HL7 Security Working Group John Moehrke

Slides:

Advertisements

Similar presentations

Georgia Department of Community Health

Advertisements

Institute for Cyber Security

5-1 Chapter 5 Fundamental Documentation © 2012 The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill.

1 Copyright © 2010, Elsevier Inc. All rights Reserved Fig 2.1 Chapter 2.

September, 2005What IHE Delivers 1 Key Image Notes Evidence Documents Simple Image & Numeric Report Access to Radiology Information IHE Vendors Workshop.

What IHE Delivers Basic Patient Privacy Consents HIT-Standards – Privacy & Security Workgroup John Moehrke GE Healthcare.

NISTs Role in Securing Health Information AMA-IEEE Medical Technology Conference on Individualized Healthcare Kevin Stine, Information Security Specialist.

Cerner Presentation to S&I esMD Workgroup – Industry Scan

© 2010 Health Level Seven ® International. All Rights Reserved. HL7 and Health Level Seven are registered trademarks of Health Level Seven International.

Click to edit Master title style HEALTH INFORMATION 1 Identity & Access Management Presenter: Mike Davis (760) January 09, 2007.

MyProxy Jim Basney Senior Research Scientist NCSA

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

Single Sign-on Integration (SSI)

The Open Health Data API Rik Smithies –

Server Access The REST of the Story David Cleary

1 Copyright © 2013, Oracle and/or its affiliates. All rights reserved.

1 The phone in the cloud Utilizing resources hosted anywhere Claes Nilsson.

Care Services Discovery

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

© 2012 SecureAuth. All rights reserved. 2-Factor Authentication and Single Sign-On in a Mobile World Thursday, December 5,

ONE® Mail Training Presentation North York General Hospital North York General Hospital.

Copyright © AIIM | All rights reserved. #AIIM The Global Community of Information Professionals aiim.org Information Management and Social Media Jesse.

User-Managed Access UMA Work tinyurl.com/umawg | tinyurl.com/umafaq IIW 16, May

2  Industry trends and challenges  Windows Server 2012: Modern workstyle, enabled  Access from virtually anywhere, any device  Full Windows experience.

© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Fundamentals of Information Systems Security.

© 2013 Health Level Seven ® International. All Rights Reserved. HL7 and Health Level Seven are registered trademarks of Health Level Seven International.

© 2014 Health Level Seven ® International. All Rights Reserved. HL7 and Health Level Seven are registered trademarks of Health Level Seven International.

Addition 1’s to 20.

Christopher Carr Director of Informatics, RSNA

‘Changing environment – changing security’ - Cyber-threat challenges today – Budapest, September 17-18, Industry and the fight against cybercrime.

Oracle User Productivity Kit Professional Ensuring Success with Oracle Apps

Secure RESTful Interface Profile Phase 1 Briefing

More Than You Think HL7 is people, HL7 is ideas, HL7 is collaboration.

Finalize RESTful Application Programming Interface (API) Security Recommendations Transport & Security Standards Workgroup January 28, 2014.

THE DICOM 2014 Chengdu Workshop August 25, 2014 Chengdu, China Keeping It Safe Brad Genereaux, Agfa HealthCare Product Manager Industry Co-Chair, DICOM.

Cloud app Cloud app Cloud app Separate username/password sign-in Manual or semi-automated provisioning Active Directory App Separate username/password.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Information Security Technological Security Implementation and Privacy Protection.

UMA Could I Manage My Own Data. Please?. Agenda Business Trends & Technical Solutions Distributed Business (Decentralisation) Mobility & Automation Delegation.

1 © Health Level Seven International ®, Inc. All Rights Reserved. HL7 International and Health Level Seven International are registered trademarks.

Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.

Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.

ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:

April 14, A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.

February 8, 2005IHE Europe Educational Event 1 Integrating the Healthcare Enterprise Basic Security Robert Horn Agfa Healthcare.

Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 6 The Privacy and Security of Electronic Health Information.

Identity Management: A Technical Perspective Richard Cissée DAI-Labor; Technische Universität Berlin

Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.

Data Security Assessment and Prevention AD660 – Databases, Security, and Web Technologies Marcus Goncalves Spring 2013.

SOA-39: Securing Your SOA Francois Martel Principal Solution Engineer Mitigating Security Risks of a De-coupled Infrastructure.

Working with HIT Systems

SSO Case Study Suchin Rengan Principal Technical Architect Salesforce.com.

