Security considerations for health care organizations
Security Considerations for Health Care Organizations

FEF Group, LLC

Frank E. Ferrante

President

FEF Group, LLC

Chair MTPC

11 January 2001

Presented at SAINT2001

Global Telehealth/Telemedicine and the Internet Workshop

San Diego, CA



Outline

  • HIPAA

  • HHS Patient Information Privacy

  • Threats and Protection Mechanisms

  • Information Protection Rules

  • Typical Security Architectural Views

  • Policies to be considered


HIPAA

  • IEEE-USA’s Medical Technology Policy Committee Positions

    • implementation timetable of two years

    • Patient information must be protected by all means of electronic transmission and storage (includes fax, phone, wireless)

    • Authorization for accessing databases must be assured

    • IEEE USA recommended coordination among agencies and organizations on a more realistic time schedule

      • Costs for compliance in two years as estimated in the HIPAA NPRM - too low (conflict between timely compliance and financial viability)

      • IEEE recommended effective date be divided into three phases

        • Phase 1: Includes preparing Policies, Plans and Risk Assessments (my estimate: 1 year)

        • Phase 2: Certify new hardware, software and firmware (my estimate: 2 years)

        • Phase 3: Replace installed base of hardware, software and firmware with HIPAA-compliant products (my estimate: 3 to 5 year program)

          • Changes date of compliance to 2008 not 2002 (realistic given cost, technology changes, and training for implementation)


New Patient Privacy Regulations

  • Takes effect in two years (2003)

  • Bars all health care providers and insurance companies from disclosing private health information for non-health related purposes

  • Doctors required to have written permission from patient before sharing patient information (includes billing and treatment)

  • Prohibits employers from perusing medical information on employees and job applicants

  • If an employer manages their own healthcare plan it cannot use the employee’s information for anything other than for healthcare

  • RULE COVERS BOTH ELECTRONIC AND PAPER RECORDS

  • Penalties: $100 per violation ($25,000 max/yr); $250,000 and 10 yrs prison

  • LAW ENFORCEMENT CAN OBTAIN ACCESS TO RECORDS WITH AN ADMINISTRATIVE SUBPOENA OR SUMMONS (NO COURT NEEDED)


Healthcare Information Sharing

  • Consulting physicians;

  • Managed care organizations; 

  • Health insurance companies 

  • Life insurance companies; 

  • Self-insured employers; 

  • Pharmacies; 

  • Pharmacy benefit managers; 

  • Clinical laboratories; 

  • Accrediting organizations;  

  • State and Federal statistical agencies; and 

  • Medical information bureaus.


Information Protection Failures

  • A Michigan-based health system accidentally posted the medical records of thousands of patients on the Internet (The Ann Arbor News, February 10, 1999). 

  • A Utah-based pharmaceutical benefits management firm used patient data to solicit business for its owner, a drug store (Kiplingers, February 2000).

  • An employee of the Tampa, Florida, health department took a computer disk containing the names of 4,000 people who had tested positive for HIV, the virus that causes AIDS (USA Today, October 10, 1996).

  • The health insurance claims forms of thousands of patients blew out of a truck on its way to a recycling center in East Hartford, Connecticut (The Hartford Courant, May 14, 1999). 

  • A patient in a Boston-area hospital discovered that her medical record had been read by more than 200 of the hospital's employees (The Boston Globe, August 1, 2000).

  • A Nevada woman who purchased a used computer discovered that the computer still contained the prescription records of the customers of the pharmacy that had previously owned the computer. The pharmacy database included names, addresses, social security numbers, and a list of all the medicines the customers had purchased. (The New York Times, April 4, 1997 and April 12, 1997).

  • A speculator bid $4000 for the patient records of a family practice in South Carolina. Among the businessman's uses of the purchased records was selling them back to the former patients. (New York Times, August 14, 1991).

  • In 1993, the Boston Globe reported that Johnson and Johnson marketed a list of 5 million names and addresses of elderly incontinent women. (ACLU Legislative Update, April 1998).

  • A few weeks after an Orlando woman had her doctor perform some routine tests, she received a letter from a drug company promoting a treatment for her high cholesterol. (Orlando Sentinel, November 30, 1997).


Trust and Risk

  • Do you trust the Internet?

  • Do you trust wireless Cell phone Communications?

  • Are you sure that the person at the other end of the connection is who they say they are?


Trust and Risk

  • Under the Electronic Fund Transfer Act (effective 1979, 15 U.S.C.), the credit card and ATM industry was forced to limit personal financial risk to users (usually a $50 maximum if cards are used fraudulently)

  • Approach focused on reducing risk since technology was not yet ready

  • Limiting risk compensates for a lack of trust

  • Many, however, consider this approach a band-aid for the real issue – increasing user trust

  • What is available and what can be provided?


Typical Hacker Threats and Protections

  • Hackers

    • Masquerading

    • Eavesdropping

    • Interception

    • Address Spoofing

    • Data Manipulation

    • Dictionary Attack

    • Replay Attacks

    • Denial of Service

  • Protection

    • Authentication

    • Encryption

    • Digital Certs./Signatures

    • Firewalls

    • Encryption

    • Strong Passwords

    • Time Stamping & Sequence Numbers

    • Authentication
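The slide pairs replay attacks with time stamping and sequence numbers, and data manipulation with authentication. The Go program below is an added example (written for this page, not part of the presentation) showing how a receiver combines the two: every message carries a sequence number and a timestamp bound into an HMAC-SHA256 tag under a pre-shared key, and the receiver rejects forged, stale and replayed copies in that order. The message format, the shared key, the 30-second acceptance window and the sample payloads are all assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Message is a constructed wire format for this example: a sequence number,
// a sending timestamp, the payload, and an HMAC tag over all three.
type Message struct {
	Seq     uint64
	SentAt  int64  // Unix seconds
	Payload string
	Tag     string // hex-encoded HMAC-SHA256 over Seq || SentAt || Payload
}

var (
	ErrBadTag = errors.New("authentication tag mismatch")
	ErrStale  = errors.New("timestamp outside the acceptance window")
	ErrReplay = errors.New("sequence number already seen")
)

// computeTag binds the sequence number and timestamp to the payload, so a
// captured payload cannot be re-sent under a fresh header.
func computeTag(key []byte, seq uint64, sentAt int64, payload string) string {
	mac := hmac.New(sha256.New, key)
	var hdr [16]byte
	binary.BigEndian.PutUint64(hdr[:8], seq)
	binary.BigEndian.PutUint64(hdr[8:], uint64(sentAt))
	mac.Write(hdr[:])
	mac.Write([]byte(payload))
	return hex.EncodeToString(mac.Sum(nil))
}

// Sender issues strictly increasing sequence numbers under a shared key (assumed pre-shared).
type Sender struct {
	Key  []byte
	next uint64
}

func (s *Sender) Send(payload string, now time.Time) Message {
	s.next++
	m := Message{Seq: s.next, SentAt: now.Unix(), Payload: payload}
	m.Tag = computeTag(s.Key, m.Seq, m.SentAt, m.Payload)
	return m
}

// Receiver checks authenticity first, then freshness, then uniqueness.
type Receiver struct {
	Key     []byte
	Window  time.Duration // tolerated clock skew plus delivery delay
	lastSeq uint64
}

func (r *Receiver) Accept(m Message, now time.Time) error {
	want := computeTag(r.Key, m.Seq, m.SentAt, m.Payload)
	if !hmac.Equal([]byte(want), []byte(m.Tag)) {
		return ErrBadTag // forged or modified message; constant-time compare
	}
	age := now.Sub(time.Unix(m.SentAt, 0))
	if age > r.Window || age < -r.Window {
		return ErrStale // old capture replayed much later, or clock far off
	}
	if m.Seq <= r.lastSeq {
		return ErrReplay // exact duplicate or out-of-order replay
	}
	r.lastSeq = m.Seq
	return nil
}

func main() {
	key := []byte("constructed-shared-key")
	s := &Sender{Key: key}
	r := &Receiver{Key: key, Window: 30 * time.Second}
	now := time.Now()
	m := s.Send("refill request for patient 0042", now)
	fmt.Println("first delivery:", r.Accept(m, now))
	fmt.Println("replayed copy: ", r.Accept(m, now))
	fmt.Println("one hour later:", r.Accept(s.Send("late", now), now.Add(time.Hour)))
}
```

The tag is checked before the timestamp and sequence number so that an unauthenticated party learns nothing about the receiver's window or counter; the sequence counter is kept per key, so in a real deployment each sender needs its own key or its own counter.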


Common Internet Attacks and Typical Fixes

  • Root access by buffer overflows

    • Fix: Upgrade Systems; Training

  • Distributed Denial of Service

    • Fix: Creating attack bottlenecks and coordination

  • E-Mail spamming and relaying

    • Fix: Training

  • Exploitation of misconfigured software and servers

    • Fix: Verification/Certification of Software

  • Mail attachment attacks

    • Fix: Training of Users to recognize Attachments


Goals of Security Measures

  • Authentication – Who or what am I transacting with?

  • Access Control – Is the party allowed to enter into the transaction?

  • Confidentiality – Can any unauthorized parties see the transaction?

  • Integrity – Did the transaction complete correctly and as expected?

  • Non-Repudiation – Are authorized parties assured they will not be denied from transacting business?


Goals Satisfied by Current Security Mechanisms

[Table: rows list the mechanisms (Intrusion Detection System, Virtual Private Network, Public Key Infrastructure, User Name/Password, Encryption, Firewall); columns list the goals (Authentication, Access Control, Confidentiality, Integrity, Non-Repudiation); the check marks showing which goals each mechanism satisfies did not survive extraction.]


Public Key Infrastructure (PKI)

  • Public/Private Key

  • Most comprehensive security model to date

    • Encryption

    • Digital certificates for authentication

    • Digital Signatures for non-repudiation

  • Certificates (Hash function and Certificate assignments automated)

    • Integration into applications (Can be implemented Rapidly using existing CA Servers)

[Diagram: Certificate Authority; Sender's Private Key → Digitally Signed Message; Sender's Public Key → Verify Digital Signature; Recipient's Public Key → Encrypted Message; Recipient's Private Key → Decrypt Message]
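As an added illustration of the PKI diagram (example code written for this page, not part of the presentation or of any product it names): the sender signs with the sender's private key and the signed message is encrypted with the recipient's public key; the recipient decrypts with the recipient's private key and then verifies the signature with the sender's public key. The program uses only Go's standard library (Ed25519 for signatures, RSA-OAEP for encryption). The key pairs are generated locally instead of being certified by a CA, and the message text is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

var (
	ErrDecrypt   = errors.New("decryption failed: wrong recipient key or altered ciphertext")
	ErrSignature = errors.New("signature check failed: not from the claimed sender")
)

// Seal is the sending side of the diagram: sign with the sender's private key,
// then encrypt message||signature with the recipient's public key (RSA-OAEP),
// so only the recipient's private key can reveal either.
func Seal(msg []byte, senderPriv ed25519.PrivateKey, recipientPub *rsa.PublicKey) ([]byte, error) {
	signed := append(append([]byte{}, msg...), ed25519.Sign(senderPriv, msg)...)
	// OAEP with SHA-256 on a 2048-bit key holds at most 190 bytes; longer
	// messages would wrap a symmetric key this way instead (hybrid encryption).
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, signed, nil)
}

// Open is the receiving side: decrypt with the recipient's private key, split
// off the signature, and verify it with the sender's public key.
func Open(sealed []byte, recipientPriv *rsa.PrivateKey, senderPub ed25519.PublicKey) ([]byte, error) {
	signed, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, sealed, nil)
	if err != nil {
		return nil, ErrDecrypt
	}
	if len(signed) < ed25519.SignatureSize {
		return nil, ErrSignature
	}
	msg := signed[:len(signed)-ed25519.SignatureSize]
	sig := signed[len(signed)-ed25519.SignatureSize:]
	if !ed25519.Verify(senderPub, msg, sig) {
		return nil, ErrSignature
	}
	return msg, nil
}

func main() {
	// In a real PKI the CA vouches for these public keys via certificates;
	// here they are generated locally for the demonstration.
	senderPub, senderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	recipientPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}

	sealed, err := Seal([]byte("lab result for patient 0042 is ready"), senderPriv, &recipientPriv.PublicKey)
	if err != nil {
		panic(err)
	}
	msg, err := Open(sealed, recipientPriv, senderPub)
	fmt.Printf("recipient read: %q (err=%v)\n", msg, err)

	// An impostor's key: decryption still works, but the signature does not verify.
	impostorPub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, err = Open(sealed, recipientPriv, impostorPub)
	fmt.Println("verified against impostor key:", err)
}
```

Signing before encrypting keeps the signature inside the ciphertext, so an observer cannot even confirm who sent the message; what the certificate authority adds on top of this is the binding between each public key and the identity of its holder.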



Virtual Private Networks (VPN)

[Diagram: LAN/WAN to LAN/WAN]

  • Provides Virtual Network Connectivity

    • User to LAN/WAN

    • LAN/WAN to LAN/WAN

  • Encrypted at the TCP/IP Level

  • Provides Protected Communications for All TCP/IP Services


Firewalls

  • Provides Traffic Management in Both Directions

  • Generally Located at Border between Public and Private Networks

  • Features Include

    • Proxy Server/Network Address Translation (NAT)

    • User Name/Password Authentication

    • Packet Filtering

    • Stateful vs. Stateless Packet Processing

    • Traffic Audit Logs
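The packet-filtering and stateful-versus-stateless bullets are the ones a practitioner usually wants to see in action. The Go program below is an added example (not from the presentation) that runs one constructed four-packet trace through two border filters: a stateless rule that admits any inbound packet with the ACK bit set (the usual approximation of "established" when no state is kept), and a stateful filter that admits inbound packets only when they belong to a connection opened from the inside. Each decision is recorded as the kind of entry the slide calls a traffic audit log. Addresses come from the RFC 5737 documentation ranges; the policy rules and the trace are assumptions.

```go
package main

import "fmt"

// Packet is a simplified TCP/IP header for this example; Inbound means it
// arrived on the public-network side of the border firewall.
type Packet struct {
	SrcIP, DstIP     string
	SrcPort, DstPort int
	SYN, ACK         bool
	Inbound          bool
}

// StatelessFilter judges each packet on its own header. Policy: everything
// outbound is allowed; inbound is allowed only if it carries ACK, i.e. looks
// like a reply. It cannot tell a real reply from a forged one.
func StatelessFilter(p Packet) bool {
	if !p.Inbound {
		return true
	}
	return p.ACK
}

// flowKey identifies a connection from the inside host's point of view.
type flowKey struct {
	inIP, outIP     string
	inPort, outPort int
}

func keyFor(p Packet) flowKey {
	if p.Inbound {
		return flowKey{p.DstIP, p.SrcIP, p.DstPort, p.SrcPort}
	}
	return flowKey{p.SrcIP, p.DstIP, p.SrcPort, p.DstPort}
}

// StatefulFilter remembers connections opened from the inside and admits
// inbound packets only when they match one of them.
type StatefulFilter struct {
	flows map[flowKey]bool
}

func NewStatefulFilter() *StatefulFilter {
	return &StatefulFilter{flows: make(map[flowKey]bool)}
}

func (f *StatefulFilter) Filter(p Packet) bool {
	k := keyFor(p)
	if !p.Inbound {
		if p.SYN && !p.ACK {
			f.flows[k] = true // an outbound SYN opens a tracked flow
		}
		return true
	}
	return f.flows[k]
}

// Decision is one audit-log record: the packet and what the filter did with it.
type Decision struct {
	Packet  Packet
	Allowed bool
}

// RunTrace passes every packet through the filter and returns the audit trail.
func RunTrace(packets []Packet, filter func(Packet) bool) []Decision {
	out := make([]Decision, 0, len(packets))
	for _, p := range packets {
		out = append(out, Decision{p, filter(p)})
	}
	return out
}

// SampleTrace is constructed: an inside workstation (10.0.0.5) opens an HTTPS
// session to an outside host (203.0.113.10); then an unrelated outside host
// (198.51.100.7) sends an unsolicited ACK-only packet to the workstation's SSH port.
func SampleTrace() []Packet {
	return []Packet{
		{"10.0.0.5", "203.0.113.10", 51000, 443, true, false, false}, // outbound SYN
		{"203.0.113.10", "10.0.0.5", 443, 51000, true, true, true},   // inbound SYN/ACK reply
		{"10.0.0.5", "203.0.113.10", 51000, 443, false, true, false}, // outbound ACK
		{"198.51.100.7", "10.0.0.5", 40000, 22, false, true, true},   // inbound unsolicited ACK
	}
}

func main() {
	sf := NewStatefulFilter()
	for i, d := range RunTrace(SampleTrace(), sf.Filter) {
		stateless := StatelessFilter(d.Packet)
		fmt.Printf("pkt %d %s:%d -> %s:%d  stateless=%v stateful=%v\n",
			i, d.Packet.SrcIP, d.Packet.SrcPort, d.Packet.DstIP, d.Packet.DstPort, stateless, d.Allowed)
	}
}
```

Running it shows both filters admitting the three packets of the real session and only the stateful filter dropping the fourth, which is the whole argument for stateful packet processing at the border: the decision depends on what the firewall has already seen, not only on the bits in the header in front of it.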


Intrusion Detection System (IDS)

  • Audit

    • Store security-pertinent system data

    • Detect traffic patterns

    • Develop reports and establish critical parameters and intrusion criteria using agent software

    • Set up revocation lists

  • Detect

    • Predefine flexible security violations criteria (e.g., identify zombie placement, Super User, Root user occurrences)

    • Be proactive

    • Become network-oriented

  • Secure

    • Fix applications or undo alterations made by an attacker where appropriate (e.g., Trojan Horse identification, Zombie Ant detection and elimination)

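The audit and detect bullets come down to detection logic that an agent runs over stored security records. The Go program below is an added example (not part of the presentation) that parses a constructed key=value audit log and applies two predefined criteria from the slides: repeated login failures from one source inside a time window (the dictionary-attack pattern from the threats slide) and any superuser/root occurrence. The log format, the host names and addresses, and the threshold of five failures within one minute are assumptions of the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// SampleAudit is a constructed audit log (not any product's real format).
const SampleAudit = `2001-01-11T09:00:01Z host=ward3 event=login src=198.51.100.7 user=jdoe result=FAIL
2001-01-11T09:00:03Z host=ward3 event=login src=198.51.100.7 user=jdoe result=FAIL
2001-01-11T09:00:04Z host=ward3 event=login src=198.51.100.7 user=jdoe result=FAIL
2001-01-11T09:00:06Z host=ward3 event=login src=198.51.100.7 user=jdoe result=FAIL
2001-01-11T09:00:07Z host=ward3 event=login src=198.51.100.7 user=jdoe result=FAIL
2001-01-11T09:00:09Z host=ward3 event=login src=198.51.100.7 user=jdoe result=OK
2001-01-11T09:15:00Z host=ward3 event=su src=10.0.0.5 user=jdoe target=root result=OK
2001-01-11T10:00:00Z host=lab1 event=login src=10.0.0.9 user=asmith result=FAIL
2001-01-11T10:00:30Z host=lab1 event=login src=10.0.0.9 user=asmith result=OK`

type Event struct {
	Time   time.Time
	Fields map[string]string
}

type Alert struct {
	Rule   string
	Detail string
}

// Parse turns the text into events. Malformed lines are skipped rather than
// aborting the run, since agents commonly ship partial records.
func Parse(text string) []Event {
	var events []Event
	for _, line := range strings.Split(text, "\n") {
		parts := strings.Fields(line)
		if len(parts) < 2 {
			continue
		}
		ts, err := time.Parse(time.RFC3339, parts[0])
		if err != nil {
			continue
		}
		fields := make(map[string]string, len(parts)-1)
		for _, kv := range parts[1:] {
			pair := strings.SplitN(kv, "=", 2)
			if len(pair) != 2 {
				continue
			}
			fields[pair[0]] = pair[1]
		}
		events = append(events, Event{Time: ts, Fields: fields})
	}
	return events
}

// Criteria holds the tunable "critical parameters" of the detection rules.
type Criteria struct {
	FailThreshold int
	FailWindow    time.Duration
}

// Detect applies the two predefined criteria and returns one alert per hit.
func Detect(events []Event, c Criteria) []Alert {
	var alerts []Alert
	fails := map[string][]time.Time{} // source address -> recent failure times
	flagged := map[string]bool{}      // sources already reported
	for _, e := range events {
		f := e.Fields
		if f["event"] == "login" && f["result"] == "FAIL" {
			src := f["src"]
			kept := fails[src][:0] // in-place filter: keep failures inside the window
			for _, t := range fails[src] {
				if e.Time.Sub(t) <= c.FailWindow {
					kept = append(kept, t)
				}
			}
			kept = append(kept, e.Time)
			fails[src] = kept
			if len(kept) >= c.FailThreshold && !flagged[src] {
				flagged[src] = true
				alerts = append(alerts, Alert{"repeated-login-failure",
					fmt.Sprintf("%d failures from %s within %s on host %s", len(kept), src, c.FailWindow, f["host"])})
			}
		}
		if f["target"] == "root" || f["user"] == "root" {
			alerts = append(alerts, Alert{"superuser-occurrence",
				fmt.Sprintf("%s by %s on host %s at %s", f["event"], f["user"], f["host"], e.Time.Format(time.RFC3339))})
		}
	}
	return alerts
}

func main() {
	for _, a := range Detect(Parse(SampleAudit), Criteria{FailThreshold: 5, FailWindow: time.Minute}) {
		fmt.Printf("[%s] %s\n", a.Rule, a.Detail)
	}
}
```

On the sample log this yields exactly two alerts: the burst of five failures from 198.51.100.7 and the later su to root; the single failure from asmith stays under the threshold. Tuning the threshold and window is where the "critical parameters" of the slide come in.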


Security Policies - Why Are They Needed?

  • Security policies drive the general security framework

  • Policies define what behavior is and is not allowed

  • Policies define who, what, and how much to trust

    • Too much trust leads to security problems

    • Too little trust leads to usability problems

    • Principle of least access

  • Policies will often set the stage in terms of what tools and procedures are needed for the organization

  • Policies communicate consensus among a group of “governing” people

  • Computer security is now a global issue and computing sites are expected to follow the “good neighbor” philosophy


Key Elements of an Information Protection Policy

  • Define who can have access to sensitive information

    • special circumstances

    • non-disclosure agreements

  • Define how sensitive information is to be stored and transmitted (encrypted, archive files, uuencoded, etc.)

  • Define on which systems sensitive information can be stored

  • Discuss what levels of sensitive information can be printed on physically insecure printers.

  • Define how sensitive information is removed from systems and storage devices

  • Discuss any default file and directory permissions defined in system-wide configuration files.


Key Elements of a Network Connection Policy

  • Defines requirements for adding new devices to your network.

  • Well suited for sites with multiple support teams.

  • Important for sites which are not behind a firewall.

  • Should discuss:

    • who can install new resources on network

    • what approval and notification must be done

    • how changes are documented

    • what are the security requirements

    • how unsecured devices are treated


Other Important Policies

  • Policy which addresses forwarding of email to offsite addresses

  • Policy which addresses wireless networks

  • Policy which addresses baseline lab security standards

  • Policy which addresses baseline router configuration parameters



Open PKI Support for Customer Choice

[Diagram: a Corporate Intranet connected through the Internet to a Supplier Network, a Customer Network, a Remote Office and Mobile Users, with PKI products from Baltimore, Entrust, Microsoft, Netscape and Verisign in use at the different sites]

Firewall-1 / VPN-1 High Availability

[Diagram: Primary and Secondary VPN-1 Gateways in front of the Corporate Intranet with IKE Synchronization between them; a remote VPN-1 Gateway and VPN-1 SecuRemote clients connect across the Internet]

  • Transparent fail-over of IPSec communications without loss of connectivity

  • Enables hot fail-over and load balancing across VPN gateways

  • Industry’s first transparent VPN fail-over that maintains session integrity


Architecture of a Distributed System

[Diagram: Users and Clients/Partners reach Web Servers over the Internet; Web Servers connect through Middleware to App Servers and Data Storage; Internal WANs and LANs carry DNS, Messaging and Backup/Recovery services]


Critical Elements of Security Architecture

  • AUDIT, DETECT, and SECURE

    • Three stages of the security process that are to be followed

  • Provide security agents

    • Automated

    • Continually monitor all systems

      • Ensures that Zombie Ants are not being introduced or that Distributed Denial of Service conditions do not occur


Call Centers

  • New systems available

    • IP Inclusive

    • Secure

    • Minimize Labor Element

    • Customer Oriented

    • Flexible

    • High Performance

  • Product Vendors

    • Lucent

    • Others

  • Recommendation for Support


Added Notes:

  • Biometric and Smart Card Technology can be applied where appropriate

    • Biometrics is being tested

      • Standards still in the mill

      • People issue – many feel uneasy about providing fingerprints, eye scans, or physical variations as a means to set up secure operations

      • Firms exist to do this today (e.g., International Biometric Group)

    • Smart cards now used by GSA for their badges have fingerprints embedded (3GI developed this – locally available support)

  • See ITPro May/Jun 2000 issue, page 24, article on Electronic and Digital Signatures: In Search of a Standard by Tom Wells, CEO of b4bpartner, Inc. (Florida firm)


List of PKI Operation Reference Specs and Requirements

  • DOD5200R

    • DOD 5200.2-R, Personnel Security Program.

  • FIPS1401

    • Security Requirements for Cryptographic Modules, 1994-01. http://csrc.nist.gov/fips/fips1401.htm

  • FIPS112

    • Password Usage, 1985-05-30. http://csrc.nist.gov/fips/

  • FIPS186

    • Digital Signature Standard, 1994-05-19. http://csrc.nist.gov/fips/fips186.pdf

  • FPKI-E

    • Federal PKI Version 1 Technical Specifications: Part E – X.509 Certificate and CRL Extensions Profile, 7 Jul 1997. http://csrc.nist.gov/pki/FPKI7-10.DOC

  • ISO9594-8

    • Information Technology-Open Systems Interconnection-The Directory: Authentication Framework, 1997. ftp://ftp.bull.com/pub/OSIdirectory/ITU/97x509final.doc

  • NS4005

    • NSTISSI 4005, Safeguarding COMSEC Facilities and Material, 1997 August.


List of PKI Operation Reference Specs and Requirements (Concluded)

  • NS4009; NSTISSI 4009, National Information Systems Security Glossary, 1999 January.

  • RFC2510; Adams and Farrell. Certificate Management Protocol, 1999 March. http://www.ietf.org/rfc/rfc2510.txt

  • RFC2527; Chokhani and Ford. Certificate Policy and Certification Practices Framework, 1999 March. http://www.ietf.org/rfc/rfc2527.txt

  • SDN702; SDN.702, Abstract Syntax for Utilization with Common Security Protocol (CSP), Version 3 X.509 Certificates, and Version 2 CRLs, Revision 3, 31 July 1997. http://www.armadillo.Huntsville.al.us/Fortezza_docs/sdn702rev3.pdf

  • SDN706; X.509 Certificate and Certification Revocation List Profiles and Certification Path Processing Rules for MISSI Revision 3.0, 30 May 1997. http://www.armadillo.Huntsville.al.us/Fortezza_docs/sdn706r30.pdf

  • Information Technology Security Program; used for assessing and modifying existing security policies – Draft from CIO Council, March 2000.

  • Circular A-130; Management of Federal Information Resources, OMB

  • Special Pub 800-14; Generally Accepted Principles and Practices for Securing Information Technology Systems (GSSP), NIST


Operational Documentation Checklist

  • Project Plan

  • CONOPS

  • System Security Plan (SSP)

  • Risk Assessment

  • Waiver Letter(s)

  • Approvals to Test

  • Interim Approvals to Operate

  • Certificate Policy

  • Subscriber Agreement


Security Program Elements

  • Mint-wide Security Program

    • planning and managing to provide a framework and continuing cycle of activity for managing risk, developing security policies (in conjunction with the Office of Protection), assigning responsibilities, and monitoring the adequacy of the Mint's computer-related controls.

  • Access Control –

    • controls that limit or detect access to computer resources (data, programs, and equipment) and thereby protect these resources against unauthorized modification, loss or disclosure.

  • Segregation of Duties –

    • establishing policies, procedures, and an organizational structure such that one individual cannot control key aspects of IT-related operations and thereby conduct unauthorized actions or gain unauthorized access to assets or records.

  • Service Continuity –

    • implementing controls to ensure that when unexpected events occur (e.g., a virus) critical operations continue without interruption or are promptly resumed, and critical and sensitive information is protected.


Comprehensive Network Security Policy Approach

  • Reference Model

    • Mission

    • Policy

    • Sec. Org Structure

    • Sec. Implementation Procedures

    • Awareness, Training, & Education

    • Phy & Env Protection

    • Connectivity Controls

    • Access Controls

    • Sys Admin Controls

    • Storage Media Controls

    • Accountability Controls

    • Assurance

  • Protect Model

    • Deny, Detect, Assess, Train, Enforce

  • Response Model

    • Respond, Report, Isolate, Contain, Recover


Network Security Model

  • Start: Network Security Strategic Reference Model (inputs: Threat, Value of Information)

  • Level 1. System Mission

  • Level 2. Security Policy

  • Protect Model: Deny, Detect, Assess, Train, & Enforce

  • Level 3. Security Organizational Structure

  • Level 4. Security Implementation Procedures

  • Response Model: Respond, Report, Isolate, Contain, & Recover

  • Level 5. Security Awareness, Training, & Education

  • Level 6. Physical & Environmental Systems Protection

  • Level 7-11. Controls: System Access, Connectivity, Administration, Storage Media, & Accountability

  • Level 12. Assurance


Telecommunications Trends and Increasing Complexity

[Chart: Data Rates (10 bps to 100 Gbps, log scale) versus year (1950 to 2000). Labeled technologies, in roughly increasing data-rate order: Direct Access, Early Modem Access, Modem Access, Dial-Up, X.25, ISDN, Ethernet (IEEE 802.3, 10 Mbps), IBM's Token Ring (16 Mbps), Fast Ethernet (100 Mbps), FDDI, Wireless Systems, ATM/SONET Networks]

  • LMDS/MMDS Wireless: 2.4 - 38 GHz upper band, 10 - 155 Mbps

  • 3G Wireless: 256 Kbps - 2 Mbps+

  • ARDIS (4.8 - 19.2 Kbps)

  • RAM (8 Kbps)

  • AMPS (Analog)

  • Frequency Band Trends (39-50 MHz, 150 MHz, 400 MHz, 800 MHz, 700 MHz, 2.5 GHz, 5 GHz, 28 GHz, 38 GHz)

  • Local/Multichannel Multipoint Distribution System (LMDS/MMDS) Wireless; Analog/Digital Cable Technology (unlicensed - 2.4 - 2.5 GHz bands, licensed - 24 - 38 GHz bands, with data rates in the 1.5 to 155 Mbps range)

  • RAM - Radio Analog Mobile Service

  • ARDIS - Advanced Radio Data Information Service

  • AMPS - Analog Mobile Paging System

