March 15, 2002 HIPAA Summit West II San Francisco, California Computer Sciences Corporation Healthcare Group 1325 Avenue of the Americas, 6th floor New.

Slides:



Advertisements
Similar presentations
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
Advertisements

Digital Certificate Installation & User Guide For Class-2 Certificates.
Installation & User Guide
Microsoft ® Office 2007 Training Security II: Turn off the Message Bar and run code safely P J Human Resources Pte Ltd presents:
Upgrading the Oracle Applications: Going Beyond the Technical Upgrade Atlanta OAUG March 19, 1999 Robert Cooney.
Digital Certificate Installation & User Guide For Class-2 Certificates.
Digital Certificate Installation & User Guide For Class-2 Certificates.
Electronic Submission of Medical Documentation (esMD) Face to Face Informational Session esMD Requirements, Priorities and Potential Workgroups – 2:00pm.
Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
Bringing HIPAA to Hospital Systems HIPAA impact on hospital systems viaMD solution for HIPAA compliance W e b e n a b l i n g Pa t i e n t A d m i t t.
SLIDE 1 Westbrook Technologies from Fortis: A Healthcare Solution for Medical Records, Billing and HIPAA.
Are you ready for HIPPO??? Welcome to HIPAA
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
August 2004 Providing Industry-wide Security and Identity Management Solutions.
Security Controls – What Works
Public Key Infrastructure at the University of Pittsburgh Robert F. Pack, Vice Provost Academic Planning and Resources Management March 27, 2000 CNI Spring.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.
Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
Identity Management and PKI Credentialing at UTHSC-H Bill Weems Academic Technology University of Texas Health Science Center at Houston.
Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.
A centralized system.  Active Directory is Microsoft's trademarked directory service, an integral part of the Windows architecture. Like other directory.
Acquiring Information Systems and Applications
Microsoft ® Application Virtualization 4.6 Infrastructure Planning and Design Published: September 2008 Updated: February 2010.
Electronic Submission of Medical Documentation (esMD) Face to Face Informational Session Charter Discussion – 9:30am – 10:00am October 18, 2011.
1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)
Best Practices in Deploying a PKI Solution BIEN Nguyen Thanh Product Consultant – M.Tech Vietnam
Building E-Commerce Applications and Infrastructure.
© by Seclarity Inc. 2005, Slide: 1 Seclarity, Inc Lightfall Court Columbia, MD A Blumberg Capital, Valley Ventures and Intel Capital Funded.
Dao Dinh Kha National Centre of Digital Signature Authentication - Agency of Information Technology Application A vision on a national Electronic Authentication.
Masud Hasan Secue VS Hushmail Project 2.
Moving into Design SYSTEMS ANALYSIS AND DESIGN, 6 TH EDITION DENNIS, WIXOM, AND ROTH © 2015 JOHN WILEY & SONS. ALL RIGHTS RESERVED. 1 Roberta M. Roth.
What is Enterprise Architecture?
Version 4.0. Objectives Describe how networks impact our daily lives. Describe the role of data networking in the human network. Identify the key components.
PwC Internal Control Reports: Facts, Myths and Best Practices FIRMA National Risk Management Training Conference – San Francisco, CA Wednesday March 31,
Microsoft Active Directory(AD) A presentation by Robert, Jasmine, Val and Scott IMT546 December 11, 2004.
Chapter 13: Developing and Implementing Effective Accounting Information Systems
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Proposed Rule: Security and Electronic Signature Standards.
Module 8 Configuring Mobile Computing and Remote Access in Windows® 7.
Chapter 6 of the Executive Guide manual Technology.
Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 6 The Privacy and Security of Electronic Health Information.
Maintaining Network Health. Active Directory Certificate Services Public Key Infrastructure (PKI) Provides assurance that you are communicating with the.
1 Chapter Nine Conducting the IT Audit Lecture Outline Audit Standards IT Audit Life Cycle Four Main Types of IT Audits Using COBIT to Perform an Audit.
Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.
6/1/2001 Supplementing Aleph Reports Using The Crystal Reports Web Component Server Presented by Bob Gerrity Head.
Cis339 Chapter 2 The Origins of Software 2.1 Modern Systems Analysis and Design Fifth Edition.
HIPAA Security Final Rule Overview
Copyright © 2015 by Saunders, an imprint of Elsevier Inc. All rights reserved. Chapter 3 Privacy, Confidentiality, and Security.
Organizing a Privacy Program: Administrative Infrastructure and Reporting Relationships Presented by: Samuel P. Jenkins, Director Defense Privacy Office.
HIPAA Security Final Rule Overview for HIPAA Summit West June 5, 2003Karen Trudel.
HIPAA Compliance Case Study: Establishing and Implementing a Program to Audit HIPAA Compliance Drew Hunt Network Security Analyst Valley Medical Center.
The Health Insurance Portability and Accountability Act of 1996 “HIPAA” Public Law
Could your company’s team reach the Champions League final?
Password Management Market Analysis, Market Size, Analysis 2014 To 2020 Grand View Research has announced the addition of " Global Password Management.
The Fallacy Behind “There’s Nothing to Hide” Why End-to-End Encryption Is a Must in Today’s World.
RSA Professional Services RSA SecurID Solution Design and Implementation (D&I) Services.
Understanding The Cloud
BANKING INFORMATION SYSTEMS
MCSA VCE
Hyper-V Cloud Proof of Concept Kickoff Meeting <Customer Name>
IS4550 Security Policies and Implementation
HIPAA Security Standards Final Rule
HIPAA Compliance Services CTG HealthCare Solutions, Inc.
HIPAA Compliance Services CTG HealthCare Solutions, Inc.
Chapter 13 Building Systems.
Introduction to the PACS Security
Enterprise Resource Planning Systems
Presentation transcript:

