Title: Information Security in Medical Informatics. Nicholas Davis, UW-Madison, Division of Information Technology
Slide 1: Information Security in Medical Informatics
Nicholas Davis, UW-Madison, Division of Information Technology
Slide 2: Overview
- Introduction
- How Information is Critical in Healthcare
- Security Problems in a healthcare environment
- Medical Records Privacy
- US Laws
- Technology Developments
  - Digital certificates and PKI
  - Password crackers
  - Packet sniffers
  - Port scanners
Slide 3: Evolving Landscape in Healthcare Information Security
- Minimal disclosure
- Risk analysis at the core
- Auditing procedures
- Authentication
- Access profiles
- Emergency procedures for systems that fail open vs. fail closed
Slide 4: Major Areas of Concern
- Audit trails
- Printing, data transfers (FAX)
- Authentication of sender and receiver
- Non-repudiation
- Network access
- Training and awareness
- Thin clients vs. thick clients
Slide 5: How Information Exchange Has Evolved Over the Past 25 Years
- Patient care: instant access to current, correct, readable data
- Data transfer to other external treatment facilities
- Prescriptions: written vs. electronic
- Insurance and billing business processes
- Notification of infectious diseases to state and federal authorities
- Telemedicine (DICOM)
Slide 6: Security Issues in the Real-World Healthcare Environment
- Networks not integrated
- Testing labs have disparate systems
- Doctors' PCs largely uncontrolled and unprotected
- Workstations not tied to individuals, often shared among several people
- This environment encourages poor security practices
Slide 7: Controlling Access to Sensitive Systems
Security means added complexity:
- Data protection conflicts with ease of use
- Password management poses problems
- Medical and non-medical staff don't cooperate
- Non-medical use is a reality
- Shared responsibilities complicate the audit trail
- Medicine is a high-stress job. Healthcare professionals just want to do their job without hassle from technology
- Access rights: read, write, append
Slide 8: Role Based Access Control
- How much patient data should be available to:
  - Treating physicians?
  - Consulting physicians?
  - Medical students?
  - Pharmacy staff?
  - Dietary staff?
  - Outpatient treatment personnel after patient discharge?
  - Employees in multi-facility applications (clinics)?
  - Vendors (managed care reps, technicians)?
  - Information technology staff?
  - Volunteers?
Slide 9: Role Based Access Control
- Individual users should not be assigned rights directly: per-user grants are too difficult to track and change as roles evolve
- Users should belong to groups
- Groups should be granted access rights
- Policy should be established for regular audits and updates of group membership (each semester / academic year, etc.)
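The model slides 8 and 9 describe, written out as an added example (not code from the original slides): rights attach to groups per chart section, users hold group memberships with an expiry, and an access check defaults to deny unless a current group grants the right. The group names, chart sections, read/write/append rights, user names and expiry dates are assumptions made for illustration.

```python
"""Group-based access control for a hypothetical clinical records system.

Added example; not code from the original slides. The group names, chart sections,
users and expiry dates are assumptions made for illustration of slides 8 and 9:
rights are granted to groups, users are placed in groups, and membership is reviewed
on a schedule so stale assignments (e.g. a student whose rotation ended) drop off.
"""
from datetime import date

# Rights per chart section, per group (slide 7's read / write / append).
# "append" lets a role add entries without being able to alter existing ones.
GROUP_RIGHTS = {
    "treating_physician": {"history": {"read", "write"}, "orders": {"read", "write"},
                           "notes": {"read", "append"}, "billing": {"read"}},
    "consulting_physician": {"history": {"read"}, "orders": {"read"},
                             "notes": {"read", "append"}},
    "medical_student": {"history": {"read"}, "notes": {"read"}},
    "pharmacy": {"orders": {"read"}, "notes": {"append"}},
    "dietary": {"orders": {"read"}},
    "billing_staff": {"billing": {"read", "write"}},
    "it_staff": {},  # administers the system; no clinical data rights at all
}

# Users are never granted rights directly; they hold memberships in groups, each with
# an expiry the periodic review can check. Constructed sample data.
MEMBERSHIPS = [
    # (user, group, membership expires on)
    ("dr_alvarez", "treating_physician", date(2099, 1, 1)),
    ("dr_chen", "consulting_physician", date(2099, 1, 1)),
    ("student_kim", "medical_student", date(2024, 12, 31)),  # rotation ended
    ("rx_patel", "pharmacy", date(2099, 1, 1)),
    ("it_ortiz", "it_staff", date(2099, 1, 1)),
]


def _as_date(d):
    """Accept a date or an ISO string such as '2025-03-01'."""
    return date.fromisoformat(d) if isinstance(d, str) else d


def groups_of(user, today, memberships=MEMBERSHIPS):
    """Current (unexpired) groups of a user."""
    today = _as_date(today)
    return {g for u, g, exp in memberships if u == user and exp >= today}


def is_allowed(user, section, right, today, memberships=MEMBERSHIPS):
    """Default deny: allow only if some current group grants `right` on `section`."""
    return any(right in GROUP_RIGHTS.get(g, {}).get(section, set())
               for g in groups_of(user, today, memberships))


def membership_review(today, memberships=MEMBERSHIPS):
    """The slide 9 audit: memberships that have lapsed and should be removed."""
    today = _as_date(today)
    return [(u, g) for u, g, exp in memberships if exp < today]


if __name__ == "__main__":
    review_day = "2025-03-01"
    for user, section, right in [("dr_alvarez", "orders", "write"),
                                 ("dr_chen", "orders", "write"),
                                 ("student_kim", "history", "read"),
                                 ("it_ortiz", "history", "read")]:
        print(user, section, right, "->", is_allowed(user, section, right, review_day))
    print("lapsed memberships:", membership_review(review_day))
```

Two design points worth noticing: the IT group exists so that administrators show up in the audit trail as a role, yet holds no clinical rights, and an expired membership denies access on its own without anyone having to remember to remove it.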
Slide 10: Social Engineering Threats
- What is Social Engineering?
- In person impersonation
- Telephone impersonation
- Brute force attacks
Slide 11: Social Engineering
- Online discharge summaries available to everyone in the hospital. A little bit of information is all people need to gain trust, and that trust yields more information: a vicious circle
- Don't use your system access rights to let someone else onto the system
- Criminals use patient info for blackmail
- Staff use patient data to get dates or to stalk victims. Everyone can become spooky given the right circumstances
Slide 12: Moving From Paper to Electronic Auditing
- Paper records let medical-records staff monitor usage; usually highly professional
- Paper records provide good security simply because of lower accessibility
- However, paper records are really hard to search and use
Slide 13: Electronic Auditing
- Hybrid systems use online databases with manual input of usage records. Can be tedious, and potential exists for error
- Modern systems create audit entries as systems are accessed
- Use audit and reporting software to analyze the records
Slide 14: Having Tracks Is Not Good Enough
- Who will analyze the audit trails?
- Need exception reports
- Public knowledge that an audit trail exists is a deterrent to misuse
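What an exception report over a system-generated audit trail (slides 13 and 14) can look like, as an added example that is not code from the original slides. The log line format, the sample lines, the care-team roster, the business-hours window and the bulk-access threshold are all constructed assumptions; a real system would pull the roster from the scheduling or admission system.

```python
"""Exception reports over a system-generated audit trail.

Added example; not code from the original slides. The log format, the care-team
roster, the business-hours window and the bulk threshold are assumptions. Slide 14's
point: an audit trail deters nothing unless someone reads it, and nobody reads raw
trails, so reduce the trail to the handful of exceptions a reviewer should look at.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit lines: timestamp  user  action  patient-MRN  workstation
AUDIT_LOG = """\
2024-03-04T09:12:05 dr_alvarez VIEW MRN100 ws-icu-1
2024-03-04T09:14:40 dr_alvarez WRITE MRN100 ws-icu-1
2024-03-04T10:02:11 rx_patel VIEW MRN100 ws-pharm-2
2024-03-04T11:30:00 dr_chen VIEW MRN300 ws-clinic-4
2024-03-04T22:47:30 student_kim VIEW MRN205 ws-lib-3
2024-03-04T22:48:02 student_kim VIEW MRN206 ws-lib-3
2024-03-04T22:48:35 student_kim VIEW MRN207 ws-lib-3
2024-03-04T22:49:10 student_kim VIEW MRN208 ws-lib-3
"""

# Who is legitimately involved in each patient's care (constructed).
CARE_TEAM = {
    "MRN100": {"dr_alvarez", "rx_patel"},
    "MRN300": {"dr_chen"},
}
BUSINESS_HOURS = (7, 19)   # 07:00 <= hour < 19:00 counts as normal
BULK_THRESHOLD = 3         # distinct patients touched by one user in one clock hour


def parse(log_text):
    """Split each audit line into a record; the format is this example's own."""
    records = []
    for line in log_text.splitlines():
        ts, user, action, mrn, ws = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "mrn": mrn, "ws": ws})
    return records


def exceptions(records, care_team=CARE_TEAM):
    """Return (rule, user, detail) tuples; everything else in the trail is left alone."""
    found = []
    patients_per_user_hour = defaultdict(set)
    for r in records:
        # Rule 1: access to a patient the user is not on the care team for.
        if r["user"] not in care_team.get(r["mrn"], set()):
            found.append(("NOT_ON_CARE_TEAM", r["user"], r["mrn"]))
        # Rule 2: access outside business hours.
        if not BUSINESS_HOURS[0] <= r["ts"].hour < BUSINESS_HOURS[1]:
            found.append(("AFTER_HOURS", r["user"], r["ts"].isoformat()))
        patients_per_user_hour[(r["user"], r["ts"].strftime("%Y-%m-%dT%H"))].add(r["mrn"])
    # Rule 3: many different patients in a short time (browsing, not treating).
    for (user, hour), mrns in patients_per_user_hour.items():
        if len(mrns) >= BULK_THRESHOLD:
            found.append(("BULK_ACCESS", user, f"{len(mrns)} patients during {hour}:00"))
    return found


def report(records, care_team=CARE_TEAM):
    """Per-user tally of triggered rules: the exception report a reviewer would read."""
    tally = defaultdict(Counter)
    for rule, user, _ in exceptions(records, care_team):
        tally[user][rule] += 1
    return {u: dict(c) for u, c in tally.items()}


if __name__ == "__main__":
    for user, counts in report(parse(AUDIT_LOG)).items():
        print(user, counts)
```

The three rules are deliberately simple; the value is that eight raw lines collapse to one user and three reasons, which is something a records manager will actually read each week.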
Slide 15: Historical Medical Information Access Challenges
- Risk from poorly-controlled data access
- Fears are hindering effective use
- Limited awareness, little understanding among healthcare professionals
- Inefficient access methods
- Inadequate controls drawn from other work environments
Slide 16: There Is Hope!
- Education is essential!
- Develop an Informatics Risk Management Committee with members representing a true cross section of your operating environment
- Resources must be assigned to improve security (security costs real money)
- Requirements are stringent but must be met
- Passwords make people feel better, but a stronger system for authentication and authorization needs to be adopted
- Security awareness must be an ongoing process
Slide 17: Why Is Privacy of Medical Records So Important?
- Doctor-patient relationship
- Privacy and confidentiality: are they different?
- Regulations affecting patient records (HIPAA is of primary concern). If you can meet HIPAA, you are gold!
- Basic principle of medical informatics security: need-to-know basis
Slide 18: Medical Record Security
- Technology has always incited worry
- Rights of privacy:
  - Unreasonable intrusion
  - Appropriation of name, appearance
  - Unreasonable publicity
  - Misrepresentation
Slide 19: Government Regulations
- Privacy Act of 1974
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- State-specific privacy and security laws
- Electronic Signature Act of 2000
Slide 20: HIPAA
- Goals of HIPAA
- HIPAA approach: authenticate, protect, provide assurance
- Penalties in HIPAA
- Expectations: the impacts of HIPAA are vague at best
- HIPAA Privacy Rules
Slide 21: HIPAA Goals
- Tie the healthcare industry together
- Save money
- Increase productivity and efficiency
- Lower the costs of products based on implementing a more limited number of standards
- Lower administrative and back-office costs by lowering error rates, creating cleaner claims, speeding payments
- Lower the costs of maintaining and managing the healthcare IT infrastructure
Slide 22: The Use of Electronic Signatures
- Electronic Signatures in Global and National Commerce Act
- Allows e-signatures to have the same legal weight as pen-and-ink signatures
- Currently determined on a state-by-state basis
Slide 23: Electronic Signatures
- Effects on HIPAA are as yet uncertain
- Remains to be seen what will be accepted as an electronic signature:
  - Image of a signature?
  - Cryptographic signature?
Slide 24: The Technology
- Card/token systems
  - People would leave tokens behind
- Card-swipe systems
  - People would leave systems logged on after they left
- Biometric systems
  - Expensive; user resistance
  - Same problem of failure to log off
- Proximity card/token systems: promising
Slide 25: Proximity Based Authentication and Authorization
- Usually radio-frequency responders
  - Base station recognizes the token
  - Communicates with the access-control system
  - Initiates automatic logon
- Can have two-factor authentication
- Immediate screen lock when the user leaves
- Can even have the session follow staff members
  - Instant access to the screen anywhere
  - Reduces delays
Slide 26: Usernames and Passwords
- Why do we have usernames and passwords?
  - To authenticate and authorize
- Why are usernames and passwords a bad idea?
  - Theft, sniffing, shoulder surfing, brute force attacks, concurrent usage, intentional sharing to thwart technical controls
Slide 27: One Time Password Devices
- RSA SecurID
- Addresses many username/password concerns
  - Time based
  - Event based
- Only good for authentication
Slide 28: Digital Certificates
- What is a digital certificate?
- Authentication
- Authorization
- Non-repudiation
- Encryption
- Email, documents, system access, physical access
Slide 29: The Threats of Portable Data
- Theft and misappropriation
- Consistency and version control
- Lack of an authoritative source
Slide 30: The Importance of Systems That Fail Open
- Failing open vs. failing closed
- Reasonable assurance depends on the risk at hand
- What might be acceptable in the ER might not be acceptable in the Foot and Ankle Clinic
Slide 31: Takeaways From Today's Session
- It is your job to protect PHI
- Just because you can't see it happening, don't assume it isn't happening
- Retain only necessary data
- Don't circumvent technical controls
Slide 32: The Hacker's Credo: Play By the Rules
- Contrary to popular belief, hackers don't break the rules
- Hackers find weaknesses in the rules and then exploit those weaknesses
- "Only the king has access to the gold... I guess I'll have to become a king!"
Slide 33: Protecting Email With a Digital Certificate
- Digitally sign your messages
- Encrypt email to others
- Try it out today in the computer lab
Slide 34: What is PKI?
- PKI is the acronym for Public Key Infrastructure
- A PKI system provides confidentiality, authenticity, integrity and non-repudiation of electronic data
- Principles of public key cryptography and the public-private key relationship are the basis for any PKI
- The "Infrastructure" part of PKI is the underlying system needed to issue keys and certificates and to publish public information
Slide 35: Confidentiality, Authenticity, Integrity, and Non-repudiation
- As the wired world progresses, we will become increasingly reliant upon electronic communication both within and outside of the UW-Madison campus network. We want to be careful to protect our online identity and confidential information. PKI can help us with this.
Slide 36: Confidentiality
- Means that the information contained in the message is kept private and only the sender and the intended recipient will be able to read it
Slide 37: Authenticity
- Verification that the people with whom we are corresponding actually are who they claim to be
Slide 38: Integrity
- Verification that the information contained in the message has not been tampered with, accidentally or deliberately, during transmission
Slide 39: Non-repudiation
- The sender of a digitally signed message cannot later deny having sent it
Slide 40: How does PKI accomplish all of these things?
- Data encryption
- Digital signatures
- Root authorities
Slide 41
- Encryption refers to the conversion of a message into an unintelligible form of data, with the aim of ensuring confidentiality
- Decryption is the reversal of encryption: it is the process of transforming encrypted data back into an intelligible message
- In public key cryptography, encryption and decryption are performed with a pair of public and private keys
Slide 42
- The public and private key pair is comprised of two distinct and uniquely matched strings of numbers
- The public key is available to everyone; the private key is personal and confidential, known to and maintained by the designated owner
- Although the two are mathematically related, it is computationally infeasible to derive the private key from the public key (the reverse does not hold: the public key can be computed from the private key, which is why the private key is the one that must stay secret). When one key of the pair is used for encryption, the other key has to be used for decryption
Slide 43
- This relationship of public to private keys not only enables protection of data confidentiality, but also provides for the creation of a digital signature, which serves to ensure the authenticity and integrity of the message as well as its non-repudiation by the sender
Slide 44
- Digital signature: addresses the issues of authenticity, integrity and non-repudiation. Like its hand-written counterpart, a digital signature demonstrates who produced a particular message. Technically, a digital signature is computed from the content of the sender's message (in practice, from a cryptographic hash of it) together with the sender's private key, and can be verified by the recipient using the sender's public key to perform a verification operation
Slide 45: Digital Certificates and Certificate Authorities
- A digital certificate is a digital document that proves the relationship between the identity of the holder of the digital certificate and the public key contained in the digital certificate. It is issued by a trusted third party called a Certificate Authority (CA). Our digital certificate contains our public key and other attributes that can identify us
Slide 46
- When a person sends a digitally signed message to another person, the recipient may verify the validity of the signature via a mathematical operation, using the sender's public key, taken from a certificate whose chain leads back to a CA the recipient trusts, to verify the digital signature created by the sender
Slide 47: How is a certificate issued?
- When a person applies for a digital certificate from a CA, the CA checks the person's identity. The key pair is usually generated on the user's own computer, so the private key never leaves the user's possession and the CA only ever sees the public key. Alternatively, the CA may generate the key pair for the person and deliver the private key to the person via secure means. The private key is kept by the person (stored on the person's computer or possibly on a smart card)
Slide 48: Encryption Example
- Peter wants to send Ann his super secret resume
Slide 49: Encrypting an email (continued)
- Peter encrypts using Ann's public key
- Ann decrypts using her private key
Slide 50: Encryption (continued)
- If Ann wishes to send Peter a confidential reply, she encrypts her message using Peter's public key. Peter then uses his private key to decrypt and read Ann's reply
Slide 51: Digital Signature Example
- Ann signs the email with her private key
- Peter verifies Ann's signature by running the verification operation on the signature with her public key
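The Peter and Ann exchange of slides 48 to 51, together with the key relationship of slides 41 to 44, as an added example that is not code from the original slides or from UW-Madison's PKI. It uses the third-party `cryptography` package (pip install cryptography); the key size, padding modes, message texts and the check names are assumptions. S/MIME mail, which the slides demonstrate, encrypts the body under a one-time symmetric key and uses the recipient's public key only to wrap that key, but the direct RSA-OAEP and RSA-PSS calls below exercise the same public/private relationship, including the failure cases a recipient depends on: the wrong private key cannot open the message, an altered message fails verification, and a signature made with someone else's private key fails under Ann's public key.

```python
"""Encrypt-to-recipient and sign-with-sender, the Peter / Ann exchange of slides 48-51,
with the failure cases a recipient relies on (slides 41-44).

Added example; not code from the original slides or from UW-Madison's PKI. Uses the
third-party `cryptography` package (pip install cryptography); the key size, padding
modes and message texts are assumptions. S/MIME mail, which is what the slides
demonstrate, encrypts the body with a one-time symmetric key and uses the recipient's
public key only to wrap that key, but the RSA-OAEP and RSA-PSS calls below exercise
the same public/private relationship directly.
"""
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)


def make_keypair():
    """Generated on the user's own machine (slide 47); only the public half is published."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return priv, priv.public_key()


def encrypt_for(recipient_pub, plaintext: bytes) -> bytes:
    """Slide 49: anyone holding the recipient's public key can seal a message to them."""
    return recipient_pub.encrypt(plaintext, OAEP)


def decrypt_with(own_priv, ciphertext: bytes) -> bytes:
    """Only the matching private key opens it."""
    return own_priv.decrypt(ciphertext, OAEP)


def sign(own_priv, message: bytes) -> bytes:
    """Slide 44: the signature covers SHA-256(message) under the sender's private key."""
    return own_priv.sign(message, PSS, hashes.SHA256())


def verify(sender_pub, message: bytes, signature: bytes) -> bool:
    """Slide 51: the recipient checks the signature against the sender's public key."""
    try:
        sender_pub.verify(signature, message, PSS, hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def exchange() -> dict:
    """Run the slides' scenario and report which checks hold (all should be True)."""
    peter_priv, peter_pub = make_keypair()
    ann_priv, ann_pub = make_keypair()

    # Slide 49: Peter encrypts with Ann's public key; only Ann's private key opens it.
    resume = b"Peter's super secret resume"
    sealed = encrypt_for(ann_pub, resume)
    try:
        decrypt_with(peter_priv, sealed)
        wrong_key_fails = False
    except ValueError:        # OAEP decryption with the wrong key raises ValueError
        wrong_key_fails = True

    # Slide 51: Ann signs her reply; Peter verifies with Ann's public key.
    reply = b"Thanks Peter, your resume arrived intact."
    sig = sign(ann_priv, reply)

    return {
        "ann_reads_resume": decrypt_with(ann_priv, sealed) == resume,
        "ciphertext_differs_from_plaintext": sealed != resume,
        "peter_cannot_open_with_own_key": wrong_key_fails,
        "peter_verifies_ann": verify(ann_pub, reply, sig),
        "altered_reply_rejected": not verify(ann_pub, reply + b" P.S. send money", sig),
        "peter_forging_ann_rejected": not verify(ann_pub, reply, sign(peter_priv, reply)),
    }


if __name__ == "__main__":
    for check, ok in exchange().items():
        print(f"{check:36} {'PASS' if ok else 'FAIL'}")
```

What the code does not do is also the point of slide 45: `verify` takes Ann's public key as given. In practice Peter gets that key from Ann's certificate and must validate the certificate chain to a CA he trusts; otherwise anyone could hand him a public key and call it Ann's.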
Slide 52: Where is my Certificate Stored?
- Your digital certificate (and the private key that goes with it) is stored either on your machine or on a cryptographic USB hardware device
- A hardware device gives dual-factor authentication: the token you have plus the PIN you know to unlock it
Slide 53: What does it actually look like in practice? (screenshot: sending)
Slide 54: What does it actually look like in practice? (screenshot: unlocking my private key before sending)
Slide 55: What does it actually look like in practice? (screenshot: receiving, decrypted)
Slide 56: (screenshot: message shown as digitally signed and verified, and encrypted)
Slide 57: What does it actually look like in practice? (screenshot: receiving, intercepted)
Slide 58: Summary Points
- Digital signatures can:
  - Provide verified assurance to the recipient of your email or document that you are indeed a member of the UW-Madison community
  - Prove that the contents of an email or a document have not been altered from their original form
  - Provide certified proof that you did indeed send a specific email or author a specific document
Slide 59: Summary Points
- PKI-based encryption allows you to:
  - Encrypt email and files for others so that they are protected end to end while in transit
  - Maintain protection of email and files in storage on your local computer hard drive, or on any network drive
  - Assist in complying with HIPAA, FERPA and other such government regulations
Slide 60: Today's Practical Demonstration
- Password cracker Ophcrack demonstrates the importance of complex passwords and of providing true physical security on machines containing sensitive data
- Your system is secured with a username and password, therefore it must be safe, right?
- Your system is kept in a secured area, therefore it must be safe, right?
- What you can't see is a bigger threat than what you can see! I'd rather have external bleeding than internal bleeding
Slide 61: Ophcrack
- Attacks one-way password hashes (the Windows LM/NTLM hashes stored on the machine)
- Takes advantage of rainbow tables to speed its actions
- Dictionary attack
- Brute force attack
Slide 62: How to Thwart Ophcrack
- Stop using usernames and passwords
- If you can't stop, then at least use strong passwords
- Use digital certificates to control access
- Firewall all nodes on your network
- Implement an IDS / IPS on your network
- Limit physical access to the machine
- Encrypt data on your host machine
- Actually look at your audit logs once in a while!
Slide 63: Let's Crack Some Passwords Together!
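The mechanics behind slides 60 to 62, as an added example that is not code from the original slides and not Ophcrack itself: an unsalted fast hash gives the same output for the same password on every machine, so a table computed once cracks any dump by lookup, and the only passwords that survive are the ones absent from the table. The example stands in unsalted SHA-1 for Windows' unsalted hash (so it runs on the standard library alone) and a plain lookup table for a rainbow table (rainbow tables store chains to shrink the table at the cost of more computation per lookup, but the precompute-once, look-up-per-hash model is the same). The word list, user names and "dumped" hashes are constructed. The salted, slow hash at the end is what a strong password store does instead.

```python
"""Why Ophcrack works: unsalted, fast password hashes can be cracked with a table
computed once and reused against every machine.

Added example; not code from the original slides and not Ophcrack. Ophcrack targets
Windows LM/NTLM hashes with rainbow tables. This example stands in unsalted SHA-1
for an unsalted fast hash (so it runs on the standard library alone) and a plain
lookup table for a rainbow table. The word list, the user names and the "dumped"
hashes are constructed.
"""
import hashlib
import hmac
import os

# A tiny stand-in for a cracking dictionary (constructed).
WORDLIST = ["password", "Password1", "letmein", "qwerty", "badger2024", "Winter2024!"]


def unsalted_hash(password: str) -> str:
    """Same password -> same hash on every machine: exactly what makes tables reusable."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_table(words):
    """Precomputed once, offline; the attacker pays this cost before any break-in."""
    return {unsalted_hash(w): w for w in words}


def crack_dump(dump: dict, table: dict) -> dict:
    """Per user the cost is one dictionary lookup, no hashing at all."""
    return {user: table.get(h) for user, h in dump.items()}


def salted_hash(password: str, salt: bytes, rounds: int = 200_000) -> bytes:
    """Per-user random salt and a deliberately slow KDF: no table can be built in
    advance, and every guess costs `rounds` HMAC iterations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def guess_salted(stored: bytes, salt: bytes, words, rounds: int = 200_000):
    """Cracking a salted hash means re-hashing every candidate for this one user."""
    for w in words:
        if hmac.compare_digest(salted_hash(w, salt, rounds), stored):
            return w
    return None


# Constructed "dump" of unsalted hashes, of the kind Ophcrack reads off a machine it
# was booted on from its own disc.
DUMP = {
    "admin": unsalted_hash("Password1"),
    "jsmith": unsalted_hash("password"),
    "clinic-kiosk": unsalted_hash("password"),                   # same as jsmith
    "nurse7": unsalted_hash("correct horse battery staple"),     # not in any list
}

if __name__ == "__main__":
    table = build_table(WORDLIST)
    for user, found in crack_dump(DUMP, table).items():
        print(f"{user:13} {'cracked: ' + found if found else 'not in table'}")
    salt = os.urandom(16)
    stored = salted_hash("password", salt, rounds=1000)
    print("salted guess for one user:", guess_salted(stored, salt, WORDLIST, rounds=1000))
```

Note that the weak password still falls to `guess_salted`; salting and a slow KDF only remove the shared precomputation and make each guess expensive. That is why slide 62 lists strong passwords and physical control of the machine, not one or the other.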
Slide 64: Packet Sniffers and Honeypots
- Packet sniffers can reveal a lot about your network and your HIPAA compliance
- Lure in potential intruders with a honeypot
Slide 65: Is My System Secure?
- The OS doesn't matter; none are 100% safe
- Apply security patches!
- When you are not sure: back up, audit, restore
- File comparison is helpful, but not 100% assurance
Slide 66: Viruses, Malware, Spyware
- What is a virus?
- What is malware?
- What is spyware?
- Who can I trust?
Slide 67: What is Phishing?
- Should I help a man in Nigeria transfer funds to the US?
- How do I know when I am being phished?
Slide 68: What Does That Little Lock in My Browser Really Mean?
- SSL (Secure Sockets Layer)
- Protection of data in transit
- Protection of data at rest (which the lock says nothing about)
- Where is the greater threat?
Slide 69: Questions and Comments
- Nicholas Davis
- PKI Project Leader
- UW-Madison, Division of Information Technology
- ndavis1_at_wisc.edu
- 608-262-3837
- Please don't hesitate to contact me if you have any questions!
- Thanks for having me here today!