Security Considerations for Health Care Organizations

Disclaimer

 This Presentation is provided “as is” without any express or implied warranty. This Presentation is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney.

Trust and Risk

 Do you trust the Internet?

 Do you trust wireless Cell phone Communications?

 Are you sure that the person at the other end of the connection is who they say they are?

Trust and Risk

 Electronic Fund Transfer Act effective 1979 (15 U.S.C.)], the credit card and ATM industry was forced to limit personal financial risk to users (usually $50 maximum if cards used fraudulently)  Approach focused on reducing

risk

since technology was not yet ready  Limiting

risk

compensates for a lack of

trust

 Many consider this approach however, as a band-aid to the real issue – increasing user

trust

 What is available and what can be provided?

Typical Hacker Threats and Protections

 Hackers  Masquerading  Eavesdropping  Interception  Address Spoofing  Data Manipulation  Dictionary Attack  Replay Attacks  Denial of Service  Protection – Authentication – Encryption – Digital Carts./Signatures – Firewalls – Encryption – Strong Passwords – Time Stamping & sequence Numbers – Authentication

Common Internet Attacks and Typical Fixes

Internet Attacks  Root access by buffer overflows  Distributed Denial of Service  E-Mail spamming, and relaying  Exploitation of misconfigured software and servers  Mail attachment attacks Fixes  Upgrade Systems;Training  Creating attack bottlenecks and coordination  Training  Verification/Certification of Software  Training of Users to recognize Attachments

Goals of Security Measures

 Authentication – Who or what am I transacting with?

 Access Control – transaction?

Is the party allowed to enter into the  Confidentiality – transaction?

Can any unauthorized parties see the  Integrity – expected?

Did the transaction complete correctly and as  Non-Repudiation – Are authorized parties assured they will not be denied from transacting business

Virtual Private Networks (VPN)

LAN/WAN

 Provides Virtual Network Connectivity  User to LAN/WAN  LAN/WAN to LAN/WAN  Encrypted at the TCP/IP Level  Provides Protected Communications for All TCP/IP Services

LAN/WAN

Firewalls

 Provides Traffic Management in Both Directions  Generally Located at Border between Public and Private Networks  Features Include  Proxy Server/Network Address Translation (NAT)  User Name/Password Authentication  Packet Filtering  Stateful vs. Stateless Packet Processing  Traffic Audit Logs

Intrusion Detection System (IDS)

?

?

LAN/WAN ?

!!!!

?

  Audit     Store security-pertinent system data Detect traffic patterns Develop reports and establish critical parameters intrusion criteria using agent software Set up revocation lists Detect   Predefine flexible security violations criteria (e.g., identify zombie placement, Super User, Root user occurrences) Be proactive  Become network-oriented  Secure  Fix applications or alterations that were made by an attacker where appropriate (e.g., Trojan Horse ID, Zombie Ant detection eliminated)

Backup Charts

Firewall-1 / VPN-1 High Availability

Secondary VPN-1 Gateway Primary VPN-1 Gateway

IKE Synchronization

Internet

VPN-1 SecuRemote VPN-1 Gateway  Transparent fail-over of IPSec communications without loss of connectivity   Enables hot fail-over and load balancing across VPN gateways Industry’s first transparent VPN fail-over that maintains session integrity

Architecture of a Distributed System

Web Servers Middleware App Servers DNS Messaging Web Servers Middleware App Servers User Internal WANs and LANs Internet User User Clients/ Partners Data Storage Backup/ Recovery User Data Storage

Critical Elements of Security Architecture

 AUDIT, DETECT, and SECURE  Three stages of secure process that are to be followed  Provide security agents  Automated  Continually monitor all systems  Ensures that Zombie Ants are not being introduced or that Distributed Denial of Service conditions do not occur

Added Notes:

 Biometric and Smart Card Technology can be applied where appropriate  Biometrics is being tested  Standards still in the mill  People issue – many feel uneasy about providing fingerprints of eye scans, or physical variations as means to set up secure operations)  Firms exist to do this today (e.g., International Biometric Group)  Smart cards now used by GSA for their badges have fingerprints embedded (3GI developed this – locally available support)

Operational Documentation Checklist

 Project Plan  System Security Plan (SSP)  Risk Assessment  Waiver Letter(s)  Approvals to Test  Interim Approvals to Operate  Certificate Policy  Subscriber Agreement

Security Program Elements

  Wide Security Program  planning and managing to provide a framework and continuing cycle of activity for managing risk, developing security policies (in conjunction with the Office of Protection), assigning responsibilities, and monitoring the adequacy of the computer-related controls.

Access Control –  controls that limit or detect access to computer resources (data, programs, and equipment) that protect these resources against unauthorized modification, loss or disclosure.

 Segregation of Duties –  establishing policies, procedures, and an organizational structure such that one individual cannot control key aspects of IT-related operations and thereby conduct unauthorized actions or gain unauthorized access to assets or records.

 Service Continuity –  implementing controls to ensure that when unexpected events occur (i.e., virus) critical operations continue without interruption or are promptly resumed and critical and sensitive information is protected.

Comprehensive Network Security Policy Approach

Reference Model Mission Policy Sec. Org Structure Sec. Implementation Procedures Awareness, Training, & Education Phy & Env Protection Connectivity Controls Access Controls Sys Admin Controls Storage Media Controls Accountability Controls

Assurance

Response Model Respond Report Isolate Contain Recover Protect Model Deny Detect Assess Train Enforce

Network Security Model

Value of Information Threat Response Model Contain, & Recover Protect Model Deny, Detect, Assess, Train, & Enforce Respond, Report, Isolate, Start Network Security Strategic Reference Model Level 1.

System Mission Level 2.

Security Policy Level 3. Security Organizational Structure Level 4. Security Implementation Procedures Level 5. Security Awareness, Training , & Education Level 6.

Physical & Environmental Systems Protection Level 7-11.

Controls: System Access, Connectivity, Administration, Storage Media, & Accountability Level 12. Assurance