CDC moves disease surveillance system to the cloud

 


CDC's BioSense, originally developed as an anti-terrorism program, is remaking itself to provide a cloud-based platform for federal, state and local health care coordination.

Details of the new model still are being worked out, but it was decided that the program was an ideal candidate for deployment in the cloud. “It supports the business model,” Kass-Hout said. “And you end up saving quite a bit.”

The BioSense program, created by the Centers for Disease Control and Prevention in the wake of the 2001 terrorist attacks, is remaking itself to provide a cloud-based collaboration platform for federal, state and local health officials.

“It essentially is for the rapid, automated collection and dissemination of data,” said Dr. Taha Kass-Hout, BioSense program manager at CDC’s Public Health Surveillance Program Office. “The original mandate was to look at bioterrorism incidents,” but that is being expanded to include all human health-related conditions.

Making a broader range of information available will help public health officials spot, predict, prepare for and respond to outbreaks and events. In the course of this change, CDC has decided that maintaining a centralized infrastructure for gathering and using data no longer makes sense.





That means money can be shifted from IT acquisition and maintenance to lowering the cost of participation for state and local offices. However, the cloud also comes with its own set of security concerns as resources, including hardware, software and data, are moved to a third-party environment.

There is a saying, “you can outsource security, but you can’t outsource responsibility,” said Jon Geater, director of technical strategy at Thales e-Security, an electronics and systems security firm.

Securing data, managing identities and controlling access are different in the cloud but not necessarily more difficult. In theory, the economy of scale and centralized management in a cloud environment could make best security practices such as real-time monitoring, patch management and configuration management easier — if the service provider is doing these things, that is. Not all of them are.

“The cloud is a marketplace,” Geater said. “Some people will be better than others.”

BioSense security

Security and access control are among the criteria that will be considered when the BioSense community makes its decision on a cloud provider later this year. Both the customer and the provider will have to work together to ensure that the appropriate levels of security are maintained to safeguard public but sensitive health data.

“There is a responsibility for the organization to maintain a level of security” for the data it owns, Geater said. But the service provider also must provide appropriate information and tools to the customer. “It’s a shared thing.”

BioSense was authorized in 2002 and established in 2003 to provide early detection and rapid assessment of illnesses and outbreaks that could be an indication of a terrorist attack. That mission is not being abandoned, but the information is being used to improve public health situational awareness by allowing threats to be detected earlier, to support public health practice, and to allow the collaboration of public health officials in different parts of the country that are facing similar situations or have information that is needed by someone else.

Recent uses of the evolving BioSense program include monitoring health problems related to the Gulf oil spill in Alabama, Florida, Louisiana, Mississippi and Texas and tracking possible rabies infections and flu-like illnesses.

BioSense data currently is being collected from local hospitals, health departments, laboratories and the pharmaceutical industry, as well as from federal health care providers, including the Defense and Veterans Affairs departments.

“The data comes in various forms, but primarily in some electronic form,” Kass-Hout said. DOD, VA and some labs have automated systems that pass the information to CDC.

Socialized health data

In the past, CDC has gathered data centrally and produced reports and other products for BioSense participants. The new model will provide a user-centric environment rich with social features for sharing information. Participants will have more control over and access to their data and will be able to form ad hoc teams to collaborate in developing products needed at the time. The collection system also will be standardized so that data will come to CDC from public health departments rather than directly from local hospitals.

“In the new model, we are going to embrace the health department,” Kass-Hout said. “They own that relationship with the hospital,” and it is important that the local departments see the data as it is being passed on. The platform also will provide tools to allow state and local users to slice and dice the data as they need to.

The redesign process began about two years ago, the cloud approach was selected about a year ago and discussions now are under way with service providers. Requirements for the provider will include compliance with basic Federal Information Security Management Act requirements, additional security as required to adequately protect data, and a large enough customer base to ensure the service provider will be around for a while.

RTI International, a research institute based in Research Triangle Park, N.C., has been brought in to help in the redesign while the Association of State and Territorial Health Officials is the lead representative for state and local offices. Design prototypes for the system were developed in collaboration with stakeholders from 22 guiding principles and still are evolving. The idea is to allow collaboration between peers with the ability to download and save reports in a variety of formats.

