Patient Protection – Ensuring Trust in the Electronic Health Record. John Weigelt, National Technology Officer, Microsoft Canada
The Evolving Threat [Chart: attacker types (Vandal, Trespasser, Author, Thief, Spy) plotted by motivation (Curiosity, Personal Fame, Personal Gain, National Interest) against expertise (Script-Kiddy, Undergrad, Expert, Specialist)]
Increasingly Challenging Security Concerns
Threats are more dangerous than ever • More advanced • Profit motivated • More frequent • Application-oriented
Fragmentation of security technology • Too many point products • Poor interoperability among security products • Lack of integration with IT infrastructure
Difficult to use, deploy and manage • Multiple consoles • Uncoordinated event reporting & analysis • Cost and complexity
“All security frameworks should include a comprehensive, layered approach...” Understanding the Nine Protection Styles of Host-Based Intrusion Prevention, Gartner – May 2005
“Integration and simplified manageability are important drivers when purchasing security” The State of Security in SMB & Enterprises, Forrester Research, Inc. – Sept. 21, 2005
Top Security Challenges
Virus & Malware Prevention • Viruses, Spyware and Worms • Botnets and Rootkits • SPAM, Phishing, Evil Twins and Fraud
Business Practices • Regulatory Compliance • Development and Implementation of Security Policies • Reporting and Accountability
Implementing Defense in Depth • Identity Management and Access Control • Managing Access in the Extended Enterprise • Security Risk of Unmanaged PCs
Security Management • Deploying Security Updates • System Identification and Configuration • Security Policy Enforcement
Security: Solution Enabler • Better Patient Outcomes for Citizens • Secure Wireless • Secure Mobility • Reliable Client Machines • Healthcare Community Interoperability • Inter-jurisdictional Collaboration • Trusted Digital Communities
Implement Defence in Depth • Engages the entire organization for success • Allows for the allocation of controls outside of IT • Supports a multidisciplinary approach Legislation Policies Procedures Physical Controls Native Application Features Specialized Capabilities
Security and Privacy Foundations Security Security Safeguards Security Data Marking Rules based Approach Bell-LaPadula Biba Risk Management Approach Evaluation Scheme Security Policies Threat Risk Assessment 50BC 1940 Late 60s 1973 1975 1980s 1983 1986 1993 Privacy Policies Data Marking For Privacy Privacy Enhancing Technologies Privacy Legislation Rules based approach Privacy Impact Assessment Privacy 1983 1994 1996 2001 2002 2002
Privacy Challenges • Spotlight on PIPEDA / PHIPA / FOIPPA • Policy interpretations are still emerging • Relationship to Security services misunderstood • Privacy often implemented in a binary manner • Privacy Metrics Developing • Privacy often driven by popular opinion • Focus on privacy enhancing technologies
Designing for Privacy • Implement for all privacy principles • Privacy implementations require defence in depth • A risk managed approach should be taken • Solutions must provide privacy policy agility • Privacy and security must be viewed as related but not dependent • Use existing technology in privacy enhancing ways http://www.microsoft.com/downloads/details.aspx?FamilyId=C48CF80F-6E87-48F5-83EC-A18D1AD2FC1F&displaylang=en
Dependable, Available Predictable, consistent, responsive service Maintainable Resilient, works despite changes Recoverable, easily restored Proven, ready Secure against attacks Protects confidentiality, integrity and availability of data and systems Manageable Protects from unwanted communication Controls for informational privacy Products, online services adhere to fair information principles Commitment to customer-centric Interoperability Recognized industry leader, world-class partner Open, transparent
Microsoft’s Security Vision is Much More… Establishing trust in computing to realize the full potential of an interconnected world
Microsoft’s Security Focus Fundamentally secure platforms enhanced by security products, services and guidance to help keep customers safe • Security awareness and education through partnerships and collaboration • Information sharing on threat landscape • Best practices, whitepapers and tools • Authoritative incident response • Excellence in fundamentals • Security innovations
