1 / 12

Kevin Stine, Information Security Specialist Computer Security Division

NIST’s Role in Securing Health Information AMA-IEEE Medical Technology Conference on Individualized Healthcare. Kevin Stine, Information Security Specialist Computer Security Division Information Technology Laboratory National Institute of Standards and Technology. March 22, 2010.

arden
Download Presentation

Kevin Stine, Information Security Specialist Computer Security Division

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. NIST’s Role in Securing Health InformationAMA-IEEE Medical TechnologyConference on Individualized Healthcare Kevin Stine, Information Security Specialist Computer Security Division Information Technology Laboratory National Institute of Standards and Technology March 22, 2010

  2. NIST’s Mission To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology … Credit: R. Rathe … in ways that enhance economic security and improve our quality of life. Credit: NIST 2

  3. Computer Security Division’s Mission A division with the Information Technology Lab, CSD provides standards and technology to protect information systems against threats to the confidentiality, integrity, and availability of information and services … … in order to build trust and confidence in Information Technology (IT) systems 3

  4. Agenda Meaningful Use, Standards, and Certification (Oh My) NIST HIT Security Activities… Past, Present, and Near Future Wireless and Mobile Technology Resources 4

  5. Meaningful Use, Standards, and Certifications (Oh My) • Meaningful Use (NPRM) • Adopt and meaningfully use certified electronic health record (EHR) technology • Stage 1(beginning in 2011): Ensure adequate privacy and security protections for personal health information. • Standards and Certification (IFR) • Represents the first step in an incremental approach to adopting standards, implementation specifications, and certification criteria to enhance the interoperability, functionality, utility, and security of health information technology and to support its meaningful use. • Standards for HIT to protect Electronic Health Info (IFR, §170.210) • Encryption and decryption of EHI, Record actions related to EHI, Verification that electronic health information has not been altered in transit, Cross-enterprise authentication • Certification Criteria (IFR, §170.302) • Access Control, Audit Log, Integrity, Authentication, Encryption

  6. Agenda • Meaningful Use, Standards, and Certification (Oh My) • NIST HIT Security Activities… Past, Present, and Near Future • Wireless and Mobile Technology Resources 6

  7. Risk Management Starting Point ORGANIZATIONAL VIEW Architecture Description FEA Reference Models Segment and Solution Architectures Mission and Business Processes Information System Boundaries Organizational Inputs Laws, Directives, Policy Guidance Strategic Goals and Objectives Priorities and Resource Availability Supply Chain Considerations Risk Executive Function Repeat as necessary RISK MANAGEMENT FRAMEWORK Security Life Cycle Security Plan Plan of Actions & Milestones Security Assessment Report Step 3 IMPLEMENT Security Controls SP 800-70 Step 2 SELECT Security Controls FIPS 200 / SP 800-53 Step 1 CATEGORIZE Information Systems FIPS 199 / SP 800-60 Step 5 AUTHORIZE Information Systems SP 800-37 Step 4 ASSESS Security Controls SP 800-53A Step 6 MONITOR Security State SP 800-37 / 800-53A 7

  8. Health IT Security - What We’ve Done… • Standards Harmonization • Support ONC and HITSP in harmonizing and integrating standards to enable exchange of health information • Outreach & Awareness • Present on application of security standards and guidelines to HIPAA and HIT security implementations • Publications & Resources • HIPAA Security Rule Guide • HIE Security Architecture

  9. Health IT Security - What We Plan To Do… • Security Automation • HIPAA Security Rule toolkit • Security configuration checklists • HIT Test Infrastructure • Provide capability for current and future EHR testing needs against standards • Conformance and interoperability testing capabilities

  10. Agenda Meaningful Use, Standards, and Certification (Oh My) NIST HIT Security Activities… Past, Present, and Near Future Wireless and Mobile Technology Resources 10

  11. Wireless and Mobile Technology Security Resources • Wireless • 800-127 Draft, Guide to Security for WiMAX Technologies • 800-121, Guide to Bluetooth Security • 800-120, Recommendations for EAP Methods Used in Wireless Network Access Authentication • 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i • 800-48 Revision 1, Guide to Securing Legacy IEEE 802.11 Wireless Networks • Mobile Technologies • 800-124, Guidelines on Cell Phone and PDA Security • 800-114, User’s Guide to Securing External Devices for Telework and Remote Access • 800-101, Guidelines on Cell Phone Forensics • 800-46 Rev 1, Guide to Enterprise Telework and Remote Access Security

  12. Thank You Kevin Stine kevin.stine@nist.gov Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Computer Security Resource Center: http://csrc.nist.gov NIST Health IT Standards and Testing: http://healthcare.nist.gov 12

More Related