We all know that cyberspace is becoming a volatile place where pretty much everything is vulnerable. And you can tell the magnitude of the worsening situation when a nurse tells you that your IT infrastructure is messed up. Yes! Today we have with us Jelena Milosevic, who is a nurse by profession but is on a mission to educate people about the loopholes and vulnerabilities that exist in the medical industry.
So, let's get to know the interesting insights that Jelena has to share with us:
Ali: Jelena, please enlighten us about what you do?
Jelena: By profession, I am a nurse, pediatric, and have also worked closely with the psychiatry department. Just recently I have shifted my focus towards issues pertaining to cybersecurity in the health industry.
Ali: What was the pivotal point in your career? What compelled you to shift your focus from nursing to become an advocate for Information security?
Jelena: While I am still working full-time as a nurse, I do however pursue my cybersecurity endeavors in my free time.
I like to do research and solve the issues we face online. Maybe one day I will completely transition into the infosec world and become a full-time Cyber Security analyst. Meanwhile, there's a lot I need to learn! 🙂
Ali: As you are an active professional in healthcare, how do you see the current state of the medical industry in terms of privacy and security?
Jelena: The professionals in the medical industry usually have respect for the privacy of the patients; that is the ultimate code of conduct that we as health care professionals abide by. And we are fully aware that if we don’t respect the privacy of our patients, we'll lose their trust. Trust is the biggest factor in a Doctor/Nurse/Patient relationship and without it, we can’t do our job/work effectively. Now that patients' medical history and other data have all gone online and there's a significant increase in data breach cases all over the world, there is a huge risk that in case of any such event, patients' medical history and data may get leaked.
And as far as security is concerned, people working in the medical field don’t think a lot. They are not aware of the dangers lurking in the digital world because they think that hospitals have the “best security” and if they are allowed to do something or use the products/devices, they generally assume that it is safe and secure, and IT professionals are doing their job responsibly, but it's not the case every time. There is security to an extent, but nothing is even close to foolproof or being perfect. So, lack of communication causes a lot of misunderstandings.
Ali: Are there any strict rules & regulations pertaining to Cyber Security that are followed in the medical field?
Jelena: It depends from hospital to hospital. Some have better, some not, but it is still not as it's supposed to be. There is progress being made but it is far from good. We need to work a lot to make everyone digitally safe in healthcare institutions.
Ali: Are Healthcare professionals, while in the vicinity of health institutions, allowed to use social media or have access to stuff online that should be prohibited?
Jelena: As far as I know, in all hospitals/healthcare institutions, everyone who is there can use social media without any restriction. Some healthcare institutions even have public Wi-Fi that can be utilized by visitors, patients, and healthcare professionals too. Although there's no surety that these open internet connections are secure, so everyone is using them at their own risk.
Ali: Do you think there’s a possibility that a patient’s medical history can be manipulated online resulting in wrong diagnosis and wrong medical treatments which can lead to a patient’s death? Have you seen any occurrences like these in the past?
Jelena: There is a possibility to manipulate it and there are online criminals out there who do this. I would rather not talk about it publicly. I, however, have discussed this matter with healthcare professionals and they do share their concerns regarding the security loopholes we have in healthcare institutions that are related to PC/Data/Devices/Software and everything else that's connected with the internet but is not secure. And so far, all of 'em did help in the overall awareness of the situation and we had a small success in this aspect too.
Ali: Are people sitting in the higher echelons of the medical industry realizing the importance of Cyber Security? Do you think your efforts are making an impact?
Jelena: I am really not sure if they're fully aware of the extent of the danger. Most of the time they just wait till something bad happens and then take action, which is wrong. Prevention is always better and cheaper than “healing” the bad consequences of negligence. Preparing in advance is always better.
Ali: How many conferences and public speaking sessions have you done up till now and which one do you think was most impactful?
Jelena: From June 2017, I have been at 13 conferences/meetups/events where I have shared my experiences.
Every event was wonderful for me and I am sure for the audience too. We did learn a lot from each other.
My most unforgettable and impactful event was the first one, BSides London, with great mentor Thom Langford.
The first conference that did invite me and did help me a lot was Virus Bulletin and everyone there. Also the article in The Register that came out after this conference.
(Video: a speaking session by Jelena Milosevic at BSides Luxembourg in 2017.)
The Hack_lu in Luxembourg was also a great conference where I met a lot of interesting people.
The ENISA ehealth security conference did bring me in contact also with healthcare professionals so I could reach them too.
But as I said, the trust and support from all the conferences I have been part of and the people I met, and sharing the knowledge with everyone, is always a delightful and memorable experience.
