ITL FOCUSES ON HEALTHCARE ISSUES

Privacy and Security in Healthcare

To participate in the development of a common set of IT security requirements for healthcare, ITL works with healthcare organizations through the Forum on Privacy and Security in Healthcare (FPSH). The forum was organized in November 1998 under the sponsorship of the National Information Assurance Partnership (NIAP, a joint National Institute of Standards and Technology and National Security Agency initiative) and the Healthcare Open Systems and Trial (HOST). The FPSH is incorporated as a nonprofit charitable organization consisting of participating members from approximately 50 healthcare organizations. The organization's board of directors consists of representatives from SAIC, Exodus (Arca), DataCert, Enterworks, Arthur Anderson, Open Network Technologies, the National Association of Chain Drug Stores (NACS), and NIAP (invited ex-officio member).

The goals of the forum are:

• To provide education and awareness to the healthcare community on the Common Criteria (CC) (ISO/IEC 15408);
• To demonstrate the application of the CC (and Protection Profile) paradigm as a way of mapping emerging federal, state, and organizational policies, laws, and regulations pertaining to IT security policy to technology requirements, measurement and compliance; and
• To serve as a venue for healthcare stakeholders to define common, user-defined security requirements in the form of CC-based Protection Profiles.
  

With support from NIST's Advanced Technology Program and NIAP, we are developing guidance material and reference CC-based profiles to assist and educate the healthcare community in specifying Protection Profile security requirements using the ISO/IEC 15408 Common Criteria standard. The guidance documents and reference CC-based profiles being developed include:

• A Framework for defining a family of integrated/related protection profiles for healthcare information systems (e.g., Laboratory Information System [LIS], Patient Admission Discharge and Transfer [ADT]), which includes a methodology for translating high-level policy (e.g., Healthcare Insurance Portability and Accountability Act) into system security specifications for various healthcare information systems (expressed in ISO/IEC 15408 Common Criteria protection profiles or security targets);
• A Common Criteria functional package, which is a mapping of the Department of Health and Human Services (HHS), Healthcare Financing Agency (HCFA) Internet Security Policy into Common Criteria constructs that can be re-used, and imported into, user-defined Protection Profiles or vendor-defined Security Targets;
• A Common Criteria functional package, which is a mapping of the HHS Health Insurance Portability and Accountability Act of 1996 Proposed Rule for Security Standards into the Common Criteria constructs that could be re-used, and imported into, user-defined Protection Profiles or vendor-defined Security Targets; and
• A Reference Healthcare Insurance Portability and Accountability Act based on the Common Criteria Protection Profile for patient “Point-of-Care Admission, Discharge and Transfer (ADT).”

Drafts of these documents have been prepared and will soon be submitted to the forum membership for review and feedback. We are seeking community consensus on the documents as a common set of IT security requirements for healthcare. For more information, visit the Web site http://niap.nist.gov or contact L. Arnold Johnson, (301) 975-3247, arnold.johnson@nist.gov.

Healthcare Information Systems

Another ITL project, initiated in 1996, focuses on healthcare information systems. Our Software Diagnostics and Conformance Testing Division is assisting the Department of Veterans Affairs (VA) in making informed decisions with regard to technology choices for their healthcare information system VistA. We are designing distributed models and architectures for VistA and developing reference implementations for these designs. We designed the RPC (Remote Procedure Call) Broker, which enabled remote client/server access to individual large hospital servers. We then designed and implemented the Enterprise Single Sign-On (ESSO) Facility, which provides an enterprise-wide single logon to all hospital servers. In FY 2000, we designed and implemented the prototype Inter-Organizational Role Based Access Control (IORBAC) authorization mechanism, which enters national trials this year.

This work benefits companies that develop healthcare information systems for the federal government. We also participate with other federal agencies in the development of standards in the healthcare industry. See http://www.nist.gov/va/ or contact Bill Majurski, (301) 975-2931, william.majurski@nist.gov.

FEDERAL INFORMATION PROCESSING STANDARDS (FIPS) ACTIVITIES

Cryptographic Algorithm for the Proposed Advanced Encryption Standard (AES) Selected

Following a three-year, worldwide competition to identify a new data encryption technique for a proposed AES Federal Information Processing Standard (FIPS), Secretary of Commerce Norman Y. Mineta announced, on October 2, 2000, the selection of Rijndael as the winner of the competition. Belgian cryptographers Joan Daemen, Proton World International, and Vincent Rijmen, Katholieke Universiteit Leuven, developed Rijndael.

The algorithm was selected from five finalist candidates because of its high degree of security combined with performance, efficiency, implementability, and flexibility. ITL's Computer Security Division worked closely with private sector cryptographers from around the world to conduct the competition. The next step is a public comment period, after which ITL will revise the proposed standard if appropriate and submit it to the Secretary of Commerce for approval as a FIPS. ITL hopes to complete the process by the spring of 2001. The Web site is http://csrc.nist.gov/encryption/aes/.

Check out our new ITL Web Site

We invite you to visit our redesigned Web site at http://www.itl.nist.gov. We have created a user-friendly format, added links to related pages, enhanced the search capability, and ensured that the site is fully accessible to people with disabilities.

