Wireless Security and Health Care Information Systems

Similar documents
Wireless Security and Healthcare Going Beyond IEEE i to Truly Ensure HIPAA Compliance

Wireless Security for Hotspots & Home PCCW Feb, 2009

The following chart provides the breakdown of exam as to the weight of each section of the exam.

United States Trustee Program s Wireless LAN Security Checklist

Security Awareness. Wireless Network Security

Ensuring HIPAA Compliance in Healthcare

Ensuring HIPAA Compliance in Healthcare

WIRELESS SECURITY. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance

State of Kansas. Interim Wireless Local Area Networks Security and Technical Architecture

How To Protect A Wireless Lan From A Rogue Access Point

WLAN Security Why Your Firewall, VPN, and IEEE i Aren t Enough to Protect Your Network

How To Secure Wireless Networks

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

Beyond the Firewall No. 72 March, 2012 Wireless LAN Edition

WIRELESS NETWORKING SECURITY

WHITE PAPER. Wireless LAN Security for Healthcare and HIPAA Compliance

Avaya TM G700 Media Gateway Security. White Paper

Avaya G700 Media Gateway Security - Issue 1.0

CHIS, Inc. Privacy General Guidelines

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Closing Wireless Loopholes for PCI Compliance and Security

The Impact of Wireless LAN Technology on Compliance to the PCI Data Security Standard

CTS2134 Introduction to Networking. Module Network Security

External Supplier Control Requirements

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Agenda. Wireless LAN Security. TCP/IP Protocol Suite (Internet Model) Security for TCP/IP. Agenda. Car Security Story

Best Practices for Outdoor Wireless Security

Industrial Communication. Securing Industrial Wireless

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

05.0 Application Development

Particularities of security design for wireless networks in small and medium business (SMB)

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

Potential Security Vulnerabilities of a Wireless Network. Implementation in a Military Healthcare Environment. Jason Meyer. East Carolina University

WLAN Attacks. Wireless LAN Attacks and Protection Tools. (Section 3 contd.) Traffic Analysis. Passive Attacks. War Driving. War Driving contd.

IBX Business Network Platform Information Security Controls Document Classification [Public]

Wireless Intrusion Detection Systems (WIDS)

Wireless Security: Secure and Public Networks Kory Kirk

Implementing Security for Wireless Networks

WHITEPAPER. Wireless LAN Security for Healthcare and HIPAA Compliance

chap18.wireless Network Security

Networking: EC Council Network Security Administrator NSA

1.1 Demonstrate how to recognize, perform, and prevent the following types of attacks, and discuss their impact on the organization:

Running Head: WIRELESS DATA NETWORK SECURITY FOR HOSTPITALS

GE Measurement & Control. Top 10 Cyber Vulnerabilities for Control Systems

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline

Network Security: Introduction

Introduction to Cyber Security / Information Security

Securing SharePoint 101. Rob Rachwald Imperva

information security and its Describe what drives the need for information security.

INSTANT MESSAGING SECURITY

Effective Methods to Detect Current Security Threats

AccessEnforcer. HTTPS web filter overview

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

1 Purpose Scope Roles and Responsibilities Physical & Environmental Security Access Control to the Network...

Wireless LAN Security:

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Securing Patient Data in Today s Mobilized Healthcare Industry. A Good Technology Whitepaper

CNA NetProtect Essential SM. 1. Do you implement virus controls and filtering on all systems? Background:

Online Banking Fraud Prevention Recommendations and Best Practices

All vulnerabilities that exist in conventional wired networks apply and likely easier Theft, tampering of devices

Information Security Basic Concepts

Security and privacy in public WLAN networks

PCI DSS Requirements - Security Controls and Processes

Catapult PCI Compliance

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

Sarbanes-Oxley Compliance and Wireless LAN Security

UF IT Risk Assessment Standard

White Paper. BD Assurity Linc Software Security. Overview

Information Technology Branch Access Control Technical Standard

Best Practices For Department Server and Enterprise System Checklist

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

Wireless Network Standard and Guidelines

SCADA/Business Network Separation: Securing an Integrated SCADA System

Technical Brief. Wireless Intrusion Protection

SCADA SYSTEMS AND SECURITY WHITEPAPER

WHITE PAPER. The Need for Wireless Intrusion Prevention in Retail Networks

Evaluation Report. Office of Inspector General

CS 356 Lecture 29 Wireless Security. Spring 2013

Module II. Internet Security. Chapter 7. Intrusion Detection. Web Security: Theory & Applications. School of Software, Sun Yat-sen University

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

BLACKJACKING: SECURITY THREATS TO BLACKBERRY DEVICES, PDAS, AND CELL PHONES IN THE ENTERPRISE

SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS

Cyber Security Awareness

PwC. Outline. The case for wireless networking. Access points and network cards. Introduction: OSI layers and 802 structure

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Fortinet Solutions for Compliance Requirements

Wireless Security. CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger.

