In June 2023, the OPTN Board of Directors approved policy changes intended to enhance the security of the OPTN Computer System.
The OPTN Member Security Program was created to guide members through these policy changes while gaining a better understanding of the computer network security of each transplant hospital, organ procurement organization (OPO), and histocompatibility lab, and how it could impact the strength of security of the OPTN Computer System.
Under these changes, OPTN member organizations must:
- Designate Information Security Contacts
- Respond to requests for security attestations
- Respond to data requests
- Report security incidents to the OPTN contractor
These policy updates were written and sponsored by the Network Operations and Oversight Committee (NOOC).
The Network Operations and Oversight Committee, known as NOOC, provides guidance to the OPTN Member Security Program with the shared goal of understanding the computer network security of the OPTN membership, assisting OPTN members with improving their security frameworks as needed and improving the dialogue between the OPTN and its members on information security concerns.
The NOOC consists of representatives from the OPTN Board of Directors and member organizations, subject matter expert advisors, and representatives from HRSA.
Information security contacts
The Information Security Contact is an individual designated by a member organization who is responsible for representing their organization’s information security program to the OPTN.
A member organization may appoint more than one Information Security Contact, but at least one is required per institution. The individual(s) holding this position do not need to have access to the OPTN Computer System.
The Information Security Contact:
- Acts as the main point of contact with the OPTN for all matters regarding information security, including annual attestations and audits every three years
- Notifies the OPTN of computer network security incidents at their organization, as outlined in OPTN Policy 3.1.C: Security Incident Management and Reporting
- Receives and responds to requests from the OPTN for information based on known security concerns or vulnerabilities (data requests)
Any user with appropriate permissions can designate or remove Information Security Contacts for their organization within Member Community in the OPTN Computer System.
Annual security framework attestations
OPTN Policy 3.1.A: Security Requirements for Systems Accessing the OPTN Computer System requires all transplant hospitals, organ procurement organizations (OPOs) and histocompatibility labs to perform an annual assessment of their computer security framework. Once the assessment is completed, the Information Security Contact must attest to the OPTN that the information related to the security framework at their organization is accurate and that the assessment has been completed to the best of their ability. The security attestation is sent to all Information Security Contacts but assigned to one, who may reassign it to the appropriate contact to respond. The Information Security Contacts must complete the attestation and return it within 90 days of receipt. The information within the attestation is validated through a third-party audit conducted every three years.
The assessment and attestation process may reveal security gaps. The OPTN member organization will work with the OPTN contractor if any are documented.
A security gap is the difference between the current state of computer network security at an OPTN member organization and the required state of security, as defined by the National Institute of Standards and Technology (NIST) 800-171 cybersecurity regulations.
The Information Security Contact will receive email confirmation stating the gap has been identified and recorded by the OPTN Member Security Program. The Information Security Contact will then:
- Create and submit a remediation plan to the OPTN Member Security Program, or
- Notify the OPTN Member Security Program that the Security Gap and associated risk is understood and accepted by the organization.
The security gap will be updated in the OPTN contractor’s risk management software tool based on the response. Please note: a documented security gap, and the resulting remediation plan or risk acceptance, may not impact an organization’s standing with the OPTN Member Security Program.
A remediation plan describes how your organization intends to address and/or mitigate any potential security threat to your systems. The complexity and timeframe for your remediation plan depend on the situation or incident in question. The OPTN security analysts can work with you to help determine potential remediation plans.
Reporting security incidents
Information Security Contacts are required to notify the OPTN contractor of security incidents that impact their organization’s computing environments and components used to access the OPTN Computer System. The OPTN contractor must be notified of security incidents as soon as possible, as outlined in OPTN Policy 3.1.C. The requirements listed in the policy should be included in each organization’s incident response plan.
Along with the notification requirements listed in OPTN policy, a member’s incident response plan must include name(s) of the designated Information Security Contact(s) as well as a process for acquiring third party validation of proper containment, eradication, and successful recovery if it is needed based on the scope and severity of the incident. Please see OPTN Policy 3.1.C Security Incident Management and Reporting for more information.
Data requests
According to OPTN Policy 3.1.A, “Transplant hospital, organ procurement organization, and histocompatibility laboratory members must also respond to OPTN requests for information within the timeframe stated by the OPTN.” These data requests will be sent to members by the OPTN as needed, and members will be asked to respond within a specified timeframe.
Generally, data requests are focused on a recently discovered vulnerability in software that may be used by an OPTN member organization. Such a vulnerability could be exploited in a cyber-attack to compromise sensitive information at the member organization or within the OPTN Computer System. When you receive a request for information from the OPTN, you will be asked whether your organization uses the software in systems related to transplantation. If you are using the software in question, the OPTN will ask whether you have a remediation plan in place or have already remediated the situation, for example with a software patch or upgrade.