
Remote Servicing under HIPAA with proposed Solution A


Presentation Transcript


  1. Remote Servicing under HIPAA with proposed Solution A
     John F. Moehrke, Chairman of Remote Servicing Focus Group, NEMA/COCIR/JIRA Security and Privacy Committee, Systems Engineering – Security and Privacy in Healthcare, GE Medical Systems

  2. What you will learn today
     • Remote Servicing is critical
     • Remote Servicing presents new security risks
     • Vendors are working on a common solution that will:
       • Reduce administration (Hospital and Vendor)
       • Improve Accountability
       • Provide a more secure environment
     Privacy is the Goal, Security is the way.

  3. Security and Privacy Committee (SPC)
     • Joint effort by NEMA-MII, COCIR-IT, and JIRA
     • Mission: Ensure a level of data security and data privacy in the health care sector that:
       • Meets legally mandated requirements
       • Can be implemented in ways that are reasonable and appropriate
       • Reduces Healthcare costs of compliance
     • Scope: All systems, devices, components, and accessories used in medical imaging informatics
       • Scope is not exclusive of other products and is expected to be extendable to all equipment that maintains Patient Data (PHI)
       • International data security and data privacy legislation, currently focusing on the European Community, Japan, and the United States of America

  4. Efforts of the SPC
     • Educational Document: http://medical.nema.org/privacy/education.pdf
     • Remote Servicing Proposal (this talk): http://medical.nema.org/privacy/remote.pdf
     • Audit Controls: http://medical.nema.org/privacy
     • Secure IHE Profiles: work in progress
     • Members: AGFA, GE, Kodak, Konica, Philips, Siemens, Toshiba

  5. Why do Remote Servicing?
     Benefit to Health Care Provider
     • Better Availability and Integrity of the systems
     • Quick response as no travel is involved
     • Higher quality of service
       • Knowledge base available at the Vendor
       • Expert can be applied to the problem/solution
     Benefit to Vendor
     • Lower costs to service equipment
     • More service offerings (preemptive diagnosis)
     • Remote Service Centers (RSC) centralize knowledge and expertise

  6. Hospital Remote Servicing today [diagram labels: Remote Service Center, Hospital Network, Vendor X, Vendor Y, Vendor Z, Modem Connections, Complex Wired Infrastructure]

  7. Hospital Remote Servicing Solution [diagram labels: Vendor X, Vendor Y, Vendor Z, Access points, Uses Hospital Network, Ex. Internet VPN]

  8. Hospital Access Control [diagram: Vendor X, Vendor Y, Vendor Z; control points: 1. Individual Service Personnel, 2. Device under service, 3. Access point Edges]

  9. Hospital Audit Trails [diagram: Vendor X, Vendor Y, Vendor Z; trail points: 1. Individual Service Personnel: who, what, where, when & why; 2. Device under service: when, and what; 3. Access point Edges: session specifics, where and when]

  10. Health Care Provider gains Control and Manageability
      • Control of each session and/or vendor
      • Rules that restrict where vendor X can go, what tools they can use, when they can connect, etc.
      • Strong Access Point Authentication
      • Audit trails to prove accountability

  11. Next Steps for SPC: Focus Group Charter
      Define a Reasonable and Practical solution that follows this architecture
      • Candidate ‘A’ -- IPSec tunneling over the Internet
        • ESP/AH – 3DES and SHA1
        • IKE – Session Key negotiation
        • Certificates – communicated out-of-band (mail, courier, etc.)
        • Filtering and Routing rules maintained by the Healthcare facility
        • Audit trails maintained at RSC
        • Individual Authentication maintained at the RSC

  12. Hospital Solution A: IPSec on Internet [diagram: Vendor X, Vendor Y, Vendor Z; IPSec Tunnel, ESP+AH, 3DES, SHA1, IKE-RSA, PKI out-of-band]
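As an added example (not from the slides or the SPC proposal): a small Python model of the hospital-side filtering rules of slides 10 and 11 and the audit trail of slide 9. It decides whether a vendor session may reach a device under service and always records who, what, where, when, why and the outcome, for denials as well as allowed sessions. Vendor names, device names, ports, times and ticket numbers are constructed sample data; representing a "tool" as a TCP port, and treating the engineer name as an identity the vendor's RSC has already authenticated, are assumptions of this example.

```python
"""Hospital-side access control and audit trail for vendor remote-service sessions.

Added example, not the SPC's own code. Models the hospital-maintained rules
(where a vendor may go, which tools, when) and the who/what/where/when/why
audit record. All vendors, devices, ports, times and tickets are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Rule:
    """What one vendor edge is allowed to do; maintained by the hospital."""
    devices: FrozenSet[str]        # devices under service this vendor may reach
    tools: FrozenSet[int]          # service tools, modelled here as TCP ports (assumption)
    window: Tuple[time, time]      # daily connect window (start, end), local hospital time


@dataclass(frozen=True)
class SessionRequest:
    vendor: str        # access-point edge identity (e.g. the IPsec peer certificate subject)
    engineer: str      # individual service person, authenticated at the vendor's RSC (assumption)
    device: str        # device under service the session wants to reach
    tool_port: int     # tool requested, as a TCP port
    when: datetime     # time the session is attempted
    why: str           # reason supplied by the RSC, e.g. a service ticket


@dataclass(frozen=True)
class AuditRecord:
    who: str
    what: str
    where: str
    when: str
    why: str
    outcome: str       # "ALLOW" or "DENY: <reason>"


def _in_window(t: time, window: Tuple[time, time]) -> bool:
    """True if t falls in the window; handles windows that cross midnight."""
    start, end = window
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def evaluate(rules: Dict[str, Rule], req: SessionRequest) -> AuditRecord:
    """Apply the hospital's rules to one request and produce the audit record."""
    rule = rules.get(req.vendor)
    if rule is None:
        outcome = "DENY: unknown vendor edge"
    elif req.device not in rule.devices:
        outcome = "DENY: device not assigned to vendor"
    elif req.tool_port not in rule.tools:
        outcome = "DENY: tool not permitted"
    elif not _in_window(req.when.time(), rule.window):
        outcome = "DENY: outside connect window"
    else:
        outcome = "ALLOW"
    # Every attempt is recorded, so the trail also shows what was refused.
    return AuditRecord(
        who=f"{req.vendor}/{req.engineer}",
        what=f"tcp/{req.tool_port}",
        where=req.device,
        when=req.when.isoformat(timespec="minutes"),
        why=req.why,
        outcome=outcome,
    )


# Constructed sample policy: two vendors, each confined to its own devices and tools.
SAMPLE_RULES: Dict[str, Rule] = {
    "vendor-x": Rule(frozenset({"ct-1", "mr-2"}), frozenset({22, 443}),
                     (time(7, 0), time(19, 0))),
    "vendor-y": Rule(frozenset({"us-3"}), frozenset({443}),
                     (time(22, 0), time(5, 0))),      # overnight window
}

# Constructed sample requests exercising each rule outcome.
SAMPLE_REQUESTS: List[SessionRequest] = [
    SessionRequest("vendor-x", "jdoe", "ct-1", 443, datetime(2002, 3, 4, 10, 30), "ticket 1234"),
    SessionRequest("vendor-x", "jdoe", "us-3", 443, datetime(2002, 3, 4, 10, 30), "ticket 1235"),
    SessionRequest("vendor-x", "jdoe", "mr-2", 3389, datetime(2002, 3, 4, 10, 30), "ticket 1236"),
    SessionRequest("vendor-y", "asmith", "us-3", 443, datetime(2002, 3, 4, 23, 15), "ticket 2001"),
    SessionRequest("vendor-y", "asmith", "us-3", 443, datetime(2002, 3, 4, 12, 0), "ticket 2002"),
    SessionRequest("vendor-z", "unknown", "ct-1", 443, datetime(2002, 3, 4, 12, 0), "ticket 3000"),
]


def run_sample() -> List[AuditRecord]:
    """Evaluate the constructed requests against the constructed policy."""
    return [evaluate(SAMPLE_RULES, r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for rec in run_sample():
        print(rec)
```

The hospital-side record complements, rather than replaces, the audit trail and individual authentication the slides place at the RSC: the hospital sees the vendor edge and the device and time, while the RSC holds the binding to the individual engineer.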

  13. Conclusion
      • The Focus Group is actively creating these Descriptions of Candidate Implementations
      • Vendors are providing experts from their Service organizations
        • AGFA, GE, Kodak, Philips, Siemens, Toshiba, +
      • Targeting end of 2002 with demonstration at RSNA
      • Will seek approval by NEMA, COCIR, and JIRA early 2002
      • Likely Vendor implementations mid 2002

  14. John F. Moehrke, GE Medical Systems, 262-293-1667, John.Moehrke@med.ge.com
