Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards
© 2010 Health Level Seven ® International. All Rights Reserved. HL7 and Health Level Seven are registered trademarks of Health Level Seven International. Reg. U.S. TM Office.
Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards
HL7 Security Working Group
John Moehrke
Diana Proud-Madruga
Agenda
• Introduce the Security Risk Assessment Cookbook Process
• Break
• Apply the Process to Student Provided Sample Standard
• Wrap up and Questions
Objectives
You will be able to answer:
• What is a security risk?
• What are the steps needed to complete a security risk assessment for a standard?
• How to identify security and privacy gaps in a standard’s baseline.
• What is the role of the Security Working Group in the security risk assessment process?
Introduction
Within Healthcare today there is an increase in:
• Sharing of patient data
• Moving patient information among systems.
Therefore:
• HL7 domain committees and working groups need to publish standards with privacy and security considerations in order to protect our patients.
The Value of the HL7 Risk Assessment Cookbook
• HL7 Standards incorporate security and privacy issues from the start.
• Supports patient safety and improved patient outcomes
• Facilitates the identification of security and privacy gaps
• Encourages collaboration between the HL7 Security Working Group and other HL7 Working Groups
What is a Security Risk?
To quantify risk, experts combine the level of threat (probability of an event) with the level of vulnerability, often stated as:
Threat x Vulnerability = Risk.
• Point A: A significant vulnerability with little or no threat = low to medium risk.
• Point B: A high threat with little or no vulnerabilities tied to the threat = low to medium risk.
• Point C: A high threat with a credible vulnerability = high risk.
Risk is “The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.”
(ISO/IEC PDTR 13335-1)
Risk Scenario
In this scenario:
• The vulnerability is the hole in the roof
• The threat is the rain cloud
• Rain could exploit the vulnerability
The risk is that the building and equipment in the building could be damaged as long as the vulnerability exists and there is a likely chance that rain will fall.
Questions?
• What is a security risk?
• Review the relationship between vulnerabilities, threats and risks
• Start thinking about and recording health risk scenarios
Risk Assessment
Five Stages of the HL7 Risk Assessment Process
Risk Assessment and Management
Stage 1 – Identify
Step 1 - Define Scope
• Describe standard being assessed
• Establish assumptions to be used
Content (asset) Messaging Transport Existing security controls Physical/Technical environment
Stage 1 – Identify
Step 1 Example:
Stage 1 – Identify
Step 2 - Identify Threat Scenarios/Type of Impact
• What are the various scenarios that could lead to an adverse event?
• Express the scenario as a short story
  • Who?
  • What are they doing?
  • How are they doing it? (What are they using?)
  • What is their goal?
  • What are the consequences (type of impact)?
Brainstorm Risk Scenarios
Stage 2 - Analyze
Step 1 – Assess Likelihood of Occurrence
Likelihood | Description | Selection Criteria
Very High (> 80%) | This event will probably occur in the near future. | All agree (rare)
High (51% to 80%) | This event is likely to occur in the near future. | All agree
Medium (21% to 50%) | This event may occur in the near future. | Disagreement between Low and High
Low (6% to 20%) | This event is possible but highly unlikely to occur in the near future. | All agree
Very Low (0% to 5%) | This event is not expected to occur in the near future. | All agree (rare)
Step 2 – Assess Level of Impact
Very High
  Reputation: Potential for reduction in WG or TC mandate
  Legislative and regulatory compliance: Potential for policy or rulings against HL7 due to non-compliance with Privacy and security regulations
High
  Reputation: Serious adverse attention from media, medical establishment and / or public attention to HL7
  NIST 800-30: Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury.
  Legislative and regulatory compliance: Potential for major fines or financial loss due to non-compliance with Privacy and Security regulations.
Medium
  Reputation: Minor adverse attention from media, medical establishment and / or public to HL7 or to standard
  NIST 800-30: Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human injury
  Legislative and regulatory compliance: Potential for non-compliance with Privacy and Security regulations
Low
  Reputation: Loss of reputation among clients / partners
  NIST 800-30: Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization’s mission, reputation, or interest.
  Legislative and regulatory compliance: Privacy and Security regulations in some countries may conflict with one or two elements in the standard
Very Low
  Reputation: Internal loss of reputation
  Legislative and regulatory compliance: Perceived non-compliance within HL7
Stage 2 - Analyze
Sample Risk Map (Source: SSHA)
Step 3 – Prioritize using Likelihood of Occurrence and Level of Impact
Assessment of Risks
Complete the Analysis stage for your own standard. Example:
Stage 3 - Plan
Risks with a priority rating of 3 – 5 must be mitigated to:
• Lower level of Impact
• Lower probability of occurrence
• Both
Stage 3 – Plan
5 Mitigation Strategies:
Accept Transfer to Mitigate Avoid Assign
(Defer)
Example: Car insurance with a high deductible is an example of partial transference and partial acceptance. In the case of an accident, expenses below the $1000 deductible need to be accepted. Any expenses above $1000 are covered by insurance, thus the risk is transferred to the insurance company. An example of mitigation would be performing regular car maintenance to reduce the risk of having an accident that is caused by mechanical failure.
Risk Management
Complete the Management of risks section of the Risk Assessment and Mitigation Table.
Stage 4 - Track
• Review Security Risk Assessment for HL7 Standards document:
  • When the standard is updated
  • Concerns are voiced
  • Technology changes
  • To determine impact of mitigation strategies
• Use Comments section to record effect of mitigation strategy
• Extend Management of Risks section as needed.
Stage 5 - Document
• Place a “Security Considerations” section in the standard
  • Description of scope and assumptions
  • Description of mandatory/optional mitigations
  • Description of unmitigated risks for implementers to know about
• Keep Security Risk Assessment for HL7 Standards document in committee knowledgebase
Questions?
What are the steps needed to complete a security risk assessment for a standard?
What tools are available to help you identify security and privacy gaps in a standard’s baseline?
The Role of the HL7 Security WG
Communication is at the center of the HL7 Risk Assessment Process
HL7 Security Working Group:
• Provides training on the HL7 Risk Assessment process
• Gives direct assistance to WGs during the risk assessment process
Resources
Wiki Site: “Cookbook for Security Considerations”
• http://wiki.hl7.org/index.php?title=Cookbook_for_Security_Considerations
• HL7 gForge folder with other resources
• Tutorial Presentation on the Security Risk Assessment Cookbook
• Formal Security Cookbook Paper
• Template Spreadsheet for Risk Assessment
• IHE Equivalent Process
Do NOT use this tool :-)
Conclusion
Incorporating risk assessment in standards will:
• Help HL7 organizations when planning and implementing standards
• Add value to decision-making and business processes
• Require up front investment of time and resources
The HL7 Security Risk Assessment Cookbook will facilitate that process