150435 Mayra R. F., (2017),
23. https://www.trendmicro.com/content/dam/trendmicro/en/security-intelligence/research/reports/wp-cybercrime-&-other-threats-faced-by-the-healthcare-industry.pdf, last accesed on 15.06.2018
24. McAfee, (2016), Threats Report,https://www.mcafee.com/au/resources/reports/rp-quarterly-threats-sep-2016.pdf (September 2016), ss. 49 (Access Date: 29/04/2017).
25. Mohammed EA., Slack JC., Naugler CT., (2016), Generating unique IDs from patient identification data using security models, Journal of Pathology Informatics, 7: 55, DOI 10.4103/2153-3539.197203
26. Ponemon, (2016), Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, Research Report Sponsored by ID Experts Independently conducted by Ponemon Institute LLC
27. Rau HH., Wu YS., Chu CM., Wang FC., Hsu MH., Chang CW., Chen KH., Lee YL., Kao S., Chiu YL., Wen HC., Fuad A., Hsu CY., Hung-Wen Chiu WH., (2017), Importance-Performance Analysis of Personal Health Records in Taiwan: A Web-Based Survey, Journal of Medical Internet Research, vol. 19, iss. 4, e131, p.1
28. RG, (2016), http://www.resmigazete.gov.tr/eskiler/2016/10/20161020-1.htm, last accesed on 15.05.2018
29. Saglik, (2017), https://bilgiguvenligi.saglik.gov.tr/ , (Access Date: 28/05/2017).
30. Saglik, (2018), http://sbsgm.saglik.gov.tr/TR,15220/kisisel-saglik-verileri-komisyonunun-teskili-ve-calisma-usul-ve-esaslari-hakkindaki-yonerge.html, last accesed on 15.05.2018
31. SANS, (2016) State of ICS Security Survey, https://www.sans.org/reading-room/whitepapers/analyst/2016-state-ics-security-survey-37067, (Access Date: 29/04/2017).
32. Veracode, (2018), https://info.veracode.com/whitepaper-state-of-web-and-mobile-application-security-in-healthcare.html, last accesed on 15.06.2018
33. Zeadally S., Isaac JT., Baig Z., (2016), Security Attacks and Solutions in Electronic Health (E-health) Systems, J Med Syst 40: 263, DOI 10.1007/s10916-016-0597-z