Posts

The Impact of the ONC Cures Act on API Security

In March 2020, the US Department of Health and Human Services issued the 21st Century Office of the National Coordinator (ONC) Final Rule, also known as the ONC Cures Act Final Rule. This Final Rule supports secured, limitless access, exchange, and use of Electronic Health Information (EHI).

ONC Cures Act Final Rule, apart from providing patients and their healthcare providers secure yet seamless access to health information, aims to increase innovation and trigger competition. With more competition comes innovation, as new entrants offer much wider healthcare choices and solutions for patients.

Summary of the ONC Cures Act Regulations

Due to the COVID-19 pandemic, the US Department of Health and Human Services provided an extension for compliance to the ONC Cures Act Final Rule. This extension ended on April 5, 2021.

According to the National Law Review, organizations subject to the Cures Act should have the following in place:

  • An efficient configuration of digital patient portals to provide electronic health information (EHI) to patients without needless delay
  • An up-to-date release of information policies
  • A thorough assessment of contracts and arrangements involving EHI with any third parties should be conducted to achieve compliance with information blocking prohibitions
  • Preparation of real-world testing plans, EHI data export, Application Programming Interfaces (APIs) with latest HL7 Fast Healthcare Interoperability Resources (FHIR) capabilities, and various other capabilities targeted for 2021 and 2022

ONC Cures Act Final Rule calls on the healthcare industry to adopt standardized APIs that allow individuals or patients to access and better use of EHI using smartphone applications securely and quickly.

Identity and Security Requirements of the Regulations

ONC Cures Act Final Rule, as explained in the Federal Register, lays out conditions for the compliance certification of healthcare providers. Those conditions include support for standards and published APIs that allow health information “to be accessed, exchanged, and used without special effort” and “access to all data elements of a patient’s electronic health record to the extent permissible under applicable privacy laws.” The aim of the Final Rule is nationwide transparent data portability with standardized yet agile data exchange processes.

Along with that, ONC Cures Act Final Rule can avoid many security risks associated with healthcare APIs, such as inadequate SSL certification validation, the vulnerability of Simple Object Access Protocol (SOAP), and accountability issues, to name a few.

The following are the specific identity and healthcare security requirements of the ONC Cures Act Final Rule:

ONC Cures Act Final Rule that allows agility of EHI also puts limits on information blocking and anti-competitive practices of the healthcare providers. The Code of Federal Regulations, with a few exceptions, allows patients to decide upon the healthcare applications that can access their EHI.

Vulnerabilities of the APIs

ONC Cures Act Final Rule ushers in an era of the widespread adoption of standardized APIs by the healthcare industry all over the globe. On the one hand, it helps individuals or patients securely access and easily makes use of EHI using smartphone applications. On the other hand, since APIs deal with sensitive data that can be easily accessible over the internet, they are vulnerable to sophisticated cyberattacks. Without question, healthcare organizations need enhanced digital healthcare security and vigilant monitoring to protect sensitive and private patient information.

More than anything else, implementing and maintaining enhanced API security is an exhaustive process. It also incurs extra expenditure on updating features or fixing bugs. This scenario demands a significant part of the API development lifecycle to maintain security.

Another concern is the consistent testing of API security. This complicated process requires hiring the right talent to identify and expose API security issues before the launch of the application.

Leveraging Cloud Solutions

According to IBM, The widespread global cloud migration can amplify the cost of cybercrime damage by nearly $300,000. As more enterprises migrate to the cloud, sensitive corporate data becomes vulnerable to cyberattacks, technical glitches, and data storage issues.

However, the increased technical difficulties, expenses, and larger talent pools associated with the integration, management, and dissemination of EHI can be overcome by cloud solutions. Today, many healthcare providers have embraced the power of healthcare cloud computing to meet the ONC Cures Act Final Rule requirements and to future-proof their Information Technology (IT) environment.

Cloud solutions eliminate the additional time and cost associated with traditional storage systems. An integrated data ecosystem that can feed multiple data centers can be easily deployed within a short period with lesser complications using cloud solutions.

Additionally, cloud solutions can empower healthcare providers to scale up and scale down their data processing resources as demands fluctuate. As an added benefit, the pay-per-use business model implemented by most cloud solutions providers worldwide makes the expensive resource procurement associated with traditional storage systems a thing of the past.

