HIPAA and Network Security Curriculum

This curriculum consists of an overview/syllabus and 11 lesson plans

Week 5

Developed by NORTH SEATTLE COMMUNITY COLLEGE for the IT for Healthcare Short Certificate Program

Funded by the Seattle Community-Based Health Care Partnership Project

Seattle CENTRAL Community College
NORTH Seattle Community College
SOUTH Seattle Community College
SVI Seattle Vocational Institute

This product was funded by a grant awarded under the President's Community-Based Job Training Grants as implemented by the U.S. Department of Labor's Employment & Training Administration. The information contained in this product was created by a grantee organization and does not necessarily reflect the official position of the U.S. Department of Labor. All references to nongovernmental companies or organizations, their services, products, or resources are offered for informational purposes and should not be construed as an endorsement by the Department of Labor. This product is copyrighted by the institution that created it and is intended for individual organizational, non-commercial use only.
Lesson 5 Network Infrastructure and Security Policies

Note: I have set up the entire curriculum for this class with weekly lesson plans. This will allow the Instructor to determine how to incorporate the information into lesson plans whether it is a daily class, a twice weekly class, a three times a week class, or even a one class per week calendar.

Network security is a complicated subject. A basic understanding of computer networks is required in order to understand the principles of network security. In this section, we'll cover some of the definitions of computer networking, then move on to an overview of some popular networks.

What is a network?

A "network" has been defined as "any set of interlinking lines resembling a net, a network of roads; an interconnected system, a network of alliances." A computer network is simply a system of interconnected computers. It involves a set of locations, or nodes, consisting of hardware, programs, and information linked together as a system that transmits and receives data and information. Oddly enough, how they're connected is irrelevant, and there are a number of ways to do this.

The International Standards Organization (ISO) Open Systems Interconnect (OSI) Reference Model defines seven layers of communications types, and the interfaces among them. (See figure; draw on board.) Each layer depends on the services provided by the layer below it, all the way down to the physical network hardware, such as the computer's network interface card, and the wires that connect the cards together. It isn't important to memorize the ISO/OSI Reference Model's layers, but it's useful to know that they exist, and that each layer cannot work without the services provided by the layer below it.

Application
Presentation
Session
Transport
Network
Data Link
Physical

HIPAA and Network Security Curriculum - Week 5 Page 2 of 18
Networks come in three configurations, or topologies. (Write definition of topology on board: A network configuration, or the arrangement of the nodes or workstations of a network in relation to one another.) To determine which network topology to use, network designers consider the distance between nodes, the frequency and volume of transmissions, and the processing capability at each node.

The star topology interconnects many different sites through a central computer (a server). The central computer is typically a mainframe. Nodes may be other mainframes, midrange systems, or microcomputers. Sending a message from one node to another entails sending the message to the central server or host computer first, which receives and retransmits the message to the intended destination.

In the ring topology, each node is connected to an adjacent node. There is no central node. A message is sent from one node through the network. Each location examines the identification code in the message (which is inserted by network software) and accepts the message if it has the code. Otherwise, it transmits the message to the next node. The process continues until the message reaches its destination.

The bus topology is a linear network, a data highway, so to speak. All nodes tap onto the bus. Data transmissions from one node are sent to every other node on the network. Each node examines the identification code, accepting those messages containing its code and ignoring the others.

The type of connection and the span of the network define the three types of networks: (1) wide area, (2) local area and (3) metropolitan area.

A wide area network (WAN) is a network that connects sites dispersed across states, countries, or continents. Corporations often develop high-speed WANs that transmit over networks using a T-carrier, a very high-speed channel designed for use as the backbone of a network.
A backbone is a high-speed transmission link that interconnects lower-speed networks or computers at different sites.

The speed at which information is transmitted over a communication medium is determined by bandwidth. A greater bandwidth means that more information is sent through a medium in a given amount of time. The bandwidth of a network is measured (indirectly) by the bits of data transmitted per second.
A modem frequently used for dial-up transmission from a PC is said to be at 56.6 kilobits per second; a T-1 line (T-carrier) is at 274.176 megabits per second.

A local area network (LAN) is a network that interconnects computers and communication devices within an office or series of offices; it typically spans a distance of a few hundred feet to several miles. The network components (the LAN's nodes), including the cable linking the devices, are generally owned by the company using the network. LANs are generally comprised of desktop computers, servers, storage area networks (SANs) and the printers designed to work with them.

A desktop computer connected to a network may be called a workstation (alternatively, it may be called a node or a client). The computer that hosts the network and provides the resources that are shared on the network is called the server. The server provides services to each of the workstations attached to it. When workstations (that is, PCs) access a server, they can execute (use) the software residing on the server or process data in a file or database on the server. The server typically has more primary memory and storage capacity and a higher processing speed than the other computers. Some networks have multiple servers, either to provide a backup in case one is not working or to distribute databases more quickly for faster access to information.

A file server is a computer containing files available to all users connected to a LAN. In some LANs a microcomputer is designated as the file server; in others a computer with a large disk drive and specialized software acts as the file server.

Metropolitan area networks (MANs) transmit data and information over longer distances and may do so at greater speeds than is possible with LANs. MANs are often designed to carry more diverse forms of information than LANs, including combinations of voice, data, image, and video. MANs are usually optimized for voice and data transmission.
MANs do not operate over telephone lines. Rather, to obtain the combination of high-speed performance and citywide transmission, fiber-optic cables are generally used as the transmission medium.

Companies are also using wireless technologies to construct local area networks, or wireless LANs (WLANs), because they enable staff members to move around the building with laptops, tablets, and PDAs and still connect to the enterprise's local area network without a wire.

What kind of network does the school have? Do we have more than one? Do we have wireless? Do we have a MAN? Encourage class discussion on what students have experienced.
Virtual private network (VPN) technology was developed to enable client systems to securely connect to servers over the Internet. VPN's powerful encryption and user authentication methods have proven extremely successful in providing security for message transmissions. A VPN works by establishing a secure, private connection between an external device and a VPN gateway. (A gateway is a device that connects two otherwise incompatible networks, network nodes, or devices.)

Hand out article at this time and have open discussion, encourage questions.

Much of the security-related activity in the health industry is a direct result of the increasing focus and stringent requirements of the US regulation HIPAA (Health Insurance Portability and Accountability Act). Compliance with HIPAA and other key health regulations often depends on creating a secure office network. Your codes, transactions, and identifiers may all be designed to protect privacy and adhere to standards, but if the network can serve as a gateway for hackers and other unauthorized visitors to the patients' personal information, all of the other elements of compliance processes will be wasted.

Protection of information and computer systems should receive top priority. Typically, security mechanisms use a combination of logical and physical restrictions to provide a greater level of protection than is possible with either approach alone. This includes measures such as firewalls and the installation of antivirus and spyware detection software.

An example of a logical restriction is automatic sign-off. Automatic sign-off is a mechanism that logs a user off the system after a specified period of inactivity on their computer. This procedure is recommended in all client care areas, as well as any other area in which sensitive data exist.
The healthcare organization makes business decisions about how important the computer network and the data it holds are to the practice, and how it wants to protect those key resources. Security systems are the implementation of those business decisions.

Physical security measures include placement of computers or file servers in restricted areas. Especially challenging is the growing use of mobile wireless devices such as notebooks, tablet PCs, and PDAs. These items may fall into unauthorized hands.

Good place to discuss with class why this is an issue. What type of information could be released? How would it impact the clients? The company? What type of security measures do they think could be used? Security cables, motion detectors, alarms, secure locked cabinets when the devices aren't in use.
A security policy is a general statement of the business rules that define the goals and purposes of security within an organization. While each individual practice will have its own unique policy, the basics of establishing a policy are the same, whether it is a small practice or a larger-sized hospital, because HIPAA security measures apply to all health organizations across the board. Security policies are considered strategic documents, and they define the overall purpose and direction for security.

Authentication is the process of identifying an individual, usually based on a username and password. In security systems, authentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual.

The security requirement for authentication becomes important in the context of networked organizations. Authentication assures that the message is from the source it claims to be from. In the case of an ongoing interaction between a terminal and a host, authentication takes place at two levels. First, there is assurance that the two entities in question are authentic. Second, the connection between the two entities is assured such that a third party cannot masquerade as one of the two parties.

Access codes and passwords have long been favored as a means to authenticate access to automated records, largely because they represent a familiar, available, and inexpensive technology. A password is a collection of alphanumeric characters that the user types into the computer. This may be required after the entry and acceptance of an access code, sometimes referred to as the user name. IS administrators require this information to problem-solve or reissue passwords. The password does not appear on the screen when it is typed, nor should it be known to anyone but the user and the IS administrators.
Obvious passwords such as the user's name, house number, or pet are easily compromised. Strong passwords use combinations of letters, numbers, and symbols that are not easily guessed. An example is:

Weak Password: seahawks
Good Password: SeaHawk86d
Strong Password: Se@H86!s

Individuals should not share passwords or leave computers logged on and unattended. System administrators must keep files that contain password lists safe from view or copying by unauthorized individuals. One compromised password can jeopardize information and the system that contains it. For this reason, users should not use the same password for access to more than one site or system. Using the same password at various sites reduces security.

System administrators need to allow legitimate users the opportunity to access the system while refusing entry to others. One means to accomplish this is to shut down a workstation after a random number of unsuccessful access attempts and send security to check that area.

Sign-on access codes and passwords are generally assigned on successful completion of system training. Passwords may be difficult for the user to recall. This leads some people to write passwords down and post them in conspicuous places, such as on a Post-it note on their computer. Users also have a tendency to share passwords: if a coworker has not yet gone through system training, coworkers tend to let that worker have access to the system with their own user ID and password. This is a huge HIPAA violation and a security violation; the password has to be regarded as the electronic signature!

Frequent and random password change is recommended as a routine security mechanism. This can be set by Information Services as required by most software. Users find this unpleasant because of the difficulty of learning new passwords. There are situations that mandate immediate change or deletion of access codes and passwords, including suspicion of unauthorized access and termination of employees. Codes and passwords should also be deleted with status changes such as resignations, leaves of absence, and the completion of rotations for students, faculty, and residents.

It is important to develop authentication policies jointly with information technology personnel, business staff, and the end users. It is also critical to factor in the time and resources required to enroll and update users with these policies. Support costs and training times increase as the complexity of the authentication process increases.

User authentication can be verified with passwords alone, or with passwords used along with either a passkey type of device or scanned employee identification.
Encrypted key-based authentication is another technology. An example is public key infrastructure (PKI). PKI uses an encrypted passkey that can be provided to the user in various formats, including a smartcard, token, or wireless transmitter.

Hand out article on smartcard.

The passkey provides a secret number that is verified against a registered digital certificate. The user submits the passkey information during the sign-on process and the PKI system compares it against the registered digital certificate ID to verify a match.

Scanned employee identification may include a name badge (frequently used in Information Services Departments) but generally refers to biometric authentication, which is based on a unique biological trait, such as a fingerprint, voice, or iris pattern, retinal scan, hand geometry, face recognition, ear pattern, smell, or gait recognition. This is now feasible technology which is very accurate.

Talk with class about what types of authentication they have had to use, encourage questions and answers.
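The lockout after unsuccessful access attempts, the automatic sign-off after inactivity, and the deletion of access codes on status changes described in this lesson can be shown together in a short Python sketch. This is an added teaching example, not part of the original curriculum; the class and method names, the fixed three-attempt threshold, the ten-minute idle limit, and the choice to store salted digests instead of passwords are all assumptions.

```python
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 3          # assumed threshold
IDLE_TIMEOUT_SECONDS = 10 * 60   # assumed inactivity limit


def _digest(password, salt):
    # Salted PBKDF2 digest, so the stored list never holds the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SignOnService:
    def __init__(self):
        self._accounts = {}   # user -> salt, digest, failure count, lock flag
        self._sessions = {}   # user -> time of last activity, in seconds

    def enroll(self, user, password):
        salt = os.urandom(16)
        self._accounts[user] = {"salt": salt, "digest": _digest(password, salt),
                                "failures": 0, "locked": False}

    def sign_on(self, user, password, now):
        acct = self._accounts.get(user)
        if acct is None:
            return "denied"
        if acct["locked"]:
            return "locked"            # stays locked until staff reset the account
        if hmac.compare_digest(_digest(password, acct["salt"]), acct["digest"]):
            acct["failures"] = 0
            self._sessions[user] = now
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILED_ATTEMPTS:
            acct["locked"] = True
            return "locked"
        return "denied"

    def activity(self, user, now):
        """Record activity; return False if there is no live session."""
        last = self._sessions.get(user)
        if last is None:
            return False
        if now - last > IDLE_TIMEOUT_SECONDS:
            del self._sessions[user]   # automatic sign-off after inactivity
            return False
        self._sessions[user] = now
        return True

    def remove_access(self, user):
        """Delete the access code on termination, leave, or end of rotation."""
        self._accounts.pop(user, None)
        self._sessions.pop(user, None)
```

Times are passed in as plain seconds so the behavior can be traced by hand in class: a correct password entered after the third failure still returns "locked".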
General Security Policies and Procedures

1. Change access passwords frequently: Users should be required to enter personal identification codes and individually assigned code words in order to access the system. Passwords should be kept strictly confidential.

2. Restrict system use: Users should be given access to only the functions they need to use, rather than full-system access.

3. Limit access to data: Users should be allowed to access only the data they need to perform processing within their area of responsibility.

4. Set up physical access controls: Access cards and biometric devices, which recognize voice patterns, finger or palm prints, retinal eye patterns, and signatures, are among the most effective physical security systems. It is difficult to fool these systems.

5. Partition responsibilities: Critical functions involving high risk or high value in the data being processed should be separated so that more than one person must be involved to perform the processing. Database and network administrators should be given separate (but important) responsibilities for controlling access to the system.

6. Encrypt data: Changing the appearance of data through scrambling and coding makes it more difficult to use information even if a hacker is able to access it.

7. Establish procedural controls: When clearly stated security procedures guide users and IT staff members, it is more difficult to breach security.

8. Institute educational program: There is no substitute for well-informed staff members. Security education programs stress the threat of intrusion, explain hackers' methods and tactics, and provide guidelines on how to respond when intrusions are detected.

9. Audit system activities: In an audit, independent parties review transactions and computer processing to analyze their origin and their impact on the system, as well as to determine that these activities were approved and performed by authorized individuals.

10. Log all transactions and user activities: Keep a record of each activity and the individual responsible for that activity.
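Policies 2, 3, 5, 9 and 10 above fit together as one authorization check, sketched here in Python. This is an added teaching example, not part of the original curriculum; the roles, resources, user names and the rule that a chart export needs a second authorized person are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed roles: each gets only the functions and data it needs (policies 2 and 3).
ROLE_PERMISSIONS = {
    "nurse":   {("chart", "read"), ("chart", "write")},
    "billing": {("invoice", "read"), ("invoice", "write")},
    "records": {("chart", "read"), ("chart", "export")},
}
# High-risk actions that need a second authorized person (policy 5).
DUAL_CONTROL = {("chart", "export")}


class AuditedAccess:
    def __init__(self, user_roles):
        self.user_roles = user_roles   # user -> role, assigned at enrollment
        self.log = []                  # policy 10: every attempt is recorded

    def _permitted(self, user, resource, action):
        role = self.user_roles.get(user)
        return (resource, action) in ROLE_PERMISSIONS.get(role, set())

    def request(self, user, resource, action, approver=None):
        allowed = self._permitted(user, resource, action)
        if allowed and (resource, action) in DUAL_CONTROL:
            # The approver must be a different person who holds the same right.
            allowed = (approver is not None and approver != user
                       and self._permitted(approver, resource, action))
        self.log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "approver": approver,
            "resource": resource, "action": action, "allowed": allowed,
        })
        return allowed

    def denied_attempts(self):
        """Audit view (policy 9): count refused requests per user."""
        counts = {}
        for entry in self.log:
            if not entry["allowed"]:
                counts[entry["user"]] = counts.get(entry["user"], 0) + 1
        return counts
```

Refused requests are logged as well as granted ones, which is what lets an independent reviewer see who tried to reach data outside their area of responsibility.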
Week 5 Quiz 2

1. Threats to information technology include threats to
   a. Hardware
   b. Software
   c. Data
   d. All of the above
   Answer: D

2. Which of the following is a way of attempting to protect computer systems and data from unauthorized use?
   a. Encryption
   b. Codes of conduct
   c. Restricting access through the use of passkey
   d. All of the above
   Answer: D

3. Biometric security methods include
   a. Use of passwords
   b. Locking the computer room
   c. Iris scans, lip prints, and body odor sensors
   d. Carrying ID cards
   Answer: C
4. To remember her computer system password, hospital nurse Sherri Brinkman taped her password to the back of her name badge. When Mrs. Brinkman lost her name badge recently, it was turned in to hospital security and subsequently the IS department with her password still attached. When Mrs. Brinkman picked up her name badge, she stated she would continue to use her current password. Is this an appropriate way to treat a password? Should she use the same password again? Provide your rationale.
   Answer: Looking to see if the student understands the rationale for password security; should have mention of strong passwords, IS security policies, and that the password is the nurse's electronic signature and legal difficulties could occur from misuse.

5. Name two types of networks.
   Answer: WAN, LAN, MAN, WLAN
LAB Week 5

This week's lab should be focused on identifying what type of network the school has. Who has used VPN? How did that work? In the IT Healthcare lab I will walk the students through a VPN connection setup, look at security profiles (authorization), and different forms of authentication used in the students' lives. Practice should include changing passwords, and the use of strong passwords.