디지털핼스케어비즈니스를위한정보보안전략 박형근실장,
정보보안의현재 2
디지털병원의미래를향한현재진행형 3
디지털핼스케어산업의전략 디지털핼스케어혁신 IT 서비스와의적극적인융합 IoT 와인공지능활용 클라우드서비스도입 B2B & B2C 서비스개발 고객에대한통찰과극대화 디지털마케팅및고객발굴 사용자경험향상 로열티개발및이탈방지 소셜플랫폼활용 비즈니스프로세스혁신 헬스케어시스템최적화 가치전달및비용절감 모바일서비스강화 개인정보및데이터보호 내부통제및외부위협대응 모바일, IoT, 클라우드보안 법규제준수 4
패스워드관리는더엄격하게, 사용자는더자유롭게!! 패스워드변경은보다복잡한룰 (20 자이상복잡도상 ) 로, 보다자주 (1 주일혹은한달마다 ) 자동변경 FIDO Company Applications S OnePass O P Workplace Oracle HCM Remote Log in-off Personal Favorites B S S Banking Shopping One SNS D W Duty Free One Wallet Add Login of workplace on pc Authentication Logoff of workplace on pc Authentication 사용자는생체인증과싱글사인온통한간편인증과권한에따른자유로운접근 http://192.168.0.88:8080/iam-saas/portal_main.html http://192.168.0.88:8080/iam-saas/portal_main.html Windows Background 5
디지털헬스케어를위한차세대계정및권한관리필요 (1/2) 개인의무 / 개인정보보호 계정및접근권한관리 접근이력모니터링및이상행위분석 6
디지털헬스케어를위한차세대계정및권한관리필요 (2/2) 관련가이드라인 접근권한관리 : 최소권한, 즉알필요 (Need-to-Know) 및할필요 (Need-to-Do) 의원칙에따라업무담당자별로세분화하여권한을부여하여야함 - 적용범위 : 병원정보시스템, OCS(Order Communication System, 처방젂달시스템 ), EMR(Electronic Medical Record, 젂자의무기록 ), PACS(Picture Archiving Communication System), LIS(Lab Information System, 임상병리시스템 ), 건강검짂시스템, 병원홈페이지등의료기관에사용하는개인정보처리시스템에대하여사용자 / 직무 / 그룹 / 역할별로화면 / 메뉴 / 버튼 ( 읽기, 쓰기, 출력, 다운로드등 ) 단위의상세접근권한을설계하고적용하여야함 - 퇴직등인사변동이발생하여개인정보취급자가변경된경우, 지체없이시스템의접근권한변경또는말소 - 접근권한부여, 변경또는말소에대한내역을기록하고, 그기록을최소 3 년간보관하여야함 - 안젂한비밀번호사용을위한규칙적용및일정횟수이상비밀번호입력오류시계정잠금 보안영역및 IBM 보안솔루션 IAM: 보다정밀한통합계정및 EAM 수준의권한관리요구 Identity and Access Manager 7
머신러닝기반의사용자행위분석 8
관련가이드라인 의료기관은정보통싞망을통한불법적인접근및침해사고방지를위하여침입차단시스템 (Firewall) 또는침입방지시스템 (IPS : Intrusion Prevention System) 등접근통제시스템을설치하여운영하여야함 인터넷홈페이지운영시개인정보노출을방지하기위한보안조치를수행하여야함 고유식별정보, 비밀번호, 바이오정보등과같은주요개인정보가암호화되지않고개인정보처리시스템에저장되거나네트워크를통하여젂송될경우, 유출 노출및위 변조등의위험이있으므로암호화등의안젂한보호조치가제공되어야함 - 암호화대상개인정보는고유식별정보, 비밀번호및바이오정보 - 녹취파일, 영상정보가분실, 도난, 유출, 변조또는훼손되지않도록안젂성확보조치 개인정보취급자가개인정보처리시스템에접속한기록은최소 6 개월이상위 변조및도난, 분실되지않도록안젂하게보관하여야함 개인정보의조회, 출력, 다운로드시업무상불필요한개인정보의노출을최소화할수있도록개인정보의일부분을마스킹하여표시제한조치를취하는것이바람직함 보안영역및 IBM 보안솔루션 침입방지시스템 Network Protection (XGS) 웹취약점진단솔루션 AppScan Standard 데이터암호화시스템 Guardium Data Encryption 통합로그관리 QRadar Log Manager 데이터마스킹 Guardium Data Protection 9
건강및개인정보보호 민감정보식별 / 정의취약성평가, 권한위임관리 암호화, 정형 / 비정형마스킹 DB 트랜잭션, 파일접근실시간모니터링 접근통제 ( 제어, 마스킹, 경고, 격리 ) 상시감사, 규제지원자동화 (HIPPA 등 ) ANALYTICS 10
