19/11/2013
Information security approach within the Belgian social & health sector
Frank Robben
Context – Belgian social sector
• > 11,000,000 citizens concerned
• > 220,000 employers involved
• about 3,000 public and private institutions active at several levels (federal, regional, local) dealing with
– collection of social security contributions
– delivery of social security benefits: child benefits, unemployment benefits, benefits in case of incapacity for work, benefits for the disabled, reimbursement of health care costs, holiday pay, old age pensions, guaranteed minimum income, …
– delivery of additional social benefits
– delivery of additional benefits based on a person’s social security status
Expectations – Belgian social sector
• effective social protection
• effective support of social policy
• effective fraud prevention and detection
• integrated services
– attuned to the concrete situation of citizens and companies, and personalized when possible
– delivered at the occasion of events that occur during their life cycle
– across government levels, public services and private bodies
– reliable, secure and permanently available
– with minimal costs and minimal administrative burden
– if possible, granted automatically
Context – Belgian health sector
• > 11,000,000 citizens concerned
• > 100,000 health care providers involved (physicians, dentists, clinical labs, pharmacists, physiotherapists, nurses, …)
• > 300 health care institutions involved (hospitals, retirement homes, nursing homes, …)
• health insurance funds
• public institutions
– federal level (Federal Public Service for Public Health, National Institute for Health & Disability Insurance, Belgian Health Care Knowledge Centre, …)
– regional level
Expectations – Belgian health sector
• optimal health care quality
• optimal patient safety
• adequate support of health policy
• patient-centric care and empowerment of the patient
• integrated services
– multidisciplinary
– holistic
– continuous
– across health care institutions and health care providers
• remote care (monitoring, assistance, consultation, diagnosis, operation, …), a.o. home care
• quickly evolving knowledge => need for reliable, coordinated knowledge management and accessibility
Risk analysis approach
• increasing collaboration relating to information management and process integration
• separate government bodies are no longer free-standing information processing entities, but rather parts of a coherent whole
• risk of consequential damage and its extent on other systems is much greater than at the location where the original damage occurs
=> the vision of information security and protection of privacy must thus be determined collectively
Risk analysis approach
1. policy
2. organization
3. risk analysis security requirements
4. selection of measures
5. development, planning and implementation of measures
6. training and education
7. supervision, control and evaluation
(feedback)
Risk analysis approach
• absolute security/protection is not a desirable objective, because it will lead to significant opportunity losses in terms of efficiency and effectiveness
• main challenge: constantly seeking the optimal balance between seizing opportunities and avoiding risks
Information security measures
1. structural and institutional measures
2. organizational and technical measures (based on ISO 27XXX)
3. legal measures
1. Structural & institutional measures
1.1. no central data storage
1.2. independent Sectoral Committee of the Privacy Commission
1.3. within social sector, a preventive control of the legitimacy of personal data exchange by CBSS according to the authorizations of the independent Sectoral Committee of the Privacy Commission
1.4. information security department with each actor
1.5. specialized information security service providers
1.6. information security working group
1.1. No central data storage (social sector)
[Network diagram: users reach the social sector backbone through firewalls (FW) and routers (R) via the Internet, FedMAN and Isabel; the backbone links institutions such as NIC, NOSS and NEO with the CBSS, with no central data storage]
1.1. No central data storage (social sector)
• reference directory, showing
– for each citizen
  • at which social security institutions the citizen is already known
  • in what capacity
  • during which period
– per social security institution type and per capacity in which a person might be known to the institution
  • which types of data on the person are available
– per social security institution type and per capacity in which a person might be known to the institution
  • which types of data does the institution need
  • and is it authorized to receive from other institutions in order to fulfil its duties
1.1. No central data storage (social sector)
• functions of the reference directory
– access control
– information requests routing
– automatic information change transmission
1.1. No central data storage (health sector)
[Diagram: the eHealth platform, with its basic services and network, connects patients, health care providers and health care institutions with suppliers of value-added services (VAS): the eHealth portal, the health portal, health care institution software, MyCareNet, health care provider software and the NIHDI website]
1.1. No central data storage (health sector)
System as is
[Diagram: hubs A, B and C exchanging data; 1: Where can we find data? 2: In hub A and C; 3: Fetch data from hub A; 3: Fetch data from hub C; 4: All data available]
1.1. No central data storage (health sector)
System to be: hub-metahub
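The reference directory of the social sector (1.1 above) and the metahub's answer to "where can we find data?" are the same idea: an index that records who knows a person, in which capacity and during which period, and uses that to control access, route requests and push changes, without holding the data itself. The Go code below is an added example, not code from the slides or from CBSS; its types, field names and sample registrations are assumptions (the institution names are taken from the network diagram, their types, capacities and data types are made up), and Route and Subscribers are the two entry points.

```go
package main

import "errors"

// Constructed model of the reference directory on the slides; types, fields and sample
// data are assumptions for this example, not CBSS data. The same lookup answers the
// health-sector metahub's question "where can we find data?".
type Registration struct {
	Citizen, Institution, Capacity string
	From, To                       int // period in years; To == 0 means still open
}

func (r Registration) covers(year int) bool {
	return year >= r.From && (r.To == 0 || year <= r.To)
}

type Directory struct {
	regs     []Registration
	instType map[string]string             // institution -> institution type
	avail    map[[2]string]map[string]bool // {institution type, capacity} -> data types it holds
	needs    map[[2]string]map[string]bool // {institution type, capacity} -> data types it may receive
}

func (d *Directory) holds(inst, capacity, dt string) bool {
	return d.avail[[2]string{d.instType[inst], capacity}][dt]
}

func (d *Directory) mayReceive(inst, capacity, dt string) bool {
	return d.needs[[2]string{d.instType[inst], capacity}][dt]
}

// knownAt lists the institutions other than `exclude` that know `citizen` in `year`
// and satisfy pred(institution, capacity); every directory function is this one lookup.
func (d *Directory) knownAt(citizen, exclude string, year int, pred func(i, c string) bool) []string {
	var out []string
	for _, r := range d.regs {
		if r.Citizen == citizen && r.Institution != exclude && r.covers(year) && pred(r.Institution, r.Capacity) {
			out = append(out, r.Institution)
		}
	}
	return out
}

// Route = access control + request routing: `req` is refused unless it knows `citizen` in
// `year` in a capacity authorized to receive `dt`; otherwise it is routed to the holders of `dt`.
func (d *Directory) Route(req, citizen, dt string, year int) ([]string, error) {
	self := d.knownAt(citizen, "", year, func(i, c string) bool { return i == req && d.mayReceive(i, c, dt) })
	if len(self) == 0 {
		return nil, errors.New(req + " is not authorized to receive " + dt + " on " + citizen)
	}
	return d.knownAt(citizen, req, year, func(i, c string) bool { return d.holds(i, c, dt) }), nil
}

// Subscribers = automatic change transmission: when `source` changes `dt` for `citizen`,
// every other institution that knows the citizen and may receive `dt` gets the update.
func (d *Directory) Subscribers(source, citizen, dt string, year int) []string {
	return d.knownAt(citizen, source, year, func(i, c string) bool { return d.mayReceive(i, c, dt) })
}

// SampleDirectory: one citizen known to three institutions named in the network diagram
// above; the institution types, capacities and data types are made up for the example.
func SampleDirectory() *Directory {
	return &Directory{
		regs:     []Registration{{"C1", "NOSS", "employee", 2005, 0}, {"C1", "NEO", "unemployed", 2010, 2012}, {"C1", "NIC", "insured", 2000, 0}},
		instType: map[string]string{"NOSS": "contributions", "NEO": "unemployment", "NIC": "health insurance"},
		avail: map[[2]string]map[string]bool{{"contributions", "employee"}: {"employer": true, "salary": true},
			{"unemployment", "unemployed"}: {"benefit period": true}, {"health insurance", "insured"}: {"insurability": true}},
		needs: map[[2]string]map[string]bool{{"unemployment", "unemployed"}: {"salary": true, "employer": true},
			{"health insurance", "insured"}: {"salary": true}},
	}
}
```

An expired registration (NEO knew the citizen only until 2012) silently drops both the right to ask and the duty to be notified, which is why the period is part of the key.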
1.2. Independent Sectoral Committee
• designated by the Belgian Parliament
• mandate
– information security supervision
– authorizing information exchange
– complaint handling
– information security recommendations
– extensive investigating powers
– annual activity report
1.4. Information security department
• with each social sector institution and in some health care institutions
• composition
– information security officer
– one or more assistants
• Sectoral Committee carries out control on independence and enables the permanent education of the information security officers
• Sectoral Committee can allow that a task of the information security department is outsourced to a recognized specialized information security service provider
1.4. Information security department
Information security department
• recommends
• promotes
• documents
• controls
• reports directly to the executive management
• formulates the blueprint of the information security plan
• elaborates the annual information security report
Executive management
• takes decisions
• has the final responsibility
• gives motivated feedback
• approves the information security plan
• supplies the necessary resources
1.4. Information security department
• annual information security report
– general overview of the information security situation
– overview of the activities
  • recommendations and their effects
  • control activities
  • campaigns to promote information security
– overview of external recommendations and their effects
– overview of trainings received
1.6. Information security working group
• composition
– information security officers of all branches in the sector
– sub-working groups
  • branches
  • themes (policy, audit, ...)
• tasks
– coordination
– creation of information security awareness
– communication
– formulating recommendations to the Sectoral Committee
1.6. Information security working group
• deliverables
– ISMS and information security policies
– minimum information security standards
– information security guidelines
– codes of good practice
– protecting the network
– organizing internal information security audits
– disaster recovery methods
2. Organizational & technical measures
2.1. ISMS and information security policies
2.2. information classification
2.3. human resources security
2.4. physical and environmental security
2.5. operations management
2.6. personal data processing
2.7. logical access security
2.8. information system acquisition, development and maintenance
2.9. business continuity management
2.10. compliance (internal and external control/audit)
2.11. communication to the public of security and privacy protection policies
2.1. ISMS & information security policies
• Information Security Management System
• governing principle behind an ISMS: an organization should
– design, implement and maintain a coherent set of policies, processes and systems
– manage risks related to its information assets
– thus ensuring acceptable levels of information security risks
• concerted approach of information security > General Coordination Committee
• methodology aims to lead to an optimal information security
• approach based on the international ISO 27XXX standards
• common methodology for all institutions
2.1. ISMS & information security policies
• integrated set of security policies
• elaborated through step-by-step refinement
• directives, architecture, standards, procedures and techniques are described to apply an integral set of information security policies, in accordance with the priorities set by the information security working group
2.1. ISMS & information security policies
• policies should always have the following structure
– main field of application/personal field of application
– definitions of the concepts used under the policy
– general principles, rules and responsibilities
– requirements
– references to other policies
– sanctions if the policy is not complied with, arising from laws and regulations
– references to directives, architecture, procedures, standards and techniques to comply with the policy
– version and date of validation by the appropriate parties
– note of the person responsible for policy maintenance
2.1. ISMS & information security policies
2.1. CBSS information security policies
• minimum standards
– annual update
– applicable to all social security institutions
– institutions interested in being integrated into the CBSS network must have an up-to-date, long-term information security plan containing measures on complying with the minimum standards
– annual self-assessment executed via question and answer form
2.1. CBSS information security policies
• minimum standards
– the Sectoral Committee can at all times engage an external institution to verify whether the institution complies with the minimum information security standards
– ultimate sanction: if a social security institution does not comply with these standards, the institution can, after formal notice, no longer access the network in accordance with article 46, first paragraph, 1°, of the CBSS Law
2.2. Information classification
• determining the protection level per information item, based on 2 aspects
– importance of the business continuity of public services (e.g. vital, critical, necessary, useful)
– sensitivity in relation to protection of privacy (e.g. public, internal, confidential, secret)
• scope includes information (mainly personal data) used for services to citizens, companies and civil servants, regardless of the equipment on which they are kept
• information is labeled depending on the classification criteria used
• continuous process without too much formalism
2.3. Human resources security
• information security tasks and responsibilities are included in all job descriptions to which it applies
• sensitive positions are stated as such in job descriptions
• applicants for sensitive jobs are screened carefully
• a secrecy declaration is signed by every staff member
• all staff members are briefed, educated and trained on a regular basis
2.3. Human resources security
• at each institution
– solid procedures are established and frequently tested to report any information security breach or weakness to the information security officer in a timely manner
– a working method is established and frequently tested to analyze any information-security-related incident and weakness reported by the information security officer, and adequate remedial measures are proposed for implementation within a reasonable timeframe
2.3. Human resources security
• (disciplinary) sanctions when measures relating to the information security and privacy protection are circumvented or not complied with
• controls are executed to ensure that
– (disciplinary) sanctions are sufficiently known when measures relating to the information security and privacy protection are circumvented or not complied with
– adequate measures are applied when a working relationship with a staff member is terminated
2.4. Physical and environmental security
• availability of premises is protected against bad external influences, unauthorized access, theft, flooding, fire, …
• ICT infrastructure supporting vital and critical business processes is professionally accommodated at these premises
• power supply for ICT infrastructure supporting vital and critical business processes is guaranteed
• wireline and wireless connections are secured against wire-tapping and sniffing
2.4. Physical and environmental security
• proper procedures for installing and removing business equipment, also in cases of maintenance and repair, are established and tested frequently
• rules are established and tested for managing business equipment used by staff (e.g. laptops, handhelds, tablets, mobile phones, smartphones, call tokens, ...) giving access to information that needs to be protected
2.5. Operations management
• segregation of duties between the governance/ management and operations/maintenance of ICT infrastructure
• information security procedures, including incident management procedures, take into account segregation of duties
• internal rules are established and tested frequently for day-to-day operations (e.g. back-ups, network monitoring, equipment removal, archiving, ...)
2.5. Operations management
• each stage in the life-cycle of an application, including acceptance scenarios, is established and tested frequently, also in terms of legal and regulatory compliance
• new applications or changes to existing applications are submitted for acceptance tests in a separate acceptance environment, distinct from the production environment, before being released into production, with special attention towards test data
• ITIL v3 and COBIT 5 frameworks are used as inspiration sources for ICT operations management
2.5. Operations management
• preventive measures for securing information systems against viruses and other types of harmful software (malware)
• networks are managed following approved and defined procedures, especially when connected to external networks
• interchange agreements are written down and approved for the use of network services, especially for network services required for external collaboration
2.6. Personal data processing
• for each processing a controller is designated, i.e. a person who determines the purposes and means of the processing and who is responsible for the processing
• personal data are processed in conformance with the EU principles* on the protection of individuals with regard to the processing of personal data and on the free movement of such data
* Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995
2.6. Personal data processing
• following principles are complied with
– purpose limitation principle
– proportionality principle
– data quality principle
– reasonable storage duration principle
• sensitive personal data, personal data relating to health, and legal personal data, are processed in conformance with the relevant special rules laid down by EU law*
* Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995
2.6. Personal data processing
• controller of the processing
– informs the person concerned when personal data are collected/recorded/reported
– notifies the processing to the Commission for the Protection of Privacy
– provides information to his staff members concerning data protection provisions
– regularly checks for conformance of information systems that process personal data with the notification made to the Commission for the Protection of Privacy
• procedures are established and tested frequently to deal with persons exercising rights of access, reporting, correction, deletion, blocking access or objection
2.7. Logical access security
• logical access management policy
– roles and functions
– authorizations on the basis of those roles and functions
– authorization time-limits
• authorizations are managed at the levels of
– people
– resources
– applications
2.7. Logical access security
• identification and authentication methods (user ID, password, token, digital certificate, electronic signature, ...) are established for people, resources, applications and services
• buildings are properly partitioned, security access layers are implemented and access control measures to premises are implemented
• access control measures to physical ICT resources (computers, networks, ...) by users (people, resources or applications) are established and tested frequently
2.7. Logical access security
• particular attention to business equipment relating to people (e.g. laptops, handhelds, tablets, mobile phones, smartphones, call tokens, ...)
• access control measures to
– (sections of) application code
– applications (parts) and services (parts) by internal and external users (people, resources or applications)
• ICT equipment is automatically timed out after a defined period of inactivity
• all access attempts are time-logged (importance of clock synchronization)
2.7. Logical access security
2.7. Logical access security: vault system
[Diagram: vault governance (archiving, management) and vault data; a vault connector providing authentication, authorisation, data quality and encryption/decryption; a vault core using threshold decryption, with key 1 in the vault core and key 2 held by a trusted 3rd party]
Access for health care providers
• having a “health care relationship”
• depending on their role
No access for
• ICT administrators, host provider, ...
• the eHealth-platform
• authorities
without the active cooperation of the owner of the second key
2.7. Logical access security: vault system
Data sharing
• each actor keeps his own file up to date
• however, he can decide to share parts of the file with other actors
• examples:
  • medication schedule
  • SUMEHR
  • parameters
  • journal
  • ...
[Diagram: vault ecosystem, with the vault at the centre and the actor ecosystems around it: general practitioner, home care, citizen, pharmacy, hospital, ...]
2.7. Logical access security: encryption
[Diagram: key registration between a person or entity (healthcare actor) and the eHealth-platform over the Internet, each side holding an identification certificate]
1. The connector or other software generates a key pair
2. The private key is stored in a secure way; the public key is sent to the "Register key" web service
3. The eHealth-platform authenticates the sender
4. The public key is stored in the public keys repository
2.7. Logical access security: encryption
[Diagram: message originator and message recipient, each with an identification certificate, and the eHealth-platform with its public keys repository, connected over the Internet]
1. The message originator asks for the recipient's public key ("Ask public key" web service)
2. The eHealth-platform authenticates the sender
3. The eHealth-platform sends the public key from the public keys repository
4. The originator encrypts the message and sends it to the recipient (any protocol)
5. The recipient decrypts the message with its stored private key
2.7. Logical access security: encryption
[Diagram: user 1 (originator), user 2 (recipient), a key management depot and a messages depot]
1. User 1 asks the key management depot for a key
2. The key depot sends the symmetric key, encrypted with the public key of user 1
3. User 1 sends the encrypted message to the messages depot: the message is encrypted with the symmetric key, and that in turn is encrypted with the public key of the message depot
4. User 2 justifies its right to obtain the key (to the key depot) and its right to obtain the message (to the messages depot)
5. User 2 receives the symmetric key, encrypted with the public key of user 2, and the message encrypted with the symmetric key, encrypted with the public key of user 2
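The three encryption slides above describe one scheme: public keys registered after the sender is authenticated, a symmetric key per message that a key depot issues to the originator and releases only to entitled recipients, and the message body encrypted under that symmetric key. The Go code below is an added example, not the eHealth platform's own code: the Depot type, its function names, and the choice of RSA-OAEP for key wrapping and AES-256-GCM for the message are assumptions, and authentication of the caller by its identification certificate is assumed to have already happened, so a caller is identified by its user ID.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Constructed model of the public key repository and key depot on the slides; the names
// are assumptions for this example, not the eHealth platform's API. Authentication of
// the caller with its identification certificate is assumed done: a user ID suffices.
type Depot struct {
	pubkeys map[string]*rsa.PublicKey  // registered public keys (registration, step 4)
	keys    map[string][]byte          // message ID -> symmetric key
	allowed map[string]map[string]bool // message ID -> users entitled to that key
}

// NewUserKey: the key pair is generated on the user's side (registration, step 1); only
// the public key leaves the user, to be registered as d.pubkeys[user] (steps 2-4).
func NewUserKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// wrap: the symmetric key only ever travels wrapped under a registered public key; the
// user unwraps it with rsa.DecryptOAEP and the private key that never left the user.
func wrap(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	if pub == nil {
		return nil, errors.New("user has no registered public key")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}

// IssueKey (steps 1-2): a fresh 256-bit key, recorded with its intended recipients and
// handed back wrapped under the originator's registered public key.
func (d *Depot) IssueKey(msgID, from string, to ...string) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	d.keys[msgID], d.allowed[msgID] = key, map[string]bool{}
	for _, r := range to {
		d.allowed[msgID][r] = true
	}
	return wrap(d.pubkeys[from], key)
}

// ReleaseKey (steps 4-5): the recipient justifies its right to the key; only a listed
// recipient gets it, and only wrapped under its own registered public key.
func (d *Depot) ReleaseKey(msgID, user string) ([]byte, error) {
	if !d.allowed[msgID][user] {
		return nil, errors.New(user + " may not obtain the key of " + msgID)
	}
	return wrap(d.pubkeys[user], d.keys[msgID])
}

// AESGCM seals (nonce prefixed) or opens the message body with the symmetric key:
// step 3 on the originator's side, step 5 on the recipient's side.
func AESGCM(key, data []byte, seal bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := g.NonceSize()
	if seal {
		nonce := make([]byte, n)
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		return g.Seal(nonce, nonce, data, nil), nil
	}
	if len(data) < n {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, data[:n], data[n:], nil)
}
```

A full exchange is: both users register their public keys, the originator calls IssueKey, unwraps with rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil) and seals the message with AESGCM; the recipient calls ReleaseKey, unwraps the same way and opens the message. The depot itself never sees the message and never hands the key out in clear, and an unlisted user, or a user without a registered key, gets nothing.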
2.8. Information system acquisition, development and maintenance
• information security directives to be complied with during development or maintenance of applications and services
• secured development environment (remember how to securely handle development test data)
• rules to design/build information security directly into applications and services (mainly externally accessible applications and services)
• procedures concerning technical and functional tests are established and tested in an acceptance environment, distinct from the production environment, with clear go/no-go areas
2.8. Information system acquisition, development and maintenance
• methods, procedures to establish and apply for
– analyzing the impact of amendments to operating systems and applications on information security
– analyzing the impact of changes to standard software used on information security
– proper destruction of information when further processing is no longer authorized
2.9. Business continuity management
• back-up and restore procedures for information and applications
• source code and (development, test, installation, configuration) documentation of the latest version of all relevant applications are kept at a secure site, distinct from the production location
• parts of information systems, certainly those supporting vital and critical business processes, are split up geographically in sites with a different risk profile
• in eHealth: next release environment
2.9. Business continuity management
• a business continuity plan is established and available at each institution
– indicating vital and critical components and processes
– with an inventory of necessary infrastructure and skills for each component and process
– with a description of actions, responsibilities and procedures in the event of an (internal or external) emergency (+ order to return to normal operation)
– with a description of test scenarios for the business continuity plan with the relevant third parties affected
2.9. Business continuity management
• the business continuity plan is tested annually with the relevant third parties affected and with a report of the results, aimed at permanent improvement
• information systems are insured against physical risks such as fire, flooding or earthquake, but also against theft
2.10. Compliance
• permanent internal controls performed by the information security officer and/or the internal auditor
• regular external controls performed by an external auditor by the executive management of the institution or by the Commission for the Protection of Privacy or the competent Sectoral Committee
• the internal control methods and the information systems and logs are easily accessible to the people carrying out internal or external assurance functions
2.10. Compliance
• monitoring systems, that raise potential risks linked to the infringements of laws, policies, directives, architecture, standards and procedures, and on any undesirable use made of ICT facilities, are easily accessible for the information security officer
• a regular check is carried out by the controller of the processing on the security measures currently embedded in contracts with third parties
• COBIT 5 framework is used as inspiration source for information security audits
2.11. Communication to the public
• reporting information security information to the Parliament, press, integrators’ websites
• special attention to advice on information security and protection of privacy by producing the results of the risk analysis
• communication strategy is established in order to provide information on security facts and on measures taken to prevent immediate further damage and similar damage in the future
3. Legal measures
• obligations of the controller of the processing
– criteria for making data processing legitimate
– respect of basic privacy protection principles, such as the purpose limitation principle and the proportionality principle
– specific rules for the processing of sensitive data
– information to be given to the data subject
– processing confidentiality, integrity and availability
– notification of personal data processing
3. Legal measures
• rights of the data subject
– right to information
– right to access
– right to rectify, erase or block his/her data
– right to a judicial remedy
• sanctions and penalties
Frank Robben
General manager - Crossroads Bank for Social Security - [email protected]
@FrRobben
http://www.kszfgov.be
https://www.ehealth.fgov.be
http://www.law.kuleuven.be/icri/frobben
Thank you! Any questions?