HIMSS – January 28, 2002

Remote Servicing under HIPAAwith proposed Solution A

John F. MoehrkeChairmen of Remote Servicing Focus Group

NEMA/COCIR/JIRA Security and Privacy Committee Systems Engineering – Security and Privacy in Healthcare

GE Medical Systems

HIMSS – January 28, 2002

NEMA/JIRA/COCIR Security and Privacy Committee

What you will learn today

Remote Servicing is critical Remote Servicing presents new security risks Vendors are working on a common solution that

willa. Reduce administration (Hospital and Vendor)b. Improve Accountabilityc. Provide a more secure environment

Privacy is the Goal, Security is the way.

HIMSS – January 28, 2002

NEMA/JIRA/COCIR Security and Privacy Committee

Security and Privacy Committee (SPC)

Joint effort by NEMA-MII, COCIR-IT, and JIRA Mission: Ensure a level of data security and data privacy in the

health care sector that: Meets legally mandated requirements Can be implemented in ways that are reasonable and appropriate Reduces Healthcare costs of compliance

Scope: All systems, devices, components, and accessories used in medical imaging informatics

Scope is not exclusive of other products and is expected to be extendable to all Equipment that maintains Patient Data (PHI)

International data security and data privacy legislation, currently focusing on the European Community, Japan, and the United States of America

HIMSS – January 28, 2002

NEMA/JIRA/COCIR Security and Privacy Committee

Efforts of the SPC

Educational Document : http://medical.nema.org/privacy/education.pdf

Remote Servicing Proposal (This talk) http://medical.nema.org/privacy/remote.pdf

Audit Controls: http://medical.nema.org/privacy

Secure IHE Profiles Work in progress

Members: AGFA, GE, Kodak, Konica, Philips, Siemens, Toshiba

HIMSS – January 28, 2002

NEMA/JIRA/COCIR Security and Privacy Committee

Why do Remote Servicing?

Benefit to Health Care Provider Better Availability and Integrity of the systems Quick response as no Travel involved Higher quality of service

Knowledge base available at the Vendor Expert can be applied to the problem/solution

Benefit to Vendor Lower costs to service equipment More service offerings (preemptive diagnosis) Remote Service Centers (RSC) centralize

knowledge and expertise

HIMSS – January 28, 2002

Hospital

Remote Servicing today

Vendor Z

Vendor Y

Complex Wired Infrastructure

Vendor X

Remote Service Center

Modem Connections

Hospital Network

HIMSS – January 28, 2002

Hospital

Remote Servicing Solution

Vendor Z

Vendor Y

Vendor X

Ex. Internet VPN

Uses Hospital Network

Access pointsAccess pointsAccess pointsAccess points

HIMSS – January 28, 2002

Hospital

Access Control

Vendor Z

Vendor Y

Vendor X

2. Device under

service

1. Individual Service Personal

3. Access point Edges3. Access

point Edges3. Access

point Edges

1. Individual Service Personal

1. Individual Service Personal

1. Individual Service Personal

1. Individual Service Personal

2. Device under

service

2. Device under

service

2. Device under

service

2. Device under

service

2. Device under

service

HIMSS – January 28, 2002

Hospital

Audit Trails

Vendor Z

Vendor Y

Vendor X

2. Device under

service

1. Individual Service Personal

3. Access point Edges3. Access

point Edges3. Session

specifics where and when

1. Individual Service Personal

1. Individual Service Personal

1. Individual Service Personal

1. who, what, where, when & why

2. Device under

service

2. Device under

service

2. Device under

service

2. Device under

service

2. when, and what

HIMSS – January 28, 2002

NEMA/JIRA/COCIR Security and Privacy Committee

Health Care Provider gains Control and Manageability

Control of each session and/or vendor Rules that restrict where vendor X can

go, what tools they can use, when they can connect, etc

Strong Access Point Authentication Audit trails to prove accountability

HIMSS – January 28, 2002

NEMA/JIRA/COCIR Security and Privacy Committee

Next Steps for SPC Focus Group Charter

Define a Reasonable and Practical solution that follows this architectureCandidate ‘A’ -- IPSec tunneling over the Internet

ESP/AH – 3DES and SHA1 IKE – Session Key negotiation Certificates – communicated out-of-band (mail, courier, etc) Filtering and Routing rules maintained by the Healthcare

facility Audit trails maintained at RSC Individual Authentication maintained at the RSC

HIMSS – January 28, 2002

Hospital

Solution A: IPSec on Internet

Vendor Z

Vendor Y

Vendor X

IPSec Tunnel, ESP+AH 3DES, SHA1 IKE-RSA, PKI out-of-band

HIMSS – January 28, 2002

NEMA/JIRA/COCIR Security and Privacy Committee

Conclusion

The Focus Group is actively creating these Descriptions of Candidate Implementations

Vendors are providing experts from their Service organizations

AGFA, GE, Kodak, Philips, Siemens, Toshiba, +

Targeting End of 2002 with demonstration at RSNA Will seek approval by NEMA, COCIR, and JIRA early

2002 Likely Vendor implementations mid 2002

HIMSS – January 28, 2002

John F. Moehrke

GE Medical Systems262-293-1667John.Moehrke@med.ge.com