HIMSS – January 28, 2002 Remote Servicing under HIPAA with proposed Solution A John F. Moehrke...
-
Upload
griselda-cook -
Category
Documents
-
view
212 -
download
0
Transcript of HIMSS – January 28, 2002 Remote Servicing under HIPAA with proposed Solution A John F. Moehrke...
![Page 1: HIMSS – January 28, 2002 Remote Servicing under HIPAA with proposed Solution A John F. Moehrke Chairmen of Remote Servicing Focus Group NEMA/COCIR/JIRA.](https://reader031.fdocuments.us/reader031/viewer/2022013101/56649e5e5503460f94b574dd/html5/thumbnails/1.jpg)
HIMSS – January 28, 2002
Remote Servicing under HIPAAwith proposed Solution A
John F. MoehrkeChairmen of Remote Servicing Focus Group
NEMA/COCIR/JIRA Security and Privacy Committee Systems Engineering – Security and Privacy in Healthcare
GE Medical Systems
![Page 2: HIMSS – January 28, 2002 Remote Servicing under HIPAA with proposed Solution A John F. Moehrke Chairmen of Remote Servicing Focus Group NEMA/COCIR/JIRA.](https://reader031.fdocuments.us/reader031/viewer/2022013101/56649e5e5503460f94b574dd/html5/thumbnails/2.jpg)
HIMSS – January 28, 2002
NEMA/JIRA/COCIR Security and Privacy Committee
What you will learn today
Remote Servicing is critical Remote Servicing presents new security risks Vendors are working on a common solution that
willa. Reduce administration (Hospital and Vendor)b. Improve Accountabilityc. Provide a more secure environment
Privacy is the Goal, Security is the way.
![Page 3: HIMSS – January 28, 2002 Remote Servicing under HIPAA with proposed Solution A John F. Moehrke Chairmen of Remote Servicing Focus Group NEMA/COCIR/JIRA.](https://reader031.fdocuments.us/reader031/viewer/2022013101/56649e5e5503460f94b574dd/html5/thumbnails/3.jpg)
HIMSS – January 28, 2002
NEMA/JIRA/COCIR Security and Privacy Committee
Security and Privacy Committee (SPC)
Joint effort by NEMA-MII, COCIR-IT, and JIRA Mission: Ensure a level of data security and data privacy in the
health care sector that: Meets legally mandated requirements Can be implemented in ways that are reasonable and appropriate Reduces Healthcare costs of compliance
Scope: All systems, devices, components, and accessories used in medical imaging informatics
Scope is not exclusive of other products and is expected to be extendable to all Equipment that maintains Patient Data (PHI)
International data security and data privacy legislation, currently focusing on the European Community, Japan, and the United States of America
![Page 4: HIMSS – January 28, 2002 Remote Servicing under HIPAA with proposed Solution A John F. Moehrke Chairmen of Remote Servicing Focus Group NEMA/COCIR/JIRA.](https://reader031.fdocuments.us/reader031/viewer/2022013101/56649e5e5503460f94b574dd/html5/thumbnails/4.jpg)
HIMSS – January 28, 2002
NEMA/JIRA/COCIR Security and Privacy Committee
Efforts of the SPC
Educational Document : http://medical.nema.org/privacy/education.pdf
Remote Servicing Proposal (This talk) http://medical.nema.org/privacy/remote.pdf
Audit Controls: http://medical.nema.org/privacy
Secure IHE Profiles Work in progress
Members: AGFA, GE, Kodak, Konica, Philips, Siemens, Toshiba
![Page 5: HIMSS – January 28, 2002 Remote Servicing under HIPAA with proposed Solution A John F. Moehrke Chairmen of Remote Servicing Focus Group NEMA/COCIR/JIRA.](https://reader031.fdocuments.us/reader031/viewer/2022013101/56649e5e5503460f94b574dd/html5/thumbnails/5.jpg)
HIMSS – January 28, 2002
NEMA/JIRA/COCIR Security and Privacy Committee
Why do Remote Servicing?
