Post on 21-Dec-2015
Design of Health Technologies: Health Care Security
Healthcare IT Security
Security is a critical aspect of Health IT performance: without secure systems, privacy protection is impossible.
The Department of Health and Human Services (HHS) published a proposed "security rule" in August 1998. The final rule was adopted in February 2003.
It is a set of best practices for securing information systems. Compliance is mandatory for health providers, plans, and clearinghouses.
Security Rule Compliance
Large organizations were required to comply by April 21, 2005.
Small organizations must comply by April 21, 2006.
Final rule is available here:
http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp
Security Standard
• The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II)
• required the Department of Health and Human Services (HHS) to establish national standards for the security of electronic health care information
• to assure the confidentiality of electronic protected health information
• risks and possible mitigation strategies for remote use of and access to Electronic Protected Health Information (EPHI)
• a general list of suggestions for organizations that require remote use of sensitive health information
Background on HIPAA
Overview
• The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II)
• required the Department of Health and Human Services (HHS) to establish national standards for electronic health care transactions (records).
• It requires that employers have standard national numbers that identify them on standard transactions: the Employer Identification Number (EIN).
• It also addressed the security and privacy of health data.
• As the industry adopts these standards, the efficiency and effectiveness of the nation's health care system will improve through the use of electronic data interchange.
Security Rule Compliance
The security rule creates an additional burden on providers to improve their IT infrastructure.
On the flip side, the same improvements might improve service (e.g. enabling internet-based secure health information access, or secure wireless).
Another perspective is that any mandatory IT upgrade is an opportunity for global improvement: many problems can be fixed at once.
Data CIA (Confidentiality, Integrity, Availability)
The security rule is divided into 3 parts:
1. Administrative safeguards
2. Physical safeguards
3. Technical safeguards
Administrative safeguards
These steps are required at the highest level:
1. Risk Analysis must be performed
2. Risk Management sufficient for compliance
3. Sanction Policy: against employees who don't comply
4. Information System Activity Review: records & logs
5. Security Responsibility: assign a security official
Background: Software design and RISK Analysis
An example framework and template to facilitate building, integrating and deploying a software project: IBM Rational Software RUP, http://www-306.ibm.com/software/rational/
Background: Software design and RISK Analysis
1: Introduction
1-1: Objectives of the project
1-2: Constraints (budget, time etc.)
1-3: Scope of the product
2: Project Organization
2-1: Management activities
2-2: Project planning
2-3: Project scheduling
2-4: Risk management
3: Risk Analysis
3-1: Risk identification (table 3a)
3-2: Risk analysis (table 3b)
3-3: Risk planning (table 3c)
3-4: Risk monitoring (table 3d)
4: Hardware & Software Resource Requirements
A Multi-tiered Architecture (fig. 4a)
A Scalable Workflow Architecture (fig. 4b)
Redundant Replicated Architecture (fig. 4c)
Redundant Database Architecture (fig. 4d)
5: Work Breakdown
5-1: Requirements engineering
5-2: Global design
5-3: Iterations
6: Project Schedule (Microsoft Project)
6-1: Split the project into tasks and estimate the time and resources required to complete each task.
6-2: Organize tasks concurrently to make optimal use of the workforce.
6-3: Minimize task dependencies to avoid delays caused by one task waiting for another to complete.
6-4: Dependent on the project manager's intuition and experience.
7: Monitoring and Reporting Mechanisms
Background: Software design and RISK Analysis
3. Risk Analysis
3a) Risk Identification: identify the potential risks

Risk | Description | Affects
Technology
- Defective components | If any of the software modules are defective or improperly integrate with essential components like PayPal | Project
- Database performance | The customer profiles and textbook database are essential components | Project
- Hardware unavailability | The web servers are set up on a series of distributed servers to balance the potential peak load on the system | Project
- Technology changes | The software delivery methods like hand-held devices, phones etc. might necessitate design changes | Project
- Rational tools | The software suite from Rational may take some time to utilize fully and properly | Project
- Performance | If a large number of users access the system during peak periods, the system may not be able to handle it. Will design to maximum peak loads. | Project
Product
- Competition | There are a number of successful online book stores. The competition will foster a challenging environment to stay ahead and develop niche markets and lower price points. | Business
People
- Recruitment | Selecting the right people here in the U.S. and in India will be a challenge | Project
- Turnover | Experienced people will potentially leave, creating potential issues regarding skills and continuity | Project
- Staff illness | Individuals may get sick, putting schedules and deadlines at risk | Project
Management
- Changes | The organization may change priorities during the course of the project | Project
Organizational
- Financial problems | Cost overruns may hinder the project | Business
- Restructuring | Organizational restructuring may change priorities | Business
Requirements
- Changes | Requirements changes may appear during the project | Project and product
- Specification delays / size underestimates | Specifications and size underestimates may slow down the schedule | Project and product
Estimation
- Underestimated development time | The tasks may take longer than expected | Project
3b) Risk Analysis: to assess the likelihood and consequences of the risks in the above table

Risk | Description | Probability (Low, Medium, High) | Effects (Serious, Catastrophic)
Technology
- Defective components | If any of the software modules are defective or improperly integrate with essential components like PayPal | Low | Serious
- Database performance | The customer profiles and textbook database are essential components | High | Catastrophic
- Hardware unavailability | The web servers are set up on a series of distributed servers to balance the potential peak load on the system | Medium | Serious
- Technology changes | The software delivery methods like hand-held devices, phones etc. might necessitate design changes | Low | Serious
- Rational tools | The software suite from Rational may take some time to utilize fully and properly | Low | Serious
- Performance | If a large number of users access the system during peak periods, the system may not be able to handle it. Will design to maximum peak loads. | Medium | Serious
Product
- Competition | There are a number of successful online book stores. The competition will foster a challenging environment to stay ahead and develop niche markets and lower price points. | High | Catastrophic
People
- Recruitment | Selecting the right people here in the U.S. and in India will be a challenge | Low | Serious
- Turnover | Experienced people will potentially leave, creating potential issues regarding skills and continuity | Low | Serious
- Staff illness | Individuals may get sick, putting schedules and deadlines at risk | Low | Serious
Management
- Changes | The organization may change priorities during the course of the project | Medium | Serious
Organizational
- Financial problems | Cost overruns may hinder the project | High | Catastrophic
- Restructuring | Organizational restructuring may change priorities | Medium | Serious
Requirements
- Changes | Requirements changes may appear during the project | Medium | Serious
- Specification delays / size underestimates | Specifications and size underestimates may slow down the schedule | Medium | Serious
Estimation
- Underestimated development time | The tasks may take longer than expected | High | Serious
3c) Risk Planning

Risk | Strategy
Organizational: financial problems | Prepare a document for top management. Discuss potential cost overruns with outsourcing partners.
Management: changes, restructuring | Prepare a detailed document that indicates essential job responsibilities, so if a restructuring takes place essential functions can continue. Show how this project is making good progress and is a benefit to the corporation.
Requirements: changes | Document steps and processes that can be traced to determine the potential impacts.
People: recruitment problems | Alert customers to potential difficulties and the possibility of delays.
People: turnover | Prepare documentation on potential recruits, consulting companies and outsourcing to prepare for any essential personnel turnover. Document all procedures so tasks could be handed over to new individuals.
People: staff illness | Reorganize the team so there is more overlap of work and people understand each other's jobs.
Technology | Document the technology used and available alternatives if this changes or becomes unavailable.
Technology: database | Examine other more extensive database products that can be used if this one doesn't meet project needs.
Technology: defective components | Replace defective components with new ones of known reliability.
Product: competition | Evaluate strategies to become more nimble, to modify functionality so they won't get caught off guard. Research competitors to be sure you are aware of all competitors' products.
Estimation | Investigate buying off-the-shelf components if development time appears to take too long.
3c) Risk Planning (cont.)
Example: database replication / failure planning (figure not reproduced in the transcript)
3d) Risk Monitoring
We plan to monitor all risks on a regular basis, twice a month at our bimonthly senior management progress meetings, to determine if each item has been elevated to a higher or lower risk threat. In addition we plan to research whether the risk effects have increased or decreased. An example would be to monitor critical internet book store competitors to see if any new functions or technologies have surfaced that we might need to address.

Risk Type | Potential Indicators
Organizational | Monitor managers to determine if they have changed their commitment. Determine if top managers have failed to act on any key issues that may indicate lack of support.
People | Monitor morale and relationships between working groups, to head off any potential problems.
Requirements | Monitor any changes in requirements. In addition, customer issues or complaints should be monitored as they may affect final project delivery.
Technology | Monitor whether deliverable hardware or software is late.
- Tools | Determine if developers are using development tools like CASE or Rational Rose. If not, this might slow down delivery schedules. Monitor requests for new hardware needed to support their work.
Estimation | Closely monitor schedules to determine if key components are late. This might have a cascading effect on other parts of the project.
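The four steps above (3a identification, 3b analysis, 3c planning, 3d monitoring) as a small risk register in Python, added here as an example; it is not from the slides or from the Rational template. The exposure score (probability times effect) and the priority bands are this example's own assumptions; the risk names and the probability/effect levels are taken from tables 3a to 3c, except that one strategy is deliberately left blank to exercise the gap check.

```python
"""Risk register for the four steps above (3a identification, 3b analysis,
3c planning, 3d monitoring). Added example, not from the slides: the
scoring bands and the data-class layout are assumptions; the risk names,
probabilities and effects are taken from the tables."""
from dataclasses import dataclass
from typing import List, Optional

# Qualitative scales used in table 3b, mapped onto small integers (assumed mapping).
PROBABILITY = {"Low": 1, "Medium": 2, "High": 3}
EFFECT = {"Serious": 1, "Catastrophic": 2}


@dataclass
class Risk:
    category: str          # Technology, People, Organizational, ...
    name: str
    probability: str       # Low / Medium / High  (table 3b)
    effect: str            # Serious / Catastrophic (table 3b)
    affects: str           # Project / Business / Project and product (table 3a)
    strategy: str = ""     # planning strategy (table 3c); empty = none yet
    indicator: str = ""    # monitoring indicator (table 3d)

    def exposure(self) -> int:
        """Priority score: probability times effect, between 1 and 6."""
        return PROBABILITY[self.probability] * EFFECT[self.effect]


def priority_label(exposure: int) -> str:
    """Assumed bands: 4-6 High, 2-3 Medium, 1 Low."""
    if exposure >= 4:
        return "High"
    if exposure >= 2:
        return "Medium"
    return "Low"


def rank(risks: List[Risk]) -> List[Risk]:
    """Risks ordered from highest to lowest exposure (ties keep table order)."""
    return sorted(risks, key=lambda r: r.exposure(), reverse=True)


def unmitigated_high_risks(risks: List[Risk]) -> List[str]:
    """Gap check between 3b and 3c: High-priority risks with no strategy."""
    return [r.name for r in risks
            if priority_label(r.exposure()) == "High" and not r.strategy]


def update_from_monitoring(risk: Risk, probability: Optional[str] = None,
                           effect: Optional[str] = None) -> Risk:
    """Apply a 3d monitoring result: move the risk to a higher or lower level."""
    if probability is not None:
        if probability not in PROBABILITY:
            raise ValueError(f"unknown probability level: {probability}")
        risk.probability = probability
    if effect is not None:
        if effect not in EFFECT:
            raise ValueError(f"unknown effect level: {effect}")
        risk.effect = effect
    return risk


# A subset of the slides' risks; levels as given in table 3b.
SAMPLE_RISKS = [
    Risk("Technology", "Defective components", "Low", "Serious", "Project",
         strategy="Replace defective components with ones of known reliability"),
    Risk("Technology", "Database performance", "High", "Catastrophic", "Project",
         strategy="Examine other more extensive database products",
         indicator="Monitor whether deliverable hardware or software is late"),
    Risk("Product", "Competition", "High", "Catastrophic", "Business",
         strategy="Research competitors; modify functionality to stay nimble"),
    # Strategy left empty on purpose to exercise the gap check (table 3c does give one).
    Risk("Organizational", "Financial problems", "High", "Catastrophic", "Business"),
    Risk("Estimation", "Underestimated development time", "High", "Serious", "Project",
         strategy="Investigate buying off-the-shelf components",
         indicator="Closely monitor schedules for late key components"),
    Risk("People", "Staff illness", "Low", "Serious", "Project",
         strategy="Reorganize the team so there is more overlap of work"),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_RISKS):
        print(f"{r.exposure()}  {priority_label(r.exposure()):6}  {r.category}: {r.name}")
    print("High-priority risks without a plan:", unmitigated_high_risks(SAMPLE_RISKS))
```

Running the block lists the register from highest to lowest exposure and then names any High-priority risk that still has no 3c strategy; `update_from_monitoring` is the 3d step, re-scoring a risk when a meeting decides it has been elevated or lowered.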
Risk Analysis
Administrative safeguards
Some required steps:
1. Isolate the Health Clearinghouse from the rest of the organization
2. Access Control for protected records
3. Access Establishment and Modification
4. Security Reminders: updates and messages
5. Protection from Malicious Software
6. Log-in Monitoring: all login attempts
7. Password Management
Administrative safeguards
Standards for availability:
1. Data Backup Plan
2. Disaster Recovery Plan
3. Emergency Mode Operation Plan
4. Testing and Revision of contingency plans
5. Applications and Data Criticality Analysis: identify the critical components in an emergency
Physical Safeguards
Here are some:
1. Facility Access Control
2. Emergency Facility Access
3. Physical Access to Workstations
4. Media Access Controls
5. Disposal Policies
6. Media Erasure before Re-use
Technical Safeguards
Here are some:
1. Access Controls
2. Unique User IDs
3. Emergency Access Procedures
4. Automatic Logoff (optional)
5. Encryption and Decryption (optional)
6. Audit Controls (optional)
Technical Safeguards
Some more optional sections:
1. Access Records: who accessed PHI (Protected Health Information)
2. Personal Identity: is the user really who they claim to be? Biometrics?
3. Transmission Security: secure communication channels
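Two of the safeguards listed above, "Log-in Monitoring: all login attempts" and "Access Records: who accessed PHI" (together with "Information System Activity Review: records & logs"), run as detection logic over a constructed log. This is an added example, not from the slides or any product: the line format, field names, thresholds and time windows are all assumptions, and the sample log lines are made up.

```python
"""Log-in monitoring and access-record review over constructed log lines.
Added example; not from the slides. The log format, field names, thresholds
and time windows are assumptions, not a real product's format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Each line: "<ISO time> <EVENT> key=value ...".
SAMPLE_LOG = """\
2015-12-21T08:00:01 LOGIN user=nurse01 src=10.0.5.12 result=OK
2015-12-21T08:00:40 ACCESS user=nurse01 patient=P-1042 action=view
2015-12-21T08:02:10 LOGIN user=admin src=203.0.113.7 result=FAIL
2015-12-21T08:02:14 LOGIN user=admin src=203.0.113.7 result=FAIL
2015-12-21T08:02:19 LOGIN user=admin src=203.0.113.7 result=FAIL
2015-12-21T08:02:25 LOGIN user=admin src=203.0.113.7 result=FAIL
2015-12-21T08:02:31 LOGIN user=admin src=203.0.113.7 result=FAIL
2015-12-21T08:05:00 LOGIN user=clerk07 src=10.0.5.30 result=OK
2015-12-21T08:05:30 ACCESS user=clerk07 patient=P-2001 action=view
2015-12-21T08:05:41 ACCESS user=clerk07 patient=P-2002 action=view
2015-12-21T08:05:52 ACCESS user=clerk07 patient=P-2003 action=view
2015-12-21T08:06:03 ACCESS user=clerk07 patient=P-2004 action=view
2015-12-21T08:06:14 ACCESS user=clerk07 patient=P-2005 action=view
2015-12-21T08:06:25 ACCESS user=clerk07 patient=P-2006 action=view
2015-12-21T08:10:00 ACCESS user=tech99 patient=P-1042 action=export
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN|ACCESS) (.*)$")


def parse(text):
    """Turn log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, kind, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["time"] = datetime.fromisoformat(ts)
        fields["kind"] = kind
        events.append(fields)
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Log-in monitoring: {(user, src): count} where >= threshold failures fall in one window."""
    fails = defaultdict(list)
    for e in events:
        if e["kind"] == "LOGIN" and e["result"] == "FAIL":
            fails[(e["user"], e["src"])].append(e["time"])
    hits = {}
    for key, times in fails.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):          # sliding window over timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = best
    return hits


def phi_access_report(events, max_patients=5, window=timedelta(minutes=10)):
    """Access-record review: who accessed which record, plus two findings:
    an access by a user with no successful login earlier in the log, and a
    user touching more than max_patients distinct records inside one window."""
    logged_in = set()
    per_user = defaultdict(list)       # user -> [(time, patient, action)]
    findings = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["kind"] == "LOGIN" and e["result"] == "OK":
            logged_in.add(e["user"])
        elif e["kind"] == "ACCESS":
            if e["user"] not in logged_in:
                findings.append(f"{e['user']} accessed {e['patient']} with no successful login on record")
            per_user[e["user"]].append((e["time"], e["patient"], e["action"]))
    for user, acc in per_user.items():
        for i, (t0, _, _) in enumerate(acc):
            distinct = {p for t, p, _ in acc[i:] if t - t0 <= window}
            if len(distinct) > max_patients:
                findings.append(f"{user} accessed {len(distinct)} distinct patient records within {window}")
                break
    return per_user, findings


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("failed-login bursts:", failed_login_bursts(evts))
    _, found = phi_access_report(evts)
    for f in found:
        print("finding:", f)
```

On the sample log this flags one source making five failed logins against one account inside the window, one PHI export by a user with no successful login on record, and one user reading six distinct patient records in about a minute; the thresholds are the kind of values a facility would tune from its own baseline during the activity review.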
Over the Atlantic…
The European Parliament has been passing security and privacy rules as well.
"On the protection of medical data" (Recommendation R(97)5) is still a recommendation.
The most recent is Directive 2002/58, "Privacy and electronic communications: Processing of personal data and the protection of privacy in electronic communication".
• Council of Europe, Committee of Ministers, Recommendation No. R (97) 5 on the Protection of Medical Data (Feb. 13, 1997).
• Considering that the aim of the Council of Europe is to achieve a greater unity between its members …
1. Definitions
• The expression "medical data" refers to all personal data concerning the health of an individual. It refers also to data which have a clear and close link with health as well as to genetic data.
2. Scope
This recommendation is applicable to the collection and automatic processing of medical data.
3. Respect for privacy
3.1. The respect of rights and fundamental freedoms, and in particular of the right to privacy, …
9. Security
9.1. Appropriate technical and organizational measures shall be taken to protect personal data - processed in accordance with this recommendation - against accidental or illegal destruction, accidental loss, as well as against unauthorized access, alteration, communication or any other form of processing.
Background: European Recommendation on the Protection of Medical Data
http://www1.umn.edu/humanrts/instree/coerecr97-5.html
R(97)5 summary
The European recommendation covers a lot of ground in the short document. It specifies both HIPAA-style privacy rules, as well as data-protection procedures.
Stronger emphasis on results of genetic testing:
1. Patients should have access
2. It should not be illegal in the country
3. The information is not likely to cause harm (?)
Gritzalis et al. paper
This paper is based mostly on EU directives on general electronic privacy, as well as the medical security proposal.
The paper also includes a sample RA (Risk Analysis) for the Beta-Thalassemia unit using CRAMM (CCTA Risk Analysis and Management Methodology).
D. Gritzalis (1, 2), A. Tomaras (1), S. Katsikas (1, 2) and J. Keklikoglou (1)
(1) Department of Informatics, Technological Educational Institute (TEI) of Athens, Ag. Spyridonos Street, Aegaleo, 12210 Athens, Greece
(2) Department of Mathematics, University of the Aegean, Karlovassi, 83200 Samos, Greece
Abstract In this paper, a proposal for a Medical Data Protection in Greece is presented. The whole effort is based on what holds internationally, particularly in the EC countries, on recent data acquired from Greek sources and on the experience resulting from what is acceptable in Greece. Accordingly, policies and their influence on the protection of health data, as well as main problems related to that protection, have been considered.
Gritzalis et al. paper background
Risk Analysis
Proposals
Authentication: smart cards, X.509 certificates.
In cryptography X.509 is a standard for public key infrastructure (PKI). X.509 specifies, amongst other things, standard formats for public key certificates and a certification path validation algorithm.
Communication: SSL, application-level security.
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols which provide secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers. There are slight differences between SSL 3.0 and TLS 1.0, but the protocol remains substantially the same. The term "TLS" as used here applies to both protocols unless clarified by context.
Disclosure from client machines (discouraged): through explicit web form fields, cookies and client-side script engines.
Anonymization methods: various technical approaches are listed; it is not clear whether any of these are intended to be used.
Security
• A public key certificate (or identity certificate) is an electronic document which incorporates a digital signature to bind together a public key with an identity.
• Public key cryptography is a form of cryptography in which a user has a pair of cryptographic keys: a public key and a private key.
• The private key is kept secret, while the public key may be widely distributed. The keys are related mathematically, but the private key cannot be practically derived from the public key. A message encrypted with the public key can be decrypted only with the corresponding private key.
A public key certificate
Alice and Bob agree to use a prime number p = 23 and base g = 5. Alice chooses a secret integer a = 6, then sends Bob (g^a mod p): 5^6 mod 23 = 8. Bob chooses a secret integer b = 15, then sends Alice (g^b mod p): 5^15 mod 23 = 19. Alice computes (g^b mod p)^a mod p: 19^6 mod 23 = 2. Bob computes (g^a mod p)^b mod p: 8^15 mod 23 = 2. Both Alice and Bob have arrived at the same value, because g^(ab) and g^(ba) are equal. Note that only a, b and g^(ab) = g^(ba) are kept secret. All the other values are sent in the clear.
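The exchange above is Diffie-Hellman key agreement. As an added example (not from the slides), the following Python reproduces it with the slide's numbers, runs a general exchange with random secrets, and shows why the toy modulus p = 23 offers no secrecy: the secret exponent can be read back off the public value by exhaustive search, which is why deployed parameters are thousands of bits long. The exchange is also unauthenticated on its own, which is where the paper's smart cards and X.509 certificates come in: they bind the exchanged values to an identity. Function names are this example's own.

```python
"""Diffie-Hellman key agreement with the slide's numbers (p = 23, g = 5,
a = 6, b = 15) and a general version. Added example; not from the slides.
The function names are this example's own."""
import secrets


def dh_public(g: int, secret: int, p: int) -> int:
    """Value sent in the clear: g^secret mod p (3-argument pow is modular exponentiation)."""
    return pow(g, secret, p)


def dh_shared(peer_public: int, secret: int, p: int) -> int:
    """Shared value: (peer_public)^secret mod p, never sent on the wire."""
    return pow(peer_public, secret, p)


def slide_example():
    """Reproduces the four values from the slide: A = 8, B = 19, shared = 2 on both sides."""
    p, g, a, b = 23, 5, 6, 15
    A = dh_public(g, a, p)              # 5^6  mod 23 = 8   (Alice -> Bob)
    B = dh_public(g, b, p)              # 5^15 mod 23 = 19  (Bob -> Alice)
    shared_alice = dh_shared(B, a, p)   # 19^6  mod 23 = 2
    shared_bob = dh_shared(A, b, p)     # 8^15  mod 23 = 2
    return A, B, shared_alice, shared_bob


def exchange(p: int, g: int):
    """One full run with fresh random secrets in [1, p-2]; returns both sides' shared values."""
    a = secrets.randbelow(p - 2) + 1
    b = secrets.randbelow(p - 2) + 1
    A, B = dh_public(g, a, p), dh_public(g, b, p)
    return dh_shared(B, a, p), dh_shared(A, b, p)


def brute_force_exponent(g: int, public: int, p: int) -> int:
    """Recover the secret exponent from a public value by trying every exponent.
    Instant for p = 23; infeasible for the 2048-bit (or larger) moduli and
    elliptic-curve groups used in practice, which is the whole point of them."""
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    raise ValueError("no exponent found")


if __name__ == "__main__":
    print(slide_example())                  # (8, 19, 2, 2)
    print(exchange(23, 5))                  # two equal values
    print(brute_force_exponent(5, 8, 23))   # 6
```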
Gritzalis et al. paper
ASP model: control local code execution. Any code to be executed locally must be signed by someone (e.g. Microsoft or VeriSign).
Aside: smart phones typically include additional quality control for locally-run code, e.g. "True Brew" certification for Qualcomm Brew phones.
Medical service provider responsibilities
• Inform users about their services; ask for consent for required uses of client information.
• Use standards such as CEN and HL7.
• Use RBAC (Role-Based Access Control).
• Moderated mailing lists (?) with usage permissions.
• Do not downgrade functionality for users who refuse to provide specific information.
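The "Use RBAC" recommendation above, combined with the "Access Records: who accessed PHI" and "Emergency Access Procedures" safeguards from the technical-safeguards slides, as a deny-by-default access check in Python. This is an added example, not the paper's or the slides' code: the roles, permissions, user ids and the emergency-access rule are constructed for illustration.

```python
"""Role-based access control (RBAC) for PHI with an access record. Added
example; not from the paper or slides. Roles, permissions, user ids and the
emergency-access rule are constructed."""
from typing import Dict, List, Optional, Set

# Role -> permissions. Deny by default: anything not listed is refused.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"phi:read", "phi:write"},
    "nurse": {"phi:read"},
    "pharmacist": {"rx:read"},
    "billing_clerk": {"billing:read"},     # clearinghouse work kept apart from clinical PHI
    "security_official": {"audit:read"},
}

# Unique user id -> roles (constructed).
USER_ROLES: Dict[str, Set[str]] = {
    "dr_lee": {"physician"},
    "nurse01": {"nurse"},
    "pharm02": {"pharmacist"},
    "clerk07": {"billing_clerk"},
    "sec01": {"security_official"},
}

# Emergency ("break-glass") access: clinical roles may read PHI they normally
# could not, and the record marks the access so it can be reviewed afterwards.
EMERGENCY_ROLES = {"physician", "nurse", "pharmacist"}
EMERGENCY_PERMISSIONS = {"phi:read"}

AUDIT: List[dict] = []   # one record per decision, allowed or not


def permissions_for(user: str) -> Set[str]:
    """Union of the permissions of every role the user holds; unknown users get none."""
    perms: Set[str] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def check_access(user: str, permission: str, patient: Optional[str] = None,
                 emergency: bool = False) -> bool:
    """Decide and record. True only for a role grant or a valid emergency read."""
    if permission in permissions_for(user):
        allowed, reason = True, "role"
    elif (emergency and permission in EMERGENCY_PERMISSIONS
          and USER_ROLES.get(user, set()) & EMERGENCY_ROLES):
        allowed, reason = True, "emergency-access"
    else:
        allowed, reason = False, "denied"
    AUDIT.append({"user": user, "permission": permission, "patient": patient,
                  "allowed": allowed, "reason": reason})
    return allowed


def audit_records_for(patient: str) -> List[dict]:
    """Answer 'who accessed this patient's PHI?' from the access record."""
    return [rec for rec in AUDIT if rec["patient"] == patient]


if __name__ == "__main__":
    check_access("nurse01", "phi:read", "P-1042")
    check_access("clerk07", "phi:read", "P-1042")
    check_access("pharm02", "phi:read", "P-1042", emergency=True)
    for rec in audit_records_for("P-1042"):
        print(rec)
```

Denied attempts are recorded alongside allowed ones, so the activity review can see both who reached PHI and who tried to; the emergency path is deliberately narrow (read only, clinical roles only) and leaves a distinct reason in the record for follow-up.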
Discussion Questions
Q1: Is quality certification a viable method for helping to secure medical software? Points of comparison: phone and driver software just mentioned, medical equipment, drugs, … How could it be implemented?
Q2: Implementation of the security rule usually requires a significant overhaul of IT infrastructure. Discuss the trade-off in building secure systems "from scratch" vs. a "generalized firewall" approach which puts secure screens around vulnerable IT.