Establish Member System Access, Security Framework, and Incident Management and Reporting Requirements
At a glance
- Establish information security framework and basic requirements for all members with access to the OPTN Computer System
- Establish additional member staff requirements, including the need for information security training and an information security contact role
- Require members to develop a plan for security incidents, and creates minimum required actions for members in the event of an incident, (including reporting the incident to the OPTN Contractor)
- Require members to self-attest to the security framework and associated controls in place, and establishes auditing and compliance monitoring processes
- Create the requirement to respond to security requests for information, to be used to ensure member system security
- What it's expected to do
- Increase member information security maturity
- Establish a process for notification and addressing member security incidents
- Increase accountability for access to the OPTN Computer Systems
- What it won't do
- Establish strict requirements for the majority of security controls. Members will be able to determine how to best implement the required controls within their own organizations’ framework.
Terms to know
- Information security maturity: How advanced your system is in protecting against security threats.
- OPTN Computer System: Platform used by transplant hospitals and organ procurement organizations to register transplant candidates, register organ donors, and create a computerized ranking of transplant candidates based upon donor and candidate medical compatability and criteria defined in OPTN Policy
- Security controls (Controls): Measures which modify risk. These can include any process, policy, device, practice, or other actions that modify risk.
- Security incident: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits.
Read the full proposal (PDF)
Kentucky Organ Donor Affiliates | 03/16/2023
Luke Preczewski | 03/16/2023
1. The proposal seeks to achieve system security on the client side. This is a recipe for failure providing a false sense of security. First, OTPN systems are not only accessed by member-controlled computers and devices. They are often and necessarily accessed from personal devices. Second, the failure of a single member to follow the guidelines could expose the system. The appropriate approach, as implemented in many critical sectors, including banking, healthcare, insurance, etc. who have important systems and sensitive information accessed by many devices the organization cannot control is to implement security on the server and interface side. OPTN already does this, requiring two-factor authentication, complex passwords, frequent resets, etc. The OPTN’s efforts should be focused on securing its systems, much as banks do, not hoping to secure all the clients that access them.
2. Having one small aspect of a hospital’s operations create the nexus for security audit is inefficient and problematic. Hospitals have more than enough incentive to secure their own systems, and largely comply with the standards proposed. However, there can be differences in interpretation and costs to compliance and audit. This has been seen painfully in areas of overlapping regulation between CMS and the OPTN where centers modify policy to comply with one set of surveyors only to have the other find fault, necessitating another change. Imagine a situation in which OPTN, CMS, state health departments, FDA, OHRP, OCR, and the multitude of agencies or contractors with authority over specific aspects of hospital operations each adopted their own audits and prescriptive interpretations of standards. It would be a nightmare of constant audits and conflicting interpretations.
3. There is no assessment of the risk-benefit of these policies. Nothing is presented that demonstrates OPTN systems have been compromised as a result of member security standards. Meanwhile, compliance and enforcement of this will add considerable cost to the OPTN and members. This is a substantial burden proposed with at best theoretical unquantified benefit. That is certainly not justified without more information.
Emory Transplant Center | 03/16/2023
While we generally support the need for increased IT security and protection of our transplant data systems, we have concerns with the policy as it is proposed. We ask for the following considerations to be reviewed:
• Consideration of the current scope of the proposal. The current proposal has requirements that apply to the entire workforce (e.g. the training requirement) as well as requirements that apply not only to member computing environments that directly interface with OPTN computer systems, but also to every other member computing system that computing environment interfaces with that may create a substantial burden on member IT centers to comply with NIST 800-171.
• A second consideration is to what degree these requirements will apply to workstations, laptops, tablets, smartphones, and other devices that only access the OPTN computer systems via a standard web browser. Since the OPTN computer system is and shall remain accessible via unmanaged personally owned computing devices that will not be required to comply with NIST 800-171, it is unreasonable to place additional burdens on individuals and/or organizations that are using company owned and managed devices to access the very same OPTN computer systems in the same manner. This mandate could drive individuals or organizations to increase their utilization of less secure personally owned devices to avoid the onerous compliance burden.
• Finally, we would like to recommend reviewing the requirements for organizations to undergo a 3rd party compliance audit every 3 years, which comes with considerable financial and opportunity costs, as scarce cybersecurity resources are redirected to assist with audit activities. In the recent webinar, OPTN representatives made representations that OPTN wanted to use the audit process as an assessment to better understand the security posture of member organizations, but that is in not reflected in the current proposal which requires member organizations to attest annually that they are in compliance with the NIST standard in order to maintain access to the OPTN computer system.
UC San Diego Center for Transplantation | 03/15/2023
The UCSD Center for Transplantation appreciates the nature of the proposal put forward by the Operations and Oversight Committee to establish member system access, security framework and incident management reporting requirements as well as the sense of urgency to move such proposal forward given the public accusations of the UNOS computer system's inefficiencies and subsequent modifications to the OPTN contract to establish minimum requirements for performance and maintenance of the system, develop annual training requirements, and perform routine security audits. We do however, have serious concerns regarding the incredibly aggressive timeline for passage and implementation of this proposal, particularly in the absence of data regarding the current state of member organizations existing frameworks or absence thereof. UNOS has always emphasized the need for data driven and evidenced policies. As such, we would recommend that the Committee first complete a member survey and the pilot program mentioned by members of the Committee during public comment presentation(s) before moving this proposal forward to avoid unintended consequences or unnecessary burden to member organizations.
New England Donor Services | 03/15/2023
While NEDS supports security standards including training for OPO staff, OPOs should not be required to complete the specific OPTN information security training. Any OPTN training would be redundant with the training already provided by NEDS and other OPOs that already require staff to complete comprehensive security training. The OPTN instead could require that trainings meet certain standards but, OPOs should be able to choose our own training tools. For example, at NEDS we use KnowB4, and require staff to complete information security training on an annual basis. It would be a waste of time and resources for staff to be required to complete multiple redundant trainings.