Kass-Hout said the new platform is expected to be up and running by November.

Trust chain stretched

Although the technology for managing identity and controlling access does not change significantly in a cloud environment, the chain of trust becomes more stretched out, Geater said. Without infrastructure being under the control of a single IT team, “things that were implicitly trusted now have to be explicitly trusted.”

The business model for security and access control also changes. Because the customer suffers the primary loss in the event of a breach, security becomes a secondary business consideration for the provider. “The cost/benefit calculation is different, so the investment decision is very different,” Geater said.

The result is caveat emptor — it is up to the customer to ensure that the service provider provides adequate controls and can demonstrate the controls for an auditor.

Small organizations that cannot afford a dedicated IT team often will be better off in a cloud environment, because a capable provider will offer better security and better identity management than the small organization can manage on its own, Geater said. But a larger organization with higher requirements will have to look much more carefully to find a provider that meets its expectations.

Tools used for authentication and access control do not change in the cloud. Choice will depend on the level of assurance required, which in turn depends on the sensitivity of the information being protected and the likely impact of a breach. But although the default user ID and password combination will work in the cloud, Geater is not a fan.

“Passwords are easily guessed or stolen and they are hard to revoke,” he said. And if passwords are being sent via the Internet to a cloud, “they are going to be stolen. No question.”

PKI fan base

A flexible — but complex — alternative to passwords is public-key infrastructure, which uses cryptographic keys for authentication and protection of data. “Here at Adobe, we have been big fans of PKI since the late '90s, when we first began incorporating it into our documents,” said John Landwehr, senior director of enterprise security solutions at Adobe Systems.

When embedded in documents, PKI can be used to digitally sign and verify a document, as well as authenticate users through a variety of ID management sources, including Active Directory and LDAP.

Although PKI has been around for quite a while, its drawback is complexity. It is a scheme that uses mathematically related cryptographic key pairs, one public and one private, to encrypt and decrypt data for a wide variety of uses.

The chore of managing these keys has also given it the name painful key infrastructure, Landwehr said. “But there have been advances to ease the pain both of deployment and use.”

Much of the advance has come in government, in the form of the military’s Common Access Card (CAC) and its civilian counterpart, the Personal Identity Verification (PIV) card, both of which incorporate keys for PKI. Tying the keys to ID cards as well as the introduction of an infrastructure that includes card readers and authorities for verifying keys are helping to make PKI a more versatile tool.

One of the advantages of PKI is that it can be used not only to verify the identity of someone accessing online resources but also to authenticate the resources being accessed. This is an important consideration when using the Web to publish official public documents, as the Government Printing Office does. GPO uses digital signatures to verify that information in public documents being viewed, such as legislation and public laws, has not been changed, a step that can be handled by a Web browser without any effort on the part of the viewer.

PKI for BioSense?

PKI can take the process one step further in a system such as BioSense, which includes sensitive data and which goes beyond one-way publishing. PKI can verify that users are accessing genuine data repositories and that the data has not been modified, and it also can be used to control access to that data and the contribution of new data.

But despite advances in PKI, it remains largely a stovepipe environment with single-purpose certificates being used in closed populations, such as government employees.

The ubiquity of CAC and PIV within government offers an opportunity to expand the use of PKI to new applications. “The next challenge we’re going to watch is how to roll it out to more of the public,” Landwehr said.

The National Strategy for Trusted Identities in Cyberspace, a federal initiative to establish an “identity ecosystem” with user-friendly credentials that can be widely accepted online, could be a step in this direction.

But to make credentials simple and useful, digital certificates issued by one provider would have to be accepted for a variety of uses, and this will require an infrastructure for federation that would allow verification across a variety of applications. Government has been a leader in this area also with its Federal PKI Bridge, and the creation of standards for PIV Interoperability, which would allow the use of public digital certificates that could be accepted by government, also is a step in that direction.

But the infrastructure is far from fully deployed, and challenges remain.

“When properly implemented, we’ve seen technology like PKI bring not only cost savings but improve the privacy of the participants and the security of the transaction,” Landwehr said. But the job of building out an infrastructure and managing and creating a model for sharing the costs among users, “that’s a tough one.”
