FEF Group eHealth Privacy 1 Security Considerations for Health Care Organizations Frank E. Ferrante...

FEF Group eHealth Privacy: Security Considerations for Health Care Organizations. Frank E. Ferrante, President, FEF Group, LLC; Chair, MTPC. 11 January 2001. Presented at SAINT2001 Global Telehealth/Telemedicine and the Internet Workshop, San Diego, CA

Transcript of FEF Group eHealth Privacy 1 Security Considerations for Health Care Organizations Frank E. Ferrante...

Page 1: FEF Group eHealth Privacy 1 Security Considerations for Health Care Organizations Frank E. Ferrante President FEF Group, LLC Chair MTPC 11 January 2001.

FEF Group eHealth Privacy

Security Considerations for Health Care Organizations

Frank E. Ferrante, President, FEF Group, LLC

Chair MTPC

11 January 2001

Presented at SAINT2001 Global Telehealth/Telemedicine and the Internet Workshop

San Diego, CA

Page 2: Outline

HIPAA
HHS Patient Information Privacy
Threats and Protection Mechanisms
Information Protection Rules
Typical Security Architectural Views
Policies to be considered

Page 3: HIPAA

IEEE-USA’s Medical Technology Policy Committee Positions
– Implementation timetable of two years
– Patient information must be protected by all means of electronic transmission and storage (includes fax, phone, wireless)
– Authorization for accessing data bases must be assured
– IEEE USA recommended coordination among agencies and organizations on a more realistic time schedule
Costs for compliance in two years as estimated in the HIPAA NPRM - too low (conflict between timely compliance and financial viability)
IEEE recommended effective date be divided into three phases
– Phase 1: Includes preparing Policies, Plans and Risk Assessments (my estimate: 1 year)
– Phase 2: Certify new hardware, software and firmware (my estimate: 2 years)
– Phase 3: Replace installed base of hardware, software and firmware with HIPAA-compliant products (my estimate: 3 to 5 year program)
  • Changes date of compliance to 2008 not 2002 (realistic given cost, technology changes, and training for implementation)

Page 4: New Patient Privacy Regulations

Takes effect in two years (2003)
Bars all health care providers and insurance companies from disclosing private health information for non-health related purposes
Doctors required to have written permission from patient before sharing patient information (includes billing and treatment)
Prohibits employers from perusing medical information on employees and job applicants
If an employer manages their own healthcare plan it cannot use the employee’s information for anything other than for healthcare
RULE COVERS BOTH ELECTRONIC AND PAPER RECORDS
Penalties: $100 per violation ($25,000 max/yr); $250,000 and 10 yrs prison
LAW ENFORCEMENT CAN OBTAIN ACCESS TO RECORDS WITH AN ADMINISTRATIVE SUBPOENA OR SUMMONS (NO COURT NEEDED)

Page 5: Healthcare Information Sharing

Consulting physicians;
Managed care organizations;
Health insurance companies
Life insurance companies;
Self-insured employers;
Pharmacies;
Pharmacy benefit managers;
Clinical laboratories;
Accrediting organizations;
State and Federal statistical agencies; and
Medical information bureaus.

Page 6: Information Protection Failures

A Michigan-based health system accidentally posted the medical records of thousands of patients on the Internet (The Ann Arbor News, February 10, 1999).

A Utah-based pharmaceutical benefits management firm used patient data to solicit business for its owner, a drug store (Kiplingers, February 2000).

An employee of the Tampa, Florida, health department took a computer disk containing the names of 4,000 people who had tested positive for HIV, the virus that causes AIDS (USA Today, October 10, 1996).

The health insurance claims forms of thousands of patients blew out of a truck on its way to a recycling center in East Hartford, Connecticut (The Hartford Courant, May 14, 1999).

A patient in a Boston-area hospital discovered that her medical record had been read by more than 200 of the hospital's employees (The Boston Globe, August 1, 2000).

A Nevada woman who purchased a used computer discovered that the computer still contained the prescription records of the customers of the pharmacy that had previously owned the computer. The pharmacy data base included names, addresses, social security numbers, and a list of all the medicines the customers had purchased. (The New York Times, April 4, 1997 and April 12, 1997).

A speculator bid $4000 for the patient records of a family practice in South Carolina. Among the businessman's uses of the purchased records was selling them back to the former patients. (New York Times, August 14, 1991).

In 1993, the Boston Globe reported that Johnson and Johnson marketed a list of 5 million names and addresses of elderly incontinent women. (ACLU Legislative Update, April 1998).

A few weeks after an Orlando woman had her doctor perform some routine tests, she received a letter from a drug company promoting a treatment for her high cholesterol. (Orlando Sentinel, November 30, 1997).

Page 7: Trust and Risk

Do you trust the Internet?
Do you trust wireless Cell phone Communications?
Are you sure that the person at the other end of the connection is who they say they are?

Page 8: Trust and Risk

Electronic Fund Transfer Act [effective 1979 (15 U.S.C.)], the credit card and ATM industry was forced to limit personal financial risk to users (usually $50 maximum if cards used fraudulently)
Approach focused on reducing risk since technology was not yet ready
Limiting risk compensates for a lack of trust
Many consider this approach, however, a band-aid for the real issue – increasing user trust
What is available and what can be provided?

Page 9: Typical Hacker Threats and Protections

Hackers                    Protection
– Masquerading             – Authentication
– Eavesdropping            – Encryption
– Interception             – Digital Certs./Signatures
– Address Spoofing         – Firewalls
– Data Manipulation        – Encryption
– Dictionary Attack        – Strong Passwords
– Replay Attacks           – Time Stamping & Sequence Numbers
– Denial of Service        – Authentication
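The slide pairs replay attacks with time stamping and sequence numbers. The following is an added example, not part of the original presentation, of a receiver that enforces both on authenticated messages; the message layout, the 30-second window, the key and the sample payload are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

# Assumed wire layout: 8-byte sequence number, 8-byte Unix timestamp,
# 32-byte HMAC-SHA256 tag over (header + payload), then the payload.
HEADER = struct.Struct(">QQ")
TAG_LEN = hashlib.sha256().digest_size


def seal(key: bytes, seq: int, timestamp: int, payload: bytes) -> bytes:
    """Sender side: bind sequence number and timestamp to the payload."""
    header = HEADER.pack(seq, timestamp)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + tag + payload


class ReplayGuard:
    """Receiver side: authenticate first, then apply freshness checks."""

    def __init__(self, key: bytes, max_skew: int = 30):
        self.key = key
        self.max_skew = max_skew   # accepted clock difference, in seconds
        self.last_seq = 0          # highest sequence number accepted so far

    def accept(self, message: bytes, now: int) -> str:
        if len(message) < HEADER.size + TAG_LEN:
            return "malformed"
        header = message[:HEADER.size]
        tag = message[HEADER.size:HEADER.size + TAG_LEN]
        payload = message[HEADER.size + TAG_LEN:]

        # The MAC covers the header, so an attacker cannot simply rewrite
        # the sequence number or timestamp of a captured message.
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"

        seq, timestamp = HEADER.unpack(header)
        # Time stamp: bounds how long a captured message stays usable,
        # even if the receiver has lost its sequence state.
        if abs(now - timestamp) > self.max_skew:
            return "stale-timestamp"
        # Sequence number: rejects a replay that arrives inside the window.
        if seq <= self.last_seq:
            return "replayed-sequence"

        self.last_seq = seq
        return "accepted"


def demo() -> list:
    key = b"constructed-demo-key-not-for-use"          # constructed sample key
    captured = seal(key, 1, 1000, b"constructed sample payload")
    guard = ReplayGuard(key)
    results = [
        guard.accept(captured, now=1002),              # first delivery
        guard.accept(captured, now=1003),              # replay inside window
    ]
    # Captured message with a rewritten header but the old tag.
    forged = HEADER.pack(2, 1003) + captured[HEADER.size:]
    results.append(guard.accept(forged, now=1003))
    # Receiver restarted and lost last_seq; old message replayed much later.
    restarted = ReplayGuard(key)
    results.append(restarted.accept(captured, now=5000))
    return results


if __name__ == "__main__":
    print(demo())
```

The last case shows why the slide lists both mechanisms together: after a restart the sequence check alone would pass the old message, and the timestamp is what rejects it.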

Page 10: Common Internet Attacks and Typical Fixes

Internet Attacks                                         Fixes
Root access by buffer overflows                          Upgrade Systems; Training
Distributed Denial of Service                            Creating attack bottlenecks and coordination
E-Mail spamming, and relaying                            Training
Exploitation of misconfigured software and servers       Verification/Certification of Software
Mail attachment attacks                                  Training of Users to recognize Attachments

Page 11: Goals of Security Measures

Authentication – Who or what am I transacting with?
Access Control – Is the party allowed to enter into the transaction?
Confidentiality – Can any unauthorized parties see the transaction?
Integrity – Did the transaction complete correctly and as expected?
Non-Repudiation – Are authorized parties assured they will not be denied from transacting business

Page 12: Goals Satisfied by Current Security Mechanisms

[Matrix chart. Rows (goals): Authentication, Access Control, Confidentiality, Integrity, Non-Repudiation. Columns (mechanisms): User Name/Password, Encryption, Firewall, Intrusion Detection System, Public Key Infrastructure, Virtual Private Network.]

Page 13: Public Key Infrastructure (PKI)

Public/Private Key
Most comprehensive security model to date
– Encryption
– Digital certificates for authentication
– Digital Signatures for non-repudiation
Certificates (Hash function and Certificate assignments automated)
– Integration into applications (Can be implemented Rapidly using existing CA Servers)

[Diagram labels: Certificate Authority; Sender's Private Key; Recipient's Public Key; Encrypted Message; Verify Digital Signature; Decrypt Message; Recipient's Private Key; Sender's Public Key; Digitally Signed Message]

Page 14: Global eCommerce Environment

[Diagram labels: Cross-certification; Bridging; Root Anchor; CA Islands; Distinguish Name Server (DINS)]

Distinguish Name Server (DINS)
• Distinguish name
• Path
• Policy map

Page 15: Virtual Private Networks (VPN)

Provides Virtual Network Connectivity
– User to LAN/WAN
– LAN/WAN to LAN/WAN
Encrypted at the TCP/IP Level
Provides Protected Communications for All TCP/IP Services

[Diagram labels: LAN/WAN; LAN/WAN]

Page 16: Firewalls

Provides Traffic Management in Both Directions
Generally Located at Border between Public and Private Networks
Features Include
– Proxy Server/Network Address Translation (NAT)
– User Name/Password Authentication
– Packet Filtering
– Stateful vs. Stateless Packet Processing
– Traffic Audit Logs

Page 17: Intrusion Detection System (IDS)

Audit
– Store security-pertinent system data
– Detect traffic patterns
– Develop reports and establish critical parameters intrusion criteria using agent software
– Set up revocation lists
Detect
– Predefine flexible security violations criteria (e.g., identify zombie placement, Super User, Root user occurrences)
– Be proactive
– Become network-oriented
Secure
– Fix applications or alterations that were made by an attacker where appropriate (e.g., Trojan Horse ID, Zombie Ant detection eliminated)

[Diagram label: LAN/WAN]

Page 18: Security Policies - Why Are They Needed?

Security policies drive the general security framework
Policies define what behavior is and is not allowed
Policies define who, what, and how much to trust
– Too much trust leads to security problems
– Too little trust leads to usability problems
– Principle of least access
Policies will often set the stage in terms of what tools and procedures are needed for the organization
Policies communicate consensus among a group of “governing” people
Computer security is now a global issue and computing sites are expected to follow the “good neighbor” philosophy

Page 19: Key Elements of an Information Protection Policy

Define who can have access to sensitive information
– special circumstances
– non-disclosure agreements
Define how sensitive information is to be stored and transmitted (encrypted, archive files, uuencoded, etc)
Define on which systems sensitive information can be stored
Discuss what levels of sensitive information can be printed on physically insecure printers.
Define how sensitive information is removed from systems and storage devices
Discuss any default file and directory permissions defined in system-wide configuration files.

Page 20: Key Elements of a Network Connection Policy

Defines requirements for adding new devices to your network.
Well suited for sites with multiple support teams.
Important for sites which are not behind a firewall.
Should discuss:
– who can install new resources on network
– what approval and notification must be done
– how changes are documented
– what are the security requirements
– how unsecured devices are treated

Page 21: Other Important Policies

Policy which addresses forwarding of email to offsite addresses
Policy which addresses wireless networks
Policy which addresses baseline lab security standards
Policy which addresses baseline router configuration parameters

Page 22: Backup Charts

Page 23: Open PKI Support for Customer Choice

[Diagram labels: Internet; Corporate Intranet; Mobile User; Remote Office; Customer Network; Supplier Network; Entrust; Verisign; Baltimore; Microsoft; Netscape]

Page 24: Firewall-1 / VPN-1 High Availability

[Diagram labels: Corporate Intranet; IKE Synchronization; Secondary VPN-1 Gateway; Primary VPN-1 Gateway; VPN-1 SecuRemote; VPN-1 Gateway; Internet]

Transparent fail-over of IPSec communications without loss of connectivity
Enables hot fail-over and load balancing across VPN gateways
Industry’s first transparent VPN fail-over that maintains session integrity

Page 25: Architecture of a Distributed System

[Diagram labels: Web Servers, Middleware, App Servers; DNS, Messaging; Data Storage; Backup/Recovery; User; Internet; Internal WANs and LANs; Clients/Partners]

Page 26: Critical Elements of Security Architecture

AUDIT, DETECT, and SECURE
Three stages of secure process that are to be followed
Provide security agents
– Automated
– Continually monitor all systems
Ensures that Zombie Ants are not being introduced or that Distributed Denial of Service conditions do not occur

Page 27: Call Centers

New systems available
– IP Inclusive
– Secure
– Minimize Labor Element
– Customer Oriented
– Flexible
– High Performance
Products Vendors
– Lucent
– Others
Recommendation for Support

Page 28: Added Notes:

Biometric and Smart Card Technology can be applied where appropriate
– Biometrics is being tested
  • Standards still in the mill
  • People issue – many feel uneasy about providing fingerprints, eye scans, or physical variations as a means to set up secure operations
  • Firms exist to do this today (e.g., International Biometric Group)
– Smart cards now used by GSA for their badges have fingerprints embedded (3GI developed this – locally available support)
See ITPro May/Jun 2000 issue, page 24, article on Electronic and Digital Signatures: In Search of a Standard by Tom Wells, CEO of b4bpartner, Inc (Florida firm)

Page 29: List of PKI Operation Reference Specs and Requirements

DOD5200R
– DOD 5200.2-R, Personnel Security Program.
FIPS1401
– Security Requirements for Cryptographic Modules, 1994-01. http://csrc.nist.gov/fips/fips1401.htm
FIPS112
– Password Usage, 1985-05-30. http://csrc.nist.gov/fips/
FIPS186
– Digital Signature Standard, 1994-05-19. http://csrc.nist.gov/fips/fips186.pdf
FPKI-E
– Federal PKI Version 1 Technical Specifications: Part E – X.509 Certificate and CRL Extensions Profile, 7 Jul 1997. http://csrc.nist.gov/pki/FPKI7-10.DOC
ISO9594-8
– Information Technology-Open Systems Interconnection-The Directory: Authentication Framework, 1997. ftp://ftp.bull.com/pub/OSIdirectory/ITU/97x509final.doc
NS4005
– NSTISSI 4005, Safeguarding COMSEC Facilities and Material, 1997 August.

Page 30: List of PKI Operation Reference Specs and Requirements (Concluded)

NS4009; NSTISSI 4009, National Information Systems Security Glossary, 1999 January.
RFC2510; Adams and Farrell. Certificate Management Protocol, 1999 March. http://www.ietf.org/rfc/rfc2510.txt
RFC2527; Chokhani and Ford. Certificate Policy and Certification Practices Framework, 1999 March. http://www.ietf.org/rfc/rfc2527.txt
SDN702; SDN.702, Abstract Syntax for Utilization with Common Security Protocol (CSP), Version 3 X.509 Certificates, and Version 2 CRLs, Revision 3, 31 July 1997. http://www.armadillo.Huntsville.al.us/Fortezza_docs/sdn702rev3.pdf
SDN706; X.509 Certificate and Certification Revocation List Profiles and Certification Path Processing Rules for MISSI Revision 3.0, 30 May 1997. http://www.armadillo.Huntsville.al.us/Fortezza_docs/sdn706r30.pdf
Information Technology Security Program; (Used for assessing and modifying existing security policies) – Draft from CIO Council; March 2000.
Circular A-130; Management of Federal Information Resources, OMB
Special Pub 800-14; Generally Accepted Principles and Practices for Security Information Technology Systems (GSSP), NIST


Operational Documentation Checklist

Project Plan

CONOPS

System Security Plan (SSP)

Risk Assessment

Waiver Letter(s)

Approvals to Test

Interim Approvals to Operate

Certificate Policy

Subscriber Agreement


Security Program Elements

Mint-wide Security Program
– planning and managing to provide a framework and continuing cycle of activity for managing risk, developing security policies (in conjunction with the Office of Protection), assigning responsibilities, and monitoring the adequacy of the Mint's computer-related controls.

Access Control
– controls that limit or detect access to computer resources (data, programs, and equipment) that protect these resources against unauthorized modification, loss or disclosure.

Segregation of Duties
– establishing policies, procedures, and an organizational structure such that one individual cannot control key aspects of IT-related operations and thereby conduct unauthorized actions or gain unauthorized access to assets or records.

Service Continuity
– implementing controls to ensure that when unexpected events occur (e.g., a virus), critical operations continue without interruption or are promptly resumed, and critical and sensitive information is protected.


Comprehensive Network Security Policy Approach

[Figure: diagram of three models and their elements]

Reference Model: Mission; Policy; Sec. Org Structure; Sec. Implementation Procedures; Awareness, Training, & Education; Phy & Env Protection; Connectivity Controls; Access Controls; Sys Admin Controls; Storage Media Controls; Accountability Controls; Assurance

Protect Model: Deny; Detect; Assess; Train; Enforce

Response Model: Respond; Report; Isolate; Contain; Recover


Network Security Model

[Figure: Network Security Strategic Reference Model; other figure labels: Value of Information, Threat, Start]

Level 1. System Mission

Level 2. Security Policy

Level 3. Security Organizational Structure

Level 4. Security Implementation Procedures

Level 5. Security Awareness, Training, & Education

Level 6. Physical & Environmental Systems Protection

Level 7-11. Controls: System Access, Connectivity, Administration, Storage Media, & Accountability

Level 12. Assurance

Protect Model: Deny, Detect, Assess, Train, & Enforce

Response Model: Respond, Report, Isolate, Contain, & Recover


Telecommunications Trends and Increasing Complexity

[Figure: chart of data rates over time. Horizontal axis: years, 1950 to 2000. Vertical axis: Data Rates, 10 bps to 100 Gbps. Chart labels: Early Modem Access; 75 bps; 300 bps Dial-Up; 1200 bps; Direct Access; 9.6 Kbps Modem Access; X.25 56 Kbps; ISDN; Ethernet (IEEE 802.3) 10 Mbps; IBM's Token Ring 16 Mbps; FDDI 100 Mbps; Fast Ethernet 100 Mbps; ATM/SONET Networks 10 Gbps+; Wireless Systems; AMPS (Analog); RAM (8 Kbps); ARDIS (4.8 - 19.2 Kbps); 3G Wireless 256 Kbps - 2 Mbps+; LMDS/MMDS Wireless 2.4 - 38 GHz upper band, 10-155 Mbps]

Frequency Band Trends (39-50 MHz, 150 MHz, 400 MHz, 800 MHz, 700 MHz, 2.5 GHz, 5 GHz, 28 GHz, 38 GHz)

Local/Multichannel Multipoint Distribution System (LMDS/MMDS) Wireless; Analog/Digital Cable Technology (unlicensed - 2.4 - 2.5 GHz bands, licensed - 24 - 38 GHz bands with data rates in the 1.5 to 155 Mbps range)

RAM - Radio Analog Mobile Service

ARDIS - Advanced Radio Data Information Service

AMPS - Analog Mobile Paging System