INFOWAY EHRI PRIVACY & SECURITY CONCEPTUAL ARCHITECTURE V1.1

Size: px
Start display at page:

Download "INFOWAY EHRI PRIVACY & SECURITY CONCEPTUAL ARCHITECTURE V1.1"

Transcription

1 INFOWAY EHRI PRIVACY & SECURITY CONCEPTUAL ARCHITECTURE V1.1 Review and Recommendation Report to the Ontario Health Informatics Standards Council (OHISC) By: Ontario Privacy & Security Architecture January 16, 2006

2 Table of Contents Background... 2 Purpose of this Report... 2 Ontario Privacy and Security Architecture Participants... 3 Overview of the Infoway EHRi Privacy & Security Conceptual Architecture v Ontario Privacy & Security Architecture Recommendations... 4 Concluding Remarks... 7 Appendix A: List of Acronyms... 8 Appendix B: References... 9 Page 1 of 9

3 Background The Ontario Privacy and Security Architecture (OPSA) was initiated to review issues and discussions emanating from the Canada Health Infoway (Infoway) Electronic Health Record Infostructure (EHRi) Privacy and Security Conceptual Architecture (PSA) project. Working group members contributed, reviewed and validated business requirements and associated standards development (adoption, adaptation, development) generated from the pan-canadian work, as to their relevance and appropriateness for Ontario. This work supports two initiatives; Infoway projects needs and analysis in support of related upcoming initiatives or affected projects that are part of Ontario s e-health Strategy, including Ontario s eventual EHR solution. To ensure continuity of communications and analysis needs between Ontario and the Infoway stakeholders, a series of working group meetings were held. Initial feedback generated from the working group discussions has been integrated with the recent version of the architecture, v1.1 [1]. Purpose of this Report This report is intended to inform the Ontario Health Informatics Council (OHISC) on the outstanding issues and concerns identified during the review of Canada Health Infoway s Electronic Health Record Infostructure (EHRi) Privacy & Security Conceptual Architecture document v1.1 [1]. Page 2 of 9

4 Ontario Privacy and Security Architecture Participants The following stakeholders and Subject Matter Experts from Ontario were consulted in the review of the Infoway EHRi Privacy & Security Conceptual Architecture document(s). We would like to acknowledge the participants for their support and contribution in producing this report. Chair(s): Gurjeet Dosanjh... SSHA Standards Management and Business Integration Pat Jeselon... MOHLTC e-health Office Participants: Iryna Bonya... MOHLTC Strategic Policy Branch Mel Casalino... MOHLTC e-health Office Fred Carter... MOHLTC Information and Privacy Commissioner Peter Catford... Continuing Care e-health Angela Chung... SSHA Standards Management and Business Integration Danna Dobson... SSHA Standards Management and Business Integration Sharan Dosanjh... SSHA Privacy & Security Brent Fraser... MOHLTC Drug Programs Branch Julia Gallo... MOHLTC Health Information Privacy Unit Martin Green... SSHA Privacy & Security Nicole Hamacher... MOHLTC Client Registry and Identification Management Dietmar Klonikowski... MOHLTC Ontario Laboratories Information System Richard Liu... SSHA e-health Solutions Patrick Lo... Ontario MD Marion Lyver... SSHA Standards Management and Business Integration Ron McEwen... SSHA Infrastructure Services Stephen Milling... MOHLTC IT Security Policy, Human Services I&IT Cluster Kees Pouw... MOHLTC IT Security Policy, Human Services I&IT Cluster Michele Sanborn... MOHLTC Health Information Privacy Unit Angela Schroen... Continuing Care e-health Brendan Seaton... SSHA Privacy & Security Martha Turner... MOHTLC Client Registry and Identification Management Duncan Weatherston... MOHLTC Ontario Laboratories Information System Page 3 of 9

5 Overview of the Infoway EHRi Privacy & Security Conceptual Architecture v1.1 Canada Health Infoway (Infoway) has undertaken the development of an Electronic Health Record Infostructure (EHRi) Privacy and Security Conceptual Architecture (PSA) project to help ensure that future interoperable EHR systems will comply with federal/provincial/ territorial (FPT), as well as cross-jurisdictional Privacy and Security (P&S) requirements. This robust and scalable P&S architecture will also guide Infoway s future investments in EHR systems. The architecture defines the privacy and security requirements for an interoperable EHR based on existing legal and regulatory requirements, as well as national and international standards and best practices. It provides a high-level view of how different functions and components in the system interact with one another and how they will facilitate secure interoperability. Jurisdictions can use this as a guide in the development and implementation of privacy and security requirements for organizational and FPT information technology initiatives. The architecture also addresses cross-jurisdictional data protection requirements as personal health information becomes more broadly accessible to authorized healthcare professionals. Ontario Privacy & Security Architecture Recommendations OPSA acknowledges that Infoway has addressed some of the concerns and issues that the working group identified in earlier iterations of the Privacy and Security Conceptual Architecture document. The following are some of the remaining issues and concerns for Ontario that have been identified through subsequent review sessions. The security architecture addresses controls appropriate for well-behaved users, but does not provide significant architectural defenses against malicious or hostile attackers, some of whom may be, or be acting as, authorized users. Harm caused by such attackers can often not be prevented or contained by detective controls such as intrusion detection and audit. A suggestion would be to incorporate active security features in the architecture to eliminate the possibility of substantial harm by determined attackers. Consider the incorporation of real-time, inline abuse/fraud detection systems. Also, include more advanced authentication mechanisms to recognize users based on a wide range of criteria such as location, time, client system profile, usage patterns, and dynamic personal knowledge. The document implies that EHRi trusts every other EHRi. It is recognized that trust relationships should be cautious and minimal. Strength of trust should depend on evidence that trusted parties provide regarding their security management practices. Page 4 of 9

