Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT Michael Torppey, CONNECT Health IT Security Specialist (Contractor)

Presentation transcript:

Security and Privacy for the NHIN and CONNECT
Nick Vennaro, NHIN Team (Contractor), Office of the National Coordinator for Health IT
Michael Torppey, CONNECT Health IT Security Specialist (Contractor), Federal Health Architecture, Office of the National Coordinator for Health IT
Wednesday, 5:00 – 5:30 PM

Agenda
Welcome
Nationwide Health Information Network (NHIN)
NHIN Architectural Components
NHIN Network Gateway Components
CONNECT Gateway Reference Implementation: FHA CONNECT
Certification & Accreditation (C&A) and Security Management Program Overview
C&A Procedure/Status
CONNECT Security Management Program
HIMSS 2010

Nationwide Health Information Network (NHIN)
NHIN is not a database
Harmonized standards to exchange health data
Membership agreements
SSL Certificates
Services Registry
Test Environment – Interop and conformance

NHIN Components
NHIN Network – Zone for transporting health info between gateways
– Certificates, Services Registry, agreements, Test Environment, Specifications
Gateway – Systems that implement NHIN Specifications
Intra-HIO Zone – Systems within the HIO
Patient Facing Zone – Interface with patient. Provider system or Personal health record
[Diagram: two HIOs connected across the NHIN Network through their Gateways. Each HIO has an Intra-HIO Zone (EHR, Lab, PHR) and a Patient-facing Zone (Provider, Patient). The Trust Fabric (Agreements, Policy & Governance) spans NHIN Security, HI Security and Provider Security. The Certificate Authority provides secure SSL Certificates for Gateways.]

NHIN Components – Architectural View

NHIN Security Infrastructure – Managed PKI
Entrust – Certificate Authority
mPKI software/service to manage SSL certificates
SSL is a worldwide standard
Certificates provide encryption between gateways
Certificates ensure the HIO has been vetted by NHIN

NHIN Security – Data Use Reciprocal Support Agreement (DURSA)
Part of the chain of trust
Trust agreement signed by the HIO
Legal framework for NHIN participation
Confidentiality, performance, data use, etc.

NHIN Security – HIO Security Guidelines
Non-binding best practice security guidelines for HIOs
Foundational security elements of a secure system
– Network security
– Firewalls
– Message security
– Where to get more info

NHIN Network Gateway Component: Services Registry – UDDI
Universal Description, Discovery and Integration
Service listings and associated metadata
Hosted Systinet solution
Maintained by NHIN
Production and test platform

NHIN Network Gateway Component: Test Environment
Interoperability Testing – can the HIO successfully participate in a data exchange
Conformance Testing – does the HIO conform to the specifications
Methods, process, procedures, and environment to test gateway software
[Diagram: Candidate System connected over the Internet (employing CA/UDDI) to the NHIN Interoperability Testing Lab and the NIST Conformance Tools.]

CONNECT Reference System (CRS): Certification & Accreditation (C&A) and Security Management Overview

CONNECT C&A – Procedure
A thorough understanding of the risk that the system presents to the business/technical operations of federal partners and public & private organizations
A full set of C&A documentation (system security plan, security artifacts, reports, data, etc.)
A Security Test and Evaluation (ST&E) was conducted to verify that all controls are implemented and performing as described
Identification, categorization and prioritization of action items (POAMs) to address and monitor "weaknesses"
An Authorization to Operate (ATO) from the HHS Designated Approval Authority (DAA)
Continuous Monitoring – combines input from C&A with planned lifecycle development & systems operations processes to maintain security posture

CONNECT C&A – Status
CRS ver. 2.1 C&A package completed, delivered and reviewed by the HHS Certifying Authority, Dan Galik (HHS CISO), on 1/15/2010
Approved on 1/22/2010 by the HHS Designated Approval Authority (DAA), Michael Carleton (HHS CIO), with an Authorization to Operate (ATO) granted
CRS ver. 2.2 has been through a "Change Risk Assessment", which was reviewed and approved by the CRS Business Owner and Information System Security Officer (ISSO)
CRS ver. 2.3 re-assessment is in process
Future releases of CRS will be re-assessed in accordance with the CRS Continuous Monitoring Plan

CONNECT Security Management Program
Continuous Risk Management
– Risk Assessment and Security Planning
– Policies & Procedures
– Risk Analysis as part of the development cycle
– Periodic Risk Assessments
Risk Mitigation
– Vulnerability scanning
– Patching
– Incident response coordination
– Feedback loop with installed base
Security Controls and Continuous Monitoring
– FISMA controls cover a wide breadth of technical, management and operational safeguards
– ST&E, POAMs and Re-Assessments
C&A and the Non-Federal Community

CONNECT C&A: Extended Impact – Operational Security Impact – Security Program
A one-time, narrowly enforced C&A effort misses overlap opportunities with security program management and risk management requirements
Opening up C&A by including continuous monitoring blends the complementary security goals of compliance and ongoing operational security
Doing so also leverages the spending and resource time spent on compliance into effective and efficient ongoing security practices
C&A Process – System Information Revealed:
– information types contained
– relative importance of the system to the organization
– security controls that protect the system
– system risks
– system boundaries
Operational Security Impact:
– Configuration baselines
– Implementation guidelines
– "Defensive" mechanisms (IDS, firewall rule sets, etc.)

CONNECT C&A – Extended Impact – Operational Security Impact – Monitoring
C&A – Continuous Monitoring Strategy:
– Select controls & monitoring approach
– System baseline categorization
– Control effectiveness
– Impact of system or environment change
Continuous Monitoring Methods:
– Automated processes
– IT management systems
– C&A re-assessment
– Periodic audits
Operational Security Impact:
– Vulnerability discovery and mitigation
– Continual update of SSP and ST&E documents
– More efficient risk analysis and resource planning

Thank You
The participation of any company or organization in the NHIN and CONNECT area within the HIMSS Interoperability Showcase does not represent an endorsement by the Office of the National Coordinator for Health Information Technology, the Federal Health Architecture or the Department of Health and Human Services.