Risk Assessment and Mitigation
The IHE ITI Security Cookbook presents an approach to documenting potential security risks, assessing them, and documenting a mitigation plan. Going through such an exercise with NHIN Direct may help clarify (and justify) why certain security mechanisms or policies are needed and why others are not.
The Characterization of Risk section contains a story describing a risk scenario, the assets affected, and the type of impact. The Assessment of Risk section makes a determination about the level of impact and probability of occurrence of the risk. The Mitigation of Risk section describes possible approaches to reducing the potential of the risk (mitigation) and states what the new level of impact and probability of occurrence are with the mitigation in place.
The risks to address/mitigate are those with either a high level of probability or a high level of impact as described in the Assessment of Risk sections. The values of the assessments should be on a scale of Very Low, Low, Medium, High, and Very High as documented in the IHE ITI Security Cookbook. The appropriate NHIN Direct workgroup (and overall community) will decide (via discussion) what the right values are for a given scenario.
Some of the terms below are explained in the Abstract Model.
Scenario 1
Characterization of Risk
A message Source (e.g., provider) sends an NHIN Direct Message to its HSP over the Internet; however, Ima Crook redirects the TCP packets to her fake HSP server. Ima reads the messages and obtains private details regarding the health of a celebrity. This loss of privacy allows Ima to use the information to extort money from the celebrity.
Assessment of Risk
The probability of this risk is High although unlikely to be frequent. The level of impact is High in the context of a loss of privacy.
Mitigation of Risk
Utilizing an X.509 server certificate on the HSP server in the context of a TLS handshake in which the Source verifies the certificate correctly would authenticate the server to the client. Assuming Ima Crook does not hold the associated private key, this would prevent the attack. This mitigation does not lower the level of impact (it is still High) but it does reduce the probability of risk to Very Low.
Scenario 2
Characterization of Risk
A message Source (e.g., provider) sends an NHIN Direct Message to its HSP over the Internet; however, the nefarious Jerry Mander sniffs the TCP packets and obtains private details regarding the health of the city mayor, which he uses in his blog to undermine the mayor's re-election campaign. The mayor's privacy has been violated and the fabric of democracy has been damaged.
Assessment of Risk
The probability of this risk is High although unlikely to be frequent. The level of impact is High in the context of a loss of privacy.
Mitigation of Risk
Utilizing TLS along with an X.509 server certificate on the HSP server would allow for on-the-wire encryption of the data thus preventing Jerry's attack (assuming a reasonable cipher suite such as TLS_RSA_WITH_AES_256_CBC_SHA). This mitigation does not lower the level of impact (it is still High) but it does reduce the probability of risk to Very Low.
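The following Go program is an added example for Scenarios 1 and 2; it is not code from the NHIN Direct project or the IHE cookbook. It builds, in memory, a trust root the Source relies on, a genuine HSP certificate issued under that root, and a look-alike certificate for the same host name signed with a key the Source never trusted (Ima Crook's fake server), then runs the verification a Source must perform during the TLS handshake against both. It also shows the client-side tls.Config that makes Go's TLS stack perform that check and encrypt the wire (Scenario 2). The host name hsp.example.org, the root's name, and the choice of TLS 1.2 as a floor with AES-256-GCM suites are this example's assumptions, not values the page prescribes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert creates a certificate for name: self-signed when parent == nil (the
// demo root, or Ima Crook's home-made cert), otherwise signed by parent/parentKey.
func issueCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo-only serial
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // leaf certs carry the host name as a SAN
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyHSPCertificate is the check the Source must make during the TLS handshake:
// the presented cert chains to a trusted root and was issued for the intended HSP host.
func verifyHSPCertificate(presented *x509.Certificate, roots *x509.CertPool, hspHost string) error {
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   hspHost,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// sourceTLSConfig makes the Go TLS client perform that same check on every
// connection (InsecureSkipVerify stays false) and sets the Scenario 2 floor:
// TLS 1.2 or later with AEAD suites, so the payload is encrypted on the wire.
func sourceTLSConfig(roots *x509.CertPool, hspHost string) *tls.Config {
	return &tls.Config{
		RootCAs:    roots,
		ServerName: hspHost,
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		},
	}
}

// buildScenario constructs the Source's trust root, the genuine HSP certificate
// issued under it, and Ima's look-alike: same host name, untrusted signing key.
func buildScenario(hspHost string) (pool *x509.CertPool, genuine, fake *x509.Certificate, err error) {
	root, rootKey, err := issueCert("Demo Trust Root", true, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	if genuine, _, err = issueCert(hspHost, false, root, rootKey); err != nil {
		return nil, nil, nil, err
	}
	if fake, _, err = issueCert(hspHost, false, nil, nil); err != nil {
		return nil, nil, nil, err
	}
	pool = x509.NewCertPool()
	pool.AddCert(root)
	return pool, genuine, fake, nil
}

func main() {
	pool, genuine, fake, err := buildScenario("hsp.example.org")
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine:", verifyHSPCertificate(genuine, pool, "hsp.example.org"), "| fake:", verifyHSPCertificate(fake, pool, "hsp.example.org"))
}
```

The genuine certificate verifies; the fake one fails with an unknown-authority error even though its name matches, and the genuine certificate also fails when the Source asks for a different host name. A client that sets InsecureSkipVerify (or skips the host-name check) accepts the fake certificate, which is exactly the gap the Scenario 1 mitigation closes.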
Scenario 3
Characterization of Risk
A message Source (e.g., provider) sends an NHIN Direct Message containing Protected Health Information (PHI) to its source HSP over the Internet using a mutually authenticated and encrypted TLS connection. The source HSP writes the message to disk and queues it up to send outbound to the destination HSP. Before the message can be sent, the source HSP's tape backup system executes and makes a copy of the PHI, which is archived for a matter of years. A tape is lost or stolen and unprotected PHI is potentially exposed.
Assessment of Risk
The probability of this risk is High. The level of impact is Medium in the context of a loss of privacy.
Mitigation of Risk
To avoid this risk, all data-at-rest needs to be encrypted as it streams from memory to disk. This could be done on a per-message basis with a symmetric encryption algorithm of adequate strength (e.g., AES-256) as long as the symmetric key is not backed up on the same tape (but is backed up in some other secure manner). This can also be done using asymmetric encryption via an X.509 certificate tied to the receiving provider (thus providing privacy even on intervening servers, if intervening servers are part of the deployment architecture). Another option is to symmetrically encrypt content at the file system level. These mitigations do not lower the level of impact (it is still Medium) but they do reduce the probability of risk to Very Low.
Scenario 4
Characterization of Risk
A message Source (e.g., provider) sends an NHIN Direct Message containing Protected Health Information (PHI) to its source HSP over the Internet using a mutually authenticated and encrypted TLS connection. The source HSP symmetrically encrypts the message as it writes it to disk and then routes it to an intervening server on its way to the destination HSP. The intervening server also symmetrically encrypts the message as it hits disk; however, the intervening server has been compromised and the nefarious Able Tocrack possesses the symmetric key. Able decrypts the messages that flow through and uses the PHI for criminal endeavors.
Assessment of Risk
The probability of this risk is Medium. The level of impact is High in the context of a loss of privacy.
Mitigation of Risk
To avoid this risk, X.509 asymmetric encryption of the message (using the receiving provider's public key) can be used at the source HSP such that only the destination HSP/provider can view the message. Possessing the symmetric encryption key of an intervening server would not allow for the exposure of the PHI. This mitigation does not lower the level of impact (it is still High) but it does reduce the probability of risk to Very Low.
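The following Go program is an added example for the Scenario 3 and Scenario 4 mitigations; it is not code from the NHIN Direct project. gcmSeal/gcmOpen are the symmetric per-message (or per-file) layer of Scenario 3, using AES-256-GCM so that a wrong key or a tampered blob is detected. On top of that, SealForProvider implements the Scenario 4 envelope: each message gets a one-time AES-256 key, and that key is wrapped with RSA-OAEP to the receiving provider's public key (the key from the provider's X.509 certificate), so only the holder of the provider's private key can open it. RunScenario4 then plays the story through: Able, controlling an intervening server, sees the complete envelope but holds only keys of his own. The message text, the use of RSA-2048 with OAEP/SHA-256 for key wrapping, and the envelope layout are this example's assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal is the symmetric layer of Scenario 3 (per message or per file):
// AES-256-GCM under key with a fresh nonce, nonce prepended to the output.
func gcmSeal(key, pt []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pt, nil), nil
}

// gcmOpen reverses gcmSeal; the GCM tag rejects a wrong key or any tampering.
func gcmOpen(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("bad key or blob")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Envelope is what the source HSP produces for Scenario 4: the body under a
// one-time AES-256 key, and that key wrapped with RSA-OAEP to the public key
// from the receiving provider's X.509 certificate.
type Envelope struct {
	WrappedKey []byte
	Body       []byte
}

// SealForProvider runs at the source HSP before the message touches disk.
func SealForProvider(providerPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	msgKey := make([]byte, 32)
	if _, err := rand.Read(msgKey); err != nil {
		return nil, err
	}
	body, err := gcmSeal(msgKey, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, providerPub, msgKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Body: body}, nil
}

// OpenAsProvider is the only route back to the plaintext: unwrapping the
// message key needs the provider's private key, which never leaves the destination.
func OpenAsProvider(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	msgKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("not the intended recipient: cannot unwrap message key")
	}
	return gcmOpen(msgKey, env.Body)
}

// RunScenario4 seals one constructed message for the provider, lets Able (who
// controls an intervening server) try it with a key of his own, and reports
// whether any PHI was readable along with what the provider recovers.
func RunScenario4() (ableReadsPHI bool, providerGets string, err error) {
	providerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, "", err
	}
	phi := []byte("constructed sample: lab results for patient 0000")
	env, err := SealForProvider(&providerKey.PublicKey, phi)
	if err != nil {
		return false, "", err
	}
	// Able sees the whole envelope (his server's own at-rest key hides nothing
	// from him) but only holds keys of his own, simulated by a fresh RSA key.
	ableKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, ableErr := OpenAsProvider(ableKey, env)
	ableReadsPHI = bytes.Contains(env.Body, phi) || ableErr == nil
	plain, err := OpenAsProvider(providerKey, env)
	return ableReadsPHI, string(plain), err
}
```

RunScenario4 returns false for ableReadsPHI and the original text for providerGets: the intervening server's symmetric key, whether compromised or not, never enters the picture for the inner envelope, which is the property Scenario 4 relies on. For Scenario 3 alone, gcmSeal over each message as it is written (with the key kept off the backup tape) is the whole mitigation.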