Are you who you claim to be? Daniel L. Maloney Director, Emerging Technologies Department of Veterans Affairs, VHA OI Silver Spring, MD., U.S.A. daniel.maloney@med.va.gov Overview Overview of VA Overview of the issue Authentication options What is PKI and why would it help?

Are you who you claim to be?
  • Daniel L. Maloney
  • Director, Emerging Technologies
  • Department of Veterans Affairs, VHA OI
  • Silver Spring, MD., U.S.A.
  • daniel.maloney@med.va.gov
Overview
  • Overview of VA
  • Overview of the issue
  • Authentication options
  • What is PKI and why would it help?
  • How does this apply to real projects?
  • Hard decisions
Mission

To care for him who shall have borne the battle, and for his widow and his orphan...

- Abraham Lincoln

Department of Veterans Affairs
  • 26 million veterans and 43 million dependents
  • Nearly one-third of the nation’s population are potentially eligible for VA benefits
  • Facilities in all 50 states, Washington, DC, Puerto Rico, Virgin Islands, Philippines, Guam and Samoa
  • Nation’s largest medical system with 173 medical centers, 129 nursing homes, 35 domiciliaries and 400 community based clinics
  • 58 regional veterans benefits offices providing monetary, disability, pension, education and vocational rehabilitation benefits
  • 13 million home loans and the nation’s largest insurance program
  • Nation’s largest cemetery system with 116 national cemeteries
Are you who you claim to be?
  • When communicating in the electronic world of the future, can you predict how we will prove who we are?
  • “The only way to accurately predict the future is to build it.”
Major Issues
  • The Web Changes Everything
  • As the network services expand and network connectivity improves, security, privacy and authentication become increasingly important
  • Electronic Service Delivery – customers AND corporations are driving it because it saves them time and money
  • Risks - If an unauthorized person got your passwords, what problems could develop for you?
  • Because the world has already changed, we need to catch up with better user authentication, security and privacy practices
  • Need a portable solution because we are all mobile – we interact with computers from many locations
Basic Authentication Options
  • Something you know (passwords)
  • Something you have (keys, token)
  • Something you are (biometrics)
  • Strong Authentication - Two or more used together are considered to be better than any one alone
User Authentication
  • The risk associated with the business transaction will determine what level of user authentication is appropriate
  • Multiple levels of authentication may be supported at one time
  • Security is always a compromise involving risks, expenses and current practices
  • The standards of good business practices will change over time
  • As technologies become more widely adopted (smart cards, biometrics, etc), the mapping of actions to authentication levels may change over time
Some current VA projects
  • Web server public access
  • On-line 10-10 EZ form completion
  • Save data from a partially completed form
  • On-line Prescription Refill
  • Health eVet personal health profile
  • VA SSA Interagency Secure Electronic Exchange of Medical Evidence
  • Virtual Private Network access for staff
  • Pieces of the solution – VA PKI and Veteran Smart Card
Basic PKI Concepts
  • PKI Defined
    • Combination of policies, procedures, hardware and software
    • Framework for Public Key Cryptography
  • Asymmetric Key Pair
  • Digital Signature
    • Authentication
  • Encryption
Basic PKI Concepts

PKI Provides:

  • Strong Authentication
  • Data Integrity
  • Confidentiality
  • Non-Repudiation
PKI - BASIC PRINCIPLES

A pair of related keys as opposed to a single key

When either key encrypts, the other key decrypts

The private key is closely guarded and never given out - PROTECT YOUR PRIVATE KEY

The public key and who it belongs to are publicly available

DEFINITION OF ENCRYPTION

[Diagram: "My Medical Data" → Encryption Process → "#A3C!Z&Hl*79" → Decryption Process → "My Medical Data"]

Encryption

The process of taking a meaningful string of data (cleartext) and converting it into an apparently meaningless string of data (ciphertext).

Decryption

The reverse process of taking the apparently meaningless string of data (ciphertext) and converting it back into the original string of meaningful data (cleartext).

CRYPTOGRAPHIC ALGORITHMS - PUBLIC KEY

  • Public key used for encryption
  • Private key used for decryption
  • Public key is widely distributed
  • Private key held closely by key owner
  • Private key cannot be calculated from public key

[Diagram: "My Medical Data" → Encryption Process (Public Key) → "#A3C!Z&Hl*79" → Decryption Process (Private Key) → "My Medical Data"]

Signing a Document

Requires:

  • Private Key
  • Original Document

[Diagram: Copy of Electronic Document → Message Digest Function → Message Digest → Digital Signature Engine Using Private Key → Signature of Document Using Private Key]

Verifying a Signature

Requires:

  • Public Key (signer)
  • Signature
  • Original Document

[Diagram: Copy of Original Document → Message Digest Function → Message Digest; Signature → Digital Signature Engine Using Public Key; the two results together give Verification of what was signed and who signed it]
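The signing and verification flows on the two slides above, as an added example that is not part of the original presentation. It assumes a constructed toy key pair and unpadded textbook RSA so the arithmetic stays visible; the function names are hypothetical, and real PKI software uses much larger keys with a padded signature scheme.

```python
import hashlib

# Constructed toy key pair: textbook RSA with no padding, built from two
# well-known Mersenne primes. Far too small and too simple for real use.
P, Q = 2**31 - 1, 2**61 - 1          # secret primes
N = P * Q                            # modulus, shared by both keys
E = 65537                            # public exponent  -> public key (E, N)
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent -> private key (D, N)


def message_digest(document: bytes) -> int:
    """Message digest function: SHA-256, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N


def sign(document: bytes) -> int:
    """Signature engine using the private key: transform the digest with D."""
    return pow(message_digest(document), D, N)


def verify(document: bytes, signature: int) -> bool:
    """Signature engine using the public key: recover the signed digest with E
    and compare it with a digest computed from the received copy."""
    return pow(signature, E, N) == message_digest(document)


def keys_are_inverse(value: int) -> bool:
    """Check that whichever key transforms a value, the other key undoes it."""
    return (pow(pow(value, E, N), D, N) == value
            and pow(pow(value, D, N), E, N) == value)


if __name__ == "__main__":
    original = b"My Medical Data"              # constructed sample document
    signature = sign(original)
    print("genuine copy verifies:", verify(original, signature))
    print("altered copy verifies:", verify(b"My Medical Data!", signature))
    print("altered signature verifies:", verify(original, signature ^ 1))
    print("keys are inverse:", keys_are_inverse(123456789))
```

Only the holder of the private key can produce a signature that passes `verify`, which is why the check confirms both what was signed and who signed it.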

VA SSA Secure Exchange of Medical Evidence Project

GOALS:

  • Enable SSA and VA to evaluate viability of SSA receiving electronic medical evidence from VA, in a private and secure manner
  • Decrease overall processing time, e.g. days elapsed per request for completion
  • Save VA staff time and effort when fulfilling requests for medical evidence
  • Move towards the goal of 95% of responses that can be fulfilled with electronic extracts
VA/SSA Secure Email Workstation VistA Data Extract Delivery Flow

[Diagram labels: VistA, VistA Data Capture, Formatted Data File, Network Drive]

Step 1) Create VistA Data Attachment

1. Open VistA. Use Health Summary

2. Initiate Data Capture in terminal emulator software with Incoming Data command

3. Store the file on the network drive and close the data capture process

Step 2) Create Email with Data File Attachment

4. Within Outlook, create a new email including the VistA data capture file as an attachment

5. Apply encryption for message contents and attachments and send email to Social Security Administration

6. Delete all VistA data capture files that have been saved to the network drive. Files will be automatically deleted daily by the system if not done so manually.

Prescriptions for Controlled Substances
  • Issue - Electronic prescriptions are allowed by the Drug Enforcement Administration (DEA) for non-controlled substances. DEA approached VA to help pilot the use of strong technical controls like PKI with prescriptions for controlled substances
  • Based upon the results, DEA will consider revising existing regulations
  • Major authentication, integrity, non-repudiation, privacy and confidentiality requirements
  • Proposed solution to be piloted is to use PKI and smart cards
  • Requires major review and adaptation of existing VA Medical Automation Systems
  • Analysis and Lab testing stage
What is Health eVet?

Health eVet is an internet based, secure Personal Health Space provided to the veteran on an “opt-in” basis

What Will Health eVet Do?

To

  • Provide veterans access to their health care information

So That

  • The veteran is empowered to partner with their health care provider in achieving optimal health
History
  • Veterans periodically ask for a copy of their medical record
  • Veterans want to get more involved in managing their care
  • Pre-internet technology did not provide the means to answer these requests electronically
  • Dr. Garthwaite, VA Under Secretary For Health predicts “That each person, including veterans, will be the only one with a complete medical record.”
Health eVet Major Characteristics
  • Priority for security and privacy
  • Veteran opt-in
  • Veteran’s Personal Health Space
    • Copy of essential portions of VA medical data, personalized information
    • Self entered (health related) data
    • Controlled by veteran on internet
    • Health education information
  • Proceed with lots of input
  • Status – initial testing at demonstration site
Current Practice
  • Current good business practice is to allow access to an individual’s records using passwords alone.
  • This practice has risks
  • We should support efforts to move to strong authentication
  • One example is PKI certificates along with passwords
One Scenario for User Authentication
  • Initially Complex Passwords
  • PKI Keys on Client with Passwords
  • PKI Keys on Smart Cards with Passwords
Contacts
  • email - daniel.maloney@med.va.gov
  • Web Sites
    • VA Web site - http://www.va.gov/
    • 10-10EZ form - http://www.va.gov/1010ez.htm
    • Health eVet - http://www.health-evet.va.gov
    • VA PKI - http://www.va.gov/vapki.htm