Electronic Laboratory Surveillance:
System Security Functions
Sponsored by the Centers for Disease Control and Prevention
Atlanta, GA, February 28, 1996
Noam H. Arzt, Ph.D.
University of Pennsylvania, Leonard Davis Institute of Health Economics
Introduction
- Ernst & Young Security Survey: Almost 50% of respondents rated information security issues as "less than important." (1)
- Part of the development of a client/server system is an analysis of the threats to information security, and possible steps that can be taken to mitigate these threats.
- Information security is defined as ". . . a set of technical and administrative procedures designed to protect data systems against unwarranted disclosure, modification, or destruction and to safeguard the system itself."(2)
Goals of information security are:
- Maintain the integrity of the data under the project's stewardship
- Make the data available easily to legitimate users
- Ensure the privacy and appropriate use of patient data (2)
Tradeoff: information security and ease of access
Goals of a state-wide Electronic Surveillance System are:
- Have the right individuals (or reporting sources) reporting the right information
- Have current technology for data collection and analysis
- Be enabled to identify emerging infections
- Integrate and coordinate the functions of state laboratories and state epidemiological programs with other health care services and resources
(1) Ernst & Young/Information Week, "2nd Annual Information Security Survey," Sept., 1994.
(2) Lawrence O. Gostin, et al., "Privacy and Security of Personal Information in a New Health Care System," Journal of the American Medical Association, 270(20), Nov. 24, 1993, p 2487.
Methodology
- Identify the information assets that need protecting
- Describe the architecture of the information system to be deployed
- Identify and rank the threats to those information assets based on the architecture
- Identify the most serious threats and develop solutions to mitigate the threats as much as possible
- Make specific recommendations of solutions for deployment
Information Assets
- Major groupings of data for a lab surveillance system:
- Information about People: Includes patient biographical/demographic data, physician data, diagnosis data
- Information about Labs: Identification and location information
- Information about Observations: Information about the results of tests performed
- Information about Technical Aspects: Includes system user profiles and permissions, system access logs
- Code tables: Code tables for valid values of various database elements
- Patient right to privacy
- There must be no personal data record-keeping systems whose very existence is secret
- There must be a way for an individual to find out what information about him is in a record and how it is used.
- There must be a way for an individual to prevent information about him that was obtained for one purpose from being used or made available for other purposes without his consent.
- There must be a way for an individual to correct or amend a record of identifiable information about him.
- Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of data.
Technical Architecture

Major components of an architecture:
- Database: For example, Oracle RDBMS running on a Unix server.
- Client Computers: For example, client computers as industry-standard personal computers running MS-Windows 3.1 (or Windows 95). Typical configuration might include a 75 MHz Intel Pentium processor, 500+ MB of disk space, 16 MB of RAM, and a 15-inch SVGA monitor.
- Network Protocol: For example, TCP/IP.
- Wide-area Network: The Internet might be identified as the wide area network connecting client sites with the database server.
- Applications: If applicable.
- Query Tools: Additional "off-the-shelf" commercial SQL query tools might be expected to be deployed, likely relying on SQL*Net connectivity.
- Data Collection: Data might be harvested into the system via a standard interface, perhaps HL7-based.
Threat Analysis
- Identify threats to desktop, server, and network via a structured methodology
- Rank those threats on a high/medium/low scale as to likelihood of occurrence and the likely harm if the threat occurred.
Desktop example (7 potential threats in all):
THREAT A-1: Unauthorized access to someone's desktop resulting in disclosure of sensitive data that has been stored on the desktop.
Server example (15 potential threats in all):
THREAT B-7: Someone who has access to the system as part of their job responsibilities uses that access to destroy data or programs.
Network example (8 potential threats in all):
THREAT C-3: Someone uses a packet sniffing tool to capture accounts and passwords to gain access to host systems containing sensitive medical data.
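The ranking step of the methodology, as an added worked example that is not part of the original presentation: each threat gets a high/medium/low rating for likelihood and for harm, the two ratings are combined on an ordinal scale, and the register is sorted most serious first. The three threats are the ones quoted above (A-1, B-7, C-3); the likelihood and harm ratings assigned to them here are constructed assumptions for illustration, not the ratings used in the project.

```python
"""Threat ranking on the high/medium/low scale described in the talk.

Added example, not from the original presentation. The likelihood and harm
ratings below are constructed assumptions, not the project's own ratings.
"""

from dataclasses import dataclass

# Ordinal values for the high/medium/low scale.
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Threat:
    ident: str        # e.g. "A-1" (A = desktop, B = server, C = network)
    component: str
    description: str
    likelihood: str   # "low" | "medium" | "high"
    harm: str         # "low" | "medium" | "high"

    def score(self) -> int:
        """Risk score = likelihood x harm on the ordinal scale (1..9)."""
        return SCALE[self.likelihood] * SCALE[self.harm]

    def band(self) -> str:
        """Collapse the numeric score back to a high/medium/low band."""
        s = self.score()
        if s >= 6:
            return "high"
        if s >= 3:
            return "medium"
        return "low"


def validate(threat: Threat) -> None:
    """Reject ratings that are not on the three-point scale."""
    if threat.likelihood not in SCALE or threat.harm not in SCALE:
        raise ValueError(f"{threat.ident}: ratings must be low/medium/high")


def rank_threats(threats):
    """Return threats most serious first; ties broken by harm, then by id."""
    for t in threats:
        validate(t)
    return sorted(threats, key=lambda t: (-t.score(), -SCALE[t.harm], t.ident))


# The three example threats quoted in the talk, with constructed (assumed) ratings.
THREATS = [
    Threat("A-1", "desktop",
           "Unauthorized access to a desktop discloses stored sensitive data",
           "high", "medium"),
    Threat("B-7", "server",
           "Authorized insider destroys data or programs",
           "low", "high"),
    Threat("C-3", "network",
           "Packet sniffer captures accounts and passwords",
           "medium", "high"),
]


def report(threats) -> str:
    """One line per threat, in ranked order, for a review meeting handout."""
    lines = []
    for t in rank_threats(threats):
        lines.append(f"{t.ident:4} {t.component:8} L={t.likelihood:6} "
                     f"H={t.harm:6} score={t.score()} ({t.band()})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(THREATS))
```

With the assumed ratings, C-3 and A-1 both score 6 ("high") and C-3 ranks first because its harm rating is higher; B-7 scores 3 ("medium"). The point of the ordinal product is that a low-likelihood, high-harm insider threat still lands in the register above trivial items rather than being dropped.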
Serious Threats and Possible Solutions
An Internet-based, client/server environment typically has these kinds of serious security threats and possible solutions:
- Data is inappropriately disclosed or altered: inappropriate access to a "live" desktop client inherently brings potential for disclosure or alteration of data
- Develop an information security policy that addresses these concerns, and includes descriptions of appropriate behavior and sanctions for inappropriate behavior.
- Develop the application security with security profiles to only allow a given user to access and/or modify data appropriate to his or her role in the organization.
- Promote awareness and good behavior to reduce the occurrence of applications being left unattended in clinical settings.
- An important local file is deleted: desktop computers at provider sites are the least controlled part of a client/server architecture
- Develop an information security policy that requires regular data backups, with compliance a condition of participating in the Project.
- Purchase and install software (or hardware) to secure Project files on provider site desktops.
- Encourage sites to install Project software on local file servers which are likely better maintained and backed-up than individual desktops.
- Attack on the server via the Internet
- Restrict the number of network services that are co-existing with the database
- Install as secure a version of the base operating system as possible, and keep all security patches up to date.
- Use one-time passwords
- Install utilities that require frequent password changes, that enforce rules against easily-guessable passwords, and that scan the system for easily-guessable passwords.
- Restrict access to the database server from certain network locations
- Deploy a network firewall to best protect the server from attack.
- Inadequate System Administration: Multi-user operating systems and commercial database products are powerful, yet difficult products to learn, master, and properly maintain.
- Invest in necessary training for all systems staff.
- Be sure necessary staff are cross-trained to provide sufficient backup for critical skills.
- Physical threats to server or network
- Locate server in a secure machine room.
- Provide upgraded environmental conditions wherever the server is located, including uninterrupted power supply, redundant network connections, and redundant systems in different locations.
- Implement a proper backup procedure, including off-site storage of backup media, to facilitate recovery from a catastrophic failure or accident.
- Promiscuous monitoring of network traffic
- Encrypt all data as it passes across the network.
- Restrict database access from the public Internet by providing connectivity between the server and clients behind a firewall.
- Restrict physical access to the subnet upon which the server is deployed.
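The application security profiles recommended above, as an added example that is not the project's own code: access is denied by default, a role may only read or modify the data groupings its profile explicitly grants, and every decision is written to an access log (itself one of the "technical" information assets listed earlier). The five data groupings are the ones named in the Information Assets section; the role names and the grants given to each are assumptions made for this illustration.

```python
"""Role-based security profiles for the surveillance application.

Added example; not the project's code. The data groupings are the five
information assets listed in the talk; the role names and grants are assumed.
"""

from collections import namedtuple

# Information assets named in the talk.
ASSETS = {"people", "labs", "observations", "technical", "code_tables"}
ACTIONS = {"read", "modify"}

# Security profiles (assumed roles): asset -> set of permitted actions.
PROFILES = {
    # A reporting lab submits results and may see lab and code-table records.
    "lab_reporter": {
        "observations": {"read", "modify"},
        "labs": {"read"},
        "code_tables": {"read"},
    },
    # An epidemiologist analyses data but does not alter source records.
    "epidemiologist": {
        "people": {"read"},
        "labs": {"read"},
        "observations": {"read"},
        "code_tables": {"read"},
    },
    # A system administrator manages users and code tables, not patient data.
    "sysadmin": {
        "technical": {"read", "modify"},
        "code_tables": {"read", "modify"},
    },
}

AccessEvent = namedtuple("AccessEvent", "user role asset action allowed")


class AccessLog:
    """In-memory stand-in for the system access log."""

    def __init__(self):
        self.events = []

    def record(self, event):
        self.events.append(event)

    def denials(self):
        """Denied requests are what an administrator reviews for misuse."""
        return [e for e in self.events if not e.allowed]


def is_permitted(role, asset, action):
    """Deny by default: only an explicit grant in the profile allows access."""
    if asset not in ASSETS or action not in ACTIONS:
        raise ValueError(f"unknown asset/action: {asset}/{action}")
    return action in PROFILES.get(role, {}).get(asset, set())


def authorize(log, user, role, asset, action):
    """Check a request against the role's profile and log the outcome."""
    allowed = is_permitted(role, asset, action)
    log.record(AccessEvent(user, role, asset, action, allowed))
    return allowed


if __name__ == "__main__":
    log = AccessLog()
    # Constructed sample requests.
    authorize(log, "lab42", "lab_reporter", "observations", "modify")
    authorize(log, "lab42", "lab_reporter", "people", "read")
    authorize(log, "epi1", "epidemiologist", "observations", "modify")
    authorize(log, "root", "sysadmin", "people", "read")
    for e in log.events:
        print(f"{'ALLOW' if e.allowed else 'DENY '} {e.user}/{e.role} {e.action} {e.asset}")
```

Two design points follow directly from the talk's goals: the default is denial, so a misconfigured or unknown role gets nothing rather than everything; and the administrator role has no grant on patient data at all, which keeps the "inadequate system administration" and "insider destroys data" threats from compounding.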
Recommendations
An Internet-based, client/server environment typically has these kinds of recommended courses of action to mitigate serious security threats:
- Policy: Develop an information security policy that delineates the roles and responsibilities of the Project staff and participants with respect to data and applications. Include appropriate procedures to ensure local site data and software is properly managed.
- Security Levels for Applications: Where applicable, recognize that systems need to support different classifications of users, with different privileges.
- Harden Server Against Network Attack: Several steps can be taken to harden the server against attack from the Internet.
- Train Staff Appropriately: Appropriate systems and operations training needs to be provided for staff, including backup personnel. Consulting assistance needs to be provided when necessary.
- Physically Secure the Server: The database server should be kept in a locked facility, alarmed whenever left unattended. Uninterrupted power should be provided. Data backups (including off-site storage of backup media) should be in place and functioning. Restoration from backups should be periodically tested.
- Prevent Promiscuous Access to Data: The full client/server data stream can be encrypted to prevent even accidental disclosure of data by promiscuous capture on the network.
Wrap-up
Direct comments and questions to Dr. Noam Arzt, arzt@isc.upenn.edu [2/26/96]
URL: http://www.cip.upenn.edu/cip/cdc/lab/feb28-1996-complete.html