© 2010 IBM Corporation
Information Security: Why is it important for the Healthcare Industry?
Glen Gooding, IBM Security, [email protected]
IBM and Security in the Healthcare Industry
May 25 2010
Baseline definitions

• Security – in the context of IT security, a number of points need to be addressed:
  – Confidentiality, Integrity, Availability
  – Authentication, Authorisation, Audit
  – CIA and AAA
• Privacy – an individual's interest in limiting who has access to personal health care information.
How much security is enough (but not too much)?

From a security perspective, all IT solutions must balance three conflicting factors:
• The risk – to the organisation of operating the IT solution
• The cost – of implementing and operating the security controls
  – in general, the tighter the controls, the lower the risk
• The usability – of the solution
  – in general, the tighter the controls, the greater the impact on the users of the system
• The resulting set of controls must be, as far as possible, “necessary and sufficient”.

[Diagram: triangle of COST, RISK and USABILITY, each ranging from Low to High, within the Security Environment.]

• Later you will hear: COST, COMPLEXITY, COMPLIANCE
IT Security is about “CIA”

• Confidentiality
• Integrity
• Availability
Data confidentiality

• Definition
  – To protect against an unauthorised disclosure of the message.
• Technically
  – Think encryption, SSL, the ‘lock’ on your browser
• Health Care Specific – Secure Messaging…
Data integrity

• Definition
  – Guarantee that the content of the data has not been tampered with.
• Technically
  – Think data signatures and the signing of data
• Health Care Specific – Secure Messaging…
Authentication

• Determines or proves that you ‘are’ who you say you ‘are’
• Authentication is based upon something you:
  – know (e.g. password, PIN)
    - Too many to remember
    - Too easily guessed
    - Can be sniffed/captured
    - Can be cracked
  – have (e.g. smart card, token)
    - more expensive to deploy
    - less portable
  – are (e.g. biometrics)
    - even more expensive to deploy
    - may be considered invasive
    - error-prone (false positives / negatives)
• Health Care Specific – HI, NASH
Authorisation

• Authorisation determines what an entity is allowed to do.
• Access control is a means of enforcing this authorisation model:
  – data not disclosed
  – data not modified
  – users remain accountable.
• Health Care Specific – Clinical applications, HR systems, Financials, Patient Administration
Audit

• Companies need to audit their IT infrastructure
• Determine whether or not the business can continue to grow and mature based on the current IT infrastructure
• Audit logs are often the only record that suspicious behaviour is taking place
  – They can be fed in real time directly into intrusion detection or log management systems
• Logs can provide individual accountability by tracking a user's actions
• Logs are useful in reconstructing events after a problem has occurred, security related or not
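The three uses of audit logs named on the Audit slide (a real-time feed for detection, individual accountability, and reconstruction of events) as an added Python example; this is not code from the deck or from any IBM product, and the log format, field names, privileged-action set, failed-login threshold and business-hours window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records (hypothetical format, not from the deck).
SAMPLE_LOG = """\
2010-05-25T08:12:03 user=jdoe role=nurse action=VIEW_RECORD patient=P1002 src=10.0.3.14
2010-05-25T08:13:41 user=jdoe role=nurse action=VIEW_RECORD patient=P1002 src=10.0.3.14
2010-05-25T09:02:10 user=asmith role=physician action=UPDATE_RECORD patient=P1002 src=10.0.3.22
2010-05-25T02:41:55 user=rlee role=dba action=EXPORT_TABLE patient=- src=10.0.9.7
2010-05-25T11:30:00 user=jdoe role=nurse action=LOGIN_FAILED patient=- src=10.0.3.14
2010-05-25T11:30:08 user=jdoe role=nurse action=LOGIN_FAILED patient=- src=10.0.3.14
2010-05-25T11:30:15 user=jdoe role=nurse action=LOGIN_FAILED patient=- src=10.0.3.14
this line is malformed and must not break the parser
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) patient=(?P<patient>\S+) src=(?P<src>\S+)$"
)
PRIVILEGED_ACTIONS = {"EXPORT_TABLE", "UPDATE_TABLE", "UPDATE_RECORD"}  # assumed privileged set

def parse(log_text):
    """Parse log lines into dicts; malformed lines are counted, not silently lost."""
    events, malformed = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            malformed += 1
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events, malformed

def user_timeline(events, user):
    """Individual accountability: reconstruct one user's actions in time order."""
    return sorted((e["ts"].isoformat(), e["action"], e["patient"])
                  for e in events if e["user"] == user)

def flag_suspicious(events, failed_login_threshold=3, business_hours=(7, 19)):
    """Flag privileged actions outside business hours and repeated failed logins."""
    findings, failures = [], defaultdict(int)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] in PRIVILEGED_ACTIONS and not business_hours[0] <= e["ts"].hour < business_hours[1]:
            findings.append(("off_hours_privileged", e["user"], e["ts"].isoformat()))
        if e["action"] == "LOGIN_FAILED":
            failures[e["user"]] += 1
            if failures[e["user"]] == failed_login_threshold:
                findings.append(("repeated_login_failures", e["user"], e["ts"].isoformat()))
    return findings
```

In a real deployment the same functions would run over the log management system's feed rather than a string, and the thresholds would come from policy.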
“Never fly in a plane designed by an optimist.”

Why is security important?
IBM Security Framework

Built to meet four key requirements:
• Provide Assurance
• Enable Intelligence
• Automate Process
• Improve Resilience

Source: Introducing the IBM Security Framework and IBM Security Blueprint to Realise Business-Driven Security; IBM RedGuide REDP-4528-00, July 2009
Typical Client Security Requirements

Governance, Risk Management, Compliance
• 3rd-party audit (SAS 70(2), ISO27001, PCI, HIPAA)
• Client access to tenant-specific log and audit data
• Effective incident reporting for tenants
• Visibility into change, incident, image management, etc.
• SLAs, option to transfer risk from tenant to provider
• Support for forensics
• Support for e-Discovery

Application and Process
• Application security requirements are phrased in terms of image security
• Compliance with secure development best practices

Physical
• Monitoring and control of physical access

People and Identity
• Privileged user monitoring, including logging activities, physical monitoring and background checking
• Federated identity / on-boarding: coordinating authentication and authorisation with enterprise or third party systems
• Standards-based SSO

Data and Information
• Data segregation
• Client control over geographic location of data
• Government: cloud-wide data classification

Network, Server, Endpoint
• Isolation between tenant domains
• Trusted virtual domains: policy-based security zones
• Built-in intrusion detection and prevention
• Vulnerability management
• Protect machine images from corruption and abuse
• Government: MILS-type separation

Based on interviews with clients and various analyst reports
IBM Security Framework – Security governance, risk management and compliance

Customers require visibility into the security posture of their environment.
Implement a governance and audit management program:
• Establish 3rd-party audits (ISO27001, PCI)
• Provide access to log and audit data
• Create effective incident reporting
• Visibility into change, incident, image management, etc.
• Create policies for PII and for data crossing international boundaries
• Understand applicable regional, national and international laws
• Support for forensics and e-Discovery
IBM Security Framework – People and Identity

Customers require proper authentication of all users.
Implement strong identity and access management:
• Implement a least privilege model for user access
• Strong identity lifecycle management
• All administrative access over secure channels
• Privileged user monitoring, including logging activities, physical monitoring and background checking
• Utilise federated identity to coordinate authentication and authorization with enterprise or third party systems
• A standards-based, single sign-on capability
IBM Security Framework – Data and Information

Customers cite data protection as their most important concern.
Ensure confidential data protection:
• Protect PII and intellectual property
• Implement a secure key management program
• Use a secure network protocol when connecting to a secure information store
• Implement a firewall to isolate confidential information, and ensure that all confidential information is stored behind the firewall
• Sensitive information not essential to the business should be securely destroyed
IBM Security Framework – Application and Process

Customers require secure applications and provider processes.
Establish application and environment provisioning:
• Implement a program for application and image provisioning
• Ensure provisioning management is strictly controlled
• Protect machine images from corruption and abuse
• Ensure all changes to virtual images and applications are logged
• Ensure provisioned images apply appropriate access rights
• Ensure destruction of outdated images
IBM Security Framework – Network, Server and End Point

Customers expect a secure cloud operating environment.
Maintain environment testing and vulnerability/intrusion management:
• Implement vulnerability scanning, anti-virus, intrusion detection and prevention on all appropriate images
• Ensure isolation exists between tenant domains
• Trusted virtual domains: policy-based security zones
• A secure application testing program should be implemented
• Develop all Web based applications using secure coding guidelines
• Ensure external facing Web applications are black box tested

Source: IBM Cloud Security Guidance Document
IBM Security Framework – Physical Security

Customers expect health based data centers to be physically secure.
Implement a physical environment security plan:
• Ensure the facility has appropriate controls to monitor access
• Prevent unauthorised entrance to critical areas within facilities, e.g. servers, routers, storage, power supplies
• Biometric access for employees
• Ensure that all employees with direct access to systems have full background checks
• Provide adequate protection against natural disasters
The IBM Health Integration Framework

• Speed – accelerate delivery and integration
• Flexibility – grow and add new capabilities incrementally
• Choice – multiple solution on-ramps and business partners
• Architectural blueprints for provider and payer transformation
• Pre-built healthcare accelerators
• Built on a Smart SOA™ foundation
• Keep up with open standards
• Leverage an ecosystem of key business partners
• Leverage existing healthcare applications, systems and business processes

[Diagram: Health Integration Framework layers – Infrastructure and Governance, Business Partner Ecosystem, Healthcare Provider Solutions; benefits – Rapid Development & Integration, Process Flexibility, Intelligence, Lowered Risk and Cost, Interoperability, Reduced Manual Intervention.]
Healthcare Identity, Access and Audit Management

IBM's approach is to strategically manage risk end-to-end across all risk areas within an organisation.

[Diagram: Security Information and Event Manager; Identity Manager; User Compliance Auditing; Identity Management; Access Management; Unified Single Sign-On.]

Enables visibility into user activity, control over access to PHI, and automation of the sign-on process in order to improve quality of care, clinician productivity, and overall compliance.
I promised earlier that you would hear... COST, COMPLEXITY, COMPLIANCE

[Diagram: the COST / RISK / USABILITY triangle from earlier (each Low to High, within the Security Environment), now relabelled COST, COMPLEXITY, COMPLIANCE.]
Reduce Complexity

Scenario: Improve service by expanding reach via role based portals to services and applications

[Diagram: Patient Portals, Hospital Website / Portals, Payer Portals, Physician Portals.]

• Quickly roll out new applications and services to authorised users
• Enable single sign-on for authentication
• Issue and manage user credentials
• Users' “role” will determine the information and services they are authorised to access
• Monitor, audit and report on user activity
Reduce Cost

Scenario: Reduce costs with self-service and service management integration

• Offering user self-service to manage profile, passwords and access can reduce help desk, IT administration and user productivity costs
  – By enabling users to manage passwords via challenge/response questions
  – Rapid access to applications, by accelerating time to access applications and the sharing of workstations and kiosks
  – By reducing labor required to manage and audit application-specific password policies via single sign-on
  – Fast user switching
• Integrating identity management with incident management can reduce IT costs
  – Offload service desk workload with self-service password, profile management and access request
  – Automate incident resolution within Tivoli Service Request Manager

[Diagram: Tivoli Service Request Catalog; Tivoli Identity Manager Self-Service.]
Manage Compliance

Scenario: Manage risk of insider threat and support audit requirements with access recertification, user activity monitoring and reporting

• Monitor user access
  – Do user access rights match responsibilities?
  – Are rights consistently certified?
  – Are there separation of duty violations?
• Monitor user activity
  – Volume of activity
  – Type & location of activity
  – Timing of activity
  – Privileged user activity
• Compliance Reporting
  – Pre-built reporting modules on common regulatory mandates (SOX, PCI, Basel II, HIPAA, etc.)
  – Flexible report design to match company-specific audit requirements
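The three “Monitor user access” questions above (rights versus responsibilities, certification currency, separation of duty) as an added Python access-recertification example; this is not code from the deck or from any Tivoli product, and the roles, rights, separation-of-duty pairs, users and the 90-day certification window are constructed assumptions.

```python
from datetime import date

# Constructed entitlement model (hypothetical roles, rights and users, not from the deck).
ROLE_ENTITLEMENTS = {
    "nurse":      {"view_record", "update_vitals"},
    "physician":  {"view_record", "update_record", "prescribe_medication"},
    "pharmacist": {"view_record", "dispense_medication"},
    "ap_clerk":   {"create_vendor"},
}
# Separation-of-duty rules: pairs of rights one person must never hold together.
SOD_RULES = [
    ("prescribe_medication", "dispense_medication"),
    ("create_vendor", "approve_payment"),
]
# user -> (assigned roles, rights granted directly outside any role, last certification date)
USERS = {
    "asmith": ({"physician"}, set(), date(2010, 2, 1)),
    "jdoe":   ({"nurse"}, {"update_record"}, date(2009, 9, 15)),
    "rpatel": ({"physician", "pharmacist"}, set(), date(2010, 5, 1)),
    "kwong":  ({"ap_clerk"}, {"approve_payment"}, date(2010, 4, 20)),
}

def effective_entitlements(roles, extras):
    ents = set(extras)
    for r in roles:
        ents |= ROLE_ENTITLEMENTS.get(r, set())
    return ents

def excess_entitlements(user):
    """Rights that do not match the user's responsibilities (granted outside their roles)."""
    roles, extras, _ = USERS[user]
    return sorted(extras - effective_entitlements(roles, set()))

def sod_violations(user):
    """Separation-of-duty conflicts in the effective rights, however they were granted."""
    roles, extras, _ = USERS[user]
    ents = effective_entitlements(roles, extras)
    return sorted((a, b) for a, b in SOD_RULES if a in ents and b in ents)

def recertification_due(as_of_iso, max_age_days=90):
    """Users whose access has not been certified within the allowed window."""
    as_of = date.fromisoformat(as_of_iso)
    return sorted(u for u, (_, _, last) in USERS.items() if (as_of - last).days > max_age_days)

def access_review(as_of_iso):
    excess = {u: excess_entitlements(u) for u in USERS}
    sod = {u: sod_violations(u) for u in USERS}
    return {"excess_rights": {u: r for u, r in excess.items() if r},
            "sod_violations": {u: v for u, v in sod.items() if v},
            "recertification_due": recertification_due(as_of_iso)}
```

Note that rpatel's conflict comes from two legitimate roles combined, not from a direct grant, which is why the check runs over effective rights rather than over direct grants alone.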
Understanding the needs of Healthcare Providers

We understand your needs…
• Improved quality of patient care and patient safety.
• Risk management & the protection of patient information.
• Improved productivity of care givers.
• Centralised management of information access.
• Easy integration & fast deployment.
• Regulatory compliance.

…and IBM delivers.
• Access workflow automation with context management for HIT applications.
• Choice of second factor authentication with user-centric access tracking.
• Fast user switching for clinical environments, and combined physical & information access.
• Centralised identity and policy management.
• No modifications to existing infrastructure.
• Out-of-box compliance enablement and reporting.
Thank you!

For more information, please visit: ibm.com/security
IBM and Security in the Health Care Industry
IBM Service Management Solutions For Healthcare

Key Healthcare Challenges: Manage Compliance; Reduce costs; Improve patient care; Prevent security breaches; Availability & reliability of Assets

Solving Challenges with IBM Service Management in healthcare:
• Healthcare Application Performance Management
• Healthcare Access Management
• eHealth Service Management
• Healthcare Asset Management

[Diagram lists the supporting products: ITM, OMNIbus, ITNM, ITCAM, Omegamon, TIM, TAM, TFIM, TDI, TAM ESSO, TSRM, TPM, TPC, TSM, TKLM, TSIEM, Maximo Asset Management, TAMIT.]
Hospitals can see significant benefits from implementing Identity and Access Assurance for Healthcare.

• Simplify user experience – deliver the right information quickly and securely.
• Secure access to applications, information and data while still allowing easy access for those with need and authority.
• Consistently enforce and audit corporate security and compliance policy.
• Streamline provisioning processes to facilitate quick access to clinical systems for staff.
• Reduce operational expenses through automation of common administrative tasks and providing service catalog components for those that make business sense.
• Enable remote physician Web portal access to key data securely.
IAA for Healthcare – Business Case Summary

• Business Need
  – Healthcare IT facilitates access to patient confidential data that is used to enable clinical care.
    - Many Providers are faced with no central control of Identity provisioning.
    - Security audits are central to local regulations and Joint Commission compliance.
• Client Value Proposition
  – Identity and Access Assurance allows the provider tighter control over their HIT infrastructure
    - Know who is accessing which systems
    - Know when their staff is accessing the systems
    - Implement measures to assure a consistent audit trail procedure over security access.
  – The business can depend on Identity and Access Assurance for Healthcare Providers
    - Content exists to enable HIPAA compliance reporting in the solution.
    - HIT ISVs are partnering with IBM to develop provisioning adapters to their application suites.
    - Enterprise Single Sign-on with multifactor authentication can be deployed.
• Services – Delivery and Deployment Strategy
  – IBM Business Partners with Service Management experience can be engaged.
  – Gold Coast Security Lab Services can be engaged for architectural guidance
IBM is the Trusted Partner of Choice

Cloud Computing Quotes (Source: Oliver Wyman Interviews):
“IBM is an international company. It has a good brand and status in the industry. We will be comfortable with IBM in terms of data security”
“IBM is a trusted supplier of information security …”
“Yes I think they can offer secured services”

■ 2008: Most trusted IT company (Ponemon Institute and TRUSTe study)
■ Thought leadership
■ Commitment and customer insight
■ Industries/sectors expertise
■ Comprehensive capabilities, products, services and research
■ SC Security Company of the Year – 2010 RSA Security
Identity and Access Assurance within Hospitals

• Visualisation in Identity and Access Management
  – Provides a single view into Identity Management across the entire business (Tivoli Identity Manager [TIM], Tivoli Security Information and Event Manager [TSIEM])
  – Enables access audit trail reporting (TSIEM)
• Control in Identity and Access Management
  – Brings seamless, secure and auditable access to web services (Tivoli Access Manager [TAM] and Web SSO)
  – Supports integration of customer and partner services (Tivoli Federated Identity Manager [TFIM] solutions)
  – Simplifies administration with single sign-on to multiple services (TAM for Enterprise SSO [TAMESSO])
  – Provides a single point of control for Identity Management (TIM)
• Automation in Identity and Access Management
  – Business policy can be enforced through implemented rules (TSIEM)
  – Security events can generate incident reports (Tivoli Service Request Manager [TSRM] and TSIEM)
  – Automate common Identity tasks to reduce costs of Identity Management (TIM, TPM, TSRM)

[Diagram: Secure Identity Federation connecting Employees and Customers with Web Applications, Carrier Portals, External Providers and Web Services Providers.]

Gartner quadrant, including ESB