Friday, November 16, 2018

A Risk Assessment Exercise in multiple parts: Threats

Continuing my risk assessment from last post, I'd like first to report a missing item or three from the previous list of assets being protected:

  • The USB device itself (duh).
  • Other data on that device (personal or otherwise).
  • Anything that device could connect to.
Having identified what needs protection, now we need to look at what we are protecting it from:
  • Theft
  • Damage (e.g., electrical hardware damage)
  • Data Corruption
  • Loss of sensitive information
  • Exposure of sensitive information
  • Infection by malware (virus, trojan, ransomware, other)
  • Denial of Service
There are a number of downstream consequences that might result from these core threats, but these threats get at most of the root causes.  I'll look at various potential mitigations for these issues next week.

Friday, November 9, 2018

A Risk Assessment Exercise in Several Parts

[Figure: Guidelines of impact relevance for IHE profiles, from the IHE Security Cookbook]

One of the challenges for anyone involved in Healthcare IT standards development is being able to share the documents, presentations, training and other materials used in developing the standards.  Like many in this field, I have access not just to those materials, which I need to be able to share, but also to a lot of other things that shouldn't be shared and which need to be protected.

I've been in settings where I'm creating or revising a document or presentation, and the fastest way to get it to somebody somewhere is via a USB memory device.  But if access to external storage is locked out, then I cannot share information, nor accept information from devices that others share with me.  In some cases, USB has been nearly the only way (ever try to get onto wireless or WiFi at a very busy, yet under-provisioned conference ... sometimes it's just not possible).  I've been in presentation settings where the presenter system is owned by the organization and, for related reasons, is the only thing that can be used for presenting, so the only way to get content onto it may well be a USB stick.  These situations are infrequent, yet USB is still often the fastest way.

Yet USB sticks (and other devices) are a two-way infection vector, and also a way to transfer huge amounts of information that sometimes shouldn't be shared. Even in cases where it should be shared, the information may need its own set of protections (e.g., encryption and authentication for use) to prevent it from falling into the wrong hands.

So, I need a risk assessment and mitigation strategy if I'm to justify any sort of exception to a complete lock-down.  This post represents the first of several posts that walk through a risk assessment process.  We'll start first in this post with assets to protect, move on next to threats, then assessment and mitigation.

Here's a partial list of assets that need protection.
  • My Company Issued Laptop
  • My Data
    I have pictures on my laptop that are mine, which I might want to save, and my company laptop has access to many web sites I use for both personal and professional reasons.  I may have personal data related to my work (e.g., payroll, taxes, benefits, health insurance). I want to protect that content.
  • Infrastructure
    Anything my laptop (where the USB device would be used) can access can subsequently be attacked by my laptop, were it to be infected.
    • Corporate Infrastructure
    • Customer Infrastructure
  • Intellectual Property
    Anything I have access to via that laptop could potentially be a target, including:
    • Company IP
    • Partner IP
    • Customer IP
    • SDO IP
      Examples include presentations, training material, and draft content of specifications that I may be working on.  This is material I often need to share with others.
  • Individually Identifiable Data
    Various regulations require additional safeguards around certain classes of data that might be available via my laptop, including:
    • Patient Data (PHI)
    • Data about other Individuals (PII)

Consequent to the threats against any of these assets are threats to my reputation, to those of my employer, its partners and customers, and to the financial status of those organizations.  One need only look at what happened last year with the NotPetya attacks to see how much damage can be done.

I invite your comments and feedback below!

Thursday, November 8, 2018

Reassessing HealthIT Standards

After spending umpteen years having a pretty good handle on what's important and where to spend my time, I'm now back at (mostly) square one, having to reassess the standards in flight in HL7, IHE and various other organizations after being out of many loops over the past few years on the implementation side.  For each of about 17 standards organizations, I have to assess what they are doing, and how important it is to me (and to my employer), and then to work out what my strategy should be.  All at the same time sucking from a tremendous fire hose.

Below are links to where you can find out more information for your own assessments, along with my thoughts from my current investigations.  While I track many general IT standards bodies (W3C, IETF, OASIS, et cetera), they generally require too much in the way of resources [both time and money], and others working in those bodies are generally more qualified than I to handle that work, so those aren't listed.

HL7: There's a lot of activity around FHIR (of course), and still some activity around CDA (new guides building on C-CDA).  Other things of note: SMART on FHIR, CQL and QUICK. Also, Argonaut and Da Vinci projects can be expected to ballot or contribute some materials back through the HL7 processes.  Attachments is undergoing a shift in focus, and given what's going on with Da Vinci, this should be an interesting time for that work group.  This is an important place to be engaged if you are interested in Health Information Exchange.

IHE: ITI and PCC don't have a lot new to speak of; there's some maintenance work that needs to happen, as well as perhaps some revival.  ITI is considering whether to go to a continuous (quarterly) work cycle, something I tried unsuccessfully to do in PCC for years.  This is a good thing, I think, because it allows for adoption of things in a more timely fashion.  QRPH, on the other hand, has a few things that seem to be quite attractive, including new work on Aggregate Data Exchange (ADX) [FHIR-based this time, though why they didn't start there is a mystery to me], CQL (an exotic but interestingly useful language for quality measurement and clinical decision support), and PDMPs (which we've seen popping up all over the place in the US).

ISO TC215: There are some interesting things going on here, but not much for my needs.  Much of it is either medical device or process oriented.

ASTM: Haven't heard a peep in a few years here. Drill down to the sublinks and you'll see few if any new work items.

OpenID: Something to watch, especially as it relates to SMART on FHIR.

NCPDP: A place to keep my eye on, especially as it relates to PDMP and APIs.

CARIN: Some interesting work on patient-facing APIs, a new entrant into the space that bears paying attention to.

Carequality: Some new workgroups are forming, FHIR is coming.

CommonWell: Biggest news from CommonWell over the past 12 months has been the connection to Carequality.  I'm not seeing much else, but also not digging too deeply either.

X12: Not really doing it for me.  Everything interesting happening in standards for the Payer sector seems to be discussed in either HL7 Attachments or the Da Vinci Project right now, at least as far as I'm concerned.  If you work for a payer, your mileage could certainly vary.

Thursday, November 1, 2018

What's Changing?

With a new employer will come changes.  For the most part, little enough that I only had to make a few small edits to the policies for this blog.  My new employer is Audacious Inquiry, and to the extent that I'm adhering to my own policies, that is about all I'll say here, other than that I've known about 1/2 of the senior members of the team for quite some time and highly respect them.  There will be other venues where you can read about what I'll be doing for them in the future.

I'm looking forward to spending more time on standards work, and more time here in this, my own space, where I will talk about the standards work that I'm doing.