Implementing Secure Solutions for PHI. Ann Geyer Tunitas Group

Transcription

1 Implementing Secure Solutions for PHI Ann Geyer Tunitas Group

2 First Observation Secure infrastructure software deployed to healthcare Early California adopters ( ): SJHS, CHW, Scripps, Sutter, PacifiCare Vendors targeting healthcare market: Tumbleweed, Sigaba, Clearswift, TFS, Omtool, Zix, CertifiedMail Few HCO have broadly utilized their encryption options Encrypted Is still the exception, even for the early adopters Where encryption occurs, it is typically the result user activity

3 What s Holding Secure Back? Administering secure is challenging! Neither of the existing mgmt models works well Secure web application Doesn t make sense to administer external recipients as if they were users of your system Ordinary SMTP mail Secure requires new skill sets for both administrators and users Encryption methods and keys must be negotiated with recipients User can be trusted to get address right But only 1 0f 10 persons found to properly install and use their encryption software ( Why Johnny can t encrypt ~ )

4 Secure Administration Policy Aspects containing PHI sent to an external recipient is a DISCLOSURE subject to HIPAA privacy & security requirements Duty of the enterprise to ensure that the disclosure is properly authorized and documented Disclosures and the method need to be governed by enterprise policy and procedure Also need some ability to monitor and enforce policy Secure management must be sensitive to policy

5 Secure Policy 3 Items relevant to policy Sender identity and role Recipient category, domain, and role Message contents, including the nature of PHI included Policy objectives Should message be sent? Is the disclosure appropriate? Is the recipient s encryption key available? Subsequent actions if message is not sent Verify authorization and purpose User training on privacy or data use policies Key acquisition Report suspected privacy/security incident Subsequent actions, if message is sent Copy to HIM dept or Acctng of Disclosure Log

6 Secure Policy Developing policy is itself challenging is a business tool Secure policy constrains its use Many internal stakeholders Compliance -- respond to privacy and disclosure regs Users -- expectations of personal privacy and convenience IT -- implement and maintain, cost Multi-disciplinary effort Comparable to creating enterprise HIPAA privacy policy, but with a strong technology component Not an administrator or security personnel assignment Requires executive approval and support

7 Secure Administration Workflow Aspects system acquires knowledge of recipients in ad hoc manner Two basic problems User needs to identify & potentially authenticate recipient System needs to acquire or exchange encryption material Argues for a new workflow Procedure to authorize the sending of secure to a particular recipient Procedure to negotiate encryption keys that minimizes sender involvement Procedure to document results Methods to minimize latency Works both ways Consider how your organization will support receiving encrypted

8 Secure Administration Peer Aspect Typical HCO has 40K plus recipients in its directory Even small orgs have too many recipients to manage secure on a case by case basis Recognize and take advantage of solutions that peers have adopted Determine how trust and interoperability issues between mail domains get resolved Recognize physicians and other independent practitioners as having their own solution requirements

9 Peers Translates into a PKI problem S/MIME (PKI) has the greatest promise for secure on an industry scale Solutions are certified and interoperable PKI Bad Rep Poor integration tools User support costs Certificate sources PKI Support from Professional Associations CMA/MEDePass -- California physicians and staff AMA/Verisign Members of AMA physician database AAMT -- US medical transcriptionists Prof assn interested in supporting secure solutions for their members

10 Conclusions Recognize that secure mail solutions require more than technology Acquire enterprise support through multistakeholder policy formation effort Avoid myopia by recognizing that external recipients are your peers in securing messages Capitalize on community solutions such as the multiple association support for PKI and S/MIME Assist security administrators to develop the workflow to support negotiation of encryption parameters Remember that encryption is only part of security Take training requirements serious, surprisingly few administrators have background in security or PKI

11 California Community Trial Motivation Recognize the limitations of SSL for peer communication Strongly motivated to protect the use of as a business tool Develop set of best practices for implementation and policy decisions Validate push certificate distribution model and improved s/mime workflow Support association certificate activities Persuade peers to add s/mime to their solution options

12 California Community Trial Activities -- Implementation Profile use CE, BA, Third Party Department to department (what type of PHI) With infrastructure requiring negotiation (B2B) Without infrastructure requiring direction (B2b) Encryption Options s/mime gateway esmtp StartTLS Push certificates for client/desktop users Association certificates for professional class users Strategies for TP with proprietary approaches Webportals, webmail, required clients