This is a list of all the conferences/events that I have been a part of:
- BSides London England
- SHA2017 Holland
- OWASP Brooklyn US Online meeting
- BSides Amsterdam Holland
- FSEC 2017 Croatia
- Virus Bulletin Spain
- Hack_lu Luxembourg
- BSides Luxembourg
- ENISA ehealth security conference, Portugal
- Private event organized by GData, Belgium Holland
- Cyberworkplace Den Haag, Holland
- HACK::SOHO IOActive's event, England
- Hackerhotel Holland
Ali: Are you looking to acquire any certifications in Cyber Security? Would you suggest any beginner level certification or course that you think everyone should do to educate themselves about the basics of cyber security and how to stay vigilant in the digital world?
Jelena: Honestly speaking, I haven't yet enrolled myself in any such certifications, but I would love to get certified. I am currently trying to align my priorities in such a manner that I can pursue my cybersecurity endeavors.
I, however, have learned a lot from the people in the infosec industry and believe me, the infosec community is awesome and professionals in the field are really supportive, kind and helpful.
But, first, I would advise everyone to see the current situation of their workplace and ask themselves, “Is there a need for online security in my organization/workplace?” Find loopholes. You will begin to see how and where you need security – and trust me everyone needs it!
The changes in the information security industry are so fast that it won't be virtually possible for you to learn everything with certifications. You need to find your own area/topic that you are interested in so you can learn more and take certificates that you need to have. There are companies out there giving good training, but you first need to follow the people/influencers in the infosec space to learn about the current trends, developments, and happenings.
Ali: What are some of the biggest hurdles you are facing right now in pursuing this path of educating people about infosec?
Jelena: Making people at all levels aware of the importance of good security and keeping the privacy of the patients.
The so-called digitally aware and smart go too fast without caring about security and privacy. Healthcare has become a health business and profit is what too many think about. We need to change that and bring it to the basic – care for the patients and build everything around that to really help patients and enable medical professionals to do their work safely and securely.
Ali: Do you think online information encryption tools like VPNs can make a positive impact in securing people’s online privacy and security? Where do you see the future of VPNs?
Jelena: I think that it is important to use VPNs for more reasons. They can protect you, and keep your online space private. However, it all depends upon the usage of it. If the use of VPN is good, then it can really help you big time.
Ali: Recently, hospitals were attacked because of ransomware where a lot of the personal data of patients was stolen and was vulnerable to any sort of use. How do you think cyber-attacks like these can be prevented?
Jelena: Big organizations and healthcare institutions which have streamlined their priorities can invest in good resources and services that can digitally secure them a lot. And of course there will always be people that will find the way to break into the system, but one needs to be prepared.
We need to build security from the basic and at all levels, medical, administration, tech, everyone, and have only the software, products, and devices that are really needed in the hospitals and that are good and secure. The Internet of Things is also a big concern these days. Moreover, it is NOT just the products – maybe even more important is the organization at the workplace.
There is much more, like taking responsible disclosure and bug bounties seriously and working with them together, or monitoring/detecting/reacting.
Ali: What would be your advice for everyone who’s online? How can they protect themselves online? As a patient, what measures can one take to secure their medical history (if they can)?
- At first, people need to understand that they have a right to their own privacy and that everyone must ask them before using their data and tell them what they can/are going to do with the information.
- To understand that what they put online one time is forever on the internet, so be careful with what you put online and think if it is even necessary to be online.
- Patients need to think whether they really need access to their medical records online and to have them on their unsecure mobile phone, keeping in mind the consequences if someone gets their data – health and financial.
- And if they do really need them, first healthcare institution guarantee that data is safe, and to make own PC/Smartphone devices secure as much as possible so they can't access those records on an unsafe network online.
- There are a lot of medical documents publicly available online and patients are not aware that their medical documents can even be downloaded by someone else when they use medical apps for their records. Remember, apps and websites are prone to hacking and a tiny loophole can wreak havoc.
And for everyone, take care what you put online, and what you click. Just a simple scroll over the link can show if it's a real or fake link (the original link that they want to open should show up, by scrolling over the link itself).
Always use search engines to search/verify the credentials of the unknown sender who sends you an email before directly clicking on the links in the email and take a good look at what they've written in that email. Is it “Too Good To Be True?”
Refrain from buying digital devices/Smartphones from less famous brands as they might contain some bloatware, apps or pre-installed programs and apps that may be spying on you.
Lastly, a simple search about “How To Protect Yourself Online” can lead to some awesome search results, advice and articles that can educate you big time. Cheers. 🙂