Cyber-Security White Paper Final 1Q2013 Version. to HIT Commission Feb. 21, 2013

Transcription

1 Cyber-Security White Paper Final 1Q2013 Version Recommended Priorities to HIT Commission Feb. 21, 2013

2 Background White Paper Origins June 2012 White paper development & security workshop Broad stakeholder involvement and authorship July 2012 through December 2012 Continued stakeholder involvement and reviews of draft January 2013 HIT Commission Meeting Draft Cyber-Security White Paper presented MiHIN tasked with prioritizing recommendations and producing Final 1Q2013 Cyber Security White Paper for February 2013 HIT Commission meeting

3 Prioritization Process Surveyed 50 experts and key stakeholders involved in developing/reviewing Cyber Security White Paper Respondents ranked recommendations as low, medium, high or essential priorities 26 responses received between Jan Feb % response rate Essential and high priorities recommended for action by HIT Commission and State being presented today

4 Recommendation Summary Section 7 Essential Priorities Conduct a risk assessment every (3) years Essential Establish a minimum set of safeguards Establish framework for identity management Develop and conduct an auditing program Develop an identity management infrastructure High Reduce financial burden with privacy and security compliance Endorse the National Institute of Standards and Technology (NIST) definitions of assurance levels These items are recommended for the HITC to act upon Medium Low 5 8

5 Recommendation Summary y 11 High Priorities Implement information security educational programs Essential Section Develop Level of Assurance (LOA) 3 roadmap Establish workgroup on security/privacy legislative issues Establish workgroup on establishing a Michigan Identity Trust Federation Build an Identity Trust Federation High Monitor Federal Trust Identity Federation efforts Fund HIE Identity Federation framework pilot Create a liability risk assessment program Provide online security risk assessment tool/audit service Endorse an Identity Trust Federation approach *These items are recommended for the HITC to act upon Medium Low 5 8

6 Proposed Next Steps HIT Commission determine essential and high priority recommendations to advance to the Director of MDCH Suggest a response requested by date Receive response from the Director of MDCH Review and act upon Director of MDCH response at next HIT Commission meeting

7 Questions? Contact Us: Timothy Pletcher Executive Director Jeff Livesay Associate Director Brian Seggie Brian Seggie Security Director / Chief Security Officer seggie@mihin.org

8 THANK YOU!

9 Essential and High Recommendations in Priority Order

10 Risk Assessment e and Mitigation Recommendation e o Section 5.3.1: Direct an entity designated by the State to develop a requirement that organizations exchanging health information should conduct a risk assessment every three (3) years and review all supporting policies and procedures annually. Priority rating = Essential

11 Security Baseline Recommendation Section 5.1.1: Direct an entity designated by the State to establish a minimum required set of safeguards (physical, administrative, i ti and technical) for all organizations that t engage in health information exchange. Priority rating = Essential

12 Identity ty Management age e Infrastructure Recommendation e o Section 6.2.1: The HIT Commission should work with appropriate organizations within the State of Michigan towards developing a formally accepted framework for identity management. Pi Priority it rating = Essential

13 Security Baseline Recommendation Section 5.1.2: Direct an entity designated by the State to develop and conduct an auditing program to enforce that organizations engaged in health information exchange have met a minimum set of security requirements. Qualified organizations should be audited every three (3) years. Priority rating = Essential

14 Identity ty Management age e Infrastructure Recommendation e o Section 6.2.2: The HIT Commission should work with appropriate organizations within the State of Michigan towards developing an identity management infrastructure that is both secure and interoperable across the all of the systems involved in statewide health information sharing that provides the ability to know what information is allowed to be shared and how information in one system may be exchanged with another system so that only those with appropriate rights can access information across systems. Priority rating = Essential

15 Addressing Violations Recommendation Section 3.2.1: Explore opportunities for entities participating in HIE to receive State of Michigan level protections to help reduce the financial i burden and costs associated with privacy and security compliance and data breach related issues. Priority rating = Essential

16 Assurance Levels Recommendation Section 6.1.1: The HIT Commission should formally endorse the National Institute of Standards and Technology (NIST) definitions of assurance levels. l Priority rating = Essential

17 Limitation of Liability Recommendations Section 3.1.1: Direct an entity designated by the State to create and implement information security educational programs (e.g., encryption of servers and portable devices), including an online resource center. Priority rating = High

18 Assurance Levels Recommendation Section 6.1.2: The HIT Commission should develop a roadmap for moving organizations to at least LOA #3 for all health information sharing activities iti that t fall into the HIPAA defined categories of Treatment, Payment, and Health Care Operations. Any such plans must provide reasonable and workable exemptions for emergency situations where human life is at risk. Priority rating = High

19 Training and Education Recommendation Section 5.2.5: Direct an entity designated by the State to develop an education and training program with a security risk and awareness curriculum to provide organizations that t exchange health information with options for implementing the framework requirements, social engineering techniques, and holding their users accountable for adhering to the safeguards. Priority rating = High

20 Chartering Additional Workgroups oups Recommendation e o Section 7.1.1: The HIT Commission should establish a working group on security and privacy legislative issues related to health information sharing. Priority rating = High

21 Chartering Additional Workgroups oups Recommendation e o Section 7.1.2: The HIT Commission should establish a working group on establishing a Michigan Identity Trust Federation to enable secure identity management for use in the Michigan HIE. Priority rating = High

22 Identity Trust Federation Recommendation Section 6.3.2: The HIT Commission should encourage the State of Michigan to endeavor to build an Identity Trust Federation that can operate and register as a Trust Framework Provider within the Federal Identity, Credentialing and Access Management (FICAM) Trust Framework Provider Adoption Process (TFPAP). This will allow identities within the Michigan HIE Identity Trust Federation to be trusted for access to systems operated by the Federal government such as those used for managing Medicare and Medicaid benefits. Priority rating = High

23 Identity Trust Federation Recommendation Section 6.3.3: The HIT Commission should establish a formal mechanism to continue to monitor Federal efforts such as National Strategy t for Trusted Identity in Cyberspace (NSTIC), which h is also developing models for trusted identity federations. NSTIC is strongly behind the idea of trust federations as the right model, as opposed to a single government operated identity management system. Priority rating = High

24 Chartering Additional Workgroups oups Recommendation e o Section 7.1.3: The HIT Commission should encourage funding for one or more pilot projects in establishing a framework for an HIE Identity Federation and working operational models for such an identity federation. Pi Priority it rating = High

25 Cyber Liability Recommendation Section 4.1.1: Direct an entity designated by the State to create a liability risk assessment program, based in part on the MiHIN sub- state t HIE security audit program and the Nebraska HIE model, where the entity designated by the State and/or its approved contractors shall offer the Risk Assessment Plus audit program. This audit program will provide organizations with the basic HIPAA risk assessment, a vulnerability penetration test and remediation services. Priority rating = High

26 Risk Assessment e and Mitigation Recommendation e o Section 5.3.2: Direct an entity designated by the State to provide an online security risk assessment tool and/or audit service (at an affordable fee). Said entity should also develop and issue a request for qualifications (RFQ) to identify companies that can conduct a risk assessment in accordance with established program requirements. Approved companies will provide to organizations that exchange health information and their participants/users online security risk assessment tools and/or auditing services as well as discounted rates when purchasing a full security audit. Priority rating = High

27 Identity Trust Federation Recommendation Section 6.3.1: The HIT Commission should endorse an Identity Trust Federation approach versus a centralized model. Priority rating = High