Networking and Health Information Exchange: Privacy, Confidentiality, and

Security Issues and Standards

Audio Transcript

Slide 1
Welcome to Networking and Health Information Exchange, Privacy, Confidentiality,
and Security Issues and Standards. This is lecture b.

This component, Networking and Health Information Exchange addresses what is

required to accomplish networking across and among disparate organizations that have
heterogeneous systems. It is an in-depth analysis of data mobility including the
hardware infrastructure (wires, wireless, and devices supporting them), the ISO stack,
standards, Internet protocols, federations and grids, the NHIN and other nationwide
approaches.

Slide 2
Objectives for this unit, Privacy, Confidentiality, and Security Issues and Standards,
are to:

Explain the concepts of privacy and confidentiality requirements and policies and
learn how to implement the requirements.
Describe how to secure data storage and transmission using data encryption,
signatures, validation, non-repudiation, and integrity. (PKI, certificates, and security
protocols).
Define access control methods.
Analyze access restrictions to data storage and retrieval (physical and software).

Slide 3
Access control is: who or what is allowed access to a particular resource and what level
of access is allowed. For example, which users can have access to a patient record? A
doctor may have access to all of the information, including contact information, medical
history, and medications. The doctor would probably be allowed to read the information,
and make changes to it. A receptionist would have access to the patients contact
information, but nothing else. Access control involves three steps identification,
authentication, and authorization.

Identification requires that a user present identification, like a username. Once the
identification has been provided, the system must authenticate the user. This makes
sure that the identification is true, and has not been forged. Authentication is something

Health IT Workforce Curriculum Networking and Health Information Exchange 1

Version 3.0/Spring 2012 Privacy, Confidentiality, and Security Issues and Standards
Lecture b
This material Comp9_Unit9b was developed by Duke University, funded by the Department of Health and Human Services, Office of
the National Coordinator for Health Information Technology under Award Number IU24OC000024.
you know, something you have, or something you are. A password would be an
example of authentication. Authorization is the process of allowing the user to perform
the actions that he has permission to do. For example, being able to read a file.

Slide 4
There are a couple of things to keep in mind as you are providing access to users. The
first is separation of duties. No one person should have access to perform an action
that could lead to fraudulent activity. For example, there should be multiple people
involved in the payroll process. There should be an individual who verifies an
employees hours, another who issues the paycheck and a third who signs the check. If
only one individual were involved in the process, we could have a person paid for hours
that he didnt work. Another best practice is to only give users the access they need to
perform their jobs. This is called least privilege. While it is easy for the system
administrator to allow everyone to do everything on a system, and assume they will not
do anything they shouldnt, often this isnt the case. Do you know the saying, give
them an inch, and theyll take a mile? Users will do things they shouldnt -- either
intentionally or unintentionally, so we only give them access to do the things they should
be doing.

Slide 5
There are three primary models for access control: Discretionary Access Control (DAC)
means that it is completely up to the owner of the objects who has access to them, and
what access they have. For example, if I create a file, I can decide who has access to
it, and what permissions or rights they have: read, write, delete, etc. It is up to the
discretion of the owner or administrator of a system who has access to what.

With Mandatory Access Control (MAC), an owner or administrator cannot decide who
has what access. Access is controlled by a numeric access level. This is used in the
military. For example, if a document is classified as top secret, only those users with
clearance to top secret documents will be able to access the document. Even if the
creator of a document, or an administrator, thinks that someone without top secret
clearance should have access to that document, they cannot give this authorization.

Role Based Access Control (RBAC) is access based on the role a person plays in an
organization. Access is given to a particular role inside of an organization, and then
users are associated with those roles. They inherit the access from that role. For
example, we might create a role of receptionist in a medical practice. We would figure
out what access to what resources a receptionist needs, and assign that access to the
role. Then, we would associate all of our receptionists with that role, and they would
now have all of the access that we gave that role. If a receptionist leaves the practice,
we simply disassociate her user account with the role, and she now has no access.

