What is the relationship of OSEHRA Certification to cyber security?

Cyber Security and Open Source Community Call
Webex: https://osehra.webex.com/osehra/onstage/g.php?MTID=ed80e9e1ef7191574fe28dc5f063d03ed
Call-in number: 1-650-479-3207
Access code: 661 832 679
1:00 pm (Eastern)
Wednesday, March 23, 2016
Seong K. Mun, PhD
Don Hewitt, CISSP
OSEHRA
Arlington, Virginia
Agenda
• Specific Questions and Lead Volunteers
• Workgroup Reports
– Question 1
– Question 1
– Question 3
– Question 4
• Work Schedule
• Any Questions or Comments?
Please Note: Calls are Recorded for Future Reference and Collected Documents are Open
Cybersecurity Workgroup
• OSEHRA Cybersecurity Workgroup: https://www.osehra.org/groups/cybersecurity-and-open-source
• Onboarding
1. Join OSEHRA as an Associate member (free)
2. Join Cybersecurity Workgroup to receive meeting notice and minutes.
• Workgroup Resources (located at the Group homepage)
– Section Leaders
– Reference Documents List
– Draft Response Documents
– Members
• Weekly Call Meetings (Weekly: Wed, 1:00 PM Eastern)
– Webex: https://osehra.webex.com/osehra/onstage/g.php?MTID=ed80e9e1ef7191574fe28dc5f063d03ed
– Call-in number: 1-650-479-3207, Access code: 661 832 679
Need Lead Volunteers
1. Does the open source community have a focus on cyber security? Mun – OSEHRA
2. Are projects to enhance cybersecurity proposed to OSEHRA by the open source community? If so, have any been completed? Hewitt – OSEHRA
3. Are there lessons learned from Red Hat/LINUX WRT cybersecurity that might be applicable to health IT? Hilburger – Redhat
4. What is the relationship of OSEHRA certification to cybersecurity? Hewitt – OSEHRA
(Q1) Focus on Cyber Security
• OSEHRA does not (yet)
• Some examples in greater OS community
– http://www.open-scap.org/
• Available OS Security Resources
– NIST
– DHS
(Q2) Open Source Projects
• Previous special project for vulnerability remediation
– M2M Broker Vulnerability
– Joint effort, closed project group under non-disclosure
– Precedent and process established
• No project proposals for explicit security upgrades
• Project Metron and Apache NiFi proposed as items of interest
• VA has proposed an open source project for a code scanning tool (similar to HP Fortify) for M code
– OSEHRA recommends enhancing the existing Xindex tool rather than starting from scratch
– Most effective approach would be a funded community open source project
(Q3) Red Hat Reporting
• Are there lessons learned from Red Hat/LINUX WRT cybersecurity that might be applicable to health IT?
(Q4) Certification
What is the relationship of OSEHRA Certification to cyber security?
Brief answer: OSEHRA Certification is intended as a prerequisite for, not a replacement of, the in-depth testing required for specific implementations. As such, while specific tools may be run during code review, OSEHRA does not intend to certify the security of code. However…
(Q4) Certification Components
(Q4) SAC Checking
• Standards and Conventions Compliance
– Critical aspect of security
– Dependent upon quality / breadth of SAC rule base
– Example: scope checking
• Susceptible to use of scanning tools
– Fortify
– Xindex (currently limited)
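The "scope checking" bullet above is the kind of rule a SAC scanner enforces on M code: local variables a subroutine assigns should be NEWed in that subroutine, or they silently leak into (or clobber) the caller's symbol table. The following Python checker is an added illustration, not part of the OSEHRA deck and not code from Xindex or Fortify. The sample routine is constructed for this example, and the checker deliberately interprets only tags, formal parameters, NEW and SET (one-word arguments, no parenthesised SET target lists); every other simplification is the example's own assumption.

```python
"""Toy SAC-style scope checker for M (MUMPS) routine text (illustrative example).

Reports every local variable that is SET inside a tag (subroutine) without a
preceding NEW in that tag. Only tags, formal parameters, NEW and SET are
interpreted; other commands are skipped. This is an assumption-laden sketch,
not a reimplementation of any real scanning tool.
"""
import re
from typing import List, Tuple

# Constructed sample routine (not from any real VistA package).
SAMPLE_ROUTINE = """\
DEMO ;constructed sample routine for the scope checker
 ;
EN ;entry point
 N X,Y
 S X=1,Y=X+1
 S Z=X*Y
 D SUB
 Q
SUB ;helper
 N A
 S A="a,b",B=2
 Q
"""

# A tag is a name (or number) at column 1, optionally followed by a formal list.
TAG_RE = re.compile(r"^([%A-Za-z][A-Za-z0-9]*|[0-9]+)(?:\(([^)]*)\))?")
NAME_RE = re.compile(r"^[%A-Za-z][A-Za-z0-9]*")


def _split_outside_strings(text: str, sep: str) -> List[str]:
    """Split text on sep, ignoring separators inside "..." string literals."""
    parts, buf, in_str = [], [], False
    for ch in text:
        if ch == '"':
            in_str = not in_str
        if ch == sep and not in_str:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p for p in parts if p != ""]


def _set_targets(arg: str) -> List[str]:
    """Return the local variable names assigned by one SET argument list."""
    names = []
    for item in _split_outside_strings(arg, ","):
        lhs = item.split("=", 1)[0]
        if lhs[:1] in ("^", "$", "@"):  # global, $PIECE-style or indirect target: not a local
            continue
        m = NAME_RE.match(lhs)
        if m:
            names.append(m.group(0))  # subscripted locals like X(1) report as X
    return names


def check_scope(routine: str) -> List[Tuple[str, int, str]]:
    """Return (tag, line_number, variable) for each SET of a local not NEWed in that tag."""
    findings: List[Tuple[str, int, str]] = []
    tag, newed, new_all = "", set(), False
    for lineno, raw in enumerate(routine.splitlines(), start=1):
        if raw.strip() == "":
            continue
        if raw[:1] not in (" ", "\t"):  # a tag at column 1 starts a new scope
            m = TAG_RE.match(raw)
            if m is None:
                continue
            tag, newed, new_all = m.group(1), set(), False
            if m.group(2):  # formal parameters are implicitly NEWed
                newed.update(p.strip() for p in m.group(2).split(",") if p.strip())
            body = raw[m.end():]
        else:
            body = raw
        words = _split_outside_strings(body, " ")
        i = 0
        while i < len(words):
            word = words[i]
            if word.startswith(";"):  # rest of the line is a comment
                break
            cmd = word.split(":", 1)[0].upper()  # drop a postconditional
            arg = words[i + 1] if i + 1 < len(words) else ""
            if cmd in ("N", "NEW"):
                if arg == "" or arg.startswith("("):  # bare NEW or exclusive NEW: everything is new
                    new_all = True
                else:
                    newed.update(v.strip() for v in arg.split(","))
                i += 2
            elif cmd in ("S", "SET"):
                for name in _set_targets(arg):
                    if not new_all and name not in newed:
                        findings.append((tag, lineno, name))
                i += 2
            else:
                i += 1  # any other word is skipped (its argument is checked as a word too)
    return findings


if __name__ == "__main__":
    for tag, lineno, name in check_scope(SAMPLE_ROUTINE):
        print(f"line {lineno} tag {tag}: local {name} is SET without NEW")
```

On the constructed sample the checker reports `Z` at line 6 of tag `EN` and `B` at line 11 of tag `SUB`; the `"a,b"` string literal on line 11 is correctly left alone. A real SAC scanner has to go much further (KILL, DO-with-parameters, indirection, extended references), which is exactly why the slide ties the value of such checks to the quality and breadth of the rule base.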
(Q4) Code Review
• Major advantage of open source
– More eyes on code is better
– Security through obscurity is a myth
• Proper facilitation is key
– Bugs
– Possible improvements
– Possible (or definite) vulnerabilities
• Documented issues and results
(Q4) Regression Testing
• Continuous Unit Testing
– Emergent best practice
– Critical part of defense in depth
– Required for higher OSEHRA certification levels
• M-Unit available for M code
(Q4) Summary
• No overt security certification by OSEHRA
• Substantial contribution to security of incoming open source code
– Use of automated scan tools
– Open code review
– Requirement for unit tests
• As tools improve (e.g. Xindex), OSEHRA contribution to security will increase
Workgroup Schedule
• Weekly Calls 1:00 PM (Eastern)
– Volunteer Leaders Will Facilitate
• Wednesday, March 30
• Wednesday, April 6
• Wednesday, April 13 – SUBMISSION TO VA
Closing…
• Thoughts?
• Comments?
• Questions?
Adjournment