6 Instead of an implied trust model security architecture and management systems should be used to provide a basis for trust where needed and warranted. The document fails to address the requirement for the integrity of portals, since compromise of a portal could be leveraged by an attacker. With respect to the ten P&S services, there are no services included in the document to provide an assurance that privacy and security objectives and commitments are being met on an ongoing basis. This is a common problem with security architectures. One should not assume, without evidence, that individual or integrated security controls are effective and reliable. Identified services and service functions frequently address only the functions required to initiate service, and fail to address changes during operations and termination of service, that is there is a lack of a full lifecycle perspective. With reference to User Identity Management Service, it should address all attributes of people and context within organizations. It will also be necessary to capture organizational structure, positions, incumbents, roles, and authority hierarchies. One of the most challenging requirements will be the ability to implement major changes in organizational structure while maintaining appropriate access. Additionally, User Authentication Services do not address the need to manage authentication credentials throughout their lifecycle. Runtime authentication and authorization services should employ standards such as Security Assertion Markup Language (SAML) and extensible Access Control Markup Language (XACML). The architecture, as defined, references authentication tokens but the description seems quite different from SAML assertions. There is confusion between authentication tokens and the session vectors typically used as part of session management. Access control services should include services to manage authorization work flows, including persons/positions involved in the approvals process, and to report on access permissions and changes to appropriate managers so that inappropriate entitlements will be identified and corrected. In a decentralized model this further complicates the issue of permissions management. Point of Service (POS) systems will still require session management services, but may be irrelevant within EHRS due to HL7 based messaging. It can be argued that implementation of the EHRi does not necessarily exist within a uniform high trust model as assumed by the document. Authentication of POS systems by EHRS should not be needed. Authentication should be conveyed within the XML messages, which the POS must know how to do. As noted above and in the Standards Assessment document [2], user authentication to EHRS should be based on SAML. Page 5 of 9

7 Ideally, authorization of the provider should be able to leverage additional data, such as evidence (via card swipe) that the patient is present. Authorization service should enable complex, risk-based decisions aided by the widest possible range of supporting information. Authorization rules need not always be complex, but the system should support complex rules as needed. The proposed access control model utilizes system- or application-based access control. Digital Rights Management (DRM) should be considered as a major alternative. In DRM, data is encrypted and access is mediated by controlling access to decryption keys. DRM allows policy-based control, including powerful restrictions on use of information. The document fails to address how consent instructions will be enforced if consent is denied to certain users, but EHRS does not know the true identity of all users. This suggests that it is a requirement that EHRS knows, or be able to determine at runtime, the true and unique identity of all users. The document does not substantiate the importance of secure audit service components (i.e. analyze logs and detect intrusions). These are major components of the security architecture, comparable in scale to identity management or authentication, and should have comparable coverage in the architecture. These are the only services specifically designed to detect and respond to attacks. Failure to provide adequate coverage in the architecture is likely to result in inadequate implementation. There needs to be more emphasis on assurance (i.e., policies, agreements, vulnerability assessments, security inspections, managing logs). Although the document addresses the requirement to notify privacy officers and security officers of certain specific events as an essential feature of the P&S conceptual architecture, it should be broadened to address reporting to responsible business managers at different levels of detail in order to enable effective management oversight and risk management, and to provide assurance that security controls are achieving objectives. The document identifies a provider registry as containing regulated providers information only, leaving unregulated providers to be contained within a user registry. However, both regulated and unregulated providers should in fact be contained in a provider registry; a user registry should only contain authorized providers, regulated and unregulated, that have a need to access jurisdictional systems. These users will be authenticating against a provider registry. The document generalizes that provider information is classified as personal information, where as in fact it can be categorized as business information. For example, provider s financial information requires further protection. Most of this needs to be posted in a directory that is available for , blue pages, Public Key Infrastructure (PKI), and etc., which is not discussed in the architecture document. Some attempt should be made to rationalize on the number of personal identifiers. There may be a requirement for the Enterprise Master Patient Index (EMPI) to support this in a provider registry environment. Page 6 of 9

