booz allen day1_hipaa conference2011 secure mobile and wireless
TRANSCRIPT
-
7/29/2019 Booz Allen Day1_HIPAA Conference2011 Secure Mobile and Wireless
1/26
This document is confidential and is intended solely for the use and information of the client to whom it is addressed.
Trends for the Mobility-Enabled Healthcare Enterprise andSecurity Threats, Vulnerabilities, and Countermeasures
NIST HIPAA ConferenceMay 10, 2011
-
7/29/2019 Booz Allen Day1_HIPAA Conference2011 Secure Mobile and Wireless
2/26
Agenda
Context for Mobile Health
Risks
Security Implementation Considerations
1
-
7/29/2019 Booz Allen Day1_HIPAA Conference2011 Secure Mobile and Wireless
3/26
Health care has increasingly used technology to expand itsreach or enhance delivery
Hippocrates (460-377 B.C) and Galen
(131-201 A.D) documented theirpatients process of healing to improve
patient care.
1901 the Trans-Atlantic radio
introduced and by 1924, envisioned
this technology bringing the doctor toour home
1946 the ENIAC computer introduced
1950 the transmission of radiologic
images by telephone between WestChester and Philadelphia (24 miles
was reported in the scientific literature)
1970s a growing number of electronic
medical records systems wereintroduced
Rapid advancements of today bring even more possibilities tomorrow
2
http://www.google.com/imgres?imgurl=http://www.telemedicineinsider.com/images/2005/11/Telemedicine.jpg&imgrefurl=http://www.telemedicineinsider.com/&usg=__YwdOey7wxGcNOYMJ0vJBXiIsczQ=&h=393&w=300&sz=9&hl=en&start=1&zoom=1&tbnid=BD8ZbyqUpQ2TyM:&tbnh=124&tbnw=95&ei=BGG5TYeOO4e4tgeYt6HeBA&prev=/search?q=telemedicine+images&hl=en&gbv=2&tbm=isch&itbs=1 -
7/29/2019 Booz Allen Day1_HIPAA Conference2011 Secure Mobile and Wireless
4/26
Today, mobility and anywhere connectivity is being usedto transform business, drive productivity, and redefine theworkplace
1990s
1980s
2000s2010s
Desktops
Laptops
2G Mobile
Phones
3G Smart
Devices
Consumer
Driven Mobility
3
-
7/29/2019 Booz Allen Day1_HIPAA Conference2011 Secure Mobile and Wireless
5/26
The explosion of new devices and applications focused onhealthcare solutions is resulting in mHealth
a term used for the practice of medical and public health,supported by mobile devices
4
http://www.knowabouthealth.com/wp-content/uploads/2011/01/iPhone_health_apps.jpg -
7/29/2019 Booz Allen Day1_HIPAA Conference2011 Secure Mobile and Wireless
6/26
These mobile solutions offer significant opportunity forimprovements across the health market
5
Examples
Education
Search the web forhealth information
Utilize localsoftware orremote enterpriseapplications
Conduct patient
education orreview resultsbedside
Remindersand Alerts
Local alarm orcalendar alerts
Register forservice calls;text messages
Enter informationfor personalized
responses
DataCollection
Patient History atthe Bedside; homevisits
Personal HealthRecords local orhosted
Door to door
surveys andresearch protocoldata collection
CareDelivery
View patientinformation, labs,images
Remotemonitoring &consults
Prescription
ordering Dictation
Clinical DecisionSupport
Emergency/Events
Collect andtransmit patientdata at the point ofcare
Transmit imagesfrom the scene
Obtain guidance
and startintervention
http://m.medlineplus.gov/ -
7/29/2019 Booz Allen Day1_HIPAA Conference2011 Secure Mobile and Wireless
7/26
Success of these mobile solutions requires a holistic andintegrated approach
Clinical Integration
Usability
SustainabilitySecurity and Privacy
6
-