Cyber Insecurity Under Attack Cyber Security Past, present and future Patricia Titus Chief Information Security Officer Unisys Corporation.

Access Management 2.0: UMA for the #UMAam20 for questions 20 March 2014 tinyurl.com/umawg for slides, recording, and more 1.

Web Services Security Patterns Alex Mackman CM Group Ltd

Discussion - HITSC / HITPC Joint Meeting Transport & Security Standards Workgroup October 22, 2014.

XACML Showcase RSA Conference What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation logic n.

Integrating the Healthcare Enterprise Improving Clinical Care: Enterprise User Authentication For IT Infrastructure Robert Horn Agfa Healthcare.

Basic Security Cor Loef Philips Medical Systems Co-Chair IHE Radiology Technical Committee.

Secure Mobile Development with NetIQ Access Manager

Agenda  Microsoft Directory Synchronization Tool  Active Directory Federation Server  ADFS Proxy  Hybrid Features – LAB.

HHS Security and Improvement Recommendations Insert Name CSIA 412 Final Project Final Project.

SaaS Application Deep Dive

Power BI Security Best Practices

Azure AD Line Of Business Application Integration

County HIPAA Review All Rights Reserved 2002.

Office 365 Identity Management

IT Management Services Infrastructure Services

Microsoft Virtual Academy

Presentation transcript:

HL7 Security Working Group John Moehrke Security - mHealth and FHIR: mobile health applications and other Internet uses Security in HL7 Standards HL7 Security Working Group John Moehrke

Agenda Basic mHealth security Communications security User Authentication Authorization Relationship to Privacy Consent Audit Logging and reporting 3/27/2017

Overall view of mobile device security Functional, Operational, Physical, Procedural, Network, User, etc.. NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations NIST 800-124 - Guidelines on Cell Phone and PDA Security 3/27/2017

NIST 800-53 Control Families 18 Families related to Security Access Control Media Protection Awareness and Training Physical and Environmental Protection Audit and Accountability Planning Security Assessment and Authorization Personnel Security Configuration Management Risk Assessment Contingency Planning System and Services Acquisition Identification and Authentication System and Communications Protection Incident Response System and Information Integrity Maintenance Program Management 8 Families related to Privacy Authority and Purpose Individual Participation and Redress Accountability, Audit, and Risk Management Security Data Quality and Integrity Transparency Data Minimization and Retention Use Limitation

Risk – Scalable Security Risk Assessment is a general and natural process Risk Assessment is applicable to many levels of design and deployment Standards development – Security Cookbook Software design – Medical Device ISO 14971 Network design Deploying systems onto network – IEC 80001 Organizational – beyond network scope – ISO 27001 Nationwide Exchanges – IHE Affinity Deployment 3/27/2017

Risk Scenario In this scenario: The vulnerability is the hole in the roof The threat is the rain cloud Rain could exploit the vulnerability As mentioned before, risk level is measured in terms of a combination of the likelihood of occurrence (probability) and degree of impact (positive or negative) of an anticipated event. Going back to the “hole in the roof” scenario, the risk is that weather (the threat) could cause damage to components inside the building as well as the building itself. As long as the weather report shows that there is little chance of precipitation, our risk level is low. However, this risk increases as the likelihood of precipitation increases. Since we cannot control the threat of precipitation, we mitigate our risk by changing the vulnerability; we fix the hole in the roof. The cost of fixing the vulnerability is much less, in this case, than the damage rain or snow would cause. The risk is that the building and equipment in the building could be damaged as long as the vulnerability exists and there is a likely chance that rain will fall. 3/27/2017

Risk Management (ISO13335) 3/27/2017

Risks – Resource protection Wrong people get access Right people get denied proper access Right people see too much (consent) Unauthorized Create/Update/Delete allowed Right people get wrong data Perception that wrong people got access Wrong people get access Snooping on network Non-encrypted storage of data No access controls Bad RBAC Right people get denied proper access DDOS on service prevented good access Not PurposeOfUse Right People see too much (consent) Consent not functioning right Patient getting data before release Provider getting access to unfinished/unsigned report Unauthorized CUD Corruption of data through overrights Incomplete access controls Right people get wrong data Server not authenticated, so got a malicious service Client not authenticated, so got malicious object created Communications not integrity protected, so malicious man-in-the-middle Perception that wrong people got access Need audit logs 3/27/2017