Another advantage of cloud computing infrastructure is that it provides access to data through open-source tools. That means no more data locked in silos and unwanted license expirations common with other proprietary storage solutions.

Cloud Is the Future of Healthcare

The future is healthcare cloud computing. ONC Cures Act Final Rule is the call from the future. EHI should flow smoothly and safely. Healthcare IT should provide more portable, interoperable, and patient-centric healthcare solutions. And cloud solutions are the only way forward.

RedSeal, a hybrid cloud security solution provider, helps you identify all your resources and how they are connected in your complex network environment. It allows easier validation of your security policies and prioritizes the security issues that can breach your most valuable network assets. RedSeal constantly monitors your network to find out glitches in your networking setup and ensure whether it meets the compliance standards and organizational policy.

RedSeal Stratus is a Software as a Service (SaaS)-based Cloud Security Posture Management solution that provides your cloud solutions security team with increased visibility and understanding of the provider’s infrastructure. RedSeal Stratus can help you manage the increased digital healthcare security risks with an up-to-date visualization of cloud solutions infrastructure and detailed identification of digital resources exposed to the internet. Your security team will also be bestowed with updated knowledge of Kubernetes accounts and policies.

Register for a demo to see RedSeal Stratus in action.

DOD’s Forecast Post-JEDI: Multi-Cloud with a Chance of Peril

NexGov | July 20, 2021

The Pentagon’s abandonment of the Joint Enterprise Defense Infrastructure, or JEDI, contract was an anticlimactic demise for the once visionary single-cloud network.

…the protracted legal battle pushed JEDI past viability. While the cloud titans fought for their slice of the pie, other actors within the federal government, most significantly the intelligence community, transitioned to a multi-cloud network. As a result, the decision to retire JEDI is best seen as an inevitable step toward DOD’s multi-vendor destiny.

Zero Trust Is Here to Stay, So How Can I Prepare My Network?

Whether you agree or not with the concept–zero trust architecture is here for the foreseeable future.

Unless your organization is cloud-native, you are going to have to prepare to implement zero trust on your existing enterprise. If you are the one responsible for deploying and maintaining networks for the Federal government, zero trust is most likely at the top of your to-do list.

The President’s latest executive order, dated May 12, 2021, compels Federal agencies to move to zero trust architectures and adoption of cloud services. This is meant to modernize departmental and agency IT infrastructures, and the security technologies that protect them. However, Federal agencies are not cloud-native companies. Most have large on-premise networks that will need to have their networks inventoried, along with all their applications and services identified, prior to implementing zero trust. Like any good implementation strategy, you are going to have to plan.

Zero trust is not a destination, but a continuous journey that is going to require rigorous configuration management and continuous monitoring.  RedSeal is not a magic zero trust platform, but it can help you on your journey to prepare and maintain specific aspects.

One major step of this journey is just understanding what you have (network devices, mobile, desktops, IOT, etc.) and how your data moves through the network, as well as existing segmentation policies to comply with standards and regulations. One of the first steps in this journey will require enumeration of all the possible pathways, from every source to every destination, and you will have the challenge of also having to account for NAT IP address, along with load balancers. That is a daunting task by itself.

This is where the power of RedSeal’s Netmap analysis comes in. RedSeal automatically calculates every possible path through the network accounting for the effect of NATs and load balancing. Then you can ask RedSeal to show you these pathways to determine if they are approved and needed for business and mission success.

A side benefit of this analysis is RedSeal creates an inventory of all your network gear and IP space, as well as your cloud and software defined network (SDN) assets.  You cannot secure it if you do not know about it, and the output of RedSeal gives you a great start on understanding what you have.  Remember, with zero trust you are going to have to identify not only who, but what can, or should have access, so an inventory is an absolute must have.

As you move along this journey, and if your journey takes some, or most of your assets to the cloud, you can test the network segmentation of your cloud configuration in RedSeal before you deploy to the cloud to verify it is configured securely. Finally, RedSeal can continuously monitor your network segmentation and micro segmentation policies to make sure they stay compliant with your zero-trust architecture goals.

If you’d like to learn more about securing both your cloud and on-premise networks, visit our Cloud Security page.

We’ve also partnered with MeriTalk on a new infographic report on “Braving the Cloud Storm” – a look at how agencies are addressing cybersecurity across a multitude of clouds and on-premise environments.

