Security Considerations for Health Care Organizations
FEF Group, LLC
Frank E. Ferrante, President, FEF Group, LLC; Chair, MTPC
11 January 2001
Presented at SAINT2001 Global Telehealth/Telemedicine and the Internet Workshop, San Diego, CA
Outline
• HIPAA
• HHS Patient Information Privacy
• Threats and Protection Mechanisms
• Information Protection Rules
• Typical Security Architectural Views
• Policies to be considered
HIPAA
• IEEE-USA's Medical Technology Policy Committee positions
  • Implementation timetable of two years
  • Patient information must be protected over all means of electronic transmission and storage (includes fax, phone, wireless)
  • Authorization for accessing databases must be assured
• IEEE-USA recommended coordination among agencies and organizations on a more realistic time schedule
  • Costs for compliance in two years as estimated in the HIPAA NPRM are too low (conflict between timely compliance and financial viability)
• IEEE recommended that the effective date be divided into three phases
  • Phase 1: Prepare policies, plans and risk assessments (my estimate: 1 year)
  • Phase 2: Certify new hardware, software and firmware (my estimate: 2 years)
  • Phase 3: Replace the installed base of hardware, software and firmware with HIPAA-compliant products (my estimate: 3 to 5 year program)
  • Changes the date of compliance to 2008, not 2002 (realistic given cost, technology changes, and training for implementation)
New Patient Privacy Regulations
• Takes effect in two years (2003)
• Bars all health care providers and insurance companies from disclosing private health information for non-health related purposes
• Doctors required to have written permission from the patient before sharing patient information (includes billing and treatment)
• Prohibits employers from perusing medical information on employees and job applicants
  • If an employer manages its own healthcare plan it cannot use the employee's information for anything other than healthcare
• RULE COVERS BOTH ELECTRONIC AND PAPER RECORDS
• Penalties: $100 per violation ($25,000 max/yr); $250,000 and 10 yrs prison
• LAW ENFORCEMENT CAN OBTAIN ACCESS TO RECORDS WITH AN ADMINISTRATIVE SUBPOENA OR SUMMONS (NO COURT NEEDED)
Healthcare Information Sharing
• Consulting physicians
• Managed care organizations
• Health insurance companies
• Life insurance companies
• Self-insured employers
• Pharmacies
• Pharmacy benefit managers
• Clinical laboratories
• Accrediting organizations
• State and Federal statistical agencies
• Medical information bureaus
Information Protection Failures
• A Michigan-based health system accidentally posted the medical records of thousands of patients on the Internet (The Ann Arbor News, February 10, 1999).
• A Utah-based pharmaceutical benefits management firm used patient data to solicit business for its owner, a drug store (Kiplingers, February 2000).
• An employee of the Tampa, Florida, health department took a computer disk containing the names of 4,000 people who had tested positive for HIV, the virus that causes AIDS (USA Today, October 10, 1996).
• The health insurance claims forms of thousands of patients blew out of a truck on its way to a recycling center in East Hartford, Connecticut (The Hartford Courant, May 14, 1999).
• A patient in a Boston-area hospital discovered that her medical record had been read by more than 200 of the hospital's employees (The Boston Globe, August 1, 2000).
• A Nevada woman who purchased a used computer discovered that the computer still contained the prescription records of the customers of the pharmacy that had previously owned the computer. The pharmacy database included names, addresses, social security numbers, and a list of all the medicines the customers had purchased (The New York Times, April 4, 1997 and April 12, 1997).
• A speculator bid $4000 for the patient records of a family practice in South Carolina. Among the businessman's uses of the purchased records was selling them back to the former patients (New York Times, August 14, 1991).
• In 1993, the Boston Globe reported that Johnson and Johnson marketed a list of 5 million names and addresses of elderly incontinent women (ACLU Legislative Update, April 1998).
• A few weeks after an Orlando woman had her doctor perform some routine tests, she received a letter from a drug company promoting a treatment for her high cholesterol (Orlando Sentinel, November 30, 1997).
Trust and Risk
• Do you trust the Internet?
• Do you trust wireless cell phone communications?
• Are you sure that the person at the other end of the connection is who they say they are?
Trust and Risk
• Under the Electronic Fund Transfer Act (effective 1979, 15 U.S.C.), the credit card and ATM industry was forced to limit personal financial risk to users (usually $50 maximum if cards are used fraudulently)
• The approach focused on reducing risk since the technology was not yet ready
• Limiting risk compensates for a lack of trust
• Many consider this approach, however, a band-aid over the real issue – increasing user trust
• What is available and what can be provided?
Typical Hacker Threats and Protections
• Hacker threats
  • Masquerading
  • Eavesdropping
  • Interception
  • Address Spoofing
  • Data Manipulation
  • Dictionary Attack
  • Replay Attacks
  • Denial of Service
• Protections (listed in the same order as the threats they address)
  • Authentication
  • Encryption
  • Digital Certs./Signatures
  • Firewalls
  • Encryption
  • Strong Passwords
  • Time Stamping & Sequence Numbers
  • Authentication
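Three of the threat/protection pairs on this slide (masquerading and data manipulation countered by authentication, replay countered by time stamps and sequence numbers) can be shown in one small message exchange. The Python below is an added example written for this page, not code from the presentation; it uses an HMAC over a shared key as the authentication mechanism (a PKI signature would play the same role), and the key, clock-skew window, sequence numbers and message contents are constructed values.

```python
import hashlib
import hmac
import json

# Constructed shared secret for this example only; a real deployment would
# distribute keys out of band or through a PKI. Hypothetical value.
SHARED_KEY = b"example-shared-key-not-for-production"
MAX_CLOCK_SKEW = 30  # seconds of timestamp drift tolerated (assumed policy)


def build_message(seq, timestamp, payload, key=SHARED_KEY):
    """Sender side: bind a sequence number and timestamp to the payload and
    compute an HMAC tag over the whole body so none of it can be altered."""
    body = {"seq": seq, "ts": timestamp, "payload": payload}
    canonical = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Receiver side. The tag check authenticates the sender (masquerading and
    data manipulation); the timestamp window and strictly increasing sequence
    number reject replays of messages that were genuinely sent earlier."""

    def __init__(self, key=SHARED_KEY, skew=MAX_CLOCK_SKEW):
        self.key = key
        self.skew = skew
        self.last_seq = 0
        self.log = []  # (verdict, reason) per message, for audit

    def accept(self, message, now):
        body = message["body"]
        canonical = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(self.key, canonical, hashlib.sha256).hexdigest()
        # compare_digest runs in constant time so the tag cannot be guessed
        # byte by byte from response timing
        if not hmac.compare_digest(expected, message["tag"]):
            self.log.append(("reject", "bad tag: forged or modified message"))
            return False
        if abs(now - body["ts"]) > self.skew:
            self.log.append(("reject", "timestamp outside window: replay"))
            return False
        if body["seq"] <= self.last_seq:
            self.log.append(("reject", "sequence number reused: replay"))
            return False
        self.last_seq = body["seq"]
        self.log.append(("accept", body["payload"]))
        return True


def demo():
    """Constructed exchange: one valid message, then each failure mode."""
    rx = Receiver()
    verdicts = []
    m1 = build_message(1, 1000, "order lab test, patient 42")
    verdicts.append(rx.accept(m1, now=1005))       # fresh and authentic
    verdicts.append(rx.accept(m1, now=1010))       # same message resent
    m2 = build_message(2, 1000, "refill prescription")
    verdicts.append(rx.accept(m2, now=1100))       # delivered 100 s late
    m3 = build_message(3, 1200, "refill prescription")
    m3["body"]["payload"] = "refill prescription x10"   # altered in transit
    verdicts.append(rx.accept(m3, now=1201))
    forged = {"body": {"seq": 4, "ts": 1300, "payload": "x"}, "tag": "00" * 32}
    verdicts.append(rx.accept(forged, now=1300))   # built without the key
    return verdicts, [reason for _, reason in rx.log]


if __name__ == "__main__":
    verdicts, reasons = demo()
    for verdict, reason in zip(verdicts, reasons):
        print(verdict, reason)
```

The order of the checks matters: the tag is verified first so that an unauthenticated packet can never advance the sequence counter or otherwise change receiver state, and the audit log records why each message was refused, which is the raw material an intrusion detection system later works from.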
Common Internet Attacks and Typical Fixes
• Internet attacks
  • Root access by buffer overflows
  • Distributed Denial of Service
  • E-mail spamming and relaying
  • Exploitation of misconfigured software and servers
  • Mail attachment attacks
• Fixes (listed in the same order as the attacks they address)
  • Upgrade systems; training
  • Creating attack bottlenecks and coordination
  • Training
  • Verification/certification of software
  • Training of users to recognize attachments
Goals of Security Measures
• Authentication – Who or what am I transacting with?
• Access Control – Is the party allowed to enter into the transaction?
• Confidentiality – Can any unauthorized parties see the transaction?
• Integrity – Did the transaction complete correctly and as expected?
• Non-Repudiation – Are authorized parties assured that they will not be denied from transacting business?
Goals Satisfied by Current Security Mechanisms
[Matrix figure: rows are the mechanisms Intrusion Detection System, Virtual Private Network, Public Key Infrastructure, User Name/Password, Encryption and Firewall; columns are the goals Authentication, Access Control, Confidentiality, Integrity and Non-Repudiation. The individual check marks are not recoverable from the extracted text.]
Public Key Infrastructure (PKI)
• Public/Private Key
• Most comprehensive security model to date
• Encryption
• Digital certificates for authentication
• Digital signatures for non-repudiation
• Certificates (hash function and certificate assignments automated)
• Integration into applications (can be implemented rapidly using existing CA servers)
[Figure: a Certificate Authority issues certificates; the sender's private key produces a digitally signed message that is verified with the sender's public key; the message is encrypted with the recipient's public key and decrypted with the recipient's private key.]
Virtual Private Networks (VPN)
• Provides virtual network connectivity
  • User to LAN/WAN
  • LAN/WAN to LAN/WAN
• Encrypted at the TCP/IP level
• Provides protected communications for all TCP/IP services
Firewalls
• Provides traffic management in both directions
• Generally located at the border between public and private networks
• Features include
  • Proxy Server/Network Address Translation (NAT)
  • User Name/Password Authentication
  • Packet Filtering
  • Stateful vs. Stateless Packet Processing
  • Traffic Audit Logs
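The difference between stateless and stateful packet processing, and the audit log a firewall keeps, is easiest to see on a handful of packets. This Python model is an added example for this page, not code from the presentation or from any firewall product; the addresses, the "only port 443 on the web server is public" policy and the four-packet traffic sample are all constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in": arriving from the public network; "out": leaving the private one
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


# Constructed policy: only the internal web server on port 443 is reachable
# from outside; any other inbound packet must belong to a flow that an inside
# host started. Addresses come from documentation ranges (hypothetical).
PUBLIC_SERVICES = {("10.0.0.5", 443)}


def audit_line(verdict, pkt):
    """One audit log line per decision (the slide's 'Traffic Audit Logs')."""
    flags = ("S" if pkt.syn else "-") + ("A" if pkt.ack else "-")
    return (f"{'ALLOW' if verdict else 'DENY '} {pkt.direction:<3} {flags} "
            f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")


class StatelessFilter:
    """Per-packet rules with no memory. Return traffic for outbound connections
    can only be approximated by 'not a bare SYN', which also admits any
    unsolicited inbound packet that happens to carry the ACK flag."""

    def __init__(self):
        self.audit = []

    def allow(self, pkt):
        if pkt.direction == "out" or (pkt.dst, pkt.dport) in PUBLIC_SERVICES:
            verdict = True
        else:
            verdict = not (pkt.syn and not pkt.ack)
        self.audit.append(audit_line(verdict, pkt))
        return verdict


class StatefulFilter:
    """Remembers flows opened from inside. An inbound packet is allowed only
    for a public service or when it matches a remembered flow in reverse."""

    def __init__(self):
        self.flows = set()
        self.audit = []

    def allow(self, pkt):
        if pkt.direction == "out":
            if pkt.syn and not pkt.ack:  # new connection from inside
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            verdict = True
        elif (pkt.dst, pkt.dport) in PUBLIC_SERVICES:
            verdict = True
        else:
            verdict = (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows
        self.audit.append(audit_line(verdict, pkt))
        return verdict


# Constructed traffic sample: an inside client opens a web connection and
# receives its reply, an outside client reaches the public web server, and an
# unsolicited ACK-only packet arrives for a desktop port nobody opened.
SAMPLE_TRAFFIC = [
    Packet("out", "10.0.0.7", 40001, "203.0.113.9", 80, syn=True, ack=False),
    Packet("in", "203.0.113.9", 80, "10.0.0.7", 40001, syn=True, ack=True),
    Packet("in", "198.51.100.2", 51234, "10.0.0.5", 443, syn=True, ack=False),
    Packet("in", "198.51.100.2", 51235, "10.0.0.7", 3389, syn=False, ack=True),
]


def run_sample(fw):
    """Feed the sample through a filter and return its per-packet verdicts."""
    return [fw.allow(p) for p in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for fw in (StatelessFilter(), StatefulFilter()):
        run_sample(fw)
        print(type(fw).__name__)
        print("\n".join(fw.audit))
```

Both filters pass the first three packets; only the stateful one denies the fourth, because no inside host ever opened a flow to 198.51.100.2:51235. The price of that precision is the state table itself, which must be bounded and aged out, a point the high-availability slide later on touches on when it talks about synchronizing gateways.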
Intrusion Detection System (IDS)
• Audit
  • Store security-pertinent system data
  • Detect traffic patterns
  • Develop reports and establish critical parameters and intrusion criteria using agent software
  • Set up revocation lists
• Detect
  • Predefine flexible security violation criteria (e.g., identify zombie placement, Super User, Root user occurrences)
  • Be proactive
  • Become network-oriented
• Secure
  • Fix applications or alterations that were made by an attacker where appropriate (e.g., Trojan Horse ID, Zombie Ant detection eliminated)
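The "predefined criteria" in the Detect step (root and superuser occurrences among them) are in practice rules run over audit data. The Python below is an added example for this page, not code from the presentation or from any IDS product: it applies three such criteria to a constructed syslog-style sample (invented hosts, users, addresses and timestamps), with the failed-login threshold being an assumed value.

```python
import re
from collections import defaultdict

# Constructed sample log in a syslog-like layout; no real host or user is
# represented. Timestamps, hostnames and addresses are invented.
SAMPLE_LOG = """\
Jan 11 09:01:02 ehr-db sshd[2201]: Failed password for nurse1 from 10.0.0.21 port 51000
Jan 11 09:01:05 ehr-db sshd[2201]: Failed password for nurse1 from 10.0.0.21 port 51001
Jan 11 09:01:09 ehr-db sshd[2201]: Failed password for nurse1 from 10.0.0.21 port 51002
Jan 11 09:01:12 ehr-db sshd[2201]: Failed password for admin from 10.0.0.21 port 51003
Jan 11 09:01:15 ehr-db sshd[2201]: Failed password for root from 10.0.0.21 port 51004
Jan 11 09:02:00 ehr-db sshd[2210]: Accepted password for root from 10.0.0.21 port 51005
Jan 11 09:05:30 ehr-app su[3301]: (to root) dba on pts/2
Jan 11 09:06:00 ehr-app su[3302]: (to dba) nurse2 on pts/3
Jan 11 09:07:00 ehr-app sshd[3400]: Accepted publickey for nurse2 from 10.0.0.30 port 40000
"""

PREFIX = r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
FAILED = re.compile(PREFIX + r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>[\d.]+)")
ACCEPTED = re.compile(PREFIX + r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>[\d.]+)")
SU_ROOT = re.compile(PREFIX + r"su\[\d+\]: \(to root\) (?P<user>\S+)")

# Predefined criterion (assumed value): this many failed logins from one
# source against one host is treated as a password-guessing pattern.
FAIL_THRESHOLD = 4


def analyze(log_text, fail_threshold=FAIL_THRESHOLD):
    """Return a list of (criterion, host, subject, detail) alerts."""
    failures = defaultdict(int)   # (host, src) -> failed logins so far
    alerts = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            key = (m["host"], m["src"])
            failures[key] += 1
            if failures[key] == fail_threshold:   # fire once, at the threshold
                alerts.append(("repeated-failures", m["host"], m["src"], m["ts"]))
            continue
        m = ACCEPTED.match(line)
        if m:
            if m["user"] == "root":   # a direct root login is a criterion by itself
                alerts.append(("root-login", m["host"], m["src"], m["ts"]))
            if failures[(m["host"], m["src"])] >= fail_threshold:
                alerts.append(("success-after-failures", m["host"], m["src"], m["user"]))
            continue
        m = SU_ROOT.match(line)
        if m:   # privilege escalation to root, recorded for review
            alerts.append(("su-to-root", m["host"], m["user"], m["ts"]))
    return alerts


def alert_kinds(log_text=SAMPLE_LOG):
    """Just the criterion names, in the order they fired."""
    return [a[0] for a in analyze(log_text)]


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

On the sample the rules fire four times: the fourth failure from 10.0.0.21, the root login that follows it, the "success after a run of failures" combination (the most useful of the three, since it correlates two events the others see in isolation), and the su to root on the application host. The su to dba and the key-based login of nurse2 produce nothing, which is the point of writing the criteria narrowly.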
Security Policies - Why Are They Needed?
• Security policies drive the general security framework
• Policies define what behavior is and is not allowed
• Policies define who, what, and how much to trust
  • Too much trust leads to security problems
  • Too little trust leads to usability problems
  • Principle of least access
• Policies will often set the stage in terms of what tools and procedures are needed for the organization
• Policies communicate consensus among a group of "governing" people
• Computer security is now a global issue and computing sites are expected to follow the "good neighbor" philosophy
Key Elements of an Information Protection Policy
• Define who can have access to sensitive information
  • special circumstances
  • non-disclosure agreements
• Define how sensitive information is to be stored and transmitted (encrypted, archive files, uuencoded, etc.)
• Define on which systems sensitive information can be stored
• Discuss what levels of sensitive information can be printed on physically insecure printers
• Define how sensitive information is removed from systems and storage devices
• Discuss any default file and directory permissions defined in system-wide configuration files
Key Elements of a Network Connection Policy
• Defines requirements for adding new devices to your network
• Well suited for sites with multiple support teams
• Important for sites which are not behind a firewall
• Should discuss:
  • who can install new resources on the network
  • what approval and notification must be done
  • how changes are documented
  • what the security requirements are
  • how unsecured devices are treated
Other Important Policies
• Policy which addresses forwarding of email to offsite addresses
• Policy which addresses wireless networks
• Policy which addresses baseline lab security standards
• Policy which addresses baseline router configuration parameters
Open PKI Support for Customer Choice
[Figure: a corporate intranet, supplier network, customer network, remote office and mobile users connected across the Internet, each site using a different vendor's PKI (Baltimore, Entrust, Microsoft, Netscape, Verisign).]
Firewall-1 / VPN-1 High Availability
• Transparent fail-over of IPSec communications without loss of connectivity
• Enables hot fail-over and load balancing across VPN gateways
• Industry's first transparent VPN fail-over that maintains session integrity
[Figure: primary and secondary VPN-1 gateways in front of the corporate intranet with IKE synchronization between them; a remote VPN-1 gateway and VPN-1 SecuRemote clients connect across the Internet.]
Architecture of a Distributed System
[Figure: users, clients and partners reach web servers across the Internet; behind them sit middleware, application servers and data storage on internal WANs and LANs, supported by DNS, messaging and backup/recovery services.]
Critical Elements of Security Architecture
• AUDIT, DETECT, and SECURE
  • Three stages of a secure process that are to be followed
• Provide security agents
  • Automated
  • Continually monitor all systems
  • Ensures that Zombie Ants are not being introduced and that Distributed Denial of Service conditions do not occur
Call Centers
• New systems available
  • IP inclusive
  • Secure
  • Minimize labor element
  • Customer oriented
  • Flexible
  • High performance
• Product vendors
  • Lucent
  • Others
• Recommendation for support
Added Notes
• Biometric and Smart Card Technology can be applied where appropriate
  • Biometrics is being tested
  • Standards still in the mill
  • People issue – many feel uneasy about providing fingerprints, eye scans, or physical variations as the means to set up secure operations
  • Firms exist to do this today (e.g., International Biometric Group)
• Smart cards now used by GSA for their badges have fingerprints embedded (3GI developed this – locally available support)
• See ITPro May/Jun 2000 issue, page 24, article on Electronic and Digital Signatures: In Search of a Standard by Tom Wells, CEO of b4bpartner, Inc. (Florida firm)
List of PKI Operation Reference Specs and Requirements
• DOD5200R – DOD 5200.2-R, Personnel Security Program.
• FIPS1401 – Security Requirements for Cryptographic Modules, 1994-01. http://csrc.nist.gov/fips/fips1401.htm
• FIPS112 – Password Usage, 1985-05-30. http://csrc.nist.gov/fips/
• FIPS186 – Digital Signature Standard, 1994-05-19. http://csrc.nist.gov/fips/fips186.pdf
• FPKI-E – Federal PKI Version 1 Technical Specifications: Part E – X.509 Certificate and CRL Extensions Profile, 7 Jul 1997. http://csrc.nist.gov/pki/FPKI7-10.DOC
• ISO9594-8 – Information Technology – Open Systems Interconnection – The Directory: Authentication Framework, 1997. ftp://ftp.bull.com/pub/OSIdirectory/ITU/97x509final.doc
• NS4005 – NSTISSI 4005, Safeguarding COMSEC Facilities and Material, 1997 August.
List of PKI Operation Reference Specs and Requirements (Concluded)
• NS4009 – NSTISSI 4009, National Information Systems Security Glossary, 1999 January.
• RFC2510 – Adams and Farrell. Certificate Management Protocol, 1999 March. http://www.ietf.org/rfc/rfc2510.txt
• RFC2527 – Chokhani and Ford. Certificate Policy and Certification Practices Framework, 1999 March. http://www.ietf.org/rfc/rfc2527.txt
• SDN702 – SDN.702, Abstract Syntax for Utilization with Common Security Protocol (CSP), Version 3 X.509 Certificates, and Version 2 CRLs, Revision 3, 31 July 1997. http://www.armadillo.Huntsville.al.us/Fortezza_docs/sdn702rev3.pdf
• SDN706 – X.509 Certificate and Certification Revocation List Profiles and Certification Path Processing Rules for MISSI, Revision 3.0, 30 May 1997. http://www.armadillo.Huntsville.al.us/Fortezza_docs/sdn706r30.pdf
• Information Technology Security Program (used for assessing and modifying existing security policies) – Draft from CIO Council, March 2000.
• Circular A-130 – Management of Federal Information Resources, OMB.
• Special Pub 800-14 – Generally Accepted Principles and Practices for Securing Information Technology Systems (GSSP), NIST.
Operational Documentation Checklist
• Project Plan
• CONOPS
• System Security Plan (SSP)
• Risk Assessment
• Waiver Letter(s)
• Approvals to Test
• Interim Approvals to Operate
• Certificate Policy
• Subscriber Agreement
Security Program Elements
• Mint-wide Security Program – planning and managing to provide a framework and continuing cycle of activity for managing risk, developing security policies (in conjunction with the Office of Protection), assigning responsibilities, and monitoring the adequacy of the Mint's computer-related controls.
• Access Control – controls that limit or detect access to computer resources (data, programs, and equipment) and protect these resources against unauthorized modification, loss or disclosure.
• Segregation of Duties – establishing policies, procedures, and an organizational structure such that one individual cannot control key aspects of IT-related operations and thereby conduct unauthorized actions or gain unauthorized access to assets or records.
• Service Continuity – implementing controls to ensure that when unexpected events occur (e.g., a virus) critical operations continue without interruption or are promptly resumed, and critical and sensitive information is protected.
Comprehensive Network Security Policy Approach
[Figure: the Reference Model drawn as a stack of layers – Mission; Policy; Security Organization Structure; Security Implementation Procedures; Awareness, Training & Education; Physical & Environmental Protection; Connectivity Controls; Access Controls; System Administration Controls; Storage Media Controls; Accountability Controls; Assurance.]
• Protect Model: Deny, Detect, Assess, Train, Enforce
• Response Model: Respond, Report, Isolate, Contain, Recover
Network Security Model
Network Security Strategic Reference Model (Threat Level and Value of Information feed the model)
• Level 1. System Mission
• Level 2. Security Policy
  • Protect Model: Deny, Detect, Assess, Train, & Enforce
  • Response Model: Respond, Report, Isolate, Contain, & Recover
• Level 3. Security Organizational Structure
• Level 4. Security Implementation Procedures
• Level 5. Security Awareness, Training, & Education
• Level 6. Physical & Environmental Systems Protection
• Levels 7-11. Controls: System Access, Connectivity, Administration, Storage Media, & Accountability
• Level 12. Assurance
Telecommunications Trends and Increasing Complexity
[Chart: data rate (10 bps to 100 Gbps, log scale) against year (1950 to 2000), plotting direct access (75 bps), dial-up (300 bps), early modem access (1200 bps), AMPS analog modem access, RAM (8 Kbps), ARDIS (4.8-19.2 Kbps), ISDN/X.25 (56 Kbps), Ethernet IEEE 802.3 (10 Mbps), IBM Token Ring (16 Mbps), Fast Ethernet and FDDI (100 Mbps), 3G wireless (256 Kbps-2 Mbps+), LMDS/MMDS wireless (2.4-38 GHz upper band, 10-155 Mbps), wireless systems (1 Gbps) and ATM/SONET networks (10 Gbps+).]
• Frequency band trends: 39-50 MHz, 150 MHz, 400 MHz, 800 MHz, 700 MHz, 2.5 GHz, 5 GHz, 28 GHz, 38 GHz
• Local/Multichannel Multipoint Distribution System (LMDS/MMDS) Wireless; Analog/Digital Cable Technology (unlicensed 2.4-2.5 GHz bands, licensed 24-38 GHz bands, with data rates in the 1.5 to 155 Mbps range)
• RAM - Radio Analog Mobile Service
• ARDIS - Advanced Radio Data Information Service
• AMPS - Analog Mobile Paging System