IT Security Requirements Under the HITECH Act RA for MU and Continuous Monitoring Lisa Broome, RPMS ISSO

Upload: brian-boyd

Post on 27-Dec-2015


IT Security Requirements Under the HITECH Act

RA for MU and Continuous Monitoring

Lisa Broome, RPMS ISSO

Agenda

Introduction

Threat Identification

Vulnerability Identification

Control Analysis

Risk Mitigation

Privacy & Security are key to maintaining trust in health IT

Meaningful use criteria and certification standards are tools to promote health IT

Privacy and security are incorporated to address risks associated with increasing information sharing, access and use.

Risk Analysis for Meaningful Use

CIA (confidentiality, integrity and availability) of resources and information

45 CFR 164.308(a)(1) (HIPAA Security Rule: security management process, which includes the risk analysis requirement)

HITECH Act Requirements

IT security is the foundation to build TRUST in health information technology & electronic information exchange.

Risk Analysis for Meaningful Use

• Designed to assess the security posture of a system or application.

• Raises management's awareness of major security risks in their infrastructure.

• Proposes recommendations for mitigation of these risks.

• Ensures IHS meets the Federal requirements for Meaningful Use.

Risk Assessment for Meaningful Use

Covers: Physical, Environmental and Logical Controls

• Physical: How access to information is protected, whether during the initial, processing, storage or destruction phase.

• Environmental: Gauges changes in the environment which could impact the CIA of information.

• Logical: Includes but is not limited to the use of software, collected data and hardware.

Risk Assessment for Meaningful Use

When should the RA be completed for a hospital?

• Hospitals participating in Medicare:

  • Year 1, RA needed prior to the end of the 90 day reporting period

  • Year 2+, RA needed prior to the end of the 365 day reporting period (based on fiscal year)

• Hospitals participating in Medicaid:

  • Year 1, no RA needed

  • Year 2, RA needed prior to the end of their 90 day reporting period (any consecutive 90 day period in the fiscal year)

  • Year 3, RA needed prior to the end of the 365 day reporting period (based on fiscal year)

• Note: All Federal sites must complete the monthly Secure Fusion and the Annual Risk Analysis survey in order to maintain SA (Security Authorization, formerly C&A, Certification and Accreditation).

Risk Assessment for Meaningful Use

When should an RA be completed for an EP (Eligible Professional)?

• EP participating in Medicare:

  • Year 1, RA needed prior to the end of their 90 day reporting period

  • Year 2+, RA needed prior to the end of their 365 day reporting period (calendar year)

• EP participating in Medicaid:

  • Year 1, no RA needed

  • Year 2, RA needed prior to the end of their 90 day reporting period

  • Year 3+, RA needed prior to the end of their 365 day reporting period (calendar year)

Threat Identification

Threat: The potential for a particular threat-source to successfully exercise a specific vulnerability.

Facilities must evaluate the potential for a particular threat source to successfully exercise a particular vulnerability, the impact to the facility and corresponding response using a hazard specific scale.

Risk Analysis (pages 12-14) U:\Desktop\Risk Analysis Revision 2.docx

Vulnerability Identification

Develop a list of system vulnerabilities (flaws or weaknesses) that could be exploited. Vulnerabilities are captured via automated tools. OIT/DIS provides some vulnerability identification via continuous monitoring:

• Monthly Secure Fusion Report

• Penetration Testing (available to sites)

• Intrusion Prevention System

• Wireless survey (available to sites utilizing wireless)

• Network Threat Response

• Log Management (RPMS logs should be reviewed periodically)

Vulnerability Identification & Secure Fusion

Monthly Reports

Reporting to HHS

Focus on High Risks by Area

Part of the Quarterly Report to the HHS Secretary

Implemented Across IHS Federal/Tribal/Urban Facilities in August 2009

• Each facility can access Secure Fusion reports

• Provides a detailed list of vulnerabilities

• Fix action for each vulnerability

Vulnerability Identification & Secure Fusion

High Risk Mitigation (percentage of high-risk findings mitigated -> grade)

80 - 100%   A+

70 - 79%    A

60 - 69%    B

50 - 59%    C

40 - 49%    D

< 40%       F

Vulnerability Identification & Secure Fusion

High Risk Aging (days since a high-risk finding was reported -> grade)

< 30 days   A+

31-45 days  A

46-60 days  B

61-75 days  C

76-90 days  D

> 90 days   F

Vulnerability Identification & Secure Fusion

Other vulnerability tests run by OIT/DIS

• TippingPoint IPS: insert findings in Appendix D

• Network Threat Response: discovers zero-day malware

• ArcSight Log Management: logs should be reviewed

Vulnerability Identification & Pen Testing

Evaluates the security of a computer system or network by simulating a malicious attack.

Must be performed annually. The test report should include the approach, methodology, procedures and results.

For each finding the following should be reported: description of the finding, affected host(s), impact, recommendation for mitigation and source(s) for corrective action.

OIT/DIS has preconfigured laptops sites may borrow in order to complete Pen Testing.

Point of contact is: Dan Largo; [email protected]

Vulnerability Identification & VisiWave

For sites that utilize wireless. Provides visualization of wireless devices within a facility and can identify device interference. IHS OIT/DIS has laptops with VisiWave installed; these laptops can be loaned out to sites for VisiWave testing.

Results should be included in Appendix E.

Control Analysis

Analyze implemented controls (modify as needed), based upon NIST SP 800-53, Rev 3. Common controls are provided for you via GPO settings and should not be changed; the site is responsible for ensuring the correct controls are implemented.

Risk Analysis (pages 19-21) U:\My Documents\Work docs\Continuous Monitoring\Risk Analysis Revision 2.docx

3rd Party Software Needed for MU

WinHasher: MU requirement for 170.302(s), Integrity. Allows verification of file integrity utilizing file hash comparison. Open source, available for sites to download.

IPsec: Installed on Windows based RPMS systems.

VanDyke: Installation for AIX RPMS systems. At each facility where RPMS is running on an AIX system, the Service Unit/Site is responsible for installing it. Contact OIT Support for installation instructions.
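The WinHasher item above describes integrity verification by file hash comparison. The following Python script is added here as an illustration; it is not part of the presentation and not WinHasher's code. It shows the two halves of that check: building a baseline manifest of SHA-256 digests for a directory tree, and later verifying the tree against that baseline, reporting changed, missing and new files. The directory layout, file names and contents in demo() are constructed for the example. Two practical points: store the baseline where the monitored host cannot rewrite it (read-only media or a separate system), since an intruder who can alter the files can otherwise regenerate the manifest as well, and prefer SHA-256 over MD5 for new baselines.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 65536  # read files in 64 KiB pieces so large files never sit in memory


def hash_file(path, algorithm="sha256"):
    """Stream one file through the chosen hash and return the hex digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algorithm="sha256"):
    """Baseline: map each regular file (path relative to root) to its digest."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hash_file(p, algorithm)
    return manifest


def verify_manifest(root, manifest, algorithm="sha256"):
    """Compare the current tree to the baseline.

    Returns a dict with sorted lists of files whose digest changed, files present
    in the baseline but gone from disk, and files on disk that the baseline
    does not know about (an unexpected new file is as interesting as a change).
    """
    current = build_manifest(root, algorithm)
    changed = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    new = sorted(k for k in current if k not in manifest)
    return {"changed": changed, "missing": missing, "new": new}


def is_clean(result):
    """True when verification found no deviation from the baseline."""
    return not (result["changed"] or result["missing"] or result["new"])


def demo():
    """Constructed scenario (hypothetical file names and contents): take a
    baseline of a small tree, then alter one file, delete one and add one."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "routines").mkdir()
        (root / "routines" / "BMX.m").write_bytes(b"BMX ; constructed sample routine\n")
        (root / "config.ini").write_bytes(b"[rpms]\nport=9200\n")
        baseline = build_manifest(root)

        # Changes after the baseline: a modified routine, a deleted config, a stray file.
        (root / "routines" / "BMX.m").write_bytes(b"BMX ; modified after baseline\n")
        (root / "config.ini").unlink()
        (root / "extra.txt").write_bytes(b"unexpected\n")

        return verify_manifest(root, baseline)


if __name__ == "__main__":
    result = demo()
    for kind in ("changed", "missing", "new"):
        for name in result[kind]:
            print(f"{kind:8s} {name}")
    print("clean" if is_clean(result) else "DEVIATIONS FOUND")
```

In production use, write the output of build_manifest to a file kept off the host, and run verify_manifest against that copy on the review schedule the site's risk analysis sets; any non-empty list is a finding to record.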

For Official Use Only

3rd Party Software Needed for MU

MU requirement 170.302(u), General Encryption

File Level Encryption: Ability to use a NIST certified product to create a self-extracting encrypted file.

Three products certified by IHS:

• Symantec SEE (Removable): Federal solution provided by IHS. Sites must contact OIT Support for installation instructions.

• Credant2Go: 3rd party client/server based product I/T/Us can purchase.

• 7-Zip: Only available for Tribal sites. Freeware. Uses a FIPS 140-2 approved algorithm (AES-256) but the product itself has not been validated by NIST.

Risk Mitigation

Prioritizing, evaluating and implementing the appropriate risk-reducing controls recommended from the risk assessment process.

Risk Analysis (Appendix G: Risk Mitigation Worksheet): manual sheet

Risk Analysis (Appendix H: Secure Fusion Mitigation Plan): automated plan

Questions?

Information Security Team: [email protected]

IHS Information Security Web site: http://security.ihs.gov

Contact: Lisa Broome, RPMS ISSO: 505-248-4381 [email protected]