Are you who you claim to be? - PowerPoint PPT Presentation

are you who you claim to be l.
Skip this Video
Loading SlideShow in 5 Seconds..
Are you who you claim to be? PowerPoint Presentation
Download Presentation
Are you who you claim to be?

play fullscreen
1 / 32
Download Presentation
Are you who you claim to be?
Download Presentation

Are you who you claim to be?

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Are you who you claim to be? • Daniel L. Maloney • Director, Emerging Technologies • Department of Veterans Affairs, VHA OI • Silver Spring, MD., U.S.A. •

  2. Overview • Overview of VA • Overview of the issue • Authentication options • What is PKI and why would it help? • How does this apply to real projects? • Hard decisions

  3. Mission To care for him who shall have borne the battle, and for his widow and his orphan... - Abraham Lincoln

  4. Department of Veterans Affairs • 26 million veterans and 43 million dependents • Nearly one-third of the nation’s population are potentially eligible for VA benefits • Facilities in all 50 states, Washington, DC, Puerto Rico, Virgin Islands, Philippines, Guam and Samoa • Nation’s largest medical system with 173 medical centers, 129 nursing homes, 35 domiciliaries and 400 community based clinics • 58 regional veterans benefits offices providing monetary, disability, pension, education and vocational rehabilitation benefits • 13 million home loans and the nations largest insurance program • Nation’s largest cemetery system with 116 national cemeteries

  5. Are you who you claim to be? • When communicating in the electronic world of the future, can you predict how will we prove who we are? • “The only way to accurately predict the future is to build it.”

  6. Major Issues • The Web Changes Everything • As the network services expand and network connectivity improves, security, privacy and authentication become increasingly important • Electronic Service Delivery – customers AND corporations are driving it because it saves them time and money • Risks - If an unauthorized person got your passwords, what problems could develop for you? • Because the world has already changed, we need to catch up with better user authentication, security and privacy practices • Need a portable solutions because we are all mobile – we interact with computers from many locations

  7. “On the Internet, nobody knows you’re a DOG...”

  8. Basic Authentication Options • Something you know (passwords) • Something you have (keys, token) • Something you are (biometrics) • Strong Authentication - Two or more used together are considered to be better than any one alone

  9. User Authentication • The risk associated with the business transaction will determine what level of user authentication that is appropriate • Multiple levels of authentication may be supported at one time • Security is always a compromise involving risks, expenses and current practices • The standards of good business practices will change over time • As technologies become more widely adopted (smart cards, biometrics, etc), the mapping of actions to authentication levels may change over time

  10. Some current VA projects • Web server public access • On-line 10-10 EZ form completion • Save data from a partially completed form • On-line Prescription Refill • Health eVet personal health profile • VA SSA Interagency Secure Electronic Exchange of Medical Evidence • Virtual Private Network access for staff • Pieces of the solution – VA PKI and Veteran Smart Card

  11. Levels of Authentication

  12. Technical Solutions

  13. Basic PKI Concepts • PKI Defined • Combination of policies, procedures, hardware and software • Framework for Public Key Cryptography • Asymmetric Key Pair • Digital Signature • Authentication • Encryption

  14. Basic PKI Concepts PKI Provides: • Strong Authentication • Data Integrity • Confidentiality • Non-Repudiation

  15. PKI - BASIC PRICIPLES c A pair of related keys as opposed to a single key When either key encrypts, the other key decrypts The private key is closely guarded and never given out - PROTECT YOUR PRIVATE KEY The public key and who it belongs to are publicly available

  16. Encryption Process #A3C!Z&Hl*79 My Medical Data Decryption Process #A3C!Z&Hl*79 My Medical Data DEFINITION OF ENCRYPTION Encryption The process of taking a meaningful string of data (cleartext) and converting it into an apparently meaningless string of data (ciphertext). Decryption The reverse process of taking the apparently meaningless string of data (ciphertext) and converting it back into the original string of meaningful data (cleartext).

  17. Encryption Process #A3C!Z&Hl*79 My Medical Data Decryption Process #A3C!Z&Hl*79 My Medical Data CRYPTOGRAPHIC ALGORITHMS - PUBLIC KEY • Public key used for encryption • Private key used for decryption • Public key is widely distributed • Private key held closely by key owner • Private key cannot be calculated from public key Public Key Private Key

  18. Private Key Original Document Signing a Document Requires: 3 1 2 Copy of Electronic Document Signature of Document Using Private Key Message Digest Message Digest Function Digital Signature Engine Using Private Key Original Document

  19. Signature Original Document Original Document Verifying a Signature Requires: Public Key (signer) 1 2 3 Copy of Original Document Signature Message Digest Verification of what was signed and who signed it + Message Digest Function Digital Signature Engine Using Public Key

  20. VA SSA Secure Exchange of Medical Evidence Project GOALS: • Enable SSA and VA to evaluate viability of SSA receiving electronic medical evidence from VA, in a private and secure manner • Decrease overall processing time, e.g. days elapsed per request for completion • Save VA staff time and effort when fulfilling requests for medical evidence • Move towards the goal of 95% of responses that can be fulfilled with electronic extracts

  21. Formatted Data File Formatted Data File VA/SSA Secure EmailWorkstation VistA Data Extract Delivery Flow Step 1) Create VistA Data Attachment VistA Data Capture VistA Network Drive 1. Open VistA. Use Health Summary 2. Initiate Data Capture in terminal emulator software with Incoming Data command 3. Store the file on the network drive and close the data capture process Step 2) Create Email with Data File Attachment + 4. Within Outlook, create a new email including the VistA data capture file as an attachment 5. Apply encryption for message contents and attachments and send email to Social Security Administration 6. Delete all VistA data capture files that have been saved to the network drive. Files will be automatically deleted daily by the system if not done so manually.

  22. Prescriptions for Controlled Substances • Issue - Electronic prescriptions are allowed by Drug Enforcement Administration (DEA) for non controlled substances. DEA approached VA to help to pilot the use of strong technical controls like PKI with prescriptions for controlled substances • Based upon the results, DEA will consider revising existing regulations • Major authentication, integrity, non repudiation, privacy and confidentiality requirements • Proposed solution to be piloted is to use PKI and smart cards • Requires major review and adaptation of existing VA Medical Automation Systems • Analysis and Lab testing stage

  23. What is Health eVet? Health eVet is an internet based, secure Personal Health Space provided to the veteran on an “opt-in” basis

  24. What Will Health eVet Do? To • Provide veterans access to their health care information So That • The veteran is empowered to partner with their health care provider in achieving optimal health

  25. History • Veterans periodically ask for a copy of their medical record • Veterans want to get more involved in managing their care • Pre-internet technology did not provide the means to answer these requests electronically • Dr. Garthwaite, VA Under Secretary For Health predicts “That each person, including veterans, will be the only one with a complete medical record.”

  26. Health eVet Major Characteristics • Priority for security and privacy • Veteran opt-in • Veteran’s Personal Health Space • Copy of essential portions of VA medical data, personalized information • Self entered (health related) data • Controlled by veteran on internet • Health education information • Proceed with lots of input • Status – initial testing at demonstration site

  27. Current Practice • Current good business practices is to allow access to an individual’s records using passwords alone. • This practice has risks • We should support efforts to move to strong authentication • One example is PKI certificates along with passwords

  28. One Scenario for User Authentication • Initially Complex Passwords • PKI Keys on Client with Passwords • PKI Keys on Smart Cards with Passwords

  29. “Which future would you like to build?”

  30. Contacts • email - • Web Sites • VA Web site - • 10-10EZ form - • Health eVet - • VA PKI -