March 15, 2002 HIPAA Summit West II San Francisco, California Computer Sciences Corporation Healthcare Group 1325 Avenue of the Americas, 6th floor New York, New York Phone: Fax: Implementing HIPAA Security – A Real Life Experience

I.The Setup II.The Players (Anonymized!) III.Security Tasks IV.Mission Creep V.Conclusion Agenda

The Setup

5/6/2015 5:21:02 AM©2002 Computer Sciences Corporation The Client – a Health Care Clearinghouse CSC Enters the Arena Small, but backed by major payers In need of System Integration Core Payer Security Requirements: HIPAA Compliant Public Key Infrastructure Our initial security tasking was limited to the PKI

The Players

5/6/2015 5:21:02 AM©2002 Computer Sciences Corporation “Low-Density” Slide Layout Computer Sciences Corporation, one of the world's leading information technology services providers, helps organizations achieve business results through the adroit use of technology. CSC is currently a 10.5 billion dollar, 68,000 person company. No other company offers the same range of professional services and global reach as CSC does in areas such as security, e-business strategies and technologies, management consulting, information systems consulting and integration, application software, and IT and business process outsourcing. Computer Sciences Corporation

5/6/2015 5:21:02 AM©2002 Computer Sciences Corporation “Low-Density” Slide LayoutPayers Several of the largest insurance companies in the United States backed the clearinghouse They have a vested interest in ensuring the success AND security of the arrangement As industry powerhouses, they are used to calling the shots – the 800 lb. gorillas defer to them

5/6/2015 5:21:02 AM©2002 Computer Sciences Corporation “Low-Density” Slide LayoutThe Clearinghouse Initially consisted of a few executives and a CSC-led team of technical/business personnel Starting from scratch – the Clearinghouse had a custom designed application to receive claims status, eligibility requests from providers; reformat and send request to payer; send answer back to provider in real time Marching orders in security based on a previous consultant’s recommendations.

