Health IT Policy Committee Recommends Two-Factor Authentication for EHRs

The Health IT Policy Committee on June 8 accepted a recommendation that all organizations participating in the Nationwide Health Information Network initiative (NwHIN) should use digital certificates that meet the same authentication standards already required for federal agencies. Ultimate approval for the recommendation falls on the Department of Health and Human Services.

One of the main motivations for the digital certificate requirement is that most healthcare organizations, at some point, will have to exchange information with a federal agency, and that requires use of Federal Bridge standards.

The authentication recommendation, which came from the Privacy and Security Tiger Team, states, “all certificates used in NwHIN exchanges must meet Federal Bridge standards and must be issued by a certificate authority (or one of its authorized resellers) that is a member of the Federal Public Key Infrastructure Framework.”

Paul Egerman, tiger-team co-chair, told the committee that an electronic health records (EHR) vendor, for example, could serve as a certificate reseller. Plus, about six certificate authorities now offer the Federal Bridge certificates at prices of $100 or less per organization.

In addition to the authentication recommendations, the committee recommended that for stage two of the HITECH Act electronic health record incentive program participants should verify how they’re keeping stored data secure, such as through encryption.

HHS is slated to issue a proposed rule setting requirements for stage two of the EHR incentive program by year’s end, with a final rule due by mid-2012.

In light of that timeline, the HIT Policy Committee on June 8 recommended that HHS fine-tune the deadline for certain participants in the program to achieve stage two benchmarks. Under the revised plan, those that attest to qualifying for stage one in 2011 would have until 2014, instead of 2013, […]

PKI Security Made Simple

What’s better:  having a lock on your door, or having a lock on your door AND a guy standing there making sure it’s you unlocking the door?

Obviously, the more security you have the better, which is why more Government eCommerce systems are moving towards PKI.   So, what does PKI mean? The acronym stands for Public Key Infrastructure and it refers to the use of hardware and software-based “keys”, or certificates, to verify a user’s identity and credentials online.

In order to get a key/certificate, you need to contact a Certificate Authority (CA). There are several CAs available, but the Defense Logistics Agency only recognizes Verisign, Identrust, and ORC as approved CAs on DOD EMALL.  And when it comes to establishing user identity, CAs don’t take the process lightly.  Getting a certificate issued generally requires paperwork, several forms of identification, a notary signature, and on occasion, an in-person visit.

After your identify is verified, the certificate is issued in one of two ways:

1) A software-based certificate installed directly to the user’s computer.

2) A portable, hardware-based certificate that the user physically carries with them (often in the form of a smart card or USB stick).

These certificates also include a user-associated PIN.  This is called two-factor authentication, and is why PKI is significantly more secure than the traditional username/password model. It’s more than just what you know (i.e., a password); it’s what you have and what you know.

So, now that you have a certificate, what can you do?

Some sites, such as the DOD EMALL, require users to present a certificate for accessing and using the site. Additionally, certificates enable users to send digitally-signed emails that provide proof of data integrity and origin, while also enabling receipt of encrypted email.

Users […]

By |September 2nd, 2010|DOD EMALL, Government eCommerce|Comments Off on PKI Security Made Simple|

PKI Security in Large Scale Web Applications – Part 5: The Solution and the Result

This final part of our series on PKI security in large scale web applications looks at how eValidate was able to accommodate the unique, high performance demands of the DOD EMALL.

Powered by Partnet eValidate, DOD EMALL is now fully CAC-enabled, and public key access is configured for all Federal Bridge customers. This was accomplished with zero impact to system performance and availability, and in accordance with the strict DOD operating standards.

eValidate’s internal CRL application was implemented to validate regular DOD Common Access Cards. The application automatically retrieves, compiles, and indexes CRLs from a host of trusted CAs into a dedicated file system within the DOD EMALL login module. The file system is available throughout the load-balanced cluster, allowing user CACs to be checked against the indexed file system from any node within the system. eValidate’s internal server-side CRL application provides virtually seamless login and certificate-revocation processing— transparent to users and without impact to system performance and availability.

While an efficient certificate revocation method for regular DOD users, the internal CRL application was not a practical solution for validating the external certificates (i.e., VeriSign, IdenTrust, etc.) used by DOD’s Federal and commercial partners. Instead, eValidate’s OSCP web service was enabled for these user groups.

Using standard HTTP, the login module transmits an encoded OCSP query to a corresponding OCSP responder for each external public key presented (i.e.,LincPass, HSPD-12 cards). The OCSP responder checks the public key’s digital certificate and returns the revocation status to DOD EMALL in real-time. The Federal Bridge user is then granted or denied access, as appropriate.

Too many simultaneous OCSP queries can undermine network performance, however, which is why Partnet configured this solution for Federal Bridge users—representing only a small fraction of the DOD […]

PKI Security in Large Scale Web Applications – Part 4: Case Study of DOD EMALL

This part of our series on PKI security in large scale web applications examines the challenge the DOD EMALL faced in implementing PKI.

DOD EMALL is the largest eCommerce site operating within the US Government. It is a highly-available system that employs best-in-class practices and utilizes a variety of sophisticated networking and systems hardware, alongside software based clustering to enable redundancy, scaling, and load balancing.

Around the globe, DOD EMALL provides a single-entry point for more than 30,000 registered users to search and purchase from a virtual catalog of over 66 million items.

Within the Department of Defense, system performance and IT security have long been at odds. Large-scale web applications must efficiently deliver products, services, and information to end users, while at the same time, restricting unauthorized access. Faced with this dilemma, the Defense Logistics Agency (DLA) turned to Partnet for a PKI security solution for the DOD EMALL.

