
Document Name: NCSA Network Security Policy
Version: 3.0a
Accountable: Adam Slagell
Authors: Adam Slagell & Mike Dopheide
Approved: March 11, 2016

 

Introduction

NCSA logically divides its network into several different trust zones. Traffic between these zones is monitored by a Network Intrusion Detection System (NIDS), but traffic within a single zone may not be visible to the NIDS. Therefore, systems within a single zone must be trusted and hence hardened to a similar level.

...

The Advanced Computational Health Enclave (ACHE) is a physically and virtually segmented zone used exclusively for processing and storing electronic Protected Health Information (ePHI).

Types of Systems:

ACHE is the only approved space for storing and processing ePHI, and both physical and electronic access is restricted to covered entity workforce members with approved access. These systems often have high-availability needs, and hence this zone has a separate UPS backup system. Like the HPDC zone, these systems are first built in a firewalled subzone until fully vetted by the security team, which is responsible for the regular auditing of the systems against the additional security requirements below.

...

  • The authorized set of administrators must all be workforce members of the NCSA Health Care Component (NHCC), and this group's access must be automated by a process approved by the NCSA HIPAA Liaison.
    • The security operations team is part of this group and must be able to access systems 24/7 in an emergency.
  • It is assumed that ePHI, which is high-risk data, is on these systems. These are not dual-use systems but are only for work related to health and medicine. The NCSA HIPAA Liaison must be informed of any new type of data sources on these systems, especially when personally identifying information is recorded.
  • Approved (by the NCSA HIPAA Liaison) vulnerability and patch management procedures must be in place.
  • Approved (by the NCSA HIPAA Liaison) change control procedures must be implemented and documented.
  • Local and privileged account passwords are managed with the NCSA-provided, two-factor password management solution.

Host Configuration Requirements:

  • All unnecessary services and accounts must be disabled, and this must be enforced with host-based firewalls where possible.
  • Host-based brute-force mitigations utilizing the security team's host-based IDS must be enabled if possible.
  • System logs must be forwarded to the security team's log collector.
  • Two-factor authentication is required for remote access. Single sign-on is limited to 10 million seconds, the lifetime of a short-lived grid certificate. Users are automatically logged off after 12 hours of inactivity, and SSH sessions do not last more than 24 hours.
  • Access to administrative interfaces requires two-factor bastions, jump hosts or VPNs.
  • Routing, traffic forwarding, bridging subnets and other forms of internetwork traffic proxying are prohibited without express permission from Security & Networking.
  • ePHI is encrypted on storage devices and only accessible to the proper customer or data owner.
  • Shared, writable file-systems must be securely wiped between jobs from different users or organizations.
  • Data transfer endpoints must be whitelisted and scoped to the customer's networks.
  • Only encrypted methods of data movement are allowed that also protect the integrity of data in transit.
  • The MOTD and other welcome screens for users or administrators must remind them of the system's sensitivity, the requirement for laptop encryption, that the system is only for authorized staff and clients, and the University's policies for HIPAA-protected data.

...

All external links in and out of this zone are monitored by the NIDS. New hosts that appear on this network but that have not been vetted and approved may be automatically or manually blocked at the border gateway until investigated and vetted. Network traffic entirely within this zone is unmonitored by the NIDS, but network flows are collected.

...