Telemedicine Today
TECHTALK: Security of Internet-based Telemedicine Systems
 

TechTalk Column - January 1998
Dave Swartz, Ph.D.
dswartz@wvu.edu
Director, Systems & Network Services
West Virginia University

Ensuring the Security of Internet-based Telemedicine Systems

In the last TechTalk column we introduced some issues regarding Internet security and privacy. These are often overblown, particularly when compared to current practices. One reason for this is a dearth of information about the true risks and the available security measures. Nevertheless, there are real concerns that must be addressed before many individuals will be comfortable transporting patient data over networks, particularly the public Internet.

The challenge facing health care information systems managers is to implement a system that ensures easy data access while maintaining confidentiality. These two goals are often at odds: tightening security usually means giving up some functionality. In an academic research environment, where maximal openness and functionality are prized, the trade-off can be particularly difficult.

In this column we explore the main options available to ensure the security and privacy of data: physical security measures, access controls, private networks and firewalls, authentication, encryption, timestamping, and specific measures to secure e-mail and Web servers.

The first step in setting up a security program is to assign responsibility for security to an individual or group. That body then crafts a program which addresses the range of needs of its users while maintaining the privacy of individuals. The program itself starts with an examination of the physical security of the system.

Physical Security

A security program has two fundamental aspects: physical security and logical security. Logical security refers to specific software systems and automated controls. Physical security deals with physical measures such as doors, locks, sensors, and electric fences. Not only does physical security address concerns of intruders, but often it covers protection from environmental hazards such as fire, water, power supply, heat and natural disasters.

A security assessment includes an examination of who has access to the systems, which could include computer terminals, servers, telecommunications equipment, printers, cameras, and other devices. Major data centers, like ours in West Virginia, house mainframes, supercomputers, enterprise servers, file and print servers, tape robots, printers, video conferencing, and network switching devices. Large installations almost always have several layers of physical security. For example, the room is usually locked and is under 24 hour observation (cameras, direct vision, or security sensor). The room will have a constant source of power, cooling, and fire suppression. The information is backed up and housed offsite in a secure area, often a vaulted facility. While we may not go to these extremes for a telemedicine system, we can borrow some of these ideas in building a physical security program.

Access Controls

After looking at physical security, we should review who is permitted access to the data stored on or transmitted over our system. Multiple layers of access control may be needed. One person may have access to the financial billing information but not to confidential medical records. Another, such as the janitor, may have access to the facilities but not to data. Some systems provide no such granularity: once a user is admitted to the system they have access to everything and can read any chart. This was the case several weeks ago when I reviewed a CD-based medical charting system.

Access is often governed by hospital policies and will ultimately be controlled by state and federal laws. Access to data can be controlled by userids and passwords, voice recognition, retinal scanning devices, fingerprint recognition, and questions drawn from personal background information.

A common form of attack on systems is through the user password. The userid is generally public knowledge, since it is often the account name in the user's e-mail address; only the password is secret. The problem is that individuals choose passwords that are easy to remember, such as the name of a family member or a pet. In the past these accounts have been easy targets for attack by repeatedly logging on and trying new passwords. Where users are instead assigned a random string of eight or more characters, they often have difficulty remembering it, so they write it down and may even post it by their terminal. Believe me, I have seen many security problems such as this over the years. To deal with these risks, some sites make users change their passwords periodically, or do not permit common names or passwords of fewer than eight characters. More recently password access controls are being augmented or replaced with other methods: questions from a person's history (e.g., social security number, mother's maiden name), which are only weak secrets since such facts are often discoverable; a limit on the number of login attempts; and even palm prints and retinal scans. Another problem with password approaches is the kind of attack in which someone captures the session on a terminal, either by running a program that emulates the login procedure and records what the user types, or by tapping into the session on a telecommunications line with a device such as a network sniffer. The sniffer lets someone observe the bytes of data as they are sent down the communications line; it is normally used for diagnosing problems with network protocols. Higher levels of security requirements dictate the additional measures outlined below.
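To make the password discussion concrete, here is an added example (not part of the original column) that simulates the repeated-guessing attack against an account, first without and then with a limit on login attempts, and checks a proposed password against the sort of rules just described. The userid, the password, the guess list and the five-attempt limit are assumed values; the host side stores a salted, iterated hash rather than the password itself.

```python
"""Online password guessing, with and without a lockout (added example).

Not code from the column. The account name, the guess list and the lockout
threshold are assumed values. The host stores a salted, iterated hash of the
password rather than the password itself, so a stolen password file still
has to be guessed offline.
"""
import hashlib
import os
import secrets

ITERATIONS = 10_000  # kept low for the demo; real deployments use far more

# Constructed list of the easy-to-remember choices the column warns about:
# family names, pets, and the usual suspects.
COMMON_GUESSES = ["password", "letmein", "welcome", "qwerty", "john", "mary",
                  "fluffy", "rex", "rover"]


def make_record(password):
    """Return (salt, hash) as the host would store it; never the clear password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def check_password(record, candidate):
    salt, digest = record
    guess = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return secrets.compare_digest(guess, digest)   # constant-time comparison


def check_policy(password, forbidden=COMMON_GUESSES, min_length=8):
    """Return the list of policy violations (an empty list means acceptable)."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if password.lower() in (w.lower() for w in forbidden):
        problems.append("on the common-word list")
    if password.isalpha():
        problems.append("letters only; mix in digits or punctuation")
    return problems


class Account:
    """A userid with a password record and a failed-login counter."""

    def __init__(self, userid, password, max_attempts=5):
        self.userid = userid
        self.record = make_record(password)
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def login(self, candidate):
        if self.locked:
            return False
        if check_password(self.record, candidate):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True   # further attempts fail until an administrator resets it
        return False


def guessing_attack(account, guesses):
    """Try each guess in turn. Return (success, attempts_made)."""
    for attempt, guess in enumerate(guesses, 1):
        if account.login(guess):
            return True, attempt
        if account.locked:
            return False, attempt
    return False, len(guesses)


if __name__ == "__main__":
    print(guessing_attack(Account("dswartz", "fluffy", max_attempts=10**9), COMMON_GUESSES))
    print(guessing_attack(Account("dswartz", "fluffy", max_attempts=5), COMMON_GUESSES))
    print(check_policy("fluffy"), check_policy("s3cret!Xy9"))
```

Without a limit the pet's name falls on the seventh guess; with a limit of five the account locks first. Note the flip side: an attacker who knows a userid can lock the legitimate user out on purpose, so a lockout is usually paired with a timed reset rather than a permanent block.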

Firewalls

A common approach to network security is simply not to connect the network to the Internet or any other public network. A study done by the Air Force a few years ago showed that, of the Air Force local area networks and servers connected to the Internet, about 10% were attacked and about 5% were penetrated. The problem with isolation, as noted previously, is that while an isolated network may be more secure, it has limited functionality, since it cannot link to the rest of the world through the Internet or other large networks. It also rests on the assumption that most security threats come from outside an organization. Studies suggest that a majority of problems actually arise from within, so an internal network may not really be secure after all. An approach now being broadly adopted to reduce external threats to networks, while permitting a broader range of functionality and access to outside networks, is the firewall.

The firewall gets its name from the structure in a car that isolates the source of a fire from the rest of the vehicle. The role of a network firewall is to insulate the users of a local private network from external threats. Generally the firewall works as a filter on incoming packets of information, which are often commands issued to the local system server. Filters can be set up to keep certain sources out of the network, or to permit only a restricted set of access privileges. There are two basic functions: to block and to permit certain forms of data traffic. While firewalls generally focus on preventing unintended external access to a private network, they can also be set up to prevent the unintended transfer of internal data to the external network.

A trade-off of using some types of firewalls is the resulting overhead, or slower performance. For example, when we set up a filter on a network router to check the source and destination of each IP packet, the check takes extra time and may slow traffic down. Some firewalls, however, perform these operations very quickly and the overhead may not be noticeable. Most firewalls implement some form of filtering, and some implement what is known as a bastion host, named after the highly fortified part of a medieval castle overlooking points critical to its defense, from which attackers were discouraged with a tub of scalding oil. A bastion host is a centralized, closely managed machine which sits on both the external network and the internal network. External users are permitted to reach only certain ports on it, while users from within the network can be permitted to reach the external network through it. By restricting external users to the bastion host, the security and administration of the system can be closely managed and tracked.
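An added example, not from the column, of the packet filter a router or firewall applies to each arriving packet. The addresses, ports and rules are assumed: the inside network is 10.1.0.0/16, the bastion host is 10.1.0.5, and outsiders may open connections only to it, and only for mail (port 25) and Web (port 80). The second rule shows the usual trick for letting replies to inside-initiated connections back in.

```python
"""A first-match packet filter with a bastion host and an 'established' rule.

Added example, not from the column. Addresses, ports and the rule set are
assumed: the inside network is 10.1.0.0/16, the bastion host is 10.1.0.5,
and the filter is applied to packets arriving on the external interface.
Outsiders may reach only the bastion host, and only on mail (25) and web (80).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    ack: bool = False   # TCP ACK flag set: part of an existing connection, not a new one


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    src: str                   # CIDR of matching sources
    dst: str                   # CIDR of matching destinations
    proto: str                 # "tcp", "udp" or "any"
    dports: frozenset = None   # destination ports, or None for any port
    established: bool = False  # match only packets with ACK set (replies)

    def matches(self, pkt):
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        if self.established and not pkt.ack:
            return False
        return True


ANY = "0.0.0.0/0"
INSIDE = "10.1.0.0/16"
BASTION = "10.1.0.5/32"

# Order matters: the first matching rule decides, and an unmatched packet is denied.
RULES = [
    # Anti-spoofing: nothing arriving from outside may claim an inside source address.
    Rule("deny", INSIDE, ANY, "any"),
    # Replies to connections that inside users opened (the ACK flag is set).
    Rule("permit", ANY, INSIDE, "tcp", established=True),
    # Outsiders may open connections only to the bastion host, only for mail and web.
    Rule("permit", ANY, BASTION, "tcp", frozenset({25, 80})),
    # Everything else from outside is dropped.
    Rule("deny", ANY, ANY, "any"),
]


def filter_packet(pkt, rules=RULES):
    """Return 'permit' or 'deny' for a packet arriving on the external interface."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"   # default deny, even if the rule list is empty


if __name__ == "__main__":
    # Constructed packets; 198.51.100.0/24 is a documentation range standing in for the Internet.
    samples = [
        Packet("198.51.100.7", "10.1.0.5", "tcp", 25),               # mail to bastion: permit
        Packet("198.51.100.7", "10.1.0.5", "tcp", 23),               # telnet to bastion: deny
        Packet("198.51.100.7", "10.1.4.20", "tcp", 80),              # straight to an inside host: deny
        Packet("198.51.100.7", "10.1.4.20", "tcp", 3456, ack=True),  # reply to an inside user: permit
        Packet("10.1.4.20", "10.1.0.5", "tcp", 25),                  # spoofed inside source: deny
    ]
    for p in samples:
        print(p, "->", filter_packet(p))
```

The "established" rule is where a plain filter is weakest: it trusts a flag the sender sets, so an outsider can send ACK-flagged probes at inside hosts. A filter that remembers which connections the inside actually opened closes that gap, at the cost of the extra state and overhead discussed above.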

There are many possible firewall configurations. An especially interesting one is the proxy gateway. Proxies operate at the application layer, above packet filters, and do a better job of protecting against application-layer attacks like the famous sendmail hole that the Morris worm exploited several years ago. One application of the proxy gateway is the mail gateway host, through which all mail in and out must be routed. Another use is to restrict access to certain Web sites. On our network in West Virginia we have 860 public K-12 schools and are going to limit the ability of students to reach certain sites through a service which keeps the gateway's list of restricted URLs up to date. All URL requests have to go through the gateway. The gateway does a table lookup and, if the site is not on the restricted list, passes the request out to the network.

Encryption

Encryption scrambles data using a mathematical algorithm and a key; the key is needed both to encrypt and to decrypt. Passwords are one of the first things worth protecting in transit. One scheme is CHAP, the Challenge Handshake Authentication Protocol: rather than sending the password, the host sends the client a random challenge, the client returns a one-way hash of the challenge combined with the secret password, and the host recomputes the hash from its own copy of the secret and compares. The password itself never crosses the wire, and a captured response is useless against the next challenge. A weakness of CHAP is that the host must keep each user's secret in recoverable form, so the password database on the host becomes the thing to protect, and someone who sniffs a challenge and response pair can still test guesses against it offline. Another approach to passing passwords securely and authenticating users is Kerberos.
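The CHAP exchange, as an added example rather than code from the column, following the RFC 1994 construction Response = MD5(identifier || secret || challenge). The user name and secret are constructed. The wire log is what a sniffer on the line would see; the example shows that a replayed response fails, and also that the captured pair still allows offline guessing.

```python
"""CHAP challenge-response as in RFC 1994, with a sniffer's view of the exchange.

Added example, not from the column. User names and secrets are constructed.
Response = MD5(identifier || secret || challenge); the secret never crosses the
wire, but the host must keep it in recoverable form to verify the response.
"""
import hashlib
import os
import secrets


def chap_response(identifier, secret, challenge):
    """Client side: hash the one-byte identifier, the shared secret and the challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, secret_db):
        self.secret_db = dict(secret_db)   # cleartext secrets: this file must be protected
        self.identifier = 0
        self.outstanding = {}              # identifier -> challenge still awaiting a response

    def challenge(self):
        """Issue a fresh random challenge; a new one is generated for every attempt."""
        self.identifier = (self.identifier + 1) % 256
        chal = os.urandom(16)
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, name, identifier, response):
        """Recompute the expected response from the stored secret and compare."""
        chal = self.outstanding.pop(identifier, None)   # a challenge is usable once
        secret = self.secret_db.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return secrets.compare_digest(expected, response)


def run_exchange(server, name, client_secret, wire_log):
    """One CHAP login; everything appended to wire_log is what a sniffer would see."""
    ident, chal = server.challenge()
    wire_log.append(("challenge", ident, chal))
    resp = chap_response(ident, client_secret, chal)
    wire_log.append(("response", name, ident, resp))
    return server.verify(name, ident, resp)


def replay_attack(server, wire_log):
    """Replay the last captured response against a new challenge; must fail."""
    _, name, _ident, resp = [e for e in wire_log if e[0] == "response"][-1]
    new_ident, _new_chal = server.challenge()   # fresh challenge, so the old response is useless
    return server.verify(name, new_ident, resp)


def offline_guess(wire_log, dictionary):
    """What the sniffer can still do: test guesses against the last captured pair."""
    _, ident, chal = [e for e in wire_log if e[0] == "challenge"][-1]
    _, _, _, resp = [e for e in wire_log if e[0] == "response"][-1]
    for guess in dictionary:
        if chap_response(ident, guess, chal) == resp:
            return guess
    return None


if __name__ == "__main__":
    srv = ChapServer({"dswartz": b"fluffy"})
    log = []
    print(run_exchange(srv, "dswartz", b"fluffy", log))       # True: correct secret
    print(offline_guess(log, [b"rex", b"fluffy", b"mary"]))   # b'fluffy': sniffer guessed it
    print(replay_attack(srv, log))                            # False: new challenge
    print(run_exchange(srv, "dswartz", b"wrong", log))        # False: wrong secret
```

The last two calls are the point of the exchange: the sniffer's captured bytes cannot be replayed, yet a weak password is still recoverable from them by guessing, which is why a challenge-response scheme does not remove the need for good passwords or for protecting the host's secret file.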

Both store-and-forward and real-time communications sessions, including voice, data and video, can be encrypted. A challenge in the use of encryption is the management of keys. In one popular form of encryption, DES (Data Encryption Standard), the same key encrypts and decrypts the information, so there must be a scheme to distribute keys and ensure they are in place when an authorized person wishes to read a message. The key management problem has led to the popularity of another approach, public key encryption, which uses two different keys, one public and the other private. You encrypt the message with the recipient's publicly available key, and only the recipient's private key can decrypt it. In practice the public key is often used just to deliver a fresh DES-style session key, which then encrypts the bulk of the traffic. Key management is far less difficult, because the public key for an organization or individual can be published while the private key never leaves its owner.

Authentication, Digital Signatures and Timestamps

An authentication scheme can be used to verify that a particular message has not been modified since it was sent. It can also be used to verify that a message is from a particular party, through a digital signature scheme. The National Institute of Standards and Technology (NIST) announced the Digital Signature Standard (DSS) in 1994. Digital signatures should open up a whole range of electronic transactions, including verified credit card usage. Today all you need is the number and expiration date, name and address to charge on someone's account; digital signatures should help put an end to many forms of credit card fraud that this enables. Do not confuse the cryptographic process used in digital signature authentication with the electronic signature system in use by companies like Sears. A growing number of stores actually capture your handwritten signature for each transaction and compare it to a stored original as their authentication process. Another process which is about to become commonplace is the digital timestamp. Whenever we create, send or receive a document, a trusted service will sign a digest of the document together with the current time, producing a verified timestamp that defeats intentional or unintentional tampering with the time and dating of medical records, contracts, e-mail, etc. Today, if you reset the clock on your PC you effectively change the timestamp; in the future there will be services on our networks which provide accurate timestamps for documentation purposes. We will no longer be able to say the check is in the mail, I wrote it out yesterday, unless it is true!
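An added example covering both the public key discussion in the Encryption section and the signature and timestamp ideas here; it is not the column's code and uses a toy RSA with fixed primes and no padding, so it shows the mechanics only. The primes, the patient record and the timestamp service are assumed. The same key pair serves three purposes: wrapping a DES-size session key for one recipient, signing a record so that any later change is detected, and a timestamp service signing the record's digest together with the time.

```python
"""Public-key encryption, digital signature and timestamp with a toy RSA.

Added example, not from the column. The primes are fixed, there is no padding
and the modulus is only about 60 bits, so this demonstrates the mechanics
only; real systems use DSS or RSA with proper padding and 2048-bit keys.
"""
import hashlib
import os

# Assumed primes; any pair with e coprime to (p-1)(q-1) works.
P = 1000000007
Q = 998244353
E = 65537


def keygen(p=P, q=Q, e=E):
    """Return (public, private) as (e, n) and (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse; raises if e and phi share a factor
    return (e, n), (d, n)


def encrypt(public, m):
    e, n = public
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(private, c):
    d, n = private
    return pow(c, d, n)


def digest_int(data, n):
    """SHA-256 of the data as an integer below n (the reduction is a toy-size concession)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data):
    """Sign the digest with the private key; anyone with the public key can check it."""
    d, n = private
    return pow(digest_int(data, n), d, n)


def verify(public, data, signature):
    e, n = public
    return pow(signature, e, n) == digest_int(data, n)


def wrap_session_key(recipient_public, key_bytes):
    """Send a DES-size (7-byte) session key to one recipient using their public key."""
    return encrypt(recipient_public, int.from_bytes(key_bytes, "big"))


def unwrap_session_key(recipient_private, wrapped, length=7):
    return decrypt(recipient_private, wrapped).to_bytes(length, "big")


def timestamp(tsa_private, data, when):
    """A timestamp service signs the record's digest bound to the time it saw it."""
    token = hashlib.sha256(data).hexdigest().encode() + b"|" + when.encode()
    return when, sign(tsa_private, token)


def verify_timestamp(tsa_public, data, stamp):
    when, sig = stamp
    token = hashlib.sha256(data).hexdigest().encode() + b"|" + when.encode()
    return verify(tsa_public, token, sig)


if __name__ == "__main__":
    doctor_pub, doctor_priv = keygen()
    tsa_pub, tsa_priv = keygen(999999937, 1000000009)   # the timestamp service's own pair

    # Key distribution: anyone holding the doctor's public key can wrap a session key for her.
    session_key = os.urandom(7)
    print(unwrap_session_key(doctor_priv, wrap_session_key(doctor_pub, session_key)) == session_key)

    record = b"Patient 1234: BP 120/80, seen 1998-01-12"      # constructed record
    sig = sign(doctor_priv, record)
    print(verify(doctor_pub, record, sig))                     # True
    print(verify(doctor_pub, record + b" (amended)", sig))     # False: modified after signing

    stamp = timestamp(tsa_priv, record, "1998-01-12T14:05:00Z")
    print(verify_timestamp(tsa_pub, record, stamp))            # True
    print(verify_timestamp(tsa_pub, record, ("1998-01-11T14:05:00Z", stamp[1])))  # False: date altered
```

The timestamp check fails as soon as either the record or the date is changed, which is exactly what resetting a PC clock cannot defeat: the time is bound to the document by a signature only the service can produce.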

Securing Applications: E-mail and Web Servers

It is becoming more challenging to secure the distributed environment of servers and clients. In the past, in a mainframe environment, we used IBM's CICS and Computer Associates' CA-Top Secret software to secure online transactions. The CICS scheme ensured that the transaction was originating from an intended terminal. Through passwords and physical security of the 3270 terminal we could be confident of the security of the system. In fact, you do not read much about break-ins occurring today in this type of environment, even when it is connected to the Internet; the break-ins are still occurring on UNIX host machines. Modern IBM CMOS enterprise servers have come out in the last year, support all the mainframe applications and security systems, and provide many of the benefits of NT and UNIX servers. Unfortunately these new superservers suffer from users' past impressions of how difficult mainframes are to use.

Privacy for Internet mail covers several areas: confidentiality, originator authenticity, and message integrity. Today in many Internet e-mail systems it is possible to spoof the origin of a message. Most "spam" mail originates from a user who forges the sender address. When we attempt to track it down we are fortunate if we can determine the network it originated from; identifying the user is very difficult. This is because SMTP, the current Internet mail protocol, does not authenticate the sender. A number of enhanced e-mail systems can overcome this problem, but users need to coordinate on a common authentication process. One such program is Lotus Notes, which supplies a user verification process to validate the origin of the message as well as addressing the other requirements of confidentiality and message integrity. Another publicly available secure e-mail system, which uses public key encryption, is Pretty Good Privacy (PGP). Unfortunately, many of the existing systems are not compatible with one another. In the future we will have Internet mail schemes which address these problems.

Another popular application which needs to be secured is the Web server. More and more the Web browser is being used as a tool to enable easy distribution of health care information through linkage to databases. In the last edition of TT we discussed how our Web server could be linked to our databases using CGI scripts or Oracle’s WebServer. How do we secure this process?

The main protocol used on the Web is the Hypertext Transfer Protocol (HTTP), which allows access to and transfer of documents formatted in the Hypertext Markup Language (HTML). HTTP servers are available for many operating systems, the main ones being NT, UNIX, DEC VMS, and the Macintosh OS. A number of vulnerabilities are common to all Web servers. One is that the server may allow access to files located outside the area designated for Web usage: intruders may be able to trick the HTTP server, for example with a request containing ".." path components, into returning other critical files such as the password file. Another area of concern is the use of Common Gateway Interface (CGI) scripts. The HTTP server actually runs the script or program, with input obtained from forms filled in on the browser client; if that input is passed along unchecked, it is possible to subvert the script and execute unintended commands on the Web server. A further problem is that the Web server may reside on a system which also supports other servers, which compounds the risk.

Several configuration options are available to lessen these risks. Often overlooked is running the HTTP server as a nonprivileged user rather than as root. The root user holds the full system manager privileges and should be reserved for the systems manager or those who genuinely need the broader set of functions; running the server as an ordinary user means that a subverted server can read and execute only what that user can. Another step is to turn off Server Side Includes (SSI), or at least the ability to execute commands through them, for directories that do not need them. The SSI feature of modern HTTP servers lets us insert information automatically, such as a dynamic date tag, into our pages. Other measures include shutting off the ability of CGI scripts to pass remote user input to command interpreters such as UNIX shells. Obviously, it takes someone who knows what they are doing to set up a secure Web site.
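The two server-side holes just described, as an added example beside their hardened forms; this is not the column's code. The document root, the sensitive file outside it, and the CGI "program" (a greeting run through the shell, standing in for the finger-style scripts of the period) are constructed for the demonstration.

```python
"""Two classic Web server holes beside their hardened forms (added example).

Not code from the column. The document root and the sample files are built in
a temporary directory, and the CGI 'program' is a greeting run through the
shell, standing in for the finger/whois style scripts of the period.
"""
import os
import re
import subprocess
import tempfile
from urllib.parse import unquote


def build_sandbox():
    """Constructed layout: a document root with one page, and a sensitive file outside it."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "htdocs")
    os.mkdir(docroot)
    with open(os.path.join(docroot, "index.html"), "w") as f:
        f.write("<h1>Welcome</h1>")
    with open(os.path.join(base, "passwd"), "w") as f:   # outside the Web area
        f.write("root:x:0:0")
    return docroot


def serve_unsafe(docroot, request_path):
    """Joins the decoded request path onto the document root and opens it.
    '/../passwd' (or its encoded form '/..%2Fpasswd') escapes the Web area."""
    path = os.path.join(docroot, unquote(request_path).lstrip("/"))
    with open(path) as f:
        return f.read()


def serve_safe(docroot, request_path):
    """Resolve the path (including '..' and symlinks) and insist it stays under the root."""
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, unquote(request_path).lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("request escapes the document root: %s" % request_path)
    with open(target) as f:
        return f.read()


def cgi_unsafe(user):
    """Form input pasted into a shell command line: '; ...' runs a second command."""
    out = subprocess.run("echo Hello " + user, shell=True,
                         capture_output=True, text=True)
    return out.stdout


USERNAME = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def cgi_safe(user):
    """Validate the input, then run the program directly with no shell involved."""
    if not USERNAME.match(user):
        raise ValueError("rejected form input: %r" % user)
    out = subprocess.run(["echo", "Hello", user], capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    root = build_sandbox()
    print(serve_safe(root, "/index.html"))
    print(serve_unsafe(root, "/..%2Fpasswd"))      # leaks root:x:0:0
    try:
        serve_safe(root, "/..%2Fpasswd")
    except PermissionError as err:
        print(err)
    print(cgi_unsafe("bob; echo INJECTED"))         # runs the injected echo
    try:
        cgi_safe("bob; echo INJECTED")
    except ValueError as err:
        print(err)
```

Two details matter in the hardened versions: the path is decoded and fully resolved before it is checked, so encoded or symlinked detours do not slip past, and the CGI program is invoked with an argument list rather than a shell string, so no character in the form input is ever interpreted as a command. Running the server as an unprivileged user, as recommended above, is the backstop for the cases these checks miss.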

Another problem, common to other forms of communication, is that the information is transmitted in the clear over the network. To protect Web information from traveling in the clear there are a number of possible approaches. One interesting approach, proposed by Enterprise Integration Technologies, is a new protocol designated S-HTTP, or Secure Hypertext Transfer Protocol. S-HTTP is backward compatible with standard HTTP and incorporates a number of cryptographic schemes into Web browsing. With S-HTTP you do not have to pre-establish public keys as with other security schemes, and it authenticates the user. Netscape developed an approach called the Secure Sockets Layer (SSL), designed to ensure private and authenticated communications using public key encryption; originally tied to Netscape browsers and servers, it is now implemented by other vendors and is being standardized by the IETF under the name TLS. There are a growing number of approaches available to secure Web sites which will accommodate the needs of electronic funds transfers and transactions. One model specific to the sale of information is NetBill, developed by Carnegie Mellon University, which provides a set of protocols and software to enable customers to pay owners and retailers of information in a secure manner. Other Internet payment approaches are being proposed, such as the NetCheque system developed at the University of Southern California. This system also accommodates a wider range of requirements, including the need for anonymity of parties and ease of use, in addition to the security requirements. With all the development going on, good standard solutions should be available in a short period of time.

There! You've just completed Data Security 101. It should be evident that we have many tools available to secure our distributed information systems and telemedicine environment. Provided we make judicious use of them, the Internet doesn't have to be a scary place where all data is open to view. However, the tools must be applied in an intelligent, integrated manner, which often requires considerable expertise. In addition, until we have broadly accepted standards, we will need to coordinate the encryption and authentication schemes used in different applications to ensure everyone is using the same approach. In today's integrated health care environment this is possible through a security committee which sets standards for the health system.

Drop me a line if you have some security questions about your telemedicine systems.

   
© 2001-2002 - B2BMedia Inc.