Now, the next aspect of a layered defense, of course, comes in the technical realm: how we protect specifically using technical means, whether that's encryption, authentication, or authorization elements that either our operating systems, our filing systems, or our applications provide for us.
So the first one I mentioned just a moment ago: I mentioned access control,
and access is all about limiting what a subject can do with an object. And a lot of times when I talk about access control, this isn't on the screen, but I'll just mention this: I frequently talk about the IAAA of access control,
the IAAA. So what happens is a subject must identify first. The subject makes a claim: I am Kelly Handerhan. That's me. Identify. The problem with that is you can't trust me. You don't know for sure that I am who I claim I am.
So we follow that identification up with authentication.
Give me some proof, prove it.
You can prove it with something you know, like a password,
something you have like a driver's license or something you are, which would involve biometrics.
So I identify; the first A is for authenticate. The second A is for authorize: I've claimed to be Kelly Handerhan. I've proved it. So what? Well, because of that, I am authorized to access certain resources. And then we follow that up with auditing
or accountability. So identify, authenticate,
authorize and accountability. Those are the elements of access control, the IAAA. So what we want to make sure is that we implement those mechanisms in place and that we implement strong controls that would enforce each of those elements.
Audit controls: again, we have to ensure compliance, and the way we determine if systems, users, other elements of our organization are in compliance: we audit. And again, it's not just auditing what our people do.
We've got to review the audit logs of our hardware: our servers, our firewalls, our proxies,
the software. Most applications we would use, certainly operating systems we would use, have audit trails that can be enabled and viewed. Now, a word of caution: we want to make sure that we audit what's necessary without making our audit logs so cumbersome
that we can't really discern what's meaningful from what's not.
There was an organization that had a tremendous compromise of credit card numbers, and what was interesting is their technical controls worked perfectly well, and by that I mean they had a data loss prevention system in place
that was able to detect the fact that something weird was going on on that network.
But what happened is the logs were being written to, or the files were being written to, an audit log that had thousands of entries. So when I'm trying to go through or sift through an audit log with
5000 entries and there are three significant events, that's like looking for a needle in the haystack. So not only is it enough to audit, but we need audit reduction tools and filters in place so that we can see what's meaningful.
Integrity controls: again, when we talk about integrity, I mentioned that earlier. That's part of that CIA triad: confidentiality, integrity and availability. And the integrity element protects against modification,
corruption and destruction. So I ought to be able to review a log file and have the assurance that that log file has not been modified by an attacker.
But I also need to make sure that healthcare records haven't been improperly modified, that they haven't been corrupted in transit. It ultimately comes down to making sure there's no unauthorized modification.
And then once again, transmission security. If we're a covered entity under HIPAA, we have to put technical controls in place while data is in transit. And a lot of times that comes down to using secure protocols to transmit data. And a lot of times that happens at the network admin standpoint,
where maybe they're gonna enforce IPsec; for instance, that would be a secure
transmission protocol. You're probably familiar with SSL or, more recently, TLS. We often associate that with secure Web transactions, but the bottom line is that's a technical control, by using a secure protocol.
Another concept of access control, and I mentioned this just a few minutes ago: the more information I store
and the more individuals, services, people, processes, systems that can access it, the more vulnerable I am. So a good rule of thumb is, if you don't need it, don't store it. I know that sounds like common sense, but let's talk about that, for instance.
So let's say, as a health care provider, I need your Social Security number,
and I need that to verify with your insurance company your correct identity, and to make sure that I'm working with the patient I think that I am. So I need to collect your full Social Security number. But after I get that authentication, I don't need to continue to store your Social Security number.
So what I might do is a technique called data minimization.
I might discard all but the last four characters of your social or of your credit card number or whatever that might be. So once I get that information and I use it, discard what you don't need.
That's why many times when you call your credit card company, for instance, or a physician's office, the reason they ask you for the last four digits is that's all the information they have on you. The last four digits of your social in and of itself is not protected information, so,
you know, you're somewhat limited as an attacker in what you could do with those last four characters.
If you don't need it, don't store it. If you do need it, get rid of it after you need it. And if you have to keep it, protect it, again, according to the requirements of the Security Rule.
Always, always, always follow that principle of least privilege.
You want to make sure that users just barely have access to the information that they need to do their job, and it's better to err on the side of caution. And I mentioned that earlier, that these rules protect against both internal and external disclosure of information.
Again, just because you work at a hospital doesn't mean you have access to all patient records.
So least privilege goes hand in hand with the concept of need to know. If you don't need to know it, you don't get to know it.
So those are important ways that we limit the possibility of disclosure. I can't tell you something, or I can't leak something to the media, or I can't provide or assist in the compromise of information that I don't have access to. Least privilege and need to know are important concepts
in protecting any type of information,
but absolutely in protecting PHI.
Get consent is the next element. If you're in doubt, get a waiver. Make it very clear how the information's to be protected, what's gonna happen with the protection, and again, go back to what you see in the doctor's offices today. When you go in for a visit, you'll notice you have to sign off. You have to
who health care information can be shared with. Many times, if you're calling for a transfer of records from one doctor to the next, they make you actually come in and sign that consent form. And again, health care providers really have to protect themselves against litigation
and against being found out of compliance with HIPAA. So if your organization isn't sure,
get permission in writing. That's kind of one of those things that's always a good rule. When in doubt, you know, CYA, basically cover your assets. Make sure you've done what you need to do to demonstrate due diligence. You know that old phrase:
ignorance of the law is no excuse.
So if it's something I didn't know I need sign-off, that's not an excuse. If you're not sure, get sign-off, write up a waiver, check with your organization's attorney. Now again, I'm not saying this from an end user standpoint. I'm directing this more to management and more to the folks that control the policies and procedures within an organization. But
if there's information,
from an end user standpoint, you're not sure if you can disclose or not, the best advice is check with management. And management will require that you get sign-off in writing. That really is the best advice I can give you. Then notice, if information is to be disseminated: again, we talk about that
in the protection of patient information. Now, we have to notify our patients of how we are going to distribute that information, again, whether it's internal or external. Who are we sharing the patient's health information with?
Notice and consent are two very important principles of privacy. We want to make sure people know what we're doing with that information and that they have the option to say yes or no.