FEF Group, LLC

Security Considerations for Health Care Organizations

Frank E. Ferrante
President
FEF Group, LLC
Chair MTPC

11 January 2001

Presented at SAINT2001
Global Telehealth/Telemedicine and the Internet Workshop
San Diego, CA

    eHealth Privacy
                                                                                 FEF Group
1
Outline

• HIPAA
• HHS Patient Information Privacy
• Threats and Protection Mechanisms
• Information Protection Rules
• Typical Security Architectural Views
• Policies to be considered

HIPAA

• IEEE-USA’s Medical Technology Policy Committee Positions
  – Implementation timetable of two years
  – Patient information must be protected by all means of electronic transmission and storage (includes fax, phone, wireless)
  – Authorization for accessing databases must be assured
  – IEEE-USA recommended coordination among agencies and organizations on a more realistic time schedule
    • Costs for compliance in two years as estimated in the HIPAA NPRM are too low (conflict between timely compliance and financial viability)
    • IEEE recommended that the effective date be divided into three phases
      – Phase 1: Prepare policies, plans and risk assessments (my estimate: 1 year)
      – Phase 2: Certify new hardware, software and firmware (my estimate: 2 years)
      – Phase 3: Replace the installed base of hardware, software and firmware with HIPAA-compliant products (my estimate: 3 to 5 year program)
        • Changes the date of compliance to 2008, not 2002 (realistic given cost, technology changes, and training for implementation)

New Patient Privacy Regulations

• Takes effect in two years (2003)
• Bars all health care providers and insurance companies from disclosing private health information for non-health-related purposes
• Doctors are required to have written permission from the patient before sharing patient information (includes billing and treatment)
• Prohibits employers from perusing medical information on employees and job applicants
• If an employer manages its own healthcare plan, it cannot use the employee’s information for anything other than healthcare
• RULE COVERS BOTH ELECTRONIC AND PAPER RECORDS
• Penalties: $100 per violation ($25,000 max/yr); $250,000 and 10 yrs prison
• LAW ENFORCEMENT CAN OBTAIN ACCESS TO RECORDS WITH AN ADMINISTRATIVE SUBPOENA OR SUMMONS (NO COURT NEEDED)

Healthcare Information Sharing

• Consulting physicians;
• Managed care organizations;
• Health insurance companies;
• Life insurance companies;
• Self-insured employers;
• Pharmacies;
• Pharmacy benefit managers;
• Clinical laboratories;
• Accrediting organizations;
• State and Federal statistical agencies; and
• Medical information bureaus.

Information Protection Failures

• A Michigan-based health system accidentally posted the medical records of thousands of patients on the Internet (The Ann Arbor News, February 10, 1999).
• A Utah-based pharmaceutical benefits management firm used patient data to solicit business for its owner, a drug store (Kiplingers, February 2000).
• An employee of the Tampa, Florida, health department took a computer disk containing the names of 4,000 people who had tested positive for HIV, the virus that causes AIDS (USA Today, October 10, 1996).
• The health insurance claims forms of thousands of patients blew out of a truck on its way to a recycling center in East Hartford, Connecticut (The Hartford Courant, May 14, 1999).
• A patient in a Boston-area hospital discovered that her medical record had been read by more than 200 of the hospital's employees (The Boston Globe, August 1, 2000).
• A Nevada woman who purchased a used computer discovered that the computer still contained the prescription records of the customers of the pharmacy that had previously owned the computer. The pharmacy database included names, addresses, social security numbers, and a list of all the medicines the customers had purchased (The New York Times, April 4, 1997 and April 12, 1997).
• A speculator bid $4000 for the patient records of a family practice in South Carolina. Among the businessman's uses of the purchased records was selling them back to the former patients (New York Times, August 14, 1991).
• In 1993, the Boston Globe reported that Johnson and Johnson marketed a list of 5 million names and addresses of elderly incontinent women (ACLU Legislative Update, April 1998).
• A few weeks after an Orlando woman had her doctor perform some routine tests, she received a letter from a drug company promoting a treatment for her high cholesterol (Orlando Sentinel, November 30, 1997).

Trust and Risk

• Do you trust the Internet?
• Do you trust wireless cell phone communications?
• Are you sure that the person at the other end of the connection is who they say they are?

Trust and Risk

• Under the Electronic Fund Transfer Act (effective 1979, 15 U.S.C.), the credit card and ATM industry was forced to limit personal financial risk to users (usually $50 maximum if cards are used fraudulently)
• The approach focused on reducing risk since the technology was not yet ready
• Limiting risk compensates for a lack of trust
• Many, however, consider this approach a band-aid over the real issue: increasing user trust
• What is available and what can be provided?

Typical Hacker Threats and Protections

Hacker threat             Protection
– Masquerading            – Authentication
– Eavesdropping           – Encryption
– Interception            – Digital Certs./Signatures
– Address Spoofing        – Firewalls
– Data Manipulation       – Encryption
– Dictionary Attack       – Strong Passwords
– Replay Attacks          – Time Stamping & Sequence Numbers
– Denial of Service       – Authentication

Common Internet Attacks and Typical Fixes

Internet attack                                    Fix
– Root access by buffer overflows                  – Upgrade systems; training
– Distributed Denial of Service                    – Creating attack bottlenecks and coordination
– E-mail spamming and relaying                     – Training
– Exploitation of misconfigured software/servers   – Verification/certification of software
– Mail attachment attacks                          – Training of users to recognize attachments

Goals of Security Measures

• Authentication – Who or what am I transacting with?
• Access Control – Is the party allowed to enter into the transaction?
• Confidentiality – Can any unauthorized parties see the transaction?
• Integrity – Did the transaction complete correctly and as expected?
• Non-Repudiation – Are authorized parties assured they will not be denied from transacting business?

Goals Satisfied by Current Security Mechanisms

[Table: rows are the goals Authentication, Access Control, Confidentiality, Integrity and Non-Repudiation; columns are individual security mechanisms whose headings were lost in extraction; a P marks a goal the mechanism satisfies. Access Control is marked under every column and Non-Repudiation under only the last.]

Public Key Infrastructure (PKI)

• Public/Private Key
• Most comprehensive security model to date
  – Encryption
  – Digital certificates for authentication
  – Digital Signatures for non-repudiation
• Certificates (hash function and certificate assignments automated)
  – Integration into applications (can be implemented rapidly using existing CA servers)

[Diagram: the sender signs the message with the Sender’s Private Key to produce a Digitally Signed Message and encrypts it with the Recipient’s Public Key to produce an Encrypted Message; the recipient decrypts with the Recipient’s Private Key and verifies the Digital Signature with the Sender’s Public Key, obtained through the Certificate Authority]

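The sign-then-encrypt exchange in the diagram, as an added example that is not from the original slides: the sender signs with its private key and encrypts to the recipient’s public key; the recipient decrypts with its private key and verifies with the sender’s public key. It uses Go’s standard-library RSA (PSS signatures, OAEP encryption); the key pairs are generated in place rather than issued by a Certificate Authority, and the message is a constructed sample.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what crosses the network in the slide's diagram: the message
// encrypted to the recipient's public key plus the sender's signature over the
// plaintext. Only the recipient can decrypt it, and anyone holding the sender's
// public key (normally taken from a CA-issued certificate) can check who sent it.
type Envelope struct {
	Ciphertext []byte
	Signature  []byte
}

// Seal is the sender side: sign with the sender's private key (non-repudiation),
// then encrypt with the recipient's public key (confidentiality). Direct RSA-OAEP
// caps the message at a few hundred bytes for a 2048-bit key; production systems
// wrap a symmetric key this way and encrypt the message with that key.
func Seal(msg []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, msg, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, Signature: sig}, nil
}

// Open is the recipient side: decrypt with the recipient's private key, then
// verify the sender's signature over the recovered plaintext. Both checks must
// pass; a tampered ciphertext or a signature from another key yields an error.
func Open(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decryption failed: ciphertext altered or wrong recipient key")
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature verification failed: not from the claimed sender")
	}
	return msg, nil
}

// mustKey generates a key pair locally; in a PKI the CA would bind it to an identity.
func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Demo reports whether the honest exchange round-trips, whether a ciphertext
// altered in transit (data manipulation) is rejected, and whether a message
// signed by an impostor (masquerading) is rejected against the real sender's key.
func Demo() (honestOK, tamperRejected, impostorRejected bool) {
	sender, recipient, impostor := mustKey(), mustKey(), mustKey()
	msg := []byte("Constructed sample: lab result for patient record 000123") // not real data

	env, err := Seal(msg, sender, &recipient.PublicKey)
	if err != nil {
		panic(err)
	}
	got, err := Open(env, recipient, &sender.PublicKey)
	honestOK = err == nil && string(got) == string(msg)

	// Flip one bit of the ciphertext: OAEP padding no longer checks out.
	tampered := &Envelope{Ciphertext: append([]byte(nil), env.Ciphertext...), Signature: env.Signature}
	tampered.Ciphertext[len(tampered.Ciphertext)-1] ^= 0x01
	_, err = Open(tampered, recipient, &sender.PublicKey)
	tamperRejected = err != nil

	// The impostor encrypts to the recipient but signs with its own key.
	fake, err := Seal(msg, impostor, &recipient.PublicKey)
	if err != nil {
		panic(err)
	}
	_, err = Open(fake, recipient, &sender.PublicKey)
	impostorRejected = err != nil
	return
}

func main() {
	honest, tamper, impostor := Demo()
	fmt.Printf("honest exchange ok: %v, tampering rejected: %v, impostor rejected: %v\n",
		honest, tamper, impostor)
}
```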
     Global eCommerce Environment




Virtual Private Networks (VPN)

[Diagram: two LAN/WAN sites linked by a VPN tunnel]

• Provides Virtual Network Connectivity
  – User to LAN/WAN
  – LAN/WAN to LAN/WAN
• Encrypted at the TCP/IP Level
• Provides Protected Communications for All TCP/IP Services

Firewalls

• Provides Traffic Management in Both Directions
• Generally Located at Border between Public and Private Networks
• Features Include
  – Proxy Server/Network Address Translation (NAT)
  – User Name/Password Authentication
  – Packet Filtering
  – Stateful vs. Stateless Packet Processing
  – Traffic Audit Logs

Intrusion Detection System (IDS)

[Diagram: an IDS watching a LAN/WAN with unidentified hosts (?) and an alert (!!!!)]

• Audit
  – Store security-pertinent system data
  – Detect traffic patterns
  – Develop reports and establish critical parameters and intrusion criteria using agent software
  – Set up revocation lists
• Detect
  – Predefine flexible security-violation criteria (e.g., identify zombie placement, Super User, Root user occurrences)
  – Be proactive
  – Become network-oriented
• Secure
  – Fix applications or alterations that were made by an attacker where appropriate (e.g., Trojan Horse ID, Zombie Ant detection eliminated)

Security Policies - Why Are They Needed?

• Security policies drive the general security framework
• Policies define what behavior is and is not allowed
• Policies define who, what, and how much to trust
  – Too much trust leads to security problems
  – Too little trust leads to usability problems
  – Principle of least access
• Policies will often set the stage in terms of what tools and procedures are needed for the organization
• Policies communicate consensus among a group of “governing” people
• Computer security is now a global issue and computing sites are expected to follow the “good neighbor” philosophy

Key Elements of an Information Protection Policy

• Define who can have access to sensitive information
  – special circumstances
  – non-disclosure agreements
• Define how sensitive information is to be stored and transmitted (encrypted, archive files, uuencoded, etc.)
• Define on which systems sensitive information can be stored
• Discuss what levels of sensitive information can be printed on physically insecure printers
• Define how sensitive information is removed from systems and storage devices
• Discuss any default file and directory permissions defined in system-wide configuration files

Key Elements of a Network Connection Policy

• Defines requirements for adding new devices to your network
• Well suited for sites with multiple support teams
• Important for sites which are not behind a firewall
• Should discuss:
  – who can install new resources on the network
  – what approval and notification must be done
  – how changes are documented
  – what the security requirements are
  – how unsecured devices are treated

Other Important Policies

• Policy which addresses forwarding of email to offsite addresses
• Policy which addresses wireless networks
• Policy which addresses baseline lab security standards
• Policy which addresses baseline router configuration parameters

Backup Charts
Open PKI Support for Customer Choice

[Diagram: PKI products from Baltimore, Entrust, Microsoft, Netscape and Verisign deployed across a Supplier Network, a Customer Network, a Remote Office and Mobile Users, interoperating over the Internet]

Firewall-1 / VPN-1 High Availability

[Diagram: a Primary and a Secondary VPN-1 Gateway with IKE Synchronization between them, connected over the Internet to a remote VPN-1 Gateway and a VPN-1 SecuRemote client]

• Transparent fail-over of IPSec communications without loss of connectivity
• Enables hot fail-over and load balancing across VPN gateways
• Industry’s first transparent VPN fail-over that maintains session integrity

Architecture of a Distributed System

[Diagram: users reach Web Servers, Middleware and App Servers over the Internet; internal WANs and LANs connect DNS, Messaging, Data Storage and Backup/Recovery; Clients/Partners connect to their own Web Servers, Middleware, App Servers and Data Storage]

Critical Elements of Security Architecture

• AUDIT, DETECT, and SECURE
  – Three stages of the secure process that are to be followed
• Provide security agents
  – Automated
  – Continually monitor all systems
    • Ensures that Zombie Ants are not being introduced or that Distributed Denial of Service conditions do not occur

Call Centers

• New systems available
  – IP Inclusive
  – Secure
  – Minimize Labor Element
  – Customer Oriented
  – Flexible
  – High Performance
• Product Vendors
  – Lucent
  – Others
• Recommendation for Support

Added Notes:

• Biometric and Smart Card Technology can be applied where appropriate
  – Biometrics is being tested
    • Standards still in the mill
    • People issue: many feel uneasy about providing fingerprints, eye scans, or physical variations as a means to set up secure operations
    • Firms exist to do this today (e.g., International Biometric Group)
  – Smart cards now used by GSA for their badges have fingerprints embedded (3GI developed this; locally available support)
• See ITPro May/Jun 2000 issue, page 24, article on Electronic and Digital Signatures: In Search of a Standard by Tom Wells, CEO of b4bpartner, Inc. (Florida firm)

List of PKI Operation Reference Specs and Requirements

• DOD5200R
  – DOD 5200.2-R, Personnel Security Program.
• FIPS1401
  – Security Requirements for Cryptographic Modules, 1994-01. http://csrc.nist.gov/fips/fips1401.htm
• FIPS112
  – Password Usage, 1985-05-30. http://csrc.nist.gov/fips/
• FIPS186
  – Digital Signature Standard, 1994-05-19. http://csrc.nist.gov/fips/fips186.pdf
• FPKI-E
  – Federal PKI Version 1 Technical Specifications: Part E – X.509 Certificate and CRL Extensions Profile, 7 Jul 1997. http://csrc.nist.gov/pki/FPKI7-10.DOC
• ISO9594-8
  – Information Technology - Open Systems Interconnection - The Directory: Authentication Framework, 1997. ftp://ftp.bull.com/pub/OSIdirectory/ITU/97x509final.doc
• NS4005
  – NSTISSI 4005, Safeguarding COMSEC Facilities and Material, 1997 August.

List of PKI Operation Reference Specs and Requirements (Concluded)

• NS4009; NSTISSI 4009, National Information Systems Security Glossary, 1999 January.
• RFC2510; Adams and Farrell. Certificate Management Protocol, 1999 March. http://www.ietf.org/rfc/rfc2510.txt
• RFC2527; Chokhani and Ford. Certificate Policy and Certification Practices Framework, 1999 March. http://www.ietf.org/rfc/rfc2527.txt
• SDN702; SDN.702, Abstract Syntax for Utilization with Common Security Protocol (CSP), Version 3 X.509 Certificates, and Version 2 CRLs, Revision 3, 31 July 1997. http://www.armadillo.Huntsville.al.us/Fortezza_docs/sdn702rev3.pdf
• SDN706; X.509 Certificate and Certification Revocation List Profiles and Certification Path Processing Rules for MISSI Revision 3.0, 30 May 1997. http://www.armadillo.Huntsville.al.us/Fortezza_docs/sdn706r30.pdf
• Information Technology Security Program; used for assessing and modifying existing security policies. Draft from CIO Council; March 2000.
• Circular A-130; Management of Federal Information Resources, OMB
• Special Pub 800-14; Generally Accepted Principles and Practices for Securing Information Technology Systems (GSSP), NIST

Operational Documentation Checklist

• Project Plan
• CONOPS
• System Security Plan (SSP)
• Risk Assessment
• Waiver Letter(s)
• Approvals to Test
• Interim Approvals to Operate
• Certificate Policy
• Subscriber Agreement

Security Program Elements

• Mint-wide Security Program
  – planning and managing to provide a framework and continuing cycle of activity for managing risk, developing security policies (in conjunction with the Office of Protection), assigning responsibilities, and monitoring the adequacy of the Mint's computer-related controls.
• Access Control
  – controls that limit or detect access to computer resources (data, programs, and equipment) and protect these resources against unauthorized modification, loss or disclosure.
• Segregation of Duties
  – establishing policies, procedures, and an organizational structure such that one individual cannot control key aspects of IT-related operations and thereby conduct unauthorized actions or gain unauthorized access to assets or records.
• Service Continuity
  – implementing controls to ensure that when unexpected events occur (e.g., a virus) critical operations continue without interruption or are promptly resumed, and critical and sensitive information is protected.

Comprehensive Network Security Policy Approach

Reference Model
  – Mission
  – Policy
  – Sec. Org Structure
  – Sec. Implementation Procedures
  – Awareness, Training, & Education
  – Phy & Env Protection
  – Connectivity Controls
  – Access Controls
  – Sys Admin Controls
  – Storage Media Controls
  – Accountability Controls
  – Assurance

Protect Model
  – Deny
  – Detect
  – Assess
  – Train
  – Enforce

Response Model
  – Respond
  – Report
  – Isolate
  – Contain
  – Recover

Network Security Model

[Diagram: Threat and Value of Information feed the Protect Model (Deny, Detect, Assess, Train, & Enforce) and the Response Model (Respond, Report, Isolate, Contain, & Recover); the Network Security Strategic Reference Model is built in levels:]

  Level 1. System Mission
  Level 2. Security Policy
  Level 3. Security Organizational Structure
  Level 4. Security Implementation Procedures
  Level 5. Security Awareness, Training, & Education
  Level 6. Physical & Environmental Systems Protection
  Level 7-11. Controls: System Access, Connectivity, Administration, Storage Media, & Accountability
  Level 12. Assurance

Telecommunications Trends and Increasing Complexity

[Chart: data rate (10 bps to 100 Gbps) versus year (1950 to 2000). Wired: Direct Access 75 bps, Dial-Up 300 bps, Early Modem Access 1200 bps, Modem Access 9.6 Kbps, X.25 56 Kbps, ISDN, Ethernet (IEEE 802.3) 10 Mbps, IBM's Token Ring 16 Mbps, FDDI 100 Mbps, Fast Ethernet 100 Mbps, ATM/SONET Networks 10 Gbps+. Wireless: AMPS (Analog), RAM (8 Kbps), ARDIS (4.8-19.2 Kbps), 3G Wireless 256 Kbps-2 Mbps+, LMDS/MMDS Wireless (2.4-38 GHz upper band, 10-155 Mbps).]

Frequency Band Trends (39-50 MHz, 150 MHz, 400 MHz, 800 MHz, 700 MHz, 2.5 GHz, 5 GHz, 28 GHz, 38 GHz)
Local/Multichannel Multipoint Distribution System (LMDS/MMDS) Wireless; Analog/Digital Cable Technology (unlicensed 2.4-2.5 GHz bands, licensed 24-38 GHz bands, with data rates in the 1.5 to 155 Mbps range)
RAM - Radio Analog Mobile Service
ARDIS - Advanced Radio Data Information Service
AMPS - Analog Mobile Paging System