NIST’s Role in Securing Health Information
AMA-IEEE Medical Technology Conference on Individualized Healthcare
Kevin Stine, Information Security Specialist
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
March 22, 2010
NIST’s Mission
To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology …
… in ways that enhance economic security and improve our quality of life.
Computer Security Division’s Mission
A division within the Information Technology Laboratory, CSD provides standards and technology to protect information systems against threats to the confidentiality, integrity, and availability of information and services …
… in order to build trust and confidence in Information Technology (IT) systems.
Agenda
Meaningful Use, Standards, and Certification (Oh My)
NIST HIT Security Activities… Past, Present, and Near Future
Wireless and Mobile Technology Resources
Meaningful Use, Standards, and Certifications (Oh My)
Meaningful Use (NPRM)
• Adopt and meaningfully use certified electronic health record (EHR) technology
• Stage 1 (beginning in 2011): Ensure adequate privacy and security protections for personal health information.
Standards and Certification (IFR)
• Represents the first step in an incremental approach to adopting standards, implementation specifications, and certification criteria to enhance the interoperability, functionality, utility, and security of health information technology and to support its meaningful use.
Standards for HIT to protect Electronic Health Info (IFR, §170.210)
• Encryption and decryption of EHI
• Record actions related to EHI
• Verification that electronic health information has not been altered in transit
• Cross-enterprise authentication
Certification Criteria (IFR, §170.302)
• Access Control, Audit Log, Integrity, Authentication, Encryption
NIST HIT Security Activities… Past, Present, and Near Future
Risk Management
Risk Management Framework (Security Life Cycle; repeat as necessary)
Starting Point: Organizational Inputs and Architecture Description feed the Risk Executive Function (Organizational View)
• Organizational Inputs: Laws, Directives, Policy Guidance; Strategic Goals and Objectives; Priorities and Resource Availability; Supply Chain Considerations
• Architecture Description: FEA Reference Models; Segment and Solution Architectures; Mission and Business Processes; Information System Boundaries
• Step 1: CATEGORIZE Information Systems (FIPS 199 / SP 800-60)
• Step 2: SELECT Security Controls (FIPS 200 / SP 800-53) → Security Plan
• Step 3: IMPLEMENT Security Controls (SP 800-70)
• Step 4: ASSESS Security Controls (SP 800-53A) → Security Assessment Report
• Step 5: AUTHORIZE Information Systems (SP 800-37) → Plan of Actions & Milestones
• Step 6: MONITOR Security State (SP 800-37 / 800-53A)
Health IT Security - What We’ve Done…
Standards Harmonization
• Support ONC and HITSP in harmonizing and integrating standards to enable exchange of health information
Outreach & Awareness
• Present on application of security standards and guidelines to HIPAA and HIT security implementations
Publications & Resources
• HIPAA Security Rule Guide
• HIE Security Architecture
Health IT Security - What We Plan To Do…
Security Automation
• HIPAA Security Rule toolkit
• Security configuration checklists
HIT Test Infrastructure
• Provide capability for current and future EHR testing needs against standards
• Conformance and interoperability testing capabilities
Wireless and Mobile Technology Resources
Wireless and Mobile Technology Security Resources
Wireless
• SP 800-127 (Draft), Guide to Security for WiMAX Technologies
• SP 800-121, Guide to Bluetooth Security
• SP 800-120, Recommendations for EAP Methods Used in Wireless Network Access Authentication
• SP 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i
• SP 800-48 Revision 1, Guide to Securing Legacy IEEE 802.11 Wireless Networks
Mobile Technologies
• SP 800-124, Guidelines on Cell Phone and PDA Security
• SP 800-114, User’s Guide to Securing External Devices for Telework and Remote Access
• SP 800-101, Guidelines on Cell Phone Forensics
• SP 800-46 Rev 1, Guide to Enterprise Telework and Remote Access Security
Thank You
Kevin [email protected]
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Computer Security Resource Center: http://csrc.nist.gov
NIST Health IT Standards and Testing: http://healthcare.nist.gov