The information security framework should be deployed after a careful risk assessment by each OPO. Organizations implement security controls based on risk, they do not implement a complete cybersecurity framework all at once. It would take months to even understand the impact of implementing every control. It is not industry standard nor is it reasonable for an entity like the OPTN to unilaterally require other organizations to adopt and implement an entire, complete information security framework. Typically, with security frameworks there is a statement of “risk acceptance”; acknowledgement that there is some risk but as an organization that this is going to be mitigated through other controls. Each OPO should determine which control is adopted and in what priority. Lastly, six months to adopt an entire information security framework is unreasonable. It would take some OPOs six months to just complete an assessment.
HonorBridge | 03/15/2023
Thank you for the opportunity to provide feedback on the proposed policy revisions to Establish Member System Access and Security Framework Requirements. I would like to specifically comment on the proposal to require annual information security training for all UNet users to be provided by and tracked through UNOS’ training application. HonorBridge fully supports thorough security training for all member organizations; however, we do not support the only option for the training to be through UNOS.
As an OPO, HonorBridge shares EMR/donor record access with dozens of other organizations, including hospitals, eye banks, and tissue processors. We are held accountable at the organizational level for maintaining appropriate security controls, including training. If each of those organizations held our individual employees accountable and required each complete provided training, our staff would spend a considerable amount of time in non-value-added (repetitive) training. We suggest that OPTN members be given the option at the organizational level to either utilize OPTN training or attest that their internal security training meets requirements. In the latter case, such documentation could be included in regular OPTN audits. This optional approach would allow smaller member organizations to use the OPTN training/application, if they would prefer or do not yet have robust training programs in place.
Anonymous | 03/15/2023
Generally agree with the establishment of a security framework, however OPTN’s proposal appears overreaching in several areas.
In general: Scope is a critical component of this process. The system boundaries should be defined prior to any control work or self-evaluation.
• Self-attestation from members on the security framework in place NIST Special Publication (SP) 800-171 is a broad range of security controls. Attestations should be scoped to specific NIST Special Publication (SP) 800-171 controls or framework more specific to healthcare (e.g. 405(d), Healthcare Industry Cybersecurity Practices (HICP) as applicable to threat surface (OPTN portal access) and data boundaries (file transfers)). This would be consistent with other third-parties without direct network connections or shared staff between each other.
• Auditing and compliance monitoring for security requirements 3 year audits may cause undue expenditures for smaller facilities however may be acceptable to larger systems.
• Security requests for information It would not be advisable for OPTN to collect detailed member hospital controls, NIST Special Publication (SP) 800-171 crosswalks as an example. Doing so would make OPTN a central repository for information that, should OPTN become compromised, may be leveraged by attackers to compromise member hospitals. This type of information is highly confidential and can be made available to view as part of an audit and not removed from a facility.
• Development of an incident management response plan, required actions for a security incident Within the first 24 hours of a substantial incident member hospitals may likely be highly engaged with containment and investigation of the potential incident. This timeframe seems aggressive and not consistent with other contracts or reporting requirements of other agencies. Agreed that member hospitals IR plans should contain procedures to quickly limit OPTN exposure. Stopping of any file transfers should be considered top priority. Potentially OPTN could provide specific measures to add to member hospital IR plans.
• Establishment of an information security contact role Agreed.
• Security training for all member organization staff Most member hospitals have security training in place and conduct ongoing simulated phishing campaigns. This could be attested to. If OPTN is asking for additional training, it should be specific to OPTN security procedures and limited to users of the OPTN database. If OPTN is requiring training on all 110 NIST Special Publication (SP) 800-171 control points that would seem unrealistic at any scale.
St. Louis Children's Hospital | 03/15/2023
We are not inclined to support this as our hospital needs to assess the cost and resource implications for our environment fully. In addition, we are concerned about how aggressive implementation of security controls may affect our ability to field offers outside the hospital using personal devices.
The ask is to meet or exceed controls in NIST 800-171. We follow NIST CSF, which is the same in theory, but we need to do a deeper dive to identify more significant concerns. We are subjecting ourselves to yet another control framework, where we already have HIPAA, PCI, GLBA, State Law, NIST CSF, etc.
Being subjected to an audit every three years would need to be planned in terms of resources. The request has a lot of overlapping overhead, and thus we do not support it.
We recommend having all transplant programs identify an information security contact as suggested in the proposal and have the OPTN obtain feedback from those stakeholders on the concepts raised before moving forward with a policy proposal.
LifeShare Transplant Donor Services of Oklahoma | 03/15/2023
As a member that has to-date invested significant resources in data security, we see and embrace the need to have a set of standards in place and we support the objective of the OPTN in this endeavor. However, we would suggest clarity is needed on the following issues before we could fully support the policy as proposed:
1) Which of the NIST 800.171 controls would be the most pertinent to OPTN and HRSA?
2) The six-month time allotment is sufficient time to report, allowing OPTN to get a baseline from the OPO’s current cyber posture for the 110 controls that are standard with NIST 800.171. However, we would be interested in knowing what the grading scale will be once the baseline has been established.
3) We agree and support the initiative of Cyber Security as an important aspect of transplantation and we would ask that more information be forthcoming to balance implementing the controls, training, and reporting the security of the data without disrupting the lifesaving work that members and the OPTN contractor perform.
In closing, we reiterate our support for the objectives of this policy and believe It is imperative that any agency, organization, or institution secure their systems. However, it is necessary to acknowledge that implementation of the proposed policy will lead to members being required to either hire in-house data security specialty personnel or retain an outside security source. Either approach represents additional overhead cost to the member that may not currently be budgeted and may or may not be reimbursable overhead. As such, additional clarity is needed before fully supporting the policy proposal.
Corewell Health | 03/15/2023
Thank you very much for the opportunity to provide a comment on the Organ Procurement and Transplantation Network’s (OPTN’s) proposed member system access and security framework requirements. Ensuring data security is a top priority for our health system. With that said, we are very concerned about the proposed requirements put forth by OPTN. These requirements, while well-intentioned, would go far beyond what is currently needed to ensure the security of the OPTN network. As such, we offer the following recommendations for consideration.
