Security Considerations for Health Care Organizations

1
Security Considerations for Health Care Organizations

FEF Group, LLC
Frank E. Ferrante, President, FEF Group, LLC; Chair, MTPC
11 January 2001
Presented at SAINT2001 Global Telehealth/Telemedicine and the Internet Workshop, San Diego, CA
2
Outline
  • HIPAA
  • HHS Patient Information Privacy
  • Threats and Protection Mechanisms
  • Information Protection Rules
  • Typical Security Architectural Views
  • Policies to be considered

3
HIPAA
  • IEEE-USA's Medical Technology Policy Committee
    positions
  • Implementation timetable of two years
  • Patient information must be protected across all
    means of electronic transmission and storage
    (includes fax, phone, wireless)
  • Authorization for accessing databases must be
    assured
  • IEEE-USA recommended coordination among agencies
    and organizations on a more realistic time
    schedule
  • Costs for compliance in two years as estimated in
    the HIPAA NPRM are too low (conflict between timely
    compliance and financial viability)
  • IEEE recommended that the effective date be
    divided into three phases
  • Phase 1: prepare policies, plans and risk
    assessments (my estimate: 1 year)
  • Phase 2: certify new hardware, software and
    firmware (my estimate: 2 years)
  • Phase 3: replace the installed base of hardware,
    software and firmware with HIPAA-compliant
    products (my estimate: a 3 to 5 year program)
  • Changes the date of compliance to 2008, not 2002
    (realistic given cost, technology changes, and
    training for implementation)

4
New Patient Privacy Regulations
  • Takes effect in two years (2003)
  • Bars all health care providers and insurance
    companies from disclosing private health
    information for non-health related purposes
  • Doctors required to have written permission from
    the patient before sharing patient information
    (includes billing and treatment)
  • Prohibits employers from perusing medical
    information on employees and job applicants
  • If an employer manages its own healthcare plan,
    it cannot use the employees' information for
    anything other than healthcare
  • RULE COVERS BOTH ELECTRONIC AND PAPER RECORDS
  • Penalties: $100 per violation ($25,000 max/yr);
    $250,000 and 10 yrs prison
  • LAW ENFORCEMENT CAN OBTAIN ACCESS TO RECORDS WITH
    AN ADMINISTRATIVE SUBPOENA OR SUMMONS (NO COURT
    NEEDED)

5
Healthcare Information Sharing
  • Consulting physicians
  • Managed care organizations 
  • Health insurance companies 
  • Life insurance companies 
  • Self-insured employers 
  • Pharmacies 
  • Pharmacy benefit managers 
  • Clinical laboratories 
  • Accrediting organizations  
  • State and Federal statistical agencies and 
  • Medical information bureaus.

6
Information Protection Failures
  • A Michigan-based health system accidentally
    posted the medical records of thousands of
    patients on the Internet (The Ann Arbor News,
    February 10, 1999). 
  • A Utah-based pharmaceutical benefits management
    firm used patient data to solicit business for
    its owner, a drug store (Kiplinger's, February
    2000).
  • An employee of the Tampa, Florida, health
    department took a computer disk containing the
    names of 4,000 people who had tested positive for
    HIV, the virus that causes AIDS (USA Today,
    October 10, 1996).
  • The health insurance claims forms of thousands of
    patients blew out of a truck on its way to a
    recycling center in East Hartford, Connecticut
    (The Hartford Courant, May 14, 1999). 
  • A patient in a Boston-area hospital discovered
    that her medical record had been read by more
    than 200 of the hospital's employees (The Boston
    Globe, August 1, 2000).
  • A Nevada woman who purchased a used computer
    discovered that the computer still contained the
    prescription records of the customers of the
    pharmacy that had previously owned the computer.
    The pharmacy database included names, addresses,
    social security numbers, and a list of all the
    medicines the customers had purchased. (The New
    York Times, April 4, 1997 and April 12, 1997).
  • A speculator bid $4,000 for the patient records
    of a family practice in South Carolina. Among the
    businessman's uses of the purchased records was
    selling them back to the former patients. (New
    York Times, August 14, 1991).
  • In 1993, the Boston Globe reported that Johnson
    and Johnson marketed a list of 5 million names
    and addresses of elderly incontinent women. (ACLU
    Legislative Update, April 1998).
  • A few weeks after an Orlando woman had her doctor
    perform some routine tests, she received a letter
    from a drug company promoting a treatment for
    her high cholesterol. (Orlando Sentinel, November
    30, 1997).

7
Trust and Risk
  • Do you trust the Internet?
  • Do you trust wireless cell phone communications?
  • Are you sure that the person at the other end of
    the connection is who they say they are?

8
Trust and Risk
  • Under the Electronic Fund Transfer Act (effective
    1979, 15 U.S.C.), the credit card and ATM industry
    was forced to limit the personal financial risk to
    users (usually a $50 maximum if cards are used
    fraudulently)
  • The approach focused on reducing risk since the
    technology was not yet ready
  • Limiting risk compensates for a lack of trust
  • Many, however, consider this approach a band-aid
    for the real issue: increasing user trust
  • What is available and what can be provided?

9
Typical Hacker Threats and Protections
Hacker threats:
  • Masquerading
  • Eavesdropping
  • Interception
  • Address Spoofing
  • Data Manipulation
  • Dictionary Attack
  • Replay Attacks
  • Denial of Service
Protections:
  • Authentication
  • Encryption
  • Digital Certs./Signatures
  • Firewalls
  • Encryption
  • Strong Passwords
  • Time Stamping / Sequence Numbers
  • Authentication
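The slide pairs replay attacks with time stamping and sequence numbers, and masquerading and data manipulation with authentication. The Python below is an added example, not part of the presentation: a sender binds a sequence number, a time stamp and the payload under an HMAC keyed with a constructed shared secret, and the receiver rejects forged, stale and replayed copies in that order.

```python
import hashlib
import hmac

# Shared secret between sender and receiver: constructed for this example,
# a real deployment would provision it through key management.
SHARED_KEY = b"constructed-demo-key"
# Accept a message only if its time stamp is within this many seconds of the
# receiver's clock (the "time stamping" protection on the slide).
MAX_CLOCK_SKEW = 30


def make_message(seq, timestamp, payload, key=SHARED_KEY):
    """Sender side: bind sequence number, time stamp and payload under one HMAC.
    The tag gives authentication (only a key holder can produce it) and
    integrity (changing any field invalidates it)."""
    body = f"{seq}|{timestamp}|{payload}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class Receiver:
    """Receiver side: check the tag first, then freshness, then the sequence."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_seq = 0  # highest sequence number accepted so far

    def accept(self, wire, now):
        body, _, tag = wire.rpartition(b"|")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag (forged or tampered)"
        seq_s, ts_s, payload = body.decode().split("|", 2)
        seq, ts = int(seq_s), int(ts_s)
        if abs(now - ts) > MAX_CLOCK_SKEW:
            return "rejected: stale time stamp"
        if seq <= self.last_seq:  # a captured copy resent later lands here
            return "rejected: replayed sequence number"
        self.last_seq = seq
        return "accepted: " + payload


def demo():
    """Constructed exchange: two genuine messages plus a replay and a forgery."""
    rx = Receiver()
    m1 = make_message(1, 1000, "refill prescription 4711")
    m2 = make_message(2, 1005, "refill prescription 4712")
    return [
        rx.accept(m1, now=1002),                            # fresh and in order
        rx.accept(m1, now=1010),                            # same bytes replayed
        rx.accept(m2, now=1100),                            # delayed past the skew window
        rx.accept(m2, now=1006),                            # fresh and in order
        rx.accept(m2.replace(b"4712", b"4799"), now=1006),  # payload altered in transit
    ]
```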

10
Common Internet Attacks and Typical Fixes
Internet Attacks:
  • Root access by buffer overflows
  • Distributed Denial of Service
  • E-Mail spamming and relaying
  • Exploitation of misconfigured software and
    servers
  • Mail attachment attacks
Fixes:
  • Upgrade systems / training
  • Creating attack bottlenecks and coordination
  • Training
  • Verification/Certification of Software
  • Training of Users to recognize Attachments

11
Goals of Security Measures
  • Authentication: Who or what am I transacting
    with?
  • Access Control: Is the party allowed to enter
    into the transaction?
  • Confidentiality: Can any unauthorized parties
    see the transaction?
  • Integrity: Did the transaction complete
    correctly and as expected?
  • Non-Repudiation: Are authorized parties assured
    they will not be denied from transacting business?

12
Goals Satisfied by Current Security Mechanisms
(Matrix, figure residue: rows are the mechanisms Intrusion Detection System, Virtual Private Network, Public Key Infrastructure, User Name/Password, Encryption and Firewall; columns are the goals Authentication, Access Control, Confidentiality, Integrity and Non-Repudiation; the check marks showing which mechanism satisfies which goal did not survive extraction.)
13
Public Key Infrastructure (PKI)
  • Public/Private Key
  • Most comprehensive security model to date
  • Encryption
  • Digital certificates for authentication
  • Digital Signatures for non-repudiation
  • Certificates (Hash function and Certificate
    assignments automated)
  • Integration into applications (Can be
    implemented Rapidly using existing CA Servers)

(Diagram, figure residue: a Certificate Authority issues the certificates; the Sender's Private Key produces the Digitally Signed Message and the Sender's Public Key is used to Verify the Digital Signature; the Recipient's Public Key produces the Encrypted Message and the Recipient's Private Key is used to Decrypt the Message.)
14
Global eCommerce Environment
15
Virtual Private Networks (VPN)
  • Provides Virtual Network Connectivity
  • User to LAN/WAN
  • LAN/WAN to LAN/WAN
  • Encrypted at the TCP/IP Level
  • Provides Protected Communications for All TCP/IP
    Services

16
Firewalls
  • Provides Traffic Management in Both Directions
  • Generally Located at Border between Public and
    Private Networks
  • Features Include
  • Proxy Server/Network Address Translation (NAT)
  • User Name/Password Authentication
  • Packet Filtering
  • Stateful vs. Stateless Packet Processing
  • Traffic Audit Logs
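As an added example (not from the presentation or any firewall vendor), the Python below contrasts stateless packet filtering with stateful processing and writes a traffic audit log; the addresses, ports and the single published web service are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str       # source address
    dst: str       # destination address
    sport: int     # source port
    dport: int     # destination port
    syn: bool      # TCP SYN set: a new connection attempt
    inbound: bool  # True when entering the private network from the public side

# The one service the private network publishes (constructed sample values).
WEB_SERVER = ("10.0.0.5", 443)

def stateless_decision(pkt):
    """Stateless filter: each packet is judged on its own header fields. To let
    inside clients receive replies it opens all high ports inbound, and that
    same rule admits unsolicited connections to those ports."""
    if not pkt.inbound or (pkt.dst, pkt.dport) == WEB_SERVER:
        return "allow"
    if pkt.dport >= 1024:  # meant for reply traffic, but far too broad
        return "allow"
    return "deny"

class StatefulFilter:
    """Stateful filter: remembers outbound flows and admits only their replies."""

    def __init__(self):
        self.flows = set()  # (src, sport, dst, dport) of connections opened from inside
        self.audit = []     # traffic audit log, one line per decision

    def decide(self, pkt):
        if not pkt.inbound:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            verdict = "allow"
        elif (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            verdict = "allow"  # reply to a connection an inside host opened
        elif pkt.syn and (pkt.dst, pkt.dport) == WEB_SERVER:
            verdict = "allow"  # new connection to the published service only
        else:
            verdict = "deny"
        self.audit.append(f"{verdict} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return verdict

def demo():
    """Constructed traffic: an outbound HTTPS request, its reply, and an
    unsolicited inbound connection aimed at the same high port."""
    out = Packet("10.0.0.7", "203.0.113.9", 50000, 443, True, False)
    reply = Packet("203.0.113.9", "10.0.0.7", 443, 50000, False, True)
    unsolicited = Packet("198.51.100.4", "10.0.0.7", 40000, 50000, True, True)
    fw = StatefulFilter()
    stateless = [stateless_decision(p) for p in (out, reply, unsolicited)]
    stateful = [fw.decide(p) for p in (out, reply, unsolicited)]
    return stateless, stateful, fw.audit
```

The stateless rule set lets the unsolicited packet through because it cannot tell a reply from a new inbound connection; the stateful filter denies it and the audit log records the decision.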

17
Intrusion Detection System (IDS)
  • Audit
  • Store security-pertinent system data
  • Detect traffic patterns
  • Develop reports and establish critical parameters
    and intrusion criteria using agent software
  • Set up revocation lists
  • Detect
  • Predefine flexible security-violation criteria
    (e.g., identify zombie placement, Super User or
    Root user occurrences)
  • Be proactive
  • Become network-oriented
  • Secure
  • Where appropriate, fix applications or alterations
    made by an attacker (e.g., Trojan Horse
    identification; Zombie Ant detection and elimination)

18
Security Policies - Why Are They Needed?
  • Security policies drive the general security
    framework
  • Policies define what behavior is and is not
    allowed
  • Policies define who, what, and how much to trust
  • Too much trust leads to security problems
  • Too little trust leads to usability problems
  • Principle of least access
  • Policies will often set the stage in terms of
    what tools and procedures are needed for the
    organization
  • Policies communicate consensus among a group of
    governing people
  • Computer security is now a global issue and
    computing sites are expected to follow the good
    neighbor philosophy

19
Key Elements of an Information Protection Policy
  • Define who can have access to sensitive
    information
  • special circumstances
  • non-disclosure agreements
  • Define how sensitive information is to be stored
    and transmitted (encrypted, archive files,
    uuencoded, etc.)
  • Define on which systems sensitive information can
    be stored
  • Discuss what levels of sensitive information can
    be printed on physically insecure printers.
  • Define how sensitive information is removed from
    systems and storage devices
  • Discuss any default file and directory
    permissions defined in system-wide configuration
    files.

20
Key Elements of a Network Connection Policy
  • Defines requirements for adding new devices to
    your network.
  • Well suited for sites with multiple support
    teams.
  • Important for sites which are not behind a
    firewall.
  • Should discuss
  • who can install new resources on network
  • what approval and notification must be done
  • how changes are documented
  • what are the security requirements
  • how unsecured devices are treated

21
Other Important Policies
  • Policy which addresses forwarding of email to
    offsite addresses
  • Policy which addresses wireless networks
  • Policy which addresses baseline lab security
    standards
  • Policy which addresses baseline router
    configuration parameters

22
Backup Charts
23
Open PKI Support for Customer Choice
(Diagram, figure residue: PKI products from Baltimore, Entrust, Microsoft, Netscape and Verisign shown deployed across the Supplier Network, Corporate Intranet, Internet, Remote Office, Mobile User and Customer Network.)
24
Firewall-1 / VPN-1 High Availability
  • Transparent fail-over of IPSec communications
    without loss of connectivity
  • Enables hot fail-over and load balancing across
    VPN gateways
  • Industry's first transparent VPN fail-over that
    maintains session integrity

25
Architecture of a Distributed System
(Diagram, figure residue: Users and Clients/Partners connect over the Internet to Web Servers, Middleware and App Servers backed by Data Storage, Internal WANs and LANs, DNS, Messaging and Backup/Recovery.)
26
Critical Elements of Security Architecture
  • AUDIT, DETECT, and SECURE
  • The three stages of the security process that are
    to be followed
  • Provide security agents
  • Automated
  • Continually monitor all systems
  • Ensure that Zombie Ants are not being introduced
    and that Distributed Denial of Service conditions
    do not occur

27
Call Centers
  • New systems available
  • IP Inclusive
  • Secure
  • Minimize Labor Element
  • Customer Oriented
  • Flexible
  • High Performance
  • Product Vendors
  • Lucent
  • Others
  • Recommendation for Support

28
Added Notes
  • Biometric and Smart Card Technology can be
    applied where appropriate
  • Biometrics is being tested
  • Standards still in the mill
  • People issue: many feel uneasy about providing
    fingerprints, eye scans, or physical variations
    as a means to set up secure operations
  • Firms exist to do this today (e.g., International
    Biometric Group)
  • Smart cards now used by GSA for their badges have
    fingerprints embedded (3GI developed this;
    locally available support)
  • See ITPro, May/Jun 2000 issue, page 24, article
    "Electronic and Digital Signatures: In Search of a
    Standard" by Tom Wells, CEO of b4bpartner, Inc.
    (Florida firm)

29
List of PKI Operation Reference Specs and
Requirements
  • DOD5200R: DOD 5200.2-R, Personnel Security Program.
  • FIPS1401: Security Requirements for Cryptographic
    Modules, 1994-01. http://csrc.nist.gov/fips/fips1401.htm
  • FIPS112: Password Usage, 1985-05-30.
    http://csrc.nist.gov/fips/
  • FIPS186: Digital Signature Standard, 1994-05-19.
    http://csrc.nist.gov/fips/fips186.pdf
  • FPKI-E: Federal PKI Version 1 Technical
    Specifications, Part E: X.509 Certificate and CRL
    Extensions Profile, 7 Jul 1997.
    http://csrc.nist.gov/pki/FPKI7-10.DOC
  • ISO9594-8: Information Technology - Open Systems
    Interconnection - The Directory: Authentication
    Framework, 1997.
    ftp://ftp.bull.com/pub/OSIdirectory/ITU/97x509final.doc
  • NS4005: NSTISSI 4005, Safeguarding COMSEC Facilities
    and Material, 1997 August.

30
List of PKI Operation Reference Specs and
Requirements (Concluded)
  • NS4009: NSTISSI 4009, National Information
    Systems Security Glossary, 1999 January.
  • RFC2510: Adams and Farrell. Certificate
    Management Protocol, 1999 March.
    http://www.ietf.org/rfc/rfc2510.txt
  • RFC2527: Chokhani and Ford. Certificate Policy
    and Certification Practices Framework, 1999
    March. http://www.ietf.org/rfc/rfc2527.txt
  • SDN702: SDN.702, Abstract Syntax for Utilization
    with Common Security Protocol (CSP), Version 3
    X.509 Certificates, and Version 2 CRLs, Revision
    3, 31 July 1997.
    http://www.armadillo.Huntsville.al.us/Fortezza_docs/sdn702rev3.pdf
  • SDN706: X.509 Certificate and Certification
    Revocation List Profiles and Certification Path
    Processing Rules for MISSI, Revision 3.0, 30 May
    1997.
    http://www.armadillo.Huntsville.al.us/Fortezza_docs/sdn706r30.pdf
  • Information Technology Security Program (used for
    assessing and modifying existing security
    policies), draft from the CIO Council, March 2000.
  • Circular A-130, Management of Federal Information
    Resources, OMB
  • Special Pub 800-14, Generally Accepted Principles
    and Practices for Securing Information Technology
    Systems (GSSP), NIST

31
Operational Documentation Checklist
  • Project Plan
  • CONOPS
  • System Security Plan (SSP)
  • Risk Assessment
  • Waiver Letter(s)
  • Approvals to Test
  • Interim Approvals to Operate
  • Certificate Policy
  • Subscriber Agreement

32
Security Program Elements
  • Mint-wide Security Program
  • planning and managing to provide a framework and
    continuing cycle of activity for managing risk,
    developing security policies (in conjunction with
    the Office of Protection), assigning
    responsibilities, and monitoring the adequacy of
    the Mint's computer-related controls.
  • Access Control
  • controls that limit or detect access to computer
    resources (data, programs, and equipment) that
    protect these resources against unauthorized
    modification, loss or disclosure.
  • Segregation of Duties
  • establishing policies, procedures, and an
    organizational structure such that one individual
    cannot control key aspects of IT-related
    operations and thereby conduct unauthorized
    actions or gain unauthorized access to assets or
    records.
  • Service Continuity
  • implementing controls to ensure that when
    unexpected events occur (e.g., a virus) critical
    operations continue without interruption or are
    promptly resumed and critical and sensitive
    information is protected.

33
Comprehensive Network Security Policy Approach
Reference Model (layers, from the figure):
  • Mission
  • Policy
  • Security Organization Structure
  • Security Implementation Procedures
  • Awareness, Training, Education
  • Physical/Environmental Protection
  • Connectivity Controls
  • Access Controls
  • System Administration Controls
  • Storage Media Controls
  • Accountability Controls
  • Assurance

34
Network Security Model
Network Security Strategic Reference Model (from the figure; inputs: Threat and Value of Information):
  • Level 1. System Mission
  • Level 2. Security Policy
  • Level 3. Security Organizational Structure
  • Level 4. Security Implementation Procedures
  • Level 5. Security Awareness, Training, Education
  • Level 6. Physical Environmental Systems Protection
  • Levels 7-11. Controls: System Access, Connectivity,
    Administration, Storage Media, Accountability
  • Level 12. Assurance
Protect Model: Deny, Detect, Assess, Train, Enforce
Response Model: Respond, Report, Isolate, Contain, Recover
35
Telecommunications Trends and Increasing Complexity
(Chart, figure residue: data rates from 10 bps to 100 Gbps plotted against the years 1950 to 2000. Labeled entries: Direct Access 75 bps; Early Modem Access 1200 bps; Modem Access; X.25 56 Kbps; ISDN; Ethernet (IEEE 802.3) 10 Mbps; IBM's Token Ring 16 Mbps; FDDI 100 Mbps; Fast Ethernet 100 Mbps; ATM/SONET Networks 10 Gbps; Wireless Systems; AMPS (Analog); RAM (8 Kbps); ARDIS (4.8 - 19.2 Kbps); 3G Wireless 256 Kbps - 2 Mbps; LMDS/MMDS Wireless, 2.4 - 38 GHz upper band, 10 - 155 Mbps.)
  • Frequency Band Trends (39-50 MHz, 150 MHz,
    400 MHz, 800 MHz, 700 MHz, 2.5 GHz, 5 GHz, 28 GHz,
    38 GHz)
  • Local/Multichannel Multipoint Distribution
    System (LMDS/MMDS) Wireless Analog/Digital Cable
    Technology (unlicensed: 2.4 - 2.5 GHz bands;
    licensed: 24 - 38 GHz bands, with data rates in the
    1.5 to 155 Mbps range)
  • RAM - Radio Analog Mobile Service
  • ARDIS - Advanced Radio Data Information Service
  • AMPS - Analog Mobile Paging System