Cyber Security and Open Source Community Call Seong K. Mun, PhD Don Hewitt, CISSP OSEHRA Arlington, Virginia Webex: https://osehra.webex.com/osehra/onstage/g.php?M.

Presentation transcript:

1 Cyber Security and Open Source Community Call
Seong K. Mun, PhD
Don Hewitt, CISSP
OSEHRA, Arlington, Virginia
Webex: https://osehra.webex.com/osehra/onstage/g.php?MTID=ed80e9e1ef7191574fe28dc5f063d03ed
Call-in number: 1-650-479-3207, Access code: 661 832 679
1:00 pm (Eastern), Wednesday, March 23, 2016

2 Agenda
Specific Questions and Lead Volunteers
Workgroup Reports
Question 1
Question 3
Question 4
Work Schedule
Any Questions or Comments?
Please Note: Calls are Recorded for Future Reference and Collected Documents are Open

3 Cybersecurity Workgroup
OSEHRA Cybersecurity Workgroup: https://www.osehra.org/groups/cybersecurity-and-open-source
Onboarding
1. Join OSEHRA as an Associate member (free)
2. Join the Cybersecurity Workgroup to receive meeting notices and minutes.
Workgroup Resources (located at the Group homepage)
– Section Leaders
– Reference Documents List
– Draft Response Documents
– Members
Weekly Call Meetings (Weekly: Wed, 1:00 PM Eastern)
– Webex: https://osehra.webex.com/osehra/onstage/g.php?MTID=ed80e9e1ef7191574fe28dc5f063d03ed
– Call-in number: 1-650-479-3207, Access code: 661 832 679

4 Need Lead Volunteers
1. Does the open source community have a focus on cyber security? Mun - OSEHRA
2. Are projects to enhance cybersecurity proposed to OSEHRA by the open source community? If so, have any been completed? Hewitt - OSEHRA
3. Are there lessons learned from Red Hat/Linux WRT cybersecurity that might be applicable to health IT? Hilburger - Red Hat
4. What is the relationship of OSEHRA certification to cybersecurity? Hewitt - OSEHRA

5 (Q1) Focus on Cyber Security
OSEHRA does not (yet)
Some examples in the greater open source community
– http://www.open-scap.org/
Available open source security resources
– NIST
– DHS

6 (Q2) Open Source Projects
Previous special project for vulnerability remediation
– M2M Broker vulnerability
– Joint effort, closed project group under non-disclosure
– Precedent and process established
No project proposals for explicit security upgrades
Project Metron and Apache NiFi proposed as items of interest
VA has proposed an open source project for a code scanning tool (similar to HP Fortify) for M code
– OSEHRA recommends enhancing the existing Xindex tool rather than starting from scratch
– Most effective approach would be a funded community open source project

7 (Q3) Red Hat Reporting
Are there lessons learned from Red Hat/Linux WRT cybersecurity that might be applicable to health IT?

8-12 (no transcript text)

13 (Q4) Certification
What is the relationship of OSEHRA Certification to cyber security?
Brief answer: OSEHRA Certification is intended as a prerequisite for, not a replacement of, the in-depth testing required for specific implementations. As such, while specific tools may be run during code review, OSEHRA does not intend to certify the security of code. However…

14 (Q4) Certification Components

15 (Q4) SAC Checking
Standards and Conventions (SAC) compliance
– Critical aspect of security
– Dependent upon quality / breadth of the SAC rule base
– Example: scope checking
Susceptible to use of scanning tools
– Fortify
– Xindex (currently limited)
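As an added illustration of why SAC-style rules lend themselves to automated scanning (this is not code from the presentation, from OSEHRA, or from Xindex or Fortify): a toy Python checker that applies one assumed scope rule, "a routine may call only routines in its own namespace or on an explicit allowlist of supported entry points", to a constructed M routine. The namespace ZZD, the routine text and the allowlist entries are all invented for the example; the real SAC rule base and the VA's supported-reference lists are far broader.

```python
"""Toy namespace-scope checker for M (MUMPS) routines.

Added example for the SAC-checking discussion.  It applies ONE assumed rule,
"a routine may call only routines in its own namespace or on an explicit
allowlist of supported entry points", to a constructed routine.  It is not
the VA SAC rule base and not Xindex or Fortify.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample routine (not real VistA code); assumed namespace "ZZD".
SAMPLE_ROUTINE = """\
ZZDEMO ;OSEHRA demo - constructed sample routine ;03/23/2016
 ;;1.0;DEMO;;
EN N X,Y
 D INIT^ZZDHELP S Y=$$FMTE^XLFDT($$NOW^XLFDT)
 I Y D ^DIC
 D EN^XYZOTHER,REPORT^ZZDRPT
 S ^TMP("ZZD",$J)=Y ; a global reference, not a routine call
 Q
"""

# Supported references assumed for the example; real ICR/SAC lists differ.
ALLOWED_REFS: Set[str] = {"NOW^XLFDT", "FMTE^XLFDT", "^DIC"}

# TAG^ROUTINE or ^ROUTINE at the start of a DO/GOTO argument.
ENTRY_REF = re.compile(r"^(?P<tag>[%A-Z][A-Z0-9]*)?\^(?P<rtn>[%A-Z][A-Z0-9]*)")
# $$TAG^ROUTINE extrinsic function calls anywhere on the line.
EXTRINSIC = re.compile(r"\$\$(?P<tag>[%A-Z][A-Z0-9]*)?\^(?P<rtn>[%A-Z][A-Z0-9]*)")


def split_outside_quotes(text: str, sep: str) -> List[str]:
    """Split on `sep` when not inside a "..." string literal or parentheses."""
    parts: List[str] = []
    buf: List[str] = []
    depth, in_str = 0, False
    for ch in text:
        if ch == '"':
            in_str = not in_str
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == sep and depth == 0:
                parts.append("".join(buf))
                buf = []
                continue
        buf.append(ch)
    parts.append("".join(buf))
    return parts


def strip_comment(line: str) -> str:
    """Drop an M comment (';' to end of line) that is outside a string literal."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == ";" and not in_str:
            return line[:i]
    return line


def calls_in_line(line: str) -> List[Tuple[str, str]]:
    """Return (tag, routine) pairs for $$ extrinsics and DO/GOTO entry refs."""
    code = strip_comment(line)
    calls = [(m.group("tag") or "", m.group("rtn")) for m in EXTRINSIC.finditer(code)]
    # Everything before the first space is the line label; commands follow it.
    body = code.split(" ", 1)[1] if " " in code else ""
    tokens = [t for t in split_outside_quotes(body, " ") if t]
    for i, tok in enumerate(tokens[:-1]):
        cmd = tok.split(":", 1)[0].upper()  # strip a postconditional such as D:X
        if cmd in ("D", "DO", "G", "GOTO"):
            for arg in split_outside_quotes(tokens[i + 1], ","):
                m = ENTRY_REF.match(arg)
                if m:
                    calls.append((m.group("tag") or "", m.group("rtn")))
    return calls


def check_scope(routine_text: str, namespace: str, allowed: Set[str]) -> List[Dict[str, object]]:
    """Flag calls that leave `namespace` and are not on the allowlist."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(routine_text.splitlines(), 1):
        for tag, rtn in calls_in_line(line):
            ref = f"{tag}^{rtn}"
            if rtn.startswith(namespace) or ref in allowed:
                continue
            findings.append({"line": lineno, "ref": ref,
                             "reason": f"call leaves namespace {namespace} and is not an allowed reference"})
    return findings


if __name__ == "__main__":
    for f in check_scope(SAMPLE_ROUTINE, "ZZD", ALLOWED_REFS):
        print(f"line {f['line']}: {f['ref']}: {f['reason']}")
```

On the constructed routine the checker reports a single finding, the call to EN^XYZOTHER on line 6, and correctly ignores the ^TMP global reference and the allowlisted Kernel/FileMan references. A real scanner also has to handle indirection (@), XECUTE strings and argumentless DO blocks, none of which this toy attempts; that gap is exactly the "quality / breadth of the rule base" point made on the slide.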

16 (Q4) Code Review
Major advantage of open source
– More eyes on code is better
– Security through obscurity is a myth
Proper facilitation is key
– Bugs
– Possible improvements
– Possible (or definite) vulnerabilities
Documented issues and results

17 (Q4) Regression Testing
Continuous unit testing
– Emergent best practice
– Critical part of defense in depth
– Required for higher OSEHRA certification levels
M-Unit available for M code

18 (Q4) Summary
No overt security certification by OSEHRA
Substantial contribution to the security of incoming open source code
– Use of automated scan tools
– Open code review
– Requirement for unit tests
As tools improve (e.g. Xindex), OSEHRA's contribution to security will increase

19 Workgroup Schedule
Weekly Calls, 1:00 PM (Eastern) – Volunteer Leaders Will Facilitate
Wednesday, March 30
Wednesday, April 6
Wednesday, April 13 – SUBMISSION TO VA

20 Closing…
Thoughts? Comments? Questions?

21 Adjournment