정형, 비정형암호화를위한 IBM Multi-Data Encryption IBM Multi-Data Encryption 은데이터암호화및암호화 Key 관리를위한포괄적인솔루션으로서헬스케어산업에서사용하는주요플랫폼및클라우드홖경의암호화를지원하며, 암호화를통하여건강및개인정보를보호하고법규제준수를강화합니다. DATA 암호화 데이터유출원천적차단 정형및비정형데이터암호화 IBM Multi-Data Encryption 쉬운설치및구현 애플리케이션수정없음 투명한연동 OS 접근제어 OS User & Process 접근제어 File/Volume 에대한접근제어 클라우드환경에서의암호화제공 모든정형 / 비정형데이터중앙에서관리 중앙관리 암호화 KEY 관리 별도의분리된안전한 Key 서버 FIPS 140-2 키관리인증기술기반 암호화후최소성능 Impact 인덱스검색등조회변화없음 암호화후성능보장 11
Client Example Crohn s & Colitis Foundation of America (CCFA) text Who? Non-profit dedicated to finding cures for Crohn' s Disease and ulcerative colitis. Need Protect patient info in public database Personal Healthcare Information (PHI) Personally Identifiable Information (PII) Research, Academic and Medical Communities Various Patient, Academic & Research Data Cache Object Storage Comply with the federal and state privacy laws HIPAA/HITECH healthcare compliance. Solution Data Platform Application protected by MDE IBM Cloud hosted infrastructure for their applic ations MDE used to secure data Shared Data without PHI / PII information Analytic Platform Application protected by MDE 12
정형및비정형데이터내건강및민감정보식별 고유식별번호등의개인정보를비롯하여파일시스템내에존재하는건강정보및민감데이터식별을통해암호화대상및보호정책을정의하도록지원합니다. File Server (Unix/Win) Activity Monitor FAM Crawler and Discovery 13
건강및민감정보에대한접근기록모니터링및통제 건강및민감정보에대한접근모니터링중보안정책에위배되는트랜잭션발생시해당트랜잭션을차단하여데이터유출을통한침해사고를방지할수있도록지원합니다. 14
이상트랜잭션감지 젂사내다양한정형, 비정형데이터접근에대해실시간모니터링중이상트랜잭션을감지하고, 모니터링된내역에대해침해요소를파악및관리할수있는가시성을제공합니다. Anomaly hours flagged red or yellow Click bubble for Outlier view 15
IBM 은보다능동적이고선제적인보안면역시스템을만들어갑니다. App Exchange X-Force Exchange BigFix QRadar Network Security (XGS) QRadar Incident Forensics MaaS360 SECURITY OPERATIONS AND RESPONSE QRadar SIEM QRadar Vulnerability / Risk Manager QRadar Advisor with Watson QRadar User Behavior Analytics Resilient Incident Response i2 Enterprise Insight Analysis Trusteer Pinpoint Trusteer Mobile Trusteer Rapport INFORMATION RISK AND PROTECTION Guardium Key Manager AppScan Cloud Security Identity Governance and Access Privileged Identity Manager Cloud Identity Service zsecure SECURITY TRANSFORMATION SERVICES Management consulting Systems integration Managed security 16
THANK YOU FOLLOW US ON: ibm.com/security securityintelligence.com xforce.ibmcloud.com @ibmsecurity youtube/user/ibmsecuritysolutions Copyright IBM Corporation 2017. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANYSYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.