•Before adopting the proposed requirements, we strongly urge OPTN to implement a risk assessment approach. All information security frameworks suggest a risk assessment approach to balance the overhead and cost with risk to avoid wasteful spending on lower-value and unneeded controls. We recommend using the NIST Risk Management Framework (RMF). OPTN should utilize this assessment to understand the risks to the OPTN data and operations from partners, then recommend a set of targeted controls (for example OPTN user identity proofing, multi-factor authentication, authentication/authorization web application protections, data security controls, incident detection etc.).
•The proposed NIST SP 800-171 is a different framework than what other regulators recommend for healthcare organizations. We would advise using 800-53r5 instead for consistency.
•We strongly oppose the requirement to report security incidents within 24 hours. It adds an undue administrative burden, overlaps, and is inconsistent with existing regulatory obligations, and would take our team members away from either patient care or addressing the security incident.
•Similarly, the third-party audit requirement is inappropriate and does not align with what is usually permitted or performed. Security incident reviews are usually privileged activities and even in the context of existing regulatory reporting requirements are controlled given the sensitivity. Further, it would add unreasonable financial and administrative burden.
•The requirement for validation and training is another administrative burden. We would suggest waiving these requirements for organizations that already have established cybersecurity training programs.
•Larger organizations likely already have more mature information security programs that align with the intent of this proposal. Smaller organizations may not and may not be able to afford to at a level this proposal would otherwise require. The result of this current proposal would either be overlapping requirements that add cost and burden to existing programs or an unfunded mandate not achievable by smaller organizations.
Again, thank you very much for the opportunity to provide comment. We recognize the positive intent of these proposed requirements; however, they seem to be overreaching and overlapping with other current regulatory requirements. Implementing as written would add an undue administrative burden on our organization and detract some of our providers’ time from what matters most, patient care.
Patrick Headley | 03/15/2023
I support the establishment of a mandatory security framework for OPTN member organizations. The adoption of a framework allows for variations in the specific implementation of each control which can reflect the differences unique to each member, and the ability to document adherence to a control via cross-reference to another framework which the member organization may have already adopted will limit duplication of effort. However, adopting 110 controls could be extremely challenging for many organizations. Six months may be enough time to conduct a gap analysis against this group of controls, but remediation of the gaps could take a significantly longer period of time. I would suggest three actions to lessen the burden on member organizations:
1) Clarify Scope - The IR plan section clearly limits scope to "machines and devices that are used to access the OPTN Computer System." It remains unclear whether this is the intended scope for the implementation of NIST SP800-171 controls.
2) Tier Controls - Instead of requiring that member organizations demonstrate compliance with all 110 controls concurrently, I would suggest adopting a model similar to CIS Critical Security Controls Implementations Groups, where subsets of controls are iteratively added in tiers of increasing maturity. Cascading target completions dates could then be established for accomplishing the first tier, second tier, etc.
3) Publish Technical Guidance - Focusing on these groups of controls, technical implementation guidance should be created and made available to member organizations. Patrick Headley, CHTM, CISSP
Region 6 | 03/15/2023
1 strongly support, 8 support, 4 neutral/abstain, 1 oppose, 0 strongly oppose
During the discussion one attendee asked for data on the actual risk to the OPTN system. Several attendees commented that the administrative burden will be huge for the transplant center when they already have stringent IT security in place. One recommendation was to develop a monitoring process base on risk stratification rather than having frequent requirements when the risk is low. Another attendee recommended limiting the burden of training requirements as much as possible.
Region 11 | 03/15/2023
3 strongly support, 13 support, 2 neutral/abstain, 6 oppose, 0 strongly oppose
Members commented that audits should be conducted more frequently than 3 years and that they should be done by a qualified entity independent of the OPTN. A member stated that most organizations already meet security access best practices and the auditing requirements are an undue burden. Members commented that system security should be the responsibility of the OPTN and not something individual members have to develop. A member recommended a longer timeline for implementation due to the financial and time investment this will require. An attendee recommended that there should be educational materials for patients. Finally, a member asked are there plans to develop training videos and other materials to educate patients?
Kasper Statz | 03/15/2023
As an OPO IT Systems professional, I broadly support this proposal with some recommendations for improvement. Although it will not be an easy or cheap undertaking, it is important for all OPTN members to be held to minimum standards for security controls and training and the NIST 800-171 framework is a very appropriate standard. As an integrated community we are only as secure as our weakest link and the security deficiencies of one member is a threat to us all.
As recommendation for improvement to this proposal, I echo the comment made by the University of Michigan for the OPTN to accept recognized 3rd party accredidations us as HITRUST, ISO 27001, FedRAMP, or SOC 2 as evidence of strong security controls and exempt members who have such certifications from the proposed auditing process. This would greatly reduce the cost of this proposal and would allow for the OPTN to focus directly on those members who need some additional support in order to acheive compliance. A more targeted auditing system will allow for the auditors to spend more of their time and attention on the members who need help and can work collaboratively instead of punitively to help them acheive and mantain compliance.
OPTN Data Advisory Committee | 03/15/2023
The Data Advisory Committee (DAC) thanks the Network Operations Oversight Committee for presenting this topic. The Committee members held mixed views of the proposal. While supportive of the need for strong security measures, the additional benefits provided by the proposal are unclear. For example, a member stated that the training requirement identified in the proposal does not appear to be that much different than what is already required of OPTN members.
Joseph Hillenburg | 03/14/2023
As a recipient parent and Information Security professional, I can't help but notice the opposition to this proposal seems to be primarily financial in nature. Some members voice concerns about increased overhead, but the system exists for the benefit of recipients, and therefore should protect them and the processes that support them. All one has to do is follow tech industry news about medical providers who are compromised due to lax security protocols, whether on a systemic or individual level.
I strongly support this proposal.
