IT Security Requirements Under the HITECH Act
RA for MU and Continuous Monitoring
Lisa Broome, RPMS ISSO
Agenda
• Introduction
• Threat Identification
• Vulnerability Identification
• Control Analysis
• Risk Mitigation
Privacy & Security are key to maintaining trust in health IT
Meaningful use criteria and certification standards are tools to promote health IT
Privacy and security are incorporated to address risks associated with increasing information sharing, access and use.
Risk Analysis for Meaningful Use
CIA
Resources and Information
45 CFR 164.308(a)(1)
HITECH Act Requirements
IT security is the foundation to build TRUST in health information technology & electronic information exchange.
Risk Analysis for Meaningful Use
• Designed to assess the security posture of a system or application.
• Raise Management’s awareness of major security risks in their infrastructure.
• Propose recommendations for mitigation of these risks.
• Ensures IHS meets the Federal requirements for Meaningful Use.
Risk Assessment for Meaningful Use
Covers: Physical, Environmental and Logical Controls
• Physical: How access to information is protected, whether during the initial, processing, storage or destruction phase.
• Environmental: Gauges changes in the environment which could impact CIA of information.
• Logical: Includes but is not limited to the use of software, collected data and hardware.
Risk Assessment for Meaningful Use
When should the RA be completed for a hospital?
• Hospitals participating in Medicare:
  • Year 1, RA needed prior to the end of the 90 day reporting period
  • Year 2+, RA needed prior to the end of the 365 day reporting period (based on fiscal year)
• Hospitals participating in Medicaid:
  • Year 1, No RA needed
  • Year 2, RA needed prior to the end of their 90 day period (any consecutive 90 day period in fiscal year)
  • Year 3, RA needed prior to the end of the 365 day reporting period (based on fiscal year)
• Note: All Federal sites must complete monthly Secure Fusion and Annual Risk Analysis survey in order to maintain SA (formerly C&A).
Risk Assessment for Meaningful Use
When should a RA be completed for an EP?
• EP participating in Medicare:
  • Year 1, RA needed prior to the end of their 90 day reporting period
  • Year 2+, RA needed prior to the end of their 365 day reporting period (calendar year)
• EP participating in Medicaid:
  • Year 1, No RA needed
  • Year 2, RA needed prior to the end of their 90 day reporting period
  • Year 3+, RA needed prior to the end of their 365 day reporting period (calendar year)
Threat Identification
Threat: The potential for a particular threat-source to successfully exercise a specific vulnerability.
Facilities must evaluate the potential for a particular threat source to successfully exercise a particular vulnerability, the impact to the facility and corresponding response using a hazard specific scale.
Risk Analysis (pages 12-14) U:\Desktop\Risk Analysis Revision 2.docx
Vulnerability Identification
Develop a list of system vulnerabilities (flaws or weaknesses) that could be exploited.
Vulnerabilities captured via automated tools. OIT/DIS provides some vulnerability identification via continuous monitoring:
• Monthly Secure Fusion Report
• Penetration Testing (available to sites)
• Intrusion Prevention System
• Wireless survey (available to sites utilizing wireless)
• Network Threat Response
• Log Management (RPMS logs should be reviewed periodically)
Vulnerability Identification & Secure Fusion
Monthly Reports
Reporting to HHS
Focus on High Risks by Area
Part of the Quarterly Report to the HHS Secretary
Implemented Across IHS Federal/Tribal/Urban Facilities in August 2009
• Each facility can access Secure Fusion reports
• Provides a detailed list of vulnerabilities
• Fix action for each vulnerability
Vulnerability Identification & Secure Fusion
High Risk Mitigation
80 - 100% A+
70 - 79% A
60 - 69% B
50 - 59% C
40 - 49% D
< 40% F
Vulnerability Identification & Secure Fusion
High Risk Aging
< 30 days A+
31-45 days A
46-60 days B
61-75 days C
76-90 days D
> 90 days F
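The two scales above turn a site's high-risk figures into letter grades. As an added example (not Secure Fusion's own code, which the slides do not describe), the Python below computes the percentage of high risks mitigated and the age of the oldest open high risk from a constructed findings list and grades both. The findings, dates and the handling of the day-30 boundary, which the aging scale leaves unassigned, are assumptions.

```python
"""Grade a site's high-risk findings on the two Secure Fusion scales
(high-risk mitigation percentage and high-risk aging).

Added illustration only: the findings below are constructed, and how the
real Secure Fusion report derives its figures is not described on the slides.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Percentage of high risks mitigated -> grade, keyed by the lower bound of each band.
MITIGATION_BANDS = [(80, "A+"), (70, "A"), (60, "B"), (50, "C"), (40, "D")]

# Age in days of the oldest open high risk -> grade, keyed by the upper bound.
# Assumption: the scale reads "< 30 days" then "31-45 days", so day 30 itself is
# unassigned; it is treated as A+ here.
AGING_BANDS = [(30, "A+"), (45, "A"), (60, "B"), (75, "C"), (90, "D")]


@dataclass
class Finding:
    host: str
    severity: str                          # "high", "medium" or "low"
    first_seen: date                       # date the finding was first reported
    mitigated_on: Optional[date] = None    # None while the fix action is open


def mitigation_grade(percent: float) -> str:
    """Letter grade for the percentage of high risks mitigated."""
    for floor, grade in MITIGATION_BANDS:
        if percent >= floor:
            return grade
    return "F"


def aging_grade(days: int) -> str:
    """Letter grade for the age of the oldest open high risk."""
    for ceiling, grade in AGING_BANDS:
        if days <= ceiling:
            return grade
    return "F"


def is_open(f: Finding, as_of: date) -> bool:
    return f.mitigated_on is None or f.mitigated_on > as_of


def mitigation_percent(findings, as_of: date) -> float:
    """Share of high-severity findings closed on or before as_of (100 if none exist)."""
    highs = [f for f in findings if f.severity == "high"]
    if not highs:
        return 100.0
    closed = sum(1 for f in highs if not is_open(f, as_of))
    return 100.0 * closed / len(highs)


def oldest_open_high_days(findings, as_of: date) -> int:
    """Age in days of the longest-open high-severity finding (0 if none are open)."""
    ages = [(as_of - f.first_seen).days
            for f in findings if f.severity == "high" and is_open(f, as_of)]
    return max(ages, default=0)


def score_site(findings, as_of: date) -> dict:
    """Both figures and both grades for one site as of a report date."""
    pct = mitigation_percent(findings, as_of)
    age = oldest_open_high_days(findings, as_of)
    return {
        "mitigated_pct": pct,
        "mitigation_grade": mitigation_grade(pct),
        "oldest_open_days": age,
        "aging_grade": aging_grade(age),
    }


# Constructed sample: one site's findings as of a March 2011 monthly report.
AS_OF = date(2011, 3, 31)
SAMPLE_FINDINGS = [
    Finding("rpms-db01", "high", date(2011, 1, 10), date(2011, 2, 1)),
    Finding("rpms-app02", "high", date(2011, 2, 15)),             # still open, 44 days
    Finding("fileshare", "high", date(2011, 3, 20), date(2011, 3, 25)),
    Finding("printer", "medium", date(2011, 1, 3)),               # not a high risk
    Finding("rpms-db01", "high", date(2011, 1, 5), date(2011, 3, 30)),
]

if __name__ == "__main__":
    print(score_site(SAMPLE_FINDINGS, AS_OF))
```

The bands are applied as continuous thresholds, so a value that falls between two rows of the slide (79.5%, for instance) still receives a grade rather than none.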
Vulnerability Identification & Secure Fusion
Other vulnerability tests run by OIT/DIS
• TippingPoint: IPS, insert findings in Appendix D
• Network Threat Response: Discovers zero-day malware
• ArcSight Log Management: Logs should be reviewed.
Vulnerability Identification & Pen Testing
Evaluates the security of a computer system or network by simulating a malicious attack.
Must be performed annually. Testing should include approach, methodology, procedures and results.
For each finding the following should be reported: description of finding, affected host(s), impact, recommendation for mitigation and source(s) for corrective action.
OIT/DIS has preconfigured laptops sites may borrow in order to complete Pen Testing.
Point of contact is: Dan Largo; [email protected]
Vulnerability Identification & VisiWave
• For sites that utilize wireless
• Provides visualization of wireless devices within a facility
• Can identify device interference
• IHS OIT/DIS has laptops with VisiWave installed. These laptops can be loaned out to sites for VisiWave testing.
• Results should be included in Appendix E.
Control Analysis
Analyze implemented controls (modify as needed). Based upon NIST (SP) 800-53, Rev 3.
Common controls are provided for you via GPO settings and should not be changed (the site is responsible for ensuring correct controls are implemented).
Risk Analysis (pages 19-21) U:\My Documents\Work docs\Continuous Monitoring\Risk Analysis Revision 2.docx
3rd Party Software Needed for MU
• WinHasher: MU requirement for 107.302(s), Integrity. Allows verification of file integrity utilizing file hash comparison. Open Source, available for sites to download.
• IPsec: Installed on Windows based RPMS systems.
• VanDyke: Installation for AIX RPMS systems. At each facility where RPMS is running on an AIX system, the Service Unit/Site is responsible for installing. Contact OIT Support for installation instructions.
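The slide names WinHasher for the Integrity criterion because it verifies files by hash comparison. The Python below is an added example of that check, not WinHasher's code (its manifest format is not on the page): it records SHA-256 hashes of a trusted set of files, then re-hashes them and reports each as ok, modified or missing. The manifest layout, file names and file contents are constructed for the example.

```python
"""Verify file integrity by hash comparison, the check the slide describes
for the Integrity criterion.

Added illustration, not WinHasher's code: a one-line-per-file manifest format
("<sha256 hex>  <filename>") is assumed, and the sample files are constructed
in a temporary directory.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 64 * 1024


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large installers are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def write_manifest(paths, manifest_path: str) -> None:
    """Record the reference hash for each file (done once, from a trusted copy)."""
    with open(manifest_path, "w", encoding="utf-8") as out:
        for path in paths:
            out.write(f"{sha256_file(path)}  {os.path.basename(path)}\n")


def verify_manifest(manifest_path: str, directory: str) -> dict:
    """Compare each listed file against its recorded hash.

    Returns {filename: "ok" | "modified" | "missing"}.  hmac.compare_digest is
    used so the comparison takes the same time wherever a mismatch occurs.
    """
    results = {}
    with open(manifest_path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            expected, name = line.split(None, 1)
            target = os.path.join(directory, name)
            if not os.path.isfile(target):
                results[name] = "missing"
                continue
            actual = sha256_file(target)
            results[name] = "ok" if hmac.compare_digest(actual, expected.lower()) else "modified"
    return results


def demo() -> dict:
    """Constructed scenario: record hashes, then alter one file and delete another."""
    with tempfile.TemporaryDirectory() as workdir:
        export = os.path.join(workdir, "export.csv")
        installer = os.path.join(workdir, "install.zip")
        readme = os.path.join(workdir, "readme.txt")
        with open(export, "wb") as fh:
            fh.write(b"record_id,visit_date\n1001,2011-03-01\n")   # constructed content
        with open(installer, "wb") as fh:
            fh.write(b"PK\x03\x04" + bytes(range(256)) * 16)      # constructed content
        with open(readme, "wb") as fh:
            fh.write(b"Install notes.\n")                         # constructed content

        manifest = os.path.join(workdir, "MANIFEST.sha256")
        write_manifest([export, installer, readme], manifest)

        # Changes made after the hashes were recorded:
        with open(export, "ab") as fh:
            fh.write(b"1002,2011-03-02\n")    # appended row -> reported as "modified"
        os.remove(readme)                     # deleted      -> reported as "missing"

        return verify_manifest(manifest, workdir)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

The manifest is only as trustworthy as its source: record it from a known-good copy and keep it somewhere the files' owner cannot rewrite, otherwise the comparison detects accidental corruption but not deliberate change.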
For Official Use Only
3rd Party Software Needed for MU
MU requirement 170.302(u), General Encryption
File Level Encryption: Ability to use a NIST certified product to create a self-extracting encrypted file.
Three products certified by IHS:
• Symantec SEE (Removable): Federal solution provided by IHS. Sites must contact OIT Support for installation instructions.
• Credant2Go: 3rd party client/server based product I/T/Us can purchase.
• 7-Zip: Only available for Tribal sites. Uses a FIPS 140-2 approved algorithm but is not certified by NIST. Freeware.
Risk Mitigation
Prioritizing, evaluating and implementing appropriate risk-reducing controls recommended from the risk assessment process.
• Risk Analysis (Appendix G: Risk Mitigation Worksheet) - manual sheet
• Risk Analysis (Appendix H: Secure Fusion Mitigation Plan) - automated plan
Storage of Completed RAs
Completed RA will be stored on SharePoint:
https://workgroups.ihs.gov/sites/CAdocs/CA%20Docs/Forms/AllItems.aspx?RootFolder=%2fsites%2fCAdocs%2fCA%20Docs%2fCompleted%20RA%20Templates&FolderCTID=&View=%7b088F5F7D%2d65C1%2d40FE%2dB719%2d20BB0AEF1220%7d
HQ ISSOs will:
• Perform periodic audits of stored RA.
• Certify annually.
Questions?
Information Security Team: [email protected]
IHS Information Security Web site: http://security.ihs.gov
Contact: Lisa Broome, RPMS ISSO: 505-248-4381 [email protected]