Background

The Federal Bridge Certificate Authority (FBCA) was established to help federal agencies better share information and resources through a more secure, interoperable PKI framework. The Federal Bridge enables department-issued public keys to be cross-certified and accepted throughout the community. The following diagram helps illustrate the FBCA trust model.

In response to the FBCA, the DOD developed Instruction 8520.2, mandating a Department-wide PKI policy to enhance security through authentication, digital signatures, and encryption. The first line of defense was the Common Access Card (CAC) — a smart card provided to DOD service members, civilians, and contractors in order to access restricted systems, networks, and facilities.

The CAC—a hard-token public key—carries a non-replicable digital certificate providing:

Data integrity and confidentiality
User identification and authentication.
User non-repudiation

The Challenge

Like every other DOD agency, the DOD EMALL Program Office was directed to provide DOD users access through the CAC, but […]

PKI Security in Large Scale Web Applications – Part 3: Partnet eValidate

This part of our series on PKI security in large scale web applications examines how the new Partnet eValidate solution effectively satisfies the unique PKI demands of large scale web applications.

Partnet eValidate™ is an ideal solution for large-scale web applications with a large number of users and transactions. eValidate protects government enterprises from potential security breaches by verifying the revocation status of digital certificates within a PKI. eValidate provides enterprises with the flexibility of using CRL and Online Certificate Status Protocol (OCSP) for validation as illustrated in this graphic.

OCSP is a fast, lightweight alternative to traditional CRLs that allow applications to query external certification-status servers, or OCSP responders, for the status of a single certificate. OCSP responds much faster than CRL downloads—quickly returning a small, signed message stating the certificate’s revocation status. For large-scale systems, Partnet eValidate provides enterprises with faster, more efficient cert validation processing and greater security protection.

Partnet eValidate Benefits

Security. Safeguards applications and networks against potential security breaches from expired or revoked digital certificates.
Reliability. Robust design provides support for backup, load balancing, and failover.
Versatility. Provides agency’s with the flexibility to use CRL- or OCSP based validation based on the particular need.
Cost Effective. Designed to efficiently plug in and scale to meet a wide range of deployment requirements.
Proven. eValidate has been proven in one of the government’s largest and most challenging e-commerce transaction environments.

The next installment in this series will look at how Partnet eValidate was able to solve the PKI security challenges faced by the DOD EMALL, one of the largest Government eCommerce sites.

PKI Security in Large Scale Web Applications – Part 2: The Limits of Off-The-Shelf Solutions

This part of our series on PKI security in large scale web applications examines the limits of traditional Off-the-Shelf PKI-validation solutions.

Per Joint Task Force Global Network Operations (JTF-GNO), the #1 method of attack on the DoD information network is compromised user IDs and passwords. Homeland Security Presidential Directive (HSPD 1) — implemented in the wake of September 11, 2001 — mandates a federal standard for secure and reliable forms of identification.

Validating a user’s identity is at the heart of PKI’s effectiveness. Certificate-validation software is currently available off-the-shelf from a variety of private companies. These products typically employ a desktop application that transmits HTTP requests to corresponding certificate-status servers whenever a smart card (or other public key) is presented. The server verifies the smart card’s digital certificate against a Certificate Revocation List (CRL)—provided by a principal Certifying Authority—and determines whether the user’s access is granted or denied.

Within a PKI, it is particularly important to ensure certificate validation is performed efficiently to minimize impact to users, networks, and system applications. And while standard off-the-shelf products have proven effective when deployed to smaller systems with relatively limited user volume, larger, more sophisticated systems typically require a more robust solution.

Many large-scale, high-volume systems use sophisticated load-balanced and clustered architectures that deploy applications redundantly across multiple nodes—optimizing availability and failover, while operating as a single virtual machine.

Traditional COTS products, however, require a one-to-one connection between the local application and the externally-hosted CRLs, which load-balanced architectures prevent. As a result, traditional COTS solutions cannot be properly configured for most large-scale systems without negatively impacting availability and performance.  While sufficient for small systems and applications, these COTS solutions are not well suited for the high volume demands of large-scale web applications.

The next installment […]

PKI Security in Large Scale Web Applications – Part 1: The Call for PKI Validation

This week, Partnet begins a five part series on PKI security in Large Scale Web Applications. We will cover the importance of PKI validation within the Federal Government, the limits of Off-the-Shelf PKI validation packages, a DOD case study for use of Partnet’s new eValidate software and a description of the solution and outcome.

Part 1:  The Call for PKI Validation

Over the past decade, technology has enabled government agencies to provide more immediate services to citizens and greater flexibility in meeting their mission objectives. As a result, these agencies have become increasingly dependent on the integrity of their information systems. In recent years, attacks on these systems have grown in size and sophistication, with the Department of Defense (DOD) now suffering more than 5,000 attacks a day on its servers.1

Security breaches have plagued nearly every agency, whether through malicious code, stolen data, or compromised IDs and passwords. The government is now fighting back with a renewed focus on cyber security and access control. Chief among these tasks is the move towards a Public Key Infrastructure (PKI) for application and network security. Unlike traditional security models that rely on usernames and passwords, PKI is based on the issuance of public keys that bind digital certificates to a user’s identity and credentials.

Major advantages of PKI include:

Centralized x.509 certification – Specifies standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm across government agencies.
Elimination of username and password management – Cryptographic public keys preclude problems associated with forgotten or shared login credentials.
Revocation of compromised certificates – Certificate Authorities (CA) help agencies to immediately identify and revoke compromised or invalid certificates.

As PKI has matured, so has the application of digital identification cards, known […]

Google+