
Installation and Maintenance of Health IT Systems
System Security Procedures and Standards
Lecture b
This material (Comp8_Unit6b) was developed by Duke University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000024.
Learning Objectives
1. Identify regulatory requirements for EHRs (lecture a)
2. Provide training for system users regarding the methods and importance of security compliance (lecture a)
3. Identify administrative, physical, and technical safeguards for system security and regulatory compliance (lectures a, b)
4. Identify best practices for system security (lecture b)
5. Identify best practices for risk / contingency management (lecture b)
Health IT Workforce Curriculum
Version 3.0/Spring 2012
Installation and Maintenance of Health IT Systems
System Security Procedures and Standards
Lecture b
Technical Safeguards: Access Control
Technical Safeguards include
Access controls
Audit controls
Integrity controls
Transmission security
Most effective: a layered approach, with multiple technologies employed concurrently.
Access controls begin with authorization: which persons or groups have been authorized to access ePHI?
Can be implemented with AD (Active Directory) or LDAP (Lightweight Directory Access Protocol).
Vendor-specific controls are usually part of the EHR.

(Summary of the HIPAA Security Rule, n.d.)
Technical Safeguards:
Audit Control
Hardware, software, and procedural mechanisms to record and examine access and other activity.
Data to be logged can vary depending on the level of access controls to ePHI data.
In general, servers should use OS system logging tools to track:
Who accessed (or tried to access) the server.
What data/databases were accessed, and any changes made.

(Summary of the HIPAA Security Rule, n.d.)
Technical Safeguards: Audit Control (cont'd)
EHR should also support logging:
User access
Patient data accessed
Sign-on failures
Data changes made
Periodic proactive audits (sampling)
Consider for higher-risk patient populations (e.g., employees) or after publicized events.
To deter abuse, make users aware that audits occur.
Reactive audits triggered by a defined event

(University of Wisconsin-Madison, 2004)
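To make the two audit styles on this slide concrete, here is an added Python example (not part of the lecture) that reviews EHR audit records for a reactive trigger (repeated sign-on failures) and a proactive sample (every access to a higher-risk patient, such as an employee). The log format, user names, patient IDs, and failure threshold are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample EHR audit records (not from the lecture), one event per line:
# timestamp|user|event|patient_id|detail
SAMPLE_LOG = """\
2012-03-01T08:01:10|jdoe|LOGIN_FAIL|-|bad password
2012-03-01T08:01:25|jdoe|LOGIN_FAIL|-|bad password
2012-03-01T08:01:40|jdoe|LOGIN_FAIL|-|bad password
2012-03-01T08:01:55|jdoe|LOGIN_FAIL|-|bad password
2012-03-01T08:02:30|asmith|LOGIN_OK|-|
2012-03-01T08:05:00|asmith|VIEW|P1001|demographics
2012-03-01T08:06:12|asmith|VIEW|P2002|lab results
2012-03-01T08:07:45|asmith|UPDATE|P2002|allergy list
2012-03-01T09:15:00|bjones|LOGIN_OK|-|
2012-03-01T09:16:30|bjones|VIEW|P1001|medications
"""

# Constructed: patients the organisation treats as higher-risk for privacy abuse
# (the lecture's example is employees), which get periodic proactive audits.
HIGH_RISK_PATIENTS = {"P2002": "employee"}

# Constructed reactive-audit trigger: this many sign-on failures by one user.
FAIL_THRESHOLD = 3


def parse_log(text):
    """Split each pipe-delimited line into a record dict."""
    records = []
    for line in text.splitlines():
        ts, user, event, patient, detail = line.split("|", 4)
        records.append({"ts": ts, "user": user, "event": event,
                        "patient": patient, "detail": detail})
    return records


def reactive_findings(records):
    """Reactive audit: users whose sign-on failures reached the defined trigger."""
    fails = Counter(r["user"] for r in records if r["event"] == "LOGIN_FAIL")
    return {user: n for user, n in fails.items() if n >= FAIL_THRESHOLD}


def proactive_findings(records):
    """Proactive audit: every access to a high-risk patient's record, grouped by user."""
    hits = defaultdict(list)
    for r in records:
        if r["patient"] in HIGH_RISK_PATIENTS:
            hits[r["user"]].append((r["ts"], r["event"], r["patient"], r["detail"]))
    return dict(hits)


def data_changes(records):
    """Changes made to ePHI, which the EHR should log for later review."""
    return [(r["user"], r["patient"], r["detail"]) for r in records if r["event"] == "UPDATE"]
```

Each finding is only a lead for a human reviewer: the employee record accesses by asmith may be legitimate care, which is why the slide says to make users aware that such reviews happen.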
Technical Safeguards: Integrity Control
ePHI data must not be altered or destroyed improperly. This should be ensured through proper:
Policies
Procedures
Electronic measures and controls
Network access
Computer or Server access
Database access

(Summary of the HIPAA Security Rule, n.d.)
Technical Safeguards: Transmission Security
Transmission security technologies can include VPNs, firewalls, VLANs, and intrusion detection.
Network transmissions of ePHI must guard against unauthorized access.
Eavesdropping on traffic requires access to the network medium.
Offsite access and connections are especially vulnerable; they should be limited and tightly regulated.
Use a Virtual Private Network (VPN) to encase traffic; a VPN uses encryption, authentication, and authorization to protect data.
Suitable choices: Layer Two Tunneling Protocol/Internet Protocol security (L2TP/IPSec), OpenVPN, Cisco AnyConnect or similar, but NOT Point-to-Point Tunneling Protocol (PPTP).


(Summary of the HIPAA Security Rule, n.d.)
What is a Virtual Private Network (VPN)?
[Slide 8: VPN example image]
Technical Safeguards: Firewall
Firewalls
A firewall inspects incoming network traffic and permits or denies access based on defined criteria.
It may be hardware- or software-driven.
It blocks ports through which intruders can gain access (e.g., port 80, which carries web traffic).
Most commonly placed on the network perimeter (network-based) or on a network device (host-based).
The EHR will require certain ports to remain open.

(Summary of the HIPAA Security Rule, n.d.)
[Slide 10: Firewall example image]
Technical Safeguards: Virtual Local Area Network (VLAN)
Divides networks administratively.
Multiple VLANs can separate devices and data, so that sensitive traffic is unseen by non-authorized devices.
One physical network, multiple virtual networks.
One example VLAN setup:
Administration (Internet access, appointments)
Voice (IP phones and teleconferencing)
Labs (EHR access and lab equipment)
MedData (EHR access, billing, insurance, clinic data)


Technical Safeguards: Intrusion Detection System (IDS)
Monitors networks or systems for malicious activities or policy violations.
Logs such activity and notifies the administrator.
Advanced systems can take preemptive actions to stop the activity (Intrusion Prevention System, or IPS).
Common Security Vulnerabilities and Breaches
According to the TCP/IP Core Networking Guide from
Microsoft:
Inside jobs, social engineering
Brute force
Eavesdropping, sniffing, snooping
Data modification
Identity spoofing
Password-based attacks
Denial of service attacks
Man in the middle attacks
Application layer attacks
(Microsoft/TechNet, n.d.)

Server & Computer Security Tips
Install a firewall, IDS, and monitoring tools to monitor and protect all servers using or storing ePHI.
Strong policies for tracking ePHI, and for limiting its transmission or storage to approved systems only.
Hide or remove default or guest accounts.
Provide a method for generating and verifying strong passwords.
Monitor user account usage. Disable unused accounts.
Antivirus software, with updates.
Attack surface reduction: turn off unneeded server applications.
Review and verify vendor recommendations for secure configuration.
Create a security baseline: scan and verify implementation.
Install service packs within 48 hours of release.
Lock down database applications and regularly install updates.

(Password Strength, 2012)
Server & Computer Updates and Security Baseline
System updates and service packs
Automatic and immediate for Internet-connected systems.
Test and verify before patching critical systems.
Note: many networked medical devices are only supported by the vendor with specific software or configurations. Check with the system vendor before installing patches on patient medical devices.
Create a security baseline: scan and verify implementation.
Database applications will have their own update and patching procedures.
Contingency Plans
Back-up and Storage of critical data
Plan to restore systems
List of Emergency Contacts
Contingency plan for temporary office space
Maintaining secure offsite data storage
Criteria for activating contingency plan

(Hartley, 2005)
Contingency Plans (contd)
Written plans
Risk analysis/assessment
Database backup
Database secure storage
Data restore plan
Disaster recovery plan
Critical incident response plan
Software inventory
Hardware inventory
Logs: transmission points
Data Backup Policy
Data integrity is just as important as confidentiality.
Backing up critical files, including patient or EHR databases, helps ensure data recovery after a catastrophic failure or security breach.
Determine the procedures, hardware, and software required for reliable and efficient backup of production databases.
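The Integrity Control slide requires that ePHI not be altered or destroyed improperly, and this slide says a backup must allow recovery; the added Python example below (not part of the lecture) ties the two together by writing a backup with a SHA-256 manifest and then checking, before restore, that nothing in it was modified or lost. The file names and contents are constructed samples.

```python
import hashlib
import json
import os
import tempfile

# Constructed sample "production database" files; the lecture names no specific format.
SAMPLE_FILES = {
    "ehr.db": b"patient records (constructed sample bytes)",
    "billing.db": b"billing ledger (constructed sample bytes)",
}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def write_backup(dest_dir, files):
    """Copy each file into dest_dir and record a SHA-256 digest per file in a manifest.
    In practice keep the manifest (or a signed copy) apart from the backup media, so an
    attacker who can alter the backup cannot also rewrite the digests."""
    manifest = {}
    for name, data in files.items():
        with open(os.path.join(dest_dir, name), "wb") as f:
            f.write(data)
        manifest[name] = sha256_bytes(data)
    with open(os.path.join(dest_dir, "MANIFEST.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_backup(dest_dir):
    """Return {filename: 'ok' | 'modified' | 'missing'} by re-hashing against the manifest."""
    with open(os.path.join(dest_dir, "MANIFEST.json")) as f:
        manifest = json.load(f)
    status = {}
    for name, expected in manifest.items():
        path = os.path.join(dest_dir, name)
        if not os.path.exists(path):
            status[name] = "missing"
            continue
        with open(path, "rb") as f:
            status[name] = "ok" if sha256_bytes(f.read()) == expected else "modified"
    return status


def demo():
    """Write a backup, verify it, then simulate improper alteration and loss at rest."""
    with tempfile.TemporaryDirectory() as d:
        write_backup(d, SAMPLE_FILES)
        clean = verify_backup(d)
        with open(os.path.join(d, "ehr.db"), "ab") as f:
            f.write(b" tampered")
        os.remove(os.path.join(d, "billing.db"))
        return clean, verify_backup(d)
```

A restore procedure should refuse to proceed on any status other than "ok" and raise the event for the incident response plan discussed later in this lecture.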
Secure Data Storage & Restore Policies
Data are most susceptible to corruption or loss in a state of rest (90% of the time).
Databases need particularly thorough analysis for risks.
Detailed guidelines for securing and safely restoring data stored on the network.
Disaster Recovery & Critical Incident Response Plans
Address emergencies requiring immediate intervention to protect the network or restore operational status after a catastrophe.
Based on the original risk analysis.
Outline the elements, procedures, and people needed to restore the network or mitigate an imminent threat in a timely manner.
Hardware & Software Inventories
Hardware inventory
Loss of hardware can mean a loss much greater than just the replacement cost.
Helps ensure equipment is properly locked down and secure.
Software inventory
Provides insight to manage and mitigate risks to the network from software vulnerabilities.
Facilitates proper software management practices, including patching.
Logs: Transmission Points
An effective logging and monitoring strategy is critical to network security.
Logs can be overwhelmingly large.
Determine which data need stringent monitoring (e.g., who is accessing); begin by concentrating efforts there.
Written plan of what is logged and why, with procedures for auditing and a record of accountability to ensure compliance.
System Security Procedures and Standards: Summary
Technical safeguards for ePHI are those automatically enforced by systems.
System vulnerabilities exist, but application of best practices for system security will reduce exposure and risk.
Risk and contingency plan development is a critical step in ensuring secure operation of EHR systems and regulatory compliance.
System Security Procedures and Standards: References
Common Types of Network Attacks. (n.d.). Microsoft Windows TCP/IP Core Networking Guide. Distributed Systems Guide, Windows 2000 Server. http://technet.microsoft.com/en-us/library/cc959354.aspx
Hartley, Carolyn (2005). A Secure EHR Foundation. [PowerPoint slides]. Retrieved from http://www.mtech.edu/nchci/EHRConference/Attachments/Securing%20the%20EHR%20System.pdf
Health Information Privacy - Summary of the HIPAA Security Rule. (n.d.). Retrieved February 8, 2012, from U.S. Department of Health & Human Services website: http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
Password Strength. (n.d.). Retrieved January 12, 2012, from Wikipedia: http://en.wikipedia.org/wiki/Password_strength#Guidelines_for_strong_passwords
University of Wisconsin-Madison HIPAA Security Best Practices Guidelines, #3 Audit Controls, 4D. (2004, April 13). Retrieved from University of Wisconsin-Madison: http://hipaa.wisc.edu/docs/auditControls.pdf

Images:
Slide 8: VPN example, 2012. Provided by Scott Neal
Slide 10: Firewall example, 2012. Provided by Scott and Nolan Neal
