8/14/2019 Smart Card Presentation for Trinity9-02
http://slidepdf.com/reader/full/smart-card-presentation-for-trinity9-02 1/13
UConn Health Center
Security Optimization & Fortification
Initiative
Bob Brandner
Deputy CIO
Overall Objectives
• All the Healthcare business drivers mentioned in Datacard slides apply to our scenario
• Use Digital Signatures to replace written signatures as approvals for internal forms routing and external electronic commerce.
• Single, streamlined process for employees or affiliates to obtain credentials/privileges for visual, physical or logical access.
• Centrally managed security administration (issuance, revision, revocation) process with emphasis on improving:
– Timeliness of service delivery
– Audit Capabilities
– Accountability
– Measurements
• Fortification of safeguards for all aspects of Security using Smart Card as single credential store
• Address HIPAA requirements with common sense (see Appendix Two)
• Introduce two factor authentication in sensitive areas using any combination of:
– Password/PIN (something you know)
– Smart Card/PKI (something you have)
– Biometric (something you are)
• Facilitate automated password administration by introducing single/reduced sign-on capability
Staff & Caregiver ID - Needs
• One ID card for multiple functions
• One secure enrollment & card issuing process
• One secure and accurate data source
• Integration of “second” factor of authentication in network and physical access
• Multiple applications on smart cards
– network security, cafeteria, vending
Central Secured Identity Database
• ONE database to store identity information – HR, LDAP Compliant Directory, Central ID Database
– Populate from HR database
– Connectivity to legacy access control & time/attendance systems
– Ability to view from other locations
Smart Cards
• Multi-application capability
– Logical security
– Add single sign-on & PKI
– Add biometric template
– Future applications
• Best choice for combining logical and physical security
– Combine two or three factors of authentication: something you have (card), something you know (PIN) and something you are (biometric)
– Portable, secure
Value Statement
Datacard offers a single source solution for consolidating visual, physical, and network authentication using a seamless smart card issuance process. This provides greater security at a lower cost.
Mirrors UConn Health Center’s Goals & Approach
UConn Current State – Physical & Visual
• Visual & Physical Security accomplished via use of at least six (6) different cards (i.e. Photo Badge, door access mag stripe & proximity, parking lot proximity, mag stripe vending, etc.)
• Employee picture IDs have no intelligence, and the other types of cards mentioned do not include pictures and are all configured via different applications.
• Only different color badges provide any visual differentiation for physical access between employees
• Public Safety (Campus Police) office gets a paper list of new employees scheduled for weekly orientation who need badge pictures taken.
UConn Current State – Logical (Chaos)
• Approximately 199 business applications in use by over 3000 employees
• 56 different employees manage password access for the 199 applications (only IDX Suite access managed by IT)
• 52% contain Protected Health Information (PHI)
• 40% have ability to assign varying levels of access
• 34% have role-based access administration
• 18% have passwords with automatic expirations
• 15% of applications are used enterprise-wide:
– 10 applications have between 250 and 500 users
– 6 applications have between 50 and 250 users
– 13 applications have between 20 and 50 users
• Approximately 332 users have access to at least two enterprise-wide applications:
– 184 users have access to two different enterprise-wide clinical applications:
• (134) IDX Suite & Lab
• (28) IDX Suite & Radiology
• (22) IDX Suite & Pharmacy
– 142 users with access to IDX Clinical Suite also have access to Finance System
– 80 users have access to both Human Resource and Finance Systems
• 85% of applications (170) have between 1 and 20 users and are departmental in nature.
UConn Current State – Smart Cards
• In-house developed Physician Order Entry (POE) system PKI enabled for logon via Gemplus smart card & PIN with photo and Verisign digital certificate (on-site lite product)
• Digital Certificate is captured for each order in a SQL database
• Over 500 cards issued for Physicians and Residents
• Visual-only employee IDs are also required for smart card users.
• Physicians find use of PIN cumbersome and would like a Biometric option for second factor authentication.
• CT Hosp Association supplied and administered smart card printing/issuance process, but discontinued this service one month into POE rollout.
• Ability to manage entire smart card lifecycle in-house was required immediately.
• ActivCard selected as vendor of choice via RFP for Smart Card driven pilot including cards, readers, printer, Smart Card Lifecycle management and reduced sign-on software.
ActivCard/Datacard - Smart Card Pilot Objectives
• Automatic creation of Cryptographic smart cards to be used for PKI, desktop security, physical access, time reporting, copier charge debit and photo ID badge purposes
• Reduced sign-on to Windows client server, Telnet and browser based system logons (non-programmatic interface or vendor specific agents)
• Protection of information and transactions using PKI
• Desktop locking and session resumption
• Single, application shareable credential store (LDAP compliant)
• Web authentication using SSL and client-side certificates
• Digitally signed and encrypted e-mail (S/MIME)
• Mobile certificates using smart cards / virtual smart cards
• Automatic and manual PC file encryption
• Compatible with Verisign Certificates
Pilot Results
• Using templates created in ID Works with support from distributor, currently using Datacard ICIV camera and printer to issue Schlumberger Smart Cards for POE application
• Adding Verisign certs to Smart Cards
• Verified ability of ActivCard Trinity software to automate the following system access functions:
– Create single credential store in LDAP directory and transfer to Smart Card individual user IDs and passwords for employees
– Automate sign-on process to all systems by using tools to create software templates for various UCHC client/server, terminal emulated or web based logon dialogs.
– Automate creation of new passwords by recognizing expiration notice and using rules to seamlessly create system specific new password.
– Use any combination of Smart Card, PIN, password or biometric for system authentication, varied by employee and/or by each system accessed by each employee.
– Automate MS Domain/Exchange and/or Active Directory Logon
– Assignment of access privileges to new hires via drag and drop of templates
– PC session locking when smart card is removed.
• Verified ability to feed new employee data from HR system to MS Active Directory’s LDAP store that automatically updates both Trinity and ID Works databases (See Appendix One for data flow)
• Clinical IT Steering committee saw demo of Trinity automated logon capabilities and strongly endorsed the product.
Security Initiative Current Status
• Initiating purchase of first 100 of 2500 to 3000 total Trinity licenses
• Creating temporary point to point feeds from HR system directly to ID Works and Trinity Database (until Active Directory is in full production)
• Modifying COM object providing PKI interface via smart card for POE logon to use Schlumberger cards and Trinity Software.
• Working with various individuals responsible for password administration of UCHC systems to establish IT security as single customer contract for requesting and aggregating credentials for multiple systems (Access Broker)
• Finalizing strategy for assigning appropriate type of ID card to requirements of various job types (i.e. Plastic photo card; Picture & Mag Stripe; Picture, Mag & Proximity & Smart Card Combo).
• Modifying HR new employee forms to capture systems access request information and adding to electronic feed.
• Modifying electronic approvals for in-house forms routing to replace use of SS# and PW with PKI.
• Transitioning Datacard Equipment and ID Works operation to Public Safety (Security) departments to replace current visual only badges.
• Rolling out Trinity software to most sensitive patient care areas and to communities requiring access to multiple applications.
• Evaluating opportunities to interface Trinity credentialing process with Verisign enrollment to further streamline administration.
Appendix One – New employee credentialing data flow (reconstructed from the flowchart)
• The Greentree applicant tracking system (HR) generates an electronic feed containing the list of new employees, including departmental demographic, facility access and information systems access information. The feed includes the names of new employees needing facility, barcode and information systems access.
• The feed is loaded into MS Active Directory (LDAP v.3), which drives two downstream feeds:
– The full set of new employee information is fed from MS Active Directory via LDAP into the Access database for the ID Works badging system.
– Only the names of new employees needing systems access are fed from MS Active Directory via LDAP into the database for the Trinity authentication application. IT Security then creates the Trinity new employee systems access profile, available for download to the ID badge.
• ID Works badging option (one per employee):
– Picture badge only (plastic only)
– Picture badge with facility access and/or barcode card configuration only (magnetic stripe)
– Picture badge with facility & IT systems card configuration (magnetic stripe & microchip)
• Need digital certificate? If yes, IT Security enrolls the new employee in the Verisign PKI system and readies the certificate for download to the card; the certificate is sent to Public Safety from Verisign to a special email account.
• Public Safety prints the badge with picture, with or without barcode/mag stripe.
• Need IT access credentials on card? If no, Public Safety gives the finished badge to the employee. If yes, Public Safety logs into the Trinity system as operator, inserts the new card into the reader and downloads the IT access credentials to the card.
• PKI digital certificate? If no, Public Safety gives the finished badge to the employee. If yes, Public Safety downloads the Verisign certificate onto the card via the card reader, the MS Active Directory record for the new employee is updated with the digital certificate information via LDAP, and Public Safety gives the finished badge to the employee.
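Added example (not from the presentation, ActivCard or Datacard): a small Python model of the Appendix One flow that routes constructed HR feed records to ID Works and Trinity, picks the badging option and lists the issuance steps. The field names, the sample records and the consistency rule that a certificate can only be loaded alongside IT credentials on a chip card are assumptions made here.

```python
from dataclasses import dataclass

# Constructed sample schema; field names are assumptions, not the real HR feed layout.
@dataclass(frozen=True)
class NewHire:
    name: str
    facility_access: bool      # door/parking access (mag stripe or proximity)
    barcode: bool              # cafeteria/vending barcode configuration
    systems_access: bool       # IT systems credentials to be stored on the card
    digital_certificate: bool  # Verisign PKI certificate (e.g. for POE logon)

PLASTIC, MAG_STRIPE, MAG_STRIPE_CHIP = "plastic", "mag_stripe", "mag_stripe_chip"

def route_feed(hires):
    """ID Works receives every new employee; Trinity only those needing systems access."""
    return list(hires), [h for h in hires if h.systems_access]

def badge_option(h):
    """Badging option; any systems access needs the microchip card (assumption:
    the chip card also carries the magnetic stripe for facility access)."""
    if h.systems_access:
        return MAG_STRIPE_CHIP
    if h.facility_access or h.barcode:
        return MAG_STRIPE
    return PLASTIC

def request_is_consistent(h):
    """A certificate is only downloaded after IT credentials go onto a chip card."""
    return h.systems_access or not h.digital_certificate

def issuance_steps(h):
    """Ordered steps Public Safety and IT Security perform for one new employee."""
    if not request_is_consistent(h):
        raise ValueError(f"{h.name}: certificate requested without systems access")
    steps = []
    if h.systems_access:
        steps.append("IT Security creates Trinity systems access profile")
    if h.digital_certificate:
        steps.append("IT Security enrolls employee in Verisign PKI; cert emailed to Public Safety")
    steps.append(f"Public Safety prints picture badge ({badge_option(h)})")
    if h.systems_access:
        steps.append("Public Safety (Trinity operator) downloads IT credentials to card")
    if h.digital_certificate:
        steps.append("Public Safety downloads Verisign certificate to card via reader")
        steps.append("Active Directory record updated with certificate info via LDAP")
    steps.append("Public Safety hands finished badge to employee")
    return steps

SAMPLE_FEED = [  # constructed input, not real employees
    NewHire("volunteer", False, False, False, False),
    NewHire("clerk", True, True, False, False),
    NewHire("nurse", True, True, True, False),
    NewHire("physician", True, True, True, True),
]
```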
Appendix Two
I. Privacy Compliance Requirements
The rule calls for a balance between the ultimate protection, risk and cost, and clearly states the desire not to impose a patient-care-affecting burden.

HIPAA Myth a) Mandates IT system redesigns for ability to impose distinct limitations on precise data elements accessible by dozens of user roles.
HIPAA Reality: Creating a few roles with access to a broad range of patient PHI data elements is both permissible and appropriate as part of a HIPAA compliant procedure because:
• Most employees with ANY access rights to electronic PHI have legitimate needs to access diagnosis & procedure information
• Many employees with ANY access rights need to access infection precautions
• The minority of staff not needing access to these broad categories should be placed into a few roles with very limited PHI access.

HIPAA Myth b) Most privacy rule provisions require modifications to existing or newly acquired electronic systems containing PHI.
HIPAA Reality: Compliance with the majority of the privacy rule provisions will be achieved by:
• Securing physical access to facilities where either paper (file rooms) or systems containing PHI (Data Center) are stored.
• Employee Education on sacred nature of patient privacy
• Implementing & enforcing specific privacy policies
• Use and tracking of paper consent/authorization forms
System modifications may be required to deliver the following capabilities that are necessary for HIPAA compliance:
• Verify authorizations for repeated disclosures have not been revoked prior to each PHI disclosure
• Log the nature and date of each disclosure
• Record amendments made to electronic PHI via patient request or staff.
II. Security Compliance Requirements
The rule calls for a balance between the ultimate protection, risk and cost.

HIPAA Myth a) Requires enormous investment in IT security specifically for HIPAA compliance.
HIPAA Reality:
• Majority of security rule compliance will be addressed by physical facility security enhancements and establishing policies to protect PHI.
• Majority of rule’s electronic data protections will use technology organizations have installed or are planning to install as part of normal business precautions and infrastructure upgrades.

HIPAA Myth b) Mandates very specific security technologies & solutions.
HIPAA Reality: Rules mandate capabilities, policies and mechanisms; not specific technologies.

HIPAA Myth c) Impersonation of a patient at the point of care represents the principal and most probable threat to unauthorized access to PHI via HCO’s electronic system.
HIPAA Reality: Impersonating a patient at the point of care to illegally acquire a person’s electronic PHI is not a probable threat because:
• Number of parties interested in a “non-celebrity’s” PHI, but not entitled to it, is small at any time.
• There is no ready market for PHI a hacker might acquire via impersonating the individual.
• Blackmail involves large sums of money and is too messy, too risky and too personal for hackers.
• Exploiting the helpful nature of organization’s staff not adequately trained in patient privacy policies & procedures is a much more probable scenario for illegal/inappropriate access to PHI than stealing a password by “shoulder surfing”.
II. Security Compliance Requirements (continued)

HIPAA Myth c) Requires use of Two factor Authentication to access PHI (e.g. Password & Biometric)
HIPAA Reality:
• Majority of electronic access to PHI can be sufficiently protected by ensuring the use of unique user IDs and passwords.
• Two factor authentication methods (i.e. smart card/PIN, Biometric/PIN, etc.) will make sense in the most sensitive care delivery settings.
• Best and most widely pursued method of ensuring adequate protection for electronic PHI is automating the provisioning and tracking of access rights via single sign-on technology.

HIPAA Myth d) Electronic PHI remote access via the Internet requires use of password tokens (Secure ID Cards) and Virtual Private Network (VPN) Software
HIPAA Reality: Not required; use of normal internet browser technology supporting SSL encryption, unique passwords and inactivity timeouts will address HIPAA requirements.