UConn Health Center

Security Optimization & Fortification Initiative
Bob Brandner, Deputy CIO

Overall Objectives
• All the healthcare business drivers mentioned in the Datacard slides apply to our scenario
• Use digital signatures to replace written signatures as approvals for internal forms routing and external electronic commerce
• Single, streamlined process for employees or affiliates to obtain credentials/privileges for visual, physical or logical access
• Centrally managed security administration (issuance, revision, revocation) process with emphasis on improving:
  – Timeliness of service delivery
  – Audit capabilities
  – Accountability
  – Measurements
• Fortification of safeguards for all aspects of security using the smart card as a single credential store
• Address HIPAA requirements with common sense (see Appendix Two)
• Introduce two-factor authentication in sensitive areas using any combination of:
  – Password/PIN (something you know)
  – Smart card/PKI (something you have)
  – Biometric (something you are)
• Facilitate automated password administration by introducing single/reduced sign-on capability


Value Statement
Datacard offers a single source solution for consolidating visual, physical, and network authentication using a seamless smart card issuance process. This provides greater security at a lower cost.

Staff & Caregiver ID - Needs
• One ID card for multiple functions
• One secure enrollment & card issuing process
• One secure and accurate data source
• Integration of a “second” factor of authentication in network and physical access
• Multiple applications on smart cards
  – network security, cafeteria, vending

Smart Cards
• Multi-application capability
  – Logical security
  – Add single sign-on & PKI
  – Add biometric template
  – Future applications
• Best choice for combining logical and physical security
  – Combine two or three factors of authentication: something you have (card), something you know (PIN) and something you are (biometric)
  – Portable, secure

Mirrors UConn Health Center’s Goals & Approach

Central Secured Identity Database
• ONE database to store identity information
  – HR, LDAP-compliant directory, central ID database
  – Populate from HR database
  – Connectivity to legacy access control & time/attendance systems
  – Ability to view from other locations


UConn Current State – Physical & Visual
• Visual & physical security is accomplished with at least six different cards (i.e. photo badge, door access mag stripe & proximity, parking lot proximity, mag stripe vending, etc.)
• Employee picture IDs have no intelligence; the other card types do not include pictures, and all are configured via different applications
• Badge color is the only visual differentiation of physical access rights between employees
• Public Safety (Campus Police) receives a paper list of new employees scheduled for weekly orientation who need badge pictures taken


UConn Current State – Logical (Chaos)
• Approximately 199 business applications in use by over 3000 employees
• 56 different employees manage password access for the 199 applications (only IDX Suite access is managed by IT)
• 52% contain Protected Health Information (PHI)
• 40% have the ability to assign varying levels of access
• 34% have role-based access administration
• 18% have passwords with automatic expiration
• 15% of applications are used enterprise-wide:
  – 10 applications have between 250 and 500 users
  – 6 applications have between 50 and 250 users
  – 13 applications have between 20 and 50 users
• Approximately 332 users have access to at least two enterprise-wide applications:
  – 184 users have access to two different enterprise-wide clinical applications:
    • (134) IDX Suite & Lab
    • (28) IDX Suite & Radiology
    • (22) IDX Suite & Pharmacy
  – 142 users with access to the IDX Clinical Suite also have access to the Finance System
  – 80 users have access to both the Human Resources and Finance Systems
• 85% of applications (170) have between 1 and 20 users and are departmental in nature


UConn Current State – Smart Cards
• In-house developed Physician Order Entry (POE) system is PKI-enabled for logon via a Gemplus smart card & PIN, with photo and Verisign digital certificate (OnSite Lite product)
• The digital certificate is captured for each order in a SQL database
• Over 500 cards issued to physicians and residents
• Visual only: employee IDs are also required for smart card users
• Physicians find use of the PIN cumbersome and would like a biometric option for the second authentication factor
• The CT Hospital Association supplied and administered the smart card printing/issuance process, but discontinued this service one month into the POE rollout
• The ability to manage the entire smart card lifecycle in-house was required immediately
• ActivCard selected as vendor of choice via RFP for a smart card driven pilot including cards, readers, printer, smart card lifecycle management and reduced sign-on software

ActivCard/Datacard - Smart Card Pilot Objectives
• Automatic creation of cryptographic smart cards to be used for PKI, desktop security, physical access, time reporting, copier charge debit and photo ID badge purposes
• Reduced sign-on to Windows client/server, Telnet and browser-based system logons (no programmatic interface or vendor-specific agents required)
• Protection of information and transactions using PKI
• Desktop locking and session resumption
• Single, application-shareable credential store (LDAP compliant)
• Web authentication using SSL and client-side certificates
• Digitally signed and encrypted e-mail (S/MIME)
• Mobile certificates using smart cards or virtual smart cards
• Automatic and manual PC file encryption
• Compatible with Verisign certificates


Pilot Results
• Using templates created in ID Works with support from the distributor, currently using the Datacard ICIV camera and printer to issue Schlumberger smart cards for the POE application
• Adding Verisign certs to smart cards
• Verified the ability of ActivCard Trinity software to automate the following system access functions:
  – Create a single credential store in the LDAP directory and transfer each employee’s individual user IDs and passwords to the smart card
  – Automate the sign-on process to all systems by using tools to create software templates for the various UCHC client/server, terminal-emulated or web-based logon dialogs
  – Automate creation of new passwords by recognizing the expiration notice and using rules to seamlessly create a system-specific new password
  – Use any combination of smart card, PIN, password or biometric for system authentication, varied by employee and/or by each system accessed by each employee
  – Automate MS Domain/Exchange and/or Active Directory logon
  – Assignment of access privileges to new hires via drag and drop of templates
  – PC session locking when the smart card is removed
• Verified the ability to feed new employee data from the HR system to MS Active Directory’s LDAP store, which automatically updates both the Trinity and ID Works databases (see Appendix One for data flow)
• The Clinical IT Steering Committee saw a demo of Trinity’s automated logon capabilities and strongly endorsed the product
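The pilot list above says Trinity recognizes a password expiration notice and then uses rules to create a system-specific new password. The Go program below is an added example, not code from the page, Trinity or ActivCard. It shows the two pieces such a rotation agent needs and the checks that matter: recognize the notice, generate the replacement from the OS CSPRNG (never math/rand) so that it provably satisfies the target system's policy, and validate it before submitting. The policy values, the logon banner text and the regular expression are assumptions constructed for the example.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"regexp"
	"strconv"
	"strings"
)

const (
	lower   = "abcdefghijklmnopqrstuvwxyz"
	upper   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	digits  = "0123456789"
	symbols = "!@#$%^&*-_=+"
)

// Rules is one target system's policy: lowercase is always allowed and Require
// lists classes that must each appear. Values below are example assumptions.
type Rules struct {
	MinLen, MaxLen int
	Require        []string
}

func (r Rules) alphabet() string { return lower + strings.Join(r.Require, "") }

// randIndex draws a uniform index in [0, n) from the OS CSPRNG; never math/rand.
func randIndex(n int) (int, error) {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		return 0, err
	}
	return int(v.Int64()), nil
}

// Generate builds a password of the longest length the system accepts: one
// character from each required class first (so the policy is always met), the
// rest from the whole alphabet, then a Fisher-Yates shuffle of the positions.
func Generate(r Rules) (string, error) {
	if r.MinLen <= 0 || r.MaxLen < r.MinLen || len(r.Require) >= r.MaxLen {
		return "", fmt.Errorf("length rules cannot satisfy required classes")
	}
	sets := append([]string{lower}, r.Require...)
	for len(sets) < r.MaxLen {
		sets = append(sets, r.alphabet())
	}
	out := make([]byte, len(sets))
	for i, set := range sets {
		k, err := randIndex(len(set))
		if err != nil {
			return "", err
		}
		out[i] = set[k]
	}
	for i := len(out) - 1; i > 0; i-- {
		j, err := randIndex(i + 1)
		if err != nil {
			return "", err
		}
		out[i], out[j] = out[j], out[i]
	}
	return string(out), nil
}

// Validate runs before submission: length bounds, required classes, no character the system rejects.
func Validate(pw string, r Rules) bool {
	if len(pw) < r.MinLen || len(pw) > r.MaxLen {
		return false
	}
	for _, set := range r.Require {
		if !strings.ContainsAny(pw, set) {
			return false
		}
	}
	return strings.Trim(pw, r.alphabet()) == ""
}

var expireIn = regexp.MustCompile(`(?i)password (?:will )?expires? in (\d+) days?`)

// ParseExpiryNotice recognises the expiration banner a host prints at logon
// and returns the days remaining; ok is false if the line is not a notice.
func ParseExpiryNotice(line string) (days int, ok bool) {
	m := expireIn.FindStringSubmatch(line)
	if m == nil {
		return 0, false
	}
	days, _ = strconv.Atoi(m[1])
	return days, true
}

func main() {
	// Constructed sample banner and policy; not real UCHC data.
	lab := Rules{MinLen: 8, MaxLen: 14, Require: []string{upper, digits, symbols}}
	if days, ok := ParseExpiryNotice("WARNING: your password will expire in 3 days"); ok && days <= 7 {
		pw, err := Generate(lab)
		fmt.Printf("rotate Lab: err=%v length=%d policy met=%v\n", err, len(pw), Validate(pw, lab))
	}
}
```

Generating at the system's maximum length is a deliberate choice: the agent, not a person, has to remember the value, so there is no reason to leave entropy on the table.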

Security Initiative Current Status
• Initiating purchase of the first 100 of 2500 to 3000 total Trinity licenses
• Creating temporary point-to-point feeds from the HR system directly to the ID Works and Trinity databases (until Active Directory is in full production)
• Modifying the COM object providing the PKI interface via smart card for POE logon to use Schlumberger cards and Trinity software
• Working with the various individuals responsible for password administration of UCHC systems to establish IT Security as the single customer contact for requesting and aggregating credentials for multiple systems (Access Broker)
• Finalizing the strategy for assigning the appropriate type of ID card to the requirements of various job types (i.e. plastic photo card; picture & mag stripe; picture, mag & proximity & smart card combo)
• Modifying HR new-employee forms to capture systems access request information and adding it to the electronic feed
• Modifying electronic approvals for in-house forms routing to replace use of SS# and password with PKI
• Transitioning Datacard equipment and ID Works operation to the Public Safety (Security) department to replace current visual-only badges
• Rolling out Trinity software to the most sensitive patient care areas and to communities requiring access to multiple applications
• Evaluating opportunities to interface the Trinity credentialing process with Verisign enrollment to further streamline administration
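Two items on this page rest on the same mechanism: the POE system captures a digital certificate with each physician order (Current State – Smart Cards), and the status list above replaces SS#/password approvals in forms routing with PKI. The Go program below is an added example, not the POE, Trinity or Verisign code. It signs an order with an ECDSA key of the kind a smart card holds, stores the signer's certificate (DER) alongside the order the way the page's SQL database does, and shows the verification an auditor needs: the certificate must have been valid at the time the order was issued, not merely today, and must be a signing certificate. The Verisign enrollment is replaced by a self-signed certificate so the example runs offline; chain validation to the issuing CA and revocation checking are omitted and are assumptions a production verifier would add. The Order layout and all names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Order is the record a physician approves (layout assumed; not the POE schema).
type Order struct {
	OrderID, PatientID, Text string
	Issued                   time.Time
}

// SignedOrder is what the database keeps per order: order, signature and the
// signer's certificate (DER), so the approval stays verifiable after that
// certificate expires or is replaced.
type SignedOrder struct {
	Order     Order
	Signature []byte
	CertDER   []byte
}

// canonical yields the exact bytes signed; fixed field order and separators
// let the verifier rebuild them.
func canonical(o Order) []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%d", o.OrderID, o.PatientID, o.Text, o.Issued.Unix()))
}

// newCredential stands in for the Verisign enrollment on the page: a self-signed
// signing certificate so the example runs offline. With a CA-issued certificate
// Verify would also validate the chain and check revocation, omitted here.
func newCredential(cn string, notBefore time.Time, days int) (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, days),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	return priv, der, err
}

// Sign is the POE client's step, done with the key that lives on the card.
func Sign(o Order, priv *ecdsa.PrivateKey, certDER []byte) (SignedOrder, error) {
	h := sha256.Sum256(canonical(o))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return SignedOrder{}, err
	}
	return SignedOrder{Order: o, Signature: sig, CertDER: certDER}, nil
}

// Verify is the audit-side check: the stored certificate must have been valid
// when the order was issued (not merely now) and permitted to sign, and the
// signature must match the rebuilt canonical bytes.
func Verify(so SignedOrder) error {
	cert, err := x509.ParseCertificate(so.CertDER)
	if err != nil {
		return err
	}
	if so.Order.Issued.Before(cert.NotBefore) || so.Order.Issued.After(cert.NotAfter) {
		return errors.New("certificate was not valid at order time")
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("certificate is not a signing certificate")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected public key type")
	}
	h := sha256.Sum256(canonical(so.Order))
	if !ecdsa.VerifyASN1(pub, h[:], so.Signature) {
		return errors.New("signature does not match the stored order")
	}
	return nil
}

func main() {
	// Constructed sample; errors from the stdlib key generation are ignored only here.
	now := time.Now()
	priv, certDER, _ := newCredential("Dr. Example", now.Add(-time.Hour), 365)
	so, _ := Sign(Order{OrderID: "42", PatientID: "P-1", Text: "CBC", Issued: now}, priv, certDER)
	fmt.Println("original:", Verify(so))
	so.Order.Text = "CBC + drug screen" // altered after signing
	fmt.Println("tampered:", Verify(so))
}
```

Storing the certificate with each order, rather than only a pointer to the physician's current certificate, is what makes the approval checkable years later when the card has been reissued; the time check against the stored certificate's validity window is the part most home-grown verifiers forget.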

Appendix One – New Employee Data Flow

• Greentree Applicant Tracking System (HR): generates an electronic feed containing the list of new employees, including departmental demographics, facility access and information systems access information. The feed includes the names of new employees needing facility, barcode and information systems access.
• MS Active Directory (LDAP v3): receives the feed. Once a digital certificate has been issued, the new employee’s Active Directory record is updated with the digital certificate information via LDAP.
• ID Works System: the full set of new employee information is fed from MS Active Directory via LDAP into the Access database for the ID Works badging system.
• Trinity System: only the names of new employees needing systems access are fed from MS Active Directory via LDAP into the database for the Trinity authentication application.
• Required badging option, decided per employee:
  – Picture badge only (plastic only)
  – Picture badge with facility access and/or barcode card configuration only (magnetic stripe)
  – Picture badge with facility & IT systems card configuration (magnetic stripe & microchip)
• Need digital certificate? If so, IT Security enrolls the new employee in the Verisign PKI system and readies the certificate for download to the card; the certificate is sent from Verisign to a special e-mail account at Public Safety.
• IT Security creates the Trinity new employee systems access profile, available for download to the ID badge.
• Public Safety prints the badge with picture, with or without barcode/mag stripe.
• Need IT access credentials on card? If so, Public Safety logs into the Trinity system as Operator, inserts the new card into the reader and downloads the IT access credentials to the card.
• PKI digital certificate? If so, Public Safety downloads the Verisign certificate onto the card via the card reader.
• Public Safety gives the finished badge to the employee.
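The flow above is a decision procedure: the HR feed row determines the badge type, whether the employee is fed to Trinity, and whether IT Security must enroll the employee for a certificate. The Go program below is an added example, not the Greentree, ID Works or Trinity code; it encodes those decisions and produces the LDAP add for Active Directory. Two practitioner checks the flowchart does not show are included: a malformed feed row is rejected rather than defaulted, because the feed is the source of truth for access, and name fields are escaped per RFC 4514 before they are placed in a DN, so text typed into HR cannot change where the directory entry lands. The feed field layout, the base DN and the use of the employeeType attribute to carry the badge decision are assumptions, and the sample row is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// FeedRecord is one row of the HR new-employee feed. The field layout is an
// assumption for the example; the Greentree feed format is not on the page.
type FeedRecord struct {
	EmployeeID, GivenName, Surname, Department string
	FacilityAccess, Barcode                    bool     // door/parking; cafeteria/copier debit
	SystemsAccess                              []string // applications requested, e.g. "IDX Suite"
	SignsOrders                                bool     // physician or resident approving POE orders
}

type BadgeType string

const (
	PictureOnly    BadgeType = "Picture badge only (plastic)"
	PictureMag     BadgeType = "Picture badge with mag stripe"
	PictureMagChip BadgeType = "Picture badge with mag stripe and microchip"
)

// Provision records where the flowchart routes this employee.
type Provision struct {
	Badge          BadgeType
	FeedToTrinity  bool     // only employees needing systems access
	NeedsCert      bool     // Verisign enrollment by IT Security
	TrinityProfile []string // systems access profile for download to the card
}

// Validate rejects rows that must not drive provisioning; a malformed row is an error, never a default.
func Validate(r FeedRecord) error {
	if strings.TrimSpace(r.EmployeeID) == "" || r.Surname == "" || r.GivenName == "" {
		return errors.New("feed row missing identity fields")
	}
	if r.SignsOrders && len(r.SystemsAccess) == 0 {
		return errors.New("order signer without any systems access request")
	}
	return nil
}

// Decide applies the flowchart: systems access selects the chip card and the
// Trinity feed (an order signer also needs a certificate); facility or barcode
// use alone gets a mag stripe; everyone else gets a plastic photo badge.
func Decide(r FeedRecord) Provision {
	p := Provision{Badge: PictureOnly}
	switch {
	case len(r.SystemsAccess) > 0:
		p.Badge = PictureMagChip
		p.FeedToTrinity = true
		p.TrinityProfile = append([]string(nil), r.SystemsAccess...)
		p.NeedsCert = r.SignsOrders
	case r.FacilityAccess || r.Barcode:
		p.Badge = PictureMag
	}
	return p
}

// escapeDN escapes the characters RFC 4514 reserves in a DN attribute value,
// so a surname such as "O'Brien, Jr." cannot break or redirect the DN.
func escapeDN(v string) string {
	var b strings.Builder
	for i, ch := range v {
		if strings.ContainsRune(`,+"\<>;`, ch) || (ch == '#' && i == 0) ||
			(ch == ' ' && (i == 0 || i == len(v)-1)) {
			b.WriteByte('\\')
		}
		b.WriteRune(ch)
	}
	return b.String()
}

// LDIF renders the Active Directory add that the feed produces. The base DN
// and carrying the badge decision in employeeType are assumptions.
func LDIF(r FeedRecord, p Provision) string {
	cn := r.Surname + ", " + r.GivenName
	lines := []string{
		fmt.Sprintf("dn: CN=%s,OU=%s,DC=uchc,DC=example", escapeDN(cn), escapeDN(r.Department)),
		"changetype: add",
		"objectClass: user",
		"cn: " + cn,
		"sn: " + r.Surname,
		"givenName: " + r.GivenName,
		"employeeID: " + r.EmployeeID,
		"employeeType: " + string(p.Badge),
	}
	return strings.Join(lines, "\n") + "\n"
}

func main() {
	// Constructed sample row; not a real UCHC employee.
	r := FeedRecord{EmployeeID: "100", GivenName: "Ann", Surname: "O'Brien, Jr.", Department: "Radiology",
		SystemsAccess: []string{"IDX Suite", "Radiology"}, SignsOrders: true}
	p := Decide(r)
	fmt.Println(Validate(r), p.Badge, p.FeedToTrinity, p.NeedsCert, LDIF(r, p))
}
```

The Trinity feed carrying only employees who need systems access, as the flowchart specifies, follows directly from FeedToTrinity being set only on the chip-card branch; the plastic-only and mag-stripe branches never reach the authentication database.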


Appendix Two
HIPAA Myths and Realities

I. Privacy Compliance Requirements

Myth a) The rule mandates IT system redesigns for the ability to impose distinct limitations on the precise data elements accessible by dozens of user roles.
Reality: The rule calls for a balance between the ultimate protection, risk and cost, and clearly states the desire not to impose burdens that affect patient care. Creating a few roles with access to a broad range of patient PHI data elements is both permissible and appropriate as part of a HIPAA-compliant procedure because:
• Most employees with ANY access rights to electronic PHI have legitimate needs to access diagnosis & procedure information
• Many employees with ANY access rights need to access infection precautions
• The minority of staff not needing access to these broad categories should be placed into a few roles with very limited PHI access

Myth b) Most privacy rule provisions require modifications to existing or newly acquired electronic systems containing PHI.
Reality: Compliance with the majority of the privacy rule provisions will be achieved by:
• Securing physical access to facilities where either paper (file rooms) or systems containing PHI (Data Center) are stored
• Employee education on the sacred nature of patient privacy
• Implementing & enforcing specific privacy policies
• Use and tracking of paper consent/authorization forms
System modifications may be required to deliver the following capabilities that are necessary for HIPAA compliance:
• Verify that authorizations for repeated disclosures have not been revoked prior to each PHI disclosure
• Log the nature and date of each disclosure
• Record amendments made to electronic PHI at patient request or by staff

Myth c) Impersonation of a patient at the point of care represents the principal and most probable threat of unauthorized access to PHI via the HCO’s electronic systems.
Reality: Impersonating a patient at the point of care to illegally acquire a person’s electronic PHI is not a probable threat because:
• The number of parties interested in a “non-celebrity’s” PHI, but not entitled to it, is small at any time
• There is no ready market for PHI a hacker might acquire by impersonating the individual
• Blackmail for large sums of money is too messy, too risky and too personal for hackers
• Exploiting the helpful nature of staff not adequately trained in patient privacy policies & procedures is a much more probable scenario for illegal/inappropriate access to PHI than stealing a password by “shoulder surfing”

II. Security Compliance Requirements

Myth a) Requires enormous investment in IT security specifically for HIPAA compliance.
Reality:
• The majority of security rule compliance will be addressed by physical facility security enhancements and by establishing policies to protect PHI
• The majority of the rule’s electronic data protections will use technology organizations have installed, or are planning to install, as part of normal business precautions and infrastructure upgrades

Myth b) Mandates very specific security technologies & solutions.
Reality: The rules mandate capabilities, policies and mechanisms, not specific technologies.

Myth c) Requires use of two-factor authentication to access PHI (e.g. password & biometric).
Reality:
• The majority of electronic access to PHI can be sufficiently protected by ensuring the use of unique user IDs and passwords
• Two-factor authentication methods (i.e. smart card/PIN, biometric/PIN, etc.) will make sense in the most sensitive care delivery settings
• The best and most widely pursued method of ensuring adequate protection for electronic PHI is automating the provisioning and tracking of access rights via single sign-on technology

Myth d) Electronic PHI remote access via the Internet requires use of password tokens (SecurID cards) and Virtual Private Network (VPN) software.
Reality: Not required; use of normal Internet browser technology supporting SSL encryption, unique passwords and inactivity timeouts will address HIPAA requirements.