For vendors

NewYork-Presbyterian

Information Technology Minimum Security Standards

Red check Requirement
Recommended Recommended

Minimum Security Standards: NYP-Supported Platforms

The NewYork-Presbyterian (NYP) Minimum Security Standards have been designed to outline information security requirements that all devices must adhere to in order to be onboarded at the hospital. Compliance with these standards must be validated before any contract can be signed between a vendor and NYP.

NYP-Supported platforms consist of any offering that involves hardware, infrastructure, or networks that are deployed in NYP-managed environments and supported by NYP. Examples include servers, routers, workstations, and cloud systems administered by NYP.

Referenced policies and standards can be provided by InfoSec upon request.

If a vendor cannot adhere to the below standards, Infosec reserves the right to review on a case by case basis. Please note: Most submissions will be rejected if they cannot comply with the minimum security standards.

System Inventory All devices must be entered into the CMDB with the appropriate information so
that owner, department and location can be obtained when necessary
Red check
Access Controls Default passwords are prohibited in order to prevent unauthorized access. The use of guest accounts is strictly prohibited. All passwords must comply with the NYP standards outlined in IT-SEC-S004. Red check
Data Security Controls All systems must follow all applicable data security controls based on the information they are processing or storing. (HIPAA/HITECH, PCI DSS, etc.) Red check
Multi-Factor Systems that have a public facing interface must use a distinct second factor to protect user access. External access to systems without MFA is prohibited. Red check
System Agents All systems must have the required security agents installed and enabled at all times. This includes agents for patching, logging, endpoint protection, DLP, FIM, and privilege management. Red check
Service Protection Assets must be protected by a firewall, WAF, intrusion prevention system (IPS), and/or other security controls that prevent system attacks. Any services and ports that are not required must be disabled. Red check
Software Support Assets cannot use software that has been deemed end-of-life by the vendor. Any asset that is beyond the extended support date is prohibited in the NYP environment. Red check
Certificates Any system hosting a website that is available from the internet must have a valid certificate issued by a member of the CAB forum list of trusted certificate authorities. (https://cabforum.org/members) Red check
Vulnerability Scanning Systems must have an NYP vulnerability scan every two weeks. Alternatively, a vendor may provide a vulnerability report to this end. Red check
System Updates All NYP-managed systems must have updates applied to them in accordance with IT-SEC-S005. It is prohibited to disable patching for NYP-managed systems. Red check

Encryption

All hosts must use encryption-at-rest and encryption-in-transit. The use of protocols with security weaknesses or unencrypted data storage is strictly prohibited. Cipher suites in use must comply with IT-SEC-S015. Requirement

Remote Access

All privileged remote access must go through PRA. All remote vendor access to NYP-hosted systems must use PRA. The use of other remote access tools is strictly prohibited. InfoSec must approve in rare cases where PRA cannot be used. Red check
Penetration Testing All externally-facing systems must have a penetration test and any remediations completed before going into production. It is recommended to have regular penetration tests scheduled for all systems that host sensitive data. Red check

Minimum Security Standards: IoT Device

The NewYork-Presbyterian (NYP) IoT Minimum Security Standards have been designed to outline information security requirements that all devices defined as “IoT” must adhere to in order to be added to an NYP-managed environment. Compliance with these standards is a requirement before any contract can be signed between NYP and the vendor.

IoT devices are defined as systems that have a limited operating system that does not support the use of agents, firewalls, or other protection mechanisms. Examples may include printers, smart speakers, cameras, smart TVs, conference room systems, network devices, or select mobile devices.

Referenced policies and standards can be provided by InfoSec upon request.

If a vendor cannot adhere to the below standards, Infosec reserves the right to review on a case by case basis. Please note: Most submissions will be rejected if they cannot comply with the minimum security standards.

System Inventory All IoT devices must be enrolled in NYP's MDM solution if supported. Unsupported devices must adhere to the hardening guidelines outlined in IT-SEC-P034. All IoT devices not enrolled in NYP's MDM solution must be entered into the CMDB with accurate owner information. Red check
Access Controls Default passwords are prohibited in order to prevent unauthorized access. The use of guest accounts is strictly prohibited. All passwords must comply with the NYP standards outlined in IT-SEC-S004. Red check
Data Security Controls All systems must follow all applicable data security controls based on the information they are processing or storing. (HIPAA/HITECH, PCI DSS, etc.). Electronic records management must be compliant with R140 - Record Retention Policy. Red check
Vulnerability Scanning It must be possible to scan the device for vulnerabilities if it is accessible on the NYP network. All systems must have a vulnerability scan every two weeks. Alternatively, a vendor may provide a vulnerability report to this end. Red check
System Updates All systems must have patches applied to the software on the device. This also includes firmware for devices that do not have a typical operating system. Red check
Software Support Assets cannot use software that has been deemed end-of-life by the vendor. Any asset that is beyond the extended support date is prohibited in the NYP environment. Red check
Penetration Testing All externally-facing systems must have a penetration test and any remediations completed before going into production.** It is recommended to have regular penetration tests scheduled for all systems that host sensitive data. Red check

** - It is understood that most IoT devices will not be externally facing. However, in cases where they are a penetration test must be scheduled.

