On Tue, 19 Nov 2019 at 15:40, 'Volk, Nathan (CDC/DDPHSIS/CGH/OD)' via OpenHIE DevOps <ohie-devops@googlegroups.com> wrote:
Derek,
Thanks for the additional information. I wasn’t aware of the IHE cookbook or the ISO 27799 toolkit. I had a few thoughts based on the cookbook/ISO guidelines for the community to consider.
Section 2.2.3 Mitigation of relevant Risks
This is a fundamental part of doing a risk assessment and ensuring your product is protected across multiple areas of potential cyberthreats. The challenge I’ve seen occur is that they conduct the assessment without understanding the threats facing the industry they’re working in. This happens because a community to leverage and teach people doesn’t exist, or they’re not aware of one. This issue has caused the creation of ISACs in multiple industries across the world. In the U.S., the H-ISAC and the HITRUST Alliance (both linked below) were formed with the objective to improve education and information sharing to ensure cyber and IT professionals were collaborating on addressing cyber industries in the space. Do you know if this has been considered at an international or donor level at all?
https://hitrustalliance.net/
https://h-isac.org/
Technical and Standards to reduce risk
The cookbook mentions ensuring technical mitigations are considered in the security profile of a system. Has OHIE considered looking at different standards to ensure best-practice security controls are implemented across the products within the community? For example, ensuring OAuth for authentication and a secure version of TLS/SSL are available. This would tie into the item above about threats, which would help ensure groups maintaining the products we use understand the threats/vulnerabilities and can update the products as soon as possible.
____________________________________
Nathan Volk, MS, CISSP
Information Systems Security Officer (ISSO)
Informatics and Information Resources Office
Center for Global Health
Centers for Disease Control and Prevention
Email: nvolk@cdc.gov
(land) 404-718-4797
From: ohie-devops@googlegroups.com <ohie-devops@googlegroups.com> On Behalf Of Derek Ritz
Sent: Tuesday, November 19, 2019 10:00 AM
To: ohie-devops@googlegroups.com
Subject: Re: Security and Privacy Follow Up
Nathan -- thank you for this very excellent summary of applicable content... and for facilitating the discussion related to this topic at the Addis meeting.
As an additional comment -- I would like to point out that many countries have adopted ISO-27799 as the root of their health data security and privacy framework. ISO-27799 is a healthcare-focused specialization of the ISO-27k series of specifications. The very helpful NIST documents are US-specific specifications; for our global work it may be helpful to go to the underlying "source" (ISO-27k). There is an excellent (and free!) collection of ISO-27k artefacts and tools available here: Free ISO27k Toolkit.
IHE has also developed a security and privacy "cookbook". There are useful notes and procedures there, especially related to risk assessment. The cookbook can be found here: Cookbook for Security Considerations - IHE Wiki.
Warmest regards,
Derek
On Tue, Nov 19, 2019 at 7:39 AM 'Volk, Nathan (CDC/DDPHSIS/CGH/OD)' via OpenHIE DevOps <ohie-devops@googlegroups.com> wrote:
First, I wanted to thank the OpenHIE community for giving me a chance to help facilitate a discussion around data security and privacy issues facing the community.
During the discussion, there were inquiries about various IT security frameworks that people could utilize to assess the risk of their implementations. I wanted to follow up and ensure people were aware of the standards available.
U.S. National Institute of Standards and Technology (NIST) Special Publication 800 Series
https://www.nist.gov/itl/nist-special-publication-800-series-general-information
NIST develops many guidelines and frameworks to assist with addressing security issues. For an organization looking to start an IT security program or to evaluate the risk of a Health Information System, I recommend looking at the two links below.
NIST Risk Management Framework
NIST Risk Management Framework | CSRC
NIST SP800-171 is a guideline for assessing an IT system, including the various security controls to review.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf
The International Organization for Standardization (ISO) has equivalent guidance that is available for a fee. Their standards match the NIST publications for the most part. The same general security controls are listed for evaluation and the methodology is similar.
ISO 27001 – Information Security Management
ISO/IEC 27001:2022 - Information security, cybersecurity and privacy protection — Information security management systems — Requirements
ISO IEC 82304-1:2016(en) "Health software — Part 1: General requirements for product safety"
https://www.iso.org/obp/ui/#iso:std:iec:82304:-1:ed-1:v1:en
There is additional guidance out there for those of you who want to start at a more basic level before going into hundred-plus-page documents.
SANS & The Center for Information Security release a yearly top 20 security controls that organizations should prioritize to keep their data safe. A poster of these can be found here:
https://www.sans.org/media/critical-security-controls/Poster_CIS-Security-Controls_2018.pdf
Since many of you are developers, the Open Web Application Security Project periodically releases a top 10 list of application vulnerabilities to look out for:
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_(en).pdf.pdf
I hope this information helps. If you have any additional questions, please reply to this. If you have a question, I’m sure others will as well.
--
You received this message because you are subscribed to the Google Groups "OpenHIE DevOps" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ohie-devops+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ohie-devops/CH2PR09MB4054801C971B423BF252424F804C0%40CH2PR09MB4054.namprd09.prod.outlook.com.
--
Derek Ritz, P.Eng., CPHIMS-CA
ecGroup Inc.
+1 (905) 515-0045