8 The document claims that there are no minimum standards for authentication for access to systems containing Personal Health Information (PHI) exists in Canada. One recommendation would be to look at the National Institute of Standards and Technology s (NIST) recently published document on an authentication standard that uses different levels of authentication [3]. The document suggests that digital signatures should be assigned to electronic health record entries in addition to digital signatures for documents. Also recommended is the incorporation of a digital signature to EHRi messaging service. In general the document does not address many of the Information Technology Infrastructure Library / Information Technology Service Management (ITIL/ITSM) processes, such as Incident Response, Change Management, etc. Concluding Remarks Understanding that this is a conceptual Privacy & Security architecture document it is possible that the target architecture will not be feasible or affordable to implement; the technology being contemplated has not been proven; there will be an enormous amount of overhead in the privacy and security controls, the XML messages and cryptography; the overhead could well account for percent of the effort and cost. The architecture document oversimplifies many aspects of the identified security services. By doing so, implementation of the services is made to look relatively straightforward. Implementation of full-featured services that address the entire life cycle that can cope with both diversity and change will be much more complex than implied. Identity management, authentication, authorization, access management, and effective audit all pose enormous challenges to large organizations that try to implement them. This architecture anticipates achievements that are well beyond current capabilities. Nowadays, the primary route of attack is through malware or other compromises to the end-user s workstation. The proposed architecture has very little to protect against such attacks. While it would not eliminate overhead costs, consideration should be given to server-based solutions, in which users have terminal interfaces to POS software. Page 7 of 9

9 Appendix A: List of Acronyms Acronym DRM HER EHRi EHRS EMPI FPT HL7 ITIL/ITSM NIST OPSA P&S PHI PKI POS PSA SAML XACML XML Definition Digital Rights Management Electronic Health Record Electronic Health Record Infostructure Electronic Health Record Solution Enterprise Master Patient Index Federal/Provincial/Territorial Health Level Seven Information Technology Infrastructure Library / Information Technology Service Management (American) National Institute for Standards in Technology Ontario Privacy and Security Architecture Privacy & Security Personal Health Information Public Key Infrastructure Point of Service Privacy and Security Conceptual Architecture Security Assertion Markup Language extensible Access Control Markup Language Extensible Markup Language Page 8 of 9

10 Appendix B: References 1. Canada Health Infoway. Electronic Health Record Infostructure (EHRi) Privacy and Security Conceptual Architecture Version 1.1, June Canada Health Infoway. Electronic Health Record (EHR), Privacy and Security Standards Assessment, June National Institute for Standards in Technology. Special Publication (SP) , Electronic Authentication Guideline, August Page 9 of 9

SOA in the pan-canadian EHR

SOA in the pan-canadian EHR SOA in the pan-canadian EHR Dennis Giokas Chief Technology Officer Solution Architecture Group Canada Health Infoway Inc. 1 Outline Infoway EHR Solution EHRS Blueprint Approach EHR Standards Oriented Architecture

More information

Privacy and Security within an Interoperable EHR

Privacy and Security within an Interoperable EHR 1 Privacy and Security within an Interoperable EHR Stan Ratajczak Director Privacy and Security Solutions Architecture Group November 30, 2005 Electronic Health Information and Privacy Conference Ottawa

More information

Electronic Health Record (EHR) Privacy and Security Requirements

Electronic Health Record (EHR) Privacy and Security Requirements Draft for discussion Electronic Health Record (EHR) Privacy and Security s Reviewed with Jurisdictions and Providers V1.1 Montreal November 30, 2004 Revised February 7, 2005 Preface This version 1.1 of

More information

Electronic Health Record Infostructure (EHRi)

Electronic Health Record Infostructure (EHRi) Electronic Health Record Infostructure (EHRi) Privacy and Security Conceptual Architecture Version 1.1 June 2005 Privacy and Security Conceptual Architecture Version 1.1 Copyright 2005 Canada Health Infoway

More information

Privacy & Security Requirements: from EHRs to PHRs

Privacy & Security Requirements: from EHRs to PHRs Privacy & Security Requirements: from EHRs to PHRs Oct 28, 2010 Presented by André Carrington, P.Eng, CISSP, CISM, CISA, CIPP/C Director, Implementation, Privacy & Security, SPS Purpose As suggested by

More information

For ONC S&I DS4P. Dennis Giokas Chief Technology Officer Canada Health Infoway Inc. January 25, 2012

For ONC S&I DS4P. Dennis Giokas Chief Technology Officer Canada Health Infoway Inc. January 25, 2012 For ONC S&I DS4P Dennis Giokas Chief Technology Officer Canada Health Infoway Inc. January 25, 2012 1 Outline EHR Business Architecture EHR Solution Blueprint EHR Privacy and Security Summary & Conclusion

More information

White Paper Delivering Web Services Security: The Entrust Secure Transaction Platform

White Paper Delivering Web Services Security: The Entrust Secure Transaction Platform White Paper Delivering Web Services Security: September 2003 Copyright 2003 Entrust. All rights reserved. Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries.

