Organizing Security

1
Organizing Security Privacy in Medical Imaging
Technology

• Presented by
• Dr. David Gobuty, SPC Vice-Chair
• Director of Systems Security Chief Security
  Officer
• Eastman Kodak Company, Health Imaging Group, USA
• david.gobuty_at_kodak.com
• Dr. Wolfgang Leetz, SPC Chair
• Data Privacy Data Security for Products
• Siemens Medical Solutions, Germany
• wolfgang.leetz_at_siemens.com

RSNA December 1-5, 2002 v1.0
2
What You Will Learn Today

• Introduction to Joint NEMA/COCIR/JIRA Security
  Privacy Committee
• Privacy is the Goal, Security is the Way
• Define Rules, Then Work To Enforce Them
• Both Technology Procedures Needed
• Toward a Logical Allocation of Methods

3
Security Privacy Committee (SPC)

• Joint with NEMA-MII (USA), COCIR-IT (Europe),
  JIRA (Japan)
• Mission ensure a level of data security
  privacy in health care sector that
• meets legally mandated requirements (e.g., HIPAA,
  95/46/EC, HPB-517)
• implementable in ways that are reasonable
  appropriate
• reduces cost of healthcare compliance
• Scope systems, devices, components, accessories
  used in medical imaging informatics that
  access/contain/exchange patient-identifiable
  information
• Goal common understanding of solutions for
  health care institution compliance with data
  security privacy legislation

4
SPC Efforts Outcome

• Jointly-approved white paper series
• Security Privacy An Introduction to HIPAA
             
• Security Privacy Auditing In Health Care
  Information Technology
• Security Privacy Requirements for Remote
  Servicing                 
• Remote Service Interface Solution (A) IPSec
  Over The Internet Using Digital Certificates
• Identification Allocation of Basic Security
  Rules in Healthcare Imaging Systems (subject of
  this presentation)
• All papers available at http//www.nema.org/medica
  l
• Current SPC Membership AGFA, GE, Kodak, Konica,
  Merge eFilm, Nihon Kohden, Philips, Siemens,
  Toshiba
• Note All members of NEMA, COCIR, JIRA are
  eligible to participate

5
Patients Privacy The Goal

• Regulations legislation assertpatient
  privacy is a fundamental right that must be
  protected by
• Confidentiality limiting access (e.g., user
  login authorization)
• Integrity of data (e.g., control of changes)
• Availability of service (e.g., emergencies)

6
Law Compliance

• Country-specific law governs all forms of such
  data oral, written, electronic
• Customer-specific activity toward compliance
  calls for policies, procedures, IT solutions,
  training

7
Security Rules

• SPC paper identifies a basic set of security
  rules
• Security rules need to be enforced to accomplish
  patients privacy
• Are based on contemporary security
• engineering concepts
• SPC recommends enforcement via procedures or
  technology depending on
• type of information to be protected
• capabilities of current IT
• Security rules revolve around security services

AdheretoSecurityRules
8
Security Services Define the Way

• Guidance for secure management of sensitive
  information based on basic security services
• data confidentiality
• data integrity
• provision of service/availability of data
• individual accountability
• non-repudiation
• immutability
• configuration management
• Implementation non-specific what, not how
• Future source for technical requirements, product
  designs, implementations

9
Procedures Technology Two Lanes of a One-Way
Road

• Procedures sometimes are best
• least complex
• cost effective
• timely
• routinely in use
• However, technology is common increasingly
  found in medical imaging workplace

10
Automation The Logical Step

• Soon to be required for several functions (when
  PHI is processed in/protected by IT), e.g.,
• user identification authentication
• protection of data exchanges between systems
• accountability of user access to patient data
• Can relieve toil, reduce/eliminate human error,
  increase productivity, control cost

11
Local Implementation Issues Balancing Comfort
Costs

• What should be automated by technology?
• What should be accomplished by procedures?

12
Suggested Allocation Between Technology
Procedures

• SPC security rules allocations white paper
  considers variations in IT complexity
  capability, including characteristics like
• equipment mobility
• access of equipment to media (e.g., paper, film,
  CDs)
• networking of equipment with other devices
• medical imaging systems that also host other
  software
• group-use
• storage capacity
• presence of patient identifiers

13
Some Complexity Capability Factors Considered

• Equipment mobility, including
• physical access control
• supervision available for device users
• Access of equipment to media (e.g., paper, film,
  CDs)
• technical protection for the media
• Controls on creation removal of media
• Networking of equipment with other devices
• logical isolation from public networks (e.g., the
  Internet)
• unauthorized activity by otherwise authorized
  users

14
Some Complexity Capability Factors Considered
(contd)

• Medical imaging systems that also host other
  software, e.g.
• office-, e-mail-, web-applications
• PACS software running on a modality
• Group-use equipment
• difficulties with user identification,
  authentication, authorization
• tracking actions of individuals when only one
  logs on but many gather around to use

15
Some Complexity Capability Factors Considered
(contd)

• Storage capacity - the more patient data can be
  stored the higher the security privacy concerns
• Patient identifiers
• data containing many identifiers a larger risk
  than data where ID is obscure
• use of parameters instead of patient names
• safeguarding true identification of patients

16
Excerpts from Security Rules Allocations Table
17
Security Rules Allocations

• 38 individual security rules are presented
  allocated
• Divided into 9 topics
• 1. User Management
• 2. Security of Data
• 3. Security of Electronic Media Hardcopy
• 4. Individual Accountability (Auditing,
  Logging)/Signals (Alarms)
• 5. Electronic Signature (no rules yet identified)
• 6. Privacy
• 7. Environment
• 8. Documentation
• 9. Availability of Service

18
Security Rules Allocations (contd)

• Some rules are easily allocated only to
  technology
• e.g. 4.3 Provide Audit Trails or Gathered Log
  Files
• Others should clearly be enforced procedurally
• e.g. 9.4 Provide for Emergency Access of
  Unregistered but Authorized IT Users
• Allocation sometimes depends on attributes - both
  procedures technology are appropriate
• e.g. 9.2 Discover Presence of Malicious
  Software

19
Comparison With IHE Basic Security Integration
Profile

• IHE Profile
• addresses ?50 of SPC-identified security rules
• focuses on interoperability of solutions
• Outside the scope of the IHE Profile (but covered
  in SPC white paper)
• disaster recovery, emergency operation, user
  interface (e.g., logon/off, inactivity blanking)
• user procedures administrative policies

20
Summary

• Privacy security of patient-identifiable data
  is required in most jurisdictions
• Security rules organize basic services necessary
  for compliance
• Manual procedures automation both have value
• Joint NEMA/COCIR JIRA Security Privacy
  Committee white paper Identification Allocation
  of Basic Security Rules In Healthcare Imaging
  Systems at http//www.nema.org/medical presents a
  logical allocation of these rules

21
For More Information or to Participate

• Contact the Secretariat
• Mr. Stephen Vastagh
• National Electrical Manufacturers Association
• Suite 1847
• 1300 N. 17th Street
• Arlington, VA 22209, USA
• E-mail ste_vastagh_at_nema.org
• Telephone 1-703-841-3281