Ra for mu and continuous monitoring
Sponsored Links
This presentation is the property of its rightful owner.
1 / 21

RA for MU and Continuous Monitoring PowerPoint PPT Presentation

  • Uploaded on
  • Presentation posted in: General

RA for MU and Continuous Monitoring. IT Security Requirements Under the HITECH Act. Lisa Broome, RPMS ISSO. Agenda. Introduction Threat Identification Vulnerability Identification Control Analysis Risk Mitigation HIPAA Questions?.

Download Presentation

RA for MU and Continuous Monitoring

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

RA for MU and Continuous Monitoring

IT Security Requirements Under the HITECH Act

Lisa Broome, RPMSISSO


  • Introduction

  • Threat Identification

  • Vulnerability Identification

  • Control Analysis

  • Risk Mitigation


  • Questions?

Privacy & Security are key to maintaining trust in health IT

Meaningful use criteria and certification

standards are tools to promote health IT

Privacy and security are incorporated to

address risks associated with increasing information

sharing, access and use.

IT security is the foundation to build TRUST in health information technology & electronic information exchange.

Risk Analysis for MU and Continuous Monitoring

HITECH Act Requirements

45 CFR 164.308(a)(1)


Resources and Information

Risk Analysis for MU and Continuous Monitoring

  • Designed to access the security posture of a system or application.

  • Raise Management’s awareness of major security risks in their infrastructure.

  • Propose recommendations for mitigation of these risks.

  • Ensures IHS meets the Federal requirements for Meaningful Use.

Risk Assessment for MU and Continuous Monitoring

  • Covers: Physical, Environmental and Logical Controls

  • Physical: How access to information is protected whether during initial, processing, storage or destruction phrase.

  • Environmental: Gauges changes in the environment which could impact CIA of information.

  • Logical: Include but are not limited to the use of software, collected data and hardware.

Risk Assessment for MU and Continuous Monitoring

  • When should the RA be completed?

  • Hospitals participating in:

    • Medicare: Completion is based on fiscal year. Must be completed by September 30, 2011

    • Medicaid: If participating for 1 year do not need to complete a RA.

  • EP participating in:

    • Medicare: Completion is based on calendar year. Must be completed by December 31, 2011.

    • Medicaid: If participating for 1 year do not need to complete the RA.

  • Note: All Federal sites must complete monthly Secure Fusion and Annual Risk Analysis survey in order to maintain SA (formerly C&A).

Threat Identification

  • Threat: The potential for a particular threat-source to successfully exercise a specific vulnerability.

  • Facilities must evaluate the potential for a particular threat source to successfully exercise a particular vulnerability, the impact to the facility and corresponding response using a hazard specific scale.

    • Risk Analysis (pages 12-14)

      • U:\Desktop\Risk Analysis Revision 2.docx

Vulnerability Identification

  • Develop a list of system vulnerabilities (flaws or weaknesses) that could be exploited.

  • Vulnerabilities captured via automated tools.

  • OIT/DIS provides some vulnerability identification via continuous monitoring.

    • Monthly Secure Fusion Report

    • Penetration Testing (available to sites)

    • Intrusion Prevention System

    • Wireless survey (available to sites utilizing wireless)

    • Network Threat Response

    • Log Management (available June 2011)

Vulnerability Identification & Secure Fusion

Implemented Across IHS Federal/Tribal/Urban Facilities in August 2009

Monthly Reports

Focus on HighRisks by Area

Reporting to HHS

Part of the QuarterlyReport to the HHS Secretary

  • Each facility can access Secure Fusion reports

    • Provides a detailed list of vulnerabilities

    • Fix action for each vulnerability

Vulnerability Identification & Secure Fusion

Vulnerability Identification & Secure Fusion

Vulnerability Identification & Secure Fusion

Other vulnerability tests run by OIT/DIS

  • TippingPoint: IPS, insert findings in Appendix D

  • Network Threat Response: Discovers zero-day malware

  • ArcSight Log Management: Logs should be reviewed.

Vulnerability Identification & Pen Testing

  • Evaluates the security of a computer system or network by simulating a malicious attack.

  • Must be performed annually.

  • Testing should include

    • Approach, methodology, procedures and results.

  • For each finding the following should be reported

    • Description of finding, affected host(s), impact, recommendation for mitigation and source(s) for corrective action.

  • OIT/DIS has preconfigured laptops sites may borrow in order to complete Pen Testing

  • Points of contact are: Dan Largo; [email protected] or Shad Malloy; [email protected]

Vulnerability Identification & VisiWave

  • For sites that utilize wireless

  • Provides visualization of wireless devices within a facility

  • Can identify device interference

  • IHS OIT/DIS has laptops with VisiWave installed. These laptops can be loaned out to sites for VisiWave testing.

  • Results should be included in Appendix E.

Control Analysis

  • Analyze implemented controls (modify as needed)

  • Based upon NIST (SP) 800-53, Rev 3

  • Common controls provided for you( site is responsible for ensuring correct controls are implemented.

    • Risk Analysis (pages 19-21)

      • U:\My Documents\Work docs\Continuous Monitoring\Risk Analysis Revision 2.docx

For Official Use Only

3rd Party Software Needed for MU

  • Symantec:

    • MU requirement for 170.302(u), General Encryption.

    • Allows file level encryption.

    • Installed on IHS owned equipment NLT July 2011.

  • WinHasher:

    • MU requirement for 107.302(s), Integrity.

    • Allows verification of file integrity utilizing file hash comparison.

    • Open Source, available for sites to download

  • IPSec:

    • Installed on Windows based RPMS systems

  • VanDyke:

    • Currently being installed across the AIX RPMS enterprise.

  • Two-factor authentication for EHR access

    (While it technically needed to meet the standard, facilities will NOT be

    required to utilize 2-factor under Stage 1.

Risk Mitigation

  • Prioritizing, evaluating and implementing appropriate risk- reducing controls recommended from the risk assessment process.

  • Risk Analysis (Appendix G:- Risk Mitigation Worksheet)

    • Manual sheet

  • Risk Analysis (Appendix H:- Secure Fusion Mitigation Plan)

    • Automated plan

Storage of Completed RAs

  • Completed RA will be stored on SharePoint.

    • https://workgroups.ihs.gov/sites/CAdocs/CA%20Docs/Forms/AllItems.aspx?RootFolder=%2fsites%2fCAdocs%2fCA%20Docs%2fCompleted%20RA%20Templates&FolderCTID=&View=%7b088F5F7D%2d65C1%2d40FE%2dB719%2d20BB0AEF1220%7d

  • HQ ISSOs will:

    • Perform periodic audits of stored RA.

    • Certify annually.


Upcoming changes

  • Photocopier/Fax/MFD:

    • Have hard drives installed.

    • Must be disposed of properly.

    • http://home.security.ihs.gov/CompNotes/Copier_Research_Special_Bulletin_Final.pdf

  • Business Associates:

    • Now responsible for their breaches as an independent entity.

  • Patient requests for medical information

    • Must be provided to the patient within 30 days.

    • If patient requests electronic format such as CD/DVD/Flash/E-mail

      • We must provide encrypted.

      • Patient may request unencrypted format and we must accommodate.

  • Note: These are upcoming rules we are taking a first look at. No decisions have been made in regards to media funding.


Information Security Team: [email protected] Information Security Web site: http://security.ihs.govContact:Lisa Broome, RPMSISSO: 505-248-4381 [email protected]

  • Login