Page 1

In Depth Security Review

Martin Rogers

Computer Horizons Corp.

© Copyright eB Networks All rights reserved. No part of this presentation may be reproduced, stored in a retrieval system or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission.

Page 2

Facts about Proposed Security Regulations

• Language is Technology Neutral

• Broad Applicability

– [§ 142.308(d)(2)] Network Controls. If an entity uses network controls (to protect sensitive communication that is transmitted electronically over open or private networks so that it cannot be easily intercepted and interpreted by parties other than the intended recipient)

• Good Business Practice

Page 3

Key Security Terms

• PKI = Public key infrastructure

– The technology, legal practices, operational procedures and related infrastructure that support (digital certificate) management, generation and usage

• IDS = Intrusion Detection System

– Network and Host based

• Digital Signature

– Integrity - detects changes in content

– Authentication - establishes identity of the signer

– Non-Repudiation - signer cannot deny signing the message

Page 4

Key Security Terms

• SMTP = Simple Mail Transfer Protocol

• TCP/IP = Transmission Control Protocol / Internet Protocol

• SSL = Secure Sockets Layer

• VPN = Virtual Private Network

• ACL = Access Control List

• DOS Attacks = Denial of service attacks

• Packet Sniffing - copy and read clear-text network transmissions

• Port Scanning - identify open TCP/IP communication ports

• BIA – Business Impact Analysis

Page 5

Principles of the Security Regulations

• Administrative

– Policies, procedures and training

• Authentication

– Be sure only authorized personnel can access the PHI

• Privacy (confidentiality)

– Keep PHI confidential

• Authorization

– Ensure users do not exceed their allowed authority

• Non-Repudiation

– Have evidence in the event of dispute (litigation)

• Integrity

– Be sure nothing is changed behind your back

Page 6

Keeping PHI Secure (10 basics)

• Security Policies and Procedures

• Training (awareness)

• Disaster Recovery

• Physical Plant Security

• Internet Security (Internet = Encryption)

• Email Security (use digital certificates)

• Password Policy

• Access Control Administration

• Network Vulnerability Analysis (Penetration Analysis)

• Security Enforcement Points (control communications)

Page 7

The Proposed HIPAA Security Standards: Four Subject Areas

• Administrative Procedures [45 CFR §142.308(a)]

• Physical Safeguards [45 CFR §142.308(b)]

• Technical Security Services [45 CFR §142.308(c)]

• Technical Security Mechanisms [45 CFR §142.308(d)]

• Electronic Signature Standard [45 CFR §142.310]

Page 8: In Depth Security Review Martin Rogers Computer Horizons Corp. © Copyright eB Networks All rights reserved. No part of this presentation may be reproduced,

8

Characteristics of Security Rules

• General Guidance

– Deliberate

• “The standard does not address the extent to which a particular entity should implement the specific features. Instead, we would require that each affected entity assess its own security needs and risks and devise, implement, and maintain appropriate security to address its business requirements.” Federal Register, August 12, 1998 [43250]

Page 9: In Depth Security Review Martin Rogers Computer Horizons Corp. © Copyright eB Networks All rights reserved. No part of this presentation may be reproduced,

9

Administrative Procedures

• Certification Process and Program Development [45 CFR §142.308(a)(1)]

– Internal or external

• Chain of Trust Partner Agreement Development [45 CFR §142.308(a)(2)]

– Electronic exchange of data

• Contingency Program Development [45 CFR §142.308(a)(3)]

– Must include: Applications and Data Criticality Analysis

– Data Backup Plan

– Disaster Recovery Plan for the Entire Enterprise

– Emergency Mode of Operation

– Testing and Revision Procedures

Page 10: In Depth Security Review Martin Rogers Computer Horizons Corp. © Copyright eB Networks All rights reserved. No part of this presentation may be reproduced,

10

Administrative Procedures (continued)

• Records Processing Policies and Procedures Development [45 CFR §142.308(a)(4)]

– Receipt, manipulation, storage, dissemination, transmission, disposal of PHI

• Information Access Control Policies and Procedures [45 CFR §142.308(a)(5)]

– Access Authorization (overall access procedures)

– Access Establishment (Initial right of access)

– Access Modification (job change or termination)

Page 11: In Depth Security Review Martin Rogers Computer Horizons Corp. © Copyright eB Networks All rights reserved. No part of this presentation may be reproduced,

11

Administrative Procedures (continued)

• Internal Audit Policies and Procedures Development [45 CFR §142.308(a)(6)]

• In-house review of:

– System Activity Logging

– Security Incident

– Forensic Capability

Page 12: In Depth Security Review Martin Rogers Computer Horizons Corp. © Copyright eB Networks All rights reserved. No part of this presentation may be reproduced,

12

Administrative Procedures (continued)

• Personnel Security [45 CFR §142.308(a)(7)]

– Procedure for Maintenance Personnel Oversight

– Ongoing Review of Levels of Access Granted to Users

– Proper Level of Access Authorization if on or Near PHI

– Establish Personnel Clearance Procedures

– Procedures to ensure that authority to access is equal to clearance level

– Assure security awareness training for system users

Page 13: In Depth Security Review Martin Rogers Computer Horizons Corp. © Copyright eB Networks All rights reserved. No part of this presentation may be reproduced,

13

Administrative Procedures (continued)

• Security Configuration Management Policies [45 CFR §142.308(a)(8)]

– Documentation (written security plans, rules, procedures, and instructions concerning all components of an entity’s security)

– Hardware and software installation and maintenance review and testing

– Hardware and software inventory

– Security Testing (host and network component penetration testing) of protocols and services

• FTP, Telnet, Trojans (Netbus, Back Orifice, PC Anywhere)

– Virus Protection

Page 14: In Depth Security Review Martin Rogers Computer Horizons Corp. © Copyright eB Networks All rights reserved. No part of this presentation may be reproduced,

14

Administrative Procedures (continued)

• Security Incident Procedures Development [45 CFR §142.308(a)(9)]

– Incident Report Procedures

– Incident Response Procedures

• Security Management Process Development [45 CFR §142.308(a)(10)] (person in charge of security)

– Risk Analysis (cost vs. loss)

– Risk Management (reduce and maintain level of risk reduction)

– Sanction Policies and Procedures (notification of law enforcement, disciplinary action, removal of system access)

– Security Policy (Acceptable use)

Page 15: In Depth Security Review Martin Rogers Computer Horizons Corp. © Copyright eB Networks All rights reserved. No part of this presentation may be reproduced,

15

Administrative Procedures (continued)

• Termination Procedures [45 CFR §142.308(a)(11)]

– Change Locks

– Remove from Access List

– Remove User Account

– Turn in Physical Access Mechanisms (keys, badge, etc.)

Page 16: In Depth Security Review Martin Rogers Computer Horizons Corp. © Copyright eB Networks All rights reserved. No part of this presentation may be reproduced,

16

Administrative Procedures (continued)

• Training Program Development [45 CFR §142.308(a)(12)]

– Security Awareness Training for ALL Personnel

– Periodic Reminders

– Virus Protection Education

– Log in Access Education

– Password Management Education

Page 17: In Depth Security Review Martin Rogers Computer Horizons Corp. © Copyright eB Networks All rights reserved. No part of this presentation may be reproduced,

17

Physical Safeguards

• Assigned Security Responsibility [45 CFR §142.308(b)(1)] (must understand all aspects of information security)

• Media Control Process Development [45 CFR §142.308(b)(2)] Receipt and removal of diskettes and tapes into and out of the facility

– Access Control to Media (physical access)

– Accountability

– Data Backup

– Data Storage

– Disposal (final disposition)

Page 18: In Depth Security Review Martin Rogers Computer Horizons Corp. © Copyright eB Networks All rights reserved. No part of this presentation may be reproduced,

18

Physical Safeguards

• Physical Access Controls [45 CFR §142.308(b)(3)]

– Disaster Recovery Plan (in the event of fire, natural disaster, etc.)

– Emergency Mode of Operation

– Equipment Control (into and out of the site)

– Facility Security Plan (safeguard the premises)

– Procedures for Verifying Access Authorization Before Access is Given

– Facility repair and maintenance records

– Need to Know Policy

– Procedures for Sign in and Escort

– Procedures to Restrict Testing and Revision

Page 19: In Depth Security Review Martin Rogers Computer Horizons Corp. © Copyright eB Networks All rights reserved. No part of this presentation may be reproduced,

19

Physical Safeguards

• Policy and Guidelines on Workstation Use [45 CFR §142.308(b)(4)]

• A Secure Workstation Location [45 CFR §142.308(b)(5)]

• Security Awareness Training [45 CFR §142.308(b)(6)] all employees, agents, and contractors must participate

Page 20: In Depth Security Review Martin Rogers Computer Horizons Corp. © Copyright eB Networks All rights reserved. No part of this presentation may be reproduced,

20

Technical Security Services

• Access Control [45 CFR §142.308(c)(1)(i)]

– Procedure for emergency access (admin, supervisor, root passwords)

– Implementation Features - at least one of the following:

• Context-based

• Role-based

• User-based

• Audit controls [45 CFR §142.308(c)(1)(ii)]

– Mechanisms to record and examine system activity (IDS)

Page 21: In Depth Security Review Martin Rogers Computer Horizons Corp. © Copyright eB Networks All rights reserved. No part of this presentation may be reproduced,

21

Technical Security Services

• Authorization control [45 CFR §142.308(c)(1)(iii)]

– Mechanism for obtaining consent for the use and disclosure (at least one)

• Role-based

• User-based

• Data authentication [45 CFR §142.308(c)(1)(iv)]

– The corroboration that data has not been altered or destroyed (Digital Certificates PKI)

Page 22: In Depth Security Review Martin Rogers Computer Horizons Corp. © Copyright eB Networks All rights reserved. No part of this presentation may be reproduced,

22

Technical Security Services

• Entity authentication [45 CFR §142.308(c)(1)(v)]

– Automatic Log Off (session termination)

– Unique User ID

– Authentication (at least one)

• Biometric

• Password

• PIN (use with something you have)

• Callback

• Token

Page 23: In Depth Security Review Martin Rogers Computer Horizons Corp. © Copyright eB Networks All rights reserved. No part of this presentation may be reproduced,

23

Technical Security Mechanisms

• Network Controls

– Integrity controls [45 CFR §142.308(d)(1)(i)(A)]

• Validation (Digital Certificates) PKI

– Message authentication [45 CFR §142.308(d)(1)(i)(B)]

• Message Received = Message Sent (Integrity of the message) (Digital signatures) PKI

• Implementation Feature (Technically Neutral)

– [§ 142.308(d)(1)(ii)(A)] Access controls: protection of PHI transmissions over open or private networks so that they cannot easily be intercepted and interpreted by parties other than the intended recipient (VPN)

– [§ 142.308(d)(1)(ii)(B)] Encryption
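As an added illustration, not part of the original presentation, of the three digital-signature properties listed on slide 3 and the "Message Received = Message Sent" check on slide 23, this Go program signs a constructed sample record with an Ed25519 key and shows that a one-byte change in transit, or a different claimed signer, fails verification. The record contents and the in-memory key handling are assumptions for the demo; in practice the verifier obtains the signer's public key through the PKI certificates the slides mention.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedMessage bundles a transmitted record with the sender's detached signature,
// the shape a receiver needs to check that the message received equals the message sent.
type SignedMessage struct {
	Body      []byte
	Signature []byte
}

// Sign signs body with the sender's private key.
func Sign(priv ed25519.PrivateKey, body []byte) SignedMessage {
	return SignedMessage{Body: body, Signature: ed25519.Sign(priv, body)}
}

// Verify checks the signature against the claimed signer's public key. A pass
// establishes integrity (Body unchanged) and authentication (signed with the key
// paired to pub); because only the private-key holder can produce it, it also
// gives the receiver evidence for non-repudiation.
func Verify(pub ed25519.PublicKey, m SignedMessage) bool {
	return ed25519.Verify(pub, m.Body, m.Signature)
}

// Demo signs a constructed sample record (not real patient data) and returns the
// verification result for the intact message, a tampered copy, and a different
// claimed signer. Expected: true, false, false.
func Demo() (intact, tampered, wrongSigner bool) {
	pubA, privA, err := ed25519.GenerateKey(rand.Reader) // sender A
	if err != nil {
		panic(err)
	}
	pubB, _, err := ed25519.GenerateKey(rand.Reader) // unrelated party B
	if err != nil {
		panic(err)
	}
	record := []byte("MRN=000000;DOB=1970-01-01;claim=12345;amount=100.00")
	msg := Sign(privA, record)
	intact = Verify(pubA, msg)

	// Integrity: flip the last byte in transit ("100.00" -> "100.01").
	altered := SignedMessage{Body: append([]byte(nil), msg.Body...), Signature: msg.Signature}
	altered.Body[len(altered.Body)-1] ^= 0x01
	tampered = Verify(pubA, altered)

	// Authentication: A's signature does not verify under B's public key.
	wrongSigner = Verify(pubB, msg)
	return
}

func main() {
	intact, tampered, wrong := Demo()
	fmt.Printf("intact=%v tampered=%v wrongSigner=%v\n", intact, tampered, wrong)
}
```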

Page 24

Technical Security Mechanisms

• Network Controls [45 CFR §142.308(d)(2)]

– Alarm (IDS)

– Audit Trail (IDS) or other logging and reporting systems

– Entity Authentication (Digital Signature) PKI

– Event Reporting (IDS)