Benefit to Health Care Provider Better Availability and Integrity of the systems Quick response as no Travel involved Higher quality of service
Knowledge base available at the Vendor Expert can be applied to the problem/solution
Benefit to Vendor Lower costs to service equipment More service offerings (preemptive diagnosis) Remote Service Centers (RSC) centralize
knowledge and expertise
![Page 6: HIMSS – January 28, 2002 Remote Servicing under HIPAA with proposed Solution A John F. Moehrke Chairmen of Remote Servicing Focus Group NEMA/COCIR/JIRA.](https://reader031.fdocuments.us/reader031/viewer/2022013101/56649e5e5503460f94b574dd/html5/thumbnails/6.jpg)
HIMSS – January 28, 2002
Hospital
Remote Servicing today
Vendor Z
Vendor Y
Complex Wired Infrastructure
Vendor X
Remote Service Center
Modem Connections
Hospital Network
![Page 7: HIMSS – January 28, 2002 Remote Servicing under HIPAA with proposed Solution A John F. Moehrke Chairmen of Remote Servicing Focus Group NEMA/COCIR/JIRA.](https://reader031.fdocuments.us/reader031/viewer/2022013101/56649e5e5503460f94b574dd/html5/thumbnails/7.jpg)
HIMSS – January 28, 2002
Hospital
Remote Servicing Solution
Vendor Z
Vendor Y
Vendor X
Ex. Internet VPN
Uses Hospital Network
Access pointsAccess pointsAccess pointsAccess points
![Page 8: HIMSS – January 28, 2002 Remote Servicing under HIPAA with proposed Solution A John F. Moehrke Chairmen of Remote Servicing Focus Group NEMA/COCIR/JIRA.](https://reader031.fdocuments.us/reader031/viewer/2022013101/56649e5e5503460f94b574dd/html5/thumbnails/8.jpg)
HIMSS – January 28, 2002
Hospital
Access Control
Vendor Z
Vendor Y
Vendor X
2. Device under
service
1. Individual Service Personal
3. Access point Edges3. Access
point Edges3. Access
point Edges
1. Individual Service Personal
1. Individual Service Personal
1. Individual Service Personal
1. Individual Service Personal
2. Device under
service
2. Device under
service
2. Device under
service
2. Device under
service
2. Device under
service
![Page 9: HIMSS – January 28, 2002 Remote Servicing under HIPAA with proposed Solution A John F. Moehrke Chairmen of Remote Servicing Focus Group NEMA/COCIR/JIRA.](https://reader031.fdocuments.us/reader031/viewer/2022013101/56649e5e5503460f94b574dd/html5/thumbnails/9.jpg)
HIMSS – January 28, 2002
Hospital
Audit Trails
Vendor Z
Vendor Y
Vendor X
2. Device under
service
1. Individual Service Personal
3. Access point Edges3. Access
point Edges3. Session
specifics where and when
1. Individual Service Personal
1. Individual Service Personal
1. Individual Service Personal
1. who, what, where, when & why
2. Device under
service
2. Device under
service
2. Device under
service
2. Device under
service
2. when, and what
![Page 10: HIMSS – January 28, 2002 Remote Servicing under HIPAA with proposed Solution A John F. Moehrke Chairmen of Remote Servicing Focus Group NEMA/COCIR/JIRA.](https://reader031.fdocuments.us/reader031/viewer/2022013101/56649e5e5503460f94b574dd/html5/thumbnails/10.jpg)
HIMSS – January 28, 2002
NEMA/JIRA/COCIR Security and Privacy Committee
Health Care Provider gains Control and Manageability
Control of each session and/or vendor Rules that restrict where vendor X can
go, what tools they can use, when they can connect, etc
Strong Access Point Authentication Audit trails to prove accountability
![Page 11: HIMSS – January 28, 2002 Remote Servicing under HIPAA with proposed Solution A John F. Moehrke Chairmen of Remote Servicing Focus Group NEMA/COCIR/JIRA.](https://reader031.fdocuments.us/reader031/viewer/2022013101/56649e5e5503460f94b574dd/html5/thumbnails/11.jpg)
HIMSS – January 28, 2002
NEMA/JIRA/COCIR Security and Privacy Committee
Next Steps for SPC Focus Group Charter
Define a Reasonable and Practical solution that follows this architectureCandidate ‘A’ -- IPSec tunneling over the Internet
ESP/AH – 3DES and SHA1 IKE – Session Key negotiation Certificates – communicated out-of-band (mail, courier, etc) Filtering and Routing rules maintained by the Healthcare
facility Audit trails maintained at RSC Individual Authentication maintained at the RSC
![Page 12: HIMSS – January 28, 2002 Remote Servicing under HIPAA with proposed Solution A John F. Moehrke Chairmen of Remote Servicing Focus Group NEMA/COCIR/JIRA.](https://reader031.fdocuments.us/reader031/viewer/2022013101/56649e5e5503460f94b574dd/html5/thumbnails/12.jpg)
HIMSS – January 28, 2002
Hospital
Solution A: IPSec on Internet
Vendor Z
Vendor Y
Vendor X
IPSec Tunnel, ESP+AH 3DES, SHA1 IKE-RSA, PKI out-of-band
![Page 13: HIMSS – January 28, 2002 Remote Servicing under HIPAA with proposed Solution A John F. Moehrke Chairmen of Remote Servicing Focus Group NEMA/COCIR/JIRA.](https://reader031.fdocuments.us/reader031/viewer/2022013101/56649e5e5503460f94b574dd/html5/thumbnails/13.jpg)
HIMSS – January 28, 2002
NEMA/JIRA/COCIR Security and Privacy Committee
Conclusion
The Focus Group is actively creating these Descriptions of Candidate Implementations
Vendors are providing experts from their Service organizations
AGFA, GE, Kodak, Philips, Siemens, Toshiba, +
Targeting End of 2002 with demonstration at RSNA Will seek approval by NEMA, COCIR, and JIRA early
2002 Likely Vendor implementations mid 2002