Information security department

Information security approach
within the Belgian social &
health sector
19/11/2013
Frank Robben
Context – Belgian social sector
• > 11,000,000 citizens concerned
• > 220,000 employers involved
• about 3,000 public and private institutions active at
several levels (federal, regional, local) dealing with
– collection of social security contributions
– delivery of social security benefits: child benefits,
unemployment benefits, benefits in case of incapacity for
work, benefits for the disabled, reimbursement of health
care costs, holiday pay, old age pensions, guaranteed
minimum income, …
– delivery of additional social benefits
– delivery of additional benefits based on a person’s social
security status
Expectations – Belgian social sector
• effective social protection
• effective support of social policy
• effective fraud prevention and detection
• integrated services
– attuned to the concrete situation of citizens and
companies, and personalized when possible
– delivered at the occasion of events that occur during their
life cycle
– across government levels, public services and private
bodies
– reliable, secure and permanently available
– with minimal costs and minimal administrative burden
– if possible, granted automatically
Context – Belgian health sector
• > 11,000,000 citizens concerned
• > 100,000 health care providers involved (physicians,
dentists, clinical labs, pharmacists, physiotherapists,
nurses, …)
• > 300 health care institutions involved (hospitals,
retirement homes, nursing homes, …)
• health insurance funds
• public institutions
– federal level (Federal Public Service for Public Health,
National Institute for Health & Disability Insurance, Belgian
Health Care Knowledge Centre, …)
– regional level
Expectations – Belgian health sector
• optimal health care quality
• optimal patient safety
• adequate support of health policy
• patient-centric care and empowerment of the patient
• integrated services
– multidisciplinary
– holistic
– continuous
– across health care institutions and health care providers
• remote care (monitoring, assistance, consultation, diagnosis,
operation, …), including home care
• quickly evolving knowledge => need for reliable, coordinated
knowledge management and accessibility
Risk analysis approach
• increasing collaboration relating to information
management and process integration
• separate government bodies are no longer freestanding information processing entities, but rather
parts of a coherent whole
• risk of consequential damage and its extent on other
systems is much greater than at the location where
the original damage occurs
=> the vision of information security and protection of
privacy must thus be determined collectively
Risk analysis approach
1. policy
2. organization
3. risk analysis and security requirements
4. selection of measures
5. development, planning and implementation of measures
6. training and education
7. supervision, control and evaluation
(with feedback from supervision, control and evaluation into the
earlier steps)
Risk analysis approach
• absolute security/protection is not a desirable
objective, because it will lead to significant
opportunity losses in terms of efficiency and
effectiveness
• main challenge: constantly seeking the
optimal balance between seizing
opportunities and avoiding risks
Information security measures
1. structural and institutional measures
2. organizational and technical measures
(based on the ISO 27000 series of standards)
3. legal measures
1. Structural & institutional measures
1.1. no central data storage
1.2. independent Sectoral Committee of the Privacy
Commission
1.3. within social sector, a preventive control of the
legitimacy of personal data exchange by CBSS
according to the authorizations of the independent
Sectoral Committee of the Privacy Commission
1.4. information security department with each actor
1.5. specialized information security service providers
1.6. information security working group
1.1. No central data storage (social sector)
[Network diagram: users reach the social sector backbone from the
Internet, FedMAN, Isabel and other networks, each via a router (R) and a
firewall (FW); the institutions (NIC, NEO, CBSS, NOSS, …) are each
connected to the backbone behind their own firewall and router. There is
no central database: data stay with the institution that holds them.]
1.1. No central data storage (social sector)
• reference directory, showing
– for each citizen
• at which social security institutions the citizen is already known
• in what capacity
• during which period
– per social security institution type and per capacity in
which a person might be known to the institution
• which types of data on the person are available
– per social security institution type and per capacity in
which a person might be known to the institution
• which types of data does the institution need
• and is it authorized to receive from other institutions in order to
fulfil its duties
1.1. No central data storage (social sector)
• functions of the reference directory
– access control
– information requests routing
– automatic information change transmission
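The three functions of the reference directory (access control, request routing and automatic change transmission) can be illustrated with a small model. This is an added example, not the CBSS's own software: the schema, the institution/capacity/data-type values and the four registrations are constructed sample data, and the rule that a requester must itself know the citizen in the capacity it invokes is an assumption drawn from "in order to fulfil its duties".

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Reference date for "currently known" checks (the date of the presentation).
REFERENCE_DATE = date(2013, 11, 19)


@dataclass(frozen=True)
class Registration:
    """One line of the reference directory: a citizen is known to an
    institution in a capacity during [start, end] (end None = still open)."""
    citizen: str        # pseudonymised identifier; constructed sample value
    institution: str
    capacity: str
    start: date
    end: Optional[date]


# Constructed sample directory (assumption: the real schema is not on the slide).
REGISTRATIONS = [
    Registration("citizen-1", "NEO", "unemployed", date(2013, 1, 1), None),
    Registration("citizen-1", "NIC", "unemployed", date(2013, 1, 1), None),
    Registration("citizen-1", "NOSS", "employee", date(2010, 1, 1), date(2012, 12, 31)),
    Registration("citizen-2", "NOSS", "employee", date(2011, 6, 1), None),
]

# Per (institution type, capacity): which data types the institution holds ...
AVAILABLE = {
    ("NEO", "unemployed"): {"unemployment_periods", "daily_allowance"},
    ("NOSS", "employee"): {"employment_periods", "contributions"},
    ("NIC", "unemployed"): {"health_insurance_status"},
}

# ... and which it is authorised (Sectoral Committee) to receive from others.
AUTHORIZED = {
    ("NIC", "unemployed"): {"unemployment_periods"},
    ("NEO", "unemployed"): {"employment_periods"},
}


def known_at(citizen, on=REFERENCE_DATE):
    """Registrations of a citizen that are open on the given date."""
    return [r for r in REGISTRATIONS
            if r.citizen == citizen and r.start <= on and (r.end is None or on <= r.end)]


def route_request(requester, capacity, data_type, citizen, on=REFERENCE_DATE):
    """Preventive legitimacy control followed by routing.

    Refuses unless (a) the requester holds an authorisation for this data
    type in this capacity and (b) the citizen is actually known to the
    requester in that capacity on the reference date (assumption, see lead-in).
    Returns the institutions that hold the data type and should answer.
    """
    if data_type not in AUTHORIZED.get((requester, capacity), set()):
        raise PermissionError(f"{requester} not authorised to receive {data_type} as {capacity}")
    current = known_at(citizen, on)
    if not any(r.institution == requester and r.capacity == capacity for r in current):
        raise PermissionError(f"{requester} does not know {citizen} as {capacity} on {on}")
    return sorted({r.institution for r in current
                   if r.institution != requester
                   and data_type in AVAILABLE.get((r.institution, r.capacity), set())})


def notify_targets(citizen, data_type, on=REFERENCE_DATE):
    """Automatic change transmission: institutions that must be told a data
    type changed, i.e. those knowing the citizen in a capacity for which
    they are authorised to receive that data type."""
    return sorted({r.institution for r in known_at(citizen, on)
                   if data_type in AUTHORIZED.get((r.institution, r.capacity), set())})


if __name__ == "__main__":
    print(route_request("NIC", "unemployed", "unemployment_periods", "citizen-1"))
    print(notify_targets("citizen-1", "unemployment_periods"))
```

The two PermissionError branches are the preventive control: a request that is not covered by an authorisation never reaches the institution holding the data, and neither does a request about a person the requester has no current file on, even when the data type itself is authorised.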
1.1. No central data storage (health sector)
[Architecture diagram: patients, health care providers and health care
institutions use value-added services (AVS/VAS) through the health
portal, the eHealth-platform portal, MyCareNet, the NIHDI website and
the software of health care institutions and health care providers; all
of these rely on the basic services of the eHealth-platform network; the
value-added services themselves are operated by suppliers.]
1.1. No central data storage (health sector)
[Figure: system as is]
1.1. No central data storage (health sector)
System to be: hub-metahub
[Figure: hubs A, B and C interconnected through a metahub; in the final
step (4) all data are available across the hubs]
1.2. Independent Sectoral Committee
• designated by the Belgian Parliament
• mandate
– information security supervision
– authorizing information exchange
– complaint handling
– information security recommendations
– extensive investigating powers
– annual activity report
1.4. Information security department
• with each social sector institution and in some health
care institutions
• composition
– information security officer
– one or more assistants
• Sectoral Committee carries out control on
independence and enables the permanent education
of the information security officers
• Sectoral Committee can allow that a task of the
information security department is outsourced to a
recognized specialized information security service
provider
1.4. Information security department
Information security department
• recommends
• promotes
• documents
• controls
• reports directly to the executive management
• formulates the blueprint of the information security plan
• elaborates the annual information security report
Executive management
• takes decisions
• has the final responsibility
• gives motivated feedback
• approves the information security plan
• supplies the necessary resources
1.4. Information security department
• annual information security report
– general overview of the information security
situation
– overview of the activities
• recommendations and their effects
• control activities
• campaigns to promote information security
– overview of external recommendations and their
effects
– overview of trainings received
1.6. Information security working group
• composition
– information security officers of all branches in the sector
– sub-working groups
• branches
• themes (policy, audit, ...)
• tasks
– coordination
– creation of information security awareness
– communication
– formulating recommendations to the Sectoral Committee
1.6. Information security working group
• deliverables
– ISMS and information security policies
– minimum information security standards
– information security guidelines
– codes of good practice
– protecting the network
– organizing internal information security audits
– disaster recovery methods
2. Organizational & technical measures
2.1. ISMS and information security policies
2.2. information classification
2.3. human resources security
2.4. physical and environmental security
2.5. operations management
2.6. personal data processing
2.7. logical access security
2.8. information system acquisition, development and
maintenance
2.9. business continuity management
2.10. compliance (internal and external control/audit)
2.11. communication to the public of security and privacy
protection policies
2.1. ISMS & information security policies
• Information Security Management System
• governing principle behind an ISMS: an organization should
– design, implement and maintain a coherent set of policies, processes
and systems
– manage risks related to its information assets
– thus ensuring acceptable levels of information security risks
• concerted approach to information security
=> General Coordination Committee
• methodology aims to lead to an optimal information security
• approach based on the international ISO 27XXX standards
• common methodology for all institutions
2.1. ISMS & information security policies
• integrated set of security policies
• elaborated through step-by-step refinement
• directives, architecture, standards, procedures
and techniques are described to apply an
integral set of information security policies, in
accordance with the priorities set by the
information security working group
2.1. ISMS & information security policies
• policies should always have the following structure
– main field of application/personal field of application
– definitions of the concepts used under the policy
– general principles, rules and responsibilities
– requirements
– references to other policies
– sanctions if the policy is not complied with, arising from
laws and regulations
– references to directives, architecture, procedures,
standards and techniques to comply with the policy
– version and date of validation by the appropriate parties
– note of the person responsible for policy maintenance
2.1. CBSS information security policies
• minimum standards
– annual update
– applicable to all social security institutions
– institutions interested in being integrated into the
CBSS network must have an up-to-date, long-term
information security plan containing measures on
complying with the minimum standards
– annual self-assessment executed via question and
answer form
2.1. CBSS information security policies
• minimum standards
– the Sectoral Committee can at all times engage an
external institution to verify whether an
institution complies with the minimum
information security standards
– ultimate sanction: if a social security institution
does not comply with these standards, the
institution can, after formal notice, no longer
access the network in accordance with article 46,
first paragraph, 1°, of the CBSS Law
2.2. Information classification
• determining the protection level per information
item, based on 2 aspects
– importance of the business continuity of public services
(e.g. vital, critical, necessary, useful)
– sensitivity in relation to protection of privacy (e.g. public,
internal, confidential, secret)
• scope includes information (mainly personal data)
used for services to citizens, companies and civil
servants, regardless of the equipment on which they
are kept
• information is labeled depending on the classification
criteria used
• a continuous process without excessive formalism
2.3. Human resources security
• information security tasks and responsibilities are
included in all job descriptions to which it applies
• sensitive positions are stated as such in job
descriptions
• applicants for sensitive jobs are screened carefully
• a secrecy declaration is signed by every staff member
• all staff members are briefed, educated and trained
on a regular basis
2.3. Human resources security
• at each institution
– solid procedures are established and frequently
tested to report any information security breach
or weakness to the information security officer in
a timely manner
– a working method is established and frequently
tested to analyze any information-security-related
incident and weakness reported by the
information security officer, and adequate
remedial measures are proposed for
implementation within a reasonable timeframe
2.3. Human resources security
• (disciplinary) sanctions when measures
relating to the information security and
privacy protection are circumvented or not
complied with
• controls are executed to ensure that
– (disciplinary) sanctions are sufficiently known
when measures relating to the information
security and privacy protection are circumvented
or not complied with
– adequate measures are applied when a working
relationship with a staff member is terminated
2.4. Physical and environmental security
• availability of premises is protected against bad
external influences, unauthorized access, theft,
flooding, fire, …
• ICT infrastructure supporting vital and critical
business processes is professionally accommodated
at these premises
• power supply for ICT infrastructure supporting vital
and critical business processes is guaranteed
• wired and wireless connections are secured
against wire-tapping and sniffing
2.4. Physical and environmental security
• proper procedures for installing and removing
business equipment, also in cases of
maintenance and repair, are established and
tested frequently
• rules are established and tested for managing
business equipment used by staff (e.g.
laptops, handhelds, tablets, mobile phones,
smartphones, call tokens, ...) giving access to
information that needs to be protected
2.5. Operations management
• segregation of duties between the
governance/ management and
operations/maintenance of ICT infrastructure
• information security procedures, including
incident management procedures, take into
account segregation of duties
• internal rules are established and tested
frequently for day-to-day operations (e.g.
back-ups, network monitoring, equipment
removal, archiving, ...)
2.5. Operations management
• each stage in the life-cycle of an application,
including acceptance scenarios, is established and
tested frequently, also in terms of legal and
regulatory compliance
• new applications or changes to existing applications
are submitted for acceptance tests in a separate
acceptance environment, distinct from the
production environment, before being released into
production, with special attention towards test data
• ITIL v3 and COBIT 5 frameworks are used as
inspiration sources for ICT operations management
2.5. Operations management
• preventive measures for securing information
systems against viruses and other types of
harmful software (malware)
• networks are managed following approved
and defined procedures, especially when
connected to external networks
• interchange agreements are written down and
approved for the use of network services,
especially for network services required for
external collaboration
2.6. Personal data processing
• for each processing a controller is designated,
i.e. a person who determines the purposes
and means of the processing and who is
responsible for the processing
• personal data are processed in conformance
with the EU principles* on the protection of
individuals with regard to the processing of
personal data and on the free movement of
such data
*Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995
2.6. Personal data processing
• following principles are complied with
– purpose limitation principle
– proportionality principle
– data quality principle
– reasonable storage duration principle
• sensitive personal data, personal data relating
to health, and judicial data (offences and
convictions) are processed in conformance with the
relevant special rules laid down by EU law*
*Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995
2.6. Personal data processing
• controller of the processing
– informs the person concerned when personal data are
collected/recorded/reported
– notifies the processing to the Commission for the
Protection of Privacy
– provides information to his staff members concerning data
protection provisions
– regularly checks for conformance of information systems
that process personal data with the notification made to
the Commission for the Protection of Privacy
• procedures are established and tested frequently to
deal with persons exercising rights of access,
reporting, correction, deletion, blocking access or
objection
2.7. Logical access security
• logical access management policy
– roles and functions
– authorizations on the basis of those roles and
functions
– authorization time-limits
• authorizations are managed at the levels of
– people
– resources
– applications
2.7. Logical access security
• identification and authentication methods (user ID,
password, token, digital certificate, electronic
signature, ...) are established for people, resources,
applications and services
• buildings are properly partitioned, security access
layers are implemented and access control measures
to premises are implemented
• access control measures to physical ICT resources
(computers, networks, ...) by users (people,
resources or applications) are established and tested
frequently
2.7. Logical access security
• particular attention to business equipment relating
to people (e.g. laptops, handhelds, tablets, mobile
phones, smartphones, call tokens, ...)
• access control measures to
– (sections of) application code
– applications (parts) and services (parts) by internal and
external users (people, resources or applications)
• ICT equipment is automatically timed out after a
defined period of inactivity
• all access attempts are time-logged (importance of
clock synchronization)
2.7. Logical access security: vault system
• access for health care providers
– having a "health care relationship"
– depending on their role
• no access for
– ICT administrators, host provider, …
– the eHealth-platform
– authorities
• threshold decryption: vault data cannot be decrypted without the
active cooperation of the owner of the second key, a trusted 3rd party
that performs authentication and authorisation
[Figure: vault core (governance, archiving, management, vault data, …)
behind a vault connector (data quality, encryption, decryption,
authentication); threshold decryption step 1 at the vault, step 2 at the
trusted 3rd party]
2.7. Logical access security: vault system
Vault ecosystem
• each actor (general practitioner, hospital, pharmacy, home care,
citizen, …) keeps his own file up to date in his own actor ecosystem
• however, he can decide to share parts of the file with other actors
through the vault (data sharing over the Internet)
• examples:
– medication schedule
– SUMEHR
– parameters
– journal
– …
2.7. Logical access security: encryption
Key registration
1. the healthcare actor (person or entity) generates a key pair with the
connector or other software
2. stores the private key in a secure way and sends the public key,
authenticated with its identification certificate, to the "Register key"
web service of the eHealth-platform
3. the eHealth-platform authenticates the sender by its identification
certificate
4. and stores the public key in the public keys repository
2.7. Logical access security: encryption
Sending an encrypted message
1. the message originator asks for the recipient's public key via the
"Ask public key" web service of the eHealth-platform (over the Internet,
authenticated with its identification certificate)
2. the eHealth-platform authenticates the sender
3. and sends the public key from the public keys repository
4. the originator encrypts the message
5. the message recipient decrypts the message with its stored private key
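The two mechanisms above, the vault's threshold decryption and the originator/recipient exchange based on a public key fetched from the repository, share one piece of algebra: a recipient recovers h^r from c1 = g^r with its private key x, and when x is split into shares the same value is recovered only by combining partial results from enough holders. The block below is an added example, not the eHealth-platform's own code: it uses ElGamal as a KEM with an HMAC-protected SHA-256 counter-mode stream as the data encryption (a stdlib stand-in for AES), Shamir sharing of x for the threshold part, and a deliberately tiny toy group; the group size, the KDF layout and the choice of Shamir-based threshold ElGamal are all assumptions, since the slides name the scheme but not its algorithm.

```python
import hashlib
import hmac
import secrets

# Toy safe-prime group p = 2q + 1 with g of prime order q.  The sizes are an
# assumption made to keep the example instant; a real deployment would use a
# 2048-bit MODP group or an elliptic curve with the same algebra.
P = 2039
Q = 1019
G = 4
assert pow(G, Q, P) == 1 and G != 1


def keygen():
    """ElGamal key pair: private x in [1, q-1], public h = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _derive_keys(shared):
    """KDF: the group element h^r becomes an encryption key and a MAC key."""
    seed = shared.to_bytes(4, "big")
    return (hashlib.sha256(b"enc" + seed).digest(),
            hashlib.sha256(b"mac" + seed).digest())


def _keystream(key, length):
    """Counter-mode keystream from SHA-256 (stdlib stand-in for AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(pub, plaintext):
    """Originator side: c1 = g^r, data XORed with keystream(KDF(h^r)), and an
    HMAC tag over c1 and ciphertext so tampering or a wrong key is detected."""
    r = secrets.randbelow(Q - 1) + 1
    c1 = pow(G, r, P)
    k_enc, k_mac = _derive_keys(pow(pub, r, P))
    ct = _xor(plaintext, _keystream(k_enc, len(plaintext)))
    tag = hmac.new(k_mac, c1.to_bytes(4, "big") + ct, hashlib.sha256).digest()
    return c1, ct, tag


def _open(shared, c1, ct, tag):
    """Shared step for both decryption paths: verify the tag, then decrypt."""
    k_enc, k_mac = _derive_keys(shared)
    expected = hmac.new(k_mac, c1.to_bytes(4, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key material or tampered message")
    return _xor(ct, _keystream(k_enc, len(ct)))


def decrypt(priv, c1, ct, tag):
    """Recipient holding the whole private key: h^r = c1^x."""
    return _open(pow(c1, priv, P), c1, ct, tag)


# --- vault: t-of-n threshold decryption -------------------------------------

def split_private_key(priv, t, n):
    """Shamir-share x over Z_q: share i is f(i) for a random polynomial of
    degree t-1 with f(0) = x.  After this the whole x can be discarded."""
    coeffs = [priv] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return [(i, sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q)
            for i in range(1, n + 1)]


def partial_decrypt(share, c1):
    """Each key holder raises c1 to its own share; alone this reveals nothing."""
    i, x_i = share
    return i, pow(c1, x_i, P)


def threshold_open(partials, c1, ct, tag):
    """Combine partials with Lagrange coefficients in the exponent:
    prod(d_i ^ lambda_i) = c1 ^ sum(lambda_i * x_i) = c1 ^ x = h^r."""
    ids = [i for i, _ in partials]
    shared = 1
    for i, d_i in partials:
        lam = 1
        for j in ids:
            if j != i:
                lam = lam * j * pow((j - i) % Q, -1, Q) % Q
        shared = shared * pow(d_i, lam, P) % P
    return _open(shared, c1, ct, tag)
```

With t = 2 and the vault and the trusted 3rd party each holding one share, a host provider or administrator who copies the vault's share and the ciphertexts still cannot decrypt: the single partial result is c1 raised to a random-looking value, and the HMAC check rejects the resulting key. The same `encrypt`/`decrypt` pair is the originator/recipient flow of the previous slide once the public key has been fetched from the repository.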
2.7. Logical access security: encryption
Encryption with a symmetric key through a key depot and a messages depot
1. user 1 (originator) asks the key management / depot for a key
2. the depot sends the key
3. the originator sends the message, encrypted with the symmetric key, to
the messages depot
4. user 2 (recipient) justifies his right to obtain the message (to the
messages depot) and his right to obtain the key (to the key depot)
5. the recipient receives the message and the key
2.8. Information system acquisition,
development and maintenance
• information security directives to be complied with
during development or maintenance of applications
and services
• secured development environment (remember how
to securely handle development test data)
• rules to design/build information security directly
into applications and services (mainly externally
accessible applications and services)
• procedures concerning technical and functional tests
are established and tested in an acceptance
environment, distinct from the production
environment, with clear go/no-go areas
2.8. Information system acquisition,
development and maintenance
• methods, procedures to establish and apply
for
– analyzing the impact of amendments to operating
systems and applications on information security
– analyzing the impact of changes to standard
software used on information security
– proper destruction of information when further
processing is no longer authorized
2.9. Business continuity management
• back-up and restore procedures for information and
applications
• source code and (development, test, installation,
configuration) documentation of the latest version of
all relevant applications are kept at a secure site,
distinct from the production location
• parts of information systems, certainly those
supporting vital and critical business processes, are
split up geographically in sites with a different risk
profile
• in eHealth: next release environment
2.9. Business continuity management
• a business continuity plan is established and
available at each institution
– indicating vital and critical components and processes
– with an inventory of necessary infrastructure and skills for
each component and process
– with a description of actions, responsibilities and
procedures in the event of an (internal or external)
emergency ( + order to return to normal operation)
– with a description of test scenarios for the business
continuity plan with the relevant third parties affected
2.9. Business continuity management
• the business continuity plan is tested annually
with the relevant third parties affected and
with a report of the results, aimed at
permanent improvement
• information systems are insured against
physical risks such as fire, flooding or
earthquake, but also against theft
2.10. Compliance
• permanent internal controls performed by the
information security officer and/or the internal
auditor
• regular external controls performed by an external
auditor engaged by the executive management of the
institution, or by the Commission for the Protection
of Privacy or the competent Sectoral Committee
• the internal control methods and the information
systems and logs are easily accessible to the people
carrying out internal or external assurance functions
2.10. Compliance
• monitoring systems, that raise potential risks linked
to the infringements of laws, policies, directives,
architecture, standards and procedures, and on any
undesirable use made of ICT facilities, are easily
accessible for the information security officer
• a regular check is carried out by the controller of the
processing on the security measures currently
embedded in contracts with third parties
• COBIT 5 framework is used as inspiration source for
information security audits
2.11. Communication to the public
• reporting information security information to
the Parliament, press, integrators’ websites
• special attention to advice on information
security and protection of privacy by
producing the results of the risk analysis
• communication strategy is established in order
to provide information on security facts and
on measures taken to prevent immediate
further damage and similar damage in the
future
3. Legal measures
• obligations of the controller of the processing
– criteria for making data processing legitimate
– respect of basic privacy protection principles, such
as the purpose limitation principle and the
proportionality principle
– specific rules for the processing of sensitive data
– information to be given to the data subject
– processing confidentiality, integrity and availability
– notification of personal data processing
3. Legal measures
• rights of the data subject
– right to information
– right to access
– right to rectify, erase or block his/her data
– right to a judicial remedy
• sanctions and penalties
Thank you !
Any question ?
Frank Robben
General manager
- Crossroads Bank for Social Security
- eHealth-platform
frank.robben@ksz.fgov.be
@FrRobben
http://www.kszfgov.be
https://www.ehealth.fgov.be
http://www.law.kuleuven.be/icri/frobben