Health IT Workforce Curriculum Networking and Health Information Exchange 2

Version 3.0/Spring 2012 Privacy, Confidentiality, and Security Issues and Standards
Lecture b
This material Comp9_Unit9b was developed by Duke University, funded by the Department of Health and Human Services, Office of
the National Coordinator for Health Information Technology under Award Number IU24OC000024.
Slide 6
There are two types of access control: logical and physical. Logical access control is
managing access to data files, programs, and networks. Methods for controlling logical
access include: Access Controls Lists (ACLs), account restrictions, and authentication
methods. Physical access control is managing who has access to physical locations.
Methods include locks, ID badges, and mantraps. Mantraps will be explained later in
the unit.

Slide 7
An Access Control List (ACL) is a list that is associated with a file, directory or object
that lists who has access to it, and the type of access. ACLs are created by the owner of
the object. The person who creates a file or directory would be the owner of that file or
directory. On the slide, you see the ACL for the file named tev.jpg. There are 3 objects
that have access to the file: System, Michele, and Administrators. System and
Administrators are group accounts note the icon that depicts a group. Michele is a
user account. The ACL shows the permissions, or access, that SYSTEM has to the file.
The checks indicate what permissions the object has. All users that are part of a group
will inherit the permissions that are given to that group. Access control is easier to
administrator through groups than individual user accounts.

Slide 8
For each account that is created, there are associated properties: Username, First
Name, Last Name, Phone number, etc. Other properties control how the account
functions. One restriction that can be put on an account is account expiration. This
automatically disables an account at a given date. This would be a good thing to do if
you know you are creating an account for a temporary worker. If the worker is only
going to be employed for three months, chances are that you may forget at the end of
the three months to disable the account. This would be a security vulnerability, because
that employee could still access resources, even though he is no longer employed by
the company. If you were to go ahead and set up an expiration date three months in the
future, when you create the account, you wouldnt have to worry about disabling the
account. You may also want to set up restrictions on what time of day a user can login,
and where they can login from (if applicable with your system). If business hours are
from 8 am to 5 pm, there is no need for a user to be logging in at 9 pm. Who is usually
at a company after hours? Janitorial staff. We want to make sure they are not able to
get into the system. The graphic on the slide shows the time restrictions that can be put
on an account as part of the parental controls in Windows 7. Some systems will allow
you to limit the address (IP or MAC) that a user can login from. A user can only login
from his machine. This limits someone from illegally accessing the system.

Health IT Workforce Curriculum Networking and Health Information Exchange 3

Version 3.0/Spring 2012 Privacy, Confidentiality, and Security Issues and Standards
Lecture b
This material Comp9_Unit9b was developed by Duke University, funded by the Department of Health and Human Services, Office of
the National Coordinator for Health Information Technology under Award Number IU24OC000024.
Slide 9
Remember from earlier in the lecture, authentication is something you know, something
you have or something you are. A password is a type of authentication: its something
you know. Passwords are the most commonly-used method for accessing a system.
Ideally, a password is a combination of letters, numbers and special characters. It
should contain upper and lower case characters. The more characters you have in your
password, the harder it will be for the password to be compromised; 12 to 14 characters
are recommended. Passwords should be changed on a regular basis.

Slide 10
You should never use the default passwords that are set by the vendor for hardware or
software. For example, many routers come with the default password set to the word,
password. Hackers will try the typical default passwords, so these should be changed
immediately. Passwords should never be written down. They should never be a word
that can be found in a dictionary, a word spelled backwards, common misspelling or
abbreviations. This includes English words and words in other languages.

Slide 11
You should also never substitute letters with numbers, for example, a 0 (zero) for an O
(the letter O), or a number 3 for the letter E. The same password should never be used
for more than one login. For example, you should not use the same password for your
email, Facebook and bank account. If your password is compromised for your email the
hacker now has your password to access your bank account also. You should use a
different password for every account. Passwords should never contain personal
information like a birthdate, pet, childrens name, favorite team, etc. This is information
that people can learn from you. Hackers may try to use social engineering pretending
to be your friend to find out this information so they can access your accounts.

Slide 12
One-time passwords (OTP) are passwords that change frequently and can only be used
once. Users have a token that is synchronized with an authentication server. When a
user wants to access a system he obtains the password from the token. The password
must match the one on the authentication server in order for the user to have access.

