Unique Challenges in Architecting a Healthcare PKI that Spans Public and Private Sectors



Similar documents
UNDERSTANDING PKI: CONCEPTS, STANDARDS, AND DEPLOYMENT CONSIDERATIONS, 2ND EDITION

Innovations in Digital Signature. Rethinking Digital Signatures

HIPAA Security Regulations: Assessing Vendor Capabilities and Negotiating Agreements re: PKI and Security

White Paper. From Policy to Practice: A Practical Guide to Implementing HIPAA Security Safeguards

Comparing Cost of Ownership: Symantec Managed PKI Service vs. On- Premise Software

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

VASCO: Compliant Digital Identity Protection for Healthcare

Department of Defense PKI Use Case/Experiences

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)

A Planning Guide for Electronic Prescriptions for Controlled Substances (EPCS)

Identity: The Key to the Future of Healthcare

Mobile OTPK Technology for Online Digital Signatures. Dec 15, 2015

The Convergence of IT Security and Physical Access Control

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

Part III-a. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

U. S. Department of Justice Information Technology Strategic Plan. Appendix E. Public Key Infrastructure at the Department of Justice.

The Costs of Managed PKI:

X.509 Certificate Policy For The Federal Bridge Certification Authority (FBCA) Version 2.24

Authorized. User Agreement

CMS Illinois Department of Central Management Services

The Benefits of an Industry Standard Platform for Enterprise Sign-On

Department of Defense INSTRUCTION. SUBJECT: Public Key Infrastructure (PKI) and Public Key (PK) Enabling

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Arkansas Department of Information Systems Arkansas Department of Finance and Administration

PKI Deployment Business Issues

PKI Disclosure Statement

An Introduction to HIPAA and how it relates to docstar

Web Access Management. RSA ClearTrust. Enhancing control. Widening access. Driving e-business growth. SSO. Identity Management.

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES

How To Understand And Understand The Security Of A Key Infrastructure

State of Arkansas Policy Statement on the Use of Electronic Signatures by State Agencies June 2008

Class 3 Registration Authority Charter

Danske Bank Group Certificate Policy

A Strategic Approach to Enterprise Key Management

Business Issues in the implementation of Digital signatures

Certification Path Processing in the Tumbleweed Validation Authority Product Line Federal Bridge CA Meeting 10/14/2004

PRIME IDENTITY MANAGEMENT CORE

Symantec Managed PKI Service Deployment Options

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

Managed Public Key Infrastructure

ESnet SSL CA service Certificate Policy And Certification Practice Statement Version 1.0

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006

esign FAQ 1. What is the online esign Electronic Signature Service? 2. Where the esign Online Electronic Signature Service can be used?

Entrust Managed Services Non-Federal Public Key Infrastructure X.509 Certificate Policy

The Convergence of IT Security and Physical Access Control

Deploying and Managing a Public Key Infrastructure

esign Online Digital Signature Service

Department of Veterans Affairs VA DIRECTIVE 6510 VA IDENTITY AND ACCESS MANAGEMENT

CoSign by ARX for PIV Cards

2013 AWS Worldwide Public Sector Summit Washington, D.C.

Certification Practice Statement

X.509 Certificate Policy for the Australian Department of Defence Root Certificate Authority and Subordinate Certificate Authorities

Axway Validation Authority Suite

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

Electronic Prescribing of Controlled Substances: Establishing a Secure, Auditable Chain of Trust

CHOOSING THE RIGHT PORTABLE SECURITY DEVICE. A guideline to help your organization chose the Best Secure USB device

Neutralus Certification Practices Statement

Subject: Public Key Infrastructure: Examples of Risks and Internal Control Objectives Associated with Certification Authorities

Conclusion and Future Directions

Securing Physician and Patient Portals for HIPAA Compliance

TMW01 Managing and Deploying BYOD Identity Solutions with a Microsoft PKI

Provide access control with innovative solutions from IBM.

associate professor BME Híradástechnikai Tanszék Lab of Cryptography and System Security (CrySyS)

Department of Defense External Interoperability Plan Version 1.0

Test Plan for Department of Defense (DoD) Public Key Infrastructure (PKI) Interagency/Partner Interoperability. Version 1.0.3

PKI: Public Key Infrastructure

TELSTRA RSS CA Subscriber Agreement (SA)

An Introduction to Entrust PKI. Last updated: September 14, 2004

Internet Banking Internal Control Questionnaire

Identity & Privacy Protection

How To Achieve Pca Compliance With Redhat Enterprise Linux

Public Key Infrastructure. A Brief Overview by Tim Sigmon

A PKI ARCHITECTURE USING OPEN SOURCE SOFTWARE FOR E- GOVERNMENT SERVICES IN ROMANIA

Audio: This overview module contains an introduction, five lessons, and a conclusion.

Best Practices in Identity and Access Management (I&AM) for Regulatory Compliance. RSA Security and Accenture February 26, :00 AM

How To Protect Your Data From Harm With Safenet

Transcription:

Unique Challenges in Architecting a Healthcare PKI that Spans Public and Private Sectors Dr. Sarbari Gupta President Electrosoft Services Tel: (703)757-9096 sarbari@electrosoft-inc.com http://www.electrosoft-inc.com

Why PKI in Health Care? Security functions required in health care Benefits offered by PKI Current Efforts in Health Care PKI Public sector efforts Private sector efforts Agenda Unique Challenges in Integrating PKI into Healthcare Sector Unique challenges in the health care environment PKI technical issues relevant to health care deployement Hot button issues between public and private sectors Guidelines and Recommendations for adoption of PKI in Health Care Useful Links Electrosoft, 2002 RSA 2002 2

