NIST SPECIAL PUBLICATION 1800-1


Securing Electronic Health Records on Mobile Devices


Volume D:

Standards and Controls Mapping



Gavin O’Brien

Nate Lesser

National Cybersecurity Center of Excellence

Information Technology Laboratory


Brett Pleasant

Sue Wang

Kangmin Zheng

The MITRE Corporation

McLean, VA


Colin Bowers

Kyle Kamke

Ramparts, LLC

Clarksville, MD



July 2018


This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.1800-1


The first draft of this publication is available free of charge from: https://www.nccoe.nist.gov/sites/default/files/library/sp1800/hit-ehr-nist-sp1800-1-draft.pdf





DISCLAIMER

Certain commercial entities, equipment, products, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST or NCCoE, nor is it intended to imply that the entities, equipment, products, or materials are necessarily the best available for the purpose.

National Institute of Standards and Technology Special Publication 1800-1D, Natl. Inst. Stand. Technol. Spec. Publ. 1800-1D, 32 pages, (July 2018), CODEN: NSPUE2

FEEDBACK

As a private-public partnership, we are always seeking feedback on our Practice Guides. We are particularly interested in seeing how businesses apply NCCoE reference designs in the real world. If you have implemented the reference design, or have questions about applying it in your environment, please email us at hit_nccoe@nist.gov.

All comments are subject to release under the Freedom of Information Act (FOIA).

National Cybersecurity Center of Excellence
National Institute of Standards and Technology
100 Bureau Drive
Mail Stop 2002
Gaithersburg, MD 20899
Email: nccoe@nist.gov

NATIONAL CYBERSECURITY CENTER OF EXCELLENCE

The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity issues. This public-private partnership enables the creation of practical cybersecurity solutions for specific industries, as well as for broad, cross-sector technology challenges. Through consortia under Cooperative Research and Development Agreements (CRADAs), including technology partners—from Fortune 50 market leaders to smaller companies specializing in IT security—the NCCoE applies standards and best practices to develop modular, easily adaptable example cybersecurity solutions using commercially available technology. The NCCoE documents these example solutions in the NIST Special Publication 1800 series, which maps capabilities to the NIST Cybersecurity Framework and details the steps needed for another entity to recreate the example solution. The NCCoE was established in 2012 by NIST in partnership with the State of Maryland and Montgomery County, Md.

To learn more about the NCCoE, visit https://www.nccoe.nist.gov/. To learn more about NIST, visit https://www.nist.gov.

NIST CYBERSECURITY PRACTICE GUIDES

NIST Cybersecurity Practice Guides (Special Publication Series 1800) target specific cybersecurity challenges in the public and private sectors. They are practical, user-friendly guides that facilitate the adoption of standards-based approaches to cybersecurity. They show members of the information security community how to implement example solutions that help them align more easily with relevant standards and best practices and provide users with the materials lists, configuration files, and other information they need to implement a similar approach.

The documents in this series describe example implementations of cybersecurity practices that businesses and other organizations may voluntarily adopt. These documents do not describe regulations or mandatory practices, nor do they carry statutory authority.

ABSTRACT

Healthcare providers increasingly use mobile devices to receive, store, process, and transmit patient clinical information. Our own risk analysis, discussed in this guide, and the experience of many healthcare providers show that mobile devices can introduce vulnerabilities into a healthcare organization’s networks. At the 2012 Health and Human Services Mobile Devices Roundtable, participants stressed that many providers are using mobile devices for healthcare delivery before they have implemented safeguards for privacy and security [1].

This NIST Cybersecurity Practice Guide provides a modular, open, end-to-end reference design that can be tailored and implemented by healthcare organizations of varying sizes and information technology (IT) sophistication. Specifically, the guide shows how healthcare providers, using open-source and commercially available tools and technologies that are consistent with cybersecurity standards, can more securely share patient information among caregivers who are using mobile devices. The scenario considered is that of a hypothetical primary care physician using her mobile device to perform recurring activities such as sending a referral (e.g., clinical information) to another physician or sending an electronic prescription to a pharmacy. While the design was demonstrated with a certain suite of products, the guide does not endorse these products in particular. Instead, it presents the characteristics and capabilities that an organization’s security experts can use to identify similar standards-based products that can be integrated quickly and cost-effectively with a healthcare provider’s existing tools and infrastructure.

KEYWORDS

EHR; electronic health records; HIPAA; mobile device security; patient health information; PHI; risk management; standards-based cybersecurity; stolen health records

ACKNOWLEDGMENTS

We would like to highlight and express our gratitude to Leah Kauffman, with NIST, who served as editor-in-chief of this guide.

We are grateful to the following individuals for their generous contributions of expertise and time.

Name Organization
Peter Romness Cisco
Jeff Ward IBM (Fiberlink)
Doug Bogia Intel
Matthew Taylor Intel
Steve Taylor Intel
Vicki Zagaria Intel
Robert Bruce MedTech Enginuity
Verbus Counts MedTech Enginuity
William (Curt) Barker NIST
Lisa Carnahan NIST
Leah Kauffman NIST
David Low RSA
Ben Smith RSA
Mita Majethia RSA
Steve Schmalz RSA
Adam Madlin Symantec
Sallie Edwards The MITRE Corporation

The Technology Partners/Collaborators who participated in this build submitted their capabilities in response to a notice in the Federal Register. Respondents with relevant capabilities or product components were invited to sign a Cooperative Research and Development Agreement (CRADA) with NIST, allowing them to participate in a consortium to build this example solution. We worked with:

Technology Partner/Collaborator Build Involvement
Cisco Identity Services Engine (ISE), Adaptive Security Virtual Appliance (ASAv), and RV220W
IBM MaaS360
Intel Intel® Identity Protection Technology (Intel® IPT) with Public Key Infrastructure (PKI)
MedTech Enginuity OpenEMR software
Ramparts Risk assessment and security testing
RSA Archer Governance, Risk & Compliance (GRC)
Symantec Endpoint Protection

List of Figures

Figure 5‑1 Architecture for the Secure Exchange of Electronic Health Records on Mobile Devices in a Healthcare Organization

List of Tables

Table 3‑1 Related Security Standards

Table 4‑1 Security Characteristics Mapped to Cybersecurity Standards and Best Practices, and HIPAA

Table 5‑1 Products and Technologies Used in the Secure Exchange of Electronic Health Records on Mobile Devices Reference Design

1. Practice Guide Structure

This NIST Cybersecurity Practice Guide demonstrates a standards-based reference design and provides users with the information they need to replicate this approach to securing electronic health records transferred among mobile devices. The reference design is modular and can be deployed in whole or in parts.

This Practice Guide is made up of five volumes:

  • NIST SP 1800-1A: Executive Summary
  • NIST SP 1800-1B: Approach, Architecture, and Security Characteristics – what we built and why
  • NIST SP 1800-1C: How-To Guides – instructions to build the reference design
  • NIST SP 1800-1D: Standards and Controls Mapping – listing of standards, best practices, and technologies used in the creation of this Practice Guide (you are here)
  • NIST SP 1800-1E: Risk Assessment and Outcomes – risk assessment methodology, results, test and evaluation

2. Introduction

NIST SP 1800-1D, Standards and Controls Mapping, provides a detailed listing of the standards and best practices used in the creation of the practice guide. This volume is broken into three sections:

  • Security Standards – the standards and best practices considered in development of this Practice Guide
  • Security Characteristics and Controls – mapping of the security characteristics described in NIST SP 1800-1B: Approach, Architecture, and Security Characteristics, Section 3.5, to the relevant security controls
  • Technologies – mapping of the technologies and products used in the reference design to the NIST Framework for Improving Critical Infrastructure Cybersecurity (also known as the Cybersecurity Framework) and relevant security controls

3. Security Standards

In addition to using the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Risk Management Framework [1], it is important to consider industry-specific security standards and best practices where possible. Table 3‑1 lists the security standards used to create this architecture.

Table 3‑1 Related Security Standards

Entries are grouped by related technology; each entry gives the relevant standard followed by its URL.

Cybersecurity — General
  • NIST Cybersecurity Framework — Standards, guidelines, and best practices to promote the protection of critical infrastructure
    https://www.nist.gov/itl/cyberframework.cfm
  • NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
    http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
  • ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information security controls
    https://www.iso.org/iso/catalogue_detail?csnumber=54533
  • 20 Critical Security Controls
    http://www.sans.org/critical-security-controls/

Healthcare Related
  • Health Insurance Portability and Accountability Act (HIPAA) Security Rule
    https://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
  • NIST SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
    https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-66r1.pdf
  • U.S. Department of Health and Human Services (HHS), Office of the National Coordinator for Health Information Technology (ONC), Security Risk Assessment (SRA) Tool, Technical Safeguards Content
    https://www.healthit.gov/sites/default/files/20140320_sratool_content_-_technical_volume_v1.docx
  • U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework
    http://www.hhs.gov/sites/default/files/NIST CSF to HIPAA Security Rule Crosswalk 02-22-2016 Final.pdf

Mobile Wireless Security
  • NIST SP 800-164, Guidelines on Hardware-Rooted Security in Mobile Devices (Draft)
    http://csrc.nist.gov/publications/drafts/800-164/sp800_164_draft.pdf
  • NIST SP 800-124r1, Guidelines for Managing the Security of Mobile Devices in the Enterprise
    http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-124r1.pdf
  • NIST SP 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i
    http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-97.pdf
  • NIST SP 800-48 rev1, Guide to Securing Legacy IEEE 802.11 Wireless Networks
    http://csrc.nist.gov/publications/nistpubs/800-48-rev1/SP800-48r1.pdf

Network Security (Firewall)
  • NIST SP 800-41 rev1, Guidelines on Firewalls and Firewall Policy
    http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf

Network Security (Remote Access)
  • NIST SP 800-114, User’s Guide to Securing External Devices for Telework and Remote Access
    https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-114r1.pdf
  • NIST SP 800-46 rev2, Guide to Enterprise Telework and Remote Access Security
    https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-46r2.pdf

Network Security (VPN)
  • NIST SP 800-77, Guide to IPsec VPNs
    http://csrc.nist.gov/publications/nistpubs/800-77/sp800-77.pdf
  • NIST SP 800-52 rev1, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations
    http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf

Protocol (RADIUS)
  • RFC 2138, Remote Authentication Dial In User Service (RADIUS)
    http://tools.ietf.org/html/rfc2138
  • RFC 2139, RADIUS Accounting
    http://tools.ietf.org/html/rfc2139
  • RFC 2865, Remote Authentication Dial In User Service (RADIUS)
    http://tools.ietf.org/html/rfc2865
  • RFC 2866, RADIUS Accounting
    http://tools.ietf.org/html/rfc2866
  • RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support
    http://tools.ietf.org/html/rfc2867
  • RFC 2869, RADIUS Extensions
    http://tools.ietf.org/html/rfc2869

Protocol (PPP)
  • RFC 2284, Point-to-Point Protocol (PPP) Extensible Authentication Protocol (EAP)
    https://tools.ietf.org/html/rfc2284
  • RFC 2716, PPP EAP TLS Authentication Protocol
    http://tools.ietf.org/html/rfc2716

Protocol (TLS)
  • NIST SP 800-52 rev1, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations
    http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf
  • RFC 2246, The TLS Protocol Version 1.0
    http://tools.ietf.org/html/rfc2246
  • RFC 4346, The Transport Layer Security (TLS) Protocol Version 1.1
    http://tools.ietf.org/html/rfc4346
  • RFC 5246, The Transport Layer Security (TLS) Protocol Version 1.2
    https://tools.ietf.org/html/rfc5246

Protocol (EAP)
  • RFC 3748, Extensible Authentication Protocol (EAP)
    http://tools.ietf.org/html/rfc3748
  • RFC 5247, Extensible Authentication Protocol (EAP) Key Management Framework
    http://tools.ietf.org/html/rfc5247
  • RFC 5216, The EAP-TLS Authentication Protocol
    http://tools.ietf.org/html/rfc5216

Key Management
  • NIST SP 800-57 Part 1 rev4, Recommendation for Key Management, Part 1: General
    https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf
  • NIST SP 800-57 Part 2, Recommendation for Key Management, Part 2: Best Practices for Key Management Organization
    http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-57p2.pdf
  • NIST SP 800-57 Part 3 rev1, Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance
    http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf
  • NIST SP 800-32, Introduction to Public Key Technology and the Federal PKI Infrastructure
    http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-32.pdf

Risk Management
  • NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments
    http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
  • NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View
    http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf
  • NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
    http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf

4. Security Characteristics and Controls

To establish the architectural boundaries of the use case, we mapped the components to the NIST Cybersecurity Framework, relevant NIST standards, industry standards, and best practices. From this map, we identified the set of security characteristics that our example solution would address. We then cross-referenced the characteristics to the security controls in NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations; in ISO/IEC 27002:2013, Information technology – Security techniques – Code of practice for information security controls [3]; in the Center for Internet Security (CIS) Critical Security Controls [4]; and in the Health Insurance Portability and Accountability Act of 1996 [5].

Mapping each of the more general security characteristics to multiple specific security controls defines each characteristic at a finer granularity and identifies the safeguards needed to implement it. The mappings also give traceability from a security characteristic to the evaluation of its security controls: NIST SP 1800-1E, Section 4, Security Controls Assessment, builds on them by illustrating tests of each countermeasure. The characteristics in Table 4‑1 map to the Protect and Detect functions of the NIST Cybersecurity Framework; the example implementation also used some technologies and products whose security characteristics map to the Respond or Recover functions. See NIST SP 1800-1B, Section 3.6, Technologies, for details.

Table 4‑1 Security Characteristics Mapped to Cybersecurity Standards and Best Practices, and HIPAA

Each entry gives the security characteristic; the NIST Cybersecurity Framework v1.1 Function, Category, and Subcategory; and the mapping to sector-specific standards and best practices: NIST SP 800-53 Rev 4, ISO/IEC 27002, the 20 Critical Security Controls, and the HIPAA Security Rule [2].

Security characteristic: Access control
Function: Protect (PR)
Category: Identity Management, Authentication and Access Control (PR.AC)
  • PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
    NIST SP 800-53 Rev 4: AC-2, IA Family
    ISO/IEC 27002: 8.3.3, 11.2.1, 11.2.2, 11.2.4, 15.2.1, 11.4.3
    20 Critical Security Controls: CSC-9
    HIPAA Security Rule: 45 C.F.R. §§ 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(d)
  • PR.AC-3: Remote access is managed
    NIST SP 800-53 Rev 4: AC-17, AC-19, AC-20
    ISO/IEC 27002: 7.1.3, 8.1.1, 8.1.3, 10.4.1, 10.6.1, 10.8.1, 11.1.1, 11.4.1, 11.4.2, 11.4.3, 11.4.4, 11.4.6, 11.4.7, 11.7.1, 11.7.2
    20 Critical Security Controls: CSC-17
    HIPAA Security Rule: 45 C.F.R. §§ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
  • PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
    NIST SP 800-53 Rev 4: AC-1, AC-2, AC-3, AC-5, AC-6, AC-14, AC-16, AC-24
    ISO/IEC 27002: 6.1.3, 7.2.2, 8.1.1, 8.3.3, 10.1.3, 10.8.1, 11.1.1, 11.2.1, 11.2.2, 11.2.4, 11.4.1, 11.4.4, 11.4.6, 11.5.4, 11.6.1, 12.4.2, 12.4.3, 15.2.1
    20 Critical Security Controls: CSC-9
    HIPAA Security Rule: 45 C.F.R. §§ 164.308(a)(3), 164.308(a)(4), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii)

Security characteristic: Audit controls/monitoring
Function: Detect (DE)
Category: Security Continuous Monitoring (DE.CM)
  • DE.CM-1: The network is monitored to detect potential cybersecurity events
    NIST SP 800-53 Rev 4: AC-2, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4
    ISO/IEC 27002: 6.1.8, 6.2.1, 8.3.3, 10.1.1, 10.1.2, 10.3.1, 10.3.2, 10.4.1, 10.4.2, 10.6.1, 10.8.1, 10.9.1, 10.9.2, 10.10.1, 10.10.2, 10.10.4, 10.10.5, 11.2.1, 11.2.2, 11.2.4, 11.4.5, 11.4.6, 12.4.1, 12.5.1, 12.5.2, 12.5.3, 13.1.1, 13.1.2, 15.2.1, 15.2.2
    20 Critical Security Controls: CSC-2, CSC-3, CSC-5, CSC-6, CSC-11
    HIPAA Security Rule: 45 C.F.R. §§ 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(8), 164.312(b), 164.312(e)(2)(i)
  • DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
    NIST SP 800-53 Rev 4: AC-2, AU-12, AU-13, CA-7, CM-10, CM-11
    ISO/IEC 27002: 6.1.8, 8.3.3, 10.10.1, 10.10.4, 10.10.5, 11.2.1, 11.2.2, 11.2.4, 15.2.1, 15.2.2
    20 Critical Security Controls: CSC-6, CSC-11
    HIPAA Security Rule: 45 C.F.R. §§ 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e)
  • DE.CM-4: Malicious code is detected
    NIST SP 800-53 Rev 4: SI-3, SI-8
    ISO/IEC 27002: 10.4.1
    20 Critical Security Controls: CSC-7
    HIPAA Security Rule: 45 C.F.R. §§ 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B)
  • DE.CM-5: Unauthorized mobile code is detected
    NIST SP 800-53 Rev 4: SC-18, SI-4, SC-44
    ISO/IEC 27002: 10.4.2, 10.10.2, 13.1.1, 13.1.2
    20 Critical Security Controls: CSC-5, CSC-6
    HIPAA Security Rule: 45 C.F.R. §§ 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B)
  • DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
    NIST SP 800-53 Rev 4: CA-7, PS-7, SA-4, SA-9, SI-4
    ISO/IEC 27002: 6.1.5, 6.1.8, 6.2.1, 6.2.3, 8.1.1, 8.1.3, 8.2.1, 10.2.1, 10.2.2, 10.2.3, 10.6.2, 10.8.2, 10.10.2, 12.1.1, 12.5.5, 13.1.1, 13.1.2, 15.2.1, 15.2.2
    20 Critical Security Controls: CSC-5, CSC-6, CSC-7
    HIPAA Security Rule: 45 C.F.R. § 164.308(a)(1)(ii)(D)
  • DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
    NIST SP 800-53 Rev 4: AU-12, CA-7, CM-3, CM-8, PE-3, PE-6, PE-20, SI-4
    ISO/IEC 27002: 6.1.8, 7.1.1, 7.1.2, 9.1.1, 9.1.2, 9.1.3, 9.1.5, 9.1.6, 10.1.1, 10.1.2, 10.3.2, 10.10.1, 10.10.2, 10.10.4, 10.10.5, 11.3.2, 11.4.4, 12.4.1, 12.5.1, 12.5.2, 12.5.3, 13.1.1, 13.1.2, 15.2.1, 15.2.2
    20 Critical Security Controls: CSC-1, CSC-2, CSC-5, CSC-6, CSC-7
    HIPAA Security Rule: 45 C.F.R. §§ 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.310(a)(1), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 164.312(b), 164.314(b)(2)(i)
  • DE.CM-8: Vulnerability scans are performed
    NIST SP 800-53 Rev 4: RA-5
    ISO/IEC 27002: 12.6.1, 15.2.2
    20 Critical Security Controls: CSC-7, CSC-10
    HIPAA Security Rule: 45 C.F.R. §§ 164.308(a)(1)(i), 164.308(a)(8)

Security characteristic: Device integrity
Function: Protect (PR)
Category: Identity Management, Authentication and Access Control (PR.AC)
  • PR.AC-3: Remote access is managed
    NIST SP 800-53 Rev 4: AC-1, AC-17, AC-19, AC-20, SC-15
    ISO/IEC 27002: 7.1.3, 8.1.1, 8.1.3, 10.4.1, 10.6.1, 10.8.1, 11.1.1, 11.4.1, 11.4.2, 11.4.3, 11.4.4, 11.4.6, 11.4.7, 11.7.1, 11.7.2
    20 Critical Security Controls: CSC-5, CSC-6, CSC-8, CSC-14
    HIPAA Security Rule: 45 C.F.R. §§ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
Category: Data Security (PR.DS)
  • PR.DS-1: Data-at-rest is protected
    NIST SP 800-53 Rev 4: MP-8, SC-12, SC-28
    ISO/IEC 27002: None
    20 Critical Security Controls: CSC-15
    HIPAA Security Rule: 45 C.F.R. §§ 164.308(a)(1)(ii)(D), 164.308(b)(1), 164.310(d), 164.312(a)(1), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.314(b)(2)(i), 164.312(d)
  • PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
    NIST SP 800-53 Rev 4: CM-8, MP-6, PE-16
    ISO/IEC 27002: 7.1.1, 7.1.2, 9.1.6, 9.2.6, 9.2.7, 10.7.1, 10.7.2, 10.7.3
    20 Critical Security Controls: CSC-1, CSC-2
    HIPAA Security Rule: 45 C.F.R. §§ 164.308(a)(1)(ii)(A), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(a)(2)(iv), 164.310(d)(1), 164.310(d)(2)
  • PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
    NIST SP 800-53 Rev 4: SC-16, SI-7
    ISO/IEC 27002: 10.4.1, 12.2.2, 12.2.3
    20 Critical Security Controls: CSC-3
    HIPAA Security Rule: 45 C.F.R. §§ 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i)
Category: Information Protection Processes and Procedures (PR.IP)
  • PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
    NIST SP 800-53 Rev 4: CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10
    ISO/IEC 27002: 6.1.3, 7.1.1, 7.1.2, 8.1.1, 10.1.1, 10.1.2, 10.1.4, 10.3.2, 11.1.1, 11.6.1, 12.4.1, 12.4.3, 12.5.1, 12.5.2, 12.5.3
    20 Critical Security Controls: CSC-2, CSC-3, CSC-4, CSC-7, CSC-13
    HIPAA Security Rule: 45 C.F.R. §§ 164.308(a)(8), 164.308(a)(7)(i), 164.308(a)(7)(ii)
Category: Protective Technology (PR.PT)
  • PR.PT-2: Removable media is protected and its use restricted according to policy
    NIST SP 800-53 Rev 4: MP-2, MP-3, MP-4, MP-5, MP-7, MP-8
    ISO/IEC 27002: 6.1.3, 7.1.1, 7.1.2, 8.1.1, 10.1.1, 10.1.2, 10.1.4, 10.3.2, 11.1.1, 11.6.1, 12.4.1, 12.4.3, 12.5.1, 12.5.2, 12.5.3
    20 Critical Security Controls: CSC-3, CSC-7
    HIPAA Security Rule: 45 C.F.R. §§ 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b)
Function: Detect (DE)
Category: Security Continuous Monitoring (DE.CM)
  • DE.CM-5: Unauthorized mobile code is detected
    NIST SP 800-53 Rev 4: SC-18, SI-4, SC-44
    ISO/IEC 27002: 10.4.2, 9.10.2, 13.1.1, 13.1.2
    20 Critical Security Controls: CSC-5, CSC-6, CSC-12, CSC-14
    HIPAA Security Rule: 45 C.F.R. §§ 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B)
  • DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
    NIST SP 800-53 Rev 4: CA-7, PS-7, SA-4, SA-9, SI-4
    ISO/IEC 27002: 6.1.5, 6.1.8, 6.2.1, 6.2.3, 8.1.1, 8.1.3, 8.2.1, 10.2.1, 10.2.2, 10.2.3, 10.6.2, 10.8.2, 9.10.2, 12.1.1, 12.5.5, 13.1.1, 13.1.2, 15.2.1, 15.2.2
    20 Critical Security Controls: CSC-3, CSC-5, CSC-6, CSC-7, CSC-14, CSC-15, CSC-17
    HIPAA Security Rule: 45 C.F.R. § 164.308(a)(1)(ii)(D)
  • DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
    NIST SP 800-53 Rev 4: AU-12, CA-7, CM-3, CM-8, PE-3, PE-6, PE-20, SI-4
    ISO/IEC 27002: 6.1.8, 7.1.1, 7.1.2, 9.1.1, 9.1.2, 9.1.3, 9.1.5, 9.1.6, 9.10.1, 9.10.2, 9.10.4, 9.10.5, 10.3.2, 11.4.4, 12.4.1, 12.5.1, 12.5.2, 12.5.3, 13.1.1, 13.1.2, 15.2.1, 15.2.2
    20 Critical Security Controls: CSC-1, CSC-2, CSC-3, CSC-4, CSC-5, CSC-6, CSC-14, CSC-17
    HIPAA Security Rule: 45 C.F.R. §§ 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.310(a)(1), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 164.312(b), 164.314(b)(2)(i)

Security characteristic: Person or entity authentication
Function: Protect (PR)
Category: Identity Management, Authentication and Access Control (PR.AC)
  • PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
    NIST SP 800-53 Rev 4: AC-1, AC-2, IA-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA-7, IA-8, IA-9, IA-10, IA-11
    ISO/IEC 27002: 8.3.3, 11.2.1, 11.2.2, 11.2.4, 15.2.1, 11.4.3
    20 Critical Security Controls: CSC-5, CSC-9, CSC-11
    HIPAA Security Rule: 45 C.F.R. §§ 164.308(a)(3)(ii)(B), 164.308(a)(3)(ii)(C), 164.308(a)(4)(i), 164.308(a)(4)(ii)(B), 164.308(a)(4)(ii)(C), 164.312(a)(2)(i), 164.312(a)(2)(ii), 164.312(a)(2)(iii), 164.312(d)
  • PR.AC-3: Remote access is managed
    NIST SP 800-53 Rev 4: AC-1, AC-17, AC-19, AC-20, SC-15
    ISO/IEC 27002: 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.2, 9.2.3, 10.6.1, 11.2.1, 11.2.2, 11.2.4, 11.3.2, 11.4.4
    20 Critical Security Controls: (none listed)
    HIPAA Security Rule: 45 C.F.R. §§ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
  • PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
    NIST SP 800-53 Rev 4: AC-1, AC-2, AC-3, AC-5, AC-6, AC-16
    ISO/IEC 27002: 6.1.3, 7.2.2, 8.1.1, 8.3.3, 10.1.3, 10.8.1, 11.1.1, 11.2.1, 11.2.2, 11.2.4, 11.4.1, 11.4.4, 11.4.6, 11.5.4, 11.6.1, 12.4.2, 12.4.3, 15.2.1
    20 Critical Security Controls: CSC-8, CSC-9
    HIPAA Security Rule: 45 C.F.R. §§ 164.308(a)(3), 164.308(a)(4), 164.310(a)(2)(iii), 164.310(b), 164.312(a)(1), 164.312(a)(2)(i), 164.312(a)(2)(ii)

Security characteristic: Transmission security
Function: Protect (PR)
Category: Identity Management, Authentication and Access Control (PR.AC)
  • PR.AC-3: Remote access is managed
    NIST SP 800-53 Rev 4: AC-1, AC-17, AC-19, AC-20, SC-15
    ISO/IEC 27002: 7.1.3, 8.1.1, 8.1.3, 10.4.1, 10.6.1, 10.8.1, 11.1.1, 11.4.1, 11.4.2, 11.4.3, 11.4.4, 11.4.6, 11.4.7, 11.7.1, 11.7.2
    20 Critical Security Controls: CSC-5, CSC-6, CSC-8, CSC-14
    HIPAA Security Rule: 45 C.F.R. §§ 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii)
  • PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)
    NIST SP 800-53 Rev 4: AC-4, AC-10, SC-7
    ISO/IEC 27002: 6.2.1, 10.4.1, 10.4.2, 10.6.1, 10.8.1, 10.9.1, 10.9.2, 11.4.5, 11.4.6, 11.4.7, 11.7.2, 12.4.2, 12.5.4
    20 Critical Security Controls: CSC-4, CSC-5, CSC-9, CSC-13, CSC-15, CSC-16
    HIPAA Security Rule: 45 C.F.R. §§ 164.308(a)(4)(ii)(B), 164.310(a)(1), 164.310(b), 164.312(a)(1), 164.312(b), 164.312(c), 164.312(e)
Category: Data Security (PR.DS)
  • PR.DS-2: Data-in-transit is protected
    NIST SP 800-53 Rev 4: SC-8, SC-11, SC-12
    ISO/IEC 27002: 10.4.2, 10.6.1, 10.6.2, 10.9.1, 10.9.2, 12.2.3, 12.3.1
    20 Critical Security Controls: (none listed)
    HIPAA Security Rule: 45 C.F.R. §§ 164.308(b)(1), 164.308(b)(2), 164.312(e)(1), 164.312(e)(2)(i), 164.312(e)(2)(ii), 164.314(b)(2)(i)
Category: Protective Technology (PR.PT)
  • PR.PT-4: Communications and control networks are protected
    NIST SP 800-53 Rev 4: AC-4, AC-17, AC-18, CP-8, SC-7, SC-19, SC-20, SC-21, SC-22, SC-23, SC-24, SC-25, SC-29, SC-32, SC-36, SC-37, SC-38, SC-39, SC-40, SC-41, SC-43
    ISO/IEC 27002: 9.1.4, 10.4.2, 10.6.1, 10.6.2, 10.8.1, 10.9.1, 10.9.2, 11.1.1, 11.4.1, 11.4.2, 11.4.4, 11.4.5, 11.4.6, 11.4.7, 11.7.1, 11.7.2, 12.2.3, 12.3.1, 12.4.2, 12.5.4, 14.1.3
    20 Critical Security Controls: (none listed)
    HIPAA Security Rule: 45 C.F.R. §§ 164.308(a)(1)(ii)(D), 164.312(a)(1), 164.312(b), 164.312(e)

5. Technologies

To build an example solution (reference design), we needed to use multiple commercially available and open-source technologies. Table 5‑1 shows how the products used to create the reference design are mapped to security controls and architectural components listed in Figure 5‑1.

Figure 5‑1 Architecture for the Secure Exchange of Electronic Health Records on Mobile Devices in a Healthcare Organization


Table 5‑1 Products and Technologies Used in the Secure Exchange of Electronic Health Records on Mobile Devices Reference Design

Entries are grouped by NIST Cybersecurity Framework function. Each group lists the NIST SP 800-53 Rev 4 controls it maps to, followed by the products used (company, product, version, architecture element in Figure 5‑1, and use).

Identify (ID)
  NIST SP 800-53 Rev 4 controls: CA-2, CA-7, CA-8, CM-8, CP-2, PM-4, PM-9, PM-11, PM-12, PM-15, PM-16, RA-2, RA-3, RA-5, SA-5, SA-11, SA-14, SI-2, SI-4, SI-5
  • RSA Archer GRC, version 5.5, element 10: Centralized enterprise, risk and compliance management tool

Protect (PR)
  NIST SP 800-53 Rev 4 controls: AC-2, AC-3, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, AU-12, CA-7, CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-8, CM-9, CP-4, CP-6, CP-8, CP-9, IA Family, MP-6, PE-3, PE-6, PE-16, PE-20, SA-10, SC-7, SC-8, SC-12, SC-18, SC-20, SC-21, SC-22, SC-23, SC-28, SC-44, SI-4, SI-7
  • MedTech Enginuity OpenEMR, version 4.1.2, element 1: Web-based and open-source electronic health record and supporting technologies
  • Apache Web Server (open source), version 2.4, element 1
  • OpenSSL (open source), version 1.0.1e-fips, elements 1, 3, 4: Cryptographically secures transmissions between mobile devices and the OpenEMR web portal service
  • Mobile devices (various), elements 14, 19, 23: Windows, iOS, and Android tablets
  • Fiberlink MaaS360, current version, element 20: Cloud-based Mobile Device Management (MDM)
  • iptables firewall (open source), version 1.4, elements 1, 2, 3, 4, 5, 22: Stateful inspection firewall
  • Fedora PKI Manager (open source), version 9, element 2: Root CA cryptographically signs identity certificates to prove the authenticity of users and devices
  • BIND (open source), version 9.9.4, elements 3, 5: Domain name system (DNS) server performs host or fully qualified domain name resolution to Internet Protocol (IP) addresses
  • Puppet Enterprise (open source), version 3.7, element 5: Secure configuration manager for creation, continuous monitoring, and maintenance of secure server and user hosts
  • Cisco Identity Services Engine, version 1.2, elements 7, 15: Local and remote mobile network access control (NAC); RADIUS-based authentication, authorization, and accounting management server
  • Cisco ASAv, version 9.4: Enterprise-class VPN server based on both TLS and IPsec
  • UrBackup (open source), version 1.4.8, element 12: Online remote backup system used to provide disaster recovery
  • Cisco RV220W, version 6.0.4, elements 16, 17: Wi-Fi access point

Detect (DE)
  NIST SP 800-53 Rev 4 controls: AC-2, AC-4, AU-12, CA-3, CA-7, CM-2, CM-3, CM-8, PE-3, PE-6, PE-20, RA-5, SC-5, SC-7, SI-3, SI-4
  • iptables firewall (open source), version 1.4, elements 1, 2, 3, 4, 5, 22: Stateful inspection firewall
  • Puppet Enterprise (open source), version 3.7, element 5: Secure configuration manager for creation, continuous monitoring, and maintenance of secure server and user hosts
  • Security Onion IDS (open source), version 12.04, element 6: Intrusion detection system (IDS) monitors the network for threats via mirrored switch ports
  • Host-based security manager (open source, freeware), element 8: Host-based virus and malware scanner
  • Vulnerability scanner (open source, freeware), current version, element 9: Cloud-based proactive network and system vulnerability scanning tool

Respond (RS)
  NIST SP 800-53 Rev 4 controls: AU-6, CA-2, CA-7, CP-2, PE-6, IR-4, IR-5, IR-8, SI-4
  • iptables firewall (open source), version 1.4, elements 1, 2, 3, 4, 5, 22: Stateful inspection firewall
  • Puppet Enterprise (open source), version 3.7, element 5: Secure configuration manager for creation, continuous monitoring, and maintenance of secure server and user hosts
  • RSA Archer GRC, version 5.5, element 10: Centralized enterprise, risk and compliance management tool

Recover (RC)
  NIST SP 800-53 Rev 4 controls: CP-2, CP-10, IR-4, IR-8
  • UrBackup (open source), version 1.4.8, element 12: Online remote backup system used to provide disaster recovery
  • RSA Archer GRC, version 5.5, element 10: Centralized enterprise, risk and compliance management tool
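The traceability that Section 4 describes (security characteristic to subcategory to control to evaluated countermeasure) only holds if every control a subcategory maps to in Table 4‑1 is actually claimed by some technology in Table 5‑1. The following Python script is an added example, not code from the NIST publication or any of its collaborators: it joins the two tables as transcribed above and reports, for each subcategory in Table 4‑1, the SP 800-53 controls that Table 5‑1 does not list under the same Cybersecurity Framework function. Two assumptions are made here and are not stated in the document: where a subcategory appears under several security characteristics, the union of its controls is used, and the "IA Family" entry in Table 5‑1 is treated as covering every IA-* control.

```python
"""Traceability check between Table 4-1 and Table 5-1 of NIST SP 1800-1D.

Added example, not part of the NIST publication. For each CSF subcategory in
Table 4-1 it lists the SP 800-53 Rev 4 controls that the subcategory maps to
but that do not appear in the Table 5-1 control list for the same CSF
function. Control lists are transcribed from the two tables; where a
subcategory appears under several security characteristics the union of its
controls is used. Treating "IA Family" as a wildcard for every IA-* control
is an interpretation made here, not something the document states.
"""
import re

CONTROL_RE = re.compile(r"^([A-Z]{2})-(\d+)$")

# Table 4-1 (partial transcription): CSF subcategory -> SP 800-53 controls.
TABLE_4_1 = {
    "PR.AC-1": "AC-1, AC-2, IA-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA-7, IA-8, "
               "IA-9, IA-10, IA-11",
    "PR.AC-3": "AC-1, AC-17, AC-19, AC-20, SC-15",
    "PR.AC-4": "AC-1, AC-2, AC-3, AC-5, AC-6, AC-14, AC-16, AC-24",
    "PR.AC-5": "AC-4, AC-10, SC-7",
    "PR.DS-1": "MP-8, SC-12, SC-28",
    "PR.DS-2": "SC-8, SC-11, SC-12",
    "PR.DS-3": "CM-8, MP-6, PE-16",
    "PR.DS-6": "SC-16, SI-7",
    "PR.IP-1": "CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10",
    "PR.PT-2": "MP-2, MP-3, MP-4, MP-5, MP-7, MP-8",
    "DE.CM-1": "AC-2, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4",
    "DE.CM-3": "AC-2, AU-12, AU-13, CA-7, CM-10, CM-11",
    "DE.CM-4": "SI-3, SI-8",
    "DE.CM-8": "RA-5",
}

# Table 5-1: CSF function -> controls listed against the build's technologies.
TABLE_5_1 = {
    "PR": "AC-2, AC-3, AC-4, AC-5, AC-6, AC-16, AC-17, AC-18, AC-19, AC-20, "
          "AU-12, CA-7, CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-8, CM-9, CP-4, "
          "CP-6, CP-8, CP-9, IA Family, MP-6, PE-3, PE-6, PE-16, PE-20, SA-10, "
          "SC-7, SC-8, SC-12, SC-18, SC-20, SC-21, SC-22, SC-23, SC-28, SC-44, "
          "SI-4, SI-7",
    "DE": "AC-2, AC-4, AU-12, CA-3, CA-7, CM-2, CM-3, CM-8, PE-3, PE-6, PE-20, "
          "RA-5, SC-5, SC-7, SI-3, SI-4",
}


def parse_controls(cell):
    """Split a comma-separated control cell into (families, controls).

    'XX Family' becomes a wildcard family; every other token must be a
    control identifier such as 'AC-17'. Non-breaking hyphens, which the
    extracted text of the tables uses in places, are normalised first.
    """
    families, controls = set(), set()
    for token in cell.replace("\u2011", "-").split(","):
        token = token.strip()
        if not token:
            continue
        if token.endswith(" Family"):
            families.add(token.split()[0])
        elif CONTROL_RE.match(token):
            controls.add(token)
        else:
            raise ValueError(f"unrecognised control token: {token!r}")
    return families, controls


def _control_key(control):
    """Sort key so that AC-1, AC-14, AC-24 order numerically, not lexically."""
    family, number = control.split("-")
    return family, int(number)


def uncovered_controls(table_4_1, table_5_1):
    """Return {subcategory: [controls]} for every control that Table 4-1
    requires for the subcategory but that is missing from the Table 5-1 list
    of the subcategory's CSF function (the two letters before the dot)."""
    claimed = {fn: parse_controls(cell) for fn, cell in table_5_1.items()}
    gaps = {}
    for subcat, cell in table_4_1.items():
        families, controls = claimed.get(subcat.split(".")[0], (set(), set()))
        _, required = parse_controls(cell)
        missing = [c for c in required
                   if c not in controls and c.split("-")[0] not in families]
        if missing:
            gaps[subcat] = sorted(missing, key=_control_key)
    return gaps


if __name__ == "__main__":
    for subcat, missing in sorted(uncovered_controls(TABLE_4_1, TABLE_5_1).items()):
        print(f"{subcat}: not listed in Table 5-1 -> {', '.join(missing)}")
```

A control the script reports is not necessarily absent from the build: Table 5‑1 records the controls the team associated with each product, so the output is a starting list for an assessor to reconcile against the tests in NIST SP 1800-1E, Section 4, and for an adopter to re-run after substituting their own products.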


Appendix A       References

[1]Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, NIST Special Publication 800-37 Revision 1, National Institute of Standards and Technology, Gaithersburg, Maryland, June 2014. http://doi.org/10.6028/NIST.SP.800-37r1 [accessed 5/1/18].
[2]U.S. Department of Health and Human Services, HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework, February 2016. https://www.hhs.gov/sites/default/files/nist-csf-to-hipaa-security-rule-crosswalk-02-22-2016-final.pdf [accessed 5/1/18].
[3]International Organization for Standardization/International Electrotechnical Commission, Information technology — Security techniques — Code of practice for information security controls, ISO/IEC 27002:2013, 2013. http://www.iso.org/standard/54533.html [accessed 5/1/18].
[4]CIS Critical Security Controls, SANS CAG20 [Website], https://www.sans.org/critical-security-controls/ [accessed 5/1/18].
[5]Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. 104–191, 110 Stat 1936. https://www.gpo.gov/fdsys/pkg/PLAW-104publ191/pdf/PLAW-104publ191.pdf [accessed 5/1/18].