NewYork-Presbyterian

Information Technology Minimum Security Standards

Legend: a red check mark indicates a Requirement; "Recommended" indicates a recommended control.

Minimum Security Standards: NYP-Hosted Platforms

The NewYork-Presbyterian (NYP) Minimum Security Standards have been designed to outline the information security requirements that all devices must adhere to in order to be onboarded at the hospital. Compliance with these standards must be validated before any contract can be signed between a vendor and NYP.

NYP-Hosted platforms consist of any offering that involves hardware, infrastructure, or networks that are deployed on NYP-managed networks. Examples include servers, routers, workstations, and cloud systems administered by NYP.

System Inventory (Requirement): All devices must be entered into the CMDB with the appropriate information so that owner, department and location can be obtained when necessary.
Data Security Controls (Requirement): All systems must follow all applicable data security controls based on the information they are processing or storing (HIPAA/HITECH, PCI DSS, etc.).
Multi-Factor (Requirement): Systems that have a public-facing interface must use a distinct second factor to protect user access. External access to systems without MFA is prohibited.
System Agents (Requirement): All systems must have the required security agents installed and enabled at all times. This includes agents for patching, logging, endpoint protection, DLP, FIM, and privilege management.
Service Protection (Requirement): Assets must be protected by a firewall, WAF, intrusion prevention system (IPS), and/or other security controls that prevent system attacks. Any services and ports that are not required must be disabled.
Certificates (Requirement): Any system hosting a website that is available from the internet must have a valid certificate issued by a member of the CAB Forum list of trusted certificate authorities (https://cabforum.org/members).
Vulnerability Scanning (Requirement): Systems must have an NYP vulnerability scan every two weeks. A vendor may provide a vulnerability report if they are already scanning the devices.
System Updates (Requirement): All NYP-managed systems must have updates applied to them in accordance with IT-SEC-S005. It is prohibited to disable patching for NYP-managed systems.
Encryption (Requirement): All hosts must use encryption at rest and encryption in transit. The use of protocols with security weaknesses or unencrypted data storage is strictly prohibited.
Penetration Testing (Recommended): It is recommended to have regular penetration tests scheduled for systems that host sensitive data.

Minimum Security Standards: IoT Device

The NewYork-Presbyterian (NYP) IoT Minimum Security Standards have been designed to outline information security requirements that all devices defined as “IoT” must adhere to in order to be onboarded to the hospital network. Compliance with these standards is a requirement before any contract can be signed between NYP and the vendor.

IoT devices are defined as systems that have a limited operating system that does not support the use of agents, firewalls, or other protection mechanisms. Examples may include printers, smart TVs, conference room systems, network devices, or select mobile devices.

System Inventory (Requirement): All devices must be entered into the CMDB with the appropriate information so that an owner and location can be found if necessary.
Access Controls (Requirement): All systems must change any default passwords on the devices to prevent unauthorized access. These passwords must comply with the NYP standards outlined in IT-SEC-S004.
Vulnerability Scanning (Requirement): It must be possible to scan the device for vulnerabilities if it is accessible on the NYP network. All systems must have a vulnerability scan every two weeks.
Patching (Requirement): All systems must have patches applied to the software on the device. This also includes firmware for devices that do not have a typical operating system.
Software Support (Requirement): Assets cannot use software that has been deemed end-of-life by the vendor. Any asset that is beyond the extended support date is prohibited on NYP networks.

Minimum Security Standards: Vendor-Hosted Platforms

The NewYork-Presbyterian (NYP) Minimum Security Standards have been designed to outline information security requirements that all devices must adhere to in order to be onboarded at the hospital. Compliance with these standards must be validated before any contract can be signed between a vendor and NYP.

Vendor-hosted platforms consist of any devices that the vendor is responsible for configuring, patching, and other security-related work, while the device resides on an NYP-managed network. This may include medical devices, workstations, servers or network components.

System Inventory (Requirement): All devices must be entered into the CMDB with the appropriate information so that owner, department and location can be obtained when necessary.
Data Security Controls (Requirement): All systems must follow all applicable data security controls based on the information they are processing or storing (HIPAA/HITECH, PCI DSS, etc.).
Multi-Factor (Requirement): Systems that have a public-facing interface must use a distinct second factor to protect user access. External access to systems without MFA is prohibited.
Malware Protection (Requirement): All systems must have some form of malware/ransomware protection while on the NYP network. The solution must be updated at all times and cannot be disabled. Allow-listing software is an acceptable alternative to antivirus.
Software Support (Requirement): All vendor-managed devices are restricted from running any end-of-life software that does not have a support contract or the ability to update it.
Certificates (Requirement): Any system hosting a website that is available from the internet must have a valid certificate issued by a member of the CAB Forum list of trusted certificate authorities (https://cabforum.org/members).
Vulnerability Scanning (Requirement): Any vendor-managed system must be scanned every two weeks for any new vulnerabilities.
System Updates (Requirement): Vendors must apply patches at least quarterly to systems hosted on the NYP network. Any critical vulnerabilities allowing access to the system or data must be patched within 2 weeks of a patch becoming available.
Authentication & Domain Membership (Requirement): Systems should use federation for authentication and be joined to the NYP directory. If this cannot be done, the vendor must ensure that all accounts use a 16-character password and that any default passwords are changed.
Penetration Testing (Recommended): It is recommended to have regular penetration tests scheduled for systems that host any type of sensitive data.

Minimum Security Standards: SaaS Services

The NewYork-Presbyterian (NYP) Minimum Security Standards have been designed to outline information security requirements that all devices must adhere to in order to be onboarded at the hospital. Compliance with these standards must be validated before any contract can be signed between a vendor and NYP.

SaaS offerings are defined as any service that is being hosted on infrastructure and networks not managed by NYP personnel. The licensing model is also conducted on a subscription basis.

Encryption in Transit (Requirement): All communication to hosts that store NYP data or host NYP services must use secure protocols. Unencrypted protocols or connections using ciphers with known security weaknesses are prohibited.
Data Security Controls (Requirement): All systems must follow all applicable data security controls based on the information they are processing or storing (HIPAA/HITECH, PCI DSS, etc.).
Multi-Factor (Requirement): Systems that have a public-facing interface and store any form of sensitive data must use a distinct second factor to protect user access.
Authentication (Requirement): Systems must use federated authentication to secure user accounts. If this cannot be supported, accounts must enforce a minimum 16-character password. Use of default accounts or passwords is also strictly prohibited.
Service Protection (Requirement): Assets must be protected by a firewall, WAF, intrusion prevention system (IPS), and/or other security controls that prevent system attacks.
Certificates (Requirement): Any system hosting a website that is available from the internet must have a valid certificate issued by a member of the CAB Forum list of trusted certificate authorities (https://cabforum.org/members).
Vulnerability Testing (Requirement): Systems must have an NYP vulnerability scan every two weeks. A vendor may provide a vulnerability report if they are already scanning the devices.
Penetration Testing (Recommended): It is recommended to have regular penetration tests scheduled for systems that host any type of sensitive data.