Seclarity, Inc. - PowerPoint PPT Presentation

A Blumberg Capital, Valley Ventures and Intel Capital Funded ... Instead of the Bastion perimeter model: Install a trusted 'guard' at every host in your network ... – PowerPoint PPT presentation

Slides: 20
Provided by: ehc6
Transcript and Presenter's Notes

1
End Point Security and HIPAA
Gary Christoph, Ph.D., Sr. VP Government and Healthcare
gchristoph_at_seclarity.com, 410-884-1313
Session 4.05, 10:30am, April 8, 2005
A Blumberg Capital, Valley Ventures and Intel Capital Funded Security Company
Seclarity, Inc., 11705 Lightfall Court, Columbia, MD 21044
2
Why is Network Security hard?
  • Network Security perimeter solutions are
    inadequate
  • New technologies, like wireless, render the
    perimeter fuzzy
  • Insider threat persistently at the 50-70% level
  • Management of the collection of perimeter point
    solutions is complex
  • Historically, network security was never
    designed into IP networks; a new approach is
    needed

3
What do we mean by End Point
Security?
  • Instead of the Bastion perimeter model:
  • Install a trusted "guard" at every host in your
    network
  • Let this individual guard have the power of a
    firewall
  • Let the guards mediate all user access to the
    network
  • Put the guards under central management,
    rather than under user control
  • Let the guards authenticate to each other
  • Allow the guards to encrypt traffic between
    legitimate users, wherever they may be

4
A Simplified View of a Contemporary Secured Network
(Diagram: Wireless, Firewall, Internet, VPN / IDS / Proxy, and remote users with software VPN agents. Traffic labels: "Unencrypted Traffic" next to Wireless and next to Firewall; "Encrypted Traffic" next to VPN / IDS / Proxy.)
5
A Simple View of an Endpoint-Secured Network
(Diagram: Wireless, Firewall, Remote user, Internet. Every traffic label reads "Encrypted Traffic".)
6
What Does HIPAA Really Require?
  • You must:
  • Think about the risks you face
  • Develop coherent, enforceable policy
  • Write it down
  • Implement/operate whatever controls this requires
  • Train/educate staff
  • Periodically test/document

7
Transaction Standards
Standard Code Sets
Unique Health Identifiers
Security
Privacy

Security
  • Administrative Procedures
    • Chain of Trust Agreement
    • Certification
    • Internal Audit, Training, Written Policies/Procedures, etc.
  • Physical Safeguards
    • Secure Workstation
    • Physical Access Controls, Media Controls, etc.
    • Security Awareness
  • Technical Security Services
    • Access Controls
    • Authorization
    • Data Authentication
    • Entity Authentication
  • Technical Security Mechanisms
    • Basic Network Safeguards
    • Integrity and Protection
  • Electronic Signature
    • Not currently required

Privacy
  • General Rules
    • Covers Protected Health Information (PHI) transmitted or
      stored, in any medium (electronic, paper, oral)
    • PHI data elements defined
    • Notice of Privacy Practices mandated
  • Limitations
    • Minimum necessary disclosure/use of data
    • Consent required for routine use
    • Authorization required for non-routine use
    • Business associate contracts required
    • Designated Privacy Officer
    • Training

8
HIPAA NW Security/Privacy Issues
  • People are involved
    • People are neither repeatable nor logical
    • People on the job make inappropriate assumptions
  • Technical Solutions are too complex
    • Point products do not tile the floor
    • Management of many solutions is not easy or cheap
    • Pace of technological change adds new
      vulnerabilities (e.g., wireless)
  • Administrative Solutions that are not
    • Processes get in the way of work
    • Controls violated without your knowledge or
      without consequence

9
Technical Solution Target
  • Want transparency
    • Easy for users to comply
    • Easy for admins to enforce
  • Want universality
    • Everywhere the same policy, enforced the same
    • Use technology to reduce administrative controls
  • Want simplicity
    • Complexity is the enemy
    • Easy to manage
  • Want verifiability
    • Documentable
  • Want cheap
    • Do not want to go out of business

10
End Point Security Can Help
  • Change the paradigm
  • Control access to the network at the individual
    End Points
  • Give users only the network access they need
  • Give back control to the enterprise of those
    access rights
  • Eliminate depending on the network infrastructure
    to enforce separation

11
A More Realistic Secured Network
(Diagram: Labs, Hospital, Physician's Office, Wireless, Internet. Each site has its own IDS / VPN / Proxy / GW stack. Paths are labelled "Unencrypted path" four times and "Encrypted path" once, next to the Internet.)
12
An End Point Secured Network
(Diagram: Labs, Hospital, Physician's Office, Wireless, Internet. Each site keeps only an IDS. Paths are labelled "Encrypted path" throughout, with a single "Unencrypted path".)
13
Vulnerability Scan Results
(Figure: scan results Before Sinic Install and After Sinic Install, with a result labelled "Blocked".)
  • Three Generic Windows 2000 Servers
  • OS Installed from CD Media with SP1
  • Updated via Windows Update to the Latest
    Available Patches
14
Securing End Points: Network Virtualization
Set up separate user communities; encrypt all PHI traffic
(Diagram: Doctor on Rounds, Doctor's Office, Laboratory Analyst, Accounting PCs, Remote User, Hospital Network, Internal Network, Accounting Office Servers, Hospital Mainframe, Hospital PHI DB Server; six hosts carry a "P" marker.)
15
Different Kinds of End Point Security
  • Five kinds, based on where the guard resides:
  • Software in the host's user space
  • Software in the host's operating system
  • Hardware TPM in the host
  • Hardware at the NIC level
  • Hardware at the host's edge

16
Different Kinds of End Point Security
(Diagram: a spectrum labelled INCREASING TRUST running from Software Agents to Hardware Agents. Example labels in slide order: Ex: Sygate; Ex: Microsoft; Ex: TBA (TCG-TPM); Host on network; Ex: 14-South, Seclarity; Ex: TBA.)
17
End Point Security Can Help
  • Benefits of centrally managed End-Point Security:
  • Not capturable by the user: users only get those
    rights you want them to have
  • Distributed enforcement can be fine-grained
  • Addresses many Insider Threat issues
  • Separates security from network management
  • Policy enforcement is everywhere the same
  • Simplified audit reporting
  • Do not have to modify user behavior: reduced
    training
  • Better security at lower overall cost
  • Reduces urgency of patch-in-a-hurry
  • Secures remote and distant users

18
Some Scenarios
  • Secure PHI for mobile users, e.g., Doctor on
    Hospital Rounds
  • Patients/visitors given access to the Internet
    from Hospital networks (RJ-45 jacks), without
    fear of compromise of PHI
  • Concessions (e.g., POS devices) can have
    completely isolated use of the enterprise network
  • Prompt containment of compromised satellite hosts
    or workstations
  • Securely manage PHI-containing servers from
    sysadmins at home or from Starbucks
  • Simply demonstrate to auditors that no
    connection from PHI containing servers to
    unauthorized users has occurred
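Added illustration, not code from the Seclarity deck: a toy Python model of the user-community scheme from the Network Virtualization slide and of the last scenario above (showing auditors that no PHI server talked to an unauthorized user). Host names, the central policy and the guard log lines are all constructed; the log format is hypothetical.

```python
# Toy model of centrally managed end-point guards (added example).
# POLICY (constructed) maps hosts to user communities; a guard permits
# a flow only if both ends share a community and PHI flows are encrypted.
import re
from typing import NamedTuple

POLICY = {                         # hypothetical host -> communities
    "hospital-phi-db": {"clinical"},
    "doctor-laptop": {"clinical"},
    "lab-analyst-pc": {"clinical", "lab"},
    "accounting-pc": {"accounting"},
    "visitor-kiosk": set(),        # guest: Internet only, no community
}
PHI_HOSTS = {"hospital-phi-db"}    # servers holding PHI

class Flow(NamedTuple):
    src: str
    dst: str
    encrypted: bool

def guard_decision(flow: Flow, policy=POLICY) -> str:
    """Verdict a guard at either endpoint reaches for this flow."""
    a, b = policy.get(flow.src), policy.get(flow.dst)
    if a is None or b is None:
        return "deny:unmanaged-host"        # no guard, never trusted
    if not a & b:
        return "deny:no-shared-community"   # separate user communities
    if PHI_HOSTS & {flow.src, flow.dst} and not flow.encrypted:
        return "deny:phi-unencrypted"       # encrypt all PHI traffic
    return "allow"

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) enc=([01]) action=(\w+)")

def audit_phi_log(lines, policy=POLICY):
    """(line, reason) for each logged 'allow' touching a PHI host that
    policy would deny: evidence of a misconfigured or bypassed guard."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m[4] != "allow":
            continue                        # not an allowed flow
        flow = Flow(m[1], m[2], m[3] == "1")
        verdict = guard_decision(flow, policy)
        if PHI_HOSTS & {flow.src, flow.dst} and verdict != "allow":
            findings.append((line, verdict))
    return findings

SAMPLE_LOG = [  # constructed guard log lines, not real data
    "guard=hospital-phi-db src=doctor-laptop dst=hospital-phi-db enc=1 action=allow",
    "guard=hospital-phi-db src=accounting-pc dst=hospital-phi-db enc=1 action=deny",
    "guard=hospital-phi-db src=visitor-kiosk dst=hospital-phi-db enc=1 action=allow",
    "guard=lab-analyst-pc src=lab-analyst-pc dst=hospital-phi-db enc=0 action=allow",
]
```

An empty result from audit_phi_log over the full guard log is the auditor-facing statement; each finding names the specific flow and the policy rule it broke.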

19
Questions?