NIST 800-53 Control Families 18 Families related to Security Access Control Media Protection Awareness and Training Physical and Environmental Protection Audit and Accountability Planning Security Assessment and Authorization Personnel Security Configuration Management Risk Assessment Contingency Planning System and Services Acquisition Identification and Authentication System and Communications Protection Incident Response System and Information Integrity Maintenance Program Management 8 Families related to Privacy Authority and Purpose Individual Participation and Redress Accountability, Audit, and Risk Management Security Data Quality and Integrity Transparency Data Minimization and Retention Use Limitation

mHealth = Security layers TCP/IP + DNS IHE IUA (2013) IHE MHD HL7 FHIR HL7/OMG hData DICOM WADO Continua … RESTful Resources Secure RESTful HTTP Transport Internet

Basic HTTP security Using HTTPS – Server side TLS/SSL No impact on resource content and encoding Authenticates server Encrypts and Integrity protects communication Does Not authenticate client Use Client Authentication  Hard to manage Does not authenticate user (see next slide) 3/27/2017

User Authentication Using HTTP Authentication Basic – username/password  Not scalable Form – username/password  Not plugable tech Kerberos  Doesn’t work well outside organization SAML – SSO profile  okay if enterprise focused oAuth  best if internet focused 3/27/2017

Healthcare - Access Control Healthcare needs are more complex But leverage concepts: RBAC, Policy, Tags, Enforce Privacy Consents special consent rules, episodic, expired, revoked Data not simply classifiable into Role Leverage clinical types but need Security Tags Policies point at data characteristics Sensitive Health Topics, Care-Team Break-Glass – safety medical judgement Residual Rules  Obligations 3/27/2017

HL7 PASS – Access control 3/27/2017

Access Control Engine Context Break-Glass PurposeOfUse Workflow Policies FHIR API User Role Authz Facility Patient Consent Care-team Deligates Resource Sec Tags Class Dates 3/27/2017

mHealth Access Control Deployment Models Human uses Application uses FHIR-API intermediated by Access Controls using FHIR-API 3/27/2017

Internet User Authorization (IUA) Sub-Authorizations user would otherwise have Use-Case: Simple browser app, mobile application, embedded device, and third party service Enables separation of concerns: User Identity, User Authentication, User Delegation of their Rights… Authenticable claims: user identity, user authentication mechanism, roles asserted, purpose of use asserted, policy pointers, .. oAuth 2.0: JWT/SAML token - Can be proxied to SAML Authorization is from user perspective and may not be same as resource perspective authorization Profile built from mobile application use-cases, but the same security needs as the SAML profile Used by: IHE, HL7, DICOM, Continua, others? Based on: RHeX, OpenID-Connect, NSTIC Supported by big internet providers: google, facebook, linkedin, salesforce.com Enables pluggable user authentication systems while isolating the service and application from variance 3/27/2017

Resource – Security Tags Developing story – stay tuned Leveraging existing work Security/Privacy DAM DS4P – Metadata use IHE XD* metadata model Vocabulary (HL7, OASIS, ISO, etc) Access Control engine – Uses FHIR API too FHIR resources have Provenance FHIR resources have Security Tags 3/27/2017

User Management Best Practice: Use federated identity Leverage security layer, abstract healthcare specifics from user management Internet or Corporate – oAuth or SAML FHIR Servers need to be careful which Identity Providers they trust, and for what reason Might be added to FHIR – for those that really want it, it should be there in a consistently usable way 3/27/2017

The Role of the HL7 Security WG HL7 Security Risk Assessment Process Provides training on the HL7 Risk Assessment process Gives direct assistance to WGs during the risk assessment process Liason to mHealth Liason to FHIR 3/27/2017

Conclusion Building off of advancements in general Internet Security Standards (HTTPS, oAuth, SAML, Dir) pluggable authentication Building off of healthcare standards Layering Security in a way that is usable for many Healthcare projects (Continua, DICOM, IHE, HL7) Embedding Security Tags into FHIR Resources FHIR – Security Audit Log Resource 3/27/2017

Resources HL7 * Security http://wiki.hl7.org/index.php?title=Security * mHealth http://wiki.hl7.org/index.php?title=Mobile_Health * FHIR Wiki http://wiki.hl7.org/index.php?title=FHIR IHE * web http://www.ihe.net/ * IHE Wiki http://wiki.ihe.net/ DICOM http://medical.nema.org/standard.html My blog http://healthcaresecprivacy.blogspot.com/ 3/27/2017