Association of Organ Procurement Organizations | 03/14/2023
Thank you for the opportunity to submit comments on the Organ Procurement and Transportation Network’s (OPTN’s) policy development process on behalf of the Association of Organ Procurement Organizations (AOPO). AOPO collectively represents 48 federally designated, non-profit Organ Procurement Organizations (OPOs) in the United States, which together serve millions of Americans. As an organization, AOPO is dedicated to providing education, information sharing, research, technical assistance, and collaboration with OPOs, other stakeholders, and federal agencies to continue this nation’s world-leading transplantation rates while consistently improving towards the singular goal of saving as many lives as possible. We offer the following comments for your consideration:
AOPO and its members are aware of the continuously evolving threats to cybersecurity and their obligation to protect their data and electronic systems from cybersecurity threats such as phishing, malware, denial of service attacks, and ransomware. Because the National Institute of Standards and Technology (NIST) Special Publication 800-171 (800-171) is a widely recognized set of guidelines and best practices for implementing a cybersecurity framework, it seems reasonable the OPTN would propose these standards. However, we would request the OPTN reconsider the scope and timing of its proposal.
AOPO supports the OPTN’s desire to integrate formalized security standards into its contract; however, significant time, resources, and expertise are required to implement the NIST 800-171 framework effectively. Further, implementing the NIST 800-171 framework will present a monumental challenge to most AOPO members which are small, nonprofit organizations. NIST 800-171 compliance requires organizations to implement a range of cybersecurity technologies, including firewalls, intrusion detection systems, and endpoint security solutions. Purchasing and deploying these technologies is a significant expense, particularly for organizations that are starting from scratch. Further, OPOs will be required to educate IT teams to use new systems, monitor systems effectively, write reports to generate data necessary to demonstrate compliance with the OPTN requirements and complete regularly scheduled audits of the 110 controls required by the NIST 800-171 framework. Implementing the NIST controls is not a one-time expense; it requires ongoing maintenance to ensure cybersecurity controls are effective and up to date, which involves costs such as software updates, security patches, and regular security audits. These implementation challenges are further complicated by the OPTN’s proposed implementation timelines which are extremely aggressive and will require IT departments to radically shift away from internal priorities and needs to comply with the OPTN’s cybersecurity mandate.
Additionally, AOPO is concerned the OPTN’s goals of increasing the level of cybersecurity for its own “extremely secure” computer system will not be achieved by the proposed contract modifications. The OPTN’s current proposal requires OPOs to quickly implement 110 obtusely written controls with layers of applications that are subject to interpretation and inconsistent application across organizations. Further, the proposal demands OPOs implement this framework without any meaningful technical guidance or comments from the OPTN and under the threat of system shutdown. If OPOs are rushed into compliance, organizations will have less time to make well-researched decisions when determining what systems to purchase, which IT contractors to hire, and who to appoint as a knowledgeable security specialist.
While the goal of enhancing the cybersecurity of OPOs is sincerely shared by AOPO, this proposal is too aggressive in its initial scope and timing. AOPO supports the implementation of important security requirements, such as, required risk assessments, reasonable limits on user access, two-factor authentication, increased security training and audits, and increased monitoring. In addition, we suggest that the implementation of controls to address risk be based on an individualized OPO risk assessment, not an entire framework that may or may not be relevant for a particular OPO. For example, many OPOs currently provide training for staff on security measures, separate training should not be required if existing training is adequate. Finally, we support additional time for entities to comply with the new requirements.
Donor Network of Arizona | 03/14/2023
Donor Network of Arizona supports the establishment of a security framework that provides consistency across OPTN members and functions to reduce overall security risk and enhances the ability to access OPTN IT resources in as safe a manner as possible. We would like to see this framework applied as consistently as it can across member organizations. We encourage this security and reporting effort to be collaborative and supportive in nature rather than punitive. Members can strive for full compliance while maintaining safe and secure access to OPTN resources to continue donation activity. We do recommend that OPOs be given additional time to meet these requirements. We also recommend that OPOs be allowed to provide a report from an IT security auditor to UNOS verifying that the OPO meets the policy requirements, rather than have UNOS be the reviewing and certifying entity.
University of Michigan Health Transplant Center | 03/14/2023
The proposed policy changes indicate an interest in helping the network improve rigor and maturity around information security controls which we broadly support as an institution. We ask for the following considerations to determine whether the requests offer reasonable benefits over existing programs and whether there is clear understanding of the resources required to execute the policy. The concerns include, but are not limited to, the perspectives below:
- Member Security Framework and Controls The proposed policy recommends the security controls framework (NIST 800-171) designed for controlled unclassified information (CUI) residing in nonfederal systems and organizations, which is a different framework than what other USG regulating agencies compel for healthcare. There should be a discussion regarding the indication of the requirement and the implementation impact on small, medium, and large transplant centers.
- Required Training Requiring validation of training adds a burden to the healthcare providing units and seems redundant with the alignment to 800-171 and 800-53r5 controls which both contain control families for training and awareness. If companies already agree to attest to those controls and audit every three years, this seems to be already accomplished. Again, this is already an expectation of US HHS HIPAA/HITECH regulations and is redundant with those extant conditions for an HDO at the cost of additional time and resources with unclear gain.
- Routine audits We would recommend that the OPTN consider accepting existing and currently maintained third party certifications such as HITRUST, ISO 27001, FedRAMP, or SOC 2 reports in lieu of the attestation and assessment requirements. Accepting other third-party certifications will reduce the regulatory compliance burden for the OPTN member, reduce the cost to OPTN for what are essentially duplicate certifications and provide a path forward for “global” companies (doing business in the United States but based/licensed in a foreign country).
- Security requests of information The requirement to accept a third-party audit of the company after an information security event is not a condition usually permitted or performed and is a part of contractual discussions with company’s general counsel and not health care providing teams or information security professionals. The requirement to disclose post incident review information to a third party is not a reasonable expectation from an industry best practice perspective. These reports are typically under a company’s attorney-client privilege and are not expected to be disclosed voluntarily. This is not a condition appropriate for health care providing teams or information security professionals and should be a determination with company’s general counsel.
- Incidence response plan: Definition of a security as “[a]n occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits.” The definition being proposed for a security incident, inclusive of “potential incidents”, in our context is overly broad when there is an expectation to report security incidents to OPTN. This would require a disproportionate effort to the potential risks where even the more mature healthcare delivery organizations are likely optimizing their capabilities to actual incidents that impact the company or cause technology damages. Ultimately, the more prescriptive and unique the OPTN security guidelines, the more burdensome it is for centers to remedy the issues.
