
19/11/2013 Information security approach within the Belgian social & health sector.


1 19/11/2013 Information security approach within the Belgian social & health sector

2 Frank Robben

3 Context – Belgian social sector
– > 11,000,000 citizens concerned
– > 220,000 employers involved
– about 3,000 public and private institutions active at several levels (federal, regional, local) dealing with
  – collection of social security contributions
  – delivery of social security benefits: child benefits, unemployment benefits, benefits in case of incapacity for work, benefits for the disabled, reimbursement of health care costs, holiday pay, old age pensions, guaranteed minimum income, …
  – delivery of additional social benefits
  – delivery of additional benefits based on a person's social security status

4 Expectations – Belgian social sector
– effective social protection
– effective support of social policy
– effective fraud prevention and detection
– integrated services
  – attuned to the concrete situation of citizens and companies, and personalized when possible
  – delivered at the occasion of events that occur during their life cycle
  – across government levels, public services and private bodies
  – reliable, secure and permanently available
  – with minimal costs and minimal administrative burden
  – if possible, granted automatically

5 Context – Belgian health sector
– > 11,000,000 citizens concerned
– > 100,000 health care providers involved (physicians, dentists, clinical labs, pharmacists, physiotherapists, nurses, …)
– > 300 health care institutions involved (hospitals, retirement homes, nursing homes, …)
– health insurance funds
– public institutions
  – federal level (Federal Public Service for Public Health, National Institute for Health & Disability Insurance, Belgian Health Care Knowledge Centre, …)
  – regional level

6 Expectations – Belgian health sector
– optimal health care quality
– optimal patient safety
– adequate support of health policy
– patient-centric care and empowerment of the patient
– integrated services
  – multidisciplinary
  – holistic
  – continuous
  – across health care institutions and health care providers
– remote care (monitoring, assistance, consultation, diagnosis, operation, …), among others home care
– quickly evolving knowledge => need for reliable, coordinated knowledge management and accessibility

7 Risk analysis approach
– increasing collaboration relating to information management and process integration
– separate government bodies are no longer free-standing information processing entities, but rather parts of a coherent whole
– the risk of consequential damage to other systems, and its extent, is much greater than the damage at the location where the original incident occurs
– => the vision of information security and protection of privacy must thus be determined collectively

8 Risk analysis approach (cycle)
1. policy
2. organization
3. risk analysis => security requirements
4. selection of measures
5. development planning and implementation of measures
6. training and education
7. supervision, control and evaluation, with feedback to step 1

9 Risk analysis approach
– absolute security/protection is not a desirable objective, because it leads to significant opportunity losses in terms of efficiency and effectiveness
– main challenge: constantly seeking the optimal balance between seizing opportunities and avoiding risks

10 Information security measures
1. structural and institutional measures
2. organizational and technical measures (based on the ISO 27XXX standards)
3. legal measures

11 1. Structural & institutional measures
1.1. no central data storage
1.2. independent Sectoral Committee of the Privacy Commission
1.3. within the social sector, a preventive control by the CBSS of the legitimacy of each personal data exchange, according to the authorizations granted by the independent Sectoral Committee of the Privacy Commission
1.4. information security department with each actor
1.5. specialized information security service providers
1.6. information security working group

12 1.1. No central data storage (social sector)
[Network diagram, labels only: users and NEO; access networks Internet, FedMAN, Isabel, …; routers (R) and firewalls (FW); NIC backbone; NOSS; CBSS]

13 1.1. No central data storage (social sector)
reference directory, showing
– for each citizen
  – at which social security institutions the citizen is already known
  – in what capacity
  – during which period
– per social security institution type and per capacity in which a person might be known to the institution
  – which types of data on the person are available
– per social security institution type and per capacity in which a person might be known to the institution
  – which types of data the institution needs, and is authorized to receive from other institutions, in order to fulfil its duties

14 1.1. No central data storage (social sector)
functions of the reference directory
– access control
– information requests routing
– automatic information change transmission

15 1.1. No central data storage (health sector)
[Architecture diagram, labels only: Suppliers; Basic services; eHealth platform; Network; Patients, health care providers and health care institutions; VAS; eHealth platform portal; Health portal; Software health care institution; MyCareNet; Software health care provider; Website NIHDI; AVS]

16 1.1. No central data storage (health sector)
[Diagram: system as is]

17 1.1. No central data storage (health sector)
System to be: hub-metahub
[Diagram with hubs A, B and C and a metahub that knows where a patient's data are held]
1: Where can we find data?
2: In hub A and C
3: Fetch data from hub A; fetch data from hub C
4: All data available
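The reference directory of slides 13 and 14 and the hub-metahub lookup of slide 17 share one idea: a directory that holds no personal data, only who knows whom (and when) and who may receive what, and that routes requests accordingly. The following is an added example in Go, not code from the presentation or from the CBSS or eHealth-platform; institution names, data types and registrations are constructed for illustration. It also shows the preventive legitimacy check of slide 11 (1.3): a request is refused before routing when the requester is not authorized for the data type or has no active relationship with the citizen, and every attempt is time-stamped as slide 46 requires.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Registration says that a citizen is known at an institution, in one capacity,
// during a period. A zero To means the registration is still open.
type Registration struct {
	Institution, Capacity string
	From, To              time.Time
}

// Profile describes one institution in one capacity: which data types it holds
// and which data types it needs, and is authorized to receive, from others.
type Profile struct {
	Holds, MayReceive []string
}

// Directory is the reference directory: no personal data, only pointers and rules.
type Directory struct {
	Registrations map[string][]Registration // citizen -> registrations
	Profiles      map[string]Profile        // "institution/capacity" -> profile
	AccessLog     []string                  // every attempt, time-stamped
}

func contains(xs []string, x string) bool {
	for _, v := range xs {
		if v == x {
			return true
		}
	}
	return false
}

func (r Registration) activeAt(t time.Time) bool {
	return !t.Before(r.From) && (r.To.IsZero() || t.Before(r.To))
}

// Route is the preventive legitimacy check plus request routing: it refuses a
// request the requester is not authorized for, or about a citizen it has no
// active relationship with, and otherwise returns the holders to query.
func (d *Directory) Route(requester, capacity, citizen, dataType string, at time.Time) ([]string, error) {
	d.AccessLog = append(d.AccessLog, fmt.Sprintf("%s %s/%s asks %s about %s",
		at.UTC().Format(time.RFC3339), requester, capacity, dataType, citizen))
	p, ok := d.Profiles[requester+"/"+capacity]
	if !ok || !contains(p.MayReceive, dataType) {
		return nil, errors.New("requester not authorized for this data type")
	}
	var holders []string
	known := false
	for _, r := range d.Registrations[citizen] {
		if !r.activeAt(at) {
			continue // expired registrations neither grant nor route anything
		}
		if r.Institution == requester && r.Capacity == capacity {
			known = true
			continue
		}
		if contains(d.Profiles[r.Institution+"/"+r.Capacity].Holds, dataType) {
			holders = append(holders, r.Institution)
		}
	}
	if !known {
		return nil, errors.New("requester has no active relationship with this citizen")
	}
	if len(holders) == 0 {
		return nil, errors.New("no holder known for this data type")
	}
	return holders, nil
}

// Recipients lists the institutions to which a change of dataType about the
// citizen is pushed automatically: every active registration whose profile may
// receive that data type (slide 14, automatic information change transmission).
func (d *Directory) Recipients(citizen, dataType string, at time.Time) []string {
	var out []string
	for _, r := range d.Registrations[citizen] {
		if r.activeAt(at) && contains(d.Profiles[r.Institution+"/"+r.Capacity].MayReceive, dataType) {
			out = append(out, r.Institution)
		}
	}
	return out
}

// sampleDirectory is constructed illustration data, not any real institution's profile.
func sampleDirectory() *Directory {
	day := func(s string) time.Time { t, _ := time.Parse("2006-01-02", s); return t }
	return &Directory{
		Registrations: map[string][]Registration{
			"citizen-1": {
				{"hub-A", "patient", day("2010-01-01"), time.Time{}},
				{"hub-C", "patient", day("2012-06-01"), time.Time{}},
				{"hub-B", "patient", day("2008-01-01"), day("2011-01-01")}, // expired
				{"pension-fund", "pensioner", day("2013-01-01"), time.Time{}},
			},
		},
		Profiles: map[string]Profile{
			"hub-A/patient":          {Holds: []string{"medication", "sumehr"}, MayReceive: []string{"sumehr"}},
			"hub-B/patient":          {Holds: []string{"sumehr"}, MayReceive: []string{"sumehr"}},
			"hub-C/patient":          {Holds: []string{"sumehr"}, MayReceive: []string{"medication", "sumehr"}},
			"pension-fund/pensioner": {Holds: []string{"pension-status"}, MayReceive: []string{"income"}},
		},
	}
}

func main() {
	d := sampleDirectory()
	now := time.Date(2013, 11, 19, 0, 0, 0, 0, time.UTC)
	holders, err := d.Route("hub-C", "patient", "citizen-1", "sumehr", now)
	fmt.Println(holders, err) // hub-B is expired and hub-C is the requester, so only hub-A is asked
	_, err = d.Route("pension-fund", "pensioner", "citizen-1", "sumehr", now)
	fmt.Println(err) // refused before any routing happens
}
```

The point of the structure is that the directory can answer "where" and "may you" without ever holding the medication schedule or the SUMEHR itself, which is what "no central data storage" means in practice.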

18 1.2. Independent Sectoral Committee
– designated by the Belgian Parliament
– mandate
  – information security supervision
  – authorizing information exchange
  – complaint handling
  – information security recommendations
  – extensive investigating powers
  – annual activity report

19 1.4. Information security department
– with each social sector institution and in some health care institutions
– composition
  – information security officer
  – one or more assistants
– the Sectoral Committee controls the independence of the information security officers and enables their permanent education
– the Sectoral Committee can allow a task of the information security department to be outsourced to a recognized specialized information security service provider

20 1.4. Information security department
Information security department
– recommends, promotes, documents, controls
– reports directly to the executive management
– formulates the blueprint of the information security plan
– elaborates the annual information security report
Executive management
– takes decisions
– has the final responsibility
– gives motivated feedback
– approves the information security plan
– supplies the necessary resources

21 1.4. Information security department
annual information security report
– general overview of the information security situation
– overview of the activities
  – recommendations and their effects
  – control activities
  – campaigns to promote information security
– overview of external recommendations and their effects
– overview of trainings received

22 1.6. Information security working group
– composition
  – information security officers of all branches in the sector
  – sub-working groups
    – per branch
    – per theme (policy, audit, ...)
– tasks
  – coordination
  – creation of information security awareness
  – communication
  – formulating recommendations to the Sectoral Committee

23 1.6. Information security working group
deliverables
– ISMS and information security policies
– minimum information security standards
– information security guidelines
– codes of good practice
– protecting the network
– organizing internal information security audits
– disaster recovery methods

24 2. Organizational & technical measures
2.1. ISMS and information security policies
2.2. information classification
2.3. human resources security
2.4. physical and environmental security
2.5. operations management
2.6. personal data processing
2.7. logical access security
2.8. information system acquisition, development and maintenance
2.9. business continuity management
2.10. compliance (internal and external control/audit)
2.11. communication to the public of security and privacy protection policies

25 2.1. ISMS & information security policies
Information Security Management System
– governing principle behind an ISMS: an organization should
  – design, implement and maintain a coherent set of policies, processes and systems
  – manage risks related to its information assets
  – thus ensuring acceptable levels of information security risk
– concerted approach to information security => General Coordination Committee
– methodology aims to lead to an optimal information security approach based on the international ISO 27XXX standards
– common methodology for all institutions

26 2.1. ISMS & information security policies

27 2.1. ISMS & information security policies
– integrated set of security policies elaborated through step-by-step refinement
– directives, architecture, standards, procedures and techniques are described to apply an integral set of information security policies, in accordance with the priorities set by the information security working group

28 2.1. ISMS & information security policies
policies should always have the following structure
– main field of application / personal field of application
– definitions of the concepts used in the policy
– general principles, rules and responsibilities
– requirements
– references to other policies
– sanctions if the policy is not complied with, arising from laws and regulations
– references to directives, architecture, procedures, standards and techniques to comply with the policy
– version and date of validation by the appropriate parties
– name of the person responsible for policy maintenance

29 2.1. ISMS & information security policies

30 2.1. CBSS information security policies
minimum standards
– annual update
– applicable to all social security institutions
– institutions that want to be integrated into the CBSS network must have an up-to-date, long-term information security plan containing measures for complying with the minimum standards
– annual self-assessment executed via a question-and-answer form

31 2.1. CBSS information security policies
minimum standards
– the Sectoral Committee can at all times engage an external institution to verify whether an institution complies with the minimum information security standards
– ultimate sanction: if a social security institution does not comply with these standards, the institution can, after formal notice, no longer access the network, in accordance with article 46, first paragraph, 1°, of the CBSS Law

32 2.2. Information classification
– determining the protection level per information item, based on 2 aspects
  – importance for the business continuity of public services (e.g. vital, critical, necessary, useful)
  – sensitivity in relation to protection of privacy (e.g. public, internal, confidential, secret)
– scope includes information (mainly personal data) used for services to citizens, companies and civil servants, regardless of the equipment on which it is kept
– information is labeled depending on the classification criteria used
– continuous process without too much formalism

33 2.3. Human resources security
– information security tasks and responsibilities are included in all job descriptions to which they apply
– sensitive positions are stated as such in job descriptions
– applicants for sensitive jobs are screened carefully
– a secrecy declaration is signed by every staff member
– all staff members are briefed, educated and trained on a regular basis

34 2.3. Human resources security
at each institution
– solid procedures are established and frequently tested to report any information security breach or weakness to the information security officer in a timely manner
– a working method is established and frequently tested to analyze any information-security-related incident or weakness reported by the information security officer, and adequate remedial measures are proposed for implementation within a reasonable timeframe

35 2.3. Human resources security
– (disciplinary) sanctions apply when measures relating to information security and privacy protection are circumvented or not complied with
– controls are executed to ensure that
  – the (disciplinary) sanctions for circumventing or not complying with measures relating to information security and privacy protection are sufficiently known
  – adequate measures are applied when the working relationship with a staff member is terminated

36 2.4. Physical and environmental security
– availability of premises is protected against bad external influences, unauthorized access, theft, flooding, fire, …
– ICT infrastructure supporting vital and critical business processes is professionally accommodated at these premises
– power supply for ICT infrastructure supporting vital and critical business processes is guaranteed
– wireline and wireless connections are secured against wire-tapping and sniffing

37 2.4. Physical and environmental security
– proper procedures for installing and removing business equipment, also in cases of maintenance and repair, are established and tested frequently
– rules are established and tested for managing business equipment used by staff (e.g. laptops, handhelds, tablets, mobile phones, smartphones, call tokens, ...) that gives access to information that needs to be protected

38 2.5. Operations management
– segregation of duties between the governance/management and the operations/maintenance of the ICT infrastructure
– information security procedures, including incident management procedures, take segregation of duties into account
– internal rules are established and tested frequently for day-to-day operations (e.g. back-ups, network monitoring, equipment removal, archiving, ...)

39 2.5. Operations management
– each stage in the life cycle of an application, including acceptance scenarios, is established and tested frequently, also in terms of legal and regulatory compliance
– new applications or changes to existing applications are submitted to acceptance tests in a separate acceptance environment, distinct from the production environment, before being released into production, with special attention to the test data used
– the ITIL v3 and COBIT 5 frameworks are used as sources of inspiration for ICT operations management

40 2.5. Operations management
– preventive measures for securing information systems against viruses and other types of harmful software (malware)
– networks are managed following approved and defined procedures, especially when connected to external networks
– interchange agreements are written down and approved for the use of network services, especially for network services required for external collaboration

41 2.6. Personal data processing
– for each processing a controller is designated, i.e. a person who determines the purposes and means of the processing and who is responsible for the processing
– personal data are processed in conformance with the EU principles* on the protection of individuals with regard to the processing of personal data and on the free movement of such data
* Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995

42 2.6. Personal data processing
– the following principles are complied with
  – purpose limitation principle
  – proportionality principle
  – data quality principle
  – reasonable storage duration principle
– sensitive personal data, personal data relating to health, and judicial (legal) personal data are processed in conformance with the relevant special rules laid down by EU law*
* Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995

43 2.6. Personal data processing
– the controller of the processing
  – informs the person concerned when personal data are collected/recorded/reported
  – notifies the processing to the Commission for the Protection of Privacy
  – provides information to his staff members concerning data protection provisions
  – regularly checks that the information systems processing personal data conform to the notification made to the Commission for the Protection of Privacy
– procedures are established and tested frequently to deal with persons exercising their rights of access, reporting, correction, deletion, blocking or objection

44 2.7. Logical access security
– logical access management policy
  – roles and functions
  – authorizations on the basis of those roles and functions
  – authorization time limits
– authorizations are managed at the levels of
  – people
  – resources
  – applications

45 2.7. Logical access security
– identification and authentication methods (user ID, password, token, digital certificate, electronic signature, ...) are established for people, resources, applications and services
– buildings are properly partitioned, security access layers are implemented and access control measures to premises are implemented
– access control measures to physical ICT resources (computers, networks, ...) by users (people, resources or applications) are established and tested frequently

46 2.7. Logical access security
– particular attention to business equipment relating to people (e.g. laptops, handhelds, tablets, mobile phones, smartphones, call tokens, ...)
– access control measures, for internal and external users (people, resources or applications), to
  – (sections of) application code
  – (parts of) applications and (parts of) services
– ICT equipment is automatically timed out after a defined period of inactivity
– all access attempts are time-logged (hence the importance of clock synchronization across the systems whose logs must be correlated)

47 2.7. Logical access security

48 2.7. Logical access security: vault system
[Diagram, labels only: Vault core (vault data; authentication, authorisation, data quality, encryption, decryption); Vault connector (authentication, threshold decryption); Governance, Archiving, Management; Trusted 3rd party; keys 1 and 2]
– access for health care providers having a "health care relationship" with the patient, depending on their role
– no access for ICT administrators, the host provider, the eHealth-platform or the authorities without the active cooperation of the owner of the second key
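The slide names threshold decryption with a second key held by a trusted third party, but does not describe the scheme. As an added example that is not from the presentation and not the eHealth vault's actual construction, the Go code below uses Shamir's secret sharing over a prime field as a stand-in: a data key is split so that the vault's share alone is useless and only the vault together with the second key holder recovers it. The holder names, the 2-of-2 split and the choice of field prime are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// prime is the secp256k1 field modulus 2^256 - 2^32 - 977, used here only as a
// convenient 256-bit prime; any 32-byte key below it is a valid secret.
var prime, _ = new(big.Int).SetString(
	"fffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f", 16)

// Share is one point (X, Y) on the secret polynomial; X identifies the holder.
type Share struct {
	X int64
	Y *big.Int
}

// Split hides secret in n shares so that any k of them reconstruct it and
// fewer reveal nothing: the secret is f(0) of a random polynomial of degree k-1.
func Split(secret []byte, k, n int) ([]Share, error) {
	if k < 1 || k > n {
		return nil, errors.New("need 1 <= k <= n")
	}
	s := new(big.Int).SetBytes(secret)
	if s.Cmp(prime) >= 0 {
		return nil, errors.New("secret does not fit in the field")
	}
	coeffs := []*big.Int{s}
	for i := 1; i < k; i++ {
		c, err := rand.Int(rand.Reader, prime)
		if err != nil {
			return nil, err
		}
		coeffs = append(coeffs, c)
	}
	shares := make([]Share, n)
	for i := range shares {
		x := big.NewInt(int64(i + 1))
		y := big.NewInt(0)
		for j := len(coeffs) - 1; j >= 0; j-- { // Horner evaluation of f(x) mod p
			y.Mul(y, x)
			y.Add(y, coeffs[j])
			y.Mod(y, prime)
		}
		shares[i] = Share{X: int64(i + 1), Y: y}
	}
	return shares, nil
}

// Combine interpolates f(0) from the shares given (Lagrange, mod p) and returns
// it as a size-byte key. With fewer than k shares it returns a value unrelated
// to the secret rather than an error: one key holder alone learns nothing.
func Combine(shares []Share, size int) []byte {
	sum := big.NewInt(0)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		for j, sj := range shares {
			if i == j {
				continue
			}
			num.Mul(num, big.NewInt(-sj.X))
			den.Mul(den, big.NewInt(si.X-sj.X))
		}
		den.Mod(den, prime)
		term := new(big.Int).Mul(num, new(big.Int).ModInverse(den, prime))
		term.Mul(term, si.Y)
		sum.Add(sum, term)
		sum.Mod(sum, prime)
	}
	out := sum.Bytes()
	if len(out) >= size {
		return out
	}
	return append(make([]byte, size-len(out)), out...)
}

// demo splits a fresh data key 2-of-2 between the vault and the trusted third
// party (holder names assumed). It reports whether both shares recover the key
// and whether the vault's share alone does.
func demo() (bothRecover, vaultAloneRecovers bool, err error) {
	key := make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return
	}
	shares, err := Split(key, 2, 2)
	if err != nil {
		return
	}
	vault, thirdParty := shares[0], shares[1]
	bothRecover = string(Combine([]Share{vault, thirdParty}, 32)) == string(key)
	vaultAloneRecovers = string(Combine([]Share{vault}, 32)) == string(key)
	return
}

func main() {
	both, alone, err := demo()
	fmt.Println("both shares recover key:", both, "- vault alone recovers key:", alone, err)
}
```

The operational consequence matches the slide: an administrator or host provider who can read everything the vault stores still holds only one point on the polynomial, and decryption requires the second holder to take part in every operation.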

49 2.7. Logical access security: vault system
Data sharing
– each actor keeps his own file up to date
– however, he can decide to share parts of the file with other actors
– examples: medication schedule, SUMEHR, parameters, journal, ...
[Diagram, labels only: vault ecosystem (Vault) surrounded by actor ecosystems: general practitioner, home care, citizen, pharmacy, hospital, ...]

50 2.7. Logical access security: encryption
key registration
[Diagram, labels only: healthcare actor (person or entity) with identification certificate; eHealth-platform with identification certificate, web service "Register key" and public keys repository]
– the connector or other software of the actor generates a key pair
– the actor stores the private key in a secure way
– the actor sends the public key to the eHealth-platform over the Internet
– 3: the platform authenticates the sender
– 4: the platform stores the public key in the public keys repository

51 2.7. Logical access security: encryption
sending an encrypted message
[Diagram, labels only: message originator and message recipient, each with an identification certificate and a stored private key; eHealth-platform with public keys repository and web service "Ask public key"]
1: the originator asks the eHealth-platform for the recipient's public key
2: the platform authenticates the sender
3: the platform sends the public key
4: the originator encrypts the message and sends it to the recipient (any protocol)
5: the recipient decrypts the message with his stored private key

52 2.7. Logical access security: encryption
key management depot and messages depot
1: user 1 (originator) asks the key management depot for a key
2: the depot sends a symmetric key, encrypted with the public key of user 1
3: user 1 sends the message to the messages depot, encrypted with the symmetric key and then encrypted with the public key of the messages depot
4: user 2 (recipient) justifies his right to obtain the key (to the key management depot) and the message (to the messages depot)
5: user 2 receives the symmetric key encrypted with his public key, and the message encrypted with the symmetric key and then encrypted with the public key of user 2
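Slides 50 to 52 describe a public key repository, key registration, and messages protected with a symmetric key that is itself wrapped with a public key. The following Go code is an added example, not the eHealth-platform's own implementation: a repository of registered public keys, and an envelope in which a fresh AES-256-GCM key encrypts the message and RSA-OAEP wraps that key for the recipient. The depot brokering of slide 52 and the certificate-based authentication of the sender are left out; the identities and the message are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Repository stands in for the public keys repository of slides 50 and 51.
// Only public keys are stored; private keys never leave their owner.
type Repository struct{ keys map[string]*rsa.PublicKey }

// Register stores the public key of an already authenticated sender (slide 50, step 4).
func (r *Repository) Register(id string, pub *rsa.PublicKey) {
	if r.keys == nil {
		r.keys = map[string]*rsa.PublicKey{}
	}
	r.keys[id] = pub
}

// Lookup answers the "Ask public key" web service of slide 51.
func (r *Repository) Lookup(id string) (*rsa.PublicKey, error) {
	pub, ok := r.keys[id]
	if !ok {
		return nil, errors.New("no public key registered for " + id)
	}
	return pub, nil
}

// Envelope is what travels "over any protocol": the message under a fresh
// symmetric key, plus that key wrapped with the recipient's public key.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(recipient public key, symmetric key)
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM(symmetric key, plaintext), recipient id as associated data
}

// Seal is the originator side: fetch the recipient's public key, encrypt the
// message with a fresh symmetric key, wrap that key for the recipient.
func Seal(repo *Repository, recipient string, plaintext []byte) (*Envelope, error) {
	pub, err := repo.Lookup(recipient)
	if err != nil {
		return nil, err
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(recipient))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(recipient))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is the recipient side: unwrap the symmetric key with the stored private
// key, then decrypt. Anyone without that private key, the repository included, fails here.
func Open(priv *rsa.PrivateKey, recipient string, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, []byte(recipient))
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(recipient))
}

// demo runs one exchange between two constructed actors and returns the recovered plaintext.
func demo() (string, error) {
	repo := &Repository{}
	gpPriv, err := rsa.GenerateKey(rand.Reader, 2048) // generated locally, private key kept
	if err != nil {
		return "", err
	}
	repo.Register("gp-001", &gpPriv.PublicKey)
	pharmPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	repo.Register("pharmacy-042", &pharmPriv.PublicKey)
	env, err := Seal(repo, "pharmacy-042", []byte("medication schedule v3")) // constructed sample message
	if err != nil {
		return "", err
	}
	if _, err := Open(gpPriv, "pharmacy-042", env); err == nil {
		return "", errors.New("the originator's own key must not open the envelope")
	}
	pt, err := Open(pharmPriv, "pharmacy-042", env)
	return string(pt), err
}

func main() {
	pt, err := demo()
	fmt.Println(pt, err)
}
```

Binding the recipient identifier into both the OAEP label and the GCM associated data means an envelope re-addressed to another registered actor fails to open, which is the check a relay such as the messages depot of slide 52 cannot perform on the originator's behalf.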

53 2.8. Information system acquisition, development and maintenance
– information security directives to be complied with during development or maintenance of applications and services
– secured development environment (remember how to securely handle development test data)
– rules to design/build information security directly into applications and services (mainly externally accessible applications and services)
– procedures concerning technical and functional tests are established and tested in an acceptance environment, distinct from the production environment, with clear go/no-go criteria

54 2.8. Information system acquisition, development and maintenance
methods and procedures to establish and apply for
– analyzing the impact on information security of amendments to operating systems and applications
– analyzing the impact on information security of changes to the standard software used
– proper destruction of information when further processing is no longer authorized

55 2.9. Business continuity management
– back-up and restore procedures for information and applications
– the source code and the (development, test, installation, configuration) documentation of the latest version of all relevant applications are kept at a secure site, distinct from the production location
– parts of information systems, certainly those supporting vital and critical business processes, are split up geographically across sites with a different risk profile
– in eHealth: next-release environment

56 2.9. Business continuity management
a business continuity plan is established and available at each institution
– indicating vital and critical components and processes
– with an inventory of the necessary infrastructure and skills for each component and process
– with a description of actions, responsibilities and procedures in the event of an (internal or external) emergency (+ the order of return to normal operation)
– with a description of test scenarios for the business continuity plan with the relevant third parties affected

57 2.9. Business continuity management
– the business continuity plan is tested annually with the relevant third parties affected, with a report of the results, aimed at permanent improvement
– information systems are insured against physical risks such as fire, flooding or earthquake, but also against theft

58 2.10. Compliance
– permanent internal controls performed by the information security officer and/or the internal auditor
– regular external controls performed by an external auditor, mandated by the executive management of the institution, by the Commission for the Protection of Privacy or by the competent Sectoral Committee
– the internal control methods and the information systems and logs are easily accessible to the people carrying out internal or external assurance functions

59 2.10. Compliance
– monitoring systems that raise potential risks linked to infringements of laws, policies, directives, architecture, standards and procedures, and to any undesirable use of ICT facilities, are easily accessible to the information security officer
– the controller of the processing regularly checks the security measures currently embedded in contracts with third parties
– the COBIT 5 framework is used as a source of inspiration for information security audits

60 2.11. Communication to the public
– reporting information security information to the Parliament, the press and integrators' websites
– special attention to advice on information security and protection of privacy, by publishing the results of the risk analysis
– a communication strategy is established in order to provide information on security incidents and on the measures taken to prevent immediate further damage and similar damage in the future

61 3. Legal measures
obligations of the controller of the processing
– criteria for making data processing legitimate
– respect of basic privacy protection principles, such as the purpose limitation principle and the proportionality principle
– specific rules for the processing of sensitive data
– information to be given to the data subject
– confidentiality, integrity and availability of the processing
– notification of personal data processing

62 3. Legal measures
rights of the data subject
– right to information
– right of access
– right to rectify, erase or block his/her data
– right to a judicial remedy
sanctions and penalties

63 Frank Robben
General manager - Crossroads Bank for Social Security - https://www.ehealth.fgov.be
Thank you! Any questions?

