Electronic Laboratory Surveillance:
System Security Functions

Sponsored by the Centers for Disease Control and Prevention
Atlanta, GA, February 28, 1996
Noam H. Arzt, Ph.D.
University of Pennsylvania, Leonard Davis Institute of Health Economics

Introduction

Ernst & Young Security Survey: Almost 50% of respondents rated information security issues as "less than important." (1)
Part of the development of a client/server system is an analysis of the threats to information security, and possible steps that can be taken to mitigate these threats.

Information security is defined as ". . . a set of technical and administrative procedures designed to protect data systems against unwarranted disclosure, modification, or destruction and to safeguard the system itself."(2)
Goals of information security are:

Maintain the integrity of the data under the project's stewardship
Make the data available easily to legitimate users
Ensure the privacy and appropriate use of patient data (2)
Tradeoff: information security and ease of access

Goals of a state-wide Electronic Surveillance System are:

Have the right individuals (or reporting sources) reporting the right information
Have current technology for data collection and analysis
Be enabled to identify emerging infections
Integrate and coordinate the functions of state laboratories and state epidemiological programs with other health care services and resources

(1) Ernst & Young/Information Week, "2nd Annual Information Security Survey," Sept., 1994.
(2) Lawrence O. Gostin, et al., "Privacy and Security of Personal Information in a New Health Care System," Journal of the American Medical Association, 270(20), Nov. 24, 1993, p 2487.

Methodology

Identify the information assets that need protecting
Describe the architecture of the information system to be deployed
Identify and rank the threats to those information assets based on the architecture
Identify the most serious threats and develop solutions to mitigate the threats as much as possible
Make specific recommendations of solutions for deployment

Information Assets

Major groupings of data for a lab surveillance system:

Information about People: Includes patient biographical/demographic data, physician data, diagnosis data
Information about Labs: Identification and location information
Information about Observations: Information about the results of tests performed
Information about Technical Aspects: Includes system user profiles and permissions, system access logs
Code tables:Code tables for valid values of various database elements

Patient right to privacy

There must be no personal data record-keeping systems whose very existence is secret
There must be a way for an individual to find our what information about him is in a record and how it is used.
There must be a way for an individual to prevent information about him that was obtained for one purpose for being used or made available for other purposes without his consent.
There must be a way for an individual to correct or amend a record of identifiable information about him.
Any organization creating, maintaining, using,or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of data.

Technical Architecture

Major components of an architecture:

Database: For example, Oracle RDBMS running on a Unix server.
Client Computers: For example, client computers as industry-standard personal computers running MS-Windows 3.1 (or Windows 95). Typical configuration might include a 75Mhz Intel Pentium processor, 500+MB of disk space, 16MB of RAM, and a 15 inch SVGA monitor.
Network Protocol: For example, TCP/IP.
Wide-area Network: The Internet might be idendified as the wide area network connecting client sites with the database server.
Applications: If applicable.
Query Tools: Additional "off-the-shelf" commercial SQL query tools might be expected to be deployed, likely relying on SQL*Net connectivity.
Data Collection: Data might be harvested into the system via a standard interface, perhaps HL7-based.

Threat Analysis

Identify threats to desktop, server, and network via a structured methodology
Rank those threats on a high/medium/low scale as to likelihood of occurrence and the likely harm if the threat occurred.

Desktop example (7 potential threats in all):
THREAT A-1: Unauthorized access to someone's desktop resulting in disclosure of sensitive data that has been stored on the desktop.

Server example (15 potential threats in all):
THREAT B-7: Someone who has access to the system as part of their job responsibilities uses that access to destroy data or programs.

Network example (8 potential threats in all):
THREAT C-3: Someone uses a packet sniffing tool to capture accounts and passwords to gain access to host systems containing sensitive medical data.

Serious Threats and Possible Solutions

An Internet-based, client/server environment typically has these kinds of serious security threats and possible solutions:

Data in inappropriately disclosed or altered: inappropriate access to a "live" desktop client inherently brings potential for disclosure or alteration of data

Develop an information security policy that addresses these concerns, and includes descriptions of appropriate behavior and sanctions for inappropriate behavior.
Develop the application security with security profiles to only allow a given user to access and/or modify data appropriate to his or her role in the organization.
Promote awareness and good behavior to reduce the occurrence of applications being left unattended in clinical settings.

An important local file is deleted: desktop computers at provider sites are the least controlled part of a client/server architecture

Develop an information security policy that requires regular data backups and compliance to participate in the Project.
Purchase and install software (or hardware) to secure Project files on provider site desktops.
Encourage sites to install Project software on local file servers which are likely better maintained and backed-up than individual desktops.

Attack on the server via the Internet

Restrict the number of network services that are co-existing with the database
Install the most secure version of the basic operating system as possible, and keep all security patches up-to-date.
Use one-time passwords
Install utilities that require frequent password changes, that enforce rules against easily-guessable passwords, and that scan the system for easily-guessable passwords.
Restrict access to the database server from certain network locations
Deploy a network firewall to best protect the server from attack.

Inadequate System Administration: Multi-user operating systems and commercial database products are powerful, yet difficult products to learn, master, and properly maintain.

Invest in necessary training for all systems staff.
Be sure necessary staff are cross-trained to provide sufficient backup for critical skills.

Physical threats to server or network

Locate server in a secure machine room.
Provide upgraded environmental conditions wherever the server is located, including uninterrupted power supply, redundant network connections, and redundant systems in different locations.
Implement a proper backup procedure, including off-site storage of backup media, to facilitate recovery from a catastrophic failure or accident.

Promiscuous monitoring of network traffic

Encrypt all data as it passes across the network.
Restrict database access from the public Internet by providing connectivity between the server and clients behind a firewall.
Restrict physical access to the subnet upon which the server is deployed.

Recommendations

An Internet-based, client/server environment typically has these kinds of recommended courses of action to mitigate serious security threats:

Policy: Develop an information security policy that delineates the roles and responsibilities of the Project staff and participants with respect to data and applications. Include appropriate procedures to ensure local site data and software is properly managed.
Security Levels for Applications: Where applicable, recognize that systems need to support different classifications of users, with different priviledges.
Harden Server Against Network Attack: Several steps can be taken to harden the server against attack from the Internet.
Train Staff Appropriately: Appropriate systems and operations training needs to be provided for staff, including backup personnel. Consulting assistance needs to be provided when necessary.
Physically Secure the Server: The database server should be kept in a locked facility, alarmed whenever left unattended. Uninterrupted power should be provided. Data backups (including off-site storage of backup media) should be in place and functioning. Restoration from backups should be periodically tested.
Prevent Promiscuous Access to Data: Provide full client/server data stream can be encrypted to prevent even accidental disclosure of data by promiscuous capture on the network.

Wrap-up

This presentation available via WWW. URL: http://www.cip.upenn.edu/cip/, select Technical Papers

Feel free to contact me later:

	Dr. Noam H. Arzt
	University of Pennsylvania
	Information Systems and Computing
	Suite 221A
	3401 Walnut Street
	Philadelphia, PA 19104-6228
	215/898-3029 (Voice)
	215/898-9348 (FAX)
	URL: http://nextb.dccs.upenn.edu/noam.html
	arzt@isc.upenn.edu (MIME is OK)

Direct comments and questions to Dr. Noam Arzt, arzt@isc.upenn.edu [2/26/96]
URL: http://www.cip.upenn.edu/cip/cdc/lab/feb28-1996-complete.html

Electronic Laboratory Surveillance: System Security Functions