Managing and Securing Endpoints

Columbus Convention Center - October 1, 2008
Meeting Room E171
James Matheke
Greg Perkins
Securing data transmission is a growing concern for security professionals in both the private and public sectors, especially in health-related fields. Business requires that many forms of data be transmitted securely.
HIPAA
 HIPAA – Health Insurance Portability & Accountability Act of 1996.
 HIPAA protects PHI.
 PHI – Protected Health Information.
 Several ODH applications transmit PHI.
 HIPAA Title II regulates and sets standards for health care related IT systems.
When you begin to discuss secure data transmissions, there are several questions that need to be asked.
 What data needs to be secured?
 Where is your sensitive data?
 Who uses the sensitive data?
 How does the data move?
What data needs to be secured?
 Data transmitted to business partners
 Data sent via email
 Data transmitted internally over the WAN
 Data transmitted from remote users
 Wireless data communication
As you can see, securing data communications is a broad topic because of the many avenues by which data is transmitted. So I would like to give you an overview of the various technologies available to assist you with this task.
Securing data transmission is most likely some part of every IT staff member's responsibility. Hopefully, if this does not make sense now, it will by the time we are finished.
Focus Points
 Network level encryption
 Securing remote users
 External organizations: secure data transmissions with business partners
 Application encryption
 Wireless encryption
 E-mail encryption
Network Level Encryption
 Network level encryption is an easy way to encrypt data without modifying or rewriting your applications. It is all done at the network layer of your organization's network.
 This level of encryption enables security professionals to protect data transmissions at the network layer between entire source and destination networks, as well as host-to-host communication.
 This type of encryption is typically done on networks within an organization, across the WAN, but not typically between organizations.
Network Level Encryption
 Example:
◦ Confidential data identified
◦ Client/server application
◦ Data runs across the WAN … a private point-to-point T1
◦ Why do you still need to encrypt this data? It's a private T1.
◦ It may be quicker, easier and/or more cost effective to implement network level encryption. This is a good example of how organizations use this technology.
Network Level Encryption

The State of Ohio also utilizes this type of
encryption between the Cabinet Level Agencies.
◦ Has anyone heard of the Inter-Agency VPN … or
State VPN?
Network Level Encryption
 ODH utilizes the technology with our Local Health Departments in each county and larger cities.
 Dedicated server farm, centrally located.
 All traffic to these server networks is encrypted.
 Advantage: This allows ease of management.
 Disadvantage: Obviously it takes slightly more network resources (router CPU etc.) to encrypt traffic, but for us (and most organizations) network resources are not the issue.
 Advantage: Each time an application changes or a new application is put in place, it would otherwise take considerable work to modify the network each time.
 Advantage: Also, we don't have to worry about miscommunication, or no communication at all, about a new application requiring secure communication.
Network Level Encryption
 WIC offices – not co-located
 Inexpensive broadband for these offices
 How do we secure data transmissions?
 Encrypt or tunnel all network traffic from the small office back to the Central Office, across the Internet, for access to agency applications.
 Good small office solution (1-30 users).
 Local 1.5 Mb broadband access is available for as low as $70/month (with a 2-year contract).
Securing Remote Users
 Remote users create additional security concerns because of where they communicate from.
 Secure remote users with a VPN solution.
 There are numerous VPN solution products.
 How they typically work: configured on a security device, e.g. a VPN concentrator or firewall, together with VPN software added to the client PC/laptop.
 SSL VPN can also be done without a client.
Securing Remote Users
Concerns/Recommendations:
 No split tunneling. This is a term for a specific VPN configuration that allows users to connect to their home LAN/Internet as well as the organization's network. This potentially allows other hosts on that LAN to reach the organization's resources via the VPN.
 Be sure to group your incoming VPN users (say by IP address) so that if you have a security incident you can identify the individual or group.
 Migrate RAS dial-up to the DMZ and limit access.
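As an added illustration of the grouping recommendation above (example code, not from the presentation), this Python snippet assumes hypothetical per-group VPN address pools and constructed firewall log lines, and resolves each event's source address back to its VPN user group so an incident can be attributed to a group.

```python
import ipaddress
import re

# Constructed VPN address pools (hypothetical): each user group gets its
# own pool on the VPN concentrator, so a source address maps to a group.
VPN_POOLS = {
    "field-staff": ipaddress.ip_network("10.200.10.0/24"),
    "wic-offices": ipaddress.ip_network("10.200.20.0/24"),
    "contractors": ipaddress.ip_network("10.200.30.0/27"),
}

# Constructed sample firewall log lines, not taken from the presentation.
SAMPLE_LOG = """\
2008-10-01T09:12:44 deny src=10.200.30.7 dst=10.1.5.20 dport=1433
2008-10-01T09:12:45 allow src=10.200.10.55 dst=10.1.5.80 dport=443
2008-10-01T09:13:02 deny src=192.168.1.9 dst=10.1.5.20 dport=1433
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<action>allow|deny) src=(?P<src>\S+) "
                    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def group_for(addr):
    """Return the VPN user group whose pool contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for group, pool in VPN_POOLS.items():
        if ip in pool:
            return group
    return None

def attribute_events(log_text):
    """Parse log lines and tag each event with its VPN group."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        # Addresses outside every pool (e.g. a LAN host) are flagged
        # "unknown" so they stand out during an investigation.
        events.append({**m.groupdict(), "group": group_for(m["src"]) or "unknown"})
    return events

def denied_by_group(log_text):
    """Count denied connections per VPN group, the view an incident
    responder wants when a pool address shows up in an alert."""
    counts = {}
    for ev in attribute_events(log_text):
        if ev["action"] == "deny":
            counts[ev["group"]] = counts.get(ev["group"], 0) + 1
    return counts
```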
External Organization Data Communication
 What is external organization data communication?
 How do we secure data transmissions with our business partners?
◦ Communication with your various business partners
◦ e.g. ODH receives various lab results and hospital information.
◦ A T1 to every business partner? No.
◦ Use the Internet.
◦ Create "site to site" VPN connections.
 These connections encrypt the data communication as it flows across the Internet.
 Like securing remote access, this is done with a security device such as a VPN concentrator or firewall at each organization.
Application encryption
 Secure data transmissions with application encryption.
 SSL-based HTML.
 Examples: banking, Internet purchasing, personal health related or other sites with confidential data.
 What if you need to encrypt new data content on your web servers?
 Load balancing devices can encrypt data.
Application encryption
 ODH migration project from BigIP to NetScaler.
◦ Terminate the SSL connection on both devices.
 Communicate via HTTP to back end servers … can encrypt also.
 More efficient and speeds up your web applications.
 Additional features (off subject)
◦ Cache static content (*.gif, *.jpeg, *.pdf, *.css and JavaScript)
◦ Compression of these file types
◦ Additional speed with these features.
 There are also ways to implement a PKI solution to secure/encrypt your applications.
Wireless Security
 Wireless networks are increasing, as are wireless security issues.
 Unsecured wireless networks can be a huge vulnerability for an organization.
◦ Rogue access points brought in by staff, public wireless access, or APs mis-configured in an unsecure manner can be a big issue.
◦ Secure your confidential information accessed via your wireless network. Hackers can capture data out of the air.
 Wireless Internet access from a hotel
E-mail encryption
 Numerous email encryption applications are available on the market.
 How do they work?
◦ They work by sending a web link to the recipient of the email, who then logs in to the secure email server to retrieve the email.
 ODH uses ZIX Corp email encryption, which has built-in algorithms or dictionaries called Lexicons that inspect outbound email traffic for thousands of keywords and phrases, including PHI signatures as well as other confidential identifying information.
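As an added illustration of how a lexicon-based outbound filter like the one described works (example code, not ZixCorp's product or ODH's configuration), this Python snippet scores constructed sample messages against a hypothetical lexicon of weighted phrases and PHI-style regex signatures and decides whether each message must go out encrypted.

```python
import re

# Constructed lexicon (hypothetical, not ZixCorp's): weighted keyword
# phrases plus regex "signatures" for PHI-style identifiers.
LEXICON_PHRASES = {
    "patient": 1,
    "diagnosis": 2,
    "lab result": 2,
    "protected health information": 3,
}
LEXICON_SIGNATURES = {
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 4),
    "mrn": (re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.I), 3),
    "dob": (re.compile(r"\bDOB:?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.I), 2),
}
ENCRYPT_THRESHOLD = 4  # score at or above this forces encrypted delivery

def inspect_message(subject, body):
    """Score an outbound message against the lexicon and decide routing."""
    text = f"{subject}\n{body}"
    lowered = text.lower()
    hits, score = {}, 0
    for phrase, weight in LEXICON_PHRASES.items():
        n = lowered.count(phrase)
        if n:
            hits[phrase] = n
            score += weight * n
    for name, (pattern, weight) in LEXICON_SIGNATURES.items():
        n = len(pattern.findall(text))
        if n:
            hits[name] = n
            score += weight * n
    action = "encrypt" if score >= ENCRYPT_THRESHOLD else "deliver"
    return {"score": score, "hits": hits, "action": action}

# Constructed sample outbound messages (not real mail).
SAMPLE_MESSAGES = [
    {"subject": "Lab result for patient",
     "body": "Patient John Doe, MRN 12345678, diagnosis pending."},
    {"subject": "Lunch Thursday?",
     "body": "Meeting room E171 at noon."},
    {"subject": "Reminder",
     "body": "Bring the patient satisfaction survey."},
]

def route_outbound(messages):
    """Return (subject, action) for each message, as a mail gateway would."""
    return [(m["subject"], inspect_message(m["subject"], m["body"])["action"])
            for m in messages]
```

A single low-weight hit such as "patient" in the third message stays below the threshold, which is why a real lexicon combines weights rather than blocking on any keyword.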
Securing Data Transmission
Questions?