International Congress Series 1281 (2005) 290 – 295
www.ics-elsevier.com
Security implementations in the healthcare enterprise

Roland Brill*, Wolfgang Leetz
Siemens AG Medical Solutions, P.O. Box 3260, 91050 Erlangen, Germany

Abstract. Adequate enterprise security solutions require a broad understanding of security issues as well as of the limitations of technology-based solutions. Many threats targeted against a business can be countered by risk management to efficiently achieve the intended level of security. Protection should start with an analysis of possible threats, an identification of the costs of countermeasures and the decision which security tools to use on the basis of a cost/benefit analysis. As there is no "one size fits all" solution, this paper offers a systematic approach to implementing adequate security in the healthcare enterprise. © 2005 CARS & Elsevier B.V. All rights reserved.

Keywords: Security; Healthcare enterprise; Risk management

* Corresponding author. E-mail address: [email protected] (R. Brill).
0531-5131/ © 2005 CARS & Elsevier B.V. All rights reserved. doi:10.1016/j.ics.2005.03.033

1. Purpose

Security can only be achieved through a combination of various processes, using technology as a toolbox while taking into account the specifics of the medical domain. Consideration of the guiding aspects below is necessary to select and apply appropriate security tools.

2. Guiding aspects

2.1. Safeguarding the business

The medical domain is run as a business where decisions are based on external factors like: which processes are most efficient, how much personnel is required for which tasks, what equipment needs to be bought, and why it is needed. The economic success of the business is driven by

- Liability. Liability is a key factor in an enterprise environment. Most business drivers translate into financial liability for the enterprise and/or for its employees.
- Customer Satisfaction and Publicity. State of the art security is a means to gain good publicity. A lack of security will lead to unsatisfied customers who switch health providers or equipment vendors.
- Standards and Regulations. Various privacy, safety and security standards and regulations apply to enterprises and their personnel (e.g. HIPAA [1], the European Data Privacy Protection Act [2] and its state-specific implementations [3]).
- Information Privacy. In most countries people have a legal right to determine who may and who may not have access to information about their person. Disclosure of personal or protected health information (PHI) may result in damages that cannot be undone.
- Information Integrity. Information may become corrupted or manipulated through various means.

All these guiding aspects need to be assessed so that appropriate security measures can be selected and implemented.

2.2. Threat analysis

Threats are the classical reason to increase security efforts. Even though they are often perceived subjectively, they need to be analyzed as objectively as possible. Classifying threats on the basis of the cause-and-effect principle and their likelihood, and then balancing them against appropriate countermeasures, needs to be done respecting the business context. Possible threats are

- Negligence and thoughtlessness can cause security holes like misconfigurations of equipment, not following security guidelines, misplaced trust in people, etc.
- Attacks will be most likely where security is weakest. Typical attack paths are:
  - intrusion into IT infrastructures by external as well as internal penetrators;
  - sabotage as a deliberate act of destruction or disruption;
  - malicious code like computer viruses, mail worms, key loggers and time bombs, which may attack IT devices [4];
  - denial-of-service attacks, the classical attack against computers in a network.
- Perpetual changes pose new risks that cannot be foreseen.
- Complexity is an enemy of security. Security solutions need to be kept as simple as possible.

Threats which become real may cause damages. Before implementing appropriate security solutions to limit those damages by controlling their cause, it is necessary to understand

- what damages might be caused, e.g. malfunction, loss of property, value, services, integrity or reputation, harm to the patient;
- what impact attacks have, e.g. on health, safety, information privacy of patients, functionality of systems, costs, publicity, business in general;
- who causes them, e.g. external factors, patients, personnel, internal or external intruders;
- what the cause of those damages is, e.g. force majeure, criminal intent, negligence;
- how likely they are.

This risk analysis is the first step of risk management and should be done on an individual basis.

2.3. Costs of security

A cost/benefit analysis is the second step and is rarely performed in the medical domain.

- Economic Costs. The optimal level of security from a business perspective is determined by the minimum of total security-related costs. This is simply the sum of the costs caused by security violations and the costs of security measures. But there are difficulties in determining the total costs:
  - Most economic costs have a statistical quality only (e.g. individual loss of performance).
  - The costs of security measures (purchase, installation, training, administration, etc.) are incurred right away in order to avoid future costs of security violations.
  - Security measures that meet their goals avoid the tentative costs that were used as the reason to implement them.
- Non-material Costs (some non-material costs, e.g. loss of freedom, cannot be measured at all):
  - decrease of user comfort and/or performance;
  - loss of freedom.

3. Security measures

Depending on the costs, the risks may be ranked and appropriate security tools can be selected. These tools should start with processes and be enhanced by technology. Models used in the general business world will work in the healthcare world as well, but will certainly need some specific adaptations. Once the local security measures have been introduced, their appropriateness should be checked continuously, because safeguarding the required level of security is a moving target: the skills of attackers and their technologies keep increasing.

3.1. Processes

Processes may have a severe impact on the security situation that is often underestimated [5]. Medical organizations may need to be re-organized in order to adequately account for security.
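Before turning to the process loop, the risk ranking and cost/benefit step of Sections 2.2, 2.3 and 3 as an added worked example (not from the paper; all threats, measures and figures are constructed): each threat is scored by expected annual loss, i.e. likelihood times damage, and the set of countermeasures with the minimum total security cost, i.e. measure costs plus residual expected loss, is selected.

```python
from itertools import combinations

# Constructed threats: name -> (annual likelihood, damage in EUR if it occurs)
THREATS = {
    "malware on modality workstation": (0.5, 40_000),
    "misconfigured firewall exposes PACS": (0.2, 150_000),
    "lost unencrypted laptop with PHI": (0.3, 80_000),
    "denial of service on RIS": (0.1, 20_000),
}
# Constructed countermeasures: name -> (annual cost in EUR,
#   {threat: factor by which the measure scales that threat's likelihood})
MEASURES = {
    "antivirus and patch process": (12_000, {"malware on modality workstation": 0.2}),
    "firewall change review": (8_000, {"misconfigured firewall exposes PACS": 0.25}),
    "laptop disk encryption": (5_000, {"lost unencrypted laptop with PHI": 0.05}),
    "DoS-resistant network design": (30_000, {"denial of service on RIS": 0.3}),
}

def expected_loss(threats):
    """Expected annual loss per threat: likelihood times damage."""
    return {name: p * damage for name, (p, damage) in threats.items()}

def rank_threats(threats):
    """Threat names ordered from highest to lowest expected annual loss."""
    losses = expected_loss(threats)
    return sorted(losses, key=losses.get, reverse=True)

def residual_loss(threats, measures, chosen):
    """Expected annual loss that remains once the chosen measures are in place."""
    total = 0.0
    for name, (p, damage) in threats.items():
        for m in chosen:  # factors multiply when several measures hit one threat
            p *= measures[m][1].get(name, 1.0)
        total += p * damage
    return total

def total_cost(threats, measures, chosen):
    """The paper's total security cost: cost of measures plus residual losses."""
    return sum(measures[m][0] for m in chosen) + residual_loss(threats, measures, chosen)

def best_measure_set(threats, measures):
    """Brute-force the subset of measures with the minimum total cost (small sets only)."""
    names = list(measures)
    best = (total_cost(threats, measures, ()), ())
    for k in range(1, len(names) + 1):
        for subset in combinations(names, k):
            cost = total_cost(threats, measures, subset)
            if cost < best[0]:
                best = (cost, subset)
    return best
```

With these figures the DoS measure is left out: it costs far more per year than the expected loss it removes, which is exactly the kind of decision the paper says is rarely made explicitly in the medical domain.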
Processes need to be enforced and should cover a continuous loop of

- Prevention (of exploitation of security breaches). Some issues can be foreseen and fixes can be applied before damage is done.
- Detection (of security holes). Efficient monitoring is part of a larger process, based on feedback loops.
- Assessment (of what has been detected). On-going assessment of security breaches and the overall security situation is a necessity (e.g. through evaluation of audit logs).
- Response (on the basis of the assessment). Timely reaction to security gaps will help reduce the impact on your business.

This loop needs to be enhanced by

- Assurance and certification. Assessment and response should be based on standards and best practices.
- Training. Teaching employees about security issues raises everybody's level of awareness.
- Outsourcing. Some tasks can be done more professionally and much more efficiently by people who do them as their main business.

Efficient processes help increase security at moderate cost and should be based on ITIL [6]. Processes that are hard to understand and/or hard to maintain may amplify existing security issues or introduce new ones. A well-maintained old-fashioned log-book may fulfil the same purpose as computerized activity logging, and it continues to work in black-out scenarios.

3.2. Technology

There is no security technology available that prevents all potential kinds of security breaches. However, technology is needed to support security processes. Partitioning and separation of assets ensures better control. As a strategy, we recommend following the Defense in Depth strategy, which implements different security measures at different locations within an IT infrastructure, not just at its periphery. Important technology tools include:

- Physical protections (a simple key may be an "important tool"). Locking down areas and equipment adds physical protection.
- Access control within the IT system
  - Identification and authentication is a coupled process where a user claims an identity, e.g. by typing in his name, which is verified in the second step, e.g. by using a password, a smart-card, a biometric device, etc.
  - An authorization procedure then defines what tasks an authenticated user is allowed to perform on data and/or system functions. (More detail in Section 3.3.)
- Cryptographic means are used to encrypt and hence protect information against unauthorized access, e.g. DICOM encryption.
- Network management
  - IT administration tools help maintain and manage IT equipment.
  - Firewalls and virtual private networks (VPNs) separate network zones (e.g. Internet and intranet) and filter network traffic.
- Logging and auditing are used for after-the-fact investigation of events and user activities to identify unauthorized activities.

3.3. Access control management models

The technology most visible to the clinical user is access control within the IT system. The administrative processes behind access control, as visible on the application level, are worth investigating because they may severely impact the respective maintenance efforts. The first applications just implemented the "simple" model of individually defining access rights for each user (user-based access control). But this becomes inflexible and complicated with the rising number of activities a user may perform. Each change in the user's competencies may change more than one specific task he is allowed to perform and hence requires more than one change of his access rights. More efficient approaches have been developed for general IT applications and are now becoming available for medical application software:

- Role-Based Access Control (RBAC) has become the dominant form of access control in computing in general as well as for healthcare specifically [7]. It is based on gathering several activities of the local workflow under specific roles. This abstraction simplifies security administration: even a complex change in the user's competencies may be just a simple change of his role. RBAC supports the principle of least authority: a user should always act with the lowest level of authority necessary to complete a task. This prevents users a priori from performing unauthorized activities.
- Context-Based Access Control is based on the organizational context (location, health care unit, date/time, etc.) of the access. Context-based access control adds another dimension to RBAC. For example, a ward clinician who is allowed to access medical images while he is in the treatment room may be prohibited from doing so while performing reimbursement administration in the reception area.
- Logic-Driven Access Control evaluates logical conditions or rules derived from local workflow aspects (e.g. VIP patient status, diagnosis code). User conditions (e.g. possessing a particular certification) or environmental conditions (e.g. accessing the data over a trusted or untrusted network) may additionally be evaluated. Synonyms are "conditional security" or "rule-based security".
- Instance-Based Access Control grants or denies access to specific instances of data independently of the user's role, the user's context, or a generic rule. For example, a patient may want to restrict the access of a particular physician to some or all of the patient's data.

RBAC, Context-Based, and Logic-Based Access Control are all workflow driven and independent of any data instance. The workflow comes first and authorization calls need to be fitted in where the workflow dictates. Context-Based and Logic-Based access control are both driven by factors outside of the security domain. Different actions may have to be
performed and different screens have to be displayed to the user based on the context or the outcome of a logical decision. Instance-Based Access Control assesses additional properties of each data item before granting or denying access. Changes of the access rights need to be applied to each data item individually. Therefore, it should only be considered as an exception to the workflow-driven models.

4. Conclusion

There is no "one size fits all" solution that is able to enhance security in any healthcare facility. Appropriate measures to meet the necessary security level need to be defined individually and for each environment. Risk analysis and a cost/benefit analysis then define which secure processes should be implemented using which kind of appropriate technological tools. Using the right model to manage access control may ease security administration. As security is a moving target, the following best practice steps should be performed continuously [8]:

1. What problem does the security solution solve?
2. Does it meet the expectations?
3. What new problems does it add?
4. What are the economic and social costs?
5. Is it worth the costs?
6. What are clear independent assessments?
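The conclusion's point that the right access-control model eases administration, as an added example that is not part of the paper: one policy decision that layers the four models of Section 3.3 (role, context, rule, instance) using the paper's own ward-clinician and patient-restriction scenarios, plus an emergency override that is permitted but logged so the assessment step of Section 3.1 can review it afterwards. The roles, locations, the VIP rule and the untrusted-network rule are constructed.

```python
from dataclasses import dataclass, field

# RBAC: workflow activities gathered under roles (constructed)
ROLE_PERMISSIONS = {
    "ward_clinician": {"view_images", "write_report"},
    "reception_clerk": {"reimbursement_admin"},
}
# Context-based: locations in which an activity may be performed (constructed)
ACTIVITY_LOCATIONS = {"view_images": {"treatment_room", "reading_room"}}

@dataclass
class Request:
    user: str
    roles: set
    activity: str
    location: str
    network_trusted: bool
    emergency: bool = False

@dataclass
class Patient:
    vip: bool = False
    blocked_users: set = field(default_factory=set)  # instance-based restriction set by the patient

def rbac_allows(req):
    return any(req.activity in ROLE_PERMISSIONS.get(r, set()) for r in req.roles)

def context_allows(req):
    allowed = ACTIVITY_LOCATIONS.get(req.activity)
    return allowed is None or req.location in allowed

def rules_allow(req, patient):
    """Logic-driven conditions (constructed): no images over untrusted networks, VIP needs attending."""
    if req.activity == "view_images" and not req.network_trusted:
        return False
    if patient.vip and req.activity == "view_images":
        return "attending_physician" in req.roles
    return True

def decide(req, patient, audit):
    """Return (allowed, reason) and append every decision to the audit list."""
    if req.emergency:  # "Patient Health First": override, but logged for later assessment
        audit.append((req.user, req.activity, "EMERGENCY_OVERRIDE"))
        return True, "emergency override"
    checks = [("rbac", rbac_allows(req)), ("context", context_allows(req)),
              ("rule", rules_allow(req, patient)),
              ("instance", req.user not in patient.blocked_users)]
    failed = [name for name, ok in checks if not ok]
    verdict = "DENY:" + ",".join(failed) if failed else "PERMIT"
    audit.append((req.user, req.activity, verdict))
    return not failed, failed[0] if failed else "all checks passed"
```

A change in a clinician's duties is then one role change instead of one edit per activity, while the patient's own restriction stays attached to the record, which is why the paper treats instance-based rights as the exception rather than the rule.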
But unlike general IT applications, in the healthcare environment IT security is not the highest goal. The implementation of security measures must always take into account the necessity to be able to deliver the required patient care. Security solutions have to account for emergency procedures and "Patient Health First".

References

[1] Security Standards (HIPAA Security Rule), Final Rule, U.S. Department of Health and Human Services (DHHS), 45 CFR Parts 160, 162, and 164 (Feb. 2003).
[2] European Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Oct. 1995).
[3] Bundesdatenschutzgesetz (German Federal Data Protection Act), Bundesgesetzblatt 2001, Nr. 23 (May 2001).
[4] Joint NEMA/COCIR/JIRA Security And Privacy Committee (SPC), Defending Medical Information Systems Against Malicious Software (Sept. 2003).
[5] ISO/IEC Standard 17799, The Information Security Standard: Information technology, Code of practice for information security management (2000).
[6] Jan van Bon, itSMF, IT Service Management: An Introduction, Bernan Associates (April 2005).
[7] Science Applications International Corporation (SAIC), Role-Based Access Control (RBAC), Role Engineering Process, Developed For The Healthcare RBAC Task Force, Version 2.0 (March 2004).
[8] B. Schneier, Fixing Security by Hacking the Business Climate, Counterpane Internet Security (June 2002).