© by Seclarity Inc. 2005, Slide: 1
End Point Security and HIPAA
Session 4.05, 10:30am, April 8, 2005
Gary Christoph, Ph.D., Sr. VP Government and Healthcare
gchristoph@seclarity.com, 410-884-1313
Seclarity, Inc., 11705 Lightfall Court, Columbia, MD 21044
A Blumberg Capital, Valley Ventures and Intel Capital Funded Security Company
Slide 2: Why is Network Security hard?
Network Security perimeter solutions are inadequate
– New technologies, like wireless, render the “perimeter” fuzzy
– Insider threat persistently at the 50-70% level
– Management of the collection of perimeter point solutions is complex
Historically, network security was never “designed in” to IP networks; a new approach is needed
Slide 3: What do we mean by “End Point Security”?
Instead of the Bastion perimeter model:
– Install a trusted “guard” at every host in your network
– Let this individual “guard” have the power of a firewall
– Let the “guards” mediate all user access to the network
– Make the “guards” be under central management, rather than under user control
– Let the “guards” authenticate to each other
– Allow the “guards” to encrypt traffic between legitimate users, wherever they may be
Slide 4: A Simplified View of a Contemporary “Secured” Network
[Network diagram: Internet, Firewall, VPN, IDS, Proxy, Wireless, and Remote users with Software VPN agents; the legend distinguishes Unencrypted Traffic from Encrypted Traffic]
Slide 5: A Simple View of an Endpoint-Secured Network
[Network diagram: Internet, Firewall, Wireless and Remote user; every path is shown as Encrypted Traffic]
Slide 6: What Does HIPAA Really Require?
YOU MUST:
– Think about the risks you face
– Develop coherent, enforceable policy
– Write it down
– Implement/operate whatever controls this requires
– Train/educate staff
– Periodically test & document
Slide 7: HIPAA Title II, Administrative Simplification
[Diagram: HIPAA Title II Administrative Simplification has five parts: Transaction Standards, Standard Code Sets, Unique Health Identifiers, Security, and Privacy. The Security and Privacy branches are expanded below.]
Security:
– Administrative Procedures: Chain of Trust Agreement, Certification, Internal Audit, Training, Written Policies & Procedures, etc.
– Physical Safeguards: Secure Workstation, Physical Access Controls, Media Controls, Security Awareness, etc.
– Technical Security Services: Access Controls, Authorization, Entity Authentication, Data Authentication
– Technical Security Mechanisms: Basic Network Safeguards, Integrity and Protection
– Electronic Signature: Not currently required
Privacy:
– General Rules: Covers Protected Health Information (PHI) transmitted or stored, in any medium (electronic, paper, oral); PHI data elements defined; Notice of Privacy Practices mandated; Consent required for routine use; Authorization required for non-routine use; Business associate contracts required; Designated Privacy Officer
– Limitations: Minimum necessary disclosure/use of data
Slide 8: HIPAA NW Security/Privacy Issues
People are involved
– People are neither repeatable nor logical
– People on the job make inappropriate assumptions
Technical Solutions are too complex
– Point products do not tile the floor
– Management of many solutions is not easy or cheap
– Pace of technological change adds new vulnerabilities (e.g., wireless)
Administrative Solutions that are not
– Processes get in the way of work
– Controls violated without your knowledge or without consequence
Slide 9: Technical Solution Target
Want transparency
– Easy for users to comply
– Easy for admins to enforce
Want universality
– The same policy enforced the same way everywhere
– Use technology to reduce administrative controls
Want simplicity
– Complexity is the enemy
– Easy to manage
Want verifiability
– Documentable
Want cheap
– Do not want to go out of business
Slide 10: End Point Security Can Help
Change the paradigm:
– Control access to the network at the individual End Points
– Give users only the network access they need
– Give control of those access rights back to the enterprise
– Eliminate depending on the network infrastructure to enforce separation
Slide 11: A More Realistic “Secured” Network
[Network diagram: Hospital, Labs and Physicians’ Office sites, each behind its own IDS, VPN, Proxy and gateway (GW), connected over the Internet, plus a Wireless segment; the legend distinguishes Encrypted path from Unencrypted path]
Slide 12: An “End Point” Secured Network
[Network diagram: the same Hospital, Labs, Physicians’ Office and Wireless sites connected over the Internet, with IDS sensors but no VPN, Proxy or GW boxes, and every path between end points shown as an Encrypted path; the legend distinguishes Encrypted path from Unencrypted path]
Slide 13: Vulnerability Scan Results
[Bar chart: findings per severity (Informational, Low, Medium, High, Serious, Blocked) for Three Generic Windows 2000 Servers, OS Installed from CD Media with SP1 and Updated via Windows Update to the Latest Available Patches; two series, Before Sinic Install and After Sinic Install. Bar values are not recoverable from the page.]
Slide 14: Securing End Points: Network Virtualization
Set up separate “user communities”; Encrypt All PHI Traffic
[Network diagram of the Hospital Network: Laboratory Analyst, Hospital PHI DB Server, Hospital Mainframe, Remote User, Doctor’s Office and Doctor on Rounds on the Internal Network, with Accounting PC’s and Accounting Office Servers as a separate community; several hosts carry a “P” marker]
Slide 15: Different Kinds of End Point Security
Five kinds based on where the “guard” resides:
1) Software in the host’s user space
2) Software in the host’s operating system
3) Hardware TPM in the host
4) Hardware at the NIC level
5) Hardware at the Host’s edge
Slide 16: Different Kinds of End Point Security
[Diagram: five hosts on the network, each drawn as OS / Agent / PHI layers and ordered by INCREASING TRUST. Software Agents: Ex: Sygate; Ex: Microsoft. Hardware Agents: Ex: TBA (TCG-TPM); Ex: 14-South, Seclarity; Ex: TBA]
Slide 17: End Point Security Can Help
Benefits of Centrally managed End-Point Security:
– Not capturable by the user: users only get those rights you want them to have
– Distributed enforcement can be fine-grained
– Addresses many Insider Threat issues
– Separates security from network management
– Policy enforcement is everywhere the same
– Simplified audit reporting
– Do not have to modify user behavior, so reduced training
– Better security at lower overall cost
– Reduces urgency of patch-in-a-hurry
– Secures remote and distant users
Slide 18: Some Scenarios
– Secure PHI for mobile users, e.g., Doctor on Hospital Rounds
– Patients/visitors given access to the Internet from Hospital networks (RJ-45 jacks), without fear of compromise of PHI
– Concessions (e.g., POS devices) can have completely isolated use of the enterprise network
– Prompt containment of compromised satellite hosts or workstations
– Securely manage PHI-containing servers from sysadmins at home or from Starbucks
– Simply demonstrate to auditors that “no connection from PHI containing servers to unauthorized users has occurred”
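As an added illustration (not Seclarity's product code) of the "guard at every host" model of slide 3, the user communities of slide 14 and the containment and audit scenarios of slide 18, the following Python models a per-host guard that evaluates one central policy; the host and community names and the policy layout are constructed for the example.

```python
# Added illustration (not Seclarity's product code) of the per-host "guard",
# central policy, PHI user community, containment and audit from the slides.
# Host names, community names and the POLICY layout are constructed.
from dataclasses import dataclass

# Central policy, assumed shape: one entry per user community. Guards on hosts
# in a PHI community must encrypt that community's traffic.
POLICY = {
    "phi": {"phi": True, "members": {"lab-analyst", "phi-db", "dr-office",
                                     "dr-rounds", "remote-user"}},
    "accounting": {"phi": False, "members": {"acct-pc", "acct-server"}},
    "concession": {"phi": False, "members": {"pos-kiosk", "concession-gw"}},
    "guest": {"phi": False, "members": {"visitor-laptop", "internet-gw"}},
}
QUARANTINED = set()  # hosts contained from the central console (slide 18)


@dataclass(frozen=True)
class Decision:
    src: str
    dst: str
    allowed: bool
    encrypted: bool


def shared_community(a, b):
    """Name of a community containing both hosts, or None if they share none."""
    for name, c in POLICY.items():
        if a in c["members"] and b in c["members"]:
            return name
    return None


def guard(src, dst, log):
    """Decision the guard on `src` makes before a flow to `dst` may leave it.
    Every host evaluates the same central policy, so enforcement is uniform."""
    name = shared_community(src, dst)
    allowed = name is not None and not ({src, dst} & QUARANTINED)
    d = Decision(src, dst, allowed, encrypted=allowed and POLICY[name]["phi"])
    log.append(d)
    return d


def quarantine(host):
    """Containment from the console: every guard now refuses flows to or from
    `host`, with no change to switches, VLANs or the perimeter firewall."""
    QUARANTINED.add(host)


def audit_phi(log):
    """Evidence for the slide-18 audit claim: every allowed flow that left a PHI
    host for a non-PHI host, or travelled unencrypted; [] is a clean report."""
    phi = set().union(*(c["members"] for c in POLICY.values() if c["phi"]))
    return [d for d in log if d.allowed and d.src in phi
            and (d.dst not in phi or not d.encrypted)]
```

The audit runs over the guards' own decision log, so it also flags entries that the policy would never have produced, which is what makes the report evidence rather than a restatement of the policy.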
Slide 19: Questions?