
Infrastructure Services: Security Management

In document WeCare Healthcare Management System (Page 125-134)

3.14.4 Service Oriented Architecture Implementation

3.14.4.2 Infrastructure Services: Security Management

In order for the WeCare® system to provide the described benefits, it will rely on an information backbone that is distributed and operating across the country in real time. This makes the system and the information it carries a prime target for security and privacy attacks. The HIPAA Security and Privacy Rules lay out specific requirements for the protection of individually identifiable health information, referred to as electronic Protected Health Information (e-PHI). The WeCare® system will rely heavily on e-PHI, and therefore a key component of every aspect of the WeCare® system will be the steps taken to protect patient privacy, ensure legitimate care, and protect transactions.

From a security perspective the WeCare® system will be classified as a Covered Entity (or, where it handles e-PHI on behalf of providers and payers, as a Business Associate, which since the HITECH Act is directly bound by the same Security Rule safeguards) and will be required to enforce all policies associated with this classification. These consist of establishing administrative, physical and technical safeguards for the system to meet the requirements for managing access, storage and transmission of e-PHI. Because the WeCare® system is intended to support remote and mobile transactions, it will have to adopt some of the latest security techniques available today.


Figure 3-40 Security Model for WeCare®

In order to cost-effectively implement the system, physical safeguards will be part of the deployment plan, relying on trusted providers with experience and a reputation for hosting large amounts of secure data to provide physical security, control access, and ensure availability of the data servers. Such a hosting provider handles e-PHI and must therefore be bound by a business associate agreement. This leaves the remaining portion of the security process to the interactions with the system itself.

The first phase of access security starts with the users, which in this case can be the patient, medical care provider, medical bill payer, or medical information customer. As an administrative safeguard, three-factor authentication will be required to establish the user account and will be a key component of user security and authentication. Each user will have to have an account established with something they know, something they are, and something they have. The creation of this user profile will be coordinated through the WeCare® system, but may be facilitated by other authorized parties. The WeCare® system is intended to be used across a wide base of users, so once a user establishes their account it will be theirs for life; a lifelong account makes recovery and revocation of a lost or compromised factor part of the design from the start.

As another step in the administrative safeguards, the WeCare® system will rely on a series of user authorization policies that define a system of roles and access profiles, allowing a user to be both a patient and the holder of one of the many service-providing or administrative roles required by a system of this scale.

In addition to the vast number of human users, there will be a much larger number of devices (personal, municipal, and clinical) that will interact directly with the WeCare® system. All devices will be registered with the system before being able to access the data stores and will be associated with a user, clinic, or municipal account. Municipal devices that report on community data (e.g. weather, air quality) will become trusted sources available for association with a user's profile.

Smart devices with network connectivity will be capable of registering directly with the system; other devices will rely on their sensor gateway to gain access to the WeCare® system. In these instances the sensor gateway will be the trusted device, terminating the secure connection with WeCare® and providing its own local secure connection to devices through manufacturer-independent security architectures. Because the gateway sees the sensor data in the clear and speaks for the sensors behind it, its registration is what the WeCare® system can vouch for, not the individual sensors.


Once the user/device has gained access to the system, their interaction with it will rely on the remaining technical safeguards to protect their transactions as well as the patients' data. The ability to control access, perform audits, maintain integrity, authenticate persons and entities, and provide transmission security (the five technical safeguard standards of the HIPAA Security Rule, 45 CFR 164.312) must all be met in order to comply with federal and state statutes.

In order to control access to the system, an authorization service will maintain the user and device profiles and control their level of access and privilege within the system. The authorization system must also handle the requirement to support emergency ("break-glass") access to health records, which the HIPAA Security Rule requires as an emergency access procedure, in order to cover scenarios such as natural disasters.

Figure 3-41 User/Device Authorization Service

In order to provide the auditing capability, the Audit Service will rely closely on the Authorization and Logging services. Only authorized administrators will have access to the audit function. The Audit capability examines activity recorded by the logging mechanism within the system to report on the health and security of the overall system. In particular, every emergency access must be logged with its justification and reviewed after the fact, since break-glass access bypasses the normal authorization checks.
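As an added example (not code from the WeCare® design, which describes these services only at the architecture level), the following Python sketches the authorization service of the preceding paragraphs: role and profile based access for a user who may hold several roles, break-glass emergency access that is read-only and requires a justification, and the audit-service view that pulls every emergency access out of the log for review. The roles, permissions, principals and patient identifiers are constructed assumptions.

```python
"""Added example, not WeCare project code: a minimal user/device authorization
service with role-based access, HIPAA-style emergency ("break-glass") access,
and the audit view that reviews it. Roles, permissions, principals and records
are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> permitted (resource, action) pairs. Assumed policy, not the page's.
ROLE_PERMISSIONS = {
    "clinician": {("record", "read"), ("record", "write"), ("prescription", "write")},
    "payer":     {("billing", "read")},
    "auditor":   {("audit", "read")},
}

@dataclass
class Principal:
    id: str
    roles: set                                       # a user may hold several roles
    care_team_for: set = field(default_factory=set)  # patient ids this clinician treats

@dataclass
class AuditEvent:
    when: str
    actor: str
    action: str
    resource: str
    patient: str
    decision: str
    reason: str = ""

AUDIT_LOG: list = []

def _log(actor, action, resource, patient, decision, reason=""):
    AUDIT_LOG.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                actor, action, resource, patient, decision, reason))

def authorize(user: Principal, action: str, resource: str, patient_id: str,
              emergency: bool = False, justification: str = "") -> bool:
    """Decide one request and log the decision. Returns True if permitted."""
    # 1. A patient may always read their own record, whatever other roles they hold.
    if "patient" in user.roles and resource == "record" and action == "read" \
            and patient_id == user.id:
        _log(user.id, action, resource, patient_id, "ALLOW", "own record")
        return True
    # 2. Role-based path. Clinicians additionally need a treatment relationship.
    for role in user.roles:
        if (resource, action) not in ROLE_PERMISSIONS.get(role, set()):
            continue
        if role == "clinician" and patient_id not in user.care_team_for:
            continue
        _log(user.id, action, resource, patient_id, "ALLOW", f"role={role}")
        return True
    # 3. Break-glass: clinicians only, read only, justification mandatory,
    #    and the decision is marked so the audit service picks it up.
    if emergency and "clinician" in user.roles and action == "read" and justification.strip():
        _log(user.id, action, resource, patient_id, "ALLOW_EMERGENCY", justification.strip())
        return True
    _log(user.id, action, resource, patient_id, "DENY",
         "emergency access needs a justification" if emergency else "no matching role")
    return False

def audit_emergency_access(log=None) -> list:
    """Audit-service view: every break-glass access is returned for human review."""
    events = AUDIT_LOG if log is None else log
    return [e for e in events if e.decision == "ALLOW_EMERGENCY"]

if __name__ == "__main__":
    dr = Principal("dr_a", {"clinician"}, care_team_for={"p1"})
    authorize(dr, "read", "record", "p2", emergency=True,
              justification="ER admission, patient unconscious")
    for e in audit_emergency_access():
        print(f"{e.when} {e.actor} read record of {e.patient}: {e.reason}")
```

Every decision, including denials, is written to the same log the audit service reads, so a clinician probing records outside their care relationship shows up as a run of DENY entries even when no break-glass access was granted.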

As an active component of the health care market, it will be necessary to ensure that the information being exchanged is not altered, damaged, or lost, as well as to verify that it comes from a trusted source. Failure to implement these protections will introduce the risk of lawsuits and malpractice claims. In order to meet this level of requirements, a data integrity service and an authentication service will be implemented.

Figure 3-42 Data Integrity Service

The data integrity service will rely upon a standard cryptographic hash to ensure that digital health records, digital prescriptions, patient history, and billing transactions are unaltered. The hash should be SHA-256 or another SHA-2/SHA-3 function; MD5 and SHA-1 are no longer collision-resistant and must not be used for this purpose. A bare hash only detects accidental corruption: an attacker who can change a record can recompute its digest, so the digest must itself be protected, either by a keyed MAC (HMAC) held by the integrity service or by the digital signature of the authentication service described below.
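The following added example (not WeCare® code) shows the point about bare digests in working Python: a record is serialised canonically, hashed with SHA-256, tampered with, and re-hashed, and the bare check still passes; the same check with HMAC-SHA-256 fails on the forged record. The record, its fields and the key are constructed; the authentication service's signature would replace the shared key with a private-key signature over the same canonical bytes.

```python
"""Added example, not WeCare project code: integrity protection for a health
record. A bare SHA-256 digest detects accidental corruption only; an attacker
who can modify the record can recompute it. A keyed digest (HMAC-SHA-256 with a
key the attacker does not hold) detects deliberate tampering. The record and key
are constructed for illustration."""
import hashlib
import hmac
import json

def canonical(record: dict) -> bytes:
    """Deterministic serialisation: field order must not change the digest."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")

def bare_digest(record: dict) -> str:
    return hashlib.sha256(canonical(record)).hexdigest()

def keyed_digest(record: dict, key: bytes) -> str:
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

def verify_bare(record: dict, digest: str) -> bool:
    return hmac.compare_digest(bare_digest(record), digest)

def verify_keyed(record: dict, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(keyed_digest(record, key), tag)

def tamper_and_recompute(record: dict, **changes) -> tuple:
    """What an attacker with write access does against a bare digest: alter the
    record and recompute the digest. verify_bare() cannot tell the difference."""
    forged = dict(record, **changes)
    return forged, bare_digest(forged)

if __name__ == "__main__":
    key = b"constructed-demo-key-keep-in-an-hsm"          # assumption: demo key only
    rx = {"patient_id": "p1", "drug": "amoxicillin", "dosage_mg": 250}
    forged, forged_digest = tamper_and_recompute(rx, dosage_mg=500)
    print("bare digest accepts forged record:", verify_bare(forged, forged_digest))
    print("keyed digest accepts forged record:",
          verify_keyed(forged, keyed_digest(rx, key), key))
```

The canonical serialisation matters as much as the algorithm: two services that serialise the same prescription with different field order or whitespace will disagree on the digest and generate false integrity failures.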


The authentication service will rely on digital signatures and is necessary for establishing the source of all information, protecting both the patient and the medical provider from lawsuits. In order to do this the system will require all participants to register with a certificate authority, such as VeriSign, so that each signature can be checked against a certificate that chains to a trusted root; the signing private key must never leave the participant's device or hardware token, and the service must check certificate revocation before trusting a signature. Adding these protections is required and will establish confidence in the system and ensure protection for the services being provided and consumed.

Figure 3-43 Authentication Service


Transmission security will be achieved through established network security protocols that protect sessions: TLS (the successor to SSL, whose versions are all deprecated) for client and service connections, and SSH for administrative access to the servers. PGP/OpenPGP protects individual messages and files rather than sessions, so it complements transport encryption rather than replacing it.

Figure 3-44 Network Security Service

Data exchanges between the system and the user/device will rely on proven transmission security practices, using standard encryption algorithms to protect the data: AES for bulk encryption of the session, and RSA (or an elliptic-curve equivalent) for key exchange and signatures. 3DES should not be offered: it is deprecated by NIST, and its 64-bit block makes long sessions vulnerable to block-collision attacks (Sweet32).


Figure 3-45 Encryption Service

In addition to the security provisions made for securing e-PHI, precautions will need to be taken to ensure the security of the system's own operations. The services above protect data at the system boundary; however, if a threat or exploit gains access inside the system, it could render the other protections useless. In order to protect the transactions of the WeCare® system's operations, a message security service that utilizes WS-Security will be created, so that each SOAP message carries its own security token, signature and, where needed, encryption, and is protected end to end between services rather than only hop by hop on the transport.
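As an added example that is not part of the WeCare® design, the Python below builds and verifies the simplest WS-Security credential, a UsernameToken with a PasswordDigest as defined by the WS-Security UsernameToken Profile 1.0, which is the kind of message-level token such a service would attach to each SOAP header. The service side checks the digest, rejects tokens whose Created timestamp is outside a freshness window, and rejects replayed nonces. The user names, secrets and five-minute window are constructed assumptions; the namespace URIs and digest formula are the profile's own.

```python
"""Added example, not WeCare project code: building and verifying a WS-Security
UsernameToken with a PasswordDigest, the message-level credential the WS-Security
UsernameToken Profile 1.0 defines for SOAP headers. The verifier checks the
digest, rejects stale Created timestamps and replayed nonces. User names,
secrets and the five-minute freshness window are constructed assumptions; SHA-1
is used because the profile mandates it for this digest (a nonce-bound one-way
digest, not a collision-sensitive use)."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)

def utc(ts: str) -> datetime:
    return datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc)

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # Profile 1.0: Password_Digest = Base64(SHA-1(nonce + created + password))
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def build_username_token(username: str, password: str,
                         created: str = None, nonce: bytes = None) -> str:
    """Client side: the <wsse:UsernameToken> placed in the SOAP Security header."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TS_FMT)
    tok = ET.Element(f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", Type=DIGEST_TYPE)
    pw.text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(tok, encoding="unicode")

class TokenVerifier:
    """Service side. `users` maps user name to the shared secret: the profile
    needs the server to reconstruct the digest, so keep it in a vault and accept
    tokens only over TLS."""
    def __init__(self, users: dict, max_skew: timedelta = timedelta(minutes=5)):
        self.users = users
        self.max_skew = max_skew
        self.seen_nonces = set()   # replay cache; expire entries older than max_skew in production

    def verify(self, token_xml: str, now: datetime = None) -> bool:
        now = now or datetime.now(timezone.utc)
        tok = ET.fromstring(token_xml)
        user = tok.findtext(f"{{{WSSE}}}Username")
        pw = tok.find(f"{{{WSSE}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if pw is None or pw.get("Type") != DIGEST_TYPE or not (user and nonce_b64 and created):
            return False                       # malformed, or a plaintext-password token
        if user not in self.users:
            return False
        try:
            if abs(now - utc(created)) > self.max_skew:
                return False                   # stale: outside the freshness window
            nonce = base64.b64decode(nonce_b64, validate=True)
        except ValueError:
            return False
        if nonce in self.seen_nonces:
            return False                       # replayed token
        expected = password_digest(nonce, created, self.users[user])
        if not hmac.compare_digest(expected, pw.text or ""):
            return False
        self.seen_nonces.add(nonce)
        return True
```

The digest proves possession of the secret without sending it, but nothing in this token binds it to the message body; for the end-to-end protection the paragraph calls for, the same Security header also needs an XML Signature over the body (WS-Security with X.509 tokens), with the UsernameToken serving only as the caller's identity claim.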


A key component of the WeCare® system is the ability to provide anonymous data to public health systems, and in turn to use that access to achieve a higher quality of service at the diagnostic level. In order to ensure privacy is maintained, de-identification of the data will be required. The method used is the HIPAA Privacy Rule's Safe Harbor method (45 CFR 164.514(b)(2)), which removes 18 types of identifiers of the individual and of the individual's relatives, employers and household members, and additionally requires that the entity have no actual knowledge that the remaining information could identify the individual. In order to implement the Safe Harbor method, a De-identification service will manage external disclosures of information and ensure they meet the requirements of the HIPAA Privacy Rule.
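As an added example (not the WeCare® De-identification service itself), the Python below applies the Safe Harbor rules to a structured patient record and to a free-text note: direct identifiers are dropped, ZIP codes are cut to three digits (or 000 for the sparsely populated areas), dates are reduced to the year, and ages over 89 are collapsed to 90+ with the birth year removed. The field names and sample record are constructed; the restricted ZIP3 list is the one HHS published with its de-identification guidance (based on 2000 census data) and should be re-checked against current guidance before use.

```python
"""Added example, not WeCare project code: a Safe Harbor de-identification pass
over a structured patient record, applying the 18 identifier classes of 45 CFR
164.514(b)(2): names; geographic units smaller than a state (ZIP kept to three
digits, or 000 where that area has 20,000 or fewer people); all date elements
except year, with ages over 89 collapsed to 90+; telephone, fax, email; SSN,
medical record, health plan, account, certificate/licence, vehicle and device
numbers; URLs; IP addresses; biometrics; full-face photos; any other unique
code. Field names and the sample record are constructed assumptions."""
import re
from datetime import date

# Direct identifiers dropped outright (assumed field names).
DROP_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_template", "photo",
}
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}
# Three-digit ZIP areas with 20,000 or fewer people (HHS guidance, 2000 census).
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}

def generalize_zip(zip_code: str) -> str:
    z3 = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(z3) < 3 or z3 in RESTRICTED_ZIP3 else z3

def year_of(value) -> str:
    return str(value.year) if isinstance(value, date) else str(value)[:4]

def age_on(dob, as_of: str) -> int:
    b = dob if isinstance(dob, date) else date.fromisoformat(dob)
    a = date.fromisoformat(as_of)
    return a.year - b.year - ((a.month, a.day) < (b.month, b.day))

def safe_harbor(record: dict, as_of: str) -> dict:
    """Return a Safe Harbor de-identified copy of `record`; as_of is an ISO date."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[f"{key}_year"] = year_of(value)
        else:
            out[key] = value
    if "dob" in record:
        age = age_on(record["dob"], as_of)
        if age > 89:
            out["age"] = "90+"
            out.pop("dob_year", None)   # the birth year alone would reveal the >89 age
        else:
            out["age"] = str(age)
    return out

def scrub_free_text(text: str) -> str:
    """Clinical notes carry identifiers too. These patterns catch the obviously
    structured ones; a note still needs review before release."""
    patterns = [
        (r"\b\d{3}-\d{2}-\d{4}\b", "[SSN]"),
        (r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b", "[PHONE]"),
        (r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", "[EMAIL]"),
        (r"https?://\S+", "[URL]"),
        (r"\b(?:\d{1,3}\.){3}\d{1,3}\b", "[IP]"),
        (r"\b\d{1,2}/\d{1,2}/\d{4}\b", "[DATE]"),
    ]
    for pattern, label in patterns:
        text = re.sub(pattern, label, text)
    return text
```

Safe Harbor is a removal rule, not a privacy guarantee: the remaining fields (diagnosis, year of admission, three-digit ZIP) can still be linkable in small populations, which is why the rule's "no actual knowledge" condition and a disclosure review remain part of the service's job.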
