Minimum Security Standards: NYP-Hosted Platforms
The NewYork-Presbyterian (NYP) Minimum Security Standards have been designed to outline the information security requirements that all devices must adhere to in order to be onboarded at the hospital. Compliance with these standards must be validated before any contract can be signed between a vendor and NYP.
NYP-hosted platforms consist of any offering that involves hardware, infrastructure, or networks deployed on NYP-managed networks. Examples include servers, routers, workstations, and cloud systems administered by NYP.
| Requirement | Description |
| --- | --- |
| System Inventory | All devices must be entered into the CMDB with the appropriate information so that the owner, department and location can be obtained when necessary. |
| Data Security Controls | All systems must follow all applicable data security controls based on the information they process or store (HIPAA/HITECH, PCI DSS, etc.). |
| Multi-Factor | Systems that have a public-facing interface must use a distinct second factor to protect user access. External access to systems without MFA is prohibited. |
| System Agents | All systems must have the required security agents installed and enabled at all times. This includes agents for patching, logging, endpoint protection, DLP, FIM, and privilege management. |
| Service Protection | Assets must be protected by a firewall, WAF, intrusion prevention system (IPS), and/or other security controls that prevent system attacks. Any services and ports that are not required must be disabled. |
| Certificates | Any system hosting a website that is available from the internet must have a valid certificate issued by a member of the CAB Forum list of trusted certificate authorities (https://cabforum.org/members). |
| Vulnerability Scanning | Systems must have an NYP vulnerability scan every two weeks. A vendor may provide a vulnerability report if they are already scanning the devices. |
| System Updates | All NYP-managed systems must have updates applied in accordance with IT-SEC-S005. Disabling patching on NYP-managed systems is prohibited. |
| Encryption | All hosts must use encryption at rest and encryption in transit. The use of protocols with known security weaknesses, or of unencrypted data storage, is strictly prohibited. |
| Penetration Testing | It is recommended to have regular penetration tests scheduled for systems that host sensitive data. |
Minimum Security Standards: IoT Device
The NewYork-Presbyterian (NYP) IoT Minimum Security Standards have been designed to outline the information security requirements that all devices defined as "IoT" must adhere to in order to be onboarded to the hospital network. Compliance with these standards is a requirement before any contract can be signed between NYP and the vendor.
IoT devices are defined as systems with a limited operating system that does not support the use of agents, firewalls, or other protection mechanisms. Examples may include printers, smart TVs, conference room systems, network devices, or select mobile devices.
| Requirement | Description |
| --- | --- |
| System Inventory | All devices must be entered into the CMDB with the appropriate information so that an owner and location can be found if necessary. |
| Access Controls | All default passwords on the devices must be changed to prevent unauthorized access. These passwords must comply with the NYP standards outlined in IT-SEC-S004. |
| Vulnerability Scanning | It must be possible to scan the device for vulnerabilities if it is accessible on the NYP network. All systems must have a vulnerability scan every two weeks. |
| Patching | All systems must have patches applied to the software on the device. This also includes firmware for devices that do not have a typical operating system. |
| Software Support | Assets cannot use software that has been deemed end-of-life by the vendor. Any asset that is beyond the extended support date is prohibited on NYP networks. |
Minimum Security Standards: Vendor-Hosted Platforms
The NewYork-Presbyterian (NYP) Minimum Security Standards have been designed to outline the information security requirements that all devices must adhere to in order to be onboarded at the hospital. Compliance with these standards must be validated before any contract can be signed between a vendor and NYP.
Vendor-hosted platforms consist of any devices that the vendor is responsible for configuring, patching, and other security-related work, while the device resides on an NYP-managed network. This may include medical devices, workstations, servers or network components.
| Requirement | Description |
| --- | --- |
| System Inventory | All devices must be entered into the CMDB with the appropriate information so that the owner, department and location can be obtained when necessary. |
| Data Security Controls | All systems must follow all applicable data security controls based on the information they process or store (HIPAA/HITECH, PCI DSS, etc.). |
| Multi-Factor | Systems that have a public-facing interface must use a distinct second factor to protect user access. External access to systems without MFA is prohibited. |
| Malware Protection | All systems must have some form of malware/ransomware protection while on the NYP network. The solution must be kept up to date at all times and cannot be disabled. Allow-listing software is an acceptable alternative to antivirus. |
| Software Support | All vendor-managed devices are restricted from running any end-of-life software that does not have a support contract or the ability to be updated. |
| Certificates | Any system hosting a website that is available from the internet must have a valid certificate issued by a member of the CAB Forum list of trusted certificate authorities (https://cabforum.org/members). |
| Vulnerability Scanning | Any vendor-managed system must be scanned every two weeks for new vulnerabilities. |
| System Updates | Vendors must apply patches at least quarterly to systems hosted on the NYP network. Any critical vulnerabilities allowing access to the system or data must be patched within 2 weeks of a patch becoming available. |
| Authentication & Domain Membership | Systems should use federation for authentication and be joined to the NYP directory. If this cannot be done, the vendor must ensure that all accounts use a 16-character password and that any default passwords are changed. |
| Penetration Testing | It is recommended to have regular penetration tests scheduled for systems that host any type of sensitive data. |
Minimum Security Standards: SaaS Services
The NewYork-Presbyterian (NYP) Minimum Security Standards have been designed to outline the information security requirements that all devices must adhere to in order to be onboarded at the hospital. Compliance with these standards must be validated before any contract can be signed between a vendor and NYP.
SaaS offerings are defined as any service hosted on infrastructure and networks not managed by NYP personnel and licensed on a subscription basis.
| Requirement | Description |
| --- | --- |
| Encryption in Transit | All communication to hosts that store NYP data or host NYP services must use secure protocols. Unencrypted protocols, or connections using ciphers with known security weaknesses, are prohibited. |
| Data Security Controls | All systems must follow all applicable data security controls based on the information they process or store (HIPAA/HITECH, PCI DSS, etc.). |
| Multi-Factor | Systems that have a public-facing interface and store any form of sensitive data must use a distinct second factor to protect user access. |
| Authentication | Systems must use federated authentication to secure user accounts. If this cannot be supported, accounts must enforce a minimum 16-character password. Use of default accounts or passwords is also strictly prohibited. |
| Service Protection | Assets must be protected by a firewall, WAF, intrusion prevention system (IPS), and/or other security controls that prevent system attacks. |
| Certificates | Any system hosting a website that is available from the internet must have a valid certificate issued by a member of the CAB Forum list of trusted certificate authorities (https://cabforum.org/members). |
| Vulnerability Testing | Systems must have an NYP vulnerability scan every two weeks. A vendor may provide a vulnerability report if they are already scanning the devices. |
| Penetration Testing | It is recommended to have regular penetration tests scheduled for systems that host any type of sensitive data. |