Introduction to Healthcare Information Technology
Chapter Eight
Advanced Healthcare Information Security
Objectives
• Define encryption and explain how it can be used to secure information
• Describe the vulnerabilities and protections of wireless networks
• List the different remote access technologies
• Explain how to securely dispose of a document
Healthcare IT: Challenges and Opportunities
• Properly disseminating protected health information
– A growing concern
• Solution: apply layers of defense
• Encrypting document contents
– Second level of protection for important documents
• Protecting mobile data
– Growing in importance as more data is stored on portable media
Encryption
• Cryptography
– Transforming information into a secure form while it is being transmitted or stored
– Information is “scrambled” to prevent unauthorized persons from accessing it
Basic Cryptography
• Defining cryptography
– Origins date back centuries
– Used by Julius Caesar
• Encryption
– Changing the original message into a coded message
• Decryption
– Decoding the message back to original form
• Cleartext data
– Data stored or transmitted without encryption
Basic Cryptography (cont’d.)
• Plaintext
– Cleartext data to be encrypted
• Algorithm
– Procedures based on a mathematical formula used to encrypt the data
• Key
– Mathematical value entered into the algorithm to produce ciphertext (scrambled text)
Figure 8-1 Cryptography process
© Cengage Learning 2013
Basic Cryptography (cont’d.)
• Five basic protections of cryptography
– Confidentiality
– Integrity
– Availability
– Authenticity of the sender
– Nonrepudiation
• Proves that a user performed an action
• Prevents an individual from fraudulently denying an action
Basic Cryptography (cont’d.)
• Symmetric cryptography
– Uses the same single key to encrypt and decrypt a document
– Also called private key cryptography
– Can provide strong protection as long as key is kept secure
• Data Encryption Standard (DES)
– One of the first widely popular symmetric cryptography algorithms
Table 8-1 Information protections by cryptography
Figure 8-2 Symmetric (private key) cryptography
Basic Cryptography (cont’d.)
• Triple Data Encryption Standard (3DES)
– Uses three rounds of encryption instead of one
– Ciphertext from one round becomes input for second iteration
– Employs a total of 48 iterations in its encryption
– Most secure versions of 3DES use different keys for each round
Figure 8-3 3DES
Basic Cryptography (cont’d.)
• Advanced Encryption Standard (AES)
– Symmetric algorithm approved in 2000 to replace DES
– Designed to be secure well into the future
• Asymmetric cryptography
– Also known as public key cryptography
– Uses two keys
– Public key is known to everyone and freely distributed
– Private key is known only to one individual
Basic Cryptography (cont’d.)
• Asymmetric cryptography important principles
– Key pairs
– Public key
• Does not need to be protected
– Private key
• Should be kept confidential
– Both directions
• Document encrypted with a public key can be decrypted with the corresponding private key, and vice versa
Figure 8-4 Asymmetric (public key) cryptography
Applying Cryptography
• Cryptography frequently used to protect data in one of two states
– At rest
• When data is being stored
– In motion
• As data is transported through electronic communications
Applying Cryptography (cont’d.)
• Cryptography can be applied to:
– Individual files
– Databases
– Removable storage devices
– File server and LAN storage
• Network attached storage device
– Connected to the network to provide storage
• Storage area network
– Dedicated network for storage
– Not directly accessible to devices through the LAN
Applying Cryptography (cont’d.)
• Encryption software
– Can be used to encrypt or decrypt files one by one
• Software products
– Pretty Good Privacy (PGP)
– GNU Privacy Guard (GPG)
• Microsoft’s Encrypting File System (EFS)
– Used to protect groups of files in a specific folder
– Encrypting and decrypting processes are transparent to the user
Applying Cryptography (cont’d.)
• Whole disk encryption
– Can be used to protect all data on a hard drive
– Example: BitLocker drive encryption software
• Hardware encryption
– Cannot be exploited like software cryptography
• Self-encrypting hard disk drives:
– Can protect all files stored on them
– If authentication process fails, drive can be configured to deny access or perform cryptographic erase on certain data
Applying Cryptography (cont’d.)
• Trusted Platform Module (TPM)
– Chip on the computer motherboard
– Provides cryptographic services to all devices
– Prevents computer from booting if system files or data have been altered
– If hard drive is moved to a different computer, user must enter a recovery password to gain access
Applying Cryptography (cont’d.)
• Encrypting communications
– Cryptography can protect data as it moves across a network
• Secure Sockets Layer (SSL)
– Protocol for securely transmitting documents over the Internet
– Uses a public key to encrypt data over an SSL connection
Applying Cryptography (cont’d.)
• Transport Layer Security (TLS)
– An extension of SSL
– Guarantees privacy and data integrity between applications communicating over the Internet
• Hypertext Transport Protocol over Secure Sockets Layer (HTTPS)
– Encryption protocol to secure Web communications
• IP Security (IPsec)
– “Transparent” security protocol
• No need to install or configure software
Applying Cryptography (cont’d.)
• Fax
– Can be encrypted using an SSL connection
– Or a special stand-alone fax machine that encrypts and decrypts faxes
• E-mail
– Encrypted using PGP or similar application
• Chat
– No single standard exists for encrypting chat
– Some clients use SSL or PGP
Applying Cryptography (cont’d.)
• Telephones
– A model telephone exists that will encrypt and decrypt conversations
• VoIP
– Encrypted using standard LAN encryption technologies
• Smartphone
– Encrypted with an application installed on the phone
Applying Cryptography (cont’d.)
• Web sites
– Secured using HTTPS
• FTP sites
– FTP using Secure Sockets Layer (FTPS)
– Secure FTP (SFTP)
Wireless Security
• Wireless networks have been vulnerable targets for attackers
• Vulnerabilities of IEEE 802.11 security
– MAC address filtering
– Wired Equivalent Privacy (WEP) encryption
Wireless Security (cont’d.)
• MAC address filtering
– Limits a device’s access to the access point (AP)
– Each device has a unique media access control (MAC) address
– Device’s address entered into the software running on the AP
• Devices can be permitted or blocked
Figure 8-5 MAC address filtering
Wireless Security (cont’d.)
• Vulnerabilities of MAC address filtering
– MAC addresses are initially exchanged in unencrypted format
– Difficult to manage a large number of MAC addresses
• Wired Equivalent Privacy (WEP)
– Relies on a secret key shared between wireless client device and the AP
– Has security vulnerabilities
– No longer recommended for protecting WLAN transmissions
Wireless Security Solutions
• Initial approach to security vulnerabilities
– Temporary fixes, or patches
• Unified approach was needed
• Wi-Fi Protected Access (WPA)
– Subset of 802.11i
– Addresses both encryption and authentication
– Uses preshared key technology
• Wi-Fi Protected Access 2 (WPA2)
– Second generation of WPA security
– Introduced in 2004
Wireless Security Solutions (cont’d.)
• Remote Authentication Dial In User Service (RADIUS)
– Used for more than just dial-in networks
– RADIUS client can be a wireless AP or dial-up server
• Responsible for sending user credentials
– Detailed steps for RADIUS authentication shown in Figure 8-6
Figure 8-6 RADIUS authentication
Wireless Security Solutions (cont’d.)
• Service Set Identifier (SSID)
– Typically set to WLAN, wireless, or the name of the vendor
– Should be renamed to a generic word that does not give information about the owner or network location
• Site surveys
– In-depth examination of a proposed wireless LAN site
– Determine the number and placement of access points, and types of antennas needed
Wireless Security Solutions (cont’d.)
• Antenna placement
– Should be located near the center of the coverage area
– Recommended to mount as high as possible
• Power level controls
– Adjust the power so less of the signal leaves the premises
Wireless Security Solutions (cont’d.)
• Rogue access points
– Serious threats to network security
– Allow attackers to intercept the RF signal and bypass network security
• Methods of detecting rogue access points
– Security personnel walk the area with a protocol analyzer
– Continually monitor the RF airspace with a wireless probe
Wireless Security Solutions (cont’d.)
• Types of wireless probes
– Wireless device probe
– Desktop probe
– Access point probe
– Dedicated probe
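
Added example (not from the original slides): what continuously monitoring the RF airspace with a wireless probe comes down to, namely comparing each observed beacon against the inventory of authorized access points. The record layout, the SSIDs and BSSIDs, the sample observations and the -60 dBm signal cut-off are all constructed assumptions, not any probe product's format.

```python
from dataclasses import dataclass

# Constructed inventory of sanctioned access points: BSSID -> (SSID, channel).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("clinic-net", 1),
    "00:11:22:33:44:02": ("clinic-net", 6),
}
INSIDE_RSSI_DBM = -60  # assumed cut-off: stronger signals are treated as on-premises

@dataclass(frozen=True)
class Beacon:
    """One beacon as reported by a probe (assumed record layout)."""
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int

def classify(beacon, inventory=AUTHORIZED_APS):
    """Return authorized, misconfigured, impersonation, rogue or neighbor."""
    bssid = beacon.bssid.lower()
    if bssid in inventory:
        # A known BSSID with unexpected settings still needs a look:
        # MAC addresses travel unencrypted and can be copied.
        if (beacon.ssid, beacon.channel) != inventory[bssid]:
            return "misconfigured"
        return "authorized"
    if beacon.ssid in {ssid for ssid, _ in inventory.values()}:
        return "impersonation"  # our SSID from a radio that is not in the inventory
    return "rogue" if beacon.rssi_dbm >= INSIDE_RSSI_DBM else "neighbor"

def findings(beacons, inventory=AUTHORIZED_APS):
    """Return (bssid, ssid, verdict) for every beacon that needs follow-up."""
    rows = [(b.bssid.lower(), b.ssid, classify(b, inventory)) for b in beacons]
    return [r for r in rows if r[2] not in ("authorized", "neighbor")]

# Constructed probe observations.
SAMPLE = [
    Beacon("00:11:22:33:44:01", "clinic-net", 1, -48),   # sanctioned AP
    Beacon("00:11:22:33:44:02", "clinic-net", 11, -52),  # wrong channel
    Beacon("02:AA:BB:CC:DD:10", "clinic-net", 6, -40),   # our SSID, unknown radio
    Beacon("02:AA:BB:CC:DD:11", "linksys", 6, -45),      # unknown, strong signal
    Beacon("02:AA:BB:CC:DD:12", "cafe-guest", 11, -82),  # unknown, weak signal
]

if __name__ == "__main__":
    for row in findings(SAMPLE):
        print(row)
```

A weak unknown signal is reported as a neighbor rather than a rogue, which keeps adjacent businesses' networks out of the follow-up list.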
Remote Access
• Security for remote access connections is important
• Three typical types of remote access
– Virtual private networks
– Terminal emulation
– Remote control applications
Virtual Private Network
• Uses an unsecured public network as if it were a secure private network
– Encrypts all data transmitted between remote device and the network
– Encrypted packets are encapsulated in a second packet
• Endpoint
– End of the tunnel between VPN devices
– Can be software on a local computer, or a dedicated hardware device
Virtual Private Network (cont’d.)
• VPNs can be software or hardware-based
– Software-based VPNs offer the most flexibility in managing network traffic
– Hardware-based VPNs are more secure and have better performance
• Tunneling protocols used for VPN transmissions
– Point-to-Point Tunneling Protocol (PPTP)
• Illustrated in Figure 8-7
– Layer 2 Tunneling Protocol (L2TP)
Figure 8-7 Point-to-Point Tunneling Protocol
Terminal Emulation
• Software application that allows a desktop computer to function as a terminal
• Telnet protocol
– One of the most widely used applications
• Secure Shell (SSH)
– Encrypted alternative to Telnet used to access remote computers
Table 8-2 SSH commands
Remote Control Applications
• Remote Desktop Connection (RDC)
– Software that allows a user to connect to a remote computer
– User can function as if he/she were sitting at the remote computer
Figure 8-8 Remote Desktop Connection (RDC)
Secure Disposal
• Securely destroying sensitive documents:
– Important to prevent unauthorized retrieval from the “dumpster”
• Types of records
– Public records
– Private records
– Legal health record
• Documentation of healthcare services provided to an individual
• Contains various types of information
Retention of Medical Records
• Length of time for record retention varies based on regulations
• LHR retention by individual providers
– Seven years after the last treatment date
– Or three years after the patient’s death
• Hospital retention guidelines
– 25 years after discharge for adults
– Up to age 18 for children
– Images of the documents are sufficient
Methods of Record Disposal
• Secure shredding
– Used to destroy paper documents
• Sanitizing
– Removing only sensitive information from a document
– May involve blacking out text
• Degaussing
– Used with electronic records
– Resets magnetic charge to a neutral state
Summary
• Cryptography transforms information into a secure form so that unauthorized persons cannot access it
• Symmetric cryptography uses a single key to encrypt and decrypt a message
• Asymmetric cryptography uses two keys: a public and a private key
• Cryptography can be applied through hardware or software
• Encryption can protect data that is stored or being transmitted across a network
Summary (cont’d.)
• WPA2 and IEEE 802.11i are foundations of wireless security protections today
• A virtual private network uses tunneling protocols to communicate over a public network as if it were a secure private network
• A legal health record is the documentation of healthcare services provided to an individual
• Legal health records may be disposed of by shredding, sanitizing, or degaussing (for electronic records)