Security Tasks

5/6/2015 5:21:02 AM©2002 Computer Sciences Corporation There are several vendors of PKI packages. We wanted a package that was –Turn-key – given the time frame, we needed plug-n-play –Cost effective – as always –Scalable – the pilot was to be limited, production to be large –Disposable – if the pilot didn’t work, we wanted the loss to be bearable We settled on VeriSign OnSite because –It met all the factors above, especially Turn-key Selecting the Vendor Building a Pilot PKI

5/6/2015 5:21:02 AM©2002 Computer Sciences Corporation Factors VeriSign OnSite Feature Pilot NeedsOnSite # of users Minimum of 500 CostCost control desired$45,000 HIPAA CompliantNot required for pilot. However, HIPAA compliance required for production roll-out Yes – root certificate formally documented User AuthenticationProviders authenticated prior to pilot in selection phase Choice of automatic, manual, or outsourced to VeriSign Reusability in production phaseDependant on costYes Users may keep the same certificate after the pilot Desirable, but not requiredYes – the root CA would remain the same Prevent users from exporting certificates to other machines No requirement definedYes Single logonNo requirement definedYes (with integration) Roaming capabilityNo requirement definedYes ScalabilityNoneYes

5/6/2015 5:21:02 AM©2002 Computer Sciences Corporation Installation went smoothly We opted to use manual authentication for the pilot – Automatic authentication required a pre-existing database of authorized users; not available at this stage of the game Time to install certificates on user desktops –Our first snag! We made the selection, let’s get it done VeriSign OnSite Installation

5/6/2015 5:21:02 AM©2002 Computer Sciences Corporation On a practical level, most users were nurses and office workers Most were not computer savvy We sent people to individual provider offices to help them register for certificates – A significant percentage still had problems Result – lots of time on the phone for the PKI Admin Users = Providers The Users

5/6/2015 5:21:02 AM©2002 Computer Sciences Corporation We did not plan on using the certificates for Role-based Access Control –This was built into the custom application The sole use (for the pilot) was authentication –This was for simplicity –If the authentication features were functioning, so would add on features (encryption, digital signatures, etc.) There were plans for additional capabilities in the future Our Main Interest was a Functioning PKI Certificate Criteria

5/6/2015 5:21:02 AM©2002 Computer Sciences Corporation The full version of Onsite with all the bells and whistles includes a plug- in called GoSecure While considered an “option”, it really isn’t It replaces the crypto modules in Internet Explorer A problem may arise: The First Usability Problem OnSite’s Manual Administration Mode

5/6/2015 5:21:02 AM©2002 Computer Sciences Corporation An undocumented “feature” found in Windows 9x and Windows NT is that the password popup window will show and require a password each time the key is accessed within a single session – potentially dozens of times, each session Oy Choose High Security, Choose Major Irritation

5/6/2015 5:21:02 AM©2002 Computer Sciences Corporation Microsoft explained that this was a design feature of Win9x and NT, and that it had been fixed in WinMe and 2K –This behavior you describe is actually by design. When the feature to password encrypt the certificate locally was implemented, it was done so that each request would require the password to be retyped. In Windows 2000 the implementation was changed. The reason it is saved in Windows 2000 is because subsequent calls (calls after the first request for the cert password) to CryptSignHash use a cached private key in Windows 2000 and does not in the down-level clients.Your only options are to disable the "strong private key encryption" or upgrade the clients to Windows 2000 Another solution would have been to ditch IE and use Netscape, which did not suffer from this “feature” Neither was practical It’s a Feature, Not a Bug And We Fixed It!

