 |
Requirement |
 |
Recommended |
Minimum Security Standards: NYP-Supported Platforms
The NewYork-Presbyterian (NYP) Minimum Security Standards have been designed to outline information security requirements that all devices must adhere to in order to be onboarded at the hospital. Compliance with these standards must be validated before any contract can be signed between a vendor and NYP.
NYP-Supported platforms consist of any offering that involves hardware, infrastructure, or networks that are deployed in NYP-managed environments and supported by NYP. Examples include servers, routers, workstations, and cloud systems administered by NYP.
Referenced policies and standards can be provided by InfoSec upon request.
If a vendor cannot adhere to the below standards, Infosec reserves the right to review on a case by case basis. Please note: Most submissions will be rejected if they cannot comply with the minimum security standards.
| System Inventory | All devices must be entered into the CMDB with the appropriate information so that owner, department and location can be obtained when necessary |
|
| Access Controls | Default passwords are prohibited in order to prevent unauthorized access. The use of guest accounts is strictly prohibited. All passwords must comply with the NYP standards outlined in IT-SEC-S004. | |
| Data Security Controls | All systems must follow all applicable data security controls based on the information they are processing or storing. (HIPAA/HITECH, PCI DSS, etc.) | |
| Multi-Factor | Systems that have a public facing interface must use a distinct second factor to protect user access. External access to systems without MFA is prohibited. | |
| System Agents | All systems must have the required security agents installed and enabled at all times. This includes agents for patching, logging, endpoint protection, DLP, FIM, and privilege management. | |
| Service Protection | Assets must be protected by a firewall, WAF, intrusion prevention system (IPS), and/or other security controls that prevent system attacks. Any services and ports that are not required must be disabled. | |
| Software Support | Assets cannot use software that has been deemed end-of-life by the vendor. Any asset that is beyond the extended support date is prohibited in the NYP environment. | |
| Certificates | Any system hosting a website that is available from the internet must have a valid certificate issued by a member of the CAB forum list of trusted certificate authorities. (https://cabforum.org/members) | |
| Vulnerability Scanning | Systems must have an NYP vulnerability scan every two weeks. Alternatively, a vendor may provide a vulnerability report to this end. | |
| System Updates | All NYP-managed systems must have updates applied to them in accordance with IT-SEC-S005. It is prohibited to disable patching for NYP-managed systems. | |
|
Encryption |
All hosts must use encryption-at-rest and encryption-in-transit. The use of protocols with security weaknesses or unencrypted data storage is strictly prohibited. Cipher suites in use must comply with IT-SEC-S015. | |
|
Remote Access |
All privileged remote access must go through PRA. All remote vendor access to NYP-hosted systems must use PRA. The use of other remote access tools is strictly prohibited. InfoSec must approve in rare cases where PRA cannot be used. | |
| Security Testing | All externally-facing systems must have either a third-party penetration test or an NYP-provided CEVA analysis. Any required corrective actions must be completed before the system goes into production. It is recommended to regularly schedule penetration tests or CEVA analyses for all systems that host sensitive data. | |
| Audit Logging | All systems with users or data must log user access and application data activity. Audit logs must be exportable so that NYP can correlate the logs with other security events. | |
Minimum Security Standards: IoT Device
The NewYork-Presbyterian (NYP) IoT Minimum Security Standards have been designed to outline information security requirements that all devices defined as “IoT” must adhere to in order to be added to an NYP-managed environment. Compliance with these standards is a requirement before any contract can be signed between NYP and the vendor.
IoT devices are defined as systems that have a limited operating system that does not support the use of agents, firewalls, or other protection mechanisms. Examples may include printers, smart speakers, cameras, smart TVs, conference room systems, network devices, or select mobile devices.
Referenced policies and standards can be provided by InfoSec upon request.