EO Gives Momentum to Federal Cloud Movement

Communications Daily | May 27, 2021

President Joe Biden’s cybersecurity executive order will boost the federal government’s reliance on cloud services and information sharing, experts told us. The EO directs federal civilian agencies to “accelerate movement to secure cloud services,” including software as a service (SaaS), infrastructure as a service (IaaS) and platform as a service (PaaS).

“That’s really the best way for the government” to secure data, said RedSeal Federal Chief Technology Officer Wayne Lloyd. He expects the EO to drag agencies “kicking and screaming” into the cloud: “It’s something that’s long overdue,” from which the commercial sector has long seen the benefits.

Be Prepared with RedSeal: DOD-Required Cybersecurity Maturity Model Certification

Cybersecurity Maturity Model Certification (CMMC) is a tiered system in which defense contractors—or any organization holding Controlled Unclassified Information (CUI) must be vetted by a third-party assessor on a five-level scale to determine the maturity of their enterprise security. This requires companies that do business with the Department of Defense to protect their data since it is critical to national security and America’s competitive military edge.

Even though China and other countries have been stealing plans and other intellectual property (IP )for some time now, the defense industrial base have been allowed to sign off on their own audit of compliance with cybersecurity regulations concerning unclassified information.

As cyber theft of IP has continued, it is important and worth doing to hold contractors to a higher, enforceable standard.

Essentially, CMMC is an expanded, enhanced and enforced version of NIST SP 800-171 compliance. The key differences are:

  • Enhanced controls for Levels 4 and 5
  • Requirement for third-party audit instead of self-certification

A non-profit organization, the CMMC Accreditation Body has been established to oversee certification of Third-Party Assessment Organizations (3PAOs), assessors who will serve as auditors. A certification is expected to be valid for three years.

The 110 security controls established by SP 800-171 are the foundation of the 171 practices across 17 security domains required to reach the highest level of CMMC. Each Request for Proposal (RFP) will state the level of certification required to be awarded the contract. Based on what we know right now, it is expected for CMMC Level 3 certification to be the de facto standard for most organizations to do business with the DOD— with Levels 4 and 5 reserved for more sensitive projects. The DOD is working on a DFARS rule change to incorporate CMMC into contracts by Fall 2020, although full roll-out is targeted for 2025.

How Can RedSeal Help?

For defense contractors who want to continue to bid and win business, maintaining CMMC standards will now be mandatory. For large organizations, adding CMMC to already existing audit and compliance processes may not be that hard of a lift. However, smaller companies will not have sufficient staff or resources. Therefore, automating and simplifying as much of the process as possible is key to success.

RedSeal’s cyber terrain analytics platform helps automate 67 of the 171 controls mandated by CMMC. Many of the controls are tedious to complete and must be checked repeatedly at specific intervals determined by NIST 800-171. By using RedSeal, your team can quickly identify where your network has drifted out of compliance, allowing them to rapidly remediate identified misconfigurations without having to pore over hundreds of spreadsheets, reviewing tens of thousands of lines of firewall rules and access control lists to determine if you are still compliant.

Additionally, when it comes time for re-certification you can rest assured that your company is prepared for the audit because RedSeal has been continuously monitoring the configuration state of those 67 controls, allowing your network and cybersecurity teams to efficiently use their time by keeping the business prepared and mission ready.

This comprehensive, continuous inspection allows RedSeal to report a risk-based audit of a network and then continuously monitor its security posture. Operators, analysts, and members of your leadership team can track how defensive operations are trending over time via RedSeal’s Digital Resilience Score, which also measures vulnerability management, secure configuration management, and overall understanding of the network.

RedSeal’s platform shows you what is on your network, how it’s connected, and the full context of the associated risk. With RedSeal, you can visualize end-to-end access, intended and unintended, between any two points of the network to accelerate incident response. This visualization includes detailed access and attack paths for individual devices in the context of exploitable vulnerabilities to speed decision making during a mission.

RedSeal builds a complete model of your network—including cloud, SDN, and physical environments—using configuration files retrieved either dynamically or completely offline. It brings in vulnerability and all available endpoint information. Your teams will be able to validate that network segmentation is in place and configured as intended. RedSeal checks all network devices to see if they comply with industry best practices and standards such as DISA STIGs and NIST guidelines. This proactive automation greatly reduces audit prep time (CCRI, others) and assists with speedy and better informed remediation.

