1 / 17

Security and Privacy for the NHIN and CONNECT

WEDNESDAY, 5:00 – 5:30PM. Security and Privacy for the NHIN and CONNECT. Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor)

clarissa-verne
Download Presentation

Security and Privacy for the NHIN and CONNECT

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. WEDNESDAY, 5:00 – 5:30PM Security and Privacy for the NHIN and CONNECT Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor) Federal Health Architecture, Office of the National Coordinator for Health IT

  2. Agenda Welcome • Nationwide Health Information Network (NHIN) • NHIN Architectural Components • NHIN Network Gateway Components CONNECT Gateway Reference Implementation: • FHA CONNECT Certification & Accreditation (C&A) and Security Management Program Overview • C&A Procedure/Status • CONNECT Security Management Program HIMSS 2010

  3. Nationwide Health Information Network (NHIN) NHIN • NHIN is not a database • Harmonized standards to exchange health data • Membership agreements • SSL Certificates • Services Registry • Test Environment – Interop and conformance HIMSS 2010

  4. NHIN Components Gateway Gateway Gateway Components • NHIN Network – Zone for transporting health info between gateways – Certificates, Services Registry, agreements, Test Environment, Specifications • Gateway– Systems that implement NHIN Specifications • Intra-HIO Zone – Systems within the HIO • Patient Facing Zone – Interface with patient. Provider system or Personal health record Patient-facing Zone Intra-HIOZone Intra-HIOZone Patient-facing Zone Gateway EHR Certificate Authority provides secure SSL Certificates for Gateways EHR Provider Lab Lab Provider NHIN Network Gateway EHR Patient Patient PHR PHR Gateway Provider Security HI Security NHIN Security HI Security Provider Security Trust FabricAgreements, Policy & Governance HIMSS 2010

  5. NHIN Components – Architectural View HIMSS 2010

  6. NHIN Security Infrastructure – Managed PKI • Entrust – Certificate Authority • mPKI software/service to manage SSL certificates • SSL worldwide standard • Certificates encryption between gateways • Certificates insure HIO has been vetted by NHIN 1 3 2 4 or Server HIMSS 2010

  7. NHIN SecurityData Use Reciprocal Support Agreement (DURSA) • Part of the chain of trust • Trust agreement signed by HIO • Legal framework for NHIN participation • Confidentiality, performance, data use, etc HIMSS 2010

  8. NHIN Security – HIO Security Guidelines • Non-binding best practice security guidelines for HIO • Foundational security elements to a secure system • Network security • Firewalls • Message security • Where to get more info HIMSS 2010

  9. NHIN Network Gateway Component Services Registry - UDDI • Universal Description Discovery and Integration • Service listings and associated meta data • Hosted Systinet Solution • Maintained by NHIN • Production and test platform HIMSS 2010

  10. NHIN Network Gateway Component Test Environment • Interoperability Testing – can the HIO successfully participate in a data exchange • Conformance Testing – does the HIO conform to the specifications • Methods, process, procedures, and environment to test gateway software NISTConformanceTools NHIN Interoperability Testing Lab (Internet employing CA/UDDI) 1 2 Candidate System HIMSS 2010

  11. CONNECT Reference System (CRS) Certification & Accreditation (C&A) and Security Management Overview

  12. CONNECT C&A - Procedure • A thorough understanding of the risk that the system presents to the business\technical operations of federal partners and public & private organizations • A full set of C&A documentation (system security plan, security artifacts, reports, data, etc.) • A Security Test and Evaluation (ST&E) was conducted to verify that all controls are implemented and performing as described • Identification, categorization and prioritization of action items (POAMs) to address and monitor “weaknesses” • An Authorization to Operate (ATO) from the HHS Designated Approval Authority (DAA) • Continuous Monitoring - combines input from C&A with planned lifecycle development & systems operations processes to maintain security posture HIMSS 2010

  13. CONNECT C&A - Status • CRS ver. 2.1 C&A package completed, delivered and reviewed by the HHS Certifying Authority, Dan Galik (HHS CISO) on 1/15/2010 • Approved on 1/22/2010 by the HHS Designated Approval Authority (DAA), Michael Carleton (HHS CIO) with an Authorization to Operate (ATO) granted • CRS ver. 2.2 has been through a “Change Risk Assessment” which was reviewed and approved by the CRS Business Owner and Information System Security Officer (ISSO) • CRS ver. 2.3 re-assessment is in process • Future releases of CRS will be re-assessed in accordance with the CRS Continuous Monitoring Plan HIMSS 2010

  14. CONNECT Security Management Program Continuous Risk Management • Risk Assessment and Security Planning Policies & Procedures • Risk Analysis as part of the development cycle • Periodic Risk Assessments Risk Mitigation • Vulnerability scanning • Patching • Incident response coordination • Feedback loop with installed base Security Controls and Continuous Monitoring • FISMA controls cover a wide breadth of technical, management and operational safeguards • ST&E, POAMs and Re-Assessments C&A and the Non-Federal Community HIMSS 2010

  15. CONNECT C&A: Extended ImpactOperational Security Impact – Security Program • A one-time, narrowly enforced C&A effort misses overlap opportunities with security program management and risk management requirements • Opening up C&A by including continuous monitoring blends the complementary security goals of compliance and ongoing operational security • Doing so will also leverage the spending and resource time spent on compliance into effective and efficient ongoing security practices Operational Security Impact: Configuration baselines Implementation guidelines “Defensive” mechanisms (IDS, firewall rule sets, etc.) Repeated HIMSS 2010

  16. CONNECT C&A – Extended ImpactOperational Security Impact – Monitoring Select controls & monitoring approach System baseline categorization Operational Security Impact: Vulnerability discovery and mitigation Continual update of SSP and ST&E documents More efficient risk analysis and resource planning Control effectiveness Impact of system or environment change HIMSS 2010

  17. The participation of any company or organization in the NHIN and CONNECT area within the HIMSS Interoperability showcase does not represent an endorsement by the Office of the National Coordinator for Health Information Technology, the Federal Health Architecture or the Department of Health and Human Services. Thank You

More Related