More information

SECURITY INFRASTRUCTURE Standards and implementation practices for protecting the privacy and security of shared genomic and clinical data

SECURITY INFRASTRUCTURE Standards and implementation practices for protecting the privacy and security of shared genomic and clinical data Global Alliance for Genomics and Health SECURITY INFRASTRUCTURE Standards and implementation practices for protecting the privacy and security of shared genomic and clinical data VERSION 1.1 March 12,

More information

NIST s Guide to Secure Web Services

NIST s Guide to Secure Web Services NIST s Guide to Secure Web Services Presented by Gaspar Modelo-Howard and Ratsameetip Wita Secure and Dependable Web Services National Institute of Standards and Technology. Special Publication 800-95:

More information

SOA in the pan-canadian EHR

SOA in the pan-canadian EHR SOA in the pan-canadian EHR Dennis Giokas Chief Technology Officer Solutions Products and Group Canada Health Infoway Inc. 1 Outline Infoway EHR Solution EHRS Blueprint Overview Oriented Architecture Business

More information

Canada Health Infoway

Canada Health Infoway Canada Health Infoway EHR s in the Canadian Context June 7, 2005 Mike Sheridan, COO Canada Health Infoway Healthcare Renewal In Canada National Healthcare Priorities A 10-year Plan to Strengthen Healthcare

More information

E-HEALTH PLATFORMS AND ARCHITECTURES

E-HEALTH PLATFORMS AND ARCHITECTURES E-HEALTH PLATFORMS AND ARCHITECTURES E-Government Andreas Meier Nicolas Werro University of Fribourg Alfredo Santa Cruz 19.01.2007 Contents 1. Introduction 2. Existing Capabilities and Strategic Approach

More information

Strengthen security with intelligent identity and access management

Strengthen security with intelligent identity and access management Strengthen security with intelligent identity and access management IBM Security solutions help safeguard user access, boost compliance and mitigate insider threats Highlights Enable business managers

More information

Appendix B: Existing Guidance to Support HIE Implementation Opportunities

Appendix B: Existing Guidance to Support HIE Implementation Opportunities Appendix B: Existing Guidance to Support HIE Implementation Opportunities APPENDIX B: EXISTING GUIDANCE TO SUPPORT HIE IMPLEMENTATION OPPORTUNITIES There is an important opportunity for the states and

More information

Service management White paper. Manage access control effectively across the enterprise with IBM solutions.

Service management White paper. Manage access control effectively across the enterprise with IBM solutions. Service management White paper Manage access control effectively across the enterprise with IBM solutions. July 2008 2 Contents 2 Overview 2 Understand today s requirements for developing effective access

More information

Delivery date: 18 October 2014

Delivery date: 18 October 2014 Genomic and Clinical Data Sharing Policy Questions with Technology and Security Implications: Consensus s from the Data Safe Havens Task Team Delivery date: 18 October 2014 When the Security Working Group

More information

Empowering Patients and Enabling Providers

Empowering Patients and Enabling Providers Empowering Patients and Enabling Providers WITH HEALTH INFORMATION PRIVACY Terry Callahan - Managing Director Agenda About HIPAAT Provider of consent management and auditing for personal/protected health

More information

White Paper The Identity & Access Management (R)evolution

White Paper The Identity & Access Management (R)evolution White Paper The Identity & Access Management (R)evolution Federation and Attribute Based Access Control Page 2 A New Perspective on Identity & Access Management Executive Summary Identity & Access Management

More information

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity

More information

Identity Management for Interoperable Health Information Exchanges

Identity Management for Interoperable Health Information Exchanges Identity Management for Interoperable Health Information Exchanges Presented to the NASMD Medicaid Transformation Grants HIE Workgroup - March 26, 2008 Presented by: John (Mike) Davis, Department of Veterans

More information

Nationwide and Regional Health Information Networks and Federated Identity for Authentication and HIPAA Compliance

Nationwide and Regional Health Information Networks and Federated Identity for Authentication and HIPAA Compliance Nationwide and Regional Health Information Networks and Federated Identity for Authentication and HIPAA Compliance Christina Stephan, MD Co-Chair Liberty Alliance ehealth SIG National Library of Medicine

More information

Glossary of Key Terms

Glossary of Key Terms and s Branch Glossary of Key Terms The terms and definitions listed in this glossary are used throughout the s Package to define key terms in the context of. Access Control Access The processes by which

More information

Richard Gadsden Information Security Office Office of the CIO Information Services

Richard Gadsden Information Security Office Office of the CIO Information Services Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO Information Services Sharon Knowles Information Assurance Compliance MUSC Medical Center

More information

Healthcare Interoperability Between Canada and the United States

Healthcare Interoperability Between Canada and the United States Healthcare Interoperability Between Canada and the United States A Presentation to IAPP Canada Privacy Symposium May 9, 2014 Rick Shields - nnovation LLP and Joan Roch Canada Health Infoway 1 This is not

