Security and Privacy Follow Up

First, I wanted to thank the OpenHIE community for giving me a chance to help facilitate a discussion around data security and privacy issues facing the community.

During the discussion, there were inquiries about various IT Security frameworks that people could utilize to assess the risk of their implementations. I wanted to follow up and ensure people were aware of the standards available.

U.S. National Institute of Standards and Technology (NIST) Special Publication 800 Series

https://www.nist.gov/itl/nist-special-publication-800-series-general-information

https://csrc.nist.gov/publications/sp800

NIST develops many guidelines and frameworks to assist with addressing security issues. For an organization looking to start an IT Security program or to evaluate the risk of a Health Information System, I recommend looking at the two links below.

NIST Risk Management Framework

https://csrc.nist.gov/projects/risk-management/risk-management-framework-(RMF)-Overview

NIST SP800-171 is a guideline for assessing an IT System including the various security controls to review.

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf

The International Organization for Standardization (ISO) has equivalent guidance that is available for a fee. Their standards match the NIST publications for the most part. The same general security controls are listed for evaluation and the methodology is similar.

ISO 27001 – Information Security Management


https://www.iso.org/isoiec-27001-information-security.html

ISO IEC 82304-1:2016(en) “Health software — Part 1: General requirements for product safety”

https://www.iso.org/obp/ui/#iso:std:iec:82304:-1:ed-1:v1:en

There is additional guidance out there for those of you that want to start at a more basic level before going into hundred-plus-page documents.

SANS & The Center for Internet Security release a yearly top 20 security controls that organizations should prioritize to keep their data safe. A poster of these can be found here

https://www.sans.org/media/critical-security-controls/Poster_CIS-Security-Controls_2018.pdf

Since many of you are developers, the Open Web Application Security Project periodically releases a top 10 list of application vulnerabilities to look out for

https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

I hope this information helps. If you have any additional questions, please reply to this. If you have a question, I’m sure others will as well.

Nathan – thank you for this very excellent summary of applicable content… and for facilitating the discussion related to this topic at the Addis meeting.

As an additional comment – I would like to point out that many countries have adopted ISO-27799 as the root of their health data security and privacy framework. ISO-27799 is a healthcare-focused specialization of the ISO-27k series of specifications. The very-helpful NIST documents are US-specific specifications; for our global work it may be helpful to go to the underlying “source” (ISO-27k). There is an excellent (and free!) collection of ISO-27k artefacts and tools available here: https://www.iso27001security.com/html/toolkit.html.

IHE has also developed a security and privacy “cookbook”. There are useful notes and procedures, there, especially related to risk assessment. The cookbook can be found, here: https://wiki.ihe.net/index.php/Cookbook_for_Security_Considerations.

Warmest regards,

Derek


Derek Ritz, P.Eng., CPHIMS-CA
ecGroup Inc.
+1 (905) 515-0045

Derek,

Thanks for the additional information. I wasn’t aware of the IHE cookbook or the ISO 27799 toolkit. I had a few thoughts based on the cookbook/ISO guidelines for the community to consider.

Section 2.2.3 Mitigation of relevant Risks

This is a fundamental part of doing a risk assessment and ensuring your product is protected across multiple areas of potential cyberthreats. The challenge I’ve seen occur is that they conduct the assessment without understanding the threats facing the industry they’re working in. This happens because a community to leverage and teach people doesn’t exist or they’re not aware of one. This issue has caused the creation of ISACs in multiple industries across the world. In the U.S., the H-ISAC and the HITRUST Alliance (both linked below) were formed with the objective to improve education and information sharing to ensure cyber and IT professionals were collaborating on addressing cyber industries in the space. Do you know if this has been considered at an international or donor level at all?

https://hitrustalliance.net/

https://h-isac.org/

Technical and Standards to reduce risk

The cookbook mentions ensuring technical mitigations are considered in the security profile of a system. Has OHIE considered looking at different standards to ensure best-practice security controls are implemented across the products within the community? For example, ensuring OAuth for authentication and a secure version of TLS/SSL is available. This would tie into the item above about threats, which would help ensure groups maintaining the products we use understand the threats/vulnerabilities and can update the products as soon as possible.
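The TLS point in the message above is easy to state and easy to get wrong in deployment, so here is an added example (my own illustration, not code from this thread or from any OpenHIE product) of what "a secure version of TLS is available" looks like as a checkable configuration using Python's standard `ssl` module: a hardened server context next to a deliberately permissive one, and an audit function that flags the permissive one. The cipher string, the `WEAK_CIPHER_MARKERS` list and the function names are my assumptions for the illustration; the audit inspects the context object offline and does not probe a live server.

```python
import ssl

# Substrings in OpenSSL cipher-suite names that indicate suites a service handling
# health data should never offer. Assumed list for this example, not an OpenHIE policy.
WEAK_CIPHER_MARKERS = ("NULL", "RC4", "DES", "MD5", "EXPORT", "ADH", "AECDH")


def hardened_server_context(certfile=None, keyfile=None):
    """Server context that only negotiates TLS 1.2+ with forward-secret AEAD suites.

    certfile/keyfile are optional here so the context can be built and audited
    without a certificate on disk; a real deployment always loads one.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # refuse SSLv3, TLS 1.0 and TLS 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION              # no CRIME-style compression oracle
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE    # server picks the suite, not the client
    # ECDHE key exchange only (forward secrecy), AEAD ciphers only, with explicit
    # exclusions for anonymous, null, MD5, RC4, 3DES and pre-shared-key suites.
    # TLS 1.3 suites are configured separately by OpenSSL and keep their AEAD-only defaults.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def legacy_server_context():
    """Deliberately permissive context, for comparison only: legacy versions and weak suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1    # re-admit TLS 1.0 if the OpenSSL build still can
    except ValueError:
        pass                                          # this build has dropped TLS 1.0 entirely
    # "COMPLEMENTOFALL" re-enables NULL-encryption suites; SECLEVEL=0 removes the strength floor
    ctx.set_ciphers("ALL:COMPLEMENTOFALL:@SECLEVEL=0")
    return ctx


def audit_tls_context(ctx):
    """Return a list of findings for a server SSLContext; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum protocol version is {ctx.minimum_version.name}; require TLSv1_2 or newer")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is enabled; set OP_NO_COMPRESSION")
    for suite in ctx.get_ciphers():                   # every suite the context would offer
        name = suite["name"]
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite offered: {name}")
        elif suite["strength_bits"] < 128:
            findings.append(f"cipher suite below 128-bit strength: {name}")
        elif not suite["aead"]:
            findings.append(f"non-AEAD cipher suite offered: {name}")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_server_context()),
                       ("legacy", legacy_server_context())):
        problems = audit_tls_context(ctx)
        print(f"{label}: {'PASS' if not problems else 'FAIL'}")
        for problem in problems:
            print("  -", problem)
```

The audit reads the context the way an application would build it, so it catches a regression before the service starts; whether a deployed endpoint still answers on a legacy version is a separate check against the live host (for example `openssl s_client -tls1 -connect host:443` should fail to handshake).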

Nathan Volk, MS, CISSP
Information Systems Security Officer (ISSO)
Informatics and Information Resources Office
Center for Global Health
Centers for Disease Control and Prevention
Email: nvolk@cdc.gov
(land) 404-718-4797


You received this message because you are subscribed to the Google Groups “OpenHIE DevOps” group.
To unsubscribe from this group and stop receiving emails from it, send an email to ohie-devops+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ohie-devops/CH2PR09MB4054801C971B423BF252424F804C0%40CH2PR09MB4054.namprd09.prod.outlook.com.


Thanks Nathan for starting this conversation. (And Derek, I have used the free ISO27k toolkit a lot. Very useful.)

For developers (and reviewers), I think the OWASP Application Security Verification Standard is also very relevant: OWASP Application Security Verification Standard | OWASP Foundation.

A bit more comprehensive than the venerable top 10.
