RA for MU and Continuous Monitoring
IT Security Requirements Under the HITECH Act
Lisa Broome, RPMS ISSO

Agenda
• Introduction
• Threat Identification
• Vulnerability Identification
• Control Analysis
• Risk Mitigation
• HIPAA
• Questions?
Privacy & Security are key to maintaining trust in health IT.
Meaningful use criteria and certification standards are tools to promote health IT.
Privacy and security are incorporated to address risks associated with increasing information sharing, access and use.

IT security is the foundation to build TRUST in health information technology & electronic information exchange.

Risk Analysis for MU and Continuous Monitoring
• HITECH Act Requirements
• 45 CFR 164.308(a)(1)
• CIA
• Resources and Information
Risk Analysis for MU and Continuous Monitoring
• Designed to assess the security posture of a system or application.
• Raises Management’s awareness of major security risks in their infrastructure.
• Proposes recommendations for mitigation of these risks.
• Ensures IHS meets the Federal requirements for Meaningful Use.

Risk Assessment for MU and Continuous Monitoring
• Covers: Physical, Environmental and Logical Controls
• Physical: How access to information is protected, whether during the initial, processing, storage or destruction phase.
• Environmental: Gauges changes in the environment which could impact the CIA of information.
• Logical: Includes, but is not limited to, the use of software, collected data and hardware.

Risk Assessment for MU and Continuous Monitoring
• When should the RA be completed?
• Hospitals participating in:
  • Medicare: Completion is based on fiscal year. Must be completed by September 30, 2011.
  • Medicaid: If participating for 1 year, do not need to complete a RA.
• EP participating in:
  • Medicare: Completion is based on calendar year. Must be completed by December 31, 2011.
  • Medicaid: If participating for 1 year, do not need to complete the RA.
• Note: All Federal sites must complete the monthly Secure Fusion and Annual Risk Analysis survey in order to maintain SA (formerly C&A).
Threat Identification
• Threat: The potential for a particular threat-source to successfully exercise a specific vulnerability.
• Facilities must evaluate the potential for a particular threat source to successfully exercise a particular vulnerability, the impact to the facility and the corresponding response, using a hazard-specific scale.
• Risk Analysis (pages 12-14)
• U:\Desktop\Risk Analysis Revision 2.docx

Vulnerability Identification
• Develop a list of system vulnerabilities (flaws or weaknesses) that could be exploited.
• Vulnerabilities captured via automated tools.
• OIT/DIS provides some vulnerability identification via continuous monitoring:
  • Monthly Secure Fusion Report
  • Penetration Testing (available to sites)
  • Intrusion Prevention System
  • Wireless survey (available to sites utilizing wireless)
  • Network Threat Response
  • Log Management (available June 2011)
Vulnerability Identification & Secure Fusion
• Implemented across IHS Federal/Tribal/Urban facilities in August 2009
• Monthly reports focus on High Risks by Area
• Reporting to HHS: part of the Quarterly Report to the HHS Secretary
• Each facility can access Secure Fusion reports
• Provides a detailed list of vulnerabilities
• Fix action for each vulnerability

Vulnerability Identification & Secure Fusion
Other vulnerability tests run by OIT/DIS
• TippingPoint: IPS; insert findings in Appendix D
• Network Threat Response: Discovers zero-day malware
• ArcSight Log Management: Logs should be reviewed.

Vulnerability Identification & Pen Testing
• Evaluates the security of a computer system or network by simulating a malicious attack.
• Must be performed annually.
• Testing should include:
  • Approach, methodology, procedures and results.
• For each finding the following should be reported:
  • Description of finding, affected host(s), impact, recommendation for mitigation and source(s) for corrective action.
• OIT/DIS has preconfigured laptops sites may borrow in order to complete Pen Testing.
• Points of contact are: Dan Largo, daniel.largo@IHS.gov, or Shad Malloy, shad.malloy@IHS.gov

Vulnerability Identification & VisiWave
• For sites that utilize wireless
• Provides visualization of wireless devices within a facility
• Can identify device interference
• IHS OIT/DIS has laptops with VisiWave installed. These laptops can be loaned out to sites for VisiWave testing.
• Results should be included in Appendix E.
Control Analysis
• Analyze implemented controls (modify as needed)
• Based upon NIST (SP) 800-53, Rev 3
• Common controls are provided for you (the site is responsible for ensuring the correct controls are implemented).
• Risk Analysis (pages 19-21)
• U:\My Documents\Work docs\Continuous Monitoring\Risk Analysis Revision 2.docx

For Official Use Only
3rd Party Software Needed for MU
• Symantec:
  • MU requirement for 170.302(u), General Encryption.
  • Allows file-level encryption.
  • Installed on IHS-owned equipment NLT July 2011.
• WinHasher:
  • MU requirement for 107.302(s), Integrity.
  • Allows verification of file integrity utilizing file hash comparison.
  • Open Source, available for sites to download.
• IPSec:
  • Installed on Windows-based RPMS systems.
• VanDyke:
  • Currently being installed across the AIX RPMS enterprise.
• Two-factor authentication for EHR access (while it is technically needed to meet the standard, facilities will NOT be required to utilize 2-factor under Stage 1).
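The integrity requirement above is met by comparing a file's hash against a previously recorded value. The following is an added example, not code from the presentation or from WinHasher, showing what that comparison looks like end to end: a baseline manifest of SHA-256 hashes is built over a directory, the manifest is stored, and a later verification run reports files that were modified, removed or added. The file names and contents are constructed for the example; the hash algorithm (SHA-256) and the manifest format are choices made here, not taken from the page.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed sample files standing in for configuration files on an EHR host.
# Paths and contents are made up for this example.
SAMPLE_FILES = {
    "ehr/config.ini": b"[server]\nport=9100\n",
    "ehr/routines.txt": b"PATIENT-LOOKUP\nORDER-ENTRY\n",
}


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record the SHA-256 of every regular file under root, keyed by relative path."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def verify_baseline(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a stored baseline.

    Returns three sorted lists: files whose hash changed, files that are
    gone, and files that were not present when the baseline was taken.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Create the sample files, baseline them, simulate tampering, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)

        # A baseline only protects integrity if it is kept where the monitored
        # host cannot silently rewrite it; here it is serialized only to show
        # the manifest format that would be stored off-host.
        stored = json.dumps(build_baseline(root), indent=2, sort_keys=True)
        baseline = json.loads(stored)

        # Simulate an unauthorized edit, a deleted file and an unexpected new file.
        (root / "ehr/config.ini").write_bytes(b"[server]\nport=9999\n")
        (root / "ehr/routines.txt").unlink()
        (root / "ehr/extra.dll").write_bytes(b"unexpected")
        return verify_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The verification is only as trustworthy as the stored baseline: if the manifest lives on the same host with the same permissions as the files it covers, whoever can change the files can change the manifest too, so in practice the baseline is kept read-only or off-host and re-taken only after an approved change.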
Risk Mitigation
• Prioritizing, evaluating and implementing appropriate risk-reducing controls recommended from the risk assessment process.
• Risk Analysis (Appendix G: Risk Mitigation Worksheet)
  • Manual sheet
• Risk Analysis (Appendix H: Secure Fusion Mitigation Plan)
  • Automated plan

Storage of Completed RAs
• Completed RA will be stored on SharePoint.
• https://workgroups.ihs.gov/sites/CAdocs/CA%20Docs/Forms/AllItems.aspx?RootFolder=%2fsites%2fCAdocs%2fCA%20Docs%2fCompleted%20RA%20Templates&FolderCTID=&View=%7b088F5F7D%2d65C1%2d40FE%2dB719%2d20BB0AEF1220%7d
• HQ ISSOs will:
  • Perform periodic audits of stored RA.
  • Certify annually.
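The Threat Identification slide asks each facility to rate likelihood and impact on a scale, and the Risk Mitigation slide asks for the resulting findings to be prioritized. The following added example (not from the presentation, and not the Risk Analysis document's own worksheet or hazard-specific scale) shows the mechanics of that prioritization using the likelihood and impact values and risk-level thresholds from the risk-level matrix in NIST SP 800-30 (2002): a finding's score is likelihood times impact, and the score maps to a High, Medium or Low risk level. The findings, hosts and recommendations are constructed for the example.

```python
from dataclasses import dataclass

# Likelihood and impact values and the High/Medium/Low thresholds follow the
# risk-level matrix in NIST SP 800-30 (2002), Section 3.7. A facility using
# its own hazard-specific scale would substitute its values here.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass
class Finding:
    """One row of input: what the pen test or Secure Fusion report found."""
    description: str
    affected_host: str
    likelihood: str  # key into LIKELIHOOD
    impact: str      # key into IMPACT
    recommendation: str


def risk_score(likelihood: str, impact: str) -> float:
    """Score = likelihood rating x impact rating (NIST SP 800-30 matrix)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Map a score to the matrix's High (>50), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def rank_findings(findings):
    """Return worksheet rows sorted highest risk first (ties by description)."""
    rows = []
    for f in findings:
        score = risk_score(f.likelihood, f.impact)
        rows.append({
            "description": f.description,
            "host": f.affected_host,
            "likelihood": f.likelihood,
            "impact": f.impact,
            "score": score,
            "level": risk_level(score),
            "recommendation": f.recommendation,
        })
    rows.sort(key=lambda r: (-r["score"], r["description"]))
    return rows


def worksheet(rows) -> str:
    """Render the ranked rows as a plain-text mitigation worksheet."""
    header = f"{'Rank':<5}{'Level':<8}{'Score':<7}{'Host':<14}Finding / Recommendation"
    lines = [header, "-" * len(header)]
    for i, r in enumerate(rows, start=1):
        lines.append(f"{i:<5}{r['level']:<8}{r['score']:<7g}{r['host']:<14}{r['description']}")
        lines.append(f"{'':<34}-> {r['recommendation']}")
    return "\n".join(lines)


# Constructed findings; hosts and ratings are illustrative only.
SAMPLE_FINDINGS = [
    Finding("Missing OS security patches", "fileserver01", "High", "High",
            "Apply vendor patches and enroll host in monthly patch cycle"),
    Finding("Shared login used for EHR access", "ehr-term-03", "Medium", "High",
            "Issue individual accounts; disable the shared login"),
    Finding("Backup tapes stored unencrypted offsite", "backup01", "Low", "High",
            "Enable backup encryption; re-key tapes on next rotation"),
    Finding("Unused management port left open on printer", "mfd-lobby", "Low", "Low",
            "Disable unused services in the device configuration"),
]

if __name__ == "__main__":
    print(worksheet(rank_findings(SAMPLE_FINDINGS)))
```

Ranking is only a starting point: two findings with the same score can still differ in cost to fix or in how many systems share the weakness, which is why the worksheet keeps the recommendation beside each row for the reviewer rather than acting on the score alone.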
HIPAA Upcoming Changes
• Photocopier/Fax/MFD:
  • Have hard drives installed.
  • Must be disposed of properly.
  • http://home.security.ihs.gov/CompNotes/Copier_Research_Special_Bulletin_Final.pdf
• Business Associates:
  • Now responsible for their breaches as an independent entity.
• Patient requests for medical information:
  • Must be provided to the patient within 30 days.
  • If the patient requests an electronic format such as CD/DVD/Flash/E-mail, we must provide it encrypted.
  • The patient may request an unencrypted format and we must accommodate.
• Note: These are upcoming rules we are taking a first look at. No decisions have been made in regards to media funding.

Questions?
Information Security Team: OITSecurity@ihs.gov
IHS Information Security Web site: http://security.ihs.gov
Contact: Lisa Broome, RPMS ISSO: 505-248-4381, lisa.broome@ihs.gov