Clinical Information Security Pre-Purchase Security Assessment Vendor Packet Instructions

Transcription

1 Clinical Information Security Pre-Purchase Security Assessment Vendor Packet Instructions Executive Summary Mayo Clinic s primary value is The needs of the patient come first. It is built into our daily work and we continually strive to make improvements and changes in all areas that impact our value. This includes clinical, administrative, as well as in the areas of safety and security. In the areas of safety and security, Mayo Clinic is now taking leadership in promoting and requiring cybersecurity of medical devices. We believe that this fits into our core values and is something we need to do to prepare for the changing, and increasingly dangerous, environment. There have been multiple incidents of cybersecurity issues in both commercial and healthcare areas that we have taken notice of and wish to proactively work with our vendors and partners to prevent any patient harm or disruption of our care processes. To do this we have used accepted standards and developed processes so we can partner with our vendors to improve the cybersecurity of medical devices moving forward. Our desire is to not only do this for Mayo Clinic, but for all patients who use medical devices and to provide a benefit to vendors. We look forward to being able to partner to make substantial changes to the cybersecurity of medical devices and provide a safe and secure experience for our patients. Clinical Information Security Date: October 4, 2017 Page 1 of 5

2 Vendor Packet Instructions for CIS Pre-Purchase Security Assessment The goal of the Clinical Information Security (CIS) Pre-Purchase Security Assessment is to analyze and understand the risk of systems being purchased at Mayo Clinic. The deliverables MUST match the EXACT system version being purchased for Mayo Clinic. At a high level, the steps that will be taken for the CIS Pre-Purchase Security Assessment are: 1. Mayo Proponent sends vendor contact the Vendor Packet for Pre-Purchase Security Assessment. 2. Vendor contact completes the Vendor Packet for Pre-Purchase Security Assessment 3. Vendor contact returns the completed Vendor Packet for Pre-Purchase Security Assessment to Mayo Proponent. 4. Mayo Proponent submits the Vendor Packet for Pre-Purchase Security Assessment to CIS. 5. CIS reviews the Vendor Packet for Pre-Purchase Security Assessment. 6. An Executive Summary is sent to the Proponent and funding committee for review prior to purchase. A. Procedure Below outlines the detailed steps required to complete the CIS Pre-Purchase Security Assessment. Responsible Step Action Mayo Proponent 01 Mayo Proponent requests vendor to complete the Vendor Packet for Pre-Purchase Security Assessment. Vendor Contact 02 Vendor completes the needed deliverables within the Vendor Packet for Pre-Purchase Security Assessment. See Appendix for Table A for the required deliverables. Vendor Contact 03 Once Table A is complete, the vendor contact can return the completed vendor packet to the Mayo Proponent. Mayo Proponent 04 Submit the completed Vendor Packet for Pre-Purchase Security Assessment to the Clinical Information Security team. Clinical Information Security Date: October 4, 2017 Page 2 of 5

3 CIS team 05 Review the completed Vendor Packet for Pre-Purchase Security Assessment: A. Ensure all documentation is completed. B. Score the vendor packet based on patient care impact and network impact. C. Determine level of assessment needed. D. Send Executive Summary to the Mayo Proponent. CIS team 06 Provide the Mayo Proponent an Executive Summary to submit as part of the funding request of the system being purchase at Mayo Clinic. The timeline of this procedure will be dependent on the following: - Timeliness of vendor to complete a vulnerability assessment of the system as well as all materials requested in the Vendor Packet for Pre-Purchase Security Assessment. - Completeness of the provided Vendor Packet for Pre-Purchase Security Assessment. This allows the CIS team member to review the materials accurately and without delays. Any missing items or follow-up meetings needed could extend the timeline of the Pre-Purchase Security Assessment. - Responsiveness of the vendor and Mayo Proponent to follow this provided procedure. Please be aware, all pre-purchase requests will be assessed for patient safety, device security, and network harm. B. Conclusion Based upon the approval of the funding request, there will be additional steps at the point of implementation or installation of the system into the Mayo Clinic environment. This will be outlined in the Executive Summary/Assessment provided to the Mayo Proponent. C. Contact Information For questions or concerns on this process, please contact the Mayo Proponent identified in the purchase process to engage a Clinical Information Security team member. Clinical Information Security Date: October 4, 2017 Page 3 of 5

4 Appendix Table A Table A outlines the required vendor deliverables to initiate the CIS Pre-Purchase Security Assessment. The deliverables MUST match the EXACT system version being purchased for Mayo Clinic. NOTE: Please complete the Mayo Clinic Medical Device Standard Workbook FIRST to determine if the remaining deliverables are required. Deliverable Description Task Resource 1. Mayo Clinic Medical Device Standard Workbook 2. Manufacturer s Disclosure Statement for Medical Device Security (MDS2) 3. Architecture Diagram of system Outlines the capabilities required for systems within the Mayo Clinic environment. Industry standard document describing the security and risk management of a system. Provides an outline of the system interaction within the Mayo Clinic environment. Respond to the provided spreadsheet for system alignment with Mayo Clinic Medical Device Standards. *If the Device tab states No need to proceed to next Tab, then deliverables 2 thru 6 are NOT required. Send workbook to Mayo Proponent. Provide most current MDS2 for the device or system. Provide an architecture diagram of the system, its components, and network connectivity. Provided is an example template as a Visio diagram and a pdf for reference. Medical Device Standard Workbook.x /Pages/Manufacturer-Disclosure- Statement-for-Medical-Device- Security.aspx Device Family Template.vsd 4. System information: List of 3 rd Party Software List of Network Ports List of firewall rules (if applicable) Provides more granular information as to how the system is setup and managed within the Mayo Clinic environment. Provide vendor documentation for the bulleted items. Device Family Template.pdf Clinical Information Security Date: October 4, 2017 Page 4 of 5

5 Documentation of Security Capabilities/Configurations for System Hardening Description of Backup Procedures Description of Disaster Recovery and Business Continuity Plans, etc. 5. Vulnerability Assessment, including: Testing Results Remediation Tracking Provides an in-depth vulnerability assessment, outstanding vulnerabilities and appropriate remediation plans and timelines to resolve the issues. This provides Mayo Clinic with appropriate information on risks that may be introduced into the patient care environment and allows for collaborative mitigation strategies to be detailed. Complete a vulnerability assessment as detailed in the Vendor Assessment Book (pdf). Once testing is completed, complete the VA Statement of Methodology and document findings and remediation plans in a report. Example VA Statement of Methodology (pdf) and Vulnerability Assessment Template report provided. Vulnerability Assessment Book.pdf VA Statement of Methodology - mockup VA Statement of Methodology.docx Vulnerability Assessment Template 6. Mayo Clinic Information Security Schedule Provides advanced copy of Mayo Clinic s Information Security Schedule that Supply Chain Management will negotiate as part of the purchase contract or vendor agreements. 1. Ensure appropriate vendor internal staff receives Mayo s Information Security Schedule for review. 2. Perform review and prepare any proposed redline items. 3. Provide a vendor contact to the Mayo proponent for the redlined ISS negotiation. Information Security Schedule w-signature Clinical Information Security Date: October 4, 2017 Page 5 of 5