Are you who you claim to be

1
Are you who you claim to be?

• Daniel L. Maloney
• Director, Emerging Technologies
• Department of Veterans Affairs, VHA OI
• Silver Spring, MD., U.S.A.
• daniel.maloney_at_med.va.gov

2
Overview

• Overview of VA
• Overview of the issue
• Authentication options
• What is PKI and why would it help?
• How does this apply to real projects?
• Hard decisions

3
Mission

• To care for him who shall have borne the
  battle, and for his widow and his orphan...
• - Abraham Lincoln

4
Department of Veterans Affairs

• 26 million veterans and 43 million dependents
• Nearly one-third of the nations population are
  potentially eligible for VA benefits
• Facilities in all 50 states, Washington, DC,
  Puerto Rico, Virgin Islands, Philippines, Guam
  and Samoa
• Nations largest medical system with 173 medical
  centers, 129 nursing homes, 35 domiciliaries and
  400 community based clinics
• 58 regional veterans benefits offices providing
  monetary, disability, pension, education and
  vocational rehabilitation benefits
• 13 million home loans and the nations largest
  insurance program
• Nations largest cemetery system with 116
  national cemeteries

5
Are you who you claim to be?

• When communicating in the electronic world of the
  future, can you predict how will we prove who we
  are?
• The only way to accurately predict the future is
  to build it.

6
Major Issues

• The Web Changes Everything
• As the network services expand and network
  connectivity improves, security, privacy and
  authentication become increasingly important
• Electronic Service Delivery customers AND
  corporations are driving it because it saves them
  time and money
• Risks - If an unauthorized person got your
  passwords, what problems could develop for you?
• Because the world has already changed, we need to
  catch up with better user authentication,
  security and privacy practices
• Need a portable solutions because we are all
  mobile we interact with computers from many
  locations

7
On the Internet, nobody knows youre a DOG...
8
Basic Authentication Options

• Something you know (passwords)
• Something you have (keys, token)
• Something you are (biometrics)
• Strong Authentication - Two or more used together
  are considered to be better than any one alone

9
User Authentication

• The risk associated with the business transaction
  will determine what level of user authentication
  that is appropriate
• Multiple levels of authentication may be
  supported at one time
• Security is always a compromise involving risks,
  expenses and current practices
• The standards of good business practices will
  change over time
• As technologies become more widely adopted (smart
  cards, biometrics, etc), the mapping of actions
  to authentication levels may change over time

10
Some current VA projects

• Web server public access
• On-line 10-10 EZ form completion
• Save data from a partially completed form
• On-line Prescription Refill
• Health eVet personal health profile
• VA SSA Interagency Secure Electronic Exchange of
  Medical Evidence
• Virtual Private Network access for staff
• Pieces of the solution VA PKI and Veteran Smart
  Card

11
Levels of Authentication
12
Technical Solutions
13
Basic PKI Concepts

• PKI Defined
• Combination of policies, procedures, hardware and
  software
• Framework for Public Key Cryptography
• Asymmetric Key Pair
• Digital Signature
• Authentication
• Encryption

14
Basic PKI Concepts

• PKI Provides
• Strong Authentication
• Data Integrity
• Confidentiality
• Non-Repudiation

15
PKI - BASIC PRICIPLES c

• A pair of related keys as opposed to a single key
• When either key encrypts, the other key decrypts
• The private key is closely guarded and never
  given out - PROTECT YOUR PRIVATE KEY
• The public key and who it belongs to are publicly
  available

16
DEFINITION OF ENCRYPTION
Encryption
The process of taking a meaningful string of data
(cleartext) and converting it into an apparently
meaningless string of data (ciphertext).
Decryption
The reverse process of taking the apparently
meaningless string of data (ciphertext) and
converting it back into the original string of
meaningful data (cleartext).
17
CRYPTOGRAPHIC ALGORITHMS - PUBLIC KEY

