Tenable Core + Nessus Installation Guide


Lore Dosher

Aug 5, 2024, 9:38:58 AM
to rofpipoza
Certain commercial entities, equipment, products, or materials may be identified by name or company logo or other insignia in order to acknowledge their participation in this collaboration or to describe an experimental procedure or concept adequately. Such identification is not intended to imply special status or relationship with NIST or recommendation or endorsement by NIST or NCCoE; neither is it intended to imply that the entities, equipment, products, or materials are necessarily the best available for the purpose.

As a private-public partnership, we are always seeking feedback on our practice guides. We are particularly interested in seeing how businesses apply NCCoE reference designs in the real world. If you have implemented the reference design, or have questions about applying it in your environment, please email us at hit_...@nist.gov.


NIST Cybersecurity Practice Guides (Special Publication 1800 series) target specific cybersecurity challenges in the public and private sectors. They are practical, user-friendly guides that facilitate the adoption of standards-based approaches to cybersecurity. They show members of the information security community how to implement example solutions that help them align with relevant standards and best practices and provide users with the lists of materials, configuration files, and other information they need to implement a similar approach.


The documents in this series describe example implementations of cybersecurity practices that businesses and other organizations may voluntarily adopt. These documents do not describe regulations or mandatory practices, nor do they carry statutory authority.


Increasingly, healthcare delivery organizations (HDOs) are relying on telehealth and remote patient monitoring (RPM) capabilities to treat patients at home. RPM is convenient and cost-effective, and its adoption rate has increased. However, without adequate privacy and cybersecurity measures, unauthorized individuals may expose sensitive data or disrupt patient monitoring services.


This practice guide assumes that the HDO engages with a telehealth platform provider that is a separate entity from the HDO and patient. The telehealth platform provider manages a distinct infrastructure, applications, and set of services. The telehealth platform provider coordinates with the HDO to provision, configure, and deploy the RPM components to the patient home and assures secure communication between the patient and clinician.


The NCCoE analyzed risk factors regarding an RPM ecosystem by using risk assessment based on the NIST Risk Management Framework. The NCCoE also leveraged the NIST Cybersecurity Framework, NIST Privacy Framework, and other relevant standards to identify measures to safeguard the ecosystem. In collaboration with healthcare, technology, and telehealth partners, the NCCoE built an RPM ecosystem in a laboratory environment to explore methods to improve the cybersecurity of an RPM ecosystem.


Technology solutions alone may not be sufficient to maintain privacy and security controls on external environments. This practice guide notes the application of people, process, and technology as necessary to implement a holistic risk mitigation strategy.


The Technology Partners/Collaborators who participated in this build submitted their capabilities in response to a notice in the Federal Register. Respondents with relevant capabilities or product components were invited to sign a Cooperative Research and Development Agreement (CRADA) with NIST, allowing them to participate in a consortium to build this example solution. We worked with:


NOTICE: The Information Technology Laboratory (ITL) has requested that holders of patent claims whose use may be required for compliance with the guidance or requirements of this publication disclose such patent claims to ITL. However, holders of patents are not obligated to respond to ITL calls for patents and ITL has not undertaken a patent search in order to identify which, if any, patents may apply to this publication.


As of the date of publication and following call(s) for the identification of patent claims whose use may be required for compliance with the guidance or requirements of this publication, no such patent claims have been identified to ITL.


This National Institute of Standards and Technology (NIST) Cybersecurity Practice Guide demonstrates a standards-based reference design and provides users with the information they need to replicate the telehealth remote patient monitoring (RPM) environment. This reference design is modular and can be deployed in whole or in part.


Technology or security program managers who are concerned with how to identify, understand, assess, and mitigate risk will be interested in NIST SP 1800-30B, which describes what we did and why. The following sections will be of particular interest:


You might share the Executive Summary, NIST SP 1800-30A, with your leadership team members to help them understand the importance of adopting standards-based commercially available technologies that can help secure the RPM ecosystem.


The NCCoE constructed a virtual lab environment to evaluate ways to implement security capabilities across an RPM ecosystem, which consists of three separate domains: patient home, telehealth platform provider, and healthcare delivery organization (HDO). The project implements virtual environments for the HDO and patient home while collaborating with a telehealth platform provider to implement a cloud-based telehealth RPM environment. The telehealth environments contain simulated patient data that portray relevant cases that clinicians could encounter in real-world scenarios. The project then applies security controls to the virtual environments. Refer to NIST Special Publication (SP) 1800-30B, Section 5, Security and Privacy Characteristic Analysis, for an explanation of why we used each technology.


This section of the practice guide contains detailed instructions for installing and configuring all the products used to build an instance of the example solution. The project team implemented several capabilities that included deploying components received from telehealth platform providers and components that represent the HDO. The telehealth platform providers provisioned biometric devices that were deployed to a patient home environment. Within the HDO, the engineers deployed network infrastructure devices to implement network zoning and configure perimeter devices. The engineers also deployed security capabilities that supported vulnerability management and a security information and event management (SIEM) tool. The following sections detail deployment and configuration of these components.


The project team implemented a model where an HDO partners with telehealth platform providers to enable RPM programs. Telehealth platform providers are third parties that, for this practice guide, configured, deployed, and managed biometric devices and mobile devices (e.g., tablets) that were sent to the patient home. The telehealth platform provider managed data communications over cellular and broadband where patients send biometric data to the telehealth platform provider. The telehealth platform provider implemented an application that allowed clinicians to access the biometric data.


Accuhealth provided biometric devices that included cellular data communication. Accuhealth also included a cloud-hosted application for HDOs to access patient-sent biometric data. Accuhealth provisioned biomedical devices with subscriber identity module (SIM) cards that enabled biomedical devices to transmit data via cellular data communications to the Accuhealth telehealth platform. Accuhealth stored patient-transmitted data in an application. Individuals assigned with clinician roles accessed transmitted data hosted in the Accuhealth application. The biomedical data displayed in the following screen captures are notional in nature and do not relate to an actual patient.


The Accuhealth solution includes installing an application within the HDO environment. Clinicians access a portal hosted by Accuhealth that allows a clinician to view patient biometric data. The application requires unique user accounts and role-based access control. System administrators create accounts and assign roles through an administrative console. Sessions from the clinician to the hosted application use encryption to ensure data-in-transit protection.


For communication paths C and D, a simulated cloud environment was created to represent a telehealth platform provider that supports broadband-capable biometric devices. A sample Vivify Pathways Care Team Portal was obtained to demonstrate how patient data could be transmitted via broadband communications. Practitioners should note, however, that Vivify as an entity may not support this use case. Vivify engineers facilitated deploying the Vivify Pathways Care Team Portal as representative of how a telehealth platform provider may support the communications pathway. Communication paths A and B used telehealth platform providers that were located outside the NCCoE lab, and data were transmitted via cellular communications.


Communication path D required more add-on security controls to be configured in the virtual cloud environment. For this communication pathway, the representative Vivify Pathways Care Team Portal was connected to an Onclave Telehealth Gateway. This gateway accepted data transmissions from the RPM interface connected to the Onclave Home Gateway housed in the patient home environment.


Using a web browser interface, clinicians access a portal hosted by Vivify that allows access to view patient biometric data. Portal interaction requires unique user accounts and role-based access control. System administrators create accounts and assign roles through an administrative console. Sessions from the clinician to the hosted application use encryption to ensure data-in-transit protection.


The following instruction and configuration steps depict how the NCCoE engineers and project collaborators implemented the provided cybersecurity tools to achieve the desired security capabilities identified in NIST SP 1800-30B, Section 4.4, Security Capabilities.

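The two portal descriptions above (the Accuhealth portal and the Vivify Pathways Care Team Portal) state the same access rules: unique user accounts, role-based access control, and administrators rather than clinicians creating accounts and assigning roles. As an added example that is not part of the original post, not from NIST SP 1800-30, and not the code of either portal, here is a deny-by-default model of those rules that a reviewer could use to reason about what a portal must refuse. The role and permission names, the extra "auditor" role, the per-clinician patient assignment scope, and the audit-log format are this example's own assumptions; the readings are constructed and notional.

```python
"""Deny-by-default RBAC for a clinician portal (added example, assumptions labelled)."""
from dataclasses import dataclass

# Role -> permissions. Anything not listed here is refused.
# "admin" and "clinician" follow the guide's description; "auditor" is an
# assumed extra role showing that a role without biometrics access gets none.
PERMISSIONS = {
    "admin": frozenset({"account:create", "role:assign"}),
    "clinician": frozenset({"biometrics:view"}),
    "auditor": frozenset({"audit:read"}),
}


class AccessDenied(Exception):
    """Raised for every refused action; callers never get a partial result."""


@dataclass
class Account:
    username: str                                # unique per person, no shared logins
    role: str                                    # exactly one role from PERMISSIONS
    assigned_patients: frozenset = frozenset()   # assumed minimum-necessary scope


class Portal:
    def __init__(self, initial_admin):
        # The first admin is seeded out of band (e.g. at deployment);
        # every later account must be created by an existing admin.
        self._accounts = {initial_admin: Account(initial_admin, "admin")}
        self._biometrics = {}   # patient_id -> list of readings
        self.audit_log = []     # one line per authorization decision

    def _authorize(self, actor, permission, target):
        acct = self._accounts.get(actor)
        role_perms = PERMISSIONS.get(acct.role, frozenset()) if acct else frozenset()
        allowed = permission in role_perms
        self.audit_log.append(
            f"actor={actor} perm={permission} target={target} "
            f"result={'ALLOW' if allowed else 'DENY'}")
        if not allowed:
            raise AccessDenied(f"{actor!r} may not {permission} on {target!r}")
        return acct

    def create_account(self, actor, username, role, assigned_patients=()):
        self._authorize(actor, "account:create", username)
        if username in self._accounts:
            raise ValueError(f"username {username!r} already exists")
        if role not in PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self._accounts[username] = Account(username, role, frozenset(assigned_patients))

    def assign_role(self, actor, username, role):
        self._authorize(actor, "role:assign", username)
        if role not in PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        old = self._accounts[username]
        self._accounts[username] = Account(username, role, old.assigned_patients)

    def ingest_reading(self, patient_id, reading):
        # Stands in for the device-to-platform path; not a user action.
        self._biometrics.setdefault(patient_id, []).append(dict(reading))

    def view_biometrics(self, actor, patient_id):
        acct = self._authorize(actor, "biometrics:view", patient_id)
        if patient_id not in acct.assigned_patients:
            self.audit_log.append(f"actor={actor} scope={patient_id} result=DENY")
            raise AccessDenied(f"{actor!r} is not assigned to patient {patient_id!r}")
        return [dict(r) for r in self._biometrics.get(patient_id, [])]


def denied(fn, *args):
    """True if the call is refused by the authorization layer."""
    try:
        fn(*args)
        return False
    except AccessDenied:
        return True


def demo():
    """Walk through the scenario; returns the outcomes for inspection."""
    portal = Portal(initial_admin="admin1")
    portal.create_account("admin1", "dr_lee", "clinician", assigned_patients=["P-001"])
    # Constructed, notional readings; not from any real patient.
    portal.ingest_reading("P-001", {"type": "bp", "systolic": 128, "diastolic": 82})
    portal.ingest_reading("P-002", {"type": "bp", "systolic": 141, "diastolic": 93})
    return {
        "clinician_sees_assigned": portal.view_biometrics("dr_lee", "P-001")[0]["systolic"],
        "clinician_blocked_unassigned": denied(portal.view_biometrics, "dr_lee", "P-002"),
        "clinician_cannot_create": denied(portal.create_account, "dr_lee", "x", "admin"),
        "admin_cannot_view": denied(portal.view_biometrics, "admin1", "P-001"),
        "unknown_user_denied": denied(portal.view_biometrics, "ghost", "P-001"),
        "audit_entries": len(portal.audit_log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is the shape of the checks, not the data structures: every action passes through one authorization function that logs its decision, unknown users and unknown roles fall through to deny, and the administrator role deliberately has no permission to read biometric data, so a compromised admin console does not by itself expose patient readings.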