Managing e-health data: Security management. Marc Nyssen Medical Informatics VUB Master in Health Telematics KIST

Transcription

1 Managing e-health data: Security management Marc Nyssen Medical Informatics VUB Master in Health Telematics KIST

2 Structure of the presentation Data management: need for a clear vision Critical success factors Purpose of the data security management process Relevant standards: the ISO27000 family The ISO approach ISO and ISO27799 guidelines ISO27005 risk analysis Practical approach E-healtht: security managment 2

3 Data management: need for a clear vision information is being modelled in such a way that the model fits in as closely as possible with the real world, in order to allow multifunctional use of information information is collected from citizens and companies only once by the government as a whole, via a channel chosen by the citizens and the companies, preferably from application to application, and with the possibility of quality control by the supplier before the transmission of the information the collected information is validated once according to established task sharing criteria, by the actor that is most entitled to it or by the actor which has the greatest interest in correctly validating it a task sharing model is established indicating which actor stores which information as an authentic source, manages the information and maintains it at the disposal of the authorized users E-healtht: security managment 3

4 Data management: need for a clear vision information can be flexibly assembled according to ever changing legal concepts every actor has to report probable errors of information to the actor that is designated to validate the information every actor that has to validate information according to the agreed task sharing model, has to examine the reported probable errors, to correct them when necessary and to communicate the correct information to every known interested actor once collected and validated, information is stored, managed and exchanged electronically to avoid transcribing and re-entering it manually electronic information exchange can be initiated by - the actor that disposes of information - the actor that needs information - the service integrator that manages the interoperability framework E-healtht: security managment 4

5 Common vision on information management electronic information exchanges take place on the base of a functional and technical interoperability framework that evolves permanently but gradually according to open market standards, and is independent from the methods of information exchange available information is used for - the automatic granting of benefits - prefilling when collecting information E-healtht: security managment 5

6 Service Oriented Architecture Presentation Applications Business services Basic services Data E-healtht: security managment 6

7 Multifunctional basic services user & access mgt routing transformation ticketing decision rules orchestration state machine logging E-healtht: security managment 7

8 Application integration Clients Application Application Application Exposed services Service Bus Orchestration Orchestration Application integration and monitoring Consulted services Providers Application Application Application E-healtht: security managment 8

9 Critical success factors appropriate balance between efficiency on the one hand and information security and privacy protection on the other quick wins combined with long term vision technical and semantic interoperability legal framework adaptability to an ever changing societal and legal environment creation of a network of service integrators that stimulate, co-ordinate and assure a sound program and project management sufficient financial means for innovation: agreed possibility to reinvest efficiency gains in innovation service oriented architecture (SOA) E-healtht: security managment 9

10 Critical success factors need for radical cultural change within government, e.g. - from hierarchy to participation and team work - meeting the needs of the customer, not the government - empowering rather than serving - rewarding entrepreneurship within government - ex post evaluation on output, not ex ante control of every input when necessary, support of and access to policymakers at the highest level E-healtht: security managment 10

11 Common vision on information security security, availability, integrity and confidentiality of information is ensured by integrated structural, institutional, organizational, HR, technical and other security measures according to agreed policies personal information is only used for purposes compatible with the purposes of the collection of the information personal information is only accessible to authorized actors and users according to business needs, legislative or policy requirements the access authorization to personal information is granted by an independent Sectoral Committee of the Privacy Commission, designated by Parliament, after having checked whether the access conditions are met the access authorizations are public E-healtht: security managment 11

12 Common vision on information security every actual electronic exchange of personal information has to pass an independent trusted third party (basically the service integrator) and is preventively checked on compliance with the existing access authorizations by that trusted third party every actual electronic exchange of personal information is logged, to be able to trace possible abuse afterwards every time information is used to take a decision, the information used is communicated to the person concerned together with the decision every person has right to access and correct his/her own personal data every actor disposes of an information security officer with an advisory, stimulating, documentary and control task E-healtht: security managment 12

13 Purpose of the data secutity management process All data security aspects are identified, all risks evaluated, appropriate actions planned and all this backed by the management How to implement security management? Find our relevant methodology (internationally recognized) Which are the relevant standards? Learn the philosophy behind these standards Evaluate the relevance for your field/ Apply in a reasonable way With your own resources? Making use of consultants? Remain in control! E-healtht: security managment 13

