First, I wanted to thank the OpenHIE community for giving me a chance to help facilitate a discussion around data security and privacy issues facing the community.
During the discussion, there were inquiries about various IT Security frameworks that people could utilize to assess the risk of their implementations. I wanted to follow up and ensure people were aware of the standards available.
U.S. National Institute of Standards and Technology (NIST) Special Publication 800 Series
https://www.nist.gov/itl/nist-special-publication-800-series-general-information
https://csrc.nist.gov/publications/sp800
NIST develops many guidelines and frameworks to assist with addressing security issues. For an organization looking to start an IT Security program or to evaluate the risk of a Health Information System, I recommend looking at the two links below.
NIST Risk Management Framework
https://csrc.nist.gov/projects/risk-management/risk-management-framework-(RMF)-Overview
NIST SP800-171 is a guideline for assessing an IT System including the various security controls to review.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf
The International Organization for Standardization (ISO) has equivalent guidance that is available for a fee. Their standards match the NIST publications for the most part. The same general security controls are listed for evaluation and the methodology is similar.
ISO 27001 – Information Security Management
https://www.iso.org/isoiec-27001-information-security.html
ISO IEC 82304-1:2016(en) "Health software — Part 1: General requirements for product safety"
https://www.iso.org/obp/ui/#iso:std:iec:82304:-1:ed-1:v1:en
There is additional guidance out there for those of you that want to start at a more basic level before going into hundred+ page documents.
SANS & The Center for Information Security release a yearly list of the top 20 security controls that organizations should prioritize to keep their data safe. A post of these can be found here:
https://www.sans.org/media/critical-security-controls/Poster_CIS-Security-Controls_2018.pdf
Since many of you are developers, the Open Web Application Security Project periodically releases a list of the top 10 application vulnerabilities to look out for:
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
I hope this information helps. If you have any additional questions, please reply to this. If you have the question, I’m sure others will as well.
____________________________________
Nathan Volk, MS, CISSP
Information Systems Security Officer (ISSO)
Informatics and Information Resources Office
Center for Global Health
Centers for Disease Control and Prevention
Email: nv...@cdc.gov
(land) 404-718-4797
--
You received this message because you are subscribed to the Google Groups "OpenHIE DevOps" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ohie-devops...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ohie-devops/CH2PR09MB4054801C971B423BF252424F804C0%40CH2PR09MB4054.namprd09.prod.outlook.com.
Derek Ritz, P.Eng., CPHIMS-CA
ecGroup Inc.
+1 (905) 515-0045
Derek,
Thanks for the additional information. I wasn’t aware of the IHE cookbook or the ISO 27799 toolkit. I had a few thoughts based on the cookbook/ISO guidelines for the community to consider.
Section 2.2.3 Mitigation of relevant Risks
This is a fundamental part of doing a risk assessment and ensuring your product is protected across multiple areas of potential cyberthreats. The challenge I’ve seen occur is that they conduct the assessment without understanding the threats facing the industry they’re working in. This happens because a community to leverage and teach people doesn’t exist, or they’re not aware of one. This issue has caused the creation of ISACs in multiple industries across the world. In the U.S., the H-ISAC and the HITRUST Alliance (both linked below) were formed with the objective to improve education and information sharing to ensure cyber and IT professionals were collaborating on addressing cyber industries in the space. Do you know if this has been considered at an international or donor level at all?
Technical and Standards to reduce risk
The cookbook mentions ensuring technical mitigations are considered in the security profile of a system. Has OHIE considered looking at different standards to ensure best-practice security controls are implemented across the products within the community? For example, ensuring OAuth for authentication and a secure version of TLS/SSL is available. This would tie into the item above about threats, which would help ensure groups maintaining the products we use understand the threats/vulnerabilities and can update the products as soon as possible.