
Authentication: Traditional and Innovative Techniques

Authentication: Traditional and Innovative Techniques. AMC Security and Privacy: Progress and Prospects, September 26-28, 2005, Research Triangle Park, NC. Panel members.


Presentation Transcript


  1. Authentication: Traditional and Innovative Techniques. AMC Security and Privacy: Progress and Prospects, September 26-28, 2005, Research Triangle Park, NC

  2. Panel Members
  • Ron Price, Associate Dean, Loyola University Chicago Stritch School of Medicine, and Chief Technologist, Loyola University Health System
  • Wayne Thompson, Vice President, Information Services and Technology, University of Medicine and Dentistry of New Jersey
  • Hai Ngo, CISSP, Information Security Officer, NYU Medical Center

  3. Authentication: The Challenge of an AMC
  “If you eat a frog for breakfast, it may be the toughest thing you’ll do all day”

  4. Authentication: The Challenge of an AMC
  • Users: 8,000+
  • Major Systems or Applications: 30+
  • Computers: 7,000+
  • Desktop Operating Systems: 5+
  • Vendors: 50+
  • Major User Directories: 4

  5. Authentication: The Challenge of an AMC
  • Diversity of users and directories
  • New users, terminations and role changes
  • Technology diversity
  • Hardware, OS software and applications
  • Multiple vendors
  • Many standards and approaches
  • Changing technologies and the ability for organizations to absorb change

  6. University of Medicine and Dentistry of New Jersey Case Study

  7. HIPAA Security: Implementing an Authentication Model. September 2005, AAMC. W. Thompson, VP Information Systems and Technologies, UMDNJ

  8. Agenda
  • Organizational Profile
  • Overview of the UMDNJ Approach
  • Monitoring HIPAA Compliance
  • Implementing Authentication
  • Changing the Culture

  9. UMDNJ Organizational Profile
  • State-wide Health Sciences University
  • 8 Schools
  • 4 Campuses
  • 1 Hospital
  • 3 Multi-specialty Practice Plans
  • 14,000 faculty, staff and students
  • Tripartite Mission
    • Education
    • Research
    • Healthcare

  10. Philosophical Approach
  • A close collaboration with the organization’s compliance entity (Office of Business Conduct).
  • “Reasonable” efforts to achieve compliance.
  • A combination of policy, tools, and behavior modification.

  11. Major Plan Activities
  • Communications Plan (ongoing)
  • Risk Assessment (completed)
  • Policy Analysis (completed)
  • New/Revised Policy adoption (completed)
  • Security risk reduction (ongoing)
  • Training (ongoing)
  • Periodic Review (ongoing)

  12. HIPAA Security Structure
  • The “Data Steward” Concept
    • Responsibility for safeguards at the lowest levels
    • Responsibility for reporting and escalation
    • Policy Excerpt:
      • Data Steward: a person who creates, maintains, or stores a file which contains SEI and is responsible for that database.
      • Sensitive Electronic Information (SEI): includes electronic information that is protected by state or federal regulations. As such, it includes Protected Health Information (PHI) as defined under HIPAA regulations, as well as information governed by GLB and other applicable regulations.
  • HIPAA Coordinator
    • Unit level responsibilities as above
    • A team combined with the technical liaison
  • Compliance Hotline
    • Anonymity
    • Tracking and follow-up
    • Direct links to the IT organization
    • Escalation to HIPAA Privacy or Security Officer

  13. Monitoring HIPAA Compliance
  • Internal Audit
    • Integrate into annual internal audit cycle
  • Internal Review Boards
    • Process and policy modified to review HIPAA obligations
  • Information Systems and Technologies
    • Periodic review of high risk areas
    • Data Center
    • Clinical Systems credentials
  • Office of Business Conduct (Compliance)
    • Chart audit process, general compliance audits

  14. Implementing Authentication

  15. Authentication - Overview
  • Challenges
  • Network Access
  • Enterprise Servers and Domains
  • Enterprise Applications
  • Local Resources

  16. Authentication Challenges
  • “System A does not have sufficient security granularity, so we use a group or role-based login that is shared”
  • “The security mechanism on System B is very inconvenient, so we disabled authentication, but you have to be in room A563 to access the system so it is pretty secure”
  • “It takes too long to get credentials for System C, so we keep some IDs and passwords from people who left to give out while we wait. It works so well that sometimes we forget to apply for new credentials, but that’s ok because people are always leaving”
  • “Trust me, I have my own security methodology”
  • “Yes, those 112 people do need root access to the box!”
  • “The guy who set up the box was Dr Smith’s nephew who went back to college. Thank god he had guest access turned on because otherwise the 84 people using it would never be able to work”
  • “I’ve never had a problem with anonymous FTP or my guest login”
  • “I refuse to be monitored and tracked by Big Brother”

  17. Authentication Levels
  • Network/Perimeter
  • Domain
  • Application
  • Remote Access

  18. Application
  • Application or database level authentication
  • Mostly User Id and Password
  • Certificates in select areas
  • Role-based authorization once authenticated

  19. Domain
  • Active Directory

  20. Network/Perimeter
  • Virtual Local Area Network (VLAN)
  • Most clinical applications
  • Some confidential resources
  • Bradford

  21. Authentication Map

  22. Remote Access
  • VPN

  23. Changing the Culture

  24. Changing the Culture
  • “Shock and Awe!”
  • “Culture eats strategy for lunch!”
  • Training and awareness to reinforce the responsibilities at all levels

  25. NYU Medical Center Case Study

  26. NYU Medical Center Approach
  • One Identity
  • One Password
  • One Entitlement Repository

  27. One Identity
  • Policy on unique user ID across the Medical Center
    • Challenges: multiple naming standards, shared computing resources, etc.
  • Central directory
    • Challenges: data feeds, data integrity, ownerships, etc.

  28. One Password
  • Establish a campus wide policy
  • Standardize on two authentication sources: LDAP and AD
  • Migrate critical applications toward LDAP and AD
  • Home grown applications would utilize a common API, where possible
  • Single Sign-On across major clinical applications
  • Use 802.1x/EAP for Wi-Fi
  • Password synchronization tool for end users

  29. One Entitlement Repository
  • Policy and standards on access management: roles, approval, workflow, etc.
  • Central repository and workflow to manage requests

  30. Next Steps
  • Process and/or mechanism for password resets and self-service
  • Access revalidation to get rid of unused user IDs
  • Workflow for request and termination of system access
  • Investigate Shibboleth and SAML for federated authentication
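The access-revalidation and termination-workflow items above are what catches the practices quoted in slide 16 (credentials of departed staff kept in circulation, a whole department holding root). The following is an added example, not code from the presentation or from any of the institutions named: it joins a constructed directory export with a constructed HR roster and flags the accounts a periodic review should act on.

```python
from datetime import date, timedelta

# Constructed sample data (not from the presentation): one row per directory account.
# Fields: user_id, enabled, last_logon (ISO date or None if never logged on), groups
DIRECTORY_EXPORT = [
    ("jsmith",  True,  "2005-09-20", ["clinical-users"]),
    ("rjones",  True,  "2005-02-01", ["clinical-users"]),          # dormant
    ("mlee",    True,  "2005-09-10", ["clinical-users", "root"]),  # left, still enabled
    ("svc-lab", True,  None,         ["root"]),                    # no HR record, never used
    ("akhan",   False, "2004-12-31", ["clinical-users"]),          # already disabled
]
# Constructed HR roster feed: user_id -> employment status.
HR_ROSTER = {"jsmith": "active", "rjones": "active", "mlee": "terminated", "akhan": "terminated"}


def revalidate(directory, roster, today, dormant_days=90):
    """Return findings keyed by category; each value is a sorted list of user IDs.

    terminated_enabled: HR says the person left, but the account is still enabled.
    dormant:            enabled account with no logon within dormant_days.
    no_hr_record:       enabled account that no HR record owns (orphan or service ID).
    privileged:         enabled account that is a member of the root group.
    """
    findings = {"terminated_enabled": [], "dormant": [], "no_hr_record": [], "privileged": []}
    cutoff = today - timedelta(days=dormant_days)
    for user_id, enabled, last_logon, groups in directory:
        if not enabled:
            continue  # already disabled; nothing to revalidate
        status = roster.get(user_id)
        if status is None:
            findings["no_hr_record"].append(user_id)
        elif status == "terminated":
            findings["terminated_enabled"].append(user_id)
        logon = date.fromisoformat(last_logon) if last_logon else None
        if logon is None or logon < cutoff:
            findings["dormant"].append(user_id)
        if "root" in groups:
            findings["privileged"].append(user_id)
    return {key: sorted(ids) for key, ids in findings.items()}


def privileged_group_too_large(findings, max_privileged=5):
    """True when more accounts hold root than the review threshold allows."""
    return len(findings["privileged"]) > max_privileged


def revalidate_sample():
    """Run the review over the constructed data as of the conference date."""
    return revalidate(DIRECTORY_EXPORT, HR_ROSTER, date(2005, 9, 26))
```

In practice the directory rows would come from an LDAP or AD export and the roster from the HR system feed the slides list among the central-directory challenges.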

  31. This is the Peer Engagement Part of this Session
  This part is designed to engage you (the audience) in exploring this topic. It is your opportunity to:
  • hear how your AMC peers see the topic and how their AMCs are handling it, and
  • provide information about how your AMC is handling the topic.

  32. Engagement Process
  • Facilitators:
    • Stimulate audience discussion with:
      • requests for questions and comments,
      • pre-designed questions and “instant polls” that are designed to assess how the audience of AMC peers sees the topic and to start further questions and comments from the audience.
    • Collect the results for reporting in the “track reporting” part of each plenary session and a planned GASP (Guidelines for AMCs on Security and Privacy) update.
  • Audience (and panelists): Respond to the questions and comments, and provide your own.

  33. Instant Poll Rules
  • Facilitators’ role:
    • Require audience members and panelists to shut their eyes (to promote more honest voting)
    • Ask for a show of hands for each item to be voted on.
  • Audience role:
    • Vote as you see fit.
    • Voting is anonymous.
    • Follow-up questions may ask voters to describe why they voted as they did, if they are comfortable doing so.
  • Anonymity:
    • For some issues, you may wish to keep your vote private; the “eyes-shut” voting rule is the main rule that assures this.
    • Also, the facilitators will take only the notes that you see on the screen and will not identify you by name or institution unless you explicitly say that you are willing to be so identified.

  34. Authentication - Passwords
  • Passwords at my AMC are so robust even Kevin Mitnick couldn’t crack them!
    • Strongly disagree ____
    • Disagree ___
    • Neither agree nor disagree ___
    • Agree ___
    • Strongly agree __
    • Don’t know who Kevin Mitnick is ___

  35. Authentication - Passwords
  • What is your institution doing to assure robust passwords?
    • Rules for creation
    • Frequency of change
    • How administered
  • What could you be doing better?
  • Words of wisdom?

  36. The Search for the Holy Grail
  • Single sign-on: myth or reality?
    • Pros
    • Cons

  37. Innovative Technologies
  • My AMC uses biometrics ___
  • My AMC uses smart cards ___
  • My AMC uses proximity detectors __
  • My AMC uses some combination of the above ___
  • My AMC has no money for fancy gizmos and relies solely on password authentication ___

  38. Authentication Experience
  • What was involved in the implementation at your AMC?
  • How long did the initial roll-out take?
  • Was user training involved?
  • What have been the successes/failures/issues?
  • What are the lessons learned?

  39. What follow-up activities would be helpful to AMCs in dealing with this topic?
  • {Audience/panelists responses}

  40. Engagement Quality Instant Poll
  • This session did a good job of engaging the panelists and the audience on the topic.
    1 - Strongly disagree ___
    2 - Disagree ___
    3 - Neither agree nor disagree ___
    4 - Agree ____
    5 - Strongly agree ____
