Network security management
MedStack Confidential
Metadata
- responsible officer: CTO
- approved by: CTO
- date
- effective: 2018-06-20
- revised: 2020-08-05
- reviewed: 2022-08-31
- Applicability: standard
Manage and control networks
- Establish and implement technical security measures to guard against unauthorized access to electronic PHI that is being transmitted over electronic communications networks.
- Manage and control networks to protect information in systems and applications.
| Code | Section | Title |
|---|---|---|
| ISO | A.13.1.1 | Network controls |
| SOC2 | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
| SOC2 | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
Segregate the networks of each each customer using virtual networks
- Implement network routing controls to restrict data flows of PHI.
| Code | Section | Title |
|---|---|---|
| ISO | A.13.1.3 | Segregation in networks |
| CHI | SR66 | Segregating EHRi Network Users, Services and Systems |
| CHI | SR67 | Controlling Routing on EHRi Networks |
| SOC2 | CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. |
Use firewalls on all virtual networks and servers
- Enforce the use of encrypted ports (except to forward non-encrypted traffic to encrypted ports).
- Prevent the use of unauthorized ports.
- Manage the use of unauthorized diagnostic services such as ICMP.
| Code | Section | Title |
|---|---|---|
| CHI | SR65 | Controlling Access to EHRi Network Diagnostics and Network Management Services |
| SOC2 | CC6.6 | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. |
Enforcement
- Responsible party: All managers and supervisors
- sanctions: standard
References
| Code | Section | Title |
|---|---|---|
| ISO | A.13.1 | Network Security Management |
| SOC2 | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. |
| SOC2 | CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. |