- Incidence response plan: Notification to the OPTN Contractor of the declared security incidents occurring on any device that connects to the OPTN Computer System or by which the member provides information to the OPTN as soon as possible, but within 24 hours of the Information Security Contact becoming aware of the declared incident The requirement to report security incidents to OPTN with 24 hours is not realistic. In the event of a significant cybersecurity incident, the first 24 hours will likely be devoted to understanding the scope of the incident, containment processes and emergency operations. It is not reasonable that in that scenario there will be resourcing or process to communicate with third parties that an event has occurred. This is likely a matter more appropriate for discussion with company’s general counsel and not health care providing teams or information security professionals as it is a contractual condition.
In short, we agree with the intention to improve information security controls but have concerns about the current proposal. There are existing standards for health delivery organizations supporting transplant centers. In order to understand the impact of the policy recommendations, there should be legal, technical, and clinical evaluation of the need to, and resources required to execute the framework changes and incident reporting and management workflows.
IOWA DONOR NETWORK | 03/14/2023
As the CEO of an OPO, I am reluctant to be on the record as opposing IT security. In fact, I am very in favor of increasing the security of both the OPTN and my own organization's system security. I am concerned about the ability of my small OPO to adequately implement 110 standards and to maintain such standards. In order to comply with NIST standards we will need time. A period of years, to implement and properly validate that all of the security structure and traianing is actually doing what it is supposed to do. While many hospitals have IT security departments, we rely on a series of contractors and installed software to maintain our security. TO reach and maintain NIST standards, IDN will have no choice but to invest in full-time IT security staff. This will add to the costs of recovering and providing organs for transplantation. I am sure that we can get and maintain compliance with the standards. The only obstacles are time and money. Like organs, these too are precious resources. I ask that HRSA consider giving us more time to become compliant.
Region 7 | 03/14/2023
2 strongly support, 8 support, 2 neutral/abstain, 1 oppose, 1 strongly oppose
A member commented that they support the framework and although it seems like an additional burden, people should already be doing it. A member commented that personal devices should be included if they are used for patient data processing. A member commented that notifications should be required for security breaches and there should be levels of severity for types of contact where an incident is documented all the way to a serious breach where there is immediate notification.
AdventHealth | 03/14/2023
While we generally support and acknowledge the need for stringent security protocols, it would be prudent to consider that organizations meet other certifications that allow us to audit once and report to many. Our organization is HITRUST certified Since HITRUST is holding a higher level of compliance, and they audit us annually and certify us every two years, we would see the additional auditing as a redundant and onerous addition.
Region 1 | 03/14/2023
1 strongly support, 6 support, 1 neutral/abstain, 2 oppose, 1 strongly oppose
Overall, Region 1 generally supported this proposal. An attendee commented that access isn’t donor specific for subcontractors, and this is an important consideration. A member stated this proposal seems unnecessarily cumbersome and labor-intensive. Another member suggested these policy changes need to be based in on the ground reality and in close collaboration with OPTN member institutions. An attendee expressed support for the need for consistent compliance across all members with national security standards, but also commented that an appropriate timeline for implementation needs to be considered since some member institutions are small and do not have large IT resources to address this. Another attendee encouraged the use of available systems to minimize resources spent on this.
Gift of Life Michigan | 03/14/2023
Gift of Life Michigan acknowledges that not all OPOs have the level of IT security support that we have, but for our organization, these are our comments. We do believe that UNOS should consider the needs of smaller OPOs and how to support them in implementing these security measures.
- Are the initial proposed NIST SP 800-171 control values outlined in Appendix A feasible for members? Yes, we believe the proposed NIST SP 800-171 controls listed in Appendix A are feasible for our OPO.
- Should a member environment accessing the OPTN Computer System include personal devices? Yes, any member environment accessing the OPTN Computer System should include personal devices.
- Should members be required to notify the OPTN Contractor every time that there is a security incident involving a personal device? No, members should only be required to notify the OPTN Contractor of a security incident when there is evidence of a potential breach involving a personal device. The standard of any security incident involving a personal device is broad and may result in numerous reports being filed for incidents that involve no or minimal risk.
- What is a feasible timeframe for members to have an information security contact established? We believe members should be able to establish an information security contact within 3 months.
- Do you support the development of an alternative pathway for managing noncompliance with security policies? We support the development of one or more alternative pathways for managing noncompliance so long as each is substantially similar to the minimums established under the NIST standards.
- What factors should institutions consider in developing a plan to maintain operations in the case of a breach and loss of access to the OPTN Computer System is necessary? Each member and institution should address the breach or loss of access to the OPTN Computer System as part of its emergency preparedness plan, identifying alternative means based on the type of access necessary for its operations.
Center for Organ Recovery and Education | 03/14/2023
Thank you for the work on this proposal. As an OPO we do support increased security framework. The question is what will be the cost to member OPO's?
OPTN Histocompatibility Committee | 03/14/2023
While the purpose of this proposal is important, this may place an additional burden on histocompatibility labs. The Committee urges the NOOC to ensure this won’t impact the ability for data interfacing and APIs, as these are crucial to reduce data entry errors and increase patient safety.
American Society of Transplantation | 03/14/2023
The American Society of Transplantation (AST) generally opposes the proposal, “Establish Member System Access, Security Framework, and Incident Management and Reporting Requirements,” and offers the following comments for consideration:
•The AST supports the issues raised in the proposal, standards are critical and necessary to establish adequate safety measures across the system; however, as proposed, the AST has significant concerns about the potential that this policy will yield significant unintended consequences given an aggressive implementation timeline.
•Information from efforts underway to pilot the information gathering process and to gain a better understanding of what risks and improvement opportunities exist with the security frameworks and controls OPTN members currently have in place should be gathered first and inform the next steps rather than move to change requirements in parallel.
•The AST recommends identifying critical IT contacts for members impacted by this proposal to better evaluate what measures are commonly in place among OPTN members, where deficiencies exist, and what requirements are necessary to satisfactorily mitigate those system vulnerabilities.