If a vendor cannot adhere to the below standards, Infosec reserves the right to review on a case by case basis. Please note: Most submissions will be rejected if they cannot comply with the minimum security standards.
| System Inventory | All IoT devices must be enrolled in NYP's MDM solution if supported. Unsupported devices must adhere to the hardening guidelines outlined in IT-SEC-P034. All IoT devices not enrolled in NYP's MDM solution must be entered into the CMDB with accurate owner information. | |
| Access Controls | Default passwords are prohibited in order to prevent unauthorized access. The use of guest accounts is strictly prohibited. All passwords must comply with the NYP standards outlined in IT-SEC-S004. | |
| Data Security Controls | All systems must follow all applicable data security controls based on the information they are processing or storing. (HIPAA/HITECH, PCI DSS, etc.). Electronic records management must be compliant with R140 - Record Retention Policy. | |
| Vulnerability Scanning | It must be possible to scan the device for vulnerabilities if it is accessible on the NYP network. All systems must have a vulnerability scan every two weeks. Alternatively, a vendor may provide a vulnerability report to this end. | |
| System Updates | All systems must have patches applied to the software on the device. This also includes firmware for devices that do not have a typical operating system. | |
| Software Support | Assets cannot use software that has been deemed end-of-life by the vendor. Any asset that is beyond the extended support date is prohibited in the NYP environment. | |
| Security Testing | All externally-facing systems must have either a third-party penetration test or an NYP-provided CEVA analysis.** Any required corrective actions must be completed before the system goes into production. It is recommended to regularly schedule penetration tests or CEVA analyses for all systems that host sensitive data. | |
| Audit Logging | All systems with users or data must log user access and application data activity. Audit logs must be exportable so that NYP can correlate the logs with other security events. | |
** - It is understood that most IoT devices will not be externally facing. However, in cases where they are a penetration test must be scheduled.
Minimum Security Standards: Vendor-Supported Platforms
The NewYork-Presbyterian (NYP) Minimum Security Standards have been designed to outline information security requirements that all devices must adhere to in order to be onboarded at the hospital. Compliance with these standards must be validated before any contract can be signed between a vendor and NYP.
Vendor-Supported platforms consist of any devices that the vendor is responsible for configuring, patching, and other security related work, while the device resides in an NYP-managed environment. This may include medical devices, workstations, servers, network components, and IoT devices (see IoT standards).
Referenced policies and standards can be provided by InfoSec upon request.
If a vendor cannot adhere to the below standards, Infosec reserves the right to review on a case by case basis. Please note: Most submissions will be rejected if they cannot comply with the minimum security standards.
| System Inventory | All devices must be entered into the CMDB with the appropriate information so that owner, department and location can be obtained when necessary. | |
| Access Controls | Default passwords are prohibited in order to prevent unauthorized access. The use of guest accounts is strictly prohibited. All passwords must comply with the NYP standards outlined in IT-SEC-S004. | |
| Data Security Controls | All systems must follow all applicable data security controls based on the information they are processing or storing. (HIPAA/HITECH, PCI DSS, etc.) | |
|
Multi-Factor |
Systems that have a public facing interface must use a distinct second factor to protect user access. External access to systems without MFA is prohibited. | |
| Malware Protection | All systems must have an acceptable form of malware protection. Acceptable examples include antivirus, application allow-listing, and read-only mounts. Other controls may be accepted if they prevent writing and/or executing malware on the device. Devices running real-time operating systems (RTOS) are not exempt from this requirement. | |
| Service Protection | Assets must be protected by a firewall, WAF, intrusion prevention system (IPS), and/or other security controls that prevent system attacks. Any services and ports that are not required must be disabled. | |
| Software Support | Assets cannot use software that has been deemed end-of-life by the vendor. Any asset that is beyond the extended support date is prohibited in the NYP environment. | |