Engineering for Security Microsoft’s Security Development Lifecycle • Corporate process and standard for security in engineering • Evangelized internally through training • Verified through pre-ship audit • The Security Development Lifecycle book • Privacy Guidelines for Developing Software Products and Services Shared with ISV and IT development partners • Documentation and training • Learning Paths for Security • Active community involvement Automated with tools in Visual Studio • PREfast • FxCop
Summary of Vista Security Stay More Secure • Anti-malware • Restart Manager • Client-based Security Scan Agent • Fine-grained Audit Control • Communicate More Securely • Network Access Protection • Inbound/outbound firewall • PnP Simple Smart Cards • Pluggable Crypto Run More Securely • User Account Protection • Browser Anti-Phishing and Low-rights IE • Windows service hardening • Start More Securely • Hardware-based Secure Startup • BitLocker Full Volume Encryption • Code Integrity
Mainstream Mobility Integrated mobile support throughout the platform Windows Vista, Windows Mobile 5, Smartphone Office, MSN … Visual Studio Passport, Alerts, Messenger Windows Server, Enterprise Servers (SQL, BizTalk, Exchange, MMIS, CMS…)
Comprehensive Security Services Edge Server Applications Encrypting File System (EFS) BitLocker™ Information Protection Network Access Protection (NAP) Client and Server OS Identity Management Systems Management Active Directory Federation Services (ADFS) Guidance Developer Tools
Connected Healthcare Framework Microsoft architecture and solution collateral collected from national eHealth initiatives around the world Solution patterns, reference architectures, reference implementations and best practices being distilled into a set of eHealth reference architecture collateral Result will be a core healthcare reference architecture capable of supporting a number of eHealth scenarios • “Your User Processes” • “Your Business Processes”
What is a digital identity? • A set of claims someone makes about me • Claims are packaged as security tokens • Many identities for many uses • Useful to distinguish from profiles
Identity is Matched to Context In Context • Bank card at ATM • Gov’t ID at border check • Coffee card at coffee stand • MSN Passport at HotMail Out of Context • Coffee card at border check Maybe Out of Context? • Gov’t ID at ATM • SSN as Student ID • MSN Passport at eBay
The Laws of Identity: An Industry Dialog • User control and consent • Minimal disclosure for a defined use • Justifiable parties • Directional identity • Pluralism of operators and technologies • Human integration • Consistent experience across contexts Join the discussion at www.identityblog.com
Web Self-Asserted Login Domain Login X-Forest Trust Identity Metasystem Federation Domain/Directory Services Certificate Services ADFS Certificate Authority Authentication Spectrum eAuthentication eID Employee Network Access Cross Program Authentication Interjurisdictional Authentication Business Extranet Citizen Service Delivery Products ERM CRM CardSpace LDAP SQL X.500
Helps end users avoid many phishing attacks Support for two-factor authentication Secure subsystem Self-asserted and “managed” identities Reduces reliance on usernames & passwords Consistent user interface for login and registration Grounded in real-world metaphor Returning Identity Control to the End User CardSpace Safer Easier Built on Web Services Protocols
Microsoft Regulatory Compliance Guide
Microsoft’s MITS Compliance Planning Guide The guide identifies specific Microsoft products and services that can be used to help respond to the 120+ mandatory MITS requirements While this guide is focused on MITS, it is also designed to provide a generic framework that can be used to: • Evolve with MITS and related GoC IT Security guidelines • Respond to other guidelines and legislation, not just MITS • Help non-GoC organizations (Provincial, Municipal, Private Industry)
Microsoft Security Collaboration for Governments Primary Security Concern Security mobilization Prescriptive guidance via on-line content, CD-ROM, on-line training, service offerings Primary audience: IT managers & professionals Developers Offerings are designed to address different concerns Security of IT deployments Security Cooperation Program (SCP) Incident response and public safety collaboration Cooperative projects Information exchange Primary audience: Policy and national security agencies Public safety and incident response agencies Government Security Program (GSP) Source code access Certification evidence Training Feedback New - now includes GSHP Primary audience: Policy makers Purchasing decision makers Computing safety Product security