More information

Introduction to SAML

Introduction to SAML Introduction to THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY Introduction to Introduction In today s world of rapidly expanding and growing software development; organizations, enterprises and governments

More information

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in InCommon Federation ( Federation ) enables the participant to use Shibboleth identity attribute sharing technologies to manage access

More information

GFIPM & NIEF Single Sign-on Supporting all Levels of Government

GFIPM & NIEF Single Sign-on Supporting all Levels of Government GFIPM & NIEF Single Sign-on Supporting all Levels of Government Presenter: John Ruegg, Director LA County Information Systems Advisory Body (ISAB) & Chair, Global Federated ID & Privilege Management (GFIPM)

More information

Driving Company Security is Challenging. Centralized Management Makes it Simple.

Driving Company Security is Challenging. Centralized Management Makes it Simple. Driving Company Security is Challenging. Centralized Management Makes it Simple. Overview - P3 Security Threats, Downtime and High Costs - P3 Threats to Company Security and Profitability - P4 A Revolutionary

More information

James Williams Ontario Telemedicine Network

James Williams Ontario Telemedicine Network James Williams Ontario Telemedicine Network Objec&ves: 1. Review policy constraints for EHR systems. 2. Traditional approaches to policies in EHRs. 3. CHI consent management architecture. 4. Current research.

More information

Cloud-based Identity and Access Control for Diagnostic Imaging Systems

Cloud-based Identity and Access Control for Diagnostic Imaging Systems Cloud-based Identity and Access Control for Diagnostic Imaging Systems Weina Ma and Kamran Sartipi Department of Electrical, Computer and Software Engineering University of Ontario Institute of Technology

More information

Ensuring Security in Cloud with Multi-Level IDS and Log Management System

Ensuring Security in Cloud with Multi-Level IDS and Log Management System Ensuring Security in Cloud with Multi-Level IDS and Log Management System 1 Prema Jain, 2 Ashwin Kumar PG Scholar, Mangalore Institute of Technology & Engineering, Moodbidri, Karnataka1, Assistant Professor,

More information

Developing the Corporate Security Architecture. www.avient.ca Alex Woda July 22, 2009

Developing the Corporate Security Architecture. www.avient.ca Alex Woda July 22, 2009 Developing the Corporate Security Architecture www.avient.ca Alex Woda July 22, 2009 Avient Solutions Group Avient Solutions Group is based in Markham and is a professional services firm specializing in

More information

SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS

SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS Karen Scarfone, Editor Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Many people

More information

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity

More information

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES

FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES FIVE KEY CONSIDERATIONS FOR ENABLING PRIVACY IN HEALTH INFORMATION EXCHANGES The implications for privacy and security in the emergence of HIEs The emergence of health information exchanges (HIE) is widely

More information

Sygate Secure Enterprise and Alcatel

Sygate Secure Enterprise and Alcatel Sygate Secure Enterprise and Alcatel Sygate Secure Enterprise eliminates the damage or loss of information, cost of recovery, and regulatory violation due to rogue corporate computers, applications, and

More information

GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT

GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute of Standards and Technology A comprehensive approach

More information

VA Office of Inspector General

VA Office of Inspector General VA Office of Inspector General OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Management Act Audit for Fiscal Year 2013 May 29, 2014 13-01391-72 ACRONYMS AND

More information

Cloud Computing Technologies Achieving Greater Trustworthiness and Resilience

Cloud Computing Technologies Achieving Greater Trustworthiness and Resilience Cloud Computing Technologies Achieving Greater Trustworthiness and Resilience Cloud Standards Customer Council Public Sector Cloud Summit March 24, 2014 Dr. Ron Ross Computer Security Division Information

More information

Effective End-to-End Cloud Security

Effective End-to-End Cloud Security Effective End-to-End Cloud Security Securing Your Journey to the Cloud Trend Micro SecureCloud A Trend Micro & VMware White Paper August 2011 I. EXECUTIVE SUMMARY This is the first paper of a series of

More information

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity

More information

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute

More information

The EHR Agenda in Canada

The EHR Agenda in Canada The EHR Agenda in Canada IHE Workshop June 28, 2005 Dennis Giokas, Chief Technology Officer Agenda Background on Canadian Healthcare System About Canada Health Infoway Interoperable EHR Solution Definitions

More information

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006 Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates September 2006 Copyright 2006 Entrust. All rights reserved. www.entrust.com Entrust is a registered trademark

More information

GOVERNANCE OPTIMIZATION

GOVERNANCE OPTIMIZATION GOVERNANCE OPTIMIZATION Hire Wire EHR Governance Balancing Needs of Internal and External Stakeholders Peter Bascom, Chief Architect, ehealth Ontario Julia Peters, Director, ehealth Ontario. 1 Today s

More information

How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1

How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1 How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1 2 How does IBM deliver cloud security? Contents 2 Introduction 3 Cloud governance 3 Security governance, risk management

