Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards

© 2010 Health Level Seven ® International. All Rights Reserved. HL7 and Health Level Seven are registered trademarks of Health Level Seven International. Reg. U.S. TM Office. Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards HL7 Security Working Group John Moehrke Diana Proud-Madruga


Transcript of Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards

Page 1: Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards


Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards

HL7 Security Working Group

John Moehrke

Diana Proud-Madruga

Page 2: Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards


Agenda

• Introduce the Security Risk Assessment Cookbook Process
• Break
• Apply the Process to Student Provided Sample Standard
• Wrap up and Questions

Page 3: Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards

Objectives

You will be able to answer:
• What is a security risk?
• What are the steps needed to complete a security risk assessment for a standard?
• How to identify security and privacy gaps in a standard’s baseline.
• What is the role of the Security Working Group in the security risk assessment process?

Page 4: Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards

Introduction

Within healthcare today there is an increase in:
• Sharing of patient data
• Moving patient information among systems

Therefore:
• HL7 domain committees and working groups need to publish standards with privacy and security considerations in order to protect our patients.

Page 5: Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards

The Value of the HL7 Risk Assessment Cookbook

• HL7 Standards incorporate security and privacy issues from the start.
• Supports patient safety and improved patient outcomes
• Facilitates the identification of security and privacy gaps
• Encourages collaboration between the HL7 Security Working Group and other HL7 Working Groups

Page 6: Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards

What is a Security Risk?

To quantify risk, experts relate the level of threat (probability of an event) to the level of vulnerability, often stated as:

Threat x Vulnerability = Risk.

• Point A: A significant vulnerability with little or no threat = low to medium risk.
• Point B: A high threat with little or no vulnerabilities tied to the threat = low to medium risk.
• Point C: A high threat with a credible vulnerability = high risk.

Risk is “The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization.”

(ISO/IEC PDTR 13335-1)

Page 7: Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards

Risk Scenario

In this scenario:

• The vulnerability is the hole in the roof
• The threat is the rain cloud
• Rain could exploit the vulnerability

The risk is that the building and equipment in the building could be damaged as long as the vulnerability exists and there is a likely chance that rain will fall.

Page 8: Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards

Questions?

• What is a security risk?
• Review the relationship between vulnerabilities, threats and risks
• Start thinking about and recording health risk scenarios

Page 9: Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards

Risk Assessment

Five Stages of the HL7 Risk Assessment Process

Page 10: Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards

Risk Assessment and Management

Page 11: Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards

Stage 1 – Identify

Step 1 - Define Scope
• Describe standard being assessed
• Establish assumptions to be used
  • Content (asset)
  • Messaging
  • Transport
  • Existing security controls
  • Physical/Technical environment

Page 12: Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards

Stage 1 – Identify

Step 1 Example:

Page 13: Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards

Stage 1 – Identify

Step 2 - Identify Threat Scenarios/Type of Impact
• What are the various scenarios that could lead to an adverse event?
• Express the scenario as a short story
  • Who?
  • What are they doing?
  • How are they doing it? (What are they using?)
  • What is their goal?
  • What are the consequences (type of impact)?

Page 14: Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards

Brainstorm Risk Scenarios

Page 15: Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards

Stage 2 - Analyze

Step 1 – Assess Likelihood of Occurrence

Likelihood | Description | Selection Criteria
Very High, > 80% | This event will probably occur in the near future. | All agree (rare)
High, 51% to 80% | This event is likely to occur in the near future. | All agree
Medium, 21% to 50% | This event may occur in the near future. | Disagreement between Low and High
Low, 6% to 20% | This event is possible but highly unlikely to occur in the near future. | All agree
Very Low, 0% to 5% | This event is not expected to occur in the near future. | All agree (rare)

Page 16: Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards

Step 2 – Assess Level of Impact

Columns: Impact, Reputation, NIST 800-30, Legislative and regulatory compliance

Very High
  Reputation: Potential for reduction in WG or TC mandate
  Legislative and regulatory compliance: Potential for policy or rulings against HL7 due to non-compliance with Privacy and Security regulations

High
  Reputation: Serious adverse attention from media, medical establishment and / or public attention to HL7
  NIST 800-30: Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury.
  Legislative and regulatory compliance: Potential for major fines or financial loss due to non-compliance with Privacy and Security regulations.

Medium
  Reputation: Minor adverse attention from media, medical establishment and / or public to HL7 or to standard
  NIST 800-30: Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human injury
  Legislative and regulatory compliance: Potential for non-compliance with Privacy and Security regulations

Low
  Reputation: Loss of reputation among clients / partners
  NIST 800-30: Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization’s mission, reputation, or interest.
  Legislative and regulatory compliance: Privacy and Security regulations in some countries may conflict with one or two elements in the standard

Very Low
  Reputation: Internal loss of reputation
  Legislative and regulatory compliance: Perceived non-compliance within HL7

Page 17: Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards

Stage 2 - Analyze

Step 3 – Prioritize using Likelihood of Occurrence and Level of Impact

[Figure: Sample Risk Map (Source: SSHA)]

Page 18: Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards

Assessment of Risks

Complete the Analysis stage for your own standard. Example:

Page 19: Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards

Stage 3 - Plan

Risks with a priority rating of 3 – 5 must be mitigated to:
• Lower level of Impact
• Lower probability of occurrence
• Both
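An added example, not part of the original presentation: a small risk register that applies the Stage 2 likelihood bands and selection criteria, then flags every risk with a priority rating of 3 to 5 for mitigation. The transcript does not reproduce the risk map, so priority() is an assumed stand-in (mean of the two ranks, rounded up); recording any split vote as Medium is an assumed reading of the Selection Criteria column, and the scenarios are constructed.

```python
import math

LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]  # ranks 1..5
# Upper bound (percent) of each likelihood band in the Stage 2, Step 1 table.
BANDS = [(5, "Very Low"), (20, "Low"), (50, "Medium"), (80, "High"), (100, "Very High")]

def likelihood_from_percent(pct):
    """Map an estimated probability of occurrence (0-100 %) to its band."""
    if not 0 <= pct <= 100:
        raise ValueError("probability must be between 0 and 100")
    return next(name for upper, name in BANDS if pct <= upper)

def likelihood_from_votes(votes):
    """Apply the Selection Criteria column: a level stands when all assessors
    agree; a split vote is recorded as Medium (assumed reading of the table)."""
    if not votes or any(v not in LEVELS for v in votes):
        raise ValueError("votes must be non-empty and use the five levels")
    return votes[0] if len(set(votes)) == 1 else "Medium"

def priority(likelihood, impact):
    """ASSUMED stand-in for the risk map: mean of the two ranks, rounded up."""
    ranks = LEVELS.index(likelihood) + 1 + LEVELS.index(impact) + 1
    return math.ceil(ranks / 2)

def assess(register):
    """Return (priority, scenario, likelihood, impact, must_mitigate) rows,
    highest priority first; priority 3-5 must be mitigated (Stage 3)."""
    rows = []
    for scenario, likelihood, impact in register:
        p = priority(likelihood, impact)
        rows.append((p, scenario, likelihood, impact, p >= 3))
    return sorted(rows, key=lambda r: (-r[0], r[1]))

# Constructed sample register: (threat scenario, likelihood, impact).
SAMPLE_REGISTER = [
    ("Result message delivered to the wrong recipient",
     likelihood_from_votes(["High", "High", "High"]), "High"),
    ("Implementer omits the optional audit record",
     likelihood_from_percent(35), "Medium"),
    ("Code table lookup unavailable during exchange",
     likelihood_from_votes(["Low", "High"]), "Very Low"),
]

if __name__ == "__main__":
    for p, scenario, likelihood, impact, must in assess(SAMPLE_REGISTER):
        action = "mitigate" if must else "optional"
        print(f"{p}  {likelihood:<9} {impact:<9} {action:<9} {scenario}")
```

Replace priority() with a lookup into the working group's own risk map before using the output to decide which risks to mitigate.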

Page 20: Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards

Stage 3 – Plan

5 Mitigation Strategies:
• Accept
• Transfer to
• Mitigate
• Avoid
• Assign (Defer)

Example: Car insurance with a high deductible is an example of partial transference and partial acceptance. In the case of an accident, expenses below the $1000 deductible need to be accepted. Any expenses above $1000 are covered by insurance, thus the risk is transferred to the insurance company. An example of mitigation would be performing regular car maintenance to reduce the risk of having an accident that is caused by mechanical failure.

Page 21: Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards

Risk Management

Complete the Management of risks section of the Risk Assessment and Mitigation Table.

Page 22: Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards

Stage 4 - Track

Review Security Risk Assessment for HL7 Standards document:
• When the standard is updated
• Concerns are voiced
• Technology changes
• To determine impact of mitigation strategies

Use Comments section to record effect of mitigation strategy

Extend Management of Risks section as needed.

Page 23: Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards

Stage 5 - Document

Place a “Security Considerations” section in the standard
• Description of scope and assumptions
• Description of mandatory/optional mitigations
• Description of unmitigated risks for implementers to know about

Keep Security Risk Assessment for HL7 Standards document in committee knowledgebase

Page 24: Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards

Questions?

What are the steps needed to complete a security risk assessment for a standard?

What tools are available to help you identify security and privacy gaps in a standard’s baseline?

Page 25: Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards

The Role of the HL7 Security WG

Communication is at the center of the HL7 Risk Assessment Process

HL7 Security Working Group:
• Provides training on the HL7 Risk Assessment process
• Gives direct assistance to WGs during the risk assessment process

Page 26: Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards

Resources

Wiki Site: “Cookbook for Security Considerations”
• http://wiki.hl7.org/index.php?title=Cookbook_for_Security_Considerations
• HL7 gForge folder with other resources
• Tutorial Presentation on the Security Risk Assessment Cookbook
• Formal Security Cookbook Paper
• Template Spreadsheet for Risk Assessment
• IHE Equivalent Process

Do NOT use this tool  :-)

Page 27: Security Risk Assessment Cookbook: Incorporating Security in HL7 Standards

Conclusion

Incorporating risk assessment in standards will:
• Help HL7 organizations when planning and implementing standards
• Add value to decision-making and business processes
• Require up front investment of time and resources

The HL7 Security Risk Assessment Cookbook will facilitate that process