Minimum Security Standards: Vendor-Supported Platforms

The NewYork-Presbyterian (NYP) Minimum Security Standards have been designed to outline information security requirements that all devices must adhere to in order to be onboarded at the hospital. Compliance with these standards must be validated before any contract can be signed between a vendor and NYP.

Vendor-Supported platforms consist of any devices that the vendor is responsible for configuring, patching, and other security related work, while the device resides in an NYP-managed environment. This may include medical devices, workstations, servers, network components, and IoT devices (see IoT standards).

Referenced policies and standards can be provided by InfoSec upon request.

If a vendor cannot adhere to the below standards, Infosec reserves the right to review on a case by case basis. Please note: Most submissions will be rejected if they cannot comply with the minimum security standards.

System Inventory All devices must be entered into the CMDB with the appropriate information so that owner, department and location can be obtained when necessary. Requirement
Access Controls Default passwords are prohibited in order to prevent unauthorized access. The use of guest accounts is strictly prohibited. All passwords must comply with the NYP standards outlined in IT-SEC-S004. Requirement
Data Security Controls All systems must follow all applicable data security controls based on the information they are processing or storing. (HIPAA/HITECH, PCI DSS, etc.) Requirement

Multi-Factor

Systems that have a public facing interface must use a distinct second factor to protect user access. External access to systems without MFA is prohibited. Requirement
Malware Protection All systems must have some form of malware/ransomware protection. The solution must be updated at all times and cannot be disabled. Allow-listing software is an acceptable alternative to antivirus. Requirement
Service Protection Assets must be protected by a firewall, WAF, intrusion prevention system (IPS), and/or other security controls that prevent system attacks. Any services and ports that are not required must be disabled. Requirement
Software Support Assets cannot use software that has been deemed end-of-life by the vendor. Any asset that is beyond the extended support date is prohibited in the NYP environment. Requirement
Certificates Any system hosting a website that is available from the internet must have a
valid certificate issued by a member of the CAB forum list of trusted certificate
authorities. (https://cabforum.org/members)
Requirement
Vulnerability Scanning Any vendor-managed system must be scanned every two weeks for any new vulnerabilities. Alternatively, a vendor may provide a vulnerability report to this end. Requirement
System Updates Vendors must apply patches at least quarterly to systems in the NYP environment. Any critical vulnerabilities allowing access to the system or data must be patched within 2 weeks of having an available patch. Requirement
Encryption All hosts must use encryption-at-rest and encryption-in-transit. The use of protocols with security weaknesses or unencrypted data storage is strictly prohibited. Cipher suites in use must comply with IT-SEC-S015. Requirement
Authentication &
Domain Membership
Systems should use federation for authentication and be joined to the NYP directory. If this cannot be done, the vendor must ensure that all account passwords comply with the NYP standards outlined in IT-SEC-S004. Requirement
Remote Access All remote vendor access to NYP-hosted systems must use PRA. Other remote access tools are strictly prohibited. InfoSec must approve in rare cases where PRA cannot be used. Requirement
Isolation Placing vendor systems on separate networks logically separated from NYP is not permitted. Requirement
Penetration Testing All externally-facing systems must have a penetration test and any remediations completed before going into production. It is recommended to have regular penetration tests scheduled for all systems that host sensitive data. Requirement

Minimum Security Standards: SaaS Services

The NewYork-Presbyterian (NYP) Minimum Security Standards have been designed to outline information security requirements that all devices must adhere to in order to be onboarded at the hospital. Compliance with these standards must be validated before any contract can be signed between a vendor and NYP.

SaaS offerings are defined as any service that is being hosted on infrastructure and networks not managed by NYP personnel. The licensing model is also conducted on a subscription basis.

Referenced policies and standards can be provided by InfoSec upon request.

If a vendor cannot adhere to the below standards, Infosec reserves the right to review on a case by case basis. Please note: Most submissions will be rejected if they cannot comply with the minimum security standards.

Access Controls

Default passwords are prohibited in order to prevent unauthorized access. The use of guest accounts is strictly prohibited. All passwords must comply with the NYP standards outlined in IT-SEC-S004. Requirement

Encryption in Transit

All communication to hosts that store NYP data or host NYP services must use secure protocols. Unencrypted protocols or protocols with known security weaknesses are prohibited. TLS ciphers must comply with IT-SEC-S015. Requirement
Data Security Controls All systems must follow all applicable data security controls based on the information they are processing or storing. (HIPAA/HITECH, PCI DSS, etc.) Requirement
Multi-Factor Systems that have a public facing interface, and store any form of sensitive data, must use a distinct second factor to protect user access. Requirement
Authentication Systems must use federated authentication to secure user accounts. If this cannot be done, the vendor must ensure that all account passwords comply with the NYP standards outlined in IT-SEC-S004. Use of default accounts or passwords is also strictly prohibited. Requirement
Service Protection Assets must be protected by a firewall, WAF, intrusion prevention system (IPS),
and/or other security controls that prevent system attacks.
Requirement
Certificates Any system hosting a website that is available from the internet must have a valid certificate issued by a member of the CAB forum list of trusted certificate authorities. (https://cabforum.org/members) Requirement
Vulnerability Testing Systems must have an NYP vulnerability scan every two weeks. A vendor may provide a vulnerability report if they are already scanning the devices. Requirement
Penetration Testing It is recommended to have regular penetration tests scheduled for all systems that host sensitive data. Vendors can provide a penetration test report if they are already testing the service. Recommended