Security Functions Req d in HC Data Confidentiality Data Integrity Data Authentication User/Entity Authentication biometrics, passwords, PINs, tokens, telephone callback Non-Repudiation Authorization Access Control role-based, context-based emergency access Audit, Event Reporting Electrosoft, 2002 RSA 2002 3

Security Functions: Benefits offered by PKI Data Confidentiality - secure key exchange between parties Data Integrity - Digital Signatures Data Authentication - Digital Signatures Non-Repudiation - Digital Signatures User/Entity Authentication - Digital Certificates Authorization - Digital Certificates Access Control - Digital Certificates Engineering Advantages: Establish Trust in Decentralized, Online Environment Highly Scalable Security Services Standards-based, works across heterogeneous platforms Electrosoft, 2002 RSA 2002 4

HealthKey Project Public Sector HC PKI Efforts Privacy practices and market-based pilots that focus on adapting PKI technologies to the healthcare market Massachusetts Health Data Consortium CHIMETrust Integrated and deployed PKI Solutions for e-healthcare Western Governor s Association Health Passport Project Use of a multi-function, user-controlled, smart card based system to access critical health data Federal PKI Health Care Working Group X.509 Certificate Policy for Health Care PKI Federal Bridge CA ASTM Committee on Health Informatics (E31) Health Care Certificate Policy Electrosoft, 2002 RSA 2002 5

Public Sector HC PKI Efforts (contd.) DEA Electronic Prescriptions of Controlled Substances (EPCS) specify rules for the operations of a PKI used in support of electronic prescriptions of DEA scheduled substances (narcotics) California Medical Association Runs PKI pilots with Social Security Administration Government Computerized Patient Records (GCPR) Develop technical, data, hardware and software architecture required to achieve an easily accessible, secure, life-long medical record Medical Evidence Exchange Project SSA and VA joint venture to exchange medical data securely NIH Educause Use of PKI for secure electronic grant application Electrosoft, 2002 RSA 2002 6

MEDePass Kaiser Permanente CycloneCommerce Medtegrity Arcanvs Private Sector HC PKI Efforts Electrosoft, 2002 RSA 2002 7

Difficult IT Environment Unique Challenges Heterogeneous Computing Platforms (h/w and s/w) Widely Distributed Environment Disparate Affiliations of Users and Service Providers User-base not IT-savvy Stringent Legal and Regulatory Landscape HIPAA of 1996 E-SIGN Act of 2000 High Degree of Interoperability and Scalability Required Basic operation requires communication between different organizations Very diverse user groups Electrosoft, 2002 RSA 2002 8

Unique Challenges (contd.) Security and Privacy Critical Deals with Personally Identifiable Data Authentication, confidentiality, non-repudiation, audit essential Diverse Subscriber Population Many are non-organizational (e.g. private physicians) Many are highly mobile and work from different locations Complex Authorization Model Use of role based access control (physician, nurse, etc.) Roles based on licensure which are subject to suspension Roles change with time of day, day of week, etc. Frequent need for role delegation and role proxy Need for emergency override Electrosoft, 2002 RSA 2002 9

Cost-Sensitive Unique Challenges (contd.) ROI on IT costs very hard to justify General push to reduce healthcare costs Risk-Averse Services are very crucial cannot be subjected to downtime Litigation-Prone Tolerance level for errors very low Litigation costs very high Electrosoft, 2002 RSA 2002 10

PKI Technical Issues Certificate Policies Standardize for sector Private policy proliferation Policy incompatibility Analysis of Disparate Policies for equivalence Certificate Profile Profile proliferation Use of private extensions Profile incompatibility Addition of context or authorization information to profile Identity Proofing Standardize for sector Tied to licensure burden of proof Different assurance levels Electrosoft, 2002 RSA 2002 11

PKI Technical Issues (contd.) PKI Trust Models Common PKI root Multiple roots with Trust Lists Cross-certification Bridge CA Certificate Revocation Management CRL OCSP Security Awareness Training Safeguarding subscriber credentials Password Usage Privilege Management and Delegation Attribute Certificates Delegated Certificates Authorization mechanisms Electrosoft, 2002 RSA 2002 12

PKI Technical Issues (contd.) Long term storage of secured data Long life cycle secure archives need to be accessible Key recovery essential to maintain emergency and long-term access to data PKI Interoperability Poor interoperability of commercial PKI products PKI Applications Must be widely available, popular, intuitive Must not require user education and training Electrosoft, 2002 RSA 2002 13

Public Sector Hot Button Issues Control over policies Oversight of identity proofing, security processes Private Sector Autonomy of operation Independence of trust roots and hierarchies Flexibility to use commercial products/services of choice Cost-effective Painless transition Electrosoft, 2002 RSA 2002 14

Guidelines and Recommendations Different sectors build hierarchical PKIs and later try to establish mutual trust through a bottom-up process Standardize PKI related policies and procedures for use by healthcare industry Standardize on Certificate Profiles Use PKI for I&A only Implement authorization and access control through local, non-pki mechanisms Establish a legal and audit infrastructure to establish confidence in reliance on PKI Electrosoft, 2002 RSA 2002 15

For more information: Thank You! http://www.healthkey.org http://www.tunitas.com http://www.westgov.org/wga/initiatives/hpp/ http://www.hcfa.gov/hipaa/hipaahm.htm http://www.chime.org/ http://www.mahealthdata.org/ http://www.cio.gov/fpkisc/healthcare/index.htm http://www.hl7.org/standards/astm.htm http://www.deadiversion.usdoj.gov/ecomm/e_rx/overview/pharmacies.htm http://www.educause.edu/ Electrosoft, 2002 RSA 2002 16

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information