14 Purpose of the data secutity management process A (standardized) process rather than fixed in time ISO method: can be screened Not a guarantee for security! Guarantee (if applied well) for documentation / controlability Make use of experiences by others (risks lists, countermeasures,...) Apply in a reasonable way With your own resources?.. toolkits Making use of consultants? Remain in control! E-healtht: security managment 14

15 Relevant standards: the ISO27000 family The ISO27000 timeline 1992: Dept. of Trade and Industry (UK) 'Code of Practice for Information Security Management 1995: British Standards Institute: BS : enhanced BS : BS 7799 amended and becomes ISO/IEC : BS published: in line with management standards as ISO : ISO improved and into ISO 27001/ISO including ISMS (Information Security Management System) 2008: ISO 2005: risk management continuous development... E-healtht: security managment 15

16 Relevant standards: the ISO27000 family The ISO27000 standards: ISO Principles and concepts published 09 ISO Certification requirements for ISMS Published 05 ISO Code of practice Published 05 ISO IS management metric Published 08 ISO Risk management Published 08 ISO Certification. registration process Published 08 ISO ISMS implementation guide Proposed ISO Guideline for auditing IMSM's Proposed ISO Guidelines for auditors Proposed ISO Guidelines for inter-sector communication Proposed ISO Guidelines for telecommunication Proposed ISO Guideline for implementing and Proposed ISO Information security governance Proposed Several sector-specific standards are pending E-healtht: security managment 16

17 Relevant standards: the ISO27000 family E-healtht: security managment 17

18 The ISO27001 approach ISO Information Security Management Systems Requirements Standard specification for information Security Management Systems (ISMS): the process by which senior management can control their security, minimizing the residual business risk and ensuring that security continues to fulfill corporate, customer and legal requirements The means an organization is certified to a quality system of implementing the best practice security controls Organized arount the Plan Do Check Act cycle to ensure continuous review and improvement Aligned with ISO 9000 E-healtht: security managment 18

19 The ISO27001 approach ISO Information Security Management Systems Requirements clauses Framework Responsibility Audits/Review Improvements Annex A- Control objectives and controls 39 Control Objectives 133 Controls E-healtht: security managment 19

20 The ISO27001 approach: terms and definitions 3.1 asset: anything that has value for the organization 3.2 availability: the property of being accessible and usable upon demand by an authorized entity 3.3 confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities or processes 3.4 information security: preservation of confidentiality, integrity and availability of information; in addition other properties such as authenticity, accountability, non-repudiation and reliability can be involved E-healtht: security managment 20

21 The ISO27001 approach: terms and definitions 3.5 information security event: an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant 3.6 information security incident: a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security 3.7 information security management system ISMS: that part of the overall management system, based on a business risk approach to establish, implement, operate, monitor, review, maintain and improve information security 3.8 integrity: the property of safeguarding the accuracy and completeness of assets 3.9 residual risk: the risk remaining after risk treatment E-healtht: security managment 21

22 The ISO27001 approach: terms and definitions 3.10 risk acceptance: decision to accept a risk 3.11 risk analysis: systematic use of information to identify sources and to estimate the risk 3.12 risk assessment: overall process of risk analysis and risk evaluation 3.13 risk evaluation: process of comparing the estimated risk against given risk criteria to determine the significance of the risk 3.14 risk management: coordinated activities to direct and control an organization with regard of risk E-healtht: security managment 22

23 The ISO27001 approach: terms and definitions 3.15 risk treatment: process of selection and implementation of measures to modify risk 3.16 statement of applicability: documented statement describing the control objectives and controls that are relevant and applicable to the organization of an ISMS E-healtht: security managment 23

24 The ISO27001 approach Components of a ISMS General Records of key management decisions Information security policy set Information security policy Controls documentation Risk assessment methods Risk assessment reports Risk treatment plan Information security metrics Statement of applicability E-healtht: security managment 24

25 The ISO27001 approach Components of a ISMS: Document control procedures Record control procedures Security awareness training and education records Internal ISMS audit plans and procedures Management review of the ISMS Corrective action procedures Preventive action procedures E-healtht: security managment 25

