
NEW YORK DEPARTMENT OF HEALTH (DOH)
New York Department of Health (DOH) DSRIP Security and Privacy Compliance Services - Let us help you with DSRIP data security, data sharing policies and procedures, Security Assessment, Two-Factor Authentication, Data Access Security, Security System Plans, Security Plan Overview Document, and Identity Assurance.
New York State Department of Health is committed to ensuring that health information and medical data are protected.
New York DOH DSRIP Data Security and Privacy
Data Security and Information Sharing Program, also known as the Delivery System Reform Incentive Payment (DSRIP) Program or DSRIP Security and Privacy. Please note that the requirement is to comply with guidance and a security framework based on the set of NIST 800-53 recommended security controls for government information systems at the moderate level, with the enhancements necessary to comply with NYS policies and standards.
New York Health Information Security and Privacy Collaborative
With New York Department of Health (DOH) DSRIP Security and Privacy, New York has joined the expanding list of states and countries that have put in place a law protecting private information, strengthening data protection and information security for operations that use PII provided by New York residents. On July 26, 2019, Gov. Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).
CyberSecOp will assess, review and revise the compliance program and the policies and procedures promulgated thereunder, in response to corrective action plans, identified risk areas, and changes in applicable federal, state, and local laws, rules, and regulations. CyberSecOp will develop, coordinate and participate in compliance education and security training programs that focus on the elements of the Department of Health (DOH) DSRIP Compliance Program, and report to the Governing Body and the Compliance Committee regarding all aspects of the Compliance Program.
New York Health Information Security & Privacy DSRIP applies to:
The New York State Department of Health (Department) is implementing a new notification protocol that providers should use to inform the Department when they have experienced a potential cyber security incident at their facility or agency. The attached document provides the contact information for each DOH Regional Office and is in effect immediately upon your receipt of this letter. This document should also be posted as signage throughout your facility or agency locations for immediate awareness and reference by your staff. We recognize that providers must contact various other agencies in this type of event, such as local law enforcement. The Department, in collaboration with partner agencies, has been able to provide significant assistance to providers in recent cyber security events. Our timely awareness of this type of event enhances our ability to help mitigate the impact of the event and protect our healthcare system and the public health. The Department has designed a more efficient process to engage assistance for providers, as needed. Therefore, this protocol should be immediately implemented by all providers of the following types:
Hospitals;
Nursing homes;
Diagnostic and treatment centers;
Adult care facilities (ACFs);
Certified home health agencies (CHHAs);
Hospices; and
Licensed home care services agencies (LHCSAs).
New York Health DSRIP Security and Privacy Requirements
NYS-P03-002 NYS Information Security Policy
NYS-S13-004 NYS Identity Assurance Policy
NYS-P10-006 Identity Assurance Standard
NYS-S14-006 Authentication Tokens Standard
New York Health DSRIP System Security Plan (SSP) Control
Security Assessment
Two-Factor Authentication
Data Security and Information Sharing
Data Access Security
System Security Workbooks, Cloud Services Provider Guide
Identity Assurance Level Assessment Worksheet
Data Security
Two Factor Authentication
Security System Plans
Data Security System
Security Plan Overview Document
New York Health DSRIP System Overview
System Operating Environment
Security Concerns
Architecture and Topology
Network Diagrams
System Logical Diagrams
Architecture Description
Identity Assurance Level
NIST Information Security and Privacy Compliance
Risk Categorization: Organizations must categorize their information and information systems in order of risk to ensure that sensitive information and the systems that use it are given the highest level of security.
System Security Plan: NIST requires agencies to create a security plan which is regularly maintained and kept up to date. The plan should cover things like the security controls implemented within the organization, security policies, and a timetable for the introduction of further controls.
Security Controls: NIST outlines an extensive catalog of suggested security controls for NIST compliance. NIST does not require an agency to implement every single control; instead, they are instructed to implement the controls that are relevant to their organization and systems. Once the appropriate controls are selected and the security requirements have been satisfied, the organizations must document the selected controls in their system security plan.
Risk Assessments: Risk assessments are a key element of NIST’s information security requirements. NIST offers some guidance on how agencies should conduct risk assessments. According to the NIST guidelines, risk assessments should be three-tiered to identify security risks at the organizational level, the business process level, and the information system level.
Certification and Accreditation: NIST requires program officials and agency heads to conduct annual security reviews to ensure risks are kept to a minimum level. Agencies can achieve NIST Certification and Accreditation (C&A) through a four-phased process which includes initiation and planning, certification, accreditation, and continuous monitoring.