More information

OpenHRE Security Architecture. (DRAFT v0.5)

OpenHRE Security Architecture. (DRAFT v0.5) OpenHRE Security Architecture (DRAFT v0.5) Table of Contents Introduction -----------------------------------------------------------------------------------------------------------------------2 Assumptions----------------------------------------------------------------------------------------------------------------------2

More information

Security Services. 30 years of experience in IT business

Security Services. 30 years of experience in IT business Security Services 30 years of experience in IT business Table of Contents 1 Security Audit services!...!3 1.1 Audit of processes!...!3 1.1.1 Information security audit...3 1.1.2 Internal audit support...3

More information

Personal Health Information Privacy Policy

Personal Health Information Privacy Policy Personal Health Information Privacy Policy Privacy Office Document ID: 2478 Version: 6.2 Owner: Chief Privacy Officer Sensitivity Level: Low Copyright Notice Copyright 2014, ehealth Ontario All rights

More information

Cyber Security Risk Management: A New and Holistic Approach

Cyber Security Risk Management: A New and Holistic Approach Cyber Security Risk Management: A New and Holistic Approach Understanding and Applying NIST SP 800-39 WebEx Hosted by: Business of Security and Federal InfoSec Forum April 12, 2011 Dr. Ron Ross Computer

More information

ITL BULLETIN FOR JULY 2012. Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance

ITL BULLETIN FOR JULY 2012. Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance ITL BULLETIN FOR JULY 2012 Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance Paul Turner, Venafi William Polk, Computer Security Division, Information

More information

Certification Report

Certification Report Certification Report McAfee Network Security Platform v7.1 (M-series sensors) Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification

More information

Compliance and Security Solutions

Compliance and Security Solutions Content-aware Compliance and Security Solutions for Microsoft SharePoint SharePoint and the ECM Challenge The numbers tell the story. According to the consulting firm Doculabs, 80 percent of the information

More information

CryptoNET: Security Management Protocols

CryptoNET: Security Management Protocols CryptoNET: Security Management Protocols ABDUL GHAFOOR ABBASI, SEAD MUFTIC CoS, School of Information and Communication Technology Royal Institute of Technology Borgarfjordsgatan 15, SE-164 40, Kista,

More information

The problem of cloud data governance

The problem of cloud data governance The problem of cloud data governance Vasilis Tountopoulos, Athens Technology Center S.A. (ATC) CSP EU Forum 2014 - Thursday, 22 nd May, 2014 Focus on data protection in the cloud Why data governance in

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name: Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

Direct Secure Messaging: Improving the Secure and Interoperable Exchange of Health Information

Direct Secure Messaging: Improving the Secure and Interoperable Exchange of Health Information Direct Secure Messaging: Improving the Secure and Interoperable Exchange of Health Information Within the healthcare industry, the exchange of protected health information (PHI) is governed by regulations

More information

A Blueprint for Digital Health

A Blueprint for Digital Health A Blueprint for Digital Health Beyond the EHR Presented by: Ron Parker Group Director Emerging Technologies Canada Health Infoway Inc. ehealth 2014 June 4, 2014 The EHRS Blueprint The EHR Solutions (EHRS)

More information

Industrial-Strength Interoperability Platform for Health (IOP-H)

Industrial-Strength Interoperability Platform for Health (IOP-H) Industrial-Strength Interoperability Platform for Health (IOP-H) Pierre Coderre To sustain the evolution toward pan-canadian electronic health records, Fujitsu was mandated to develop the InterOperability

More information

HIPAA: Compliance Essentials

HIPAA: Compliance Essentials HIPAA: Compliance Essentials Presented by: Health Security Solutions August 15, 2014 What is HIPAA?? HIPAA is Law that governs a person s ability to qualify immediately for health coverage when they change

More information

OntarioMD Inc. Electronic Medical Records EMR SPECIFICATION FINAL. Date: January 17, 2011 Version: 4.0. 2007-2011 OntarioMD Inc. All rights reserved

OntarioMD Inc. Electronic Medical Records EMR SPECIFICATION FINAL. Date: January 17, 2011 Version: 4.0. 2007-2011 OntarioMD Inc. All rights reserved OntarioMD Inc. Electronic Medical Records EMR SPECIFICATION FINAL Date: January 17, 2011 Version: 4.0 2007-2011 OntarioMD Inc. All rights reserved TABLE OF CONTENTS 1. ADMINISTRATIVE INFORMATION... 3 1.1

More information

Mobile Security. Policies, Standards, Frameworks, Guidelines

Mobile Security. Policies, Standards, Frameworks, Guidelines Mobile Security Policies, Standards, Frameworks, Guidelines Guidelines for Managing and Securing Mobile Devices in the Enterprise (SP 800-124 Rev. 1) http://csrc.nist.gov/publications/drafts/800-124r1/draft_sp800-124-rev1.pdf

