
Security Considerations for Health Care Organizations

This Presentation is provided “as is” without any express or implied warranty. This Presentation is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney.


Presentation Transcript


  1. Security Considerations for Health Care Organizations
     Disclaimer: This Presentation is provided “as is” without any express or implied warranty. This Presentation is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney.

  2. Trust and Risk
     • Do you trust the Internet?
     • Do you trust wireless cell phone communications?
     • Are you sure that the person at the other end of the connection is who they say they are?

  3. Trust and Risk
     • Under the Electronic Fund Transfer Act (effective 1979; 15 U.S.C.), the credit card and ATM industry was forced to limit personal financial risk to users (usually $50 maximum if cards are used fraudulently)
     • The approach focused on reducing risk, since technology was not yet ready
     • Limiting risk compensates for a lack of trust
     • Many, however, consider this approach a band-aid for the real issue: increasing user trust
     • What is available and what can be provided?

  4. Typical Hacker Threats and Protections
     Hackers (threat): Protection
     • Masquerading: Authentication
     • Eavesdropping: Encryption
     • Interception: Digital Certs./Signatures
     • Address Spoofing: Firewalls
     • Data Manipulation: Encryption
     • Dictionary Attack: Strong Passwords
     • Replay Attacks: Time Stamping & Sequence Numbers
     • Denial of Service: Authentication

  5. Common Internet Attacks and Typical Fixes
     Internet Attacks: Fixes
     • Root access by buffer overflows: Upgrade Systems; Training
     • Distributed Denial of Service: Creating attack bottlenecks and coordination
     • E-Mail spamming and relaying: Training
     • Exploitation of misconfigured software and servers: Verification/Certification of Software
     • Mail attachment attacks: Training of Users to recognize Attachments

  6. Goals of Security Measures
     • Authentication – Who or what am I transacting with?
     • Access Control – Is the party allowed to enter into the transaction?
     • Confidentiality – Can any unauthorized parties see the transaction?
     • Integrity – Did the transaction complete correctly and as expected?
     • Non-Repudiation – Are authorized parties assured they will not be denied from transacting business?

  7. Virtual Private Networks (VPN)
     • Provides Virtual Network Connectivity
        • User to LAN/WAN
        • LAN/WAN to LAN/WAN
     • Encrypted at the TCP/IP Level
     • Provides Protected Communications for All TCP/IP Services
     [Diagram labels: LAN/WAN, LAN/WAN]

  8. Firewalls
     • Provides Traffic Management in Both Directions
     • Generally Located at Border between Public and Private Networks
     • Features Include
        • Proxy Server/Network Address Translation (NAT)
        • User Name/Password Authentication
        • Packet Filtering
        • Stateful vs. Stateless Packet Processing
        • Traffic Audit Logs

  9. Intrusion Detection System (IDS)
     • Audit
        • Store security-pertinent system data
        • Detect traffic patterns
        • Develop reports and establish critical parameters intrusion criteria using agent software
        • Set up revocation lists
     • Detect
        • Predefine flexible security violations criteria (e.g., identify zombie placement, Super User, Root user occurrences)
        • Be proactive
        • Become network-oriented
     • Secure
        • Fix applications or alterations that were made by an attacker where appropriate (e.g., Trojan Horse ID, Zombie Ant detection eliminated)
     [Diagram label: LAN/WAN]

  10. Backup Charts

  11. Firewall-1 / VPN-1 High Availability
     • Transparent fail-over of IPSec communications without loss of connectivity
     • Enables hot fail-over and load balancing across VPN gateways
     • Industry’s first transparent VPN fail-over that maintains session integrity
     [Diagram labels: Primary VPN-1 Gateway, Secondary VPN-1 Gateway, IKE Synchronization, Corporate Intranet, Internet, VPN-1 Gateway, VPN-1 SecuRemote]

  12. Architecture of a Distributed System
     [Diagram labels: User, Internet, Clients/Partners, Web Servers, Middleware, App Servers, Data Storage, Internal WANs and LANs, DNS, Messaging, Backup/Recovery]

  13. Critical Elements of Security Architecture
     • AUDIT, DETECT, and SECURE
        • Three stages of secure process that are to be followed
     • Provide security agents
        • Automated
        • Continually monitor all systems
        • Ensures that Zombie Ants are not being introduced or that Distributed Denial of Service conditions do not occur

  14. Added Notes:
     • Biometric and Smart Card Technology can be applied where appropriate
     • Biometrics is being tested
     • Standards still in the mill
     • People issue (many feel uneasy about providing fingerprints or eye scans, or physical variations, as means to set up secure operations)
     • Firms exist to do this today (e.g., International Biometric Group)
     • Smart cards now used by GSA for their badges have fingerprints embedded (3GI developed this – locally available support)

  15. Operational Documentation Checklist
     • Project Plan
     • System Security Plan (SSP)
     • Risk Assessment
     • Waiver Letter(s)
     • Approvals to Test
     • Interim Approvals to Operate
     • Certificate Policy
     • Subscriber Agreement

  16. Security Program Elements
     • Wide Security Program planning and managing to provide a framework and continuing cycle of activity for managing risk, developing security policies (in conjunction with the Office of Protection), assigning responsibilities, and monitoring the adequacy of the computer-related controls.
     • Access Control – controls that limit or detect access to computer resources (data, programs, and equipment) that protect these resources against unauthorized modification, loss or disclosure.
     • Segregation of Duties – establishing policies, procedures, and an organizational structure such that one individual cannot control key aspects of IT-related operations and thereby conduct unauthorized actions or gain unauthorized access to assets or records.
     • Service Continuity – implementing controls to ensure that when unexpected events occur (i.e., virus) critical operations continue without interruption or are promptly resumed and critical and sensitive information is protected.

  17. Comprehensive Network Security Policy Approach
     • Reference Model: Mission; Policy; Sec. Org Structure; Sec. Implementation Procedures; Awareness, Training, & Education; Phy & Env Protection; Connectivity Controls; Access Controls; Sys Admin Controls; Storage Media Controls; Accountability Controls; Assurance
     • Protect Model: Deny, Detect, Assess, Train, Enforce
     • Response Model: Respond, Report, Isolate, Contain, Recover

  18. Network Security Model: Network Security Strategic Reference Model
     [Diagram labels: Start, Threat, Value of Information]
     • Level 1. System Mission
     • Level 2. Security Policy
     • Level 3. Security Organizational Structure
     • Level 4. Security Implementation Procedures
     • Level 5. Security Awareness, Training, & Education
     • Level 6. Physical & Environmental Systems Protection
     • Level 7-11. Controls: System Access, Connectivity, Administration, Storage Media, & Accountability
     • Level 12. Assurance
     • Protect Model: Deny, Detect, Assess, Train, & Enforce
     • Response Model: Respond, Report, Isolate, Contain, & Recover