Windows Remote Access

Deploying secure wireless network services The Avaya Identity Engines portfolio offers flexible, auditable management for secure wireless networks.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Certified Ethical Hacker Exam Version Comparison. Version Comparison

Chapter 2 Configuring Your Wireless Network and Security Settings

Reliance Bank Fraud Prevention Best Practices

Transcription:

Wireless Security and Health Care Information Systems Vladimir Oleshchuk Faculty of Engineering and Science Agder University College Grimstad, Norway WIM meeting Vilnius 12-13 December 2003 1 Outline Wireless communication: (dis)advantages. Wire(less) (un)security Healthcare information systems Wireless healthcare information systems Security of wireless healthcare information systems WIM meeting Vilnius 12-13 December 2003 2

Advantages of Wireless Communications Freedom of mobility: "Access to any application from any device on any network". Reasons to use wireless communications: Improve productivity: real-time access and faster distribution important business information Growing mobility customers and employees Improved customer service (fast response increase customer satisfaction) Competitive advantage (contact with customers, partners, suppliers and employees) Major benefit (for healthcare sector): Streamlining doctor/patient relationship Patient data can be updated in real-time y doctor Online track of medication prescriptions and billing information WIM meeting Vilnius 12-13 December 2003 3 Disadvantages of Wireless Communications Wireless networks are vulnerable to attack Threats Uncontrolled terrain: (anonymous, uncontrolled coverage area between end points); Eavesdropping: (gather information about who use the network, what is accessible, equipment capability, coverage area, etc.) Communication jamming (DoS): Client jamming, base station jamming etc. WIM meeting Vilnius 12-13 December 2003 4

Wireless Threats (cont.) Injection and modification of data Connection hijacking Man-in-the-middle attacks Rouge client (mimic client identity) Rouge network access points (attacker set up a rouge access points to impersonate a network resource) Client-to-client attacks (get sensitive information to access other resources) WIM meeting Vilnius 12-13 December 2003 5 Security Vulnerability and Risks Exposed access points (APs): WLAN radiates data that may exceed the area physically controlled by enterprise Service Set Identifier (SSID) used for authorization: Compromised, default password etc. Invisible WLAN access points: Ad hoc networks establishment between devices with built-in WLAN cards or unauthorized APs Overlapping spectral footprints Accidental or intentional networks overlapping MAC used as identifier Lack of flood protection Client platform security vulnerabilities WIM meeting Vilnius 12-13 December 2003 6

Security protection levels: Hardware protection should be (authentication, authorization and encryption) integrated into hardware. Wireless security policy: developing and enforcing a strong wireless security policy based on sound risk analysis Monitoring and Intrusion detection Discovering wireless vulnerabilities, detection intruders and attacks Virtual private networks Install VPN client software on all wireless available PC WIM meeting Vilnius 12-13 December 2003 7 Security Considerations for Wireless Devices Security of wireless devices impacts the security of entire network Physical security Information leakage WIM meeting Vilnius 12-13 December 2003 8

Some suggestions to information leakage threats Laptops: Pay attention to storage of passwords and keys (f.ex., some wireless cards store WEP keys in registry in cleartext). Use host-based IDS, personal firewalls. PDAs: Minimize storage of data that PDA access Do not rely on client-side security (compromised sensitive data in PDA can be compromise the whole application; PDA-based encryption mechanisms have been found to be vulnerable) Wireless infrastructure (APs, bridges, etc.) Use secure protocols to access infrastructure (SSH, SSL, SNMPv3 etc.) Disable insecure protocols (HTTP, SNMPv1) Improve physical security Mobile phones Similar to PDAs and laptops Encrypt sensitive information before sending (f. ex., use WTLS while using WAP) WIM meeting Vilnius 12-13 December 2003 9 Info security in the health care system The range of technical and procedural mechanisms that aim to preserve confidentiality, restricting information access and modification to authorized users for authorized purposes. The goal is to insure the accuracy and timely availability of data for the legitimate users Electronic healthcare records can be protected by applications and servers that incorporate authenticated, authorized and audited access control. Encryption can protect the integrity of data while in transit. User authentication and screen locks can prevent improper access and accidental disclosure. Enterprise security policies consistent with emerging recommendations can help ensure that appropriate technical, administrative and procedural measures are employed to protect patient data. Legislative and regulatory measures can provide guidelines for protection of electronic health information and provide punitive damages for violations. WIM meeting Vilnius 12-13 December 2003 10

Norwegian laws and regulations In Norway, there are strict regulations with respect to the security required when medical information is electronically processed: 1. Helseregisterloven (Health Act) 5 and 6 give the necessary legal background for allowing medical electronic health records. 2. Security requirements for these records is in Helseregisterloven 36 regulated by The Personal Data Act (Personopplysningsloven) and the corresponding regulations. 3. These regulations require the responsible enterprise to perform a Vulnerability Assessment in order to decide both the security needed, if the security established is good enough and possible need for improved security measures. 4. The Norwegian Data Inspectorate (Datatilsynet) gives more detailed guidance (reference model, encryption strength etc.), and recommendations to indicate the minimum need of security for information like medical health records. WIM meeting Vilnius 12-13 December 2003 11 Exchange of medical information In Norway health services are organized in hierarchic pyramids reporting to a Managing Director. It is established solutions for secure exchange of messages between different Health Services using XML, Digital Certificates and 128 bit DES encryption. A Primary Doctor are not allowed to log into an EPR-system at a hospital because he is not administrative reporting to the hospitals Managing Director and thus not covered by the hospitals responsibility for the information security management system (ISMS). Secure exchange of messages EPR-system in a Hospital EPR-system at Primary doctor WIM meeting Vilnius 12-13 December 2003 12

Example: Access to the patient's EPR EPR-system in a community public health service EPR-system in a Hospital Integrated portal EPR-system at Primary doctor PKI RBAC Workflow Patient may need a limited access to the electronic patient records (EPR). Health services should be able to share information. It must be possible to give input of biomedical recordings. Should be able to control access (deny) to EPR. WIM meeting Vilnius 12-13 December 2003 13 Risk management Risk management includes examination of three factors: Assets (patient and business information, critical data etc.) Threats (dissatisfied patients, ) Vulnerabilities WIM meeting Vilnius 12-13 December 2003 14

Plans Use cases and possible future scenarios for using healthcare information systems. Security analysis of existing solutions and make risk assessments future scenarios. Risk assessment of using wireless communication (vulnerabilities, threats, etc.) Development of new secure solutions for wireless healthcare information systems. WIM meeting Vilnius 12-13 December 2003 15

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information