More information

Security Architecture Whitepaper

Security Architecture Whitepaper Security Architecture Whitepaper 2015 by Network2Share Pty Ltd. All rights reserved. 1 Table of Contents CloudFileSync Security 1 Introduction 1 Data Security 2 Local Encryption - Data on the local computer

More information

University System of Maryland University of Maryland, College Park Division of Information Technology

University System of Maryland University of Maryland, College Park Division of Information Technology Audit Report University System of Maryland University of Maryland, College Park Division of Information Technology December 2014 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND

More information

Guideline on Auditing and Log Management

Guideline on Auditing and Log Management CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius

More information

Building Reference Security Architecture

Building Reference Security Architecture Information Security, Privacy and Compliance Building Reference Security Architecture Bob Steadman, Sr. Director Predrag Zivic, Sr. Security Architect Information Security Too many organizations still

More information

Canada's Global Viewpoint: Emerging Technologies and Healthcare Interoperability

Canada's Global Viewpoint: Emerging Technologies and Healthcare Interoperability Canada's Global Viewpoint: Emerging Technologies and Healthcare Interoperability Ron G. Parker, Group Director Canada Health Infoway Inc. 1/31/2013 www.iheusa.org 1 About The Speaker 2 28 years in IT/IM

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name: University of Lethbridge 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and accurate identity attributes to resources

More information

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Executive Summary Today s Healthcare industry is facing complex privacy and data security requirements. The movement

More information

Managing Security and Privacy Risk in Healthcare Applications

Managing Security and Privacy Risk in Healthcare Applications Managing Security and Privacy Risk in Healthcare Applications 5 th Annual OCR / NIST HIPAA Security Rule Conference June 6, 2012 Dr. Ron Ross Computer Security Division Information Technology Laboratory

More information

Certification Report

Certification Report Certification Report EAL 2 Evaluation of with Gateway and Key Management v2.9 running on Fedora Core 6 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria

More information

BACKGROUND PAPER REGULATION OF THE SECURITY OF ELECTRONIC HEALTH RECORDS

BACKGROUND PAPER REGULATION OF THE SECURITY OF ELECTRONIC HEALTH RECORDS BACKGROUND PAPER REGULATION OF THE SECURITY OF ELECTRONIC HEALTH RECORDS David M. W. Young Partner, Lang Michener LLP with the assistance of Fern Karsh, student-at-law Presented to Shared Risks, Shared

More information

elearning for Secure Application Development

elearning for Secure Application Development elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security

More information

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper Regulatory Compliance Solutions for Microsoft Windows IT Security Controls Supporting DHS HIPAA Final Security Rules Health Insurance Portability and Accountability Act Enterprise Compliance Auditing &

More information

Security in Internet of Things using Delegation of Trust to a Provisioning Server

Security in Internet of Things using Delegation of Trust to a Provisioning Server Security in Internet of Things using Delegation of Trust to a Provisioning Server Architecture overview Peter Waher Clayster Laboratorios Chile S.A, Blanco 1623, of. 1402, Valparaíso, Chile peter.waher@clayster.com

More information

Securing the Healthcare Enterprise for Compliance with Cloud-based Identity Management

Securing the Healthcare Enterprise for Compliance with Cloud-based Identity Management Securing the Healthcare Enterprise for Compliance with Cloud-based Identity Management Leveraging Common Resources and Investments to Achieve Premium Levels of Security Summary The ecosystem of traditional

More information

Electronic Health Records: A Global Perspective. Overview

Electronic Health Records: A Global Perspective. Overview Electronic Health Records: A Global Perspective Overview Steve Arnold, MD, MS, MBA, CPE Joseph Wagner, MPA, FHIMSS Susan J Hyatt, BSc (PT), MBA Gary M. Klein, MD, MPH, MBA And the Global EHR Task Force

More information

Securing Enterprise: Employability and HR

Securing Enterprise: Employability and HR 1 Securing Enterprise: Employability and HR Federation and XACML as Security and Access Control Layer Open Standards Forum 2 Employability and HR Vertical Multiple Players - Excellent case for federation

More information

Structuring the Chief Information Security Officer Organization

Structuring the Chief Information Security Officer Organization Structuring the Chief Information Security Officer Organization December 1, 2015 Julia Allen Nader Mehravari Cyber Risk and Resilience Management Team CERT Division Software Engineering Institute Carnegie

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name: Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and

More information

XACML and Access Management. A Business Case for Fine-Grained Authorization and Centralized Policy Management

XACML and Access Management. A Business Case for Fine-Grained Authorization and Centralized Policy Management A Business Case for Fine-Grained Authorization and Centralized Policy Management Dissolving Infrastructures A recent Roundtable with CIOs from a dozen multinational companies concurred that Identity &

More information

ONEID IDENTITY & ACCESS SERVICES. Ron Soper & Alan Douthwaite

ONEID IDENTITY & ACCESS SERVICES. Ron Soper & Alan Douthwaite ONEID IDENTITY & ACCESS SERVICES Ron Soper & Alan Douthwaite Today s session What is ONEID & Why do I care? Why is ONEID Important to the ehr? How does ONEID get the job done? 2 What is ONEID Province