13 California Community Trial Activities Policy Key initiation and exchange When is secure channel required What pre-requisites are required to establish a secure channel Can employees individually establish secure channels with TP What enterprise communication is required Will enterprise accept unencrypted PHI Will enterprise send unencrypted PHI if TP will not establish a secure channel

14 California Community Trial PKI Certificates for Client/Desktop Recipients Any available source of certificates Enterprise knows recipients addresses As long a certificate has known address, it is useful Push Certificates from PK3I Association Certificates California Medical Association providing certificates for physicians and staff American Association for Medical Transcription providing certificates for transcriptionists and clients All certificates will conform to ASTM Healthcare Certificate Policy and its certificate profile

15 California Community Trial New Key Distribution Model Push certificates from PKI Innovations, Inc (PK3I) Enterprise requests certificate from server Server generates the keypair and creates the certificate Send certificate to requestor Sends certificate and keypair to recipient Requestor communicates one-time pin/password to recipient to install keys and certificate in client For Microsoft products, one click install For other products, 2-5 steps depending on how the product has deviated from IETF standards for key storage

16 Typical Workflow

17 Typical Workflow

18 Typical Workflow

19 Improved Workflow

20 Success Factors Maintaining compliance Employees will use for communications Without an encryption alternative, enterprise risks non-compliance Preventing unnecessary costs Implementing a non- alternative will only add costs will not be turned off Registration and user support for trading partner employees is significant Maintaining business independence Adding an security solution to other options

21 Background Resources

22 HealthKey Sponsored Collaboration Mass HealthData Consortiumn domsec interop trails Demonstrated s/mime based interoperability between vendor s/mime gateway implementations Tumbleweed, TFS, Clearswift (as Baltimore), DICA, Vanguard Ongoing multi-enterprise s/mime gateway project CareGroup, Tufts, Commonwealth of Mass For more info: Joe Miller,

23 Vendor ~ Tumbleweed Early product entrant Significant healthcare installed base S/mime gateway and redirect products Imports any X509 certificate stores in directory Creates proxy certificates for enterprise accounts Full service product line Gateway, malicious content, virus scanning For more information Mike Fiore, [email protected],

24 Vendor ~ TFS Technologies Feature rich gateway product Includes openpgp support in addition to s/mime Includes certificate server for optional certificates for end users Consider use for individual signature at the desktop Free server solution for non-pki based security Supports automated distribution of symmetric key (password) via IVR (voice response), fax, (possibly alternate address) For more info John Casey, [email protected]

25 Vendor ~ Clearswift Inheritor of Content Technologies Sold off by Baltimore in its downsizing Emphasis on policy creation and management Supports distributed policy management Supports multiple message delivery mechanism with optional plugins s/mime gateway; http; technology licensed from sigaba For more information Farren West, [email protected],

26 Vendor ~ OmTool Secure gateway integrated with Exchange / Outlook Supports s/mime Alternate non-pki solutions based on zip / pdf encryption Always acquires receipts / supports security / signature of return mail Provides integration of with fax systems Fax / scan -> secure ; fax -> (internal) Provides security layer for HP Digital Sender Very slick solution, a Tunitas Group favorite For more information, Thad Bouchard, [email protected]

27 California Healthcare PKI Solutions CMA / MEDePass Focus on California physicians & staff High assurance model 2nd year of operation Will help market PKI based solution to your physician community Contact Terry Fotre DO, [email protected], American Association for Medical Transcription Certificates for transcriptionist (certified / non-certified) High assurance model for certified transcriptionist Online registry Go live in 3Q, 2003 Will train subscribers in secure use Contact Ray Smith, [email protected],

28 Technical Resources IETF DomSec spec RFC Domain Security Services using S/MIME Standards basis for use of s/mime gateways NIST guidelines on security RFC.pdf Excellent technical resource Network design discussion SMTP / POP server hardenning Common vulnerabilities and exposures security is not just about encryption!

29 About Tunitas Group Tunitas Group specializes in electronic commerce, communications and data exchange strategies for healthcare organizations. Core Expertise Biometrics and smart cards Directory applications and schema Electronic signature and EDI security solutions mgmt Internet security solutions HIPAA compliance planning Privacy & security policy design PKI planning and design Security assessment project Security risk analysis Internet technologies and protocols Workflow design Clients include Blue Shield of California California DHS California Medical Assn Catholic Healthcare West El Camino Hospital PacifiCare St. Joseph Health System Social Security Administration