• Public key used for encryption
• Private key used for decryption
• Public key is widely distributed
• Private key held closely by key owner
• Private key cannot be calculated from public key

Public Key
Private Key
18
Signing a Document
Requires
3
2
1
Copy of Electronic Document
Signature of Document Using Private Key
Message Digest
Message Digest Function
Digital Signature Engine
Using Private Key
Original Document
19
Verifying a Signature
Requires
Public Key (signer)
1
2
3
Copy of Original Document
Signature
Message Digest
Verification of what was signed and who signed
it

Message Digest Function
Digital Signature Engine
Using Public Key
20
VA SSA Secure Exchange of Medical Evidence Project

• GOALS
• Enable SSA and VA to evaluate viability of SSA
  receiving electronic medical evidence from VA, in
  a private and secure manner
• Decrease overall processing time, e.g. days
  elapsed per request for completion
• Save VA staff time and effort when fulfilling
  requests for medical evidence
• Move towards the goal of 95 of responses that
  can be fulfilled with electronic extracts

21
VA/SSA Secure EmailWorkstation VistA Data
Extract Delivery Flow
Step 1) Create VistA Data Attachment
VistA Data Capture
VistA
Network Drive
1. Open VistA. Use Health Summary
2. Initiate Data Capture in terminal emulator
software with Incoming Data command
3. Store the file on the network drive and close
the data capture process
Step 2) Create Email with Data File Attachment

4. Within Outlook, create a new email including
the VistA data capture file as an attachment
5. Apply encryption for message contents and
attachments and send email to Social Security
Administration
6. Delete all VistA data capture files that have
been saved to the network drive. Files will be
automatically deleted daily by the system if not
done so manually.
22
Prescriptions for Controlled Substances

• Issue - Electronic prescriptions are allowed by
  Drug Enforcement Administration (DEA) for non
  controlled substances. DEA approached VA to help
  to pilot the use of strong technical controls
  like PKI with prescriptions for controlled
  substances
• Based upon the results, DEA will consider
  revising existing regulations
• Major authentication, integrity, non repudiation,
  privacy and confidentiality requirements
• Proposed solution to be piloted is to use PKI and
  smart cards
• Requires major review and adaptation of existing
  VA Medical Automation Systems
• Analysis and Lab testing stage

23
What is Health eVet?

• Health eVet is an internet based, secure Personal
  Health Space provided to the veteran on an
  opt-in basis

24
(No Transcript)
25
What Will Health eVet Do?

• To
• Provide veterans access to their health care
  information
• So That
• The veteran is empowered to partner with their
  health care provider in achieving optimal health

26
History

• Veterans periodically ask for a copy of their
  medical record
• Veterans want to get more involved in managing
  their care
• Pre-internet technology did not provide the means
  to answer these requests electronically
• Dr. Garthwaite, VA Under Secretary For Health
  predicts That each person, including veterans,
  will be the only one with a complete medical
  record.

27
(No Transcript)
28
Health eVet Major Characteristics

• Priority for security and privacy
• Veteran opt-in
• Veterans Personal Health Space
• Copy of essential portions of VA medical data,
  personalized information
• Self entered (health related) data
• Controlled by veteran on internet
• Health education information
• Proceed with lots of input
• Status initial testing at demonstration site

29
Current Practice

• Current good business practices is to allow
  access to an individuals records using passwords
  alone.
• This practice has risks
• We should support efforts to move to strong
  authentication
• One example is PKI certificates along with
  passwords

30
One Scenario for User Authentication

• Initially Complex Passwords
• PKI Keys on Client with Passwords
• PKI Keys on Smart Cards with Passwords

31
Which future would you like to build?
32
Contacts

• email - daniel.maloney_at_med.va.gov
• Web Sites
• VA Web site - http//www.va.gov/
• 10-10EZ form - http//www.va.gov/1010ez.htm
• Health eVet - http//www.health-evet.va.gov
• VA PKI - http//www.va.gov/vapki.htm