5/6/2015 5:21:02 AM©2002 Computer Sciences Corporation Multiple password entries are clearly not convenient The PKI did work for authentication –It was just a pain in the stethoscope –We had demonstrated the concept –We knew the cure Declare Victory and Depart We shut down the pilot And the Complaints Rolled In…… The clearinghouse depended on convenience to sell the product

5/6/2015 5:21:02 AM©2002 Computer Sciences Corporation Planned the procedures and LDAP needed for automated authentication Developed policies to cover authentication requirements Other security issues came to the forefront –Negotiations with those payers In general, the payers advocated the platinum security solution, while the clearinghouse favored the economy family-size solution This did not contribute to harmonious talks Time to Plan for the Future We Worked to Make the Production Rollout an Unqualified Success

5/6/2015 5:21:02 AM©2002 Computer Sciences Corporation We were crunching numbers using estimates supplied to us by VeriSign, others… The costs were looking staggering… Meanwhile…… Let’s Look at Longer Term PKI Dollars

5/6/2015 5:21:02 AM©2002 Computer Sciences Corporation Meanwhile…… Various Options versus Costs

5/6/2015 5:21:02 AM©2002 Computer Sciences Corporation Final PKI Decision

5/6/2015 5:21:02 AM©2002 Computer Sciences Corporation AdministrativePhysical Technical Security Services Technical Security Mechanisms Policies and Procedures Locks, Storage, Physical Access Control Auditing, Access Control, Authorization, Authentication Network Security HIPAA is Much More Than PKI In Fact, HIPAA Doesn’t Require a PKI

5/6/2015 5:21:02 AM©2002 Computer Sciences Corporation Administrative Policies and Procedures Those Discussions With the Payers Were Still Ongoing The Clearinghouse used Payer patient data Privacy Use, Disclosure, Chain of Trust No one at the Clearinghouse ever accessed the patient data Nonetheless, the data was flowing from the Payer to the Clearinghouse and the Payers needed assurance that the data was secure Therefore, a Chain of Trust Agreement had to be negotiated between all parties Closest analogy: “Herding Cats”

Mission Creep

5/6/2015 5:21:02 AM©2002 Computer Sciences Corporation There’s more to HIPAA than just the issues addressed by a PKI One of the 4 security areas – Administrative Measures – is commonly neglected and usually not sufficient for HIPAA even in conscientious organizations Policies and Procedures must be defined in substantial detail AND enforced We became policy writers as well as technology integrators Remember Our Mission Build a PKI – but there’s more than that in HIPAA

5/6/2015 5:21:02 AM©2002 Computer Sciences Corporation These are not necessarily exhaustive – more policies might be needed for some organizations Step 1: What policies already exist at the Clearinghouse? –Answer – not many Step 2: What policies will we write? –A full policy writing effort for an organization of this size and complexity would probably take around 3 months of full time effort –Well beyond the scope of work Writing Policies HIPAA Security Rules define 12 areas that must be covered

5/6/2015 5:21:02 AM©2002 Computer Sciences Corporation HIPAA requirement for alarms, audit capability on the network This capacity did not exist –Interim answer – Snort Capable, open source IDS Installed at the hosting center Also wrote Incident Response policy/procedure based on public documents and Clearinghouse needs As Production neared, we developed an IDS architecture using a commercial system Intrusion Detection Technical Security Mechanisms

5/6/2015 5:21:02 AM©2002 Computer Sciences Corporation How secure is the other company? Go out and look at it How do we integrate their infrastructure with ours? How do we achieve Single Sign-On? Acquisition The Clearinghouse gained capabilities by acquiring another company

Conclusion

5/6/2015 5:21:02 AM©2002 Computer Sciences Corporation PKI is most appropriate when your users are already well known to you The cost of authenticating users can be huge The cost of certificates can also reach the stratosphere All four HIPAA security areas must be addressed in parallel Getting multiple parties to agree to a single security policy is a long process; multiply that by the number of policies to be written The deeper you look into some of the requirements (especially auditing access), the more daunting they can seem Lessons Learned HIPAA Security is a multi-headed beast

5/6/2015 5:21:02 AM©2002 Computer Sciences Corporation We built a secure authentication infrastructure We wrote a number of important policies We built an interim Intrusion Detection System We helped to integrate two companies’ infrastructure Conclusion Ultimately our security effort was successful

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.