RedSeal provides the DOD—as well as commercial, civilian, intelligence organizations—with real-time understanding and a model of their cyber terrain so they can discover, detect, analyze, and mitigate threats and deliver resilience to the mission.

For more information, click here to read the RedSeal and CMMC PDF or click here to visit our webpage focused on CMMC.

How network modeling and cyber hygiene improve security odds for federal agencies

FedScoop | March 16, 2020

Agencies that have built network infrastructure over decades may not be doing enough to manage basic cyber-hygiene practices and stay ahead of modern threats, cautions a new report.

When out-of-date configuration rules lurk on networks, attackers essentially have a back door to walk into government systems. However, modern network modeling platforms, capable of integrating into existing infrastructure, can help agency IT departments identify and manage cyber risks and accelerate essential hygiene practices.

A Resilient Infrastructure for US Customs and Border Protection

The Customs and Border Protection agency recently announced an official 2020-2025 strategy to accomplish their mission to “protect the American people and facilitate trade and travel.”

The strategy comprises only three goals, one of which is to invest in technology and partnerships to confront emerging threats. This includes an IT Infrastructure that provides fast and reliable access to resilient, secure infrastructure to streamline CBP work.

So, of everything CBP wants to accomplish in the next five years, delivering a resilient, secure infrastructure is right near the top.

Both Verizon’s Data Breach Investigations Report and Crowdstrike’s Global Threat Report agree that more than 90 percent of intrusions are due to failures in basic, continuous cyber fundamentals. These include patching, ensuring network devices are deployed securely, and firewall rules and access control lists enforce the network segmentation you intended.

These cybersecurity fundamentals can be tedious and repetitive, but they are the foundation of security and beyond that, cyber resilience.

Cyber resilience has three parts:

  1. Being hard to hit
  2. Having the ability to detect immediately
  3. Responding rapidly.

RedSeal is a solution purpose built to improve and track resilience.

We give you a way to measure resilience and improve the security of your infrastructure.

RedSeal’s cyber terrain analytics platform identifies cyber defensive gaps, runs continuous virtual penetration tests to measure readiness, and helps an organization capture a map of its entire network infrastructure. The RedSeal platform delivers continuous monitoring through the collection and correlation of change, configuration assessment and vulnerability exposure information. Turning these capabilities into cyber resilience measurements gives managers, boards of directors and executive management the understandable and actionable security metrics they need to drive towards digital resilience.

Cyberattack surfaces and complexity are only expanding as all commercial, US government and DOD networks modernize and move to cloud and software defined networks (SDN). Automating the basics so organizations and departments can be digitally resilient continuously in the face of an attack has never been more necessary.

To ensure its IT infrastructure is resilient and secure as it is rolled out, the CBP needs to focus on mastering the cyber fundamentals and measuring that progress by deploying RedSeal’s cyber terrain analytics platform. Click here to learn more.

How Defense Contractors Should Prepare for a Cyber Proxy War With Iran

ClearanceJobs | January 10, 2020

A plan of action should include some key fundamentals, explained Wayne Lloyd, federal CTO for RedSeal, a cyber terrain modeling company. This can include: Identifying critical data and where it is housed; knowing what assets – physical and virtual – are on your network; hardening your network devices, making sure they are securely configured; reviewing endpoint data sources to make sure you have full coverage of all endpoints on your network; and ensure that your vulnerability scanner is scanning every subnet.

What’s your agency’s cyber resiliency score?

FedScoop | January 8, 2020

Eighteen months have passed since that day on June 27, 2017, when an IT administrator, working for the world’s largest shipping conglomerate, watched helplessly as one computer monitor screen after another in Maersk’s Copenhagen headquarters went black.

The question as we head into 2020 is, what lessons can we take away from that incident — and in particular, what should leaders operating federal agencies be doing differently today as a result?

RedSeal Named GSN HSA Platinum Winners In Two Categories

Government Security News | April 4, 2019

We are pleased to announce that RedSeal has been named the 2018 Homeland Security Awards Platinum winner for both Best Cyber Operational Risk Intelligence and Best Compliance/Vulnerability Assessment by Government Security News Magazine. Judging in this category is based on a combination of client organization, technological innovation or improvement, filling a recognized government IT security need and flexibility of a solution to meet current and future organizational needs.