Slide 13
The primary element in securing physical access is location. Servers and connectivity
devices like routers, switches, and firewalls should be in a place that is not easily
accessed. We commonly refer to the rooms that house these devices as server or
telecommunication rooms. These rooms should have limited access and have at least
one of the physical access control methods we will discuss next.

Health IT Workforce Curriculum Networking and Health Information Exchange 4

Version 3.0/Spring 2012 Privacy, Confidentiality, and Security Issues and Standards
Lecture b
This material Comp9_Unit9b was developed by Duke University, funded by the Department of Health and Human Services, Office of
the National Coordinator for Health Information Technology under Award Number IU24OC000024.
One way of controlling access to physical locations is to lock the door. A door can be
secured with a key-in-knob lock, or a deadbolt. These locks require a user to have a
key. A cipher lock can also be used. A cipher lock requires a user to know the code.
Codes should be changed frequently and especially after an employee leaves. RFID, or
radio frequency ID cards, or badges are being used more frequently. These cards have
an RFID that transmits a radio signal to a receiver. A database is checked to make sure
the user can have access to the location. RFID access and electronic cipher locks are
able to keep a record of the people who have accessed the physical locations.

Some physical locations may have video surveillance that records anyone entering or
leaving a location. There are still locations that have access logs that require a person
to sign in and out. Mantraps are an area between two locked doors that are used to
connect an unsecure area to a secure area. You may have seen this in jails in movies
or on TV. Initially, both doors would be closed. Someone would enter one door and it
would close behind them. The second door would then open, allowing them to enter the
restricted area.

Slide 14
Biometrics are unique to an individual. Typical biometrics are fingerprints, faces, hands,
irises, or retinas. These are scanned by a system and compared to the image on file. If
they match, the user is authenticated and granted the appropriate access. Another type
of biometrics is behavioral biometrics. An example is looking at how a person types.
The system measures the amount of time a user dwells on a key and the time it takes
them to move between keys. This behavior is compared to the stored behavior. If it
matches, the user is given access. Another behavioral biometric is someones voice.
The system listens to the way a user says a particular phrase. A new form of
biometrics is cognitive biometrics. This type of biometrics looks at how a user responds
to a situation or his thought process.

Slide 15
Layering is a best practice for authentication. This requires users to have multiple
authentications to have access. The authentications should be of different types. For
example, in order to have access to a secure area, they have to have a key to unlock
the door and then enter into a mantrap. To get into the second locked door, they must
know the code for the cipher lock and have a fingerprint scan. In this scenario, they are
required to have something (a key), know something (a code), and be something (as
identified by their fingerprint). There are also systems that only require a user to login
once and then they are able to access other resources. Their authentication credentials
are passed between systems. Microsofts Windows Live ID is an example of single
sign-on. You sign in once, and you can access your email, Messenger, Xbox Live and
other Microsoft services.

Health IT Workforce Curriculum Networking and Health Information Exchange 5

Version 3.0/Spring 2012 Privacy, Confidentiality, and Security Issues and Standards
Lecture b
This material Comp9_Unit9b was developed by Duke University, funded by the Department of Health and Human Services, Office of
the National Coordinator for Health Information Technology under Award Number IU24OC000024.
Slide 16
Virtual private networks (VPNs) use Internet technology to transmit data between sites.
The data is encrypted as it travels from site to site. This data is kept separate from the
other data traveling on the Internet. Think of it as an HOV (High Occupancy Vehicle)
lane on a four-lane highway.

Slide 17
Security policies are a collection of policies that lay out specific rules and requirements
that must be followed in order to provide a secure environment. Some common security
policies are: Acceptable Use Policy (AUP), Password Policy, and Ethics Policy.

An AUP would lay out what a user can and cannot do on a computer system.

Slide 18
This concludes Privacy, Confidentiality, and Security Issues and Standards. This
unit has covered concepts of privacy and confidentiality and how to secure data. In
addition it has covered access control methods and access restrictions to data storage
and retrieval.

Slide 19
No audio.

End.

Health IT Workforce Curriculum Networking and Health Information Exchange 6

Version 3.0/Spring 2012 Privacy, Confidentiality, and Security Issues and Standards
Lecture b
This material Comp9_Unit9b was developed by Duke University, funded by the Department of Health and Human Services, Office of
the National Coordinator for Health Information Technology under Award Number IU24OC000024.