7/29/2019 Booz Allen Day1_HIPAA Conference2011 Secure Mobile and Wireless
8/26
As users increasingly rely on mobility for health careservices, the risk of data compromise escalates
7
Potential Threats and Vulnerabilities
Enterprise Resources
Pr
otectionNeeds
Unsecured Wireless
Malware Attacks
Location Tracking
Threats to theEnterprise
Device Loss
Vulnerabilities
-
7/29/2019 Booz Allen Day1_HIPAA Conference2011 Secure Mobile and Wireless
9/26
Context for Mobile Health
Risks
Security Implementation Considerations
8
-
7/29/2019 Booz Allen Day1_HIPAA Conference2011 Secure Mobile and Wireless
10/26
As security professionals, we have been playing catch-up bytrying to learn, analyze, and secure mobile technologies
Realize substantial savings, increased information dissemination frompreviously disparate systems, and enhanced real-time and operationalefficiencies
Ability to integrate communications more closely with business
processes Anywhere and anytime access to email, calendars, and applications
Enabled business processes applications with automated alerts andcontext-driven architectures
9
Increasing Security Posture
GrassrootsMobility
Ad HocMobility
StructuredMobility
OptimizedMobility
-
7/29/2019 Booz Allen Day1_HIPAA Conference2011 Secure Mobile and Wireless
11/26
Mobile technologies extend the wired infrastructure butintroduce many new challenges for information securitypersonnel
Personal devices vs. care delivery organization (CDO)
Connectivity from anywhere and everywhere
Multiple devices and OS platforms
Multiple applications to support
Data is outside the secure perimeter
Hard to distribute security controls
Access complexities (power users, etc)
Device management
10
-
7/29/2019 Booz Allen Day1_HIPAA Conference2011 Secure Mobile and Wireless
12/26
11
Our goal is to move employees to technologies that providegreater mobility, efficiency, and productivity
Mobility Challenges
Information security concerns
Business processes canchange dramatically,presenting organizationalchallenges
The business case is complex
Point solutions that do not
address total requirement Technical issues surrounding
connectivity
Standards are evolving
Evolving policies andcorporate governance relatedto mobile devices
Human acceptance of newtechnology
Integrating dynamic mobiledevices with legacyinformation systems
Maintaining the userexperience
Security Challenges
Data disclosure (storage andtransmission)
Physical security
Strong authentication / multi-factor authentication
Multi-user support; separateorganizational and personal
data Safe browsing
Operating systems andabundance of hardwareplatforms
Application isolation
Malware, phishing
Updates App, OS, andFirmware mechanisms
Geolocation privacy Improper decommissioning
Mobile Security
Considerations
-
7/29/2019 Booz Allen Day1_HIPAA Conference2011 Secure Mobile and Wireless
13/26
The potential effects of risk from mobility include more thanjust eavesdropping on mobile users
Unauthorized monitoring and disclosure of ePHI
Unauthorized modification of ePHI
Unauthorized or fraudulent use of ePHI
Radio frequency interference or disruption of service
Radio traffic analysis and operations security
12
In addition, mobile and wireless technologytypically increases network complexity
Complexity is the enemy of security
Provides more points of entry to intruders
Mobile security tools and technologies are not
standardized
-
7/29/2019 Booz Allen Day1_HIPAA Conference2011 Secure Mobile and Wireless
14/26
So how bad is it really?
