MITA Security & Privacy Documents
White Papers
- Information Security Risk Management for Healthcare Systems (
 143k) October 2007
This white paper helps device manufacturers manage IT security risks in healthcare systems by detailing the steps in security risk assessment in the context of security risk management. The process for managing healthcare systems IT security-related risks is very similar to long-standing device safety processes. This paper recommends that similar methods be applied to security risks to healthcare systems. In detailing security risk management, this paper presents a set of examples which provide insight into healthcare trends and vulnerabilities leading to the relevant steps in how to design for confidentiality, integrity and availability of systems, while maintaining an appropriate level of safety, healthcare effectiveness, privacy for both patient and staff, and interoperability.
- Management of Machine Authentication Certificates (143k) May 2007
This paper helps healthcare providers and medical device engineering organizations decide how to use digital certificates to secure machine-to-machine communications. There is a focus on privacy and security in healthcare. The breaches in security over the past five years have shown that using a “moat” approach of firewalls without further internal security is not effective. To properly secure a network environment the machines (e.g., imaging device, PACS archive, laptop, a system implementing an IHE profile, internet kiosk) that are going to receive or transmit sensitive data must be identified. This introduces a need to authenticate both machine identities and person identities. The focus of this paper is machine identity management.
- Impacts of the British Columbia Act 73-2004 (an amendment to the Freedom of Information and Protection of Privacy Act) on Medical Device Support in British Columbia (489k) August 2005
This paper is aimed at assessing the impacts of the Act on MedIS support, patient care, and business costs to the Canadian Healthcare System, resulting from unanticipated changes to MedIS equipment maintenance practices.
- Break-Glass – An Approach to Granting Emergency Access to Healthcare Systems
(238k) December 2004
This white paper discusses a simple yet effective emergency-access solution, sometimes called "break-glass". The purpose of break-glass is to allow operators emergency access to the system in cases where the normal authentication cannot be successfully completed or is not working properly. The systems include medical data acquisition devices as well as information systems which are collectively referred to as Medical Information Systems (MedIS).
- Patching Off-the-Shelf Software Used in Medical Information Systems (143k) October 2004
The purpose of this white paper is to make healthcare providers aware of the special requirements imposed on MedIS vendors and the practical constraints involved in patching COTS software. Medical Information Systems (MedIS) often incorporate commercial-off-the-shelf (COTS) software, e.g. operating systems, browsers, databases. COTS software vendors often issue patches, also called “hotfixes” or “updates,” to fix a variety of security, privacy, or stability problems. Typically, COTS software vendors’ procedures for testing or updating do not address the safety and effectiveness requirements mandated for MedIS. This means that healthcare providers must follow different procedures when patching COTS software incorporated in MedIS.
- Remote Service Interface - Solution (A) - Version 2: IPSec over the Internet Using Digital Certificates (430k) December 2003
The purpose of this white paper is to define one possible, reasonable, and practical solution for remote servicing of medical equipment addressing possible security threats to ensure availability, confidentiality, and integrity of the transmitted data. The paper describes in detail how to configure IPSec over the Internet using cryptographic certificates, and how to distribute the certificates out-of-band. It further defines the supporting conditions at the HCF and RSC. With this document vendors and health care facilities can configure a single access point using off-the-shelf-equipment.
- Defending Medical Information Systems Against Malicious Software (218k) December 2003
This white paper informs both vendors (manufacturers and integrators of Medical Information Systems (MedIS) and users (for example, hospitals and medical practices) about possible malicious software (malware) attacks. Malicious software (or malware), also referred to as a virus or malicious logic, includes such things as Trojan horses, denial of service attacks, trap doors, time bombs, and worms. The paper suggests ways to protect against such attacks that make use of exploitable MedIS vulnerabilities and offers a list of recommendations for both vendors and users to make the MedIS they produce and operate more secure. Vendors and users must cooperate to meet the challenge of safeguarding the security and privacy of data in healthcare.
HIPAA Business Associate Contract Sample Language
Press Releases
Presentations
*PDF files require the free Adobe Acrobat Reader, downloadable at www.acrobat.com.
|
75k)
970k)