Network Protection
Healthy.io’s security gateways enforce security policies. It configures these gateways to filter traffic between domains, block unauthorized access, and uses them to maintain segregation between internal wired, internal wireless, and external network segments, including DMZs, and enforce access control policies for each of the domains. Healthy.io monitors all authorized and unauthorized wireless access to the information system and prohibits the installation of wireless access points.
Healthy.io’s network is logically and physically segmented with a defined security perimeter and a graduated set of controls, including subnetworks for publicly-accessible system components. It logically separates these components from the internal network based on organizational requirements. It controls traffic based on the functionality required and classification of the data/systems based on risk assessments and security requirements.
The company restricts the ability of users to connect to the internal network using a deny-by-default and allow-by-exception policy at managed interfaces according to the access control policy and the requirements of clinical and business applications.
Health.io controls the network traffic under its access control policy through a firewall and other network-related restrictions for each network access point or external telecommunication service’s managed interface. It secures transmitted information and, at a minimum, encrypts it over open, public networks. It documents exceptions to the traffic flow policy with a supporting mission/business need, duration of the exception and reviews it at least annually. When no longer supported by an explicit mission/business need, the company removes the traffic flow policy exceptions.
Healthy.io does not allow remote devices to establish a non-remote connection to communicate with external (remote) resources. It implements routing controls through security gateways used between internal and external networks. It explicitly defines the sensitivity of applications/systems, and the application/system owner documents them. Unless the data owner identifies and accepts the risk, the company isolates sensitive systems (physically or logically) from non-sensitive applications/systems.
Healthy.io ensures information systems protect the confidentiality and integrity of transmitted information, including during transmission and reception preparation. It releases shared system resources back to the system, protects them from disclosure to other systems/applications/users, and users cannot intentionally or unintentionally access information remnants.
Healthy.io has an existing current network diagram and updates it whenever there are network changes and no less than every six months. Healthy.io ensures the security of information in networks, availability of network services, information services using the network, and the protection of connected services from unauthorized access.
Healthy.io uniquely identifies and authenticates network devices that require authentication mechanisms before establishing a connection. This connection uses, at a minimum, shared information and access control lists to control remote network access. Healthy.io uses secured and encrypted communication channels when migrating servers, applications, or data to virtualized servers.Healthy.io tests and approves all network connections and firewall, router, and switch configuration changes before implementation. It documents and approves any deviations or updates to the standard configuration in a change control system. It records all new configuration rules beyond a baseline-hardened format that allows traffic to flow through network security devices, such as firewalls. This documentation includes the specific business reason for each change, the individual’s name responsible for that business, and the expected duration of the need. It also implements application-level firewalls to control traffic for any public-facing web applications. The firewalls restrict inbound and outbound traffic to the minimum necessary.
Healthy.io defines the impact of the loss of network services on the business. It establishes a DMZ with system components storing or processing covered information placed behind it to limit external network traffic to the internal network. It uses at least two DNS servers that perform different roles (internal and external) located on different subnets and separated geographically to eliminate single points of failure and enhance redundancy.
Healthy.io defines and implements, and reviews firewall and router configuration standards every six months. It implements MAC address authentication and static IP addresses and performs quarterly network scans to identify unauthorized components/devices. Healthy.io ensures network diagrams identify all data connections and data flows. It formally manages and monitors agreed services provided by a network service provider/manager to ensure they provide these services securely.