According to the Department of Health and Human Services, 9,300 medicaldata breaches were reported under HIPAA/HITECH between September 23,2009 and September 30, 2010
Recent Breaches
18 April Sensitive personally identifiable information (PII) was stolen from Android
Skype users by malicious third-party applications
Any third-party application with data harvesting capabilities could steal data
Stolen data included customer names, date of birth, location, account balances,
phone numbers, email addresses, and biographic details
17 March BlackBerry JavaScript vulnerability allowed hackers to steal user data
Remote code execution attack provided access to media cards and storage
02 March Two dozen infected applications were removed from Android Marketplace
Malware was capable of rooting devices and stealing data
Over 200,000 of these applications were downloaded 22 February Financial data was stolen from thousands of Symbian and Windows
mobile users
Zeus malware captured sensitive financial transaction authentication numbers
13
-
7/29/2019 Booz Allen Day1_HIPAA Conference2011 Secure Mobile and Wireless
15/26
Mobility SecurityPolicy andPlanning
Mobility RiskAssessment
Mobility SecuritySolutions
Mobility SecurityOperations andAdministration
Establish a strong security policy foundation and riskmanagement program for mobile solutions
Define the mobile concept of operations (CONOPS)
Develop and integrate the applications that allow the mobile
services to be secure in the enterprise
Make engineering tradeoffs and procurement decisions Migrate legacy systems
Enterprise mobile solutions are operated and
administered according to defined requirements
Security posture is periodically evaluated for compliance
Assess the threats and vulnerabilities faced by the
enterprise
Define a package of security countermeasures thatmitigate the risks to an acceptable level
Implementation of mobile application technology will requireintegrating a number of cyber-security, privacy, andconfidentiality measures
14
-
7/29/2019 Booz Allen Day1_HIPAA Conference2011 Secure Mobile and Wireless
16/26
Context for Mobile Health
Risks
Security Implementation Considerations
15
-
7/29/2019 Booz Allen Day1_HIPAA Conference2011 Secure Mobile and Wireless
17/26
16
The proper strategic imperatives to support a mobileecosystem must be developed and thoroughly explored inthe beginning
StandardizationHW and SWstandardization must beconsidered from start toreduce maintenance costs Security
Requirements of
HIPAA, FISMA, OMB,and Privacy Act of1974
IntegrationIntegration is key to theeffectiveness of system;integration with back endsystems must beevaluated
Patient SafetyVital factor in driving the
implementation of mobilityin the health care field
Asset ManagementHardware and userassessment must be
regularly monitored todetermine overall system
effectiveness and toremove defective care
delivery devices
-
7/29/2019 Booz Allen Day1_HIPAA Conference2011 Secure Mobile and Wireless
18/26
Successfully implementing enterprise mobility requires anadvanced Secure Mobility Framework
Implement technical policies and
procedures that allow and restrictsystem and data access
Unique identification, multi-factor
authentication (AuthN) and role-based
authorization (AuthZ) access controls
Continuous monitoring and detection
for unauthorized wireless activity Data encryption (at rest and in transit)
Configuration documentation
Physical access controls, includingsession/device timeouts
Security testing and evaluation
Conduct risk analysis Incorporate into Security Awareness
training
Software Assurance
17
S
ecureMobilityF
ramework
Policy Planning & Guidance
Operations Optimization
Acquisition & Procurement
Testing
Secure Infrastructure
Hardware/OSAccreditation
Authorized EndDevice
Mobile ApplicationCertification
Mobile ApplicationDistribution
Hardware/OSMobile Application
Development
-
7/29/2019 Booz Allen Day1_HIPAA Conference2011 Secure Mobile and Wireless
19/26
18
Mobile security implementation includes all components ofthe communications system
People
Implement technicalpolicies and
procedures that allowand restrict systemand data access
Have an approval
policy and process
Use only approveddevices andimplement controls togrant/restrict remote
access
Conduct asolution/technologyrisk assessment
Provide end usersecurity andawareness training
Policy groups/role-based access
End-point
ePHIConfidentiality/Integrity
Unique two-factor/PIN
local and enterpriseAuthN
Access control to localdevice
Application-levelsecurity controls
Device interrogationfor enterprisecompliance andaccess (phase 2 & 3)
Audit controls
Remote wipe (phase 2& 3)
Data separation(personal versussensitive)
Automatic logoff
Commun-
ications
Patient History at theBedside; home visits