American Society for Histocompatibility and Immunogenetics (ASHI) | 03/14/2023
ASHI has no objection to this proposal.
Mayo Clinic | 03/14/2023
Feedback to questions for public comment.
Anonymous | 03/14/2023
I believe that OPTN is overreaching here. Our own organization has implemented significant security measures to keep our data safe which I'm sure OPTN is not aware of nor has investigated in anyway. For those of us who work remotely, dealing with our internal security issues would no doubt be further impacted by whatever OPTN ends up doing and ultimately there would be concerns about delays in the access of information particularly for those working on donor referrals and transplants. Even small security changes make a big impact on transplant programs. Just taking in consideration the recent change in the frequency required to access the UNOS portal has had a big impact on the workflow of our transplant program. As one of the security administrators for the program, we are often resetting accounts for those who haven't heeded the 14 day, 7 day, 3 day, 1 day email warnings. And this can occur after hours and on weekends. In many ways this proposal appears to be a knee jerk response that may be unnecessary and costly for transplant centers and OPOs. Maybe the place to start is to find out what organizations have in place before implementing policies that may not be necessary.
OPTN Transplant Administrators Committee | 03/14/2023
The Transplant Administrators Committee thanks the Network Operations Oversight Committee for their efforts in developing this proposal.
TAC members offer the following comments and questions:
Concern about the annual certification process. Most hospitals have secure systems because healthcare systems are often targeted and an audit by the OPTN will not identify weaknesses in security while creating extra burden to members without a true benefit.
Cybersecurity is taken seriously, and some institutions employ an entire cybersecurity team. Requiring audits and attestation is an overreach when there have only been a few instances of vulnerability identified.
Support for designating a security contact.
Smaller organizations will be the ones most impacted by these requirements. Recommend the ability for larger institutions to “opt out” if they already have robust security frameworks in place.
Explore aligning proposed OPTN requirements with existing US Department of Health and Human Services (HHS) and Centers for Medicare and Medicaid Services (CMS) requirements for cybersecurity so there is not duplication or conflict with other requirements.
Question about the OPTN Contractor also meeting the requirements that are being proposed for members.
Concern about access to the network being suspended in the case of a breach and how transplant centers can continue to provide services to their patients if this happens.
Question about whether the audits would be similar to the typical UNOS site visits or would it be a virtual audit.
Region 8 | 03/14/2023
1 strongly support, 5 support, 2 neutral/abstain, 8 oppose, 4 strongly oppose
Region 8 mostly opposes this proposal, with some in support. An attendee said this is a valid concept but premature in process. The attendee suggested the committee move in incremental steps – the first step being that every member designates an IT contact. Several attendees commented on the need for more clarity about accessing UNet from personal devices. There was concern about how aggressive implementation of security controls may affect members’ ability to field offers from outside the hospital while using personal devices. There was discussion that there could be too many unintended consequences and that the policy shouldn’t be implemented until there is a complete understanding amongst all members.
Several members said that the proposed policy is an over-reach and that this is too much all at once, but support the notion of heightened security. Another member explained that its’ IT department believe this proposal is an overreach. That they would expect these types of requirements from a risk management consultant, but not a clinical partner. An attendee explained that the proposed requirements are not unreasonable and are likely in place at most institutions, but feels it is unreasonable for the OPTN to audit members security. An attendee cited a concern for small OPOs and the associated implementation expense.
In addition to the financial costs that a member will incur, an attendee pointed out that most institutions already have internal security measures in place. Several members pointed out the financial burden this proposal will cause and questioned whether that cost is worth the benefit when security measures already exist – even when those members support having secure IT systems. An attendee expressed concern that this proposal may impede members’ ability to do their jobs. The member pointed out that they need to be able to access donor information in an efficient, yet safe, manner.
NATCO | 03/14/2023
The membership of NATCO are fully aware of the ever increasing cybersecurity threats occurring nationally and fully support a system that takes additional steps to minimize threats and maximize security. Looking at the overall scope of what is looking to be implemented, it is important to fully understand the impact this will have on OPOs and transplant centers. This can have substantial implementation impact on smaller sized programs as additional staff, infrastructure and costs will/could be needed. The overall proposed timing also seems to be potentially too aggressive and consideration to slow down the timing should be considered.
OPTN Transplant Coordinators Committee | 03/14/2023
The Transplant Coordinators Committee thanks the Network Operations Oversight Committee for their efforts in developing this proposal.
A member commented that this is a worthwhile policy proposal, but the initial contact between member institutions and information technology (IT) departments may be confusing. He added that transplant center members are more clinical with no direct contact with the IT leadership within their healthcare system, which is where the expertise exists to help implement future requirements. He further added that larger institutions are probably better prepared for these proposed requirements, while the smaller organizations such as OPOs and histocompatibility labs are not. Lastly, he didn’t think that the second site administrator requirement would be an issue to implement.
Additional comments and questions from TCC members:
If organizations already utilize third party auditors, it seems redundant to require another auditor and creates extra burden on institutions.
Suggestion to develop a toolkit or frequently asked questions (FAQ) to assist members during discussions with their IT departments about these proposed requirements.
Recommendation that training discussions that focus on more in-depth training for member IT contacts, so they are more engaged if something were to occur.
Some organizations conduct “tabletop exercises” for emergency planning so will the OPTN provide such a guide for how to handle an emergency.
Comment about the security requirements for the different devices used by members. For example, accessing the system on a hospital owned computer is much different than a personal device such as a cell phone or tablet.
Comment about how large institutions and healthcare systems already have robust security framework, so a lot of what is being proposed is standard for them.
Concern was the proposed timeline with implementation starting in early Spring 2023. Without clarifications regarding the auditing or guidance documents to provide to IT departments it will be difficult for member institutions to implement. At larger institutions, the transplant programs have little control over the security framework.
Comment about the scope of authority and suggested that since IT security is a national problem, maybe the Centers for Medicare and Medicaid Services (CMS) should provide oversight.
Suggestion to conduct a readiness exercise before trying to identify mandates. This could help inform questions and provide implementation information for a more robust public comment proposal. Also, concerns about significant post-public comment changes being added without public input.
