2. Security Goals
1. Protect PHI by empowering individuals to control access to their own healthcare information.
2. Allow only fully authenticated and authorized individuals access to data.
3. Preserve integrity of network data.
4. Hold users and organizations accountable for network actions.
5. Hold each node in a network accountable for the security of the data in its custody.
6. Enable the formation of larger scale networks by securely linking together health information networks (HINs).
(NHIN Project/HIPAA/Markle Common Framework for Private and Secure HIE)
5. Security Requirements
ID | Security Requirement
R1 | Only authorized and authenticated systems shall be targets of network queries
R2 | Only authorized and authenticated users shall request data over the network
R3 | Data integrity shall be preserved within all nodes and over the network
R4 | Data confidentiality shall be protected over the network
R5 | All access to healthcare data shall be traceable to an individual or organization
R6 | Where applicable, the patient shall specify access to PHI (rules enforced on all nodes)
R7 | Requests originating in another trust domain shall be authenticated and authorized
R8 | Data and system integrity shall be preserved at each node in the network
6. Security Mechanisms
ID | Security Mechanism | Mapping
M1 | User identity management | R2, R4
M2 | User authentication | R2, R4, R6
M3 | User authorization | R5
M4 | Auditing | R5
M5 | Anonymization | R4
M6 | Secure messaging | R1, R2, R3, R4
M7 | Consent management | R6
M8 | Inter-domain security | R7
M9 | System availability and integrity protection | R8
7. Security Threats and Countermeasures
ID | Security Threat | Countermeasure | Mapping
T1 | Unauthorized user/system produces data | Identification/authentication | M1, M2
T2 | Unauthorized user/system consumes data | Identification/authentication/access control | M1, M2, M5, M6, M7, M8
T3 | Data integrity compromised at consumer/producer/intermediary level | Network, OS, application, and database controls at each node | M1, M2, M9
T4 | Data integrity compromised over network | Integrity protection (MD5, hash, checksum) | M6, A1
T5 | Data confidentiality compromised over network | Encryption over network (SSL) | M6, M7, A1
T6 | Information compromised by valid user (consumer/producer/intermediary) | Audit, organization binding, responsibility | M4, A1, A2, A3
T7 | Virus, spyware | Anti-virus, firewall, intrusion detection system (IDS) | M6, M9
T8 | Denial of service | IDS, firewall, application | M6
T9 | Identity spoofing | Client certificate based auth. (two-way SSL) | M1, M6
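The T4 row names "MD5, hash, checksum" as the integrity countermeasure over the network. An unkeyed digest only catches accidental corruption: any intermediary that can change the record can also recompute the digest, so the receiving node learns nothing about tampering. What resists tampering in transit is a keyed MAC (or the record-level integrity that a TLS session, the T5 row's SSL, already provides). The following is an added example, not code from the slides or the cited paper; the patient record, the shared key and the "altered in transit" model are constructed for the demonstration. A shared-key MAC can be produced by either node, so where the producer must be held accountable (R5, T6) a digital signature, not a MAC, is the matching control.

```python
"""Integrity over the network (T4): unkeyed digest vs keyed MAC.

Added example. The two verifiers below are what a receiving node would run;
the in-transit helpers model the two failure modes the T4 row has to cover:
random corruption (both checks catch it) and deliberate alteration (only the
keyed check catches it). Message contents and key are constructed values.
"""
import hashlib
import hmac
import json
import secrets


def seal_with_checksum(payload: bytes) -> dict:
    """Producer side, as listed in the T4 row: attach an unkeyed MD5 digest."""
    return {"payload": payload.hex(), "md5": hashlib.md5(payload).hexdigest()}


def verify_checksum(envelope: dict) -> bool:
    payload = bytes.fromhex(envelope["payload"])
    return hashlib.md5(payload).hexdigest() == envelope["md5"]


def seal_with_hmac(payload: bytes, key: bytes) -> dict:
    """Producer side with a key shared by the two nodes: HMAC-SHA256 tag."""
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.hex(), "tag": tag}


def verify_hmac(envelope: dict, key: bytes) -> bool:
    payload = bytes.fromhex(envelope["payload"])
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # constant-time comparison so the check itself leaks nothing about the tag
    return hmac.compare_digest(expected, envelope["tag"])


def corrupted_in_transit(envelope: dict, byte_index: int = 0) -> dict:
    """Accidental corruption: one bit flips, nothing else is touched."""
    payload = bytearray(bytes.fromhex(envelope["payload"]))
    payload[byte_index] ^= 0x01
    return dict(envelope, payload=bytes(payload).hex())


def altered_in_transit(envelope: dict, new_payload: bytes) -> dict:
    """Deliberate alteration by an intermediary (constructed model).

    The intermediary replaces the record and re-derives every unkeyed field it
    can. MD5 needs no secret, so it is recomputed and the checksum stays
    consistent; the HMAC tag cannot be recomputed without the key and is
    therefore left as it was.
    """
    out = dict(envelope, payload=new_payload.hex())
    if "md5" in out:
        out["md5"] = hashlib.md5(new_payload).hexdigest()
    return out


def demo() -> dict:
    """Run both verifiers against intact, corrupted and altered envelopes."""
    key = secrets.token_bytes(32)  # shared between producer and consumer node
    record = json.dumps({"patient": "TEST-0001", "allergy": "penicillin"}).encode()
    changed = json.dumps({"patient": "TEST-0001", "allergy": "none"}).encode()

    c = seal_with_checksum(record)
    h = seal_with_hmac(record, key)
    return {
        "checksum_intact": verify_checksum(c),
        "checksum_after_bitflip": verify_checksum(corrupted_in_transit(c)),
        "checksum_after_alteration": verify_checksum(altered_in_transit(c, changed)),
        "hmac_intact": verify_hmac(h, key),
        "hmac_after_bitflip": verify_hmac(h and corrupted_in_transit(h), key),
        "hmac_after_alteration": verify_hmac(altered_in_transit(h, changed), key),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:28s} accepted={outcome}")
```

The run shows the distinction the table row glosses over: the altered record passes the checksum (`checksum_after_alteration` is `True`) while the keyed check rejects it, and both checks reject the random bit flip.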
Editor's Notes
Sources
- Kailar, Rajashekar. "A security architecture for health information networks." AMIA Annual Symposium Proceedings. Vol. 2007. American Medical Informatics Association, 2007.
- Scholl, Matthew, et al. Security architecture design process for health information exchanges (HIEs). US Department of Commerce, National Institute of Standards and Technology, 2010.
- Gritzalis, Dimitris, and Costas Lambrinoudakis. "A security architecture for interconnecting health information systems." International Journal of Medical Informatics 73.3 (2004): 305-309.
- Mandl, Kenneth D., et al. "Indivo: a personally controlled health record for health information exchange and communication." BMC Medical Informatics and Decision Making 7.1 (2007): 25.
Resources
- AHRQ: The Health Information Security and Privacy Collaboration Toolkit
  http://healthit.ahrq.gov/health-it-tools-and-resources/health-information-security-and-privacy-collaboration-toolkit
- AHIMA: An IT Primer for Health Information Exchange
  http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_036239.hcsp?dDocName=bok1_036239
- HIMSS: Privacy and Security Toolkit
  http://www.himss.org/library/healthcare-privacy-security
- HealthIT.gov: Guide to Privacy and Security of Health Information
  http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
- HealthIT.gov: Information Security Policy Template
  http://www.healthit.gov/providers-professionals/implementation-resources/information-security-policy-template
- HealthIT.gov: Relevant Legal Requirements for Health Data Exchange for Health Care Organizations
  http://healthit.ahrq.gov/sites/default/files/docs/page/C_RelevantLegalRequirementsforHealthDataExchange_0.pdf
- Markle Foundation: Common Framework for Private and Secure Health Information Exchange
  http://www.markle.org/health/markle-common-framework/connecting-professionals
- Deloitte (Issue Brief): Privacy and Security in Health Care: A fresh look
  https://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/Health%20Reform%20Issues%20Briefs/US_CHS_PrivacyandSecurityinHealthCare_022111.pdf
- A Primer on Health Information Technology Standards and Data Exchange in the US today
  http://www.mhtransformation.org/documents/word/MHT_HIT_Standards_081409.doc
Security goals for HINs derived from:
- NHIN project /* National Health Information Network */
- HIPAA security and privacy rules /* Health Insurance Portability and Accountability Act */
- Connecting for Health Common Framework /* Markle Common Framework for Private and Secure Health Information Exchange */
[PHI] [PHR] [PCHR] /* "empowering individuals to control access to their own healthcare information" */
(Protected Health Information) (Personal Health Record) (Personally Controlled Health Record)
Trust Domains -> conceptually as nodes: could be a single computer on a local network, or abstracted as an organization on a larger (inter)network.
Consumer <-> Provider
Consumer <-> Intermediary <-> Provider
/* an intermediary could be a firewall, proxy, organization, or HIE as examples (depending on level of node abstraction) */
Trust Models -> centralized; distributed (transitive); federated
When the data provider and data consumer do not share a direct trust relationship, they may rely on trusted intermediaries to act as brokers. /* Transitive or Distributed Trust (i.e. partnerships) */
-----------------------------------------------------------------------------------
{garden variety networks and information systems security measures adapted/updated for the special requirements of PHI}
(Kailar, Rajashekar 2007)
Simplified ERD (Entity Relationship Diagram) => closed loop system (entity relationship model -> mandatory one-to-many relationships) /* ERD: database development and data modeling tool standard */
[Security Threats and Countermeasures] => [Security Requirements] => [Security Mechanisms] <- [Environmental Assumptions]
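The closed loop above (threats => requirements => mechanisms, with environmental assumptions feeding in) is only useful if it is actually closed, and the mapping columns in slides 6 and 7 are the data needed to check that. The following is an added example, not part of the slides or of Kailar's paper: it transcribes the page's own R/M/T tables and runs the traceability checks a reviewer would run on any such matrix: every requirement backed by some mechanism, every mechanism cited against some threat, and every countermeasure id defined somewhere. The A1-A3 ids cited in slide 7 are not defined on the page; the code reports them as undefined instead of guessing what they stand for.

```python
"""Traceability check over the slide deck's R/M/T mapping tables.

Added example. The three tables are transcribed from slides 5-7 (ids and
wording are the page's own); the analysis functions are the added part.
Ids that appear in a mapping column but are not defined in the mechanism
table (A1-A3 on the page) are reported as undefined countermeasure ids.
"""
from collections import defaultdict

REQUIREMENTS = {
    "R1": "Only authorized and authenticated systems shall be targets of network queries",
    "R2": "Only authorized and authenticated users shall request data over the network",
    "R3": "Data integrity shall be preserved within all nodes and over the network",
    "R4": "Data confidentiality shall be protected over the network",
    "R5": "All access to healthcare data shall be traceable to an individual or organization",
    "R6": "Where applicable patient shall specify access to PHI (rules enforced on all nodes)",
    "R7": "Requests originating in another trust domain shall be authenticated and authorized",
    "R8": "Data and system integrity shall be preserved at each node in the network",
}

# mechanism id -> (name, requirements it maps to)   [slide 6]
MECHANISMS = {
    "M1": ("User identity management", {"R2", "R4"}),
    "M2": ("User authentication", {"R2", "R4", "R6"}),
    "M3": ("User authorization", {"R5"}),
    "M4": ("Auditing", {"R5"}),
    "M5": ("Anonymization", {"R4"}),
    "M6": ("Secure messaging", {"R1", "R2", "R3", "R4"}),
    "M7": ("Consent management", {"R6"}),
    "M8": ("Inter-domain security", {"R7"}),
    "M9": ("System availability and integrity protection", {"R8"}),
}

# threat id -> (description, countermeasure mapping column)   [slide 7]
THREATS = {
    "T1": ("Unauthorized user/system produces data", {"M1", "M2"}),
    "T2": ("Unauthorized user/system consumes data", {"M1", "M2", "M5", "M6", "M7", "M8"}),
    "T3": ("Data integrity compromised at consumer/producer/intermediary level", {"M1", "M2", "M9"}),
    "T4": ("Data integrity compromised over network", {"M6", "A1"}),
    "T5": ("Data confidentiality compromised over network", {"M6", "M7", "A1"}),
    "T6": ("Information compromised by valid user", {"M4", "A1", "A2", "A3"}),
    "T7": ("Virus, spyware", {"M6", "M9"}),
    "T8": ("Denial of service", {"M6"}),
    "T9": ("Identity spoofing", {"M1", "M6"}),
}


def mechanisms_per_requirement():
    """Invert the M -> R mapping: which mechanisms back each requirement."""
    backing = defaultdict(set)
    for mech, (_, reqs) in MECHANISMS.items():
        for req in reqs:
            backing[req].add(mech)
    return {req: sorted(backing[req]) for req in REQUIREMENTS}


def uncovered_requirements():
    """Requirements that no mechanism maps to (a break in the closed loop)."""
    return [req for req, mechs in mechanisms_per_requirement().items() if not mechs]


def referenced_countermeasures():
    refs = set()
    for _, mapping in THREATS.values():
        refs |= mapping
    return refs


def unused_mechanisms():
    """Mechanisms defined in slide 6 but cited against no threat in slide 7."""
    return sorted(set(MECHANISMS) - referenced_countermeasures())


def undefined_countermeasures():
    """Ids cited in the threat table that the page never defines."""
    return sorted(referenced_countermeasures() - set(MECHANISMS))


def requirements_per_threat():
    """Follow T -> M -> R: which requirements each threat's countermeasures serve."""
    result = {}
    for threat, (_, mapping) in THREATS.items():
        reqs = set()
        for cm in mapping:
            if cm in MECHANISMS:  # undefined ids (A*) contribute nothing here
                reqs |= MECHANISMS[cm][1]
        result[threat] = sorted(reqs)
    return result


def report():
    lines = ["Requirement -> mechanisms"]
    for req, mechs in mechanisms_per_requirement().items():
        lines.append(f"  {req}: {', '.join(mechs) or '(none)'}")
    lines.append(f"Uncovered requirements: {uncovered_requirements() or 'none'}")
    lines.append(f"Mechanisms cited by no threat: {unused_mechanisms() or 'none'}")
    lines.append(f"Undefined countermeasure ids: {undefined_countermeasures() or 'none'}")
    lines.append("Threat -> requirements served")
    for threat, reqs in requirements_per_threat().items():
        lines.append(f"  {threat}: {', '.join(reqs)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

On the page's own data the loop is closed on the requirement side (every R1-R8 has at least one mechanism), but M3 (user authorization) is cited against no threat, A1-A3 are referenced without a definition, and T8 (denial of service) routes only through M6 to R1-R4, so nothing in the table ties denial of service to R8, the requirement that actually covers availability at each node.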
[A graphic model/visualization of the concepts in slides 3-7] /* [Tool] GraphML => yEd Graph Editor (yWorks) */
HIN Security in a Nutshell. There's more to it, but this is a solid model/framework (HIT/HIN InfoSec).
/* model/framework lacks granularity => i.e. sw security patches, nw vulnerability scans (sophisticated port-scan -> 'script kiddies'), VPN/SSH tunneling => extension of trusted domain (virtual), etc. */