26 The ISO27001 approach Plan Do Act Check cycle: E-healtht: security managment 26

27 The ISO27001 approach E-healtht: security managment 27

28 The ISO27001 approach Benefits: Information Security corporate governance Market differentiation Improved effectiveness Committed and focused staff Better awareness of security by all committed parties ISO certification Usually 3-stage audit process Stage 1: table top review Stage 2: detailed in-depth audit Stage 3: follow-up reassessment audit See ISO E-healtht: security managment 28

29 The ISO27002 and ISO27799 guidelines HOW to put ISO in practice? ISO 27002: general guidelines ISO 27799: guidelines additions for the healthcare sector ISO provides best practice recommendations in IS seccurity management systems (ISMS): twelve main sections Risk assessment: determine vulnerability of assets (ISO 27005) Security Policy Organization and governance of information security Assets management: inventory and classification information assets Human resources security: about employees joining, moving inside and leaving the organization Physical and environmental security: protecting of computer facilities Communications and operations management, management of technical security control E-healtht: security managment 29

30 The ISO27002 and ISO27799 guidelines (ctd) ISO provides best practice recommendations in IS seccurity management systems (ISMS): twelve main sections (ctd) Access Control restrictions of access rights to networks, systems, applications, functions and data Information systems acquisition, development and maintenance, building security into applications Information Security Incident management anticipating and responding appropriately to security breaches Business continuity management protectng, maintaining and recovering business-critical processes and systems Compliance ensuring conformance with information security policies, standards, laws and regulations Within each section, information security controls and their objectives are specified and outlined (controls depend on risk assessment and on sector-specific implementation guidance (eg. ISO 27799) E-healtht: security managment 30

31 The ISO27002 and ISO27799 guidelines E-healtht: security managment 31

32 The ISO27002 and ISO27799 guidelines Guidelines: how to implement ISO and ISO ISO 27002: general guidelines (not sector specific) ISO 27799: health care specific points of attention E-healtht: security managment 32

33 The ISO27002 and ISO27799 guidelines: plan E-healtht: security managment 33

34 The ISO27002 and ISO27799 guidelines: do E-healtht: security managment 34

35 The ISO27002 and ISO27799 guidelines: check E-healtht: security managment 35

36 The ISO27002 and ISO27799 guidelines E-healtht: security managment 36

37 ISO27005: risk analysis Steps involved: 1. Organize the risk management process 2. Identify the risks 3. Evaluate risks impact 4. Evaluate risk importance (establish a hierarchy) 5. select solutions E-healtht: security managment 37

38 ISO27005: risk analysis E-healtht: security managment 38

39 ISO27005: risk analysis E-healtht: security managment 39

40 Practical approach: plan 1- Determine the scope (department, application, institution?) (step 1) 2- Determine the information/privacy policy (step 2) 3- Comprehensive risk analysis (steps 3, 4, 5) 4- Plan risk treatment (step 6) 5- Select management goals and controls (step 7) 6- Prepare statement of applicability (step 8) 7- Approve residual risk allowing ISMS to be carried out E-healtht: security managment 40

41 Practical approach: Do 1- Perform risk treatment, with resources allocated and controls (steps 1, 2, 3) 2- Educating and training (step 4) 3- Manage operations and business resources (steps 5, 6) 4- Deal with security incidents (step 7) E-healtht: security managment 41

42 Practical approach: Do (4) incident management E-healtht: security managment 42

43 Practical approach: Act 1- Carry out improvement measures (step 1) 2- Communicate the actions that have been taken (step 2) E-healtht: security managment 43

44 Practical approach: Check 1- Monitor procedures and controls (step 1) 2- Review ISMS regularly (step 2) 3- Management review (step 3) E-healtht: security managment 44

45 References and more information website Crossroads Bank for Social Security website ehealth-platform History and timeline: Introduction to ISO 2002 and friends, Martin Dolphin ISO standards 27001, 27002, and Anne Lupfer, Gestion des risques et sécurité de l'information, Eyrolles, 2010, ISBN: E-healtht: security managment 45

46 Thank you for your attention! Any questions? Medical Informatics VUB, KIST