hmis security standards

September 13-14, 2005 St. Louis, MissouriSponsored by the U.S. Department of Housing and Urban Development

HMIS Security Standards

September 13-14, 2005St. Louis, Missouri

Sponsored by the U.S. Department of Housing and Urban Development

David Canavan, Canavan Associates

David A. Crist, Permovio, Inc.


HMIS Security StandardsOverview



David Canavan, Managing DirectorCanavan Associates


HMIS Security Standard

• The Standards seek to protect the confidentiality of personal information while allowing for reasonable, responsible, and limited uses and disclosures of data.

• These privacy and security standards are based on principles of fair information practices and on security standards recognized by the information privacy and technology communities.


Applicability

INTERNET

ProgramDirector

CaseManager

OutreachWorker

Volunteer

AgencyComputers

Secure Secure ConnectionConnection

Web ServerWeb Server Database Server

Database Server

Backup Server

Backup ServerEtc.


Baseline HMIS Agency Security Requirements

• HMIS users• Unique username and password

• HMIS should be enforcing unique username• HMIS may be enforcing complex passwords

• Signed receipt of privacy notice• Communities should have privacy notices in effect.• If not, should be under development• End users must sign a privacy policy

ProgramDirector

CaseManager

OutreachWorker

Volunteer


HMIS Computer Requirements

• Workstation username and password• Password protected locking screen saver• Stored in a secure location- locked office area

AgencyComputers

AgencyComputers

AgencyComputers

AgencyComputers


HMIS Computer Requirements

• Virus protection with auto update– • Old virus protection = no virus protection• Free virus protection is available at:

• www.free-av.com • www.nonprofit-tech.org

• Individual or network firewall• Individual firewalls can be activated in typical windows

installations through: control panel- windows security center- firewall- click “on”

• Free or low cost firewall software can be downloaded at: • www.zonelabs.com • www.techsoup.org

• Spyware Software and Adware are becoming huge obstacles to productivity. Communities should have a standardized approach to solving.

http://www.free-av.com/

http://www.nonprofit-tech.org/

http://www.zonelabs.com/

http://www.techsoup.org/


System Level Security

Overview:• Authentication• Multiple Access• Virus Protection with auto-update• Firewalls- individual workstation or network• Encryption- transmission• Public access- PKI- Public Key Infrastructure• Location Control• Backup and disaster recovery• Secure Disposal • System Monitoring


PKI: Public Key Infrastructure

• Options for implementing PKI:• Some communities are leveraging resources because a

single $20k certificate can generate thousands of user certificates. (Being investigated at NHSDC)

• Some communities are generating their own PKI• Some HMIS vendors are designing solutions

• Alternative to PKI:• Extranet (Utilized in Los Angeles)

• Each agency obtains a static IP address from their ISP which allows the HMIS to allow only authorized computers access.


Physical Access

• Access to workstations must be controlled and monitored• If not continuously staffed must be secured

• Can be very challenging to design- what are communities doing?


Backup and Disaster Recovery

• All HMIS data must be regularly backed up and stored in a secure off-site location:

•Backup your data and applications•Save them to tape•Test the tapes•A Backup tape laying next to a server won’t help if the

server room catches fire!•Alternatively, consider secure network-based offsite

backup solutions

•What procedures has your vendor documented?


Secure Disposal

• Tapes, disks and hard drives must be properly formatted and erased before disposal.

Deleting information simply turns it off Must take active steps to remove it from media Anywhere from 2 to 7 overwrites, depending on industry, is standard

What are you vendors doing with co-located servers when they are upgraded?

What are vendors doing with rented server space upon expiration of the contract?

Do you have this in writing?


System Monitoring

• All systems including central servers must be monitored and “routinely” reviewed by staff.

• Monitoring decisions:• Who monitors?• What is normal and what is abnormal usage and access?• How do I access the information?• What variables to monitor?

• How are vendors generating this information?• What procedures have you set up to review information?


System Monitoring (cont.)

• What variables to monitor…• Logon success/failure• Account management• Policy changes• Privilege use• Process tracking• System events• Connection attempts (IP and port)


Resources

• www.hmis.info – community documents, up to date information, FAQs• Upcoming white papers

• Shared forms and templates (e.g., Privacy Notice, Client Consent forms)

• Further technical assistance

http://www.hmis.info/


Security Resources

• National Institute of Standards and Technology Computer and Security Resource Center• http://csrc.ncsl.nist.gov

• Carnegie Mellon/CERT: Connecting to the Internet• http://www.cert.org/tech_tips/before_you_plug_in.html

• CERT Implementation Tips for Servers and Networks• http://www.cert.org/tech_tips/

• National Institutes of Health Center for Information Technology Security Site• http://www.alw.nih.gov/Security/security.html

• Forum of Incident Response and Security Reform• http://first.org


HMIS Security Standards inLas Vegas, Nevada



David A. CristConsultant, Permovio, Inc


Why Security?

• What is transmitted• User Data – passwords, user IDs, client information• Other headers – information useful to hackers such as web site

information or application information• IP Header – source and destination addresses that can be used

by a hacker for further attacks

• What we don’t want them to have• Anything transmitted

• How do we fix this problem?• Firewall – which is HUD mandated• VPN – Virtual Private Network which allows a secure

communication tunnel


Firewall

• Firewalls prevent unauthorized users and/or data from getting in or out of a network, using rules to specify acceptable communication

• Firewalls do not protect your data within the network or when that data gets out side of your network to the internet


Virtual Private Network (VPN)

• VPN tunnels, enabled by encryption algorithms, give you the ability to use public internet connections for secure data transmissions after it leaves the firewall

• The piece that makes it “Virtually Private” is the tunnel where by the data is encrypted such that only the recipients at either end of the transmission can see inside the protected encryption shell


Encryption

• Encryption is a technique for scrambling and unscrambling information• Encryption Algorithm – Mathematical function that

establishes the relationship between the encrypted message and the decrypted message, such as the industry DES (Data Encryption Standard) method


Doesn’t Industry Standard Mean Everyone Knows?

• Yes!

• Which is why there is a key to start the process• Example: 2 people go into a hardware store and buy

locks. They are both built the same, look the same, same industry standard, but the keys are different. That is what makes them unique

• Our key has more combinations however:

374,144,419,156,711,000,000,000,000,000,000,000,000,000,000,000,000to be exact.

• And that is only in step 1


Steps?

• The first step is to establish communication between the firewalls• This is done with the key and multiple encryption

methods

• The second step is to establish IPSec• The actual transmission of data in a secure tunnel


IPSec –Internet Protocol Securityor “The Tunnel”

• IPSec is a set of standards for creating and maintaining secure communications using:• Confidentiality – Encryption of data even if it is intercepted• Access Control – Restricting the system to authenticated

users• Authentication – Verifies the source of received data and

confirms there was no alteration of data in transit• Rejection of replayed packets – Counters a replay attack by

a hacker if the data is intercepted and resent to the firewall• Limited traffic flow confidentiality – Data information is

encrypted to mask the identities of the sending and receiving systems


We Are Almost There

• The previously described pieces are what securely connect participants in the HMIS program to the secure database

• Up until now this is all transparent to the persons using the system

• They must still login to the network where the software resides and then login to the HMIS software

• This completes a secure connection


Discussion

Any questions?

hmis security standards

Documents

information privacy

disaster recoveryall

privacy notices

pkisome hmis vendors

technology communities

nhsdcsome communities

old virus protection

secure network