More information

ACCESS RIGHTS MANAGEMENT Securing Assets for the Financial Services Sector

ACCESS RIGHTS MANAGEMENT Securing Assets for the Financial Services Sector ACCESS RIGHTS MANAGEMENT Securing Assets for the Financial Services Sector V.2 Final Draft May 1, 2014 financial_nccoe@nist.gov This revision incorporates comments from the public. Page Use case 1 Comments

More information

Title Draft Pan-Canadian Primary Health Care Electronic Medical Record Content Standard, Version 2.0 Data Extract Specifi cation Business View

Title Draft Pan-Canadian Primary Health Care Electronic Medical Record Content Standard, Version 2.0 Data Extract Specifi cation Business View pic Title Draft Pan-Canadian Primary Health Care Electronic Medical Record Content Standard, Version 2.0 Data Extract Specifi cation Business View Primary Health Care Who We Are Established in 1994, CIHI

More information

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics HIPAA SERIES Topics 1. 101 for Covered Entities 2. Standards - Administrative Safeguards 3. Standards - Physical Safeguards 4. Standards - Technical Safeguards 5. Standards - Organizational, Policies &

More information

ITL BULLETIN FOR MARCH 2012 GUIDELINES FOR IMPROVING SECURITY AND PRIVACY IN PUBLIC CLOUD COMPUTING

ITL BULLETIN FOR MARCH 2012 GUIDELINES FOR IMPROVING SECURITY AND PRIVACY IN PUBLIC CLOUD COMPUTING ITL BULLETIN FOR MARCH 2012 GUIDELINES FOR IMPROVING SECURITY AND PRIVACY IN PUBLIC CLOUD COMPUTING Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute

More information

Enterprise Key Management: A Strategic Approach ENTERPRISE KEY MANAGEMENT A SRATEGIC APPROACH. White Paper February 2010 www.alvandsolutions.

Enterprise Key Management: A Strategic Approach ENTERPRISE KEY MANAGEMENT A SRATEGIC APPROACH. White Paper February 2010 www.alvandsolutions. Enterprise Key Management: A Strategic Approach ENTERPRISE KEY MANAGEMENT A SRATEGIC APPROACH White Paper February 2010 www.alvandsolutions.com Overview Today s increasing security threats and regulatory

More information

Health Record Banking Alliance White Paper

Health Record Banking Alliance White Paper Health Record Banking Alliance White Paper A Proposed National Infrastructure for HIE Using Personally Controlled Records January 4, 2013 Table of Contents Executive Summary...3 I. Overview...5 II. Architectural

More information

CIHI Submission: 2011 Prescribed Entity Review

CIHI Submission: 2011 Prescribed Entity Review pic pic CIHI Submission: 2011 Prescribed Entity Review October 2011 Who We Are Established in 1994, CIHI is an independent, not-for-profit corporation that provides essential information on Canada s health

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus Information Technology Engineers Examination Information Security Specialist Examination (Level 4) Syllabus Details of Knowledge and Skills Required for the Information Technology Engineers Examination

More information

WEB SERVICES SECURITY

WEB SERVICES SECURITY WEB SERVICES SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

Cloud Security Who do you trust?

Cloud Security Who do you trust? Thought Leadership White Paper Cloud Computing Cloud Security Who do you trust? Nick Coleman, IBM Cloud Security Leader Martin Borrett, IBM Lead Security Architect 2 Cloud Security Who do you trust? Cloud

More information

Data Security and Healthcare

Data Security and Healthcare Data Security and Healthcare Complex data flows Millions of electronic medical records across many systems New and emerging business relationships Changing and maturing compliance frameworks Diverse population

More information

Electronic Health Record Privacy Policies

Electronic Health Record Privacy Policies Electronic Health Record Privacy Policies Table of Contents 1. Access and Correction Policy v1.1 2. Assurance Policy v1.1 3. Consent Management Policy v1.2 4. Inquiries and Complaints Policy v1.1 5. Logging

More information

Extending Threat Protection and Control to Mobile Workers with Cloud-Based Security Services > White Paper

Extending Threat Protection and Control to Mobile Workers with Cloud-Based Security Services > White Paper with Cloud-Based Security Services > White Paper It s a phenomenon and a fact: employees are always on today. They connect to the network whenever they want, from wherever they happen to be, with laptops,

More information

HiSoftware Policy Sheriff. SP HiSoftware Security Sheriff SP. Content-aware. Compliance and Security Solutions for. Microsoft SharePoint

HiSoftware Policy Sheriff. SP HiSoftware Security Sheriff SP. Content-aware. Compliance and Security Solutions for. Microsoft SharePoint HiSoftware Policy Sheriff SP HiSoftware Security Sheriff SP Content-aware Compliance and Security Solutions for Microsoft SharePoint SharePoint and the ECM Challenge The numbers tell the story. According

More information