
Page 1

Securing the World-Wide-Web

P.R. Smith, Academic Computing

NYU School of Medicine

P.R. Smith, September 1997. NYU Medical Center

Page 2

Definition

Secure: safe against attack, impregnable, reliable, certain not to fail or give way.

Page 3

Definition

WWW:
- Transport of information: http, the HyperText Transport Protocol.
- Information on all the servers connected to the Internet.

Page 4

Primary Message of this Talk

Success of a WWW site depends on the integrity of that site, on whether it is viewed as reliable and secure.

Page 5

Why do I want a web site?

• Everybody is doing it.
• Impress the CEO.
• I’m not busy enough: I need a hobby.
• My organization has important information to communicate that will improve its ability to do business.

Page 6

Planning

Who do I want reading my site?

What services will I offer?

How will they be managed?

Page 7

Who do I want reading my site?

Careful inventory of the site’s potential readership.

Identify the needs of the groups and the kinds of information services they will require.

To be successful, a site needs ‘regular’ readers.

Page 8

What Services will I offer?

What information resources are available here?

What is available now?

What new materials will need to be developed?

What materials will be available from other locations on the net? How long will they last?

Page 9

Management Environment

WWW is an institutional resource.

To be successful, the WWW effort needs support from the highest level.

Mobilize resources. Senior management can mandate change in the environment. You probably can’t.

Page 10

Management

Manage Access

Manage Services

Page 11

Policy Issues

Control of Physical Access: to machine rooms, lab equipment, stand-alone servers.

Control of Logical Access: SAF, access via network, audit trails, access to communications.

Data Integrity Control: separation of duties and function, verification of data & equipment.

Ethical Issues: private vs corporate use, criminal activities.

Preventive Measures: backup, archiving, encryption, disaster recovery.

Page 12

Security Model

Data Steward: owns, or is responsible for, the data.

Data Custodian: stores/processes the data.

Data User: internal, external.

Data Assessment & Classification: Public; Internal; Restricted; Confidential.

Security Monitoring and Audits: exceptions, emergencies, violations, punishment.

Page 13

Security Policies

Mandated at the Highest Level: necessary, since they implement the Institution’s vision.

Clearly Stated: as far as possible, written in terms all understand.

Known to All: establish a single security-conscious culture for ALL data users. Security Acknowledgement Form.

Ubiquitous: policies apply to all individuals, internal, external.

Enforced Consistently: common process, CEO, faculty, staff, contractors.

Page 14

pursuit of the defenseless

impeachment of the irreproachable

punishment of the innocent

exculpation of the guilty

promotion of the incompetent

Page 15

General Principles of Data Security

Collected: appropriately, with accuracy.

Protected during Transport and Storage: against damage, against loss.

Accessed: only with authorization.

Archived: so as to be recoverable.

Deleted: so that no trace remains.

Audited: so that activity can be traced.

Page 16

Authentication: Identifies individuals uniquely. Allows you to be sure that “Bob” really is “Bob” and not “Joe”. Schemes include simple passwords, one-time passwords, Secure-ID, ‘Kerberos’, fingerprints, retinal scans.

Authorization: Establishes what individuals may do. If you are authenticated as “Bob” you may look at Outpatient Lab billing data, but not the lab results. If you are “Dr. Joe” you may see both.

Audit: Audit logs track creation, modification and access of data and services.

Page 17

What is “Security” in Relation to the WWW?

• Services offered on the Web are diverse.

• “Security” needs are service-specific.

Page 18

What “Services” can be offered on the WWW?

• Document Services: static information. Anonymous client selects links or search parameters.

• Interactive Services: identifiable information is elicited from the client. Registration forms, credit-card payments, on-line examinations, clinical lab results, purchase movie tickets...

Page 19

Interactive Services

Professional Advice: Second opinions, treatment options.

Medical Data / Patient Records: Records from other sites

Payment for Services: Pay hospital, doctor, therapist, HMO ....

Page 20

Services: Some Basic Issues

Who owns them? Individual? Department? Third Party?

Where are they hosted? Institutional Server? Department Server? Student Dorm?

Who gets to see them? Everybody? Just this site? A limited group? Nobody?

Who decides? Me? My boss? The web committee? The lawyer?

How do you resolve CONFLICT? Shoot them all?

Page 21

Management Team: institution-specific

Oversight Committee

Webmaster

Web Technician / Associate Webmaster

Graphic Designer

Programmer

Systems Manager

Page 22

WWW Security Issues

Accuracy of the information

Integrity of the server

Secure CGI programs

Secure Java/Script applets

Secure transport to client

Bug-free browser

Selective management of ‘cookies’

Sensible, honest user.

Page 23

Document Security

Document/Information Accuracy: Who may create a document? What are update policies? Does a document expire? How does a reader know to trust the information? Signed documents. Disclaimers. Access control (by location, password).

Integrity of the Server: Access to the server is tightly controlled: only authorized individuals can make document changes. Rigorous password policies. NFS access.

Secure CGI and Java/Script: Careful design and testing to detect security defects.

Page 24

Secure Transport to Client

Are Networks Safe? Yes. And no. There are no absolutely clear answers. Decision requires a risk assessment by the Institution. Result depends on the perceived risks and the tools available to manage them.

Is the Internet Safe for Medical Data? Yes. And no.

Review tools that enhance secure data transport: SSL, https. Phone system. School Buses.

Page 25

Secure Client

Is your Browser Secure? Yes. For the most part, browsers (Netscape / Explorer) are secure. However, there are known bugs in some versions. Few people are diligent in obtaining the latest fixes.

What about ‘Cookies’? ‘Cookies’ are data left by a server to allow ‘you’ to be identified next time you connect.

Users: Users are dishonest. They steal. They lie. They take your ‘stuff’ and pretend it is their own. They treat confidences as gossip. They are the root of all evil.

Page 26

Risk Assessment

Evaluate Current Practices. What are people actually doing? Who actually reads records? Do they need to? Does it matter?

Distinguish Policy and Actual Practice. Sure, you have a policy that medical records do not leave the floor: so why is the attending walking down the street with those files? How are you to deal with that?

Consistent Policy. You can’t protect one area and leave another wide open. This is a significant problem with electronic records. It is useless to have triple passwords on the computer and let anyone walk into the records room.

Page 27

The ‘Mediæval’ Security Model

[Diagram: Highway, City Gate, Cross-Roads, Homestead, Small Walled Town, Walled City, Hamlet.]

Highway Robbers - outside

Footpads/Pickpockets - inside

Page 28

‘Firewalls’ and ‘Proxies’

Firewall: Stands between two networks and limits connections between the ‘inside’ and the ‘outside’. Usually, between your net and the Internet, but sometimes between different parts of a single corporate net.

Proxy: Allows web users to access the Internet without having direct access. The proxy server passes requests out and redirects packets that return.

[Diagram: Internet, Firewall/Proxy.]

Page 29

Security Assumption

Inside my ‘Walled City’ I’m Safe: In principle, I should have more control over users, network access and desktops. In fact, this may not be true.

Outside, I’m Vulnerable: There is a concern that network traffic outside is vulnerable to theft. In fact data ‘on the Internet’ is probably much safer. Vulnerability arises again as soon as packets enter someone else’s local network.

Page 30

Packet ‘Sniffers’

‘Sniffer’ sees all packets on the local Ethernet segment.

[Diagram: Node, Node, Node, Sniffer on one shared segment.]

Page 31

A Switched Network Defeats ‘Sniffers’

The switch sends data to each node separately. Nodes don’t see each other’s data.

[Diagram: Node, Node, Node, Sniffer, each on its own port of a switch.]

Page 32

Defeat ‘Sniffers’ with Encrypted Traffic

‘Sniffer’ sees all packets, but can’t read any of them.

[Diagram: Node, Node, Node, Sniffer.]

Page 33

Encryption: Encryption protects data by scrambling it in a recoverable way. ‘Strong’ encryption is hard (maybe impossible) to ‘crack’ with a computer. ‘Weak’ encryption is easier.

Private Key Encryption. A single key (string of characters) is used to encrypt and to decrypt a message. To be secure, the private key has to be a secret shared by the people who share the encrypted information.

Public Key Encryption. Keys are used in pairs, one is used to encrypt a message, the other to decrypt it. One key is called the ‘public’ key and is distributed freely. The ‘private’ key is kept secret, known to a single individual.

Key length. Lengths are counted in ‘bits’. Messages encrypted with long keys (>56 bits) are hard to crack.
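An added example for the two preceding slides (encrypted traffic defeats a sniffer; private-key encryption and key length), not part of the original talk: the two nodes share one 256-bit secret, each frame is encrypted and authenticated with AES-GCM from Go's standard library, and a passive listener that captures every frame gets only ciphertext. The node names and the patient record are constructed sample data, and the `Frame` type is a stand-in for a captured Ethernet frame.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// KeyBits is the length of the shared secret. The slide calls keys longer
// than 56 bits hard to crack; a 256-bit AES key is far past that line.
const KeyBits = 256

// Frame is what a passive listener on a shared Ethernet segment captures:
// who is talking to whom, and the payload bytes. (Constructed stand-in.)
type Frame struct {
	Src, Dst string
	Payload  []byte
}

// NewSharedKey makes the secret both nodes must already hold: the slide's
// "private key" arrangement, one key shared in secret by the two parties.
func NewSharedKey() ([]byte, error) {
	key := make([]byte, KeyBits/8)
	_, err := rand.Read(key)
	return key, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext. A fresh random nonce is drawn per
// message and prepended, so two identical messages never yield identical frames.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. It fails if the key is wrong or a single bit changed in
// transit, so tampering is detected instead of silently accepted.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("frame too short to carry a nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// SnifferSees models the passive listener: it reads every frame on the segment
// and reports whether the payload exposes the given plaintext word.
func SnifferSees(f Frame, word string) bool {
	return strings.Contains(string(f.Payload), word)
}

func main() {
	key, _ := NewSharedKey()
	record := []byte("PATIENT 4711: HIV+") // constructed sample record
	ct, _ := Seal(key, record)
	clear := Frame{"node-a", "node-b", record}
	enc := Frame{"node-a", "node-b", ct}
	fmt.Println("plaintext frame leaks 'PATIENT':", SnifferSees(clear, "PATIENT"))
	fmt.Println("encrypted frame leaks 'PATIENT':", SnifferSees(enc, "PATIENT"))
	ct[len(ct)-1] ^= 1 // one bit flipped in transit
	_, err := Open(key, ct)
	fmt.Println("tampered frame rejected:", err != nil)
}
```

Note what the sniffer still learns even from the encrypted frame: the source, the destination and the payload length. Encryption hides the content of the traffic, not the fact that two nodes are talking.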

Page 34

Public Key Encryption: Establishing Trust

Public Key Certificate - associates a given public key with an individual (or a role) through the signature of a trusted authority.

PGP: “Web of trust”. I trust this key because I trust Joe and Fred who signed the key. Good for e-mail, but scales poorly.

X.509: A trusted certifying authority signs keys. Verisign, AT&T. Used for the Web, scales well, but many certificates are worthless.
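An added example of the certifying-authority model on this slide, not code from the talk: a certificate binds a name to a public key through an authority's Ed25519 signature, and a verifier accepts it only when the issuer is in its own trust store. The authority names and subjects are constructed, and the `Certificate` type is a deliberately minimal stand-in for a real X.509 certificate, which carries validity dates, extensions and more.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Certificate binds a subject's public key to a name through an issuer's
// signature. Constructed for this example as a minimal stand-in for X.509.
type Certificate struct {
	Subject   string
	PublicKey ed25519.PublicKey
	Issuer    string
	Signature []byte
}

// signedBytes is what the issuer signs. Name, key and issuer are all covered,
// so changing any of them after issuance invalidates the signature.
func (c Certificate) signedBytes() []byte {
	return append([]byte(c.Subject+"\x00"+c.Issuer+"\x00"), c.PublicKey...)
}

// Authority is a certifying authority: a name and a signing key pair.
type Authority struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewAuthority(name string) (*Authority, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authority{Name: name, Pub: pub, priv: priv}, nil
}

// NewSubjectKey generates the key pair a subject (say, Dr. Joe) would hold.
func NewSubjectKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Issue signs the statement "subject holds this key".
func (a *Authority) Issue(subject string, key ed25519.PublicKey) Certificate {
	c := Certificate{Subject: subject, PublicKey: key, Issuer: a.Name}
	c.Signature = ed25519.Sign(a.priv, c.signedBytes())
	return c
}

// TrustStore lists the authorities this verifier trusts, by name. A certificate
// from any other issuer is worthless to it, however well formed it is.
type TrustStore map[string]ed25519.PublicKey

// Verify checks that the issuer is trusted and that its signature matches the
// certificate contents; the issuer name alone proves nothing without the signature.
func (ts TrustStore) Verify(c Certificate) error {
	caKey, trusted := ts[c.Issuer]
	if !trusted {
		return fmt.Errorf("issuer %q is not a trusted authority", c.Issuer)
	}
	if !ed25519.Verify(caKey, c.signedBytes(), c.Signature) {
		return errors.New("signature does not match certificate contents")
	}
	return nil
}

func main() {
	ca, _ := NewAuthority("Example Medical CA") // constructed names
	rogue, _ := NewAuthority("Anyone Can Sign CA")
	joePub, _, _ := NewSubjectKey()
	trust := TrustStore{ca.Name: ca.Pub}

	good := ca.Issue("Dr. Joe", joePub)
	fmt.Println("trusted issuer  :", trust.Verify(good))
	fmt.Println("untrusted issuer:", trust.Verify(rogue.Issue("Dr. Joe", joePub)))
	forged := good
	forged.Subject = "Bob"
	fmt.Println("altered subject :", trust.Verify(forged))
}
```

The trust store is the whole decision: a certificate signed by an authority the verifier never chose to trust is rejected even though its signature is perfectly valid, which is the sense in which the slide calls many certificates worthless. The PGP web of trust differs only in who populates that store: the individual's own signing friends rather than a central authority.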

Page 35

E-Mail

Used widely for message exchange.

Plain-text E-mail messages are not secure. SMTP transfers mail in multiple ‘hops’ to destination. Mail can be viewed at each one. Postmasters get ‘bounced’ messages.

[Diagram: Origin, Destination.]

Solution: Mail packages that allow end-to-end encryption of messages and attachments.

Management issue: Postmaster must be an Institutionally trusted individual.

Page 36

Who Owns Patient Records?

Professional Records are owned by the professional who collects them, either personally or as an agent of an institution.

Who can Access Patient Records? The Patient: can always get access, albeit with difficulty in some cases.

Payor: as a part of an audit has access to establish quality of care.

Many non-professionals have anecdotal access as a part of their job functions (unit clerks, finance clerks, phlebotomists, ...)

Who Doesn’t have Access? Just about everyone else: e.g. Hospitals require consent to transfer records between institutions.

Page 37

Medical Data Repository

Database that holds Consolidated Medical Data from many patients.

Benefits:
• Facilitates communication between in- and out-patient caregivers
• Facilitates longitudinal care for patients
• Provides key information in an emergency situation
• Provides data to help establish the ‘state-of-the-art’
• A resource to compare quality of care, care-giver by care-giver.

Risks:
• Many, poorly authenticated or erroneously authorized accesses
• Catastrophic loss of the repository can be a disaster for patient care.
• Data may be missed due to physician reluctance to key-in the data.

Page 38

Why do some people find a Computerized Medical Record Really Scary?

A large-scale attack with the loss of large amounts of data can be hard to detect on a compromised computer, and it will take place really QUICKLY. In the worst case, it can be mounted from anywhere in the world.

A similar attack to seize paper records on the same scale may require a truck. You should be able to spot the truck.

Page 39

What is ‘Dangerous’ Information?

‘Dangerous’ is defined by the individual.
• Broad consensus on many items: House keys, SSN, ATM PIN.
• Disagreement on other items: Gay? HIV+? Marriages? Abortions? Cholesterol? BP? Mental illness? Substance abuse history? Genetic profile?
• People want to choose.

How do you lose control?
• ‘Publication’. You tell someone. A really good friend.
• Inference. You’re sick and are seen visiting a physician who specializes in HIV. You visit your probation officer.
• Observation. You take Prozac (Anxiety), Atenolol (HTN)....
• Someone gets hold of personal records.

Page 40

Risks to Privacy

• Friends and family
• Colleagues
• Employers
• Insurance Companies
• Landlords
• Coop Boards

Page 41

How do I protect myself and my Patients?

Page 42

Simple Security Measures can make a Significant Difference

Users need unique, robust passwords: Shared passwords, stupid passwords and passwords that get guessed have been the source of all the MC’s break-ins (that we’ve detected).

Users must subscribe to your security goals: Protect their passwords, change them regularly, never share, disconnect from authorized services when finished, and report issues that suggest a security violation.

Education / Training

Page 43

Greatest Exposure from Individuals in Positions of Trust.

Network Manager, Systems Manager, Webmaster, Programmers, Secretary

Page 44

Ask for HELP!

Central site

Colleagues at other Institutions

Read the Literature

Employ a Consultant

Page 45

Summary

Supportive Administration

Realistic policies for security and the Web

Create a culture that supports security

Motivated, technically competent staff

A commitment to development & change

Page 46

Acknowledgements: Bob Holzman, Loren Buhle, Bruce Kraus, Carey Ramos, Marty Nachbar, Mark Selby, Anton Saarimaki, Stuart Brown, Suzy Gottesman, Frieda Pavel, Roy Smith, Marc Waldman, Libby Flanagan

Art: Lucas Cranach the Elder, The Martyrdom of St. Barbara, oil on wood, Metropolitan Museum of Art, New York. http://www.yawp.com/cjackson/cranach1/p-cran1-12.htm

Hieronymus Bosch, The Last Judgment (left and right panels), oil on panel (triptych); Akademie der Bildenden Künste, Vienna. http://watt.emf.net/wm/paint/auth/bosch/judge/

Support: Provided by the NSF, and the NIH through NYU’s GCRC grant.