Security Considerations for Health Care Organizations
Disclaimer
This Presentation is provided “as is” without any express or implied warranty. This Presentation is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney.
Trust and Risk
– Do you trust the Internet?
– Do you trust wireless cell phone communications?
– Are you sure that the person at the other end of the connection is who they say they are?
Trust and Risk
– Under the Electronic Fund Transfer Act (effective 1979, 15 U.S.C.), the credit card and ATM industry was forced to limit personal financial risk to users (usually $50 maximum if cards are used fraudulently)
– The approach focused on reducing risk, since the technology was not yet ready
– Limiting risk compensates for a lack of trust
– Many, however, consider this approach a band-aid for the real issue – increasing user trust
– What is available and what can be provided?
Typical Hacker Threats and Protections
Hacker threat – Protection
Masquerading – Authentication
Eavesdropping – Encryption
Interception – Digital Certs./Signatures
Address Spoofing – Firewalls
Data Manipulation – Encryption
Dictionary Attack – Strong Passwords
Replay Attacks – Time Stamping & Sequence Numbers
Denial of Service – Authentication
Common Internet Attacks and Typical Fixes
Internet attack – Fix
Root access by buffer overflows – Upgrade systems; training
Distributed Denial of Service – Creating attack bottlenecks and coordination
E-mail spamming and relaying – Training
Exploitation of misconfigured software and servers – Verification/certification of software
Mail attachment attacks – Training of users to recognize attachments
Goals of Security Measures
Authentication – Who or what am I transacting with?
Access Control – Is the party allowed to enter into the transaction?
Confidentiality – Can any unauthorized parties see the transaction?
Integrity – Did the transaction complete correctly and as expected?
Non-Repudiation – Are authorized parties assured they will not be denied from transacting business?
Virtual Private Networks (VPN)
– Provides Virtual Network Connectivity
  – User to LAN/WAN
  – LAN/WAN to LAN/WAN
– Encrypted at the TCP/IP Level
– Provides Protected Communications for All TCP/IP Services
Firewalls
– Provides Traffic Management in Both Directions
– Generally Located at Border between Public and Private Networks
– Features Include
  – Proxy Server/Network Address Translation (NAT)
  – User Name/Password Authentication
  – Packet Filtering
  – Stateful vs. Stateless Packet Processing
  – Traffic Audit Logs
Intrusion Detection System (IDS)
Audit
– Store security-pertinent system data
– Detect traffic patterns
– Develop reports and establish critical parameters intrusion criteria using agent software
– Set up revocation lists
Detect
– Predefine flexible security violations criteria (e.g., identify zombie placement, Super User, Root user occurrences)
– Be proactive
– Become network-oriented
Secure
– Fix applications or alterations that were made by an attacker where appropriate (e.g., Trojan Horse ID, Zombie Ant detection eliminated)
Backup Charts
Firewall-1 / VPN-1 High Availability
[Diagram labels: Corporate Intranet; IKE Synchronization; Secondary VPN-1 Gateway; Primary VPN-1 Gateway; VPN-1 SecuRemote; VPN-1 Gateway; Internet]
– Transparent fail-over of IPSec communications without loss of connectivity
– Enables hot fail-over and load balancing across VPN gateways
– Industry’s first transparent VPN fail-over that maintains session integrity
Architecture of a Distributed System
[Diagram labels: Users; Internet; Clients/Partners; Internal WANs and LANs; Web Servers; Middleware; App Servers; DNS; Messaging; Data Storage; Backup/Recovery]
Critical Elements of Security Architecture
AUDIT, DETECT, and SECURE
– Three stages of secure process that are to be followed
Provide security agents
– Automated
– Continually monitor all systems
– Ensures that Zombie Ants are not being introduced or that Distributed Denial of Service conditions do not occur
Added Notes:
– Biometric and Smart Card Technology can be applied where appropriate
– Biometrics is being tested
  – Standards still in the mill
  – People issue – many feel uneasy about providing fingerprints or eye scans, or physical variations, as means to set up secure operations
  – Firms exist to do this today (e.g., International Biometric Group)
– Smart cards now used by GSA for their badges have fingerprints embedded (3GI developed this – locally available support)
Operational Documentation Checklist
Project Plan
System Security Plan (SSP)
Risk Assessment
Waiver Letter(s)
Approvals to Test
Interim Approvals to Operate
Certificate Policy
Subscriber Agreement
Security Program Elements
– Wide Security Program planning and managing to provide a framework and continuing cycle of activity for managing risk, developing security policies (in conjunction with the Office of Protection), assigning responsibilities, and monitoring the adequacy of the computer-related controls.
– Access Control – controls that limit or detect access to computer resources (data, programs, and equipment) that protect these resources against unauthorized modification, loss or disclosure.
– Segregation of Duties – establishing policies, procedures, and an organizational structure such that one individual cannot control key aspects of IT-related operations and thereby conduct unauthorized actions or gain unauthorized access to assets or records.
– Service Continuity – implementing controls to ensure that when unexpected events occur (i.e., virus) critical operations continue without interruption or are promptly resumed and critical and sensitive information is protected.
Comprehensive Network Security Policy Approach
Reference Model
– Assurance
– Mission
– Policy
– Sec. Org Structure
– Sec. Implementation Procedures
– Awareness, Training, & Education
– Phy & Env Protection
– Connectivity Controls
– Access Controls
– Sys Admin Controls
– Storage Media Controls
– Accountability Controls
Protect Model
– Deny
– Detect
– Assess
– Train
– Enforce
Response Model
– Respond
– Report
– Isolate
– Contain
– Recover
Network Security Model
– Level 1. System Mission
– Level 2. Security Policy
– Level 3. Security Organizational Structure
– Level 4. Security Implementation Procedures
– Level 5. Security Awareness, Training, & Education
– Level 6. Physical & Environmental Systems Protection
– Level 7-11. Controls: System Access, Connectivity, Administration, Storage Media, & Accountability
– Level 12. Assurance
[Diagram labels: Value of Information; Threat Start]
Network Security Strategic Reference Model
– Protect Model: Deny, Detect, Assess, Train, & Enforce
– Response Model: Respond, Report, Isolate, Contain, & Recover