smart card presentation for trinity9-02

UConn Health Center Security Optimization & Fortification Initiative Bob Brandner Deputy CIO

Upload: rsb1962

Post on 31-May-2018


Page 1: Smart Card Presentation for Trinity9-02

8/14/2019 Smart Card Presentation for Trinity9-02

http://slidepdf.com/reader/full/smart-card-presentation-for-trinity9-02 1/13

UConn Health Center
Security Optimization & Fortification Initiative
Bob Brandner, Deputy CIO

Page 2: Smart Card Presentation for Trinity9-02


Overall Objectives

• All the Healthcare business drivers mentioned in Datacard slides apply to our scenario
• Use Digital Signatures to replace written signatures as approvals for internal forms routing and external electronic commerce.
• Single, streamlined process for employees or affiliates to obtain credentials/privileges for visual, physical or logical access.
• Centrally managed security administration (issuance, revision, revocation) process with emphasis on improving:
 – Timeliness of service delivery
 – Audit Capabilities
 – Accountability
 – Measurements
• Fortification of safeguards for all aspects of Security using Smart Card as single credential store
• Address HIPAA requirements with common sense (see Appendix Two)
• Introduce two factor authentication in sensitive areas using any combination of:
 – Password/PIN (something you know)
 – Smart Card/PKI (something you have)
 – Biometric (something you are)
• Facilitate automated password administration by introducing single/reduced sign-on capability

Page 3: Smart Card Presentation for Trinity9-02


Staff & Caregiver ID - Needs

• One ID card for multiple functions
• One secure enrollment & card issuing process
• One secure and accurate data source
• Integration of “second” factor of authentication in network and physical access
• Multiple applications on smart cards
 – network security, cafeteria, vending

Central Secured Identity Database

• ONE database to store identity information
 – HR, LDAP Compliant Directory, Central ID Database
 – Populate from HR database
 – Connectivity to legacy access control & time/attendance systems
 – Ability to view from other locations

Smart Cards

• Multi-application capability
 – Logical security
 – Add single sign-on & PKI
 – Add biometric template
 – Future applications
• Best choice for combining logical and physical security
 – Combine two or three factors of authentication: something you have (card), something you know (PIN) and something you are (biometric)
 – Portable, secure

Value Statement

Datacard offers a single source solution for consolidating visual, physical, and network authentication using a seamless smart card issuance process. This provides greater security at a lower cost.

Mirrors UConn Health Center’s Goals & Approach

Page 4: Smart Card Presentation for Trinity9-02


UConn Current State – Physical & Visual

• Visual & Physical Security accomplished via use of at least six (6) different cards (i.e. Photo Badge, door access mag stripe & proximity, parking lot proximity, mag stripe vending, etc.)
• Employee picture IDs have no intelligence, and the other types of cards mentioned do not include pictures and are all configured via different applications.
• Only different color badges provide any visual differentiation for physical access between employees
• Public Safety (Campus Police) office gets a paper list of new employees scheduled for weekly orientation who need badge pictures taken.

Page 5: Smart Card Presentation for Trinity9-02


UConn Current State – Logical (Chaos)

• Approximately 199 business applications in use by over 3000 employees
• 56 different employees manage password access for the 199 applications (only IDX Suite access managed by IT)
• 52% contain Protected Health Information (PHI)
• 40% have ability to assign varying levels of access
• 34% have role-based access administration
• 18% have passwords with automatic expirations
• 15% of applications are used enterprise-wide:
 – 10 applications have between 250 and 500 users
 – 6 applications have between 50 and 250 users
 – 13 applications have between 20 and 50 users
• Approximately 332 users have access to at least two enterprise-wide applications:
 – 184 users have access to two different enterprise-wide clinical applications:
  • (134) IDX Suite & Lab
  • (28) IDX Suite & Radiology
  • (22) IDX Suite & Pharmacy
 – 142 users with access to IDX Clinical Suite also have access to Finance System
 – 80 users have access to both Human Resource and Finance Systems
• 85% of applications (170) have between 1 and 20 users and are departmental in nature.

Page 6: Smart Card Presentation for Trinity9-02


UConn Current State – Smart Cards

• In-house developed Physician Order Entry (POE) system PKI enabled for logon via Gemplus smart card & PIN with photo and Verisign digital certificate (on-site lite product)
• Digital Certificate is captured for each order in a SQL database
• Over 500 cards issued for Physicians and Residents
• Visual-only employee IDs also required for smart card users.
• Physicians find use of PIN cumbersome and would like Biometric option for second factor authentication.
• CT Hosp Association supplied and administered smart card printing/issuance process, but discontinued this service one month into POE rollout.
• Ability to manage entire smart card lifecycle in-house was required immediately.
• ActivCard selected as vendor of choice via RFP for Smart Card driven pilot including cards, readers, printer, Smart Card Lifecycle management and reduced sign-on software.
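The pattern on this slide of capturing the digital certificate with each order (and the Overall Objectives goal of replacing written approvals with digital signatures), as an added example that is not part of the original deck or of the UCHC POE system: each stored order row carries the order text, the signature made with the card-held key, and the signer's certificate, so the approval can be re-verified from the row alone and any later change to the order text is detected. NewCardCredential, SignOrder, VerifyOrder, the self-signed Ed25519 certificate and the sample order are constructed stand-ins for the Verisign certificate and Gemplus/Schlumberger card key the deck describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// SignedOrder is the row captured per order: order text, signature, and the signer's certificate (DER).
type SignedOrder struct {
	OrderText string
	Signature []byte
	CertDER   []byte
}

// NewCardCredential stands in for the key pair held on a physician's smart card and its
// certificate. Constructed stand-in: self-signed Ed25519, not the CA-issued cert the deck used.
func NewCardCredential(name string) (ed25519.PrivateKey, []byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return priv, der, err
}

// SignOrder is the approval at order entry: the card key signs the order text and the
// signer's certificate is captured in the same row so the approval can be re-verified later.
func SignOrder(priv ed25519.PrivateKey, certDER []byte, order string) SignedOrder {
	return SignedOrder{OrderText: order, Signature: ed25519.Sign(priv, []byte(order)), CertDER: certDER}
}

// VerifyOrder re-checks a stored row against its own captured certificate and returns the
// signer's name; a tampered order text, bad signature or unparsable certificate is an error.
func VerifyOrder(rec SignedOrder) (string, error) {
	cert, err := x509.ParseCertificate(rec.CertDER)
	if err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, []byte(rec.OrderText), rec.Signature) {
		return "", errors.New("signature does not match stored order")
	}
	return cert.Subject.CommonName, nil
}
```

In production the certificate would be chain-validated against the issuing CA and checked for revocation at signing time; storing it with the row is what lets the approval be audited after the card or certificate has been replaced.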

Page 7: Smart Card Presentation for Trinity9-02


ActivCard/Datacard - Smart Card Pilot Objectives

• Automatic creation of Cryptographic smart cards to be used for PKI, desktop security, physical access, time reporting, copier charge debit and photo ID badge purposes
• Reduced sign-on to Windows client server, Telnet and browser based system logons (non-programmatic interface or vendor specific agents)
• Protection of information and transactions using PKI
• Desktop locking and session resumption
• Single, application shareable credential store (LDAP compliant)
• Web authentication using SSL and client-side certificates
• Digitally signed and encrypted e-mail (S/MIME)
• Mobile certificates using smart cards / virtual smart cards
• Automatic and manual PC file encryption
• Compatible with Verisign Certificates

Page 8: Smart Card Presentation for Trinity9-02


Pilot Results

• Using templates created in ID Works with support from distributor, currently using Datacard ICIV camera and printer to issue Schlumberger Smart Cards for POE application
• Adding Verisign certs to Smart Cards
• Verified ability of ActivCard Trinity software to automate the following system access functions:
 – Create single credential store in LDAP directory and transfer to Smart Card individual user IDs and passwords for employees
 – Automate sign-on process to all systems by using tools to create software templates for various UCHC client/server, terminal emulated or web based logon dialogs.
 – Automate creation of new passwords by recognizing expiration notice and using rules to seamlessly create system specific new password.
 – Use any combination of Smart Card, PIN, password or biometric for system authentication, varied by employee and/or by each system access by each employee.
 – Automate MS Domain/Exchange and/or Active Directory Logon
 – Assignment of access privileges to new hires via drag and drop of templates
 – PC session locking when smart card is removed.
• Verified ability to feed new employee data from HR system to MS Active Directory’s LDAP store that automatically updates both Trinity and ID Works databases (See Appendix One for data flow)
• Clinical IT Steering committee saw demo of Trinity automated logon capabilities and strongly endorsed the product.

Page 9: Smart Card Presentation for Trinity9-02


Security Initiative Current Status

• Initiating purchase of first 100 of 2500 to 3000 total Trinity licenses
• Creating temporary point to point feeds from HR system directly to ID Works and Trinity Database (until Active Directory is in full production)
• Modifying COM object providing PKI interface via smart card for POE logon to use Schlumberger cards and Trinity Software.
• Working with various individuals responsible for password administration of UCHC systems to establish IT security as single customer contract for requesting and aggregating credentials for multiple systems (Access Broker)
• Finalizing strategy for assigning appropriate type of ID card to requirements of various job types (i.e. Plastic photo card; Picture & Mag Stripe; Picture, Mag & Proximity & Smart Card Combo).
• Modifying HR new employee forms to capture systems access request information and adding to electronic feed.
• Modifying electronic approvals for in-house forms routing to replace use of SS# and PW with PKI.
• Transitioning Datacard Equipment and ID Works operation to Public Safety (Security) departments to replace current visual only badges.
• Rolling out Trinity software to most sensitive patient care areas and to communities requiring access to multiple applications.
• Evaluating opportunities to interface Trinity credentialing process with Verisign enrollment to further streamline administration.

Page 10: Smart Card Presentation for Trinity9-02


Appendix One – New Employee Credentialing Data Flow (flowchart; its boxes and Yes/No decisions are rendered here as a numbered sequence)

1. Greentree Applicant Tracking System (HR) generates an electronic feed containing the list of new employees, including departmental demographic, facility access & information systems access information.
2. The feed loads MS Active Directory (LDAP v.3). It includes the names of new employees needing facility, barcode & information systems access.
3. From Active Directory two LDAP feeds branch:
 – Full set of new employee information fed via LDAP into the Access database for the ID Works badging system.
 – Only new employee names needing systems access fed via LDAP into the database for the Trinity authentication application; IT Security creates the Trinity new employee systems access profile, available for download to the ID badge.
4. Required badging option (one per employee):
 – Picture badge only (plastic only)
 – Picture badge with facility access and/or barcode card configuration only (magnetic stripe)
 – Picture badge with facility & IT systems card configuration (magnetic stripe & microchip)
5. ID Works system: print badge with picture and with/without barcode/mag stripe.
6. Need IT access credentials on card?
 – No: Public Safety gives the finished badge to the employee.
 – Yes: Public Safety logs into the Trinity system as Operator, inserts the new card into the reader and downloads IT access credentials to the card.
7. Need PKI digital certificate?
 – No: Public Safety gives the finished badge to the employee.
 – Yes: IT Security enrolls the new employee in the Verisign PKI system and readies the certificate for download to the card. The certificate is sent from Verisign to Public Safety at a special email account; Public Safety downloads the Verisign certificate onto the card via card reader; the MS Active Directory record for the new employee is updated with digital certificate information via LDAP; Public Safety gives the finished badge to the employee.

Page 11: Smart Card Presentation for Trinity9-02


Appendix Two

I. Privacy Compliance Requirements

HIPAA Myths vs. HIPAA Realities (two-column slide, flattened here as myth/reality pairs)

Reality: the Rule calls for a balance between the ultimate protection, risk and cost, and clearly states the desire not to impose a patient-care-affecting burden.

Myth a) Mandates IT system redesigns for ability to impose distinct limitations on precise data elements accessible by dozens of user roles.
Reality: Creating a few roles with access to a broad range of patient PHI data elements is both permissible and appropriate as part of a HIPAA compliant procedure because:
 – Most employees with ANY access rights to electronic PHI have legitimate needs to access diagnosis & procedure information
 – Many employees with ANY access rights need to access infection precautions
 – The minority of staff not needing access to these broad categories should be placed into a few roles with very limited PHI access.

Myth b) Most privacy rule provisions require modifications to existing or newly acquired electronic systems containing PHI.
Reality: Compliance with the majority of the privacy rule provisions will be achieved by:
 • Securing physical access to facilities where either paper (file rooms) or systems containing PHI (Data Center) are stored.
 • Employee Education on sacred nature of patient privacy
 • Implementing & enforcing specific privacy policies
 • Use and tracking of paper consent/authorization forms
System modifications may be required to deliver the following capabilities that are necessary for HIPAA compliance:
 • Verify authorizations for repeated disclosures have not been revoked prior to each PHI disclosure
 • Log the nature and date of each disclosure
 • Record amendments made to electronic PHI via patient request or staff.

Page 12: Smart Card Presentation for Trinity9-02


II. Security Compliance Requirements

HIPAA Myths vs. HIPAA Realities

Reality: the Rule calls for a balance between the ultimate protection, risk and cost.

Myth a) Requires enormous investment in IT security specifically for HIPAA compliance.
Reality:
 • Majority of security rule compliance will be addressed by physical facility security enhancements and establishing policies to protect PHI.
 • Majority of the rule’s electronic data protections will use technology organizations have installed or are planning to as part of normal business precautions and infrastructure upgrades.

Myth b) Mandates very specific security technologies & solutions.
Reality: Rules mandate capabilities, policies and mechanisms; not specific technologies.

Myth c) Impersonation of a patient at the point of care represents the principal and most probable threat to unauthorized access to PHI via HCO’s electronic system.
Reality: Impersonating a patient at the point of care to illegally acquire a person’s electronic PHI is not a probable threat because:
 • Number of parties interested in a “non-celebrity’s” PHI, but not entitled to it, is small at any time.
 • There is no ready market for PHI a hacker might acquire via impersonating the individual.
 • Blackmail involving large sums of money is too messy, too risky and too personal for hackers.
 • Exploiting the helpful nature of organization’s staff not adequately trained in patient privacy policies & procedures is a much more probable scenario for illegal/inappropriate access to PHI than stealing a password by “shoulder surfing”.

Page 13: Smart Card Presentation for Trinity9-02


HIPAA Myths vs. HIPAA Realities (continued)

Myth c) Requires use of Two factor Authentication to access PHI (e.g. Password & Biometric).
Reality:
 • Majority of electronic access to PHI can be sufficiently protected by ensuring the use of unique user IDs and passwords.
 • Two factor authentication methods (i.e. smart card/PIN, Biometric/PIN, etc.) will make sense in the most sensitive care delivery settings.
 • Best and most widely pursued method of ensuring adequate protection for electronic PHI is automating the provisioning and tracking of access rights via single sign-on technology.

Myth d) Electronic PHI remote access via the Internet requires use of password tokens (Secure ID Cards) and Virtual Private Network (VPN) Software.
Reality: Not required; use of normal internet browser technology supporting SSL encryption, unique passwords and inactivity timeouts will address HIPAA requirements.