UConn Health Center
Security Optimization & Fortification Initiative

Bob Brandner
Deputy CIO
Overall Objectives
• All the healthcare business drivers mentioned in the Datacard slides apply to our scenario
• Use digital signatures to replace written signatures as approvals for internal forms routing and external electronic commerce.
• Single, streamlined process for employees or affiliates to obtain credentials/privileges for visual, physical or logical access.
• Centrally managed security administration (issuance, revision, revocation) process with emphasis on improving:
– Timeliness of service delivery
– Audit capabilities
– Accountability
– Measurements
• Fortification of safeguards for all aspects of security, using the smart card as the single credential store
• Address HIPAA requirements with common sense (see Appendix Two)
• Introduce two-factor authentication in sensitive areas using any combination of:
– Password/PIN (something you know)
– Smart Card/PKI (something you have)
– Biometric (something you are)
• Facilitate automated password administration by introducing single/reduced sign-on capability
Value Statement
Datacard offers a single source solution for consolidating visual, physical, and network authentication using a seamless smart card issuance process. This provides greater security at a lower cost.

Staff & Caregiver ID – Needs
• One ID card for multiple functions
• One secure enrollment & card issuing process
• One secure and accurate data source
• Integration of “second” factor of authentication in network and physical access
• Multiple applications on smart cards
– network security, cafeteria, vending

Mirrors UConn Health Center’s Goals & Approach

Smart Cards
• Multi-application capability
– Logical security
– Add single sign-on & PKI
– Add biometric template
– Future applications
• Best choice for combining logical and physical security
– Combine two or three factors of authentication: something you have (card), something you know (PIN) and something you are (biometric)
– Portable, secure

Central Secured Identity Database
• ONE database to store identity information
– HR, LDAP compliant directory, central ID database
– Populate from HR database
– Connectivity to legacy access control & time/attendance systems
– Ability to view from other locations
UConn Current State – Physical & Visual
• Visual & physical security is accomplished via use of at least six different cards (i.e. photo badge, door access mag stripe & proximity, parking lot proximity, mag stripe vending, etc.)
• Employee picture IDs have no intelligence, and the other types of cards mentioned do not include pictures and are all configured via different applications.
• Only different color badges provide any visual differentiation for physical access between employees.
• Public Safety (Campus Police) office gets a paper list of new employees scheduled for weekly orientation who need badge pictures taken.
UConn Current State – Logical (Chaos)
• Approximately 199 business applications in use by over 3000 employees
• 56 different employees manage password access for the 199 applications (only IDX Suite access is managed by IT)
• 52% contain Protected Health Information (PHI)
• 40% have the ability to assign varying levels of access
• 34% have role-based access administration
• 18% have passwords with automatic expirations
• 15% of applications are used enterprise-wide:
– 10 applications have between 250 and 500 users
– 6 applications have between 50 and 250 users
– 13 applications have between 20 and 50 users
• Approximately 332 users have access to at least two enterprise-wide applications:
– 184 users have access to two different enterprise-wide clinical applications:
• (134) IDX Suite & Lab
• (28) IDX Suite & Radiology
• (22) IDX Suite & Pharmacy
– 142 users with access to the IDX Clinical Suite also have access to the Finance System
– 80 users have access to both the Human Resource and Finance Systems
• 85% of applications (170) have between 1 and 20 users and are departmental in nature.
UConn Current State – Smart Cards
• In-house developed Physician Order Entry (POE) system is PKI enabled for logon via Gemplus smart card & PIN, with photo and Verisign digital certificate (on-site lite product)
• The digital certificate is captured for each order in a SQL database
• Over 500 cards issued for physicians and residents
• Visual-only employee IDs are also required for smart card users.
• Physicians find use of the PIN cumbersome and would like a biometric option for second-factor authentication.
• CT Hospital Association supplied and administered the smart card printing/issuance process, but discontinued this service one month into the POE rollout.
• Ability to manage the entire smart card lifecycle in-house was required immediately.
• ActivCard selected as vendor of choice via RFP for a smart card driven pilot including cards, readers, printer, smart card lifecycle management and reduced sign-on software.
ActivCard/Datacard – Smart Card Pilot Objectives
• Automatic creation of cryptographic smart cards to be used for PKI, desktop security, physical access, time reporting, copier charge debit and photo ID badge purposes
• Reduced sign-on to Windows client/server, Telnet and browser-based system logons (non-programmatic interface or vendor-specific agents)
• Protection of information and transactions using PKI
• Desktop locking and session resumption
• Single, application-shareable credential store (LDAP compliant)
• Web authentication using SSL and client-side certificates
• Digitally signed and encrypted e-mail (S/MIME)
• Mobile certificates using smart cards / virtual smart cards
• Automatic and manual PC file encryption
• Compatible with Verisign certificates
Pilot Results
• Using templates created in ID Works with support from the distributor, currently using the Datacard ICIV camera and printer to issue Schlumberger smart cards for the POE application
• Adding Verisign certs to smart cards
• Verified ability of ActivCard Trinity software to automate the following system access functions:
– Create a single credential store in the LDAP directory and transfer employees’ individual user IDs and passwords to the smart card
– Automate the sign-on process to all systems by using tools to create software templates for the various UCHC client/server, terminal-emulated or web-based logon dialogs
– Automate creation of new passwords by recognizing the expiration notice and using rules to seamlessly create a system-specific new password
– Use any combination of smart card, PIN, password or biometric for system authentication, varied by employee and/or by each system accessed by each employee
– Automate MS Domain/Exchange and/or Active Directory logon
– Assignment of access privileges to new hires via drag and drop of templates
– PC session locking when the smart card is removed
• Verified ability to feed new employee data from the HR system to MS Active Directory’s LDAP store, which automatically updates both the Trinity and ID Works databases (see Appendix One for data flow)
• Clinical IT Steering Committee saw a demo of Trinity automated logon capabilities and strongly endorsed the product.
Security Initiative Current Status
• Initiating purchase of the first 100 of 2500 to 3000 total Trinity licenses
• Creating temporary point-to-point feeds from the HR system directly to the ID Works and Trinity databases (until Active Directory is in full production)
• Modifying the COM object providing the PKI interface via smart card for POE logon to use Schlumberger cards and Trinity software
• Working with the various individuals responsible for password administration of UCHC systems to establish IT Security as the single customer contract for requesting and aggregating credentials for multiple systems (Access Broker)
• Finalizing strategy for assigning the appropriate type of ID card to the requirements of various job types (i.e. plastic photo card; picture & mag stripe; picture, mag & proximity & smart card combo)
• Modifying HR new employee forms to capture systems access request information and adding it to the electronic feed
• Modifying electronic approvals for in-house forms routing to replace use of SS# and PW with PKI
• Transitioning Datacard equipment and the ID Works operation to the Public Safety (Security) department to replace current visual-only badges
• Rolling out Trinity software to the most sensitive patient care areas and to communities requiring access to multiple applications
• Evaluating opportunities to interface the Trinity credentialing process with Verisign enrollment to further streamline administration
Appendix One – New Employee Credentialing Data Flow (flowchart rendered as steps)
• Greentree Application Tracking System: the HR applicant tracking system generates an electronic feed containing the list of new employees, including departmental demographic, facility access & information systems access information.
• LDAP / MS Active Directory v.3: the MS Active Directory record for each new employee is updated with digital certificate information via LDAP.
• The feed includes the names of new employees needing facility, barcode & information systems access, and is split two ways:
– ID Works System: the full set of new employee information is fed from MS Active Directory via LDAP into the Access database for the ID Works badging application.
– Trinity System: only the names of new employees needing systems access are fed from MS Active Directory via LDAP into the database for the Trinity authentication system.
• ID Works branch – required badging option:
– Picture badge only (plastic only)
– Picture badge with facility access and/or barcode card configuration only (magnetic stripe)
– Picture badge with facility & IT systems card configuration (magnetic stripe & microchip)
– Print badge with picture and with/without barcode/mag stripe
• Trinity branch: IT Security creates the Trinity new employee systems access profile, available for download to the ID badge. If a digital certificate is needed, IT Security also enrolls the new employee in the Verisign PKI system and readies the certificate for download to the card.
• Need IT access credentials on card?
– Yes: Public Safety logs into the Trinity system as operator, inserts the new card into the reader and downloads IT access credentials to the card.
– No: Public Safety gives the finished badge to the employee.
• PKI digital certificate?
– Yes: the certificate is sent to Public Safety from Verisign to a special email account; Public Safety downloads the Verisign certificate onto the card via the card reader, then gives the finished badge to the employee.
– No: Public Safety gives the finished badge to the employee.
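The branching in Appendix One, written out as a small routing function. This is an added example, not code from the UConn Health Center deck or from Datacard, ActivCard or Trinity; the record field names, badge labels and the sample feed are constructed assumptions, and a certificate request without systems access is treated as a feed inconsistency because the flow only reaches PKI enrollment through the Trinity branch.

```python
# Added example, not code from the UConn Health Center deck or any vendor: routes one
# constructed HR-feed record through the Appendix One branches. Names are assumptions.
from dataclasses import dataclass, field

@dataclass
class NewHire:
    name: str
    facility_access: bool      # needs door/parking/barcode access
    systems_access: bool       # needs logical (IT systems) access
    needs_certificate: bool    # needs a PKI digital certificate (e.g. for POE)

@dataclass
class Provisioning:
    badge_type: str = ""                 # ID Works badging option
    trinity_profile: bool = False        # IT Security creates Trinity access profile
    pki_enrollment: bool = False         # IT Security enrolls employee with Verisign
    card_steps: list = field(default_factory=list)  # Public Safety steps, in order

def route(hire: NewHire) -> Provisioning:
    """Map one new hire to the badging (ID Works) and credentialing (Trinity) branches."""
    if hire.needs_certificate and not hire.systems_access:
        # The flow only reaches PKI enrollment via the Trinity branch; a certificate
        # request without systems access is a feed inconsistency, not a badge to issue.
        raise ValueError(f"{hire.name}: certificate requested without systems access")
    p = Provisioning()
    if hire.systems_access:
        p.badge_type = "picture, magnetic stripe & microchip"   # facility & IT systems
        p.trinity_profile = True
    elif hire.facility_access:
        p.badge_type = "picture & magnetic stripe"               # facility/barcode only
    else:
        p.badge_type = "picture only (plastic)"
    if hire.systems_access:
        p.card_steps.append("operator downloads Trinity IT access credentials to card")
        if hire.needs_certificate:
            p.pki_enrollment = True
            p.card_steps.append("download Verisign certificate to card via reader")
    p.card_steps.append("hand finished badge to employee")
    return p

def split_feed(feed):
    """ID Works receives the full feed; Trinity only the names needing systems access."""
    return [h.name for h in feed], [h.name for h in feed if h.systems_access]

# Constructed sample feed (not real UCHC data).
SAMPLE_FEED = [
    NewHire("A. Clerk", facility_access=False, systems_access=False, needs_certificate=False),
    NewHire("B. Nurse", facility_access=True, systems_access=True, needs_certificate=False),
    NewHire("C. Physician", facility_access=True, systems_access=True, needs_certificate=True),
]
```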
Appendix Two
HIPAA Myths vs. HIPAA Realities

I. Privacy Compliance Requirements
Reality: the rule calls for a balance between the ultimate protection, risk and cost, and clearly states the desire not to impose a burden that affects patient care.

a) Myth: Mandates IT system redesigns for the ability to impose distinct limitations on precise data elements accessible by dozens of user roles.
Reality: Creating a few roles with access to a broad range of patient PHI data elements is both permissible and appropriate as part of a HIPAA compliant procedure because:
• Most employees with ANY access rights to electronic PHI have legitimate needs to access diagnosis & procedure information
• Many employees with ANY access rights need to access infection precautions
• The minority of staff not needing access to these broad categories should be placed into a few roles with very limited PHI access.

b) Myth: Most privacy rule provisions require modifications to existing or newly acquired electronic systems containing PHI.
Reality: Compliance with the majority of the privacy rule provisions will be achieved by:
• Securing physical access to facilities where either paper (file rooms) or systems containing PHI (Data Center) are stored
• Employee education on the sacred nature of patient privacy
• Implementing & enforcing specific privacy policies
• Use and tracking of paper consent/authorization forms
• System modifications may be required to deliver the following capabilities that are necessary for HIPAA compliance:
– Verify authorizations for repeated disclosures have not been revoked prior to each PHI disclosure
– Log the nature and date of each disclosure
– Record amendments made to electronic PHI via patient request or staff

c) Myth: Impersonation of a patient at the point of care represents the principal and most probable threat of unauthorized access to PHI via the HCO’s electronic system.
Reality: Impersonating a patient at the point of care to illegally acquire a person’s electronic PHI is not a probable threat because:
• The number of parties interested in a “non-celebrity’s” PHI, but not entitled to it, is small at any time.
• There is no ready market for PHI a hacker might acquire via impersonating the individual.
• Blackmail involves large sums of money and is too messy, too risky and too personal for hackers.
• Exploiting the helpful nature of the organization’s staff not adequately trained in patient privacy policies & procedures is a much more probable scenario for illegal/inappropriate access to PHI than stealing a password by “shoulder surfing”.

II. Security Compliance Requirements
Reality: the rule calls for a balance between the ultimate protection, risk and cost.

a) Myth: Requires enormous investment in IT security specifically for HIPAA compliance.
Reality:
• The majority of security rule compliance will be addressed by physical facility security enhancements and establishing policies to protect PHI.
• The majority of the rule’s electronic data protections will use technology organizations have installed or are planning to install as part of normal business precautions and infrastructure upgrades.

b) Myth: Mandates very specific security technologies & solutions.
Reality: The rules mandate capabilities, policies and mechanisms, not specific technologies.

c) Myth: Requires use of two-factor authentication to access PHI (e.g. password & biometric).
Reality:
• The majority of electronic access to PHI can be sufficiently protected by ensuring the use of unique user IDs and passwords.
• Two-factor authentication methods (i.e. smart card/PIN, biometric/PIN, etc.) will make sense in the most sensitive care delivery settings.
• The best and most widely pursued method of ensuring adequate protection for electronic PHI is automating the provisioning and tracking of access rights via single sign-on technology.

d) Myth: Electronic PHI remote access via the Internet requires use of password tokens (SecurID cards) and Virtual Private Network (VPN) software.
Reality: Not required; use of normal internet browser technology supporting SSL encryption, unique passwords and inactivity timeouts will address HIPAA requirements.
