IT Security Requirements Under the HITECH Act RA for MU and Continuous Monitoring Lisa Broome, RPMS ISSO.
Agenda
- Introduction
- Threat Identification
- Vulnerability Identification
- Control Analysis
- Risk Mitigation

Privacy & Security are key to maintaining trust in health IT. Meaningful use criteria and certification standards are tools to promote health IT. Privacy and security are incorporated to address the risks associated with increasing information sharing, access and use.

Risk Analysis for Meaningful Use: CIA; Resources and Information; 45 CFR (a)(1); HITECH Act Requirements. IT security is the foundation for building TRUST in health information technology and electronic information exchange.

Risk Analysis for Meaningful Use
- Designed to assess the security posture of a system or application.
- Raises management's awareness of the major security risks in their infrastructure.
- Proposes recommendations for mitigating these risks.
- Ensures IHS meets the Federal requirements for Meaningful Use.

Risk Assessment for Meaningful Use covers Physical, Environmental and Logical Controls.
- Physical: how access to information is protected, whether during the initial, processing, storage or destruction phase.
- Environmental: gauges changes in the environment that could impact the CIA of information.
- Logical: includes, but is not limited to, the use of software, collected data and hardware.

Risk Assessment for Meaningful Use: When should the RA be completed for a hospital?
- Hospitals participating in Medicare:
  - Year 1: RA needed prior to the end of the 90 day reporting period.
  - Year 2+: RA needed prior to the end of the 365 day reporting period (based on fiscal year).
- Hospitals participating in Medicaid:
  - Year 1: no RA needed.
  - Year 2: RA needed prior to the end of their 90 day period (any consecutive 90 day period in the fiscal year).
  - Year 3: RA needed prior to the end of the 365 day reporting period (based on fiscal year).
Note: All Federal sites must complete the monthly Secure Fusion and Annual Risk Analysis survey in order to maintain SA (formerly C&A).

Risk Assessment for Meaningful Use: When should an RA be completed for an EP?
- EP participating in Medicare:
  - Year 1: RA needed prior to the end of their 90 day reporting period.
  - Year 2+: RA needed prior to the end of their 365 day reporting period (calendar year).
- EP participating in Medicaid:
  - Year 1: no RA needed.
  - Year 2: RA needed prior to the end of their 90 day reporting period.
  - Year 3+: RA needed prior to the end of their 365 day reporting period (calendar year).

Threat Identification
- Threat: the potential for a particular threat-source to successfully exercise a specific vulnerability.
- Facilities must evaluate the potential for a particular threat source to successfully exercise a particular vulnerability, the impact to the facility, and the corresponding response, using a hazard-specific scale.
- Risk Analysis (pages 12-14): U:\Desktop\Risk Analysis Revision 2.docx

Vulnerability Identification
- Develop a list of system vulnerabilities (flaws or weaknesses) that could be exploited.
- Vulnerabilities are captured via automated tools.
- OIT/DIS provides some vulnerability identification via continuous monitoring:
  - Monthly Secure Fusion Report
  - Penetration Testing (available to sites)
  - Intrusion Prevention System
  - Wireless survey (available to sites utilizing wireless)
  - Network Threat Response
  - Log Management (RPMS logs should be reviewed periodically)

Vulnerability Identification & Secure Fusion: Monthly Reports
- Reporting to HHS: focus on High Risks by Area; part of the Quarterly Report to the HHS Secretary.
- Implemented across IHS Federal/Tribal/Urban facilities in August 2009.
- Each facility can access its Secure Fusion reports, which provide a detailed list of vulnerabilities and a fix action for each vulnerability.

Vulnerability Identification & Secure Fusion: High Risk Mitigation grade scale: % A | % A | % B | % C | % D | < 40% F

Vulnerability Identification & Secure Fusion: High Risk Aging grade scale: < 30 days A | days A | days B | days C | days D | > 90 days F

Vulnerability Identification & Secure Fusion: other vulnerability tests run by OIT/DIS
- TippingPoint: IPS; insert findings in Appendix D.
- Network Threat Response: discovers zero-day malware.
- ArcSight Log Management: logs should be reviewed.

Vulnerability Identification & Pen Testing
- Evaluates the security of a computer system or network by simulating a malicious attack.
- Must be performed annually.
- Testing should include the approach, methodology, procedures and results.
- For each finding the following should be reported: description of the finding, affected host(s), impact, recommendation for mitigation, and source(s) for corrective action.
- OIT/DIS has preconfigured laptops that sites may borrow in order to complete Pen Testing. Point of contact is: Dan Largo;

Vulnerability Identification & VisiWave
- For sites that utilize wireless.
- Provides visualization of wireless devices within a facility and can identify device interference.
- IHS OIT/DIS has laptops with VisiWave installed; these laptops can be loaned out to sites for VisiWave testing.
- Results should be included in Appendix E.

Control Analysis
- Analyze implemented controls (modify as needed).
- Based upon NIST (SP) , Rev 3.
- Common controls are provided for you via GPO settings and should not be changed; the site is responsible for ensuring the correct controls are implemented.
- Risk Analysis (pages 19-21): U:\My Documents\Work docs\Continuous Monitoring\Risk Analysis Revision 2.docx

3rd-Party Software Needed for MU
- WinHasher: MU requirement for (s), Integrity. Allows verification of file integrity using file hash comparison. Open source, available for sites to download.
- IPsec: installed on Windows-based RPMS systems.
- VanDyke: installation for AIX RPMS systems. At each facility where RPMS is running on an AIX system, the Service Unit/Site is responsible for installing it. Contact OIT Support for installation instructions.
For Official Use Only
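As an added illustration (not the presentation's or WinHasher's own code), this Python example shows the kind of hash-comparison check the integrity requirement calls for: build a SHA-256 baseline manifest of a directory, then re-hash it later and report files that were modified, removed or added. The sample files and the temporary directory are constructed for the demo.

```python
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large exports never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict[str, str]:
    """Baseline: relative path -> SHA-256 hex digest for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_manifest(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Re-hash the tree and classify every difference against the stored baseline."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }

def demo() -> dict[str, list[str]]:
    """Constructed sample: three files are baselined, then one is altered,
    one deleted and one introduced, which the verification must flag."""
    root = Path(tempfile.mkdtemp())
    for name, data in {"a.txt": b"alpha", "b.txt": b"bravo", "c.txt": b"charlie"}.items():
        (root / name).write_bytes(data)
    baseline = build_manifest(root)
    (root / "a.txt").write_bytes(b"ALPHA")   # content changed -> modified
    (root / "b.txt").unlink()                # file removed   -> missing
    (root / "d.txt").write_bytes(b"delta")   # file introduced -> added
    return verify_manifest(root, baseline)

if __name__ == "__main__":
    print(demo())
```

A clean run (same tree hashed twice) yields three empty lists, which is the state an auditor expects to see recorded.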

3rd-Party Software Needed for MU: MU requirement (u), General Encryption
- File Level Encryption: the ability to use a NIST-certified product to create a self-extracting encrypted file.
- Three products certified by IHS:
  - Symantec SEE (Removable): Federal solution provided by IHS; sites must contact OIT Support for installation instructions.
  - Credant2Go: 3rd-party client/server based product that I/T/Us can purchase.
  - 7-Zip: only available for Tribal sites; uses a FIPS-approved algorithm but is not certified by NIST; freeware.

Risk Mitigation
- Prioritizing, evaluating and implementing the appropriate risk-reducing controls recommended by the risk assessment process.
- Risk Analysis (Appendix G: Risk Mitigation Worksheet): manual sheet.
- Risk Analysis (Appendix H: Secure Fusion Mitigation Plan): automated plan.

Storage of Completed RAs
- Completed RAs will be stored on SharePoint: orms/AllItems.aspx?RootFolder=%2fsites%2fCAdocs%2fCA%20Docs%2fCompleted%20RA%20Templates&FolderCTID=&View=%7b088F5F7D%2d65C1%2d40FE%2dB719%2d20BB0AEF1220%7d
- HQ ISSOs will perform periodic audits of stored RAs and certify annually.

Questions?
Information Security Team:
IHS Information Security Web site:
Contact: Lisa Broome, RPMS ISSO: