Privacy and Security - Network - EBUS.07

Network security is a fundamental component in protecting ministry health information exchange (HIE) systems and data assets from service disruption and other threats. It follows a defence-in-depth approach, in which multiple independent security measures are layered so that no single control is relied upon.

Your points of service are also required to have, at a minimum, the following security measures in place in order to interface with ministry HIE systems.

Local Area Networks

The local area network (LAN) must implement managed perimeter defence safeguards to mediate all traffic and to protect systems from "over the network" attacks and attempted security breaches. If your LAN is directly connected to the Shared Provincial Network (SPANBC) or the Private Physician Network, there must be no cross-connection to an external network (e.g., a commercial internet provider such as Shaw).

Firewalls

Firewalls block unauthorized access. Personal firewalls (end-point protection) must be installed and running on all your point of service computers.

Anti-virus and Anti-spyware

For protection from viruses and spyware, anti-virus software must be deployed on all systems (particularly personal computers and servers). Anti-virus mechanisms must be current, actively running, and generating audit logs. Scheduled updates or real-time update mechanisms must be used to keep operating system and application security patches current.

Equipment Protection

To prevent unauthorized access to areas that house information technology equipment (e.g., server rooms, network or telecommunications closets), physical security measures must be used, such as:

  1. locked room with solid wall (floor-to-ceiling) construction or specialized locked cabinet or equivalent;
  2. restricted key access;
  3. locks, bolts (or equivalent) on vulnerable doors and windows; and
  4. motion detectors and intrusion alarm systems.

Wireless Local Area Network

Wireless local area networks (WLAN) must be encrypted and have the following security measures:

  • Physically secure wireless access points;
  • Wi-Fi Protected Access II (WPA2) Enterprise:
    • Authentication: EAP-TLS;
    • Encryption: AES-CCMP (128 bits minimum);
  • Wi-Fi Protected Access II (WPA2) Personal:
    • Authentication: pre-shared key (PSK) with a random passphrase of at least 13 characters;
    • PSK must be secured and changed on a regular basis;
    • PSK must be changed whenever employees/contractors that have access to the network leave the organization; and
    • Encryption: AES-CCMP (128 bits minimum).

Personal mode must only be used for small network installations that do not have authentication servers available.
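The Enterprise and Personal mode requirements above can be checked mechanically against an access point's configuration. The following checker is an added example, not part of the ministry document; it reads a simplified key=value format constructed for this example and loosely modelled on hostapd.conf (the `eap_method` key and the bits-per-character randomness heuristic are assumptions, not real hostapd options or ministry rules).

```python
"""Check a WLAN configuration against the WPA2 requirements above."""
import math
from collections import Counter

MIN_PSK_LEN = 13            # minimum passphrase length required above
MIN_PSK_BITS_PER_CHAR = 3.0  # heuristic for "random"; an assumption, not a stated rule


def parse_config(text):
    """Parse 'key=value' lines (constructed format), ignoring blanks and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def shannon_bits_per_char(s):
    """Shannon entropy per character; 0.0 for an empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def check_wlan(cfg):
    """Return a list of findings; an empty list means the config is compliant."""
    findings = []
    if cfg.get("wpa") != "2":
        findings.append("wpa must be 2 (WPA2)")
    if cfg.get("rsn_pairwise") != "CCMP":
        findings.append("rsn_pairwise must be CCMP (AES-CCMP, 128-bit)")
    mgmt = cfg.get("wpa_key_mgmt", "")
    if mgmt == "WPA-EAP":                      # Enterprise mode
        if cfg.get("eap_method") != "TLS":     # assumed key, see lead-in
            findings.append("Enterprise mode requires EAP-TLS")
    elif mgmt == "WPA-PSK":                    # Personal mode
        psk = cfg.get("wpa_passphrase", "")
        if len(psk) < MIN_PSK_LEN:
            findings.append(f"PSK shorter than {MIN_PSK_LEN} characters")
        if shannon_bits_per_char(psk) < MIN_PSK_BITS_PER_CHAR:
            findings.append("PSK does not look random (low character variety)")
    else:
        findings.append("wpa_key_mgmt must be WPA-EAP (Enterprise) or WPA-PSK (Personal)")
    return findings


# Constructed sample configurations for demonstration.
ENTERPRISE_OK = "wpa=2\nwpa_key_mgmt=WPA-EAP\neap_method=TLS\nrsn_pairwise=CCMP\n"
PERSONAL_SHORT = "wpa=2\nwpa_key_mgmt=WPA-PSK\nwpa_passphrase=password1234\nrsn_pairwise=CCMP\n"
PERSONAL_TKIP = "wpa=2\nwpa_key_mgmt=WPA-PSK\nwpa_passphrase=aaaaaaaaaaaaaaa\nrsn_pairwise=TKIP\n"
```

Running `check_wlan(parse_config(PERSONAL_TKIP))` reports both the TKIP cipher and the non-random passphrase, while `ENTERPRISE_OK` yields no findings.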