Learn about the challenges of network security and HIPAA compliance, and how endpoint security can provide a simpler and more effective solution. Discover the benefits of implementing a trusted guard at every host in your network and the importance of encryption and authentication.
End Point Security and HIPAA
Gary Christoph, Ph.D.
Sr. VP Government and Healthcare
gchristoph@seclarity.com
410-884-1313
Session 4.05, 10:30am, April 8, 2005
Seclarity, Inc., 11705 Lightfall Court, Columbia, MD 21044
A Blumberg Capital, Valley Ventures and Intel Capital Funded Security Company

Why is Network Security hard?
• Network Security perimeter solutions are inadequate
• New technologies, like wireless, render the “perimeter” fuzzy
• Insider threat persistently at the 50-70% level
• Management of the collection of perimeter point solutions is complex
• Historically, network security was never “designed in” to IP networks—a new approach is needed

What do we mean by “End Point Security”?
Instead of the Bastion perimeter model:
• Install a trusted “guard” at every host in your network
• Let this individual “guard” have the power of a firewall
• Let the “guards” mediate all user access to the network
• Make the “guards” be under central management, rather than under user control
• Let the “guards” authenticate to each other
• Allow the “guards” to encrypt traffic between legitimate users, wherever they may be

A Simplified View of a Contemporary “Secured” Network:
[Diagram labels: Wireless; Remote users with software VPN agents; Firewall; Internet; VPN; IDS; Proxy; Encrypted Traffic; Unencrypted Traffic]

A Simple View of an Endpoint-Secured Network:
[Diagram labels: Wireless; Remote user; Firewall; Internet; Encrypted Traffic]

What Does HIPAA Really Require?
YOU MUST:
• Think about the risks you face
• Develop coherent, enforceable policy
• Write it down
• Implement/operate whatever controls this requires
• Train/educate staff
• Periodically test & document

HIPAA Title II Administrative Simplification
Components: Transaction Standards; Standard Code Sets; Unique Health Identifiers; Security; Privacy

Security
• Administrative Procedures
  • Chain of Trust Agreement
  • Certification
  • Internal Audit, Training, Written Policies & Procedures, etc.
• Physical Safeguards
  • Secure Workstation
  • Physical Access Controls
  • Media Controls, etc.
  • Security Awareness
• Technical Security Services
  • Access Controls
  • Authorization
  • Data Authentication
  • Entity Authentication
• Technical Security Mechanisms
  • Basic Network Safeguards
  • Integrity and Protection
• Electronic Signature
  • Not currently required

Privacy
• Limitations
  • Covers Protected Health Information (PHI) transmitted or stored, in any medium (electronic, paper, oral)
• General Rules
  • PHI data elements defined
  • Notice of Privacy Practices mandated
  • Minimum necessary disclosure/use of data
  • Consent required for routine use
  • Authorization required for non-routine use
  • Business associate contracts required
  • Designated Privacy Officer
  • Training

HIPAA NW Security/Privacy Issues:
• People are involved
  • People are neither repeatable nor logical
  • People on the job make inappropriate assumptions
• Technical Solutions are too complex
  • Point products do not tile the floor
  • Management of many solutions is not easy or cheap
  • Pace of technological change adds new vulnerabilities (e.g., wireless)
• Administrative Solutions that are not
  • Processes get in the way of work
  • Controls violated without your knowledge or without consequence

Technical Solution Target
• Want transparency
  • Easy for users to comply
  • Easy for admins to enforce
• Want universality
  • Everywhere same policy enforced the same
  • Use technology to reduce administrative controls
• Want simplicity
  • Complexity is the enemy
  • Easy to manage
• Want verifiability
  • Documentable
• Want cheap
  • Do not want to go out of business

End Point Security Can Help:
Change the paradigm:
• Control access to the network at the individual End Points
• Give users only the network access they need
• Give control of those access rights back to the enterprise
• Eliminate dependence on the network infrastructure to enforce separation

A More Realistic “Secured” Network:
[Diagram labels: Labs; Hospital; Physicians’ Office; Wireless; Internet; IDS, VPN, Proxy and GW at each site; Encrypted path; Unencrypted path]

An “End Point” Secured Network:
[Diagram labels: Labs; Hospital; Physicians’ Office; Wireless; Internet; IDS; Encrypted path; Unencrypted path]

Vulnerability Scan Results
[Chart: findings by severity (Informational, Low, Medium, High, Serious), Before Sinic Install and After Sinic Install; label: Blocked]
• Three Generic Windows 2000 Servers
• OS Installed from CD Media with SP1
• Updated via Windows Update to the Latest Available Patches

Securing End Points: Network Virtualization
Set up separate “user communities” – Encrypt All PHI Traffic
[Diagram labels: Doctor on Rounds; Doctor’s Office; Laboratory Analyst; Accounting PC’s; Accounting Office Servers; Hospital Network; Internal Network; Hospital Mainframe; Hospital PHI DB Server; Remote User; P (marker on each protected end point)]

Different Kinds of End Point Security
Five kinds based on where the “guard” resides:
• Software in the host’s user space
• Software in the host’s operating system
• Hardware TPM in the host
• Hardware at the NIC level
• Hardware at the Host’s edge

Different Kinds of End Point Security
[Diagram: host on network, with the Agent shown in different positions relative to the OS and PHI, arranged by INCREASING TRUST. Labels in order: Ex: Sygate; Software Agents; Ex: Microsoft; Ex: TBA: TCG-TPM; Ex: 14-South, Seclarity; Hardware Agents; Ex: TBA]

End Point Security Can Help:
Benefits of Centrally managed End-Point Security
• Not capturable by the user—users only get those rights you want them to have
• Distributed enforcement can be fine-grained
• Addresses many Insider Threat issues
• Separates security from network management
• Policy enforcement is everywhere the same
• Simplified audit reporting
• Do not have to modify user behavior—reduced training
• Better security at lower overall cost
• Reduces urgency of patch-in-a-hurry
• Secures remote and distant users

Some Scenarios:
• Secure PHI for mobile users, e.g., Doctor on Hospital Rounds
• Patients/visitors given access to the Internet from Hospital networks (RJ-45 jacks), without fear of compromise of PHI
• Concessions (e.g., POS devices) can have completely isolated use of the enterprise network
• Prompt containment of compromised satellite hosts or workstations
• Securely manage PHI-containing servers from sysadmins at home or from Starbucks
• Simply demonstrate to auditors that “no connection from PHI containing servers to unauthorized users has occurred”
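
The “user communities” slide and the auditor scenario above can be modelled in a few lines. This is an added example, not code from the presentation or from any Seclarity product: the endpoint names, community assignments and log records are constructed, and the guard rule (default deny unless both end points are authenticated, share a community and encrypt) is an assumption drawn from the slides' description.

```python
from dataclasses import dataclass

# Central policy (constructed): each "user community" is a set of endpoint identities.
COMMUNITIES = {
    "clinical": {"doctor-rounds", "doctors-office", "lab-analyst", "phi-db"},
    "finance": {"accounting-pc", "accounting-server"},
    "guest": {"visitor-jack"},  # Internet-only; shares no community with PHI hosts
}
PHI_SERVERS = {"phi-db"}

@dataclass(frozen=True)
class Conn:
    src: str             # endpoint identity of the initiating guard
    dst: str             # endpoint identity of the receiving guard
    authenticated: bool  # the two guards mutually authenticated
    encrypted: bool      # traffic between the guards is encrypted

def shared_communities(a, b):
    return {n for n, members in COMMUNITIES.items() if a in members and b in members}

def guard_decision(conn):
    """Default deny: allow only authenticated, encrypted traffic within a shared community."""
    if not conn.authenticated:
        return "deny:unauthenticated"
    if not shared_communities(conn.src, conn.dst):
        return "deny:no-shared-community"
    if not conn.encrypted:
        return "deny:cleartext"
    return "allow"

def audit_phi(log):
    """Return logged connections involving a PHI server that were allowed against policy."""
    return [c for c, verdict in log
            if PHI_SERVERS & {c.src, c.dst}
            and verdict == "allow" and guard_decision(c) != "allow"]

# Constructed guard log: (connection, verdict the guard recorded at the time).
LOG = [
    (Conn("doctor-rounds", "phi-db", True, True), "allow"),
    (Conn("visitor-jack", "phi-db", True, True), "deny:no-shared-community"),
    (Conn("accounting-pc", "accounting-server", True, True), "allow"),
    (Conn("phi-db", "accounting-pc", True, True), "allow"),  # simulates a guard with stale policy
]

if __name__ == "__main__":
    for conn, verdict in LOG:
        print(conn.src, "->", conn.dst, "logged:", verdict, "policy:", guard_decision(conn))
    print("PHI audit findings:", audit_phi(LOG))
```

An empty result from `audit_phi` is the auditor statement from the last scenario; the one constructed finding shows what a guard enforcing an out-of-date policy would look like in the central log.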