Wireless MSR Progress - IEEE-USA
FEF Group, LLC
Security Considerations for Health Care
Organizations
Frank E. Ferrante
President
FEF Group, LLC
Chair MTPC
11 January 2001
Presented at SAINT2001
Global Telehealth/Telemedicine and the Internet Workshop
San Diego, CA
eHealth Privacy
FEF Group
Outline
HIPAA
HHS Patient Information Privacy
Threats and Protection Mechanisms
Information Protection Rules
Typical Security Architectural Views
Policies to be considered
HIPAA
IEEE-USA’s Medical Technology Policy Committee Positions
– implementation timetable of two years
– Patient information must be protected by all means of electronic
transmission and storage (includes fax, phone, wireless)
– Authorization for accessing data bases must be assured
– IEEE USA recommended coordination among agencies and organizations
on a more realistic time schedule
The HIPAA NPRM's estimate of the cost of compliance within two years is too low (conflict between timely compliance and financial viability)
IEEE recommended effective date be divided into three phases
– Phase 1: Includes prepare Policies, Plans and Risk Assessments (my
estimate: 1 year)
– Phase 2: Certify new hardware, software and firmware (my estimate: 2 years)
– Phase 3: Replace installed base of hardware, software and firmware with
HIPAA-compliant products (my estimate: 3 to 5 year program)
Changes date of compliance to 2008 rather than 2002 (realistic given cost,
technology changes, and training for implementation)
New Patient Privacy Regulations
Takes effect in two years (2003)
Bars all health care providers and insurance companies from disclosing private health information for non-health related purposes
Doctors required to have written permission from patient before
sharing patient information (includes billing and treatment)
Prohibits employers from perusing medical information on employees
and job applicants
If an employer manages their own healthcare plan it cannot use the
employee’s information for anything other than for healthcare
RULE COVERS BOTH ELECTRONIC AND PAPER RECORDS
Penalties: $100 per violation ($25,000 max/yr); $250,000 and 10 yrs
prison
LAW ENFORCEMENT CAN OBTAIN ACCESS TO RECORDS WITH AN
ADMINISTRATIVE SUBPOENA OR SUMMONS (NO COURT NEEDED)
Healthcare Information Sharing
Consulting physicians;
Managed care organizations;
Health insurance companies
Life insurance companies;
Self-insured employers;
Pharmacies;
Pharmacy benefit managers;
Clinical laboratories;
Accrediting organizations;
State and Federal statistical agencies; and
Medical information bureaus.
Information Protection Failures
A Michigan-based health system accidentally posted the medical records of thousands of patients on
the Internet (The Ann Arbor News, February 10, 1999).
A Utah-based pharmaceutical benefits management firm used patient data to solicit business for its
owner, a drug store (Kiplingers, February 2000).
An employee of the Tampa, Florida, health department took a computer disk containing the names of
4,000 people who had tested positive for HIV, the virus that causes AIDS (USA Today, October 10,
1996).
The health insurance claims forms of thousands of patients blew out of a truck on its way to a
recycling center in East Hartford, Connecticut (The Hartford Courant, May 14, 1999).
A patient in a Boston-area hospital discovered that her medical record had been read by more than 200
of the hospital's employees (The Boston Globe, August 1, 2000).
A Nevada woman who purchased a used computer discovered that the computer still contained the
prescription records of the customers of the pharmacy that had previously owned the computer. The
pharmacy data base included names, addresses, social security numbers, and a list of all the
medicines the customers had purchased. (The New York Times, April 4, 1997 and April 12, 1997).
A speculator bid $4000 for the patient records of a family practice in South Carolina. Among the
businessman's uses of the purchased records was selling them back to the former patients. (New York
Times, August 14, 1991).
In 1993, the Boston Globe reported that Johnson and Johnson marketed a list of 5 million names and
addresses of elderly incontinent women. (ACLU Legislative Update, April 1998).
A few weeks after an Orlando woman had her doctor perform some routine tests, she received a letter
from a drug company promoting a treatment for her high cholesterol. (Orlando Sentinel, November 30,
1997).
Trust and Risk
Do you trust the Internet?
Do you trust wireless cell phone communications?
Are you sure that the person at the other end of the connection is who they say they are?
Trust and Risk
Under the Electronic Fund Transfer Act (effective 1979, 15 U.S.C.), the credit card and ATM industry was forced to limit personal financial risk to users (usually a $50 maximum if cards are used fraudulently)
Approach focused on reducing risk since technology was not yet ready
Limiting risk compensates for a lack of trust
Many, however, consider this approach a band-aid for the real issue: increasing user trust
What is available and what can be provided?
Typical Hacker Threats and Protections
Hacker threat – Protection
– Masquerading – Authentication
– Eavesdropping – Encryption
– Interception – Digital Certs./Signatures
– Address Spoofing – Firewalls
– Data Manipulation – Encryption
– Dictionary Attack – Strong Passwords
– Replay Attacks – Time Stamping & Sequence Numbers
– Denial of Service – Authentication
Common Internet Attacks and Typical Fixes
Internet attack – Fix
– Root access by buffer overflows – Upgrade systems; training
– Distributed Denial of Service – Creating attack bottlenecks and coordination
– E-mail spamming and relaying – Training
– Exploitation of misconfigured software and servers – Verification/certification of software
– Mail attachment attacks – Training of users to recognize attachments
Goals of Security Measures
Authentication – Who or what am I transacting with?
Access Control – Is the party allowed to enter into the transaction?
Confidentiality – Can any unauthorized parties see the transaction?
Integrity – Did the transaction complete correctly and as expected?
Non-Repudiation – Are authorized parties assured they will not be denied from transacting business?
Goals Satisfied by Current Security Mechanisms
(Slide matrix: rows Authentication, Access Control, Confidentiality, Integrity and Non-Repudiation, check-marked against current security mechanisms; the mechanism column headings did not survive extraction.)
Public Key Infrastructure (PKI)
Public/Private Key: most comprehensive security model to date
– Encryption
– Digital certificates for authentication
– Digital signatures for non-repudiation
Certificates (hash function and certificate assignments automated)
– Integration into applications (can be implemented rapidly using existing CA servers)
(Slide diagram: the sender's private key produces a digitally signed message, which is encrypted with the recipient's public key into an encrypted message; a Certificate Authority vouches for the keys; the recipient decrypts the message with the recipient's private key and verifies the digital signature with the sender's public key.)
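The signing and encryption flow of the slide diagram, as an added example that is not part of the original presentation: textbook RSA over constructed Mersenne-prime keys with no padding, so only the sequence of key usages (sign with the sender's private key, encrypt with the recipient's public key, decrypt with the recipient's private key, verify with the sender's public key) is meant to be instructive, not the cryptography itself.

```python
import hashlib

# Constructed keys from Mersenne primes M61/M89 (sender) and M107/M127 (recipient).
# Textbook RSA with no padding: illustrates the slide's key usage only, not real crypto.
E = 65537

def make_keypair(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)          # (public key, private key)

def _digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, sender_priv):                   # uses the sender's private key
    d, n = sender_priv
    return pow(_digest(message, n), d, n)

def verify(message, signature, sender_pub):       # uses the sender's public key
    e, n = sender_pub
    return pow(signature, e, n) == _digest(message, n)

def encrypt(value, recipient_pub):                # uses the recipient's public key
    e, n = recipient_pub
    return pow(value, e, n)

def decrypt(value, recipient_priv):               # uses the recipient's private key
    d, n = recipient_priv
    return pow(value, d, n)

def send(message, sender_priv, recipient_pub):
    """Sender side of the diagram: sign, then encrypt message and signature."""
    m = int.from_bytes(message, "big")
    return encrypt(m, recipient_pub), encrypt(sign(message, sender_priv), recipient_pub)

def receive(enc_msg, enc_sig, recipient_priv, sender_pub):
    """Recipient side: decrypt both values, then verify the signature."""
    m = decrypt(enc_msg, recipient_priv)
    message = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return message, verify(message, decrypt(enc_sig, recipient_priv), sender_pub)

SENDER_PUB, SENDER_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
RECIP_PUB, RECIP_PRIV = make_keypair(2**107 - 1, 2**127 - 1)

def demo():
    message = b"Rx: 10mg daily"                  # constructed sample, fits the modulus
    enc_msg, enc_sig = send(message, SENDER_PRIV, RECIP_PUB)
    plaintext, ok = receive(enc_msg, enc_sig, RECIP_PRIV, SENDER_PUB)
    # A single flipped ciphertext bit in transit makes the signature check fail.
    _, tampered_ok = receive(enc_msg ^ 1, enc_sig, RECIP_PRIV, SENDER_PUB)
    return plaintext, ok, tampered_ok
```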
Global eCommerce Environment
Virtual Private Networks (VPN)
Provides Virtual Network Connectivity
– User to LAN/WAN
– LAN/WAN to LAN/WAN
Encrypted at the TCP/IP Level
Provides Protected Communications for All TCP/IP Services
(Slide diagram: two LAN/WAN sites joined by the VPN.)
Firewalls
Provides Traffic Management in Both Directions
Generally Located at Border between Public and Private Networks
Features Include
– Proxy Server/Network Address Translation (NAT)
– User Name/Password Authentication
– Packet Filtering
– Stateful vs. Stateless Packet Processing
– Traffic Audit Logs
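The stateful vs. stateless packet processing and traffic audit log features listed above, as an added example not taken from the presentation: on a constructed packet trace, an unsolicited inbound packet with the ACK bit set passes a stateless "established" rule but is dropped by a filter that remembers connections opened from inside. The addresses, ports and the two policy functions are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (public -> private) or "out" (private -> public)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags as letters, e.g. "S", "SA", "A"

WEB_SERVER = ("10.0.0.5", 443)     # constructed: the one published service

def stateless_allow(pkt, _state=None):
    """Packet filter with no memory: must guess 'reply' traffic from the ACK bit."""
    if pkt.direction == "out":
        return True
    if (pkt.dst, pkt.dport) == WEB_SERVER:
        return True
    return "A" in pkt.flags          # any ACK-bearing packet passes: the gap to avoid

def stateful_allow(pkt, state):
    """Packet filter that remembers connections opened from the inside."""
    if pkt.direction == "out":
        state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True
    if (pkt.dst, pkt.dport) == WEB_SERVER:
        return True
    return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in state   # must match a known flow

# Constructed sample traffic (addresses from the TEST-NET documentation ranges).
TRAFFIC = [
    Packet("out", "10.0.0.7", 51000, "203.0.113.9", 443, "S"),    # user opens HTTPS session
    Packet("in", "203.0.113.9", 443, "10.0.0.7", 51000, "SA"),    # legitimate reply
    Packet("in", "198.51.100.4", 40000, "10.0.0.7", 445, "A"),    # unsolicited probe, ACK set
    Packet("in", "198.51.100.4", 40001, "10.0.0.5", 443, "S"),    # client to published server
]

def run(policy):
    """Apply a policy to the sample traffic; return decisions and a traffic audit log."""
    state, decisions, audit = set(), [], []
    for pkt in TRAFFIC:
        ok = policy(pkt, state)
        decisions.append(ok)
        audit.append(f"{'PERMIT' if ok else 'DENY'} {pkt.direction:3} "
                     f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}]")
    return decisions, audit
```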
Intrusion Detection System (IDS)
Audit
– Store security-pertinent system data
– Detect traffic patterns
– Develop reports and establish critical parameters and intrusion criteria using agent software
– Set up revocation lists
Detect
– Predefine flexible security violation criteria (e.g., identify zombie placement, Super User, Root user occurrences)
– Be proactive
– Become network-oriented
Secure
– Fix applications or alterations that were made by an attacker where appropriate (e.g., Trojan Horse ID, Zombie Ant detection eliminated)
(Slide diagram: LAN/WAN monitored by the IDS.)
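The audit and detect stages above, as an added example not taken from the presentation: constructed syslog lines are reduced to security-pertinent records and matched against predefined criteria for Super User / Root user occurrences, including a repeated-failure threshold that flags the dictionary attack named on the threats slide. The log format, hostnames, addresses and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed syslog sample: hostnames, users and addresses are invented.
SAMPLE_LOG = """\
Jan 11 09:01:02 hx-db1 sshd[2201]: Accepted password for nurse01 from 10.0.2.15 port 50012 ssh2
Jan 11 09:02:10 hx-db1 su[2250]: nurse01 to root on /dev/pts/1
Jan 11 09:03:44 hx-web1 sshd[3100]: Failed password for root from 198.51.100.4 port 41000 ssh2
Jan 11 09:03:45 hx-web1 sshd[3101]: Failed password for root from 198.51.100.4 port 41001 ssh2
Jan 11 09:03:46 hx-web1 sshd[3102]: Failed password for root from 198.51.100.4 port 41002 ssh2
Jan 11 09:05:00 hx-web1 sshd[3120]: Accepted publickey for root from 198.51.100.4 port 41003 ssh2
Jan 11 09:06:00 hx-app1 cron[4000]: (root) CMD (/usr/lib/backup.sh)
"""

# Predefined violation criteria (the slide's "Super User, Root user occurrences").
CRITERIA = {
    "root_login": re.compile(r"sshd\[\d+\]: Accepted \w+ for root from (\S+)"),
    "su_to_root": re.compile(r"su\[\d+\]: (\S+) to root\b"),
    "failed_root": re.compile(r"sshd\[\d+\]: Failed password for root from (\S+)"),
}
FAILED_THRESHOLD = 3      # assumed: repeated failures that count as a dictionary attack

def audit(lines):
    """Audit stage: keep only security-pertinent records, tagged by criterion."""
    records = []
    for line in lines:
        host = line.split()[3]                    # syslog: month day time host ...
        for name, pattern in CRITERIA.items():
            match = pattern.search(line)
            if match:
                records.append((name, host, match.group(1)))
    return records

def detect(records):
    """Detect stage: turn audited records into alerts using the criteria."""
    alerts, failures = [], Counter()
    for name, host, who in records:
        if name == "root_login":
            alerts.append(f"{host}: remote root login from {who}")
        elif name == "su_to_root":
            alerts.append(f"{host}: {who} escalated to root via su")
        elif name == "failed_root":
            failures[(host, who)] += 1
            if failures[(host, who)] == FAILED_THRESHOLD:
                alerts.append(f"{host}: {FAILED_THRESHOLD} failed root logins "
                              f"from {who} (possible dictionary attack)")
    return alerts

def run_ids(text=SAMPLE_LOG):
    return detect(audit(text.splitlines()))
```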
Security Policies - Why Are They Needed?
Security policies drive the general security framework
Policies define what behavior is and is not allowed
Policies define who, what, and how much to trust
– Too much trust leads to security problems
– Too little trust leads to usability problems
– Principle of least access
Policies will often set the stage in terms of what tools and procedures are
needed for the organization
Policies communicate consensus among a group of “governing” people
Computer security is now a global issue and computing sites are
expected to follow the “good neighbor” philosophy
Key Elements of an Information Protection Policy
Define who can have access to sensitive information
– special circumstances
– non-disclosure agreements
Define how sensitive information is to be stored and transmitted
(encrypted, archive files, uuencoded, etc.)
Define on which systems sensitive information can be stored
Discuss what levels of sensitive information can be printed on physically
insecure printers.
Define how sensitive information is removed from systems and storage
devices
Discuss any default file and directory permissions defined in systemwide configuration files.
Key Elements of a Network Connection Policy
Defines requirements for adding new devices to your
network.
Well suited for sites with multiple support teams.
Important for sites which are not behind a firewall.
Should discuss:
– who can install new resources on network
– what approval and notification must be done
– how changes are documented
– what are the security requirements
– how unsecured devices are treated
Other Important Policies
Policy which addresses forwarding of email to offsite
addresses
Policy which addresses wireless networks
Policy which addresses baseline lab security standards
Policy which addresses baseline router configuration
parameters
Backup Charts
Open PKI Support for Customer Choice
(Slide diagram: CA products from Baltimore, Entrust, Microsoft, Netscape and Verisign linking a supplier network, a customer network, a remote office and mobile users across the Internet.)
Firewall-1 / VPN-1 High Availability
(Slide diagram: primary and secondary VPN-1 gateways kept in step by IKE synchronization, with a VPN-1 SecuRemote client and a remote VPN-1 gateway connected over the Internet.)
Transparent fail-over of IPSec communications without loss of connectivity
Enables hot fail-over and load balancing across VPN gateways
Industry’s first transparent VPN fail-over that maintains session integrity
Architecture of a Distributed System
(Slide diagram: users, clients/partners and the Internet in front of web servers, middleware, application servers and data storage, with internal WANs and LANs, DNS, messaging and backup/recovery behind them.)
Critical Elements of Security Architecture
AUDIT, DETECT, and SECURE
Three stages of the security process that are to be followed
Provide security agents
– Automated
– Continually monitor all systems
Ensures that Zombie Ants are not being introduced or
that Distributed Denial of Service conditions do not
occur
Call Centers
New systems available
– IP Inclusive
– Secure
– Minimize Labor Element
– Customer Oriented
– Flexible
– High Performance
Products Vendors
– Lucent
– Others
Recommendation for Support
Added Notes:
Biometric and smart card technology can be applied where appropriate
– Biometrics is being tested
Standards still in the mill
People issue – many feel uneasy about providing fingerprints, eye scans, or physical variations as a means to set up secure operations
Firms exist to do this today (e.g., International Biometric Group)
– Smart cards now used by GSA for their badges have fingerprints embedded (3GI developed this – locally available support)
See ITPro May/Jun 2000 issue, page 24, article on Electronic and Digital Signatures: In Search of a Standard by Tom Wells, CEO of b4bpartner, Inc. (Florida firm)
List of PKI Operation Reference Specs and
Requirements
DOD5200R – DOD 5200.2-R, Personnel Security Program.
FIPS1401 – Security Requirements for Cryptographic Modules, 1994-01. http://csrc.nist.gov/fips/fips1401.htm
FIPS112 – Password Usage, 1985-05-30. http://csrc.nist.gov/fips/
FIPS186 – Digital Signature Standard, 1994-05-19. http://csrc.nist.gov/fips/fips186.pdf
FPKI-E – Federal PKI Version 1 Technical Specifications: Part E – X.509 Certificate and CRL Extensions Profile, 7 Jul 1997. http://csrc.nist.gov/pki/FPKI7-10.DOC
ISO9594-8 – Information Technology – Open Systems Interconnection – The Directory: Authentication Framework, 1997. ftp://ftp.bull.com/pub/OSIdirectory/ITU/97x509final.doc
NS4005 – NSTISSI 4005, Safeguarding COMSEC Facilities and Material, 1997 August.
List of PKI Operation Reference Specs
and Requirements (Concluded)
NS4009 – NSTISSI 4009, National Information Systems Security Glossary, 1999 January.
RFC2510 – Adams and Farrell. Certificate Management Protocol, 1999 March. http://www.ietf.org/rfc/rfc2510.txt
RFC2527 – Chokhani and Ford. Certificate Policy and Certification Practices Framework, 1999 March. http://www.ietf.org/rfc/rfc2527.txt
SDN702 – SDN.702, Abstract Syntax for Utilization with Common Security Protocol (CSP), Version 3 X.509 Certificates, and Version 2 CRLs, Revision 3, 31 July 1997. http://www.armadillo.Huntsville.al.us/Fortezza_docs/sdn702rev3.pdf
SDN706 – X.509 Certificate and Certification Revocation List Profiles and Certification Path Processing Rules for MISSI, Revision 3.0, 30 May 1997. http://www.armadillo.Huntsville.al.us/Fortezza_docs/sdn706r30.pdf
Information Technology Security Program – used for assessing and modifying existing security policies; draft from CIO Council, March 2000.
Circular A-130 – Management of Federal Information Resources, OMB.
Special Pub 800-14 – Generally Accepted Principles and Practices for Securing Information Technology Systems (GSSP), NIST.
Operational Documentation Checklist
Project Plan
CONOPS
System Security Plan (SSP)
Risk Assessment
Waiver Letter(s)
Approvals to Test
Interim Approvals to Operate
Certificate Policy
Subscriber Agreement
Security Program Elements
Mint-wide Security Program
– planning and managing to provide a framework and continuing cycle of activity for managing risk, developing security policies (in conjunction with the Office of Protection), assigning responsibilities, and monitoring the adequacy of the Mint's computer-related controls.
Access Control
– controls that limit or detect access to computer resources (data, programs, and equipment) and protect these resources against unauthorized modification, loss or disclosure.
Segregation of Duties
– establishing policies, procedures, and an organizational structure such that one individual cannot control key aspects of IT-related operations and thereby conduct unauthorized actions or gain unauthorized access to assets or records.
Service Continuity
– implementing controls to ensure that when unexpected events occur (e.g., a virus) critical operations continue without interruption or are promptly resumed, and critical and sensitive information is protected.
Comprehensive Network Security Policy Approach
Reference Model: Mission; Policy; Sec. Org Structure; Sec. Implementation Procedures; Awareness, Training, & Education; Phy & Env Protection; Connectivity Controls; Access Controls; Sys Admin Controls; Storage Media Controls; Accountability Controls; Assurance
Protect Model: Deny, Detect, Assess, Train, Enforce
Response Model: Respond, Report, Isolate, Contain, Recover
Network Security Model
(Slide diagram, read top to bottom: start from the Network Security Strategic Reference Model and the threat.)
Level 1. System Mission
Level 2. Value of Information
Security Policy, driven by the Protect Model (Deny, Detect, Assess, Train, & Enforce) and the Response Model (Respond, Report, Isolate, Contain, & Recover)
Level 3. Security Organizational Structure
Level 4. Security Implementation Procedures
Level 5. Security Awareness, Training, & Education
Level 6. Physical & Environmental Systems Protection
Level 7-11. Controls: System Access, Connectivity, Administration, Storage Media, & Accountability
Level 12. Assurance
Telecommunications Trends and Increasing Complexity
(Slide chart: data rates from 10 bps to 100 Gbps plotted against the years 1950-2000. Wired milestones: direct access 75 bps; dial-up 300 bps; early modem access 1200 bps; modem access 9.6 Kbps; X.25 56 Kbps; ISDN; IBM's Token Ring 16 Mbps; Ethernet (IEEE 802.3) 10 Mbps; Fast Ethernet 100 Mbps; FDDI 100 Mbps; ATM/SONET networks 155 Mbps to 10 Gbps+. Wireless systems: ARDIS (4.8 - 19.2 Kbps); RAM (8 Kbps); AMPS (analog); LMDS/MMDS wireless 100 Mbps in the 2.4 - 38 GHz upper band; 3G wireless 256 Kbps - 2 Mbps+.)
Frequency Band Trends (39-50 MHz, 150 MHz, 400 MHz, 800 MHz, 700 MHz, 2.5 GHz, 5 GHz, 28 GHz, 38 GHz)
Local/Multichannel Multipoint Distribution System (LMDS/MMDS) Wireless; Analog/Digital Cable Technology (unlicensed 2.4 - 2.5 GHz bands, licensed 24 - 38 GHz bands, with data rates in the 1.5 to 155 Mbps range)
RAM - Radio Analog Mobile Service
ARDIS - Advanced Radio Data Information Service
AMPS - Analog Mobile Paging System