Example provided of a ransomware attack at a large healthcare system that prevented transplants from being performed and shut down hospital operations. Suggestion that the NOOC could provide some resources or guidelines for transplant programs to provide access to care in the absence of access to EMRs.
Does the NOOC anticipate the site security administrators and information security personnel being the same individuals.
Will institutions with both an HLA department as well as the transplant center be required to fulfill the requirements separately.
If the network is down at a hospital, what policies need to be adjusted to allow transplant programs to perform transplants.
OPTN Organ Procurement Organization Committee | 03/14/2023
The OPO Committee thanks the Network Operations Oversight Committee for their efforts in developing this proposal and offers the following comments and questions:
Is the intent to protect the OPTN Computer Systems from malware or the entire transplant network?
Concerns that the OPTN is trying to control security requirements for members when it is really the responsibility of the members to address.
Concerns about how breaches are reported and how members will provide transplant services if access to the system is denied. She added that it is impossible to be 100% protected due to the number of devices being used and there are also third-party users to consider.
Comment that the security aspect of the proposal is less of a concern than the 24-hour notification requirement and how that will be defined.
Gift of Life Donor Program | 03/14/2023
Gift of Life Donor Program (PADV) thanks the OPTN Network Operations Oversight Committee for their important work on this proposal and appreciates the opportunity to make public comment. We believe it is our collective responsibility to secure all data, including where this data resides and is transmitted. Both NIST 800-171 and CIS provide a framework for organizations to safeguard their sensitive information as well as prevent and respond to cyber threats, it must be noted that all organizations have a threshold for risk. For example, an organization may accept the risk that allows for flexibility of employees to log into OPTN resources from devices not issued by the OPTN member such as a computer made available to our staff by the donor hospital. The OPTN is comprised of members of varying size and budget. These members must focus their efforts on improving their security posture with their limited resources based on the risks and thresholds they recognize as most immediate to them. Prior to finalizing and approving the proposed policy, we suggest that OPTN members complete the NIST assessment to determine their score and partner with the OPTN to determine what an acceptable score is and what reasonable improvements should be demonstrated by an organization that does not meet the defined score over an allotted period. Greater concern should be given to the financial impact on smaller OPTN members, particularly non-hospital based OPOs who may not have a large information systems team and would have to make significant increases in both budget and staff to meet the requirements within this proposal. Consideration must also be given to the potential burden and redundancy of the annual training requirements, much of which is already completed annually by OPTN members who frequently interact with other secure systems.
OPTN Operations & Safety Committee | 03/13/2023
The Operations and Safety Committee thanks the OPTN Network Operations Oversight Committee (NOOC) for their efforts on the Establish Member System Access, Security Requirements, Incident Management, and Reporting Requirements proposal.
The Committee supports the proposal in general. The Committee asked about the action that would follow a program failing their information security audit and added that a process for holding members accountable does need to be developed. The Committee asked if these requirements would be similar for Organ Procurement Organizations (OPOs).
The Committee suggest that while the OPTN Membership and Professional Standards Committee (MPSC) might not be the correct body to discuss member accountability for these proposed changes, a similar body with information technology (IT) expertise might be a more appropriate fit; it could be beneficial to have one IT staff member in the transplant program and another in the hospital, as transplant is just one piece of the larger hospital system.
The Committee also asks if there is consideration on which technology should be used by the OPTN, as recent feedback suggests it should be updated. The Committee feels this proposal presents an opportunity for the OPTN Contractor to assess their own processes.
OPTN Membership & Professional Standards Committee | 03/13/2023
The Membership and Professional Standards Committee (MPSC) thanks the Network Operations Oversight Committee (NOOC) for the opportunity to review and comment on the Establish Member System Access, Security Framework, and Incident Management and Reporting Requirements proposal.
The MPSC agreed that there should be security in place to protect OPTN Members and the OPTN Computer System, but noted concerns around the potential cost and impacts to members who are unable to meet the requirements, smaller members in particular. The MPSC also mentioned that the proposed new OPTN role of Information Security Contact may be filled by individuals who are not familiar with the OPTN and asked for clarity on what training or expectations would be required of this role. There was overall support for the idea of a direct contact with the OPTN so that the OPTN is made aware of any security incidents in a timely manner. It was also noted that hospital system IT has pushed back on the use of patient Social Security Numbers within the OPTN Computer System in order to protect patient information, which may come up as an issue as members are implementing these requirements.
The MPSC also discussed audit and attestation requirements with potential consideration for audits being waived for programs exceeding requirements since these may be a considerable burden for members.
The MPSC also sought clarity on how the MPSC would be involved in member non-compliance with these requirements and would like more information on the process for member referral to the MPSC, especially since the MPSC already has a heavy workload. The MPSC recommended that the NOOC consider unintended consequences of members not being able to meet these requirements and consequences of a member losing access to the OPTN Computer System.
The MPSC shared support for the proposal but would like the NOOC to consider their concerns.
Hospital of the University of Pennsylvania | 03/10/2023
We support the evolution and importance of secure data systems but definitely have concerns regarding operational burden, unfunded mandates and the need for adequate lead time for planning. The allocation changes have already increased financial burden to institutions and, in some cases, impacted volumes. Additional financial outlay would further strain the transplant hospitals across the U.S. Specific concerns and questions are detailed below:
• Request for clarification on the application of the new standards to personal networks, mobile networks, and personal computers. Most, if not all, staff access UNet from home networks or mobile devices and mobile networks.
• Concern for the risk that the annual training could be a potential barrier for our clinicians that may impact organ offer management.
• We would value a deeper explanation and affirmation if the NIST 800-171 parameters apply to accessing UNOS only, or if the impact is across each and every Member Organization.
• What is the timeline expected for adherence to “all of the NIST SP 800-171 framework controls” that are expected at a minimum?
• NIST 800-171 is a fairly demanding standard. Is this expected to apply it to all of a Member Organization systems, or only a limited subset of UNOS users and systems? For example, there would need to be new policies implemented, and funding for additional technologies to close gaps if this is to be adopted across the organization. A NIST 800-171 program would need to be developed if not already in existence which requires added cost and additional resources for the Member Organization.