UPDATE ON NEW PUBLICATIONS

ITL publishes the results of studies, investigations, and research. The reports listed below may be ordered from the following sources as indicated for each:

Superintendent of Documents
U.S. Government Printing Office (GPO)
P.O. Box 371954
Pittsburgh, PA 15250-7954
Telephone (202)512-1800
Fax (202)512-2250
Home Page: http://www.acess.gpo.gov

National Technical Information Service (NTIS)
5285 Port Royal Road
Springfield, VA 22161
Telephone (703)605-6000
Rush Service (800) 553-6847
Fax (703)321-8547 or (703) 321-9038
Home Page: http://www.ntis.gov/onow

Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products -- Recommendations of the National Institute of Standards and Technology
By Edward A. Roback
NIST Special Publication 800-23
August 2000
PB2001-100173 $23.00 paper
Order from NTIS $12.00 microfiche

Computer security assurance provides a basis for one to have confidence that security measures, both technical and operational, work as intended. Use of products with an appropriate degree of assurance contributes to security and assurance of the system as a whole and thus should be an important factor in IT procurement decisions. This document describes two government programs of particular interest -- the National Information Assurance Partnership (NIAP)’s Common Criteria Evaluation and Validation Program and NIST’s Cryptographic Module Validation Program (CMVP).

The document is available at http://csrc.nist.gov/publications/nistpubs/index.html.

On Weakly Analytic and Faithfully Convex Functions in Convex Programming
By G.P. McCormick and Christoph Witzgall
NISTIR 6426
June 2000
PB2000-101375 $23.00 paper
Order from NTIS $12.00 microfiche

This report considers weakly analytic convex, faithfully convex, and self-concordant functions and describes their relationship. It provides complete proof of results that illustrate circumstances under which weak analyticity occurs for convex functions.

Mars, RC6, Rijndael, Serpent and Twofish were selected as finalists for the Advanced Encryption Standard (AES). To evaluate the finalists’ suitability as random number generators, empirical statistical testing is commonly employed. Although it is widely believed that these five algorithms are indeed random, randomness testing was conducted to show that there is empirical evidence supporting this belief. In this paper, NIST reports on the studies that were conducted on the finalists for the 192-bit key size and 256-bit key size. The results to date suggest that all five of the finalists appear to be random.

Filamentary streamers evolve rapidly in a surrounding voltage field, which influences their shape and density. This report describes a simplified "stochastic Laplacian fractal" simulation for this phenomenon. The purpose was to capture the global features of the growth.

Image Compression and Deblurring
By Anastase Nakassis and Alfred Carasso
NISTIR 6521
May 2000
PB2000-105545 $25.50 paper
Order from NTIS $12.00 microfiche

This report describes an experiment in which ITL investigated the possibility that blurring techniques and lossless compression could be combined as an alternative to lossy compression techniques for still images. Results show that while blurred images compress losslessly better than their originals, this technique offers relatively modest compression ratios that can be matched by lossily compressed images (jpeg) having less noticeable artifacts.

NIST Special Database 27 Fingerprint Minutiae From Latent and Matching Tenprint Images
By Michael D. Garris and R. Michael McCabe
NISTIR 6534
June 2000
PB2000-107350 $25.50 paper
Order from NTIS $12.00 microfiche

In conjunction with the Federal Bureau of Investigation, ITL developed a database of grayscale fingerprint images and corresponding minutiae data. The database contains latent fingerprints from crime scenes and their matching rolled fingerprint mates. It can be used to develop and test new fingerprint algorithms, test commercial and research automated fingerprint identification systems, train latent examiners, and promote the ANSI/NIST file format standard. NISTIR 6534 includes the CD and documentation.

High Speed Network Applications and Implications for Fiberoptic and Copper Connections
By Dean Collins, John Antonishek, Sean Sell, and Alan Mink
NISTIR 6536
June 2000
PB2001-100758 $23.00 paper
Order from NTIS $12.00 microfiche

This report presents an analysis of the current tradeoffs between using copper wire versus fiberoptic cable for rewiring buildings at NIST for data communications to the desktop. Tradeoffs are considered from two different viewpoints: the cost of installing and maintaining the wiring, and the computer-imposed limitations on the use of the wiring. These findings substantiate NIST's decision to use copper wiring.

From 2D to 3D: Numerical Grid Generation and the Visualization of Complex Surfaces
By Bonita Saunders and Qiming Wang
NISTIR 6555
August 2000
PB2000-107703 $23.00 paper
Order from NTIS $12.00 microfiche

A key feature of the NIST Digital Library of Mathematical Functions will be 3D visualization capabilities that allow a user to interactively examine the unique features of complicated mathematical functions. This paper discusses the use of grid-generation techniques to facilitate the plotting of the complicated 3D surfaces that represent these higher mathematical functions.

We welcome your comments

We have posted for public review the first draft of Engineering Principles for IT Security (EP-ITS). (An outline was previously posted under the title IS Security Principles.) Comments on the draft document are requested by December 1, 2000. The document contains information for reviewers, including where to send comments. The draft document is available in two formats at http://csrc.nist.gov/publications/drafts/issep.html.

UPCOMING TECHNICAL CONFERENCES

NIST Digital Cinema Conference

The objectives of the conference are to articulate a vision for digital cinema, identify technological and business issue barriers to achieving that vision and develop strategies for breaching the barriers, including standards, technology development, and research. The audience will be end users of digital cinema technology, post-production, image and mapping, theater owners, etc.

14^th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference

Founded in 1987, FISSEA is an organization run by and for federal information systems security professionals. The annual FISSEA conference addresses the major challenges confronting information security trainers and educators; this year’s theme is “From Y2K to T E A (training, education, awareness) with FISSEA.”
Dates: March 13-15, 2001
Place: Hilton Hotel, Gaithersburg, Maryland
Contact: Mark Wilson, (301) 975-3870, mark.wilson@nist.gov
http://csrc.nist.gov/organizations/fissea.html

National Information Assurance Partnership (NIAP) Training Courses

Check out the NIAP Web site at http://niap.nist.gov, click on Events, and click on Training Classes.

Disclaimer: Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by the National Institute of Standards and Technology nor does it imply that the products mentioned are necessarily the best available for the purpose.