Personal Health
Records local orhosted
Door to door surveysand research protocoldata collection
Perimeter
View patientinformation, labs,
images
Remote monitoring &consults
Prescription ordering
Dictation
Clinical DecisionSupport
Enterprise
Collect and transmitpatient data at the
point of care
Transmit images fromthe scene
Obtain guidance andstart intervention
-
7/29/2019 Booz Allen Day1_HIPAA Conference2011 Secure Mobile and Wireless
20/26
To successfully reduce risk, CDOs must extend enterprisesecurity throughout their mobile ecosystem
The HIPAA
Security Rule Access Control164.312(a)(1)
Audit Controls164.312(b)
Integrity164.312(c)(1)
Person or EntityAuthentication164.312(d)(1)
Transmission Security
164.312(e)(1)
19
-
7/29/2019 Booz Allen Day1_HIPAA Conference2011 Secure Mobile and Wireless
21/26
Security can be implemented by integrating and leveragingexisting enterprise security capabilities for mobiletechnologies
20
Notional Network
Anti-Virus &Hostile Code
Management
Security PolicyEnforcement &
Compliance
AuditingSystem
IntrusionDetection
System
Public KeyInfrastructure
IdentityManagement
System
NetworkManagement
System
-
7/29/2019 Booz Allen Day1_HIPAA Conference2011 Secure Mobile and Wireless
22/26
Risk Assessment
Pilot programs
Security overlay
ST&E
Certification and
Accreditation
Enrollment
procedures
System AdminTraining
Process
improvement
Policy
Departmental
guidance
Roles andResponsibilities
Security
enforcementframework
21
As with any technology, the goal is to balance conveniencewith security
OperationsIntegration
TechnologyImplementation
-
7/29/2019 Booz Allen Day1_HIPAA Conference2011 Secure Mobile and Wireless
23/26
NIST SP 800-53 Rev3 Mobile Enterprise Solution (example)
Category Control Name Control No. IT PolicyRecommended
SettingComments
Access ControlUse of External
Information SystemsAC-20
Allow InternalConnections
FALSE
Specifies whetherapplications, includingthird-party applications,
can initiate internalconnections
System andCommunications
ProtectionMobile Code SC-18
Allow Resettingof Idle Timer
FALSE
Permits third-party
applications to resetthe inactivity timeout
value, bypassing thesecurity timeout value
Access ControlConcurrent Session
ControlAC-10
Allow Split-pipeConnections
FALSE
Specifies whetherapplications, includingthird-party, can open
internal and externalconnections
simultaneously
Leverage both civil and defense policy and guidance to secure yourmobile and wireless investments (i.e. CNSS, DHS, HHS, NIST, VA andDISA Wireless STIGs)
22
Security professionals should leverage NIST guidance andother industry best practices to establish baseline securityrequirements for mobile technologies
-
7/29/2019 Booz Allen Day1_HIPAA Conference2011 Secure Mobile and Wireless
24/26
Key Initiatives and Resources
The HIPAA Security Rule can be found at HHS.gov:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
Health information technology (Health IT) allows comprehensivemanagement of medical information and its secure exchange betweenhealth care consumers and providers:http://healthit.hhs.gov/portal/server.pt
The National Institute of Standards and Technology
23
SP 800-48 Rev1 - Guide to Securing Legacy
IEEE 802.11 Wireless Networks
SP 800-66 Rev1 - An Introductory Resource
Guide for Implementing the Health Insurance
Portability and Accountability Act (HIPAA)
Security Rule
SP 800-97 - Establishing Wireless Robust
Security Networks: A Guide to IEEE 802.11i
SP 800-98 - Guidelines for Securing Radio
Frequency Identification (RFID) Systems
SP 800-111 - Guide to Storage Encryption
Technologies for End User Devices
SP 800-121 - Guide to Bluetooth Security
SP 800-122 - Guide to Protecting the
Confidentiality of Personally Identifiable
Information (PII)
SP 800-127 - Guide to Securing WiMAX
Wireless Communications
IR 7497 - Security Architecture Design Process
for Health Information Exchanges (HIEs)
-
7/29/2019 Booz Allen Day1_HIPAA Conference2011 Secure Mobile and Wireless
25/26
Closing remarks
Dont ignore investigate the complete range of mobile devices
necessary to enhance various clinical and business workflows withinthe enterprise
Set strategy realize that mobile and wireless technologies will createnew privacy and security challenges that will require new policies andtechnical controls; be sure to include device ownership, support, andmaintenance
Set integration approach and employ standards-based technologieswhere possible
Monitor and manage mobile devices and supporting infrastructure
24
-
7/29/2019 Booz Allen Day1_HIPAA Conference2011 Secure Mobile and Wireless
26/26
Contact Information
25
Ilene Yarnoff
Principal
Booz | Allen | Hamilton
(o) 703/917-2574
www.boozallen.com
Brenda EckenPrincipal
Booz | Allen | Hamilton
(o) 571/346-5854