• Our organization performs our own cybersecurity audits annually - which are labor intensive. Additional audits will be resource constrained – thus require funding for additional resources to support additional audit responses.
Region 9 | 03/09/2023
5 strongly support, 7 support, 3 neutral/abstain, 0 oppose, 0 strongly oppose
Region 9 supported this proposal. A member stated that security is mandatory and to do this the system needs to be simple, effective, and inexpensive, so as not to disadvantage patients. Another member shared that overall this is a good idea, but integrating individual transplant programs and medical system needs with the overall needs of the OPTN seems like a complex undertaking.
UAB Medicine | 03/08/2023
Hello, as the CISO for a large academic medical center I would like to humbly suggest that you don't try to apply additional security regulations across all organization types. As a security professional, I 100% support efforts to increase security and protect patient data and safety.
That being said, the organ transplant programs in a hospital system are already protected via multiple other regulatory requirements such as HIPAA, HITECH, Meaningful Use, Laboratory and Pharmacy regulations, cyber-insurance requirements, etc.
I think it makes sense to establish a uniform security program for organizations that are separate from hospital or health systems and do not already have to adhere to multiple security regulations. I would suggest that you have an "attestation" for the group of systems that is already covered vs trying to establish another set of standards to conform to (where they may or may not be conflict but certainly duplicate effort).
I would also recommend you consider how you plan to address the use of personal devices that access the OPTN. These devices are not usually managed by an organization and present a far greater risk to the security of the OPTN systems than corporate devices which are tightly controlled in most environments.
I would be happy to discuss further.
American Nephrology Nurses Association (ANNA) | 03/08/2023
Region 5 | 03/03/2023
4 strongly support, 20 support, 4 neutral/abstain, 1 oppose, 0 strongly oppose
Region 5 supports the proposal. A member commented that PHI is more at risk – that this project is timely and needed. A member requested a more robust definition for “Security Framework”. A member commented that we must ensure the safety of patient data to prevent disruption of organ allocation. However, the member noted that excess complexity to access to the network may decrease safety. In addition, dual factor authentication without frequent password changes is an acceptable method. Several members inquired about funding for implementation costs associated with this proposal. And a member suggested that the OPTN absorb the implementation cost. In support of the proposal a member institution expressed its support of the concept but noted there need to be more work on the logistics, operations, etc.
Anonymous | 03/02/2023
Overall this is great. My one comment is the right to audit - we need a better mechanism, expectation setting, timely notice, not imposing undue burden, etc. For instance, accepting a third party assessment performed within the last 12 months based on NIST standards.
Cook Children's Medical Center | 03/02/2023
Our recommendation for OPTN will be to consider using existing security frameworks that are aligned around the Cybersecurity Act of 2015 405(d) programs that have been developed over the past few years to help small, medium and large healthcare systems with the very issue OPTN is attempting to work through. This will allow us to leverage the security practices that we already do today to comply with requirements that they are proposing.
Region 10 | 02/28/2023
1 strongly support, 17 support, 2 neutral/abstain, 1 oppose, 1 strongly oppose
Members in the region were supportive of the proposal. An attendee noted that it is important to ensure security of all data and having a multi-stakeholder group is essential. However, it is important that it is not too cumbersome to adhere to the recommendations or future requirements of the OPTN. Another attendee added that it quite common in the OPO world to have these items in place, but the community can always do better. Another attendee noted their support, but obviously the devil is in the details. Safe personal device use is essential for transplant professionals. Another attendee voiced concern with the amount of work burden placed on institutions to complete this work. A questionnaire of compliance would be reasonable, but to require IT changes will be a real challenge across institutions. The attendee added that most transplant hospitals already have very secure spyware and infrastructure in place. Another attendee added that this is an important goal, but high risk for creating cumbersome barriers to efficient organ offer and acceptance, as well as robust waitlist management processes.
Region 3 | 02/24/2023
1 strongly support, 7 support, 1 neutral/abstain, 4 oppose, 2 strongly oppose
Region 3 had mixed support for this proposal. During the discussion one attendee commented that pieces of the proposal are fine, but as a whole, it is too prescriptive and an unreasonable level of burden to place on member hospitals who have their own needs to maintain security. They went on to recommend that this be pared down and focused on things that are appropriate like user management. Two attendees recommended that the OPTN should get together with hospital IT leadership to get feedback about feasibility of proposal. One attendee commented that their institution has a security plan and was concerned that if their plan does not align with the OPTN requirements it will be difficult to resolve.
Region 2 | 02/21/2023
4 strongly support, 9 support, 3 neutral/abstain, 5 oppose, 3 strongly oppose
There was mixed support for the proposal. One attendee noted that data security is important, but the committee should consider users workload when developing additional security measures and training modules. Complicating the ability for users to access the system could impede patient care. Another attendee noted that care providers already spend a lot of time on training modules and would encourage the OPTN to partner with member institutions to utilize existing modules in order to prevent duplication. It was also mentioned that this poses a potential financial burden to member institutions. The proposed measures seem extreme, as there is no way to be 100% secure from infiltration. Lastly, one attendee noted that there needs to be additional information on how this will apply to personal devices and home networks.
Region 4 | 02/21/2023
3 strongly support, 17 support, 2 neutral/abstain, 2 oppose, 0 strongly oppose
Region 4 generally supported this proposal. One attendee commented that adding additional training requirements without evidence that user activity is increasing network vulnerability seems to be an overreach. They added that there needs to be evidence for network vulnerabilities and suggested corrections rather than adding more barriers to accessing the system. Another attendee recommended interfacing with members’ IT teams. One attendee commented that all members should strive for excellent data and system security, not only for the national database, but for their own systems and patients.
University Health | 02/15/2023
I think this is needed however making a requirement for organizations to conduct an audit every 3 years in an already tight budget should be removed. Most orgs already get audited already via Financial and CMS, therefore another audit is not necessary. I believe the attestation should be sufficient.
Steven Weitzen | 01/29/2023
If not too burdensome to all participating, I support the concept.