Network security management
MedStack Confidential
Metadata
- responsible officer: CTO
- date
  - effective: 2018-06-20
  - revised: 2018-05-14
  - reviewed: 2018-06-20
- Applicability: standard
Manage and control networks
- Establish and implement technical security measures to guard against unauthorized access to electronic PHI that is being transmitted over electronic communications networks.
- Manage and control networks to protect information in systems and applications.
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | A.13.1.1 | Network controls | Networks shall be managed and controlled to protect information in systems and applications. |
Document security mechanisms, SLAs and management information in agreements
- with our vendors
- with our customers
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | A.13.1.2 | Security of network services | Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. |
| ISO | A.13.2.2 | Agreements on information transfer | Agreements shall address the secure transfer of business information between the organization and external parties. |
Segregate the networks of each customer using virtual networks
- Implement network routing controls to restrict data flows of PHI.
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | A.13.1.3 | Segregation in networks | Groups of information services, users and information systems shall be segregated on networks. |
| CHI | SR66 | Segregating EHRi Network Users, Services and Systems | Organizations hosting components of the EHRi must introduce network controls to segregate information services, users and information systems that are not involved in access to, or hosting of, the EHRi. |
| CHI | SR67 | Controlling Routing on EHRi Networks | Organizations hosting components of the EHRi must have routing controls on networks hosting those components to ensure that data flows across the network perimeter do not breach the organization’s access-control policy. |
Use firewalls on all servers
- Enforce the use of encrypted ports (except to forward non-encrypted traffic to encrypted ports).
- Prevent the use of unauthorized ports.
- Manage the use of unauthorized diagnostic services such as ICMP.
| Code | Section | Title | Text |
|---|---|---|---|
| CHI | SR65 | Controlling Access to EHRi Network Diagnostics and Network Management Services | Organizations hosting components of the EHRi must securely control access to diagnostic ports and services on networks hosting those components. |
Cryptographically secure and sign communications
- Communications include
  - traffic over the internet
  - traffic over private networks
  - messaging related to PHI or admin (such as email and instant messaging)
- Encrypt all communications
  - Incoming communications in cleartext (such as HTTP) must be redirected to encryption (such as HTTPS).
  - Enable link-layer encryption over wireless communications networks such as WiFi.
- Use certificates and electronic signatures where possible
  - Protect endpoints with certificates.
  - Use commonly accepted and independently trusted signing authorities for all public endpoint certificates.
  - Use electronic signatures where feasible for electronic communications (such as email).
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | A.13.2.3 | Electronic messaging | Information involved in electronic messaging shall be appropriately protected. |
| HIPAA | 164.312(e) | Transmission security | (1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. (2) Implementation specifications: (i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. (ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. |
Enforcement
- Responsible party: All managers and supervisors
- sanctions: standard
References
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | A.13.1 | Network Security Management | To ensure the protection of information in networks and its supporting information processing facilities. |
| ISO | A.13.2 | Information transfer | Objective: To maintain the security of information transferred within an organization and with any external entity. |
| ISO | A.13.2.1 | Information transfer policies and procedures | Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. |