
HIPAA and how it affects Information Technology in a clinical environment


Presentation Transcript


  1. HIPAA and how it affects Information Technology in a clinical environment Keith Layne - Infuturo

  2. HIPAA - Security Requirements • Protect health records from unauthorized use or disclosure. • Implement security solutions for data exchange. • Ensure compliance with HIPAA regulations for network devices.

  3. Recent Surveys & Studies • 75 percent of responding companies said they have been victimized by computer-related crime. • 59 percent of these companies placed a dollar figure on their losses - which averaged more than $400,000. • Damage from electronic attacks will exceed $10 billion in 2001 • 61% of the companies said that they had experienced an internal attack.

  4. Challenges for the CEO (diagram: the CEO surrounded by the Board, Accreditors, Insurers, Regulators, Auditors, Security Partners, Network Ops and Business Ops, with Audit, Security Policy, Business Impact and Duty of Care as the pressures acting on them)

  5. Strategic risk: A Boardroom topic (diagram: a Security Breach! leads to Loss of Client Confidence, Indirect Costs, Officer Liability and Regulatory Action)

  6. Why you can't ever be 100% secure (diagram: Risk, Cost and Performance as the three corners of a trade-off triangle)

  7. Managing clinical security risks (diagram: for each Asset, Threats and Vulnerabilities combine into Risk; the Baseline Risk becomes the Residual Risk after Countermeasures are Applied)

  8. Challenges for clinical managers • To what degree is the security policy of the network putting my business operations at risk? • Which of my operations are at high risk for attack and which are at a lower risk? • What are the potential costs associated with a network attack or failure? • What is the likelihood that such an attack or failure will actually occur? • How much should I spend to lower risk levels? • Which group of safeguards or countermeasures are most cost-effective?

  9. Challenges for network managers • What is the right trade-off between security and network performance? • What is the right trade-off between security and cost? • For each network segment, what are the right security practices? • How do I embed these practices into day-to-day operations? • And how do I manage this in a dynamic environment -- what if I need to change the posture?

  10. Risk management is the goal: where's the sweet spot? (diagram: the same Risk / Cost / Performance triangle as slide 6)
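Worked example, added here and not part of the slides: it puts numbers behind slides 7 to 10. The annualised-loss model below scores each candidate countermeasure by the expected loss it removes minus what it costs per year, then keeps adding the best remaining safeguard until the next one no longer pays for itself, which is one concrete reading of the "sweet spot". The asset value, incident rate, costs and the effect assumed for each safeguard are constructed figures, and the safeguard names are hypothetical.

```python
"""Ranking safeguards by expected loss removed per dollar spent.

Added example, not from the slides.  It uses the standard annualised-loss
model
    SLE = asset value x exposure factor,   ALE = SLE x ARO
where ARO is the expected number of incidents per year.  Residual risk is
the ALE recomputed with the reduced ARO and/or exposure a safeguard is
assumed to give.  Every figure below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float   # replacement plus business-impact cost, dollars
    exposure: float      # fraction of the value lost per incident (0..1)
    aro: float           # expected incidents per year

    def ale(self) -> float:
        """Annualised loss expectancy for this asset."""
        return self.asset_value * self.exposure * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    aro_factor: float = 1.0        # multiplies ARO (0.5 = halves the incident rate)
    exposure_factor: float = 1.0   # multiplies exposure (0.4 = 60% less lost per incident)

    def apply(self, r: Risk) -> Risk:
        """Residual risk after this safeguard is in place."""
        return Risk(r.asset, r.asset_value,
                    min(1.0, r.exposure * self.exposure_factor),
                    r.aro * self.aro_factor)


def net_benefit(risk: Risk, cm: Countermeasure) -> float:
    """ALE removed by the safeguard minus what the safeguard costs per year."""
    return risk.ale() - cm.apply(risk).ale() - cm.annual_cost


def rank(risk, countermeasures):
    """Score each safeguard on its own against the baseline risk."""
    scored = [(cm.name, round(net_benefit(risk, cm), 2)) for cm in countermeasures]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def select(risk, countermeasures):
    """Greedy 'sweet spot': keep adding the best remaining safeguard while it
    still removes more expected loss than it costs, measured against the risk
    that remains after the safeguards already chosen."""
    chosen, remaining, current = [], list(countermeasures), risk
    while remaining:
        best = max(remaining, key=lambda cm: net_benefit(current, cm))
        if net_benefit(current, best) <= 0:
            break
        chosen.append(best)
        remaining.remove(best)
        current = best.apply(current)
    return chosen, current


# Constructed figures for a hypothetical clinic EHR server.
EHR_SERVER = Risk("EHR server", asset_value=2_000_000, exposure=0.25, aro=0.5)
CANDIDATES = [
    Countermeasure("Patch management", 40_000, aro_factor=0.5),
    Countermeasure("Offline backups with tested restore", 30_000, exposure_factor=0.4),
    Countermeasure("User awareness training", 10_000, aro_factor=0.7),
    Countermeasure("Security appliance", 180_000, aro_factor=0.4),
]

if __name__ == "__main__":
    print(f"baseline ALE: ${EHR_SERVER.ale():,.0f}")
    for name, benefit in rank(EHR_SERVER, CANDIDATES):
        print(f"{benefit:>12,.0f}  {name}")
    chosen, residual = select(EHR_SERVER, CANDIDATES)
    print("chosen:", [cm.name for cm in chosen], f"residual ALE ${residual.ale():,.0f}")
```

With these figures the baseline ALE is $250,000; backups remove the most loss per dollar, training is still worth adding afterwards, and patching drops below break-even once those two are in place because the remaining loss is smaller. The point of the greedy pass is that a safeguard's value depends on what is already deployed, which is why ranking safeguards in isolation (slide 8's "most cost-effective") is only the first step.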

  11. THE SECURITY LIFECYCLE: the foundation for risk management. Assess • What systems & assets are on the network? • What are the critical vulnerabilities? • What business operations are at risk? Plan • Organizational security policies • Technical security designs • Incident response plans Implement • Management control systems • Patches, passwords, settings • Product & custom solutions Monitor • Changes to network configuration • Compliance with policies • Insider/outsider misuse

  12. Security - Threats • Types of threats: • Competitors • Foreign governments • Hackers • Current employees • Former employees • Threat agents • Anyone who seeks to seize, manipulate, or exploit assets • Motivation • Business and technical skills • Opportunity

  13. Assessments - Threats • Categories of Threats • Denial of services • Buffer overflow • Trojan horses • Intruders and physical security • Intercepted transmission • Social engineering • Lack of user support • Findings • Assigns priorities to threats that your company faces • Identifies specific threat agents • Determines motives, goals and skills set of threats agents

  14. Assessments - Vulnerability • Findings • Weak passwords • Missing or weak security • Specific buffer overflows • Accessible UDP or TCP ports • Products • Firewalls • Virus Scanners • Intrusion Detection Systems • Vulnerability Scanners • Network Traffic Analyzers • Application Firewalls

  15. Planning • Must consider the nature, value and location of assets • Develop security policies and practices that keep pace with the changing business and technical landscape • Post your security plan where all users can see it • Technical security designs • Incident response plans

  16. Monitoring • Must monitor against a defined security policy • Must monitor against the implementation plan • Must monitor changes to network configuration • Must monitor insider/outsider misuse

  17. Where do you start • Disable all unnecessary network access and services • First step is to disable features you don't absolutely need • Scan your network for known security holes • Operating system holes, open ports • Implement baseline best practices everywhere • Protects from intruders and establishes a basis for duty of care • Formulate robust incident response plans • Backups, redundancy, forensics, press relations • Fix the education deficit • Increase user awareness of security policies • Keep current with software updates and patches • Prepare for accreditation and audits • Industry best practices, government regulations, insurance companies
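Worked example, added here and not from the slides, for the first two steps above and for the "accessible UDP or TCP ports" finding on slide 14: a host-side baseline check that parses the output of `ss -lntu` (the Linux listing of TCP and UDP listeners) and reports every listener the host's documented baseline does not justify. The sample output, the allowlist and the "patient-facing web server" role are constructed for illustration.

```python
"""Baseline check for listening services on a host.

Added example, not from the slides: parses `ss -lntu` output and reports
listeners that the host's baseline does not justify, so "disable what you
don't absolutely need" becomes a repeatable check.  Sample output, baseline
and host role are constructed.
"""
from dataclasses import dataclass

# Constructed sample in the column layout `ss -lntu` prints.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      5            0.0.0.0:23        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161       0.0.0.0:*
tcp   LISTEN 0      128             [::]:3389         [::]:*
"""

# Hypothetical baseline for a patient-facing web server: the (proto, port)
# pairs a documented business need justifies.  Everything else is a finding.
WEB_SERVER_BASELINE = {("tcp", 22), ("tcp", 443)}

# Legacy services that carry credentials in the clear; called out explicitly.
CLEARTEXT = {
    ("tcp", 21): "ftp",
    ("tcp", 23): "telnet",
    ("udp", 161): "snmp (v1/v2c community strings)",
}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int

    @property
    def loopback_only(self) -> bool:
        return self.addr in ("127.0.0.1", "::1")


def parse_listeners(ss_output: str):
    """Turn `ss -lntu` text into Listener records."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "Netid":     # blank or header row
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")           # "[::]:3389" -> "[::]", "3389"
        if not port.isdigit():
            continue
        listeners.append(Listener(proto, addr.strip("[]"), int(port)))
    return listeners


def audit(ss_output: str, baseline):
    """Return (proto, port, addr, reason) for every listener outside the baseline."""
    findings = []
    for lst in parse_listeners(ss_output):
        key = (lst.proto, lst.port)
        if key in baseline:
            continue
        if key in CLEARTEXT:
            reason = f"cleartext {CLEARTEXT[key]} exposed; disable or replace"
        elif lst.loopback_only:
            reason = "not in baseline (bound to loopback only, low exposure)"
        else:
            reason = "not in baseline and reachable from the network"
        findings.append((lst.proto, lst.port, lst.addr, reason))
    return sorted(findings, key=lambda f: (f[1], f[0]))


if __name__ == "__main__":
    for proto, port, addr, reason in audit(SAMPLE_SS_OUTPUT, WEB_SERVER_BASELINE):
        print(f"{proto}/{port:<5} {addr:<10} {reason}")
```

On the constructed sample this flags telnet and SNMP as cleartext services to remove, RDP on the IPv6 wildcard as an unjustified network-reachable listener, and the loopback-only database as low exposure but still outside the baseline. The check is the host's own view; the slide's "scan your network" step from the outside is the cross-check that the firewall policy actually hides what the host still exposes.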

  18. Vital tools for securing a network (diagram: Your Network in the centre, surrounded by a Firewall, Intrusion Detection System, Network Vulnerability Scanner, Network Traffic Analyzer, Virus Scanner and Application Firewall)

  19. Best of Breed Products: a never-ending stream of technology products and services

  20. Using NetScreen Firewalls, VPN & IDP To Meet HIPAA Requirements Nashville, TN September 25, 2002 Paul L. Thomas pthomas@netscreen.com 404-812-0404

  21. Key Corporate Facts • Strong revenue (chart in $ millions, as of April 2002) • More than $200 million in available cash • Cash-flow positive • Market cap: > $1B • NASDAQ: NSCN • > 400 employees • Many key awards and certifications

  22. About NetScreen • Leading supplier of network security solutions for large scale and high capacity enterprise and carrier networks • Integrated firewall, VPN and traffic management • Leading market share • #1, #2 or #3 in key VPN and firewall categories* * Based on data from Dataquest/Gartner Group, Infonetics Research, International Data Corp.

  23. HIPAA: A Three-Part Set of Rules • Regulates e-commerce and mandates certain technologies, such as Electronic Data Interchange • The Privacy portion of the rule, which critics say is too costly • A third portion is about security, and it is still being defined

  24. Management Responsibility • The CEO gets shot first • Organizations and their business partners take as much care of the information as they would • ALL medical partners need to be secure

  25. IT Responsibility • The requirements are vague • HIPAA does provide some checklists • Must be scalable, from the largest organization to the smallest • HIPAA is technology neutral

  26. Using the Net • Protect the network from Internet Based Attacks • Encrypt the data within • Protect against Data Theft from the inside • 65-75% of data thefts will occur from within the Organization

  27. HIPAA SECURITY BASICS • Firewalls • VPN • Authentication • Intrusion Detection NetScreen supplies all of these pieces of the puzzle

  28. Who We Are • Developer of next generation Internet security appliances and systems, delivering: • Performance: driving security into silicon (just like layer 3 switches did to routing) • Integration: firewall, VPN and traffic shaping & IDP • Ease of use: installs easily • Value: industry leading price/performance • Availability: HA redundancy cluster, no moving parts • Most complete product line: data center to telecommuter • Optimized for Internet data centers, Service Providers, and Enterprises –from SME to SOHO

  29. Encryption Performance (diagram: NetScreen purpose-built ASIC versus a typical general-purpose computer) NetScreen purpose-built ASIC • ASIC + CPU + I/O on the same board • Using dual-ported RAM, data is accessed concurrently by I/O & ASIC • Data blasts through at CPU speed • ASIC accelerates key functions 5 to 10 times: firewall rule parsing, VPN encryption, NAT, DoS protection, authentication Typical general-purpose computer • Single-access RAM • Limited by bus speed & contention • Encryption interferes with other firewall functions

  30. Broad Market and Solution Coverage (diagram: product positioning from Telecommuter through Small Office, Medium Site and Central Site to Enterprise and Carrier Cloud; products shown: NetScreen-Remote, NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-200 Series, NetScreen-500, NetScreen-1000, NetScreen-5000 Series, with NetScreen-Global PRO and NetScreen-Global PRO Express for management)

  31. NetScreen’s Security Product Line

  32. Universal Security Gateway Architecture • Security zones introduced as customizable objects • Create multiple security domains for policy enforcement • Can have multiple interfaces in a security zone • Interfaces supported generically • All physical interfaces can independently have firewall and DoS protections activated using the Network Attack Blocking Engine • Each interface (physical and logical using 802.1q VLANs) can be assigned to separate security zone • IPSec VPN tunnels to/from any interface • Use any interface for VPN tunnels • Enables encryption and firewall policy access to be used on wireless LANs • Virtual Systems with enhanced functionality • Physical, in addition to logical, interfaces can be used in VSYS • Architectural base to support future functionality

  33. Central Site Enterprise Deployments: Integrated VPN, FW and Traffic Mgmt • VPN • No special licenses or additional hardware • >100 remote sites or RA users • 1000 tunnels & 200 Mbps 3DES • Firewall • Stateful inspection FW, NAT, DHCP server & relay • Class-leading FW for central site • 100K+ sessions & 13K sessions/s ramp rate • Traffic Management • Reduce BW for non-critical traffic • Better utilize expensive WAN BW • High Availability • Stateful failover of FW & VPN (diagram: Internet, HA pair, Web Servers, Application Servers, Internal Network; multiple interfaces are needed in many central site deployments)

  34. Deploying ScreenOS against Enterprise Vulnerabilities: Common External Threats (diagram: Internet; DMZ with Web Server and App Server; VPN Clients; Wireless zone; Finance Servers. Threats shown: Compromised Server, Unauthorized Wireless User, Unsuspecting Employee with Trojan, Dishonest Employee. Legend: Threat; Attack Blocking & Policy Engines; Attack Prevention)
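Worked example, added here and not NetScreen or ScreenOS code: a small Python model of the zone-based policy engine slides 32 to 34 describe. Interfaces, including an 802.1q sub-interface, are bound to security zones, policies are written between zones and evaluated in order, and a flow with no matching inter-zone policy is dropped. The zone names, addresses, policies and the seven flows are constructed to replay the slide-34 threats.

```python
"""Minimal model of a zone-based firewall policy engine.

Added example, not NetScreen/ScreenOS code.  Interfaces (physical or 802.1q
sub-interfaces) are bound to zones, policies are written between zones and
evaluated first-match, and a flow with no matching policy is dropped.
Topology, addresses and flows are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    src_zone: str
    dst_zone: str
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    service: str    # e.g. "tcp/443", or "any"
    action: str     # "permit" or "deny"


class ZoneFirewall:
    def __init__(self, default_zone="untrust"):
        self.iface_zone = {}              # interface name -> zone
        self.iface_net = {}               # interface name -> attached network
        self.policies = []
        self.default_zone = default_zone  # zone the default route points into

    def bind_interface(self, iface, zone, network):
        """Attach an interface (physical or VLAN sub-interface) to a zone."""
        self.iface_zone[iface] = zone
        self.iface_net[iface] = ipaddress.ip_network(network)

    def add_policy(self, *args):
        self.policies.append(Policy(*args))

    def zone_of(self, ip):
        addr = ipaddress.ip_address(ip)
        for iface, net in self.iface_net.items():
            if addr in net:
                return self.iface_zone[iface]
        return self.default_zone          # not on any bound network: the Internet

    @staticmethod
    def _addr_match(pattern, ip):
        return pattern == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)

    def decide(self, src_ip, dst_ip, service):
        """Return (action, src_zone, dst_zone) for one flow."""
        sz, dz = self.zone_of(src_ip), self.zone_of(dst_ip)
        if sz == dz:
            return "permit", sz, dz       # intra-zone traffic is not policed in this model
        for p in self.policies:           # first match wins, as in an ordered rulebase
            if ((p.src_zone, p.dst_zone) == (sz, dz)
                    and self._addr_match(p.src, src_ip)
                    and self._addr_match(p.dst, dst_ip)
                    and p.service in ("any", service)):
                return p.action, sz, dz
        return "deny", sz, dz             # no inter-zone policy: drop


def build_clinic_firewall():
    """Hypothetical clinic topology; names and addresses are constructed."""
    fw = ZoneFirewall()
    fw.bind_interface("ethernet1", "trust", "10.1.0.0/16")         # staff LAN
    fw.bind_interface("ethernet1.10", "wireless", "10.50.0.0/16")  # 802.1q VLAN 10
    fw.bind_interface("ethernet2", "dmz", "192.0.2.0/24")          # public servers
    fw.bind_interface("ethernet4", "finance", "10.2.0.0/24")       # finance servers
    # Only what the business needs; everything else falls through to deny.
    fw.add_policy("trust", "untrust", "any", "any", "tcp/443", "permit")
    fw.add_policy("untrust", "dmz", "any", "192.0.2.10/32", "tcp/443", "permit")
    fw.add_policy("trust", "finance", "10.1.5.0/24", "10.2.0.0/24", "tcp/1433", "permit")
    fw.add_policy("wireless", "untrust", "any", "any", "tcp/443", "permit")
    return fw


# Constructed flows mirroring the slide-34 threats: (name, src, dst, service).
SCENARIOS = [
    ("employee browsing the web",          "10.1.7.30",   "203.0.113.7", "tcp/443"),
    ("patient reaching DMZ web server",    "203.0.113.7", "192.0.2.10",  "tcp/443"),
    ("compromised DMZ server -> finance",  "192.0.2.10",  "10.2.0.5",    "tcp/1433"),
    ("unauthorized wireless user -> LAN",  "10.50.1.9",   "10.1.0.3",    "tcp/445"),
    ("trojan on employee PC calling home", "10.1.7.30",   "203.0.113.9", "tcp/6667"),
    ("dishonest employee -> finance DB",   "10.1.7.30",   "10.2.0.5",    "tcp/1433"),
    ("application server -> finance DB",   "10.1.5.20",   "10.2.0.5",    "tcp/1433"),
]


def run_scenarios(fw=None):
    """Map each scenario name to the verdict the policy engine gives it."""
    fw = fw or build_clinic_firewall()
    return {name: fw.decide(s, d, svc)[0] for name, s, d, svc in SCENARIOS}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{verdict:6s} {name}")
```

Two caveats the model makes visible. A trojan that beacons over tcp/443 instead of tcp/6667 passes the outbound policy, which is exactly the gap the IDP / application-level inspection on slides 28 and 34 and the application control on slide 44 are meant to close. And intra-zone traffic is not inspected here, so putting the wireless VLAN in its own zone rather than in trust is what makes the "unauthorized wireless user" flow hit a policy at all.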

  35. NetScreen-5XT Rear Panel (diagram) • Console (CLI) interface: DB-9 RS-232 • Modem interface: DB-9 high-speed RS-232, speeds up to 115 kbps • Untrust interface: 10/100Base-T, auto-sensing and auto-correcting • Trust interface: four switching 10/100Base-T ports, auto-sensing and auto-correcting • Power inlet: 12 volts, 1 amp

  36. NetScreen-5XT Key ScreenOS Features • Dedicated purpose-built OS • Enterprise-class firewall and VPN standard • NAT, Transparent & Route modes • ICSA-certified stateful packet inspection firewall • ICSA VPN and VPNC certified for IPSec interoperability • IPSec 3DES VPN – site-to-site & remote access • 3DES, DES, and AES encryption using digital certificates, IKE auto-key, or manual key • PKI, policy-based NAT, hub & spoke, L2TP, policy management • IPSec NAT traversal • IPSec tunnel over NAT, PAT, or NAPT devices • Redundant VPN gateways for redundancy of VPN connections • Robust attack prevention • DoS blocking with ASIC acceleration • SYN, ICMP flood, and port scan attacks • Traffic management • Maximizes and tailors bandwidth utilization • Easy setup for plug-and-play IP addressing in most networks

  37. Dial Back-up Functionality • With an external modem, a remote office can dial back up* should the DSL modem or DSLAM fail • External modems supported: US Robotics 56K V.92/V.90 Model 5686; ZyXel ISDN Modem Model OMNI.net.LCD • Network monitoring detects the failure, with automatic fail-over and fail-back • Key for mission-critical enterprise remote locations • Additional value-added service with managed firewall/DSL service (diagram: Remote Office with Analog/ISDN Modem and DSL Modem reaching the Central Site's Admin, DMZ, Web and E-mail) * Available in Q3 2002

  38. NetScreen-5XP • Tailored for remote offices and telecommuters • DHCP client and server with PPPoE • 10 Mbps wire speed ASIC-based capacity • 10 VPN tunnels • QuickStart for easy deployment • Included on the NS-5xp are: • IPSec, DES/3DES, MD5, SHA-1, IKE key management • Stateful inspection firewall (strongest DoS protection around!) • NAT (mapped IP, Virtual IP) • Traffic Shaping • URL filtering (with WebSense) • Works with any proxy based Anti-virus services • WebUI, CLI, Global Pro central mgmt

  39. Improved Security for Mobile Workers • User-based (rather than machine-based) policy management to reduce administration and improve security • NetScreen-Global PRO • Centrally control VPN groups rather than on a per-user basis • Custom extensions for RADIUS, other directories • Smart card support for NetScreen-Remote clients (diagram: mobile workers with smart cards and client-initiated VPNs, authenticated through NetScreen-Global PRO against RADIUS/LDAP)

  40. Manage Personal VPN Policies via NetScreen-Global PRO • Remote user launches the NetScreen-Remote VPN Client to connect • Secure authentication to NetScreen-Global PRO or NetScreen-Global PRO Express • External authentication servers may be queried (e.g. NT Domain via RADIUS) • User authenticated • User's VPN policy securely downloaded to the NetScreen-Remote VPN Client • VPN tunnels established to NetScreen devices (diagram: NetScreen-Remote VPN Client across the Internet; users authenticate to NetScreen-Global PRO; external authentication server (RADIUS Server, NT Domain) queried; user's policy retrieved; VPN tunnels established to the DMZ (Web & Email) and Private LAN; labels: SSL, VPN)

  41. Easy to Use VPN Login • User launches NetScreen-Remote VPN Client to login and establish VPN • User is securely authenticated to Global PRO or external database prior to VPN policy download • Profiles defined by admin and users allowed to select which Global PRO device or policy domain to connect to • Status window shows current user and connection statistics

  42. NetScreen-Remote Security Client 8.0 • NetScreen-Remote Security Client includes VPN client with integrated personal firewall software providing mobile users additional security • Firewall security features • Stateful inspection firewall monitors state of TCP/IP traffic to prevent hijacked or unwanted sessions • Application control functionality blocks network access to applications until they’ve been allowed by user or administrator • ICSA certified PC firewall • Host-based security features • NetBIOS protection allows users to share drives or printers without exposing PC to outside attacks • Posture assessment ensures host has not been compromised prior to establishing VPN sessions • Extensive attack, session and packet logging with AutoBlock capability • Platform support • Windows 95B, Windows 98, Windows NT 4.0 SP3+, Windows ME, Windows 2000 Professional, Windows XP Professional & Home Edition

  43. New Personal Firewall Client Software • New NetScreen-Remote Security Client offers VPN, firewall and other key security features to better protect mobile workers • Using Sygate Technologies’ leading enterprise-class Personal Firewall SE 5.0 • Will be manageable via NetScreen-Global PRO in a future release

  44. Application Control for Personal Firewall (diagram: NetScreen-Remote Security Client on the mobile PC; trusted applications such as Internet Explorer and Outlook reach the Internet and the VPN tunnel to Internal Servers; an unknown app is untrusted and blocked) • Restrict network access to trusted applications • Admin or user may define trusted applications • User is prompted if a new application attempts to gain network access; user may approve or deny • Network access is blocked for untrusted applications, preventing unwanted outbound connections • Prevents Trojans or rogue applications from accessing the VPN network or the Internet from the mobile user's PC

  45. Exploding number of VPN tunnels (diagram: full-mesh VPN between a NetScreen-100 central office, a NetScreen-10 branch office, several NetScreen-5 small offices, a NetScreen-5 broadband telecommuter and a B2B partner; multiple links per remote site and multiple links for the B2B partner)

  46. Hub & Spoke VPN (diagram: the same sites, with the NetScreen-10 branch office, NetScreen-5 small offices, NetScreen-5 broadband telecommuter and B2B partner each holding a single tunnel to the HA NetScreen-100 central office; a single tunnel reaches all destinations, a 10-user NetScreen device is enough at each spoke, a single link serves the B2B partner, and VPN transfer runs at wire speed, full duplex)

  47. Traffic Shaping • Quality of Service when needed • Prioritize key applications: e-business vs File Transfers • Prioritize key users: customers vs employees • Powerful capabilities • Guaranteed bandwidth and maximum bandwidth • 8 prioritization levels • Defined by application/service, port, IP address, time of day

  48. Interoperability • Fully IKE/IPSec compliant • Interoperates with other ICSA-certified VPN systems • Example: tunnels to a Check Point or PIX firewall at HQ • NetScreen's security rule creation process is similar to Check Point's • Easy to duplicate policies on NetScreen devices and keep them in sync