| Certificates | Any system hosting a website that is available from the internet must have a valid certificate issued by a member of the CAB forum list of trusted certificate authorities. (https://cabforum.org/members) |
|
| Vulnerability Scanning | Any vendor-managed system must be scanned every two weeks for any new vulnerabilities. Alternatively, a vendor may provide a vulnerability report to this end. | |
| System Updates | Vendors must apply patches at least quarterly to systems in the NYP environment. Any critical vulnerabilities allowing access to the system or data must be patched within 2 weeks of having an available patch. | |
| Encryption | All hosts must use encryption-at-rest and encryption-in-transit. The use of protocols with security weaknesses or unencrypted data storage is strictly prohibited. Cipher suites in use must comply with IT-SEC-S015. | |
| Authentication & Domain Membership |
Systems should use federation for authentication and be joined to the NYP directory. If this cannot be done, the vendor must ensure that all account passwords comply with the NYP standards outlined in IT-SEC-S004. | |
| Remote Access | All remote vendor access to NYP-hosted systems must use PRA. Oher remote access tools are strictly prohibited. InfoSec must approve in rare cases where PRA cannot be used. | |
| Isolation | Placing vendor systems on separate networks logically separated from NYP is not permitted. | |
| Security Testing | All externally-facing systems must have either a third-party penetration test or an NYP-provided CEVA analysis. Any required corrective actions must be completed before the system goes into production. It is recommended to regularly schedule penetration tests or CEVA analyses for all systems that host sensitive data. | |
| Audit Logging | All systems with users or data must log user access and application data activity. Audit logs must be exportable so that NYP can correlate the logs with other security events. | |
Minimum Security Standards: SaaS Services
The NewYork-Presbyterian (NYP) Minimum Security Standards have been designed to outline information security requirements that all devices must adhere to in order to be onboarded at the hospital. Compliance with these standards must be validated before any contract can be signed between a vendor and NYP.
SaaS offerings are defined as any service that is being hosted on infrastructure and networks not managed by NYP personnel. The licensing model is also conducted on a subscription basis.
Referenced policies and standards can be provided by InfoSec upon request.
If a vendor cannot adhere to the below standards, Infosec reserves the right to review on a case by case basis. Please note: Most submissions will be rejected if they cannot comply with the minimum security standards.
|
Access Controls |
Default passwords are prohibited in order to prevent unauthorized access. The use of guest accounts is strictly prohibited. All passwords must comply with the NYP standards outlined in IT-SEC-S004. | |
|
Encryption in Transit |
All communication to hosts that store NYP data or host NYP services must use secure protocols. Unencrypted protocols or protocols with known security weaknesses are prohibited. TLS ciphers must comply with IT-SEC-S015. | |
| Data Security Controls | All systems must follow all applicable data security controls based on the information they are processing or storing. (HIPAA/HITECH, PCI DSS, etc.) | |
| Multi-Factor | Systems that have a public facing interface, and store any form of sensitive data, must use a distinct second factor to protect user access. | |
| Authentication | Systems must use federated authentication to secure user accounts. If this cannot be done, the vendor must ensure that all account passwords comply with the NYP standards outlined in IT-SEC-S004. Use of default accounts or passwords is also strictly prohibited. | |
| Service Protection | Assets must be protected by a firewall, WAF, intrusion prevention system (IPS), and/or other security controls that prevent system attacks. |
|
| Certificates | Any system hosting a website that is available from the internet must have a valid certificate issued by a member of the CAB forum list of trusted certificate authorities. (https://cabforum.org/members) | |
| Vulnerability Scanning | Systems must have an NYP vulnerability scan every two weeks. Alternatively, a vendor may provide a vulnerability report to this end. | |
| Security Testing | NYP requires an annual third-party penetration test report for all SaaS services. The report may be from a third-party firm of the vendor’s choosing. Alternatively, NYP can perform a CEVA analysis on the service. CEVA analyses are limited in scope and subject to strict rules of engagement. | |
| Audit Logging | All systems with users or data must log user access and application data activity. Audit logs must be exportable so that NYP can correlate the logs with other security events. | |