Information Security: Why is it important for the Healthcare Industry?

Academic year: 2021


Information Security: Why is it important for the Healthcare Industry?

Glen Gooding

IBM Security Leader, ggooding@au1.ibm.com

(2)

Baseline definitions

Security – for the purposes of IT security, a number of points need to be addressed:

• Confidentiality, Integrity, Availability – CIA
• Authentication, Authorisation, Audit – AAA

Privacy – Privacy means an individual's interest in limiting

(3)

How much security is enough (but not too much)

From a security perspective, all IT solutions must balance three conflicting factors:

• The risk – to the organisation – of operating the IT solution
• The cost – of implementing and operating the security controls; in general, the tighter the controls, the lower the risk
• The usability – of the solution; in general, the tighter the controls, the greater the impact on the users of the system

The resulting set of controls must be, as far as possible, “necessary and sufficient”.

[Diagram: cost, risk and usability, each plotted from low to high against the security environment]

(4)

IT Security is about “CIA”

• Confidentiality
• Integrity

(5)

Data confidentiality

Definition: to protect against an unauthorised disclosure of the message.

Technically: think encryption, SSL, the ‘lock’ on your browser.

(6)

Data integrity

Definition: guarantee that the content of the data has not been tampered with.

Technically: think data signatures and the signing of data.

(7)

Authentication

Determines or proves that you ‘are’ who you say you ‘are’.

Authentication based upon something you:

• know (e.g. password, PIN)
  – too many to remember
  – too easily guessed
  – can be sniffed/captured
  – can be cracked
• have (e.g. smart card, token)
  – more expensive to deploy
  – less portable
• are (e.g. biometrics)
  – even more expensive to deploy
  – may be considered invasive
  – error-prone (false positives / negatives)

(8)

Authorisation

Authorisation determines what an entity is allowed to do.

Access control is a means of enforcing this authorisation model:

• data not disclosed
• data not modified
• users remain accountable

Health Care Specific – Clinical applications, HR systems,

(9)

Audit

Companies need to audit their IT infrastructure:

• Determine whether or not the business can continue to grow and mature based on the current IT infrastructure
• Audit logs are often the only record that suspicious behaviour is taking place
• Logs can be fed in real time directly into intrusion detection or log management systems
• Logs can provide individual accountability by tracking a user's actions
• Logs are useful in reconstructing events after a problem has occurred, security related or not

(10)

“Never fly in a plane designed by an optimist.”

(11)

IBM Security Framework

Built to meet four key requirements:

• Provide Assurance
• Enable Intelligence
• Automate Process
• Improve Resilience

Introducing the IBM Security Framework and IBM Security Blueprint to Realise Business-Driven Security; IBM RedGuide REDP-4528-00, July 2009

(12)

Typical Client Security Requirements

Governance, Risk Management, Compliance
• 3rd-party audit (SAS 70, ISO27001, PCI, HIPAA)
• Client access to tenant-specific log and audit data
• Effective incident reporting for tenants
• Visibility into change, incident, image management, etc.
• SLAs, option to transfer risk from tenant to provider
• Support for forensics
• Support for e-Discovery

Application and Process
• Application security requirements are phrased in terms of image security
• Compliance with secure development best practices

Physical
• Monitoring and control of physical access

People and Identity
• Privileged user monitoring, including logging activities, physical monitoring and background checking
• Federated identity / on-boarding: coordinating authentication and authorisation with enterprise or third party systems
• Standards-based SSO

Data and Information
• Data segregation
• Client control over geographic location of data
• Government: Cloud-wide data classification

Network, Server, Endpoint
• Isolation between tenant domains
• Trusted virtual domains: policy-based security zones
• Built-in intrusion detection and prevention
• Vulnerability Management
• Protect machine images from

(13)

Customers require visibility into the security posture of their environment.

• Establish 3rd-party audits (ISO27001, PCI)
• Provide access to log and audit data
• Create effective incident reporting
• Visibility into change, incident, image management, etc.
• Create policies for PII and for data crossing international boundaries
• Understand applicable regional, national and international laws
• Support for forensics and e-Discovery

Implement a governance and audit management program

IBM Security Framework – Security governance, risk management and compliance

(14)

Customers require proper authentication of all users.

• Implement a least privilege model for users’ access
• Strong identity lifecycle management
• All administrative access over secure channels
• Privileged user monitoring, including logging activities, physical monitoring and background checking
• Utilise federated identity to coordinate authentication and authorisation with enterprise or third party systems
• A standards-based, single sign-on capability

Implement strong identity and access management

IBM Security Framework – People and Identity

(15)

Customers cite data protection as their most important concern.

• Protect PII and intellectual property
• Implement a secure key management program
• Use a secure network protocol when connecting to a secure information store
• Implement a firewall to isolate confidential information, and ensure that all confidential information is stored behind the firewall
• Sensitive information not essential to the business should be securely destroyed

Ensure confidential data protection

IBM Security Framework – Data and Information

(16)

Customers require secure applications and provider processes.

• Implement a program for application and image provisioning
• Ensure provisioning management is strictly controlled
• Protect machine images from corruption and abuse
• Ensure all changes to virtual images and applications are logged
• Ensure provisioned images apply appropriate access rights
• Ensure destruction of outdated images

Establish application and environment provisioning

IBM Security Framework – Application and Process

(17)

Customers expect a secure cloud operating environment.

• Implement vulnerability scanning, anti-virus, intrusion detection and prevention on all appropriate images
• Ensure isolation exists between tenant domains
• Trusted virtual domains: policy-based security zones
• A secure application testing program should be implemented
• Develop all Web based applications using secure coding guidelines
• Ensure external facing Web applications are black box tested

Maintain environment testing and vulnerability/intrusion management

IBM Security Framework – Network, Server and End Point (IBM Cloud Security Guidance Document)

(18)

Customers expect health based data centers to be physically secure.

• Ensure the facility has appropriate controls to monitor access
• Prevent unauthorised entrance to critical areas within facilities, e.g. servers, routers, storage, power supplies
• Biometric access of employees
• Ensure that all employees with direct access to systems have full background checks
• Provide adequate protection against natural disasters

Implement a physical environment security plan

IBM Security Framework – Physical Security

(19)

The IBM Health Integration Framework

• Speed – accelerate delivery and integration
• Flexibility – grow and add new capabilities incrementally
• Choice – multiple solution on-ramps and business partners
• Architectural blueprints for provider and payer transformation
• Pre-built healthcare accelerators
• Built on a Smart SOA™ foundation
• Keep up with open standards
• Leverage an ecosystem of key business partners
• Leverage existing healthcare applications, systems and business processes

[Diagram: Health Integration Framework – Infrastructure and Governance; Business Partner Ecosystem; Healthcare Provider Solutions; Rapid Development & Integration; Process Flexibility; Intelligence; Lowered Risk and Cost; Interoperability; Reduced Manual Intervention]

(20)

Healthcare Identity, Access and Audit Management

IBM's approach is to strategically manage risk end-to-end across all risk areas within an organisation.

Enables visibility into user activity, control over access to PHI, and automation of the sign-on process in order to improve quality of care, clinician productivity,

[Diagram: Security Info and Event Mgr, Identity Manager – User Compliance Auditing, Identity Management, Access Management]

(21)

I promised earlier that you would hear...

• Cost
• Complexity
• Compliance

[Diagram: cost, risk and usability, each plotted from low to high against the security environment]

(22)

Reduce Complexity

Scenario: Improve service by expanding reach via role based portals to services and applications (Patient Portals, Hospital Website/Portals, Physician Portals)

• Quickly roll out new applications and services to authorised users
• Enable single sign on for authentication
• Issue and manage user credentials
• Users’ “role” will determine the information and services they are authorised to access

(23)

Reduce Cost

Scenario: Reduce costs with self service and service management integration

Offering user self-service to manage profile, passwords and access can reduce help desk, IT administration and user productivity costs
• By enabling users to manage passwords via challenge/response questions
• By reducing labor required to manage and audit application-specific password policies via single sign-on

Rapid access to applications
• By accelerating time to access applications and sharing of workstations and kiosks
• Fast user switching

Integrating identity management with incident management can reduce IT costs
• Offload service desk workload with self-service password, profile management and access request
• Automate incident resolution within Tivoli Service Request Manager

(Tivoli Service Request Catalog, Tivoli Identity Manager)

(24)

Manage Compliance

Scenario: Manage risk of insider threat and support audit requirements with access recertification, user activity monitoring and reporting

Monitor user access
• Do user access rights match responsibilities?
• Are rights consistently certified?
• Are there separation of duty violations?

Monitor user activity
• Volume of activity
• Type & location of activity
• Timing of activity
• Privileged user activity

Compliance Reporting
• Pre-built reporting modules on common regulatory mandates (SOX, PCI, Basel II, HIPAA, etc.)
• Flexible report design to match company-specific audit requirements
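The access-recertification questions and activity checks on this slide, together with the earlier Audit slide's point that logs are the record of suspicious behaviour, as a small worked example. This is added code, not IBM's or Tivoli's; every role, separation-of-duty rule, user, location and log line is a constructed sample.

```python
from datetime import datetime
# Constructed role model: entitlements and work locations expected per role.
ROLE_ENTITLEMENTS = {
    "nurse": {"ehr.read", "ehr.write"},
    "billing": {"billing.read", "billing.write"},
    "admin": {"iam.admin"},
}
ROLE_LOCATIONS = {"nurse": {"ward-1", "ward-3"}, "billing": {"billing-office"}, "admin": {"datacentre"}}
# Separation-of-duty rule (constructed): nobody may hold both sides of a pair.
SOD_PAIRS = [("billing.write", "iam.admin"), ("ehr.write", "billing.write")]
PRIVILEGED = {"iam.admin"}          # actions that always get a review entry
BUSINESS_HOURS = range(7, 20)       # 07:00-19:59 counts as in-hours (assumption)

# Constructed identity store: user -> (role, entitlements actually granted).
USERS = {
    "alice": ("nurse", {"ehr.read", "ehr.write"}),
    "bob": ("billing", {"billing.read", "billing.write", "iam.admin"}),
    "carol": ("nurse", {"ehr.read", "billing.read"}),
}
# Constructed audit log lines: timestamp|user|entitlement used|location.
LOG = [
    "2021-03-02T09:15:00|alice|ehr.read|ward-3",
    "2021-03-02T02:40:00|alice|ehr.read|ward-3",
    "2021-03-02T12:00:00|alice|ehr.read|kiosk-lobby",
    "2021-03-02T10:05:00|bob|iam.admin|billing-office",
    "2021-03-02T11:00:00|carol|ehr.write|ward-1",
]

def recertify(users):
    """Access recertification: rights beyond the role, and SoD violations."""
    findings = []
    for name, (role, granted) in users.items():
        excess = granted - ROLE_ENTITLEMENTS.get(role, set())
        if excess:
            findings.append((name, "excess", sorted(excess)))
        for a, b in SOD_PAIRS:
            if a in granted and b in granted:
                findings.append((name, "sod", [a, b]))
    return findings

def review_activity(log_lines, users):
    """Activity monitoring: timing, location, privileged and ungranted use."""
    findings = []
    for line in log_lines:
        ts, user, entitlement, location = line.split("|")
        role, granted = users.get(user, ("unknown", set()))
        hour = datetime.fromisoformat(ts).hour
        if entitlement.startswith("ehr.") and hour not in BUSINESS_HOURS:
            findings.append((user, "off-hours", ts))    # PHI touched out of hours
        if location not in ROLE_LOCATIONS.get(role, set()):
            findings.append((user, "location", location))
        if entitlement in PRIVILEGED:
            findings.append((user, "privileged", ts))
        if entitlement not in granted:
            findings.append((user, "no-entitlement", entitlement))
    return findings
```

Run `recertify(USERS)` for the recertification report and `review_activity(LOG, USERS)` for the activity report; each finding names the user, the category and the evidence, ready to feed a compliance report.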

(25)

Understanding the needs of Healthcare Providers

We understand your needs…
• Improved quality of patient care and patient safety.
• Risk management & the protection of patient information.
• Improved productivity of care givers.
• Centralised management of information access.
• Easy integration & fast deployment.
• Regulatory compliance.

…and IBM delivers.
• Access workflow automation with context management for HIT applications.
• Choice of second factor authentication with user-centric access tracking.
• Fast user switching for clinical environments, and combined physical & information access.
• Centralised identity and policy management.
• No modifications to existing infrastructure.
• Out-of-box compliance enablement and reporting.

(26)

Thank you!

For more information, please visit:

ibm.com/security

(27)

Solving Challenges with IBM Service Management in healthcare

Key Healthcare Challenges: Manage Compliance; Reduce costs; Improve patient care; Prevent security breaches; Availability & reliability of Assets

IBM Service Management Solutions For Healthcare: Healthcare Application Performance Management; Healthcare Access Management; eHealth Service Management; Healthcare Asset Management

Products: ITM, OMNIbus, ITNM, ITCAM, Omegamon; TIM, TAM, TFIM, TDI, TAM ESSO; TSRM, TPM; TPC, TSM; TKLM, TSIEM; Maximo Asset Management, TAMIT

(28)

Hospitals can see significant benefits from implementing Identity and Access Assurance for Healthcare.

• Simplify user experience – deliver the right information quickly and securely.
• Secure access to applications, information and data while still allowing easy access for those with need and authority.
• Consistently enforce and audit corporate security and compliance policy.
• Streamline provisioning processes to facilitate quick access to clinical systems for staff.
• Reduce operational expenses through automation of common administrative tasks and providing service catalog components for those that make business sense.

(29)

IAA for Healthcare - Business Case Summary

Business Need
– Healthcare IT facilitates access to patient confidential data that is used to enable clinical care.
  • Many providers are faced with no central control of identity provisioning.
  • Security audits are central to local regulations and Joint Commission compliance.

Client Value Proposition
– Identity and Access Assurance allows the provider tighter control over their HIT infrastructure
  • Know who is accessing which systems
  • Know when their staff is accessing the systems
  • Implement measures to assure a consistent audit trail procedure over security access.
– The business can depend on Identity and Access Assurance for Healthcare Providers
  • Content exists to enable HIPAA compliance reporting in the solution.
  • HIT ISVs are partnering with IBM to develop provisioning adapters to their application suites.
  • Enterprise Single Sign on with multifactor authentication can be deployed.

Services – Delivery and Deployment Strategy
– IBM Business Partners with Service Management experience can be engaged.
– Gold Coast Security Lab Services can be engaged for architectural guidance.

(30)

IBM is the Trusted Partner of Choice

“IBM is an international company. It has a good brand and status in the industry. We will be comfortable with IBM in terms of data security. IBM is a trusted supplier of information security…”

“Yes I think they can offer secured services”

2008: Most trusted IT company – Ponemon Institute and TRUSTe study

■ Thought leadership
■ Commitment and customer insight
■ Industries/sectors expertise
■ Comprehensive capabilities, products, services and research

SC Security Company of the year – 2010 RSA Security

Cloud Computing Quotes

(31)

Visualisation in Identity and Access Management
• Provides a single view into Identity Management across the entire business (Tivoli Identity Manager [TIM], Tivoli Security Information and Event Manager [TSIEM]).
• Enables access audit trail reporting (TSIEM).

Control in Identity and Access Management
• Brings seamless, secure and auditable access to web services (Tivoli Access Manager [TAM] and Web SSO).
• Supports integration of customer and partner services (Tivoli Federated Identity Manager [TFIM] solutions).
• Simplifies administration with single sign on to multiple services (TAM for Enterprise SSO [TAMESSO]).
• Provides a single point of control for Identity Management (TIM).

Automation in Identity and Access Management
• Business policy can be enforced through implemented rules (TSIEM).
• Security events can generate incident reports (Tivoli Service Request Manager [TSRM] and TSIEM).
• Automate common identity tasks to reduce costs of Identity Management (TIM, TPM, TSRM).

[Diagram: secure identity federation between employees, customers, external providers, web services providers, carrier portals and web applications]

(32)

Gartner quadrant Including ESB
