HIPAA Security Risk Management
Robert Burgett
Director, Information Technology & Security
The Elizabeth Hospice, Inc.
Escondido, CA 92025
760.796.3779 [email protected]
CHAPCA Annual Conference 10.10.2017
Introduction – Robert Burgett
Robert is a highly accomplished Head of IT for Southern California’s largest hospice. He serves as Director of Information Technology and Security Official, with over 20 years of successful experience in all areas of Information Technology, Security, and Facilities Management. He brings highly driven, proactive leadership aligned with the Corporate Mission, Vision, and Values; a demonstrated high level of integrity in securing all infrastructure, physical and virtual; and experience implementing best practices and controls for HIPAA / HITECH (Health Information Technology for Economic and Clinical Health Act) compliance.
Learning Objectives:
• Describe what a GAP assessment entails
• Describe the data privacy life cycle
• Describe six ways a program can come under scrutiny
• Describe HHS HIPAA Audit Protocol Changes
Agenda
HIPAA Privacy breaches are increasingly common and come with a high price tag. This presentation focuses on identifying your risks and protecting information and knowledge related to privacy and security in the healthcare environment. Participants will leave with a better understanding of how achieving a legally defensible posture and system will better protect an organization and its patients.
Privacy & Security: individual rights and choices around the data privacy lifecycle
Requires information governance around PHI / PII
▪ Notice/consent-choice, collection, access/purpose/use, guest access/availability/correction/quality, disclosure/sharing/forward transfer, storage/retention and secure disposal, cross-border transfer rules
• Someone can compromise the Confidentiality of your ePHI
• Someone could inappropriately alter or delete ePHI (which affects its Integrity)
– this includes personally identifiable information (PII)
» Administrative, physical, and technical controls
» About “reasonable controls” and “defense in depth”
» Customers, donors, employees, consultants
» Business partners, service providers, vendors, etc.
• Your ePHI or PII might not be Available when you need it
Lifecycle stages: NOTICE → COLLECTION → USE → DISCLOSURE → DISPOSAL
6 Most Common Types of Healthcare Data Security Breaches
• Cyber hacking
• Loss or theft of mobile device or media
• Insider mishaps or workarounds
• Business associates
• Malicious insider or fraud
• Insider snooping
Security goals are also bigger than compliance
Steps taken to protect from theft, business disruption and compromise:
▪ Company technology and infrastructure; PHI / PII data
• Internal and external vulnerability scans—automated testing for weaknesses inside and outside your network
• Penetration tests—live, hands-on testing of your system’s weaknesses and vulnerabilities (through a third party)
• NMAP scanning—a simple network scan that identifies open ports and services on your network
• Gap analysis—consultation on where your gaps in security and compliance exist and what steps need to occur next
6 ways a program can come under scrutiny
Can lead to loss of business/opportunity and/or enforcement action
1. Complaints to regulatory authority or law enforcement
▪ Referred cases from other agencies
▪ Direct complaints from customers/patients
▪ Whistle-blowers
2. Breach – the entire program is scrutinized, not just the cause of the breach
▪ Media firestorm
3. Audits/surveys
▪ HHS and SEC conduct surprise audits
▪ Complaint investigations and breaches lead to audits
4. Business partner prior to contracting and periodically thereafter
5. Acquiring company (M&A) / investor conducting due diligence to mitigate “successor liability”
6. Cyber risk insurance applications also require a due diligence assessment
Benefits of a Risk Analysis
▪ Establish security measures to reduce risks to a reasonable and appropriate level
▪ Protect your ePHI against those risks that can be reasonably anticipated
▪ Completing a Risk Assessment is a core requirement for receiving Medicare and Medicaid EHR incentive payments
▪ Called “meaningful use”
▪ These are required by HIPAA
▪ Good business practice
Key Components of a Risk Analysis
▪ Scope of your Risk Analysis
▪ All the ePHI that your organization creates, receives, maintains, and transmits
▪ This includes all forms of paper or electronic media
▪ Hard drives, laptops, desktops, tablets, or smart devices
▪ Backup tapes, smart cards or thumb drives
▪ All other forms of electronic media
▪ Where and how the ePHI is stored, received, maintained, or transmitted…
▪ More than ePHI
▪ Billing info, insurance claims, and appointment information…
▪ Where ePHI is stored
▪ Desktops, laptops, tablets, copiers, scanners, smart devices
▪ CD-ROM, thumb drives, etc…
▪ Where it flows
▪ Both internal and external
▪ Patients, physicians, off-site disaster recovery sites, or storage locations, both paper and electronic
Key Components of a Risk Analysis Cont…
▪ How it flows
▪ E-mail, fax, shared network drives, health information exchange (HIE)
▪ Review past and current projects
▪ Interview staff and IT support staff
▪ Review policies and procedures
▪ Other data collection methods
▪ Data maps or flow diagrams
Key Components of a Risk Analysis Cont…
▪ Document findings
▪ Identify and document possible threats and vulnerabilities
▪ Threats:
▪ Human, natural, or environmental
▪ Vulnerabilities:
▪ Weaknesses in your security controls
▪ Both physical and virtual
▪ Either could cause a security incident…
▪ Unencrypted laptops, copiers, smart devices
▪ Policies and procedures
▪ Worse, nothing in place
Key Components of a Risk Analysis Cont…
▪ Assess current security measures
▪ Review the administrative, technical, and physical safeguards
▪ Determine the likelihood of threats
▪ Which threats the HIPAA Security Rule requires you to protect against because they are reasonably anticipated…
▪ Determine the impact of potential threats
▪ If they actually occur:
▪ How will it impact the confidentiality of the information?
▪ Will unauthorized people be able to access ePHI?
▪ Will they be able to change or compromise the integrity?
▪ If a threat such as an outage or severe storm occurs, will all data integrity stay protected and be available…
▪ Document all potential impacts that could be a threat to ePHI
▪ Categorize the likelihood and impact of the threats and vulnerabilities
▪ HIGH
▪ MEDIUM
▪ LOW
Key Components of a Risk Analysis Cont…
▪ Document a list of corrective actions
▪ Putting a new policy in place
▪ Training staff on a new process or procedure
▪ Adding additional safeguards
▪ Card access readers, locks, and security surveillance cameras
▪ Final step: review and update your risk analysis from time to time
▪ Ongoing – the organization is always changing
▪ Perform an annual risk analysis
▪ www.healthIT.gov
▪ www.hhs.gov/ocr
Yet, the cost to protect is low and creates a legally defensible posture
Avg. protection cost ($16) is less than 7% of avg. breach costs per compromised record (Gartner)
97-99% of breaches are avoidable with reasonable controls (simple/intermediate) (Verizon Business Data Breach Reports)
Legal defensibility is getting to 97-99% avoidability – not “absolute privacy/security”, as there is no such thing
Risk Profile Changes: Healthcare
• Primary reason for breaches
– Just a couple of years ago – lost or stolen mobile devices
– Now hacking (doubled in 2015), with ransomware on the rise
• Hacking systems
• Hacking users to get into systems – what is meant by this?
• Why the change?
– Easy target – less mature industry with fewer protections in place
– Treasure trove of data – $
– Business disruption – terrorism or threats…
Good Privacy and Security strengthens your brand
▪ Trust economics – a business enabler
▪ Brand trust based on patient experience creates referrals
Breaches can cause brand erosion
What is the purpose of brakes on a car…? Not to slow a car down… but to allow it to go fast!
Why is this important?
Why this seemingly endless parade of breaches?
Question: Why are so many “compliant organizations” suffering breaches and the resulting regulatory fines and enforcement actions, class action lawsuits, and adverse brand and equity impacts?
Answer:
1. Treating privacy strictly as a compliance risk, or worse as only an IT risk, rather than as an enterprise risk – you need both…
2. Underestimating the risk, or not being aware they are assuming a risk
3. Not pursuing a risk-based, legally defensible strategy
4. Not implementing risk governance and accountability
Preparedness for inevitable breach, regulator investigation and legal proceedings
Compliance – establishes the baseline; however, it too often becomes check-the-box against the “black letter” of the law / regulation
▪ Compliance does not equal privacy – laws, regulations & standards cannot keep up with emerging threats, vulnerabilities and technologies
▪ Privacy breaches have huge financial, regulatory, legal, and reputational impacts as well as personal D&O liability risks
Legal Defensibility – actions and inactions defendable to a regulator and plaintiff attorney, jury or judge – requires:
▪ Anticipating foreseeable risks and applying reasonable standards of care
Privacy/Security-by-Design enables legal defensibility through clear roles and responsibilities for sustainably managing risks (NIST: repeatable)
What can you do?
Security: Determining “reasonable controls”
Use a standards stack to strengthen policies/SOPs and ensure no gaps
Write policies to a framework of appropriately stacked standards for legal defensibility:
▪ HIPAA Security Rule (19 years old)
▪ 7 Elements of the U.S. Sentencing Guidelines for an Effective Compliance Program
▪ Top 20 Critical Security Controls – Center for Internet Security (VB DBIR)
▪ State requirements, e.g., MA’s requirement that PII be encrypted on mobile devices
▪ Contractual requirements, e.g., Shared Assessments SIG
▪ Regulatory guidance and enforcement actions, e.g. mobile apps, peer-to-peer file sharing
▪ PCI DSS standards
▪ ISO 27002:2013
▪ HITRUST
▪ NIST Cybersecurity Framework
Adopt an integrated privacy risk management & control framework
A continuous process for optimizing reward vs. emerging risks and strengthening posture
Simplified COSO RM & C Framework adapted to manage privacy / security risks:
Internal Environment – executive commitment; management support
Governance – regulatory coverage map; strategy setting / planning; risk tolerance; risk policy; risk owners and accountability; training and education
Risk Assessment – risk identification; controls effectiveness review; risk probability and impact; risk ranking
Risk Response and Management – avoid, transfer, monitor, accept risk; mitigation planning and execution; privacy / security-by-design
Control Activities
Monitoring and Adapting – controls evaluation in RM tiers; controls effectiveness monitoring; event / incident / breach analysis; identifying and closing gaps; MSSP (Managed Security Service Provider)
Information and Communication – key risk indicator review; Privacy Steering Committee; Board of Directors
Information governance matrix
Regulators expect clearly defined & operational roles/responsibilities
Actor | High level responsibilities
Board of Directors | Duty to protect corporate assets: information (PII, trade secrets, IP) and critical infrastructure. SEC cybersecurity risk disclosure.
Executives | Program commitment; establish as a strategic imperative; provide resources/budget
Privacy Governance Steering Committee (charter & standing agenda) | Provide strategic guidance and ensure management support; help establish risk tolerance through risk related decision-making/guidance (risk assessments); ensure privacy/security officials are engaged by their staff/resource owners for privacy/security related design or other issues – be their “eyes and ears”
Privacy & Security Officials | Program leadership and establishment; SEC cybersecurity disclosure sign-off if public
Management | Program support; on-the-job privacy/security training; ID staff AUP violations; ID prospective service providers to CPO early for due diligence; own Privacy/Security-by-Design for non-engineering activities
Privacy Liaisons | Liaisons for each privacy data lifecycle function ensure adherence to privacy policy
HR | Identify/schedule new hires for privacy/security training; conduct background checks
Legal / Compliance | Ensure proper contracting with service providers; keep the Board abreast of privacy and cybersecurity risk exposure and posture
InfoSec Team | Implementation working group: regular review of RBAC rights; ensure implementation of risk mitigation activities and report status to Steering Committee
Domain Owners | Application security; technical controls; physical controls; administrative controls (or 13 domains in ISO 27002:2013)
Resource Owners | Authorize RBAC roles; grant rights; periodically review rights for accuracy
Resource Custodians | Implement approved RBAC rights; ensure Privacy/Security-by-Design for resources
Engineering Director / Program Manager | Provide Privacy/Security-by-Design guidance to engineers and SQA as well as code review teams for data driven initiatives, new / enhanced resources, and as changes are made to data flow process and/or data locations
Workforce Members | Adhere to AUP and other policies/SOPs
Data flow, locations and inventory mapping
Maintain to reflect changes to data flow process and/or data locations
Use modified SIPOC to develop data flow diagram
Six Sigma tool for getting a process under control; data locations = resources
SIPOC columns: Data Suppliers / Sources | Data Location | Data Inputs | Data Flow Process Step | Data Outputs | Data Location | Data Customers
Data flow process steps (swim lanes): Notice; Data Collection; Data Use / Handling; Data Transfer - Sharing; Data Storage - Retention; Data Backup / Retention; Data Disposal - Destruction
Create a data flow diagram with swim lane process owners – informs risk assessment
Interview process owners and document end-to-end privacy data flows / locations
Data inventory and locations map
Data locations (columns): Database | Shared folder | Box | SharePoint | File cabinet
Rows for each location: Resource owner; Resource custodian; Data inventory by sensitivity – Highly sensitive, Sensitive, Less sensitive, Non-sensitive
▪ Executives should assign owners to resources within their organizational control (or by default they become the owner)
▪ Resources – products/services, processes, applications, internal / external systems, technologies, service providers/partners
▪ Resource Owners are responsible for ensuring RBAC design, authorizing RBAC rights, and periodically reviewing RBAC rights for accuracy
▪ Resource Custodians are responsible for the Privacy/Security-by-Design of assigned resources
Match protection to data sensitivity
Only highly sensitive data, if compromised, may lead to a reportable breach
Quartile 4 Data Sensitivity Classifications (examples may vary by country of jurisdiction)
4 – Highly Sensitive: includes any of the following: SSN, payment card info, user ID/password, security question/answer (mother’s maiden name, DOB, place of birth, etc.), health insurance ID #; genetic info (defined by GINA), medical/health info, background check info, biometric record or identifiers
3 – Sensitive: PII that does not fall into quartile 4 or 2, such as other personally identifiable dates, account #, vehicle ID/serial #, driver’s license/certificate #, other unique ID #/characteristic/code, geo-location data, other personnel file info
2 – Slightly Sensitive: published contact info: name plus address, phone #; email address, fax #, instant message user ID, URL address, IP address, photo/video/audio file, persistent device/processor/serial ID; any other PII used for marketing purposes (see CA’s “Shine the Light Law”)
1 – Non-Sensitive: non-personal information, such as session identifiers/cookies; business lead contact info is not sensitive in the U.S., but is in Canada, the EU, and elsewhere
Operational examples – adjust processes based on data sensitivity levels, e.g. pre-contract due diligence and periodic monitoring of BAs, roles-based access controls (RBAC), encryption, etc.
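To make the quartile scheme operational, the following Python is an added example (mine, not from the presentation) that classifies a constructed data inventory: each resource takes the quartile of its most sensitive field, an unknown field raises an error rather than silently landing in quartile 1, the slide's jurisdiction note for business lead contact info is applied, and quartile 4 resources are flagged as the ones whose compromise may lead to a reportable breach. The per-quartile protection expectations, the jurisdiction treatment (quartile 2 outside the U.S.), and the sample inventory with its owners and custodians are assumptions.

```python
"""Classify a data inventory by the four data-sensitivity quartiles on the slide.

Added example; not from the presentation. The field-to-quartile lists follow
the slide. The per-quartile protection expectations, the jurisdiction rule and
the sample inventory are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Quartile 4 (highly sensitive) down to 1 (non-sensitive), per the slide.
QUARTILE_FIELDS: Dict[int, set] = {
    4: {"ssn", "payment_card", "user_id_password", "security_question_answer",
        "health_insurance_id", "genetic_info", "medical_info",
        "background_check", "biometric"},
    3: {"personal_date", "account_number", "vehicle_id", "drivers_license",
        "other_unique_id", "geolocation", "personnel_file"},
    2: {"name_address", "phone", "email", "fax", "im_user_id", "url",
        "ip_address", "media_file", "device_id", "marketing_pii"},
    1: {"session_id", "cookie"},
}
LABELS = {4: "Highly Sensitive", 3: "Sensitive", 2: "Slightly Sensitive", 1: "Non-Sensitive"}

# Slide: business lead contact info is not sensitive in the U.S. but is in
# Canada, the EU and elsewhere. Assumption: quartile 2 outside the U.S.
JURISDICTION_RULES = {"business_lead_contact": {"US": 1, "default": 2}}

# Assumption: the slide's "operational examples" assigned per quartile.
PROTECTION = {
    4: {"RBAC", "encryption at rest and in motion", "BA due diligence + periodic monitoring"},
    3: {"RBAC", "encryption on mobile devices", "BA due diligence"},
    2: {"RBAC"},
    1: set(),
}


@dataclass
class Resource:
    name: str
    location: str      # database, shared folder, Box, SharePoint, file cabinet
    owner: str         # resource owner (authorizes RBAC)
    custodian: str     # resource custodian (implements RBAC)
    fields: List[str]


def field_quartile(field_name: str, jurisdiction: str = "US") -> int:
    """Quartile of a single field; unknown fields are an error, never a silent 1."""
    if field_name in JURISDICTION_RULES:
        rule = JURISDICTION_RULES[field_name]
        return rule.get(jurisdiction, rule["default"])
    for quartile, names in QUARTILE_FIELDS.items():
        if field_name in names:
            return quartile
    raise ValueError(f"unclassified field: {field_name!r}; add it to the classification")


def resource_quartile(res: Resource, jurisdiction: str = "US") -> int:
    """A resource is as sensitive as its most sensitive field."""
    return max(field_quartile(f, jurisdiction) for f in res.fields)


def reportable_breach_exposure(inventory: List[Resource], jurisdiction: str = "US") -> List[str]:
    """Slide: only highly sensitive (quartile 4) data, if compromised, may lead to a reportable breach."""
    return [r.name for r in inventory if resource_quartile(r, jurisdiction) == 4]


def locations_map(inventory: List[Resource], jurisdiction: str = "US") -> Dict[str, Dict[str, str]]:
    """Data inventory and locations map: location -> {resource: sensitivity label}."""
    out: Dict[str, Dict[str, str]] = {}
    for r in inventory:
        out.setdefault(r.location, {})[r.name] = LABELS[resource_quartile(r, jurisdiction)]
    return out


def required_protection(res: Resource, jurisdiction: str = "US") -> set:
    return PROTECTION[resource_quartile(res, jurisdiction)]


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    Resource("EHR", "database", "Clinical Director", "DBA team",
             ["medical_info", "health_insurance_id", "name_address"]),
    Resource("Scheduling share", "shared folder", "Office Manager", "IT",
             ["name_address", "phone", "personal_date"]),
    Resource("Donor CRM", "Box", "Development Director", "IT",
             ["business_lead_contact", "email"]),
    Resource("Web analytics", "SharePoint", "Marketing", "IT",
             ["session_id", "cookie"]),
    Resource("Lead list", "file cabinet", "Development Director", "Office Manager",
             ["business_lead_contact"]),
]

if __name__ == "__main__":
    for loc, items in locations_map(SAMPLE_INVENTORY).items():
        print(loc, items)
    print("reportable-breach exposure:", reportable_breach_exposure(SAMPLE_INVENTORY))
```

The design choice worth noting is the error on unclassified fields: a data map that quietly defaults unknown fields to non-sensitive understates exposure, whereas an explicit failure forces the data owner to classify the field before the inventory is accepted.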
Risk-maturity based controls evaluation
Evaluate maturity using NIST Cyber Security Framework’s RM Implementation Tiers
Controls evaluation template columns:
# | Established Performance Criteria | Audit Procedures | Control Effectiveness (1-4 or 1-10) | Current profile RM tier (existing controls, 1-4) | Target profile RM tier (new or strengthened controls, 1-4)
Rows 1-7: one per criterion
Sources of established performance criteria: HHS HIPAA Audit Protocol (1. Privacy Rule, 2. Breach Notification Rule, 3. Security Rule); ERM; NIST Cyber Security Framework Evaluation – Risk Management (“RM”) Implementation Tiers (1. Partial, 2. Risk informed, 3. Repeatable, 4. Adaptive)
RM Implementation Tiers in NIST Cyber Security Framework
Tier Definitions
1 PARTIAL
RM Process: Informal, ad-hoc (and sometimes reactive) RM practices. Prioritization of RM may not be directly informed by organizational risk objectives, the threat environment, or business requirements.
Integrated RM Program: Limited RM awareness. RM implemented on an irregular, case-by-case basis. Processes do not enable risk information to be shared within the organization.
External Actions: No processes in place to share information with other entities.
2 RISK INFORMED
RM Process: Management approved RM practices are not established in policy. Prioritization of RM is directly informed by organizational risk objectives, threat environment, or business/mission requirements.
Integrated RM Program: Risk awareness but informal RM. RM procedures are implemented. Staff has adequate resources to perform their RM duties. Risk information is informally shared within the organization.
External Actions: Awareness, but no formalized capabilities to interact and share information externally.
3 REPEATABLE
RM Process: Formal RM practices in policy. RM practices are regularly updated based on changes in business requirements and a changing threat and technology landscape.
Integrated RM Program: Formal RM and policies/procedures are implemented/reviewed and respond effectively to changes in risk. Personnel possess knowledge/skills to perform appointed roles/responsibilities.
External Actions: Understanding of dependencies; collaborates with and receives information from other entities.
4 ADAPTIVE
RM Process: Lessons learned and predictive indicators inform RM practices. Actively adapts to a changing risk landscape and responds to evolving/sophisticated threats in a timely manner.
Integrated RM Program: RM is part of the culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on systems/networks.
External Actions: Collaborate to ensure accurate, current information to improve RM actions before events occur.
4 data states
Evaluate control effectiveness in these data states
Data State | Examples
Data at Rest | structured data: database, online backup, offsite backup, printer/scanner hard drive, fax server; unstructured: shared/restricted folders
Data in Motion | email, sFTP, fax, point-to-point
Data at Endpoints | desktops, laptops, tablets, mobile phones, USB devices, DVDs/CDs
Data at Disposal/Destruction | paper shredding, electronic device/data wiping/destruction
HHS HIPAA Audit Protocol Changes
# of Requirements: Previous Version → Updated Version
Breach Notification Rule: 10 → 19
Privacy Rule: 78 → 89
Security Rule: 77 → 72
Total: 165 → 180
Comments:
• Some previous criteria were consolidated, others broken out into separate requirements, and new requirements added.
• Every requirement requires expression in policies and procedures, many require being addressed in training, and many also require documentation or evidence of compliance that a regulator can review.
• It is very easy to be found not in compliance when you have to fulfill a “requested documents list” as a result of an inquiry, investigation or audit.
Risk assessment and management
Formal risk assessment process
▪ Formalize under an attorney-client privilege process
▪ Invite appropriate participants and appoint a facilitator and record keeper
▪ Identify risks through brainstorming using data mapping and other tools
▪ Determine effectiveness of existing controls
▪ Determine likelihood of occurrence and severity of impact
▪ Rank based on total risk value and determine material risks requiring response
▪ Assign risk owner and agree on risk response based on organization risk tolerance
Risk mitigation planning and execution
▪ Develop risk mitigation plans including milestones
▪ Ensure mitigation plans are developed into requirements, implemented and tested prior to roll-out
Approval and tracking by Privacy Steering Committee
▪ Obtain approval of identified and material risks, risk owners, risk response, and mitigation plans
▪ Track / report on implementation progress of mitigation plans
Update policies/SOPs and training as appropriate
Basic risk assessment template
Column groups: Risk Scope | Controls Evaluation | Risk Valuation
Risk Scope: # | Risk | Scope In/Out | Domain / Domain Owner
Controls Evaluation: Key Potential Root Causes | Existing Key Controls | Controls Effectiveness 1-4/10
Risk Valuation: Potential Effects / Impacts | Net Likelihood 1-7 | Net Impact 1-6 | Net Loss 1-7
Example row values: Controls Effectiveness 5, Net Likelihood Medium, Net Impact Damaging, Net Loss High
Net Loss: Negligible, Very Low, Low, Medium, High, Very High, Extreme
5 Risk Responses
▪ Accept – Business decides to accept the current level of risk because: a) the mitigation costs outweigh the benefits; or b) the key causes are out of its control (inescapable part of doing business)
▪ Avoid – Eliminate a process or product to avoid the risk or condition, as the risks outweigh the rewards
▪ E.g., eliminate installing a faulty slide that could hurt children from the project plan
▪ Transfer/Share – Contractually shift or share the consequences of a risk to a third party, or insure the risk
▪ Monitor – Temporarily delay selecting another response until more information, usually research, is obtained
▪ Timeframe should be agreed upon, usually no more than 30-60 days, and tracked
▪ Mitigate – Improve control effectiveness to control the risk to an acceptable threshold, either by reducing the frequency and/or the effect
Rationales and approving authorities must be documented for all responses
Controls effectiveness scale
The greater the risk, the stronger the controls should be
Scale | Controls | Effectiveness Examples
10 | preventive, detective & corrective controls | IPS, account lock-out on failed log-ins
7-9 | preventive and detective controls |
4-6 | preventive controls | privacy/security-by-design, policies/SOPs, training (awareness/on-the-job), keycards, authentication, RBAC system controls, encryption, hardening, firewalls/IDS, real-time log correlation/response, white/black listing, code testing prior to release, DLP, database activity monitoring
1-3 | detective controls | risk assessments, control evaluations, alerts, reports, periodic review of logs, file integrity monitoring, vulnerability scans, penetration testing, threat watch
0 | no controls |
▪ Controls must be documented in a procedure, implemented, tested, monitored, and trained on where appropriate.
▪ Higher control effectiveness rankings within a category are based on multiple layers of controls – defense in depth.
▪ Controls can take into account: company’s size, complexity and capabilities; reasonability standard; costs vs. benefit; company’s administrative, physical and technical infrastructure.
Basic risk mitigation planning template
Column groups: Risk Response | Risk Mitigation | Status Update | Post Mitigation Valuation
Risk Response: # | Risk | Risk Response
Risk Mitigation: Mitigation Plan Owner | Mitigation Strategy | Action Plans | Planned Due Date
Status Update: On-Track Completion Progress: G, Y, R
Post Mitigation Valuation: Controls Effectiveness 1-10 | Post Mitigation Likelihood 1-7 | Post Mitigation Impact 1-6 | Post Mitigation Loss 1-7
On-Track Completion Progress: Green, Yellow, Red – allows a quick status update to inquire about issues/obstacles where appropriate
Post Mitigation Loss: Negligible, Very Low, Low, Medium, High, Very High, Extreme
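The assessment template, the controls effectiveness scale and the mitigation planning template above reduce to a small amount of bookkeeping once the scales are pinned down. The Python register below is an added example (mine, not from the presentation) that implements them: controls_effectiveness() maps a mix of control types and layers onto the 0-10 scale, Risk scores net likelihood (1-7), net impact (1-6) and net loss (1-7, with the seven named levels), rank() and material_risks() produce the ranking, response_problems() checks the response rules the slides state (documented rationale and approving authority for every response; Monitor needs an agreed timeframe of no more than 30-60 days), and post_mitigation() re-scores a risk after strengthened controls. The rule that every two effectiveness points remove one likelihood level, the formula combining likelihood and impact into loss, the materiality threshold and the three sample risks are assumptions; the slides give the scales but not the arithmetic.

```python
# Risk register implementing the slides' assessment and mitigation templates.
# Added example, not from the presentation. Scales follow the slides: controls
# effectiveness 0-10 by control type, net likelihood 1-7, net impact 1-6, net
# loss 1-7 with the seven named levels, the five responses, Monitor capped at
# 30-60 days. The likelihood reduction per effectiveness point, the loss
# formula, the materiality threshold and the sample risks are assumptions.
from dataclasses import dataclass, replace
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional

LOSS_LEVELS = ["Negligible", "Very Low", "Low", "Medium", "High", "Very High", "Extreme"]
MATERIAL_LOSS = 5      # assumption: "High" or worse is material and needs a response
MONITOR_MAX_DAYS = 60  # slide: usually no more than 30-60 days
# Slide scale as (low, high) per control mix: 0 none; 1-3 detective; 4-6 preventive;
# 7-9 preventive + detective; 10 preventive + detective + corrective.
BANDS = {
    frozenset(): (0, 0),
    frozenset({"detective"}): (1, 3),
    frozenset({"preventive"}): (4, 6),
    frozenset({"preventive", "detective"}): (7, 9),
    frozenset({"preventive", "detective", "corrective"}): (10, 10),
}

class Response(Enum):
    ACCEPT = "Accept"
    AVOID = "Avoid"
    TRANSFER = "Transfer/Share"
    MONITOR = "Monitor"
    MITIGATE = "Mitigate"

def controls_effectiveness(kinds: List[str], layers: int = 1) -> int:
    """More layers of the same control types move up within the band (defense in depth)."""
    mix = frozenset(kinds)
    if mix not in BANDS:
        raise ValueError(f"control mix {sorted(mix)} is not on the slide's scale")
    low, high = BANDS[mix]
    return min(high, low + max(0, layers - 1))

def combine_loss(likelihood: int, impact: int) -> int:
    """Net loss 1-7 from likelihood 1-7 and impact 1-6. Assumption: additive, rescaled so (1,1)->1, (7,6)->7."""
    if not (1 <= likelihood <= 7 and 1 <= impact <= 6):
        raise ValueError("likelihood must be 1-7 and impact 1-6")
    return round((likelihood + impact - 2) * 6 / 11) + 1

@dataclass
class Risk:
    ref: int
    description: str
    existing_controls: List[str]      # control types in place
    control_layers: int
    inherent_likelihood: int          # 1-7, before crediting controls
    net_impact: int                   # 1-6
    response: Optional[Response] = None
    rationale: str = ""
    approver: str = ""
    review_by: Optional[date] = None  # Monitor: agreed review date

    def effectiveness(self) -> int:
        return controls_effectiveness(self.existing_controls, self.control_layers)

    def net_likelihood(self) -> int:
        # Assumption: every two effectiveness points remove one likelihood level.
        return max(1, self.inherent_likelihood - self.effectiveness() // 2)

    def net_loss(self) -> int:
        return combine_loss(self.net_likelihood(), self.net_impact)

    def loss_label(self) -> str:
        return LOSS_LEVELS[self.net_loss() - 1]

def rank(risks: List[Risk]) -> List[Risk]:
    """Rank by total risk value: net loss first, then net likelihood."""
    return sorted(risks, key=lambda r: (r.net_loss(), r.net_likelihood()), reverse=True)

def material_risks(risks: List[Risk]) -> List[Risk]:
    return [r for r in rank(risks) if r.net_loss() >= MATERIAL_LOSS]

def response_problems(risk: Risk, today: date) -> List[str]:
    """Slide rules: rationale and approver for every response; Monitor needs an agreed, tracked timeframe."""
    if risk.response is None:
        return ["no response selected"]
    problems = []
    if not risk.rationale:
        problems.append("rationale missing")
    if not risk.approver:
        problems.append("approving authority missing")
    if risk.response is Response.MONITOR:
        if risk.review_by is None:
            problems.append("Monitor without agreed timeframe")
        elif risk.review_by - today > timedelta(days=MONITOR_MAX_DAYS):
            problems.append(f"Monitor timeframe exceeds {MONITOR_MAX_DAYS} days")
    return problems

def post_mitigation(risk: Risk, new_controls: List[str], layers: int) -> Risk:
    """Post-mitigation valuation: the same risk re-scored with strengthened controls."""
    return replace(risk, existing_controls=new_controls, control_layers=layers,
                   response=Response.MITIGATE)

def sample_register() -> List[Risk]:
    """Constructed sample risks, not real findings."""
    return [
        Risk(1, "Unencrypted laptops holding ePHI", ["detective"], 1, 6, 5),
        Risk(2, "Open ePHI folders on shared drive", ["preventive"], 1, 4, 4),
        Risk(3, "Business associate engaged without due diligence", [], 1, 3, 5,
             Response.MONITOR, "awaiting BA questionnaire", "Privacy Steering Committee",
             date(2017, 10, 10) + timedelta(days=45)),
    ]
```

With these assumptions the unencrypted-laptop risk scores net loss 6 (Very High) on detective-only controls and drops to 3 (Low) after mitigation with layered preventive, detective and corrective controls, which is the before/after the mitigation template is meant to record; the open-folder risk, already behind a preventive control, is not material and the business-associate risk is in a compliant 45-day Monitor window.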
Assessing and Mitigating Risk
Annual risk assessment
▪ Enterprise-oriented
Privacy impact assessment (PIA) – (Privacy/Security-by-Design)
▪ Work with CPO/CISO to define requirements for new / enhanced resources and implement and test prior to rollout
▪ e.g., agile teams, product development, etc.
▪ Executives should assign owners to resources within their organizational control (or by default become the owner)
▪ Resources – products/services, processes, applications, internal / external systems, technologies, service providers/partners
▪ Resource Owners are responsible for ensuring RBAC design (now and in the future), authorizing RBAC rights, and periodically reviewing RBAC rights for accuracy
▪ Resource Custodians are responsible for Privacy/Security-by-Design implementation of assigned resources
3 Important Risk Mitigation Activities
▪ Thin / zero client / virtual desktop infrastructure (VDI) to access PII
▪ Segment network vs. flat network
▪ Encryption by default
─ mobile devices, e.g. laptops, USBs, cell phones, etc.
─ desktops when individuals have RBAC rights to PII
─ servers
─ backups
Summary of key points
✓ Compelling business case for Privacy, yet many compliant organizations continue to suffer breaches
✓ No absolute privacy – Compliance is not enough
✓ Breaches are inevitable despite reasonable efforts – must assume resulting investigation(s) and lawsuits
✓ Be prepared – to fulfill requested documents and legally defend your actions / inactions to regulator(s) and plaintiff attorney, judge or jury
✓ Achieving a legally defensible posture better protects an organization and its patients
✓ ERM establishes a legally defensible system by creating accountability for risk and making informed decisions within a company’s risk tolerance
Next Steps…
First step – have a Gap Assessment done by an independent firm (under attorney-client privilege)
▪ Create data flow, inventory, and locations map
▪ Conduct controls evaluation of your current program against applicable regulations and standards
▪ Perform risk assessment
▪ Provide report of findings and prioritized roadmap for you to establish or strengthen your program
▪ Areas of focus include HIPAA, NIST Cybersecurity Framework, SEC Cybersecurity Alert, Big Data, cloud strategies, mobile, etc…
Second step – Implementation
▪ Assist with custom implementation of the first-step recommendations, including policies and procedures; an effective transfer of knowledge and all our tools are provided to enable you to establish a Privacy and Security Program that is sustainable and legally defensible.
But the cyber security gap is growing
You must assume you will be breached, and thus investigated and sued
Life changing impact on compromised individuals
When customers are compromised, so is the business
PHI / PII Identifiers | Theft Category | Useful For/To
Employee PHI/PII | Employee data, emails | E.g., Sony’s breach consequences
Name, address, phone #s, email addresses | Basic personal identification data | Spamming, data mining, profiling, appending to re-identify
DOB, SSN, driver’s license | Non-public identifiers | Commit all kinds of ID theft
User ID, password, security questions | Logon credentials | Access to all kinds of PHI/PII
Payment card, bank account | Financial data | Financial fraud, billing scams, theft
Medical Insurer ID # | Insurance data | Obtain medical goods, services & prescriptions; billing fraud & medical record compromise (could harm/kill)
Blood type, allergies, symptoms, conditions, prescriptions | Health data | Support medical ID theft (see above)
Request for/receipt of genetic test, sample, markers, predispositions | Genetic data | Discrimination (life/disability/long-term insurance), reputation risks
Risk-based privacy practices
Embed ERM into daily decision-making for legal defensibility
Principle | Explained | Examples / Comments
Legal Defensibility | Compliance is not adequate privacy / security; however, there is no absolute privacy / security – more on this in a moment | Understand common root causes of breaches (VB DBIR – Top 20 CSC)
Risk Governance Model | Institutionalize accountability and clear roles and responsibilities | Governance Committee, Privacy and Security Officials, clear roles and responsibilities
Data Flow, Locations and Inventory Mapping | Document end-to-end privacy data flows and locations (resources) and identify highest data sensitivity – informs risk assessment | Document owner, swim lane process owners, resource owners, resource custodians
Data Sensitivity Drives a Risk-Based Approach | Determine strength of controls based on data sensitivity levels: highly sensitive, sensitive, slightly sensitive, not sensitive | Pre-contract due diligence and periodic monitoring of service providers, roles-based access controls
Privacy/Security-by-Design | Embed risk assessments in daily decision-making (not just annually); use privacy impact analysis in the SDLC | FTC / Dep’t of Commerce argued for this vs. more prescriptive EU regulations (self-regulatory – be responsible)
Overarching Risk Prevention Strategies | Establish key strategies that mitigate risk | Thin client to access PII (solves many risks), isolate PII to a separate network, encryption by default
Event vs. Incident vs. Breach – definitions
1. EVENT
Policy: Observable privacy / infosec issue, e.g., a violation of policy, that must be reported to an InfoSec Team member
▪ E.g., unencrypted USB drive, or no password-enabled screensaver
2. INCIDENT
Policy: Attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system
▪ E.g., attempted insider theft or external hacking
3. Reportable BREACH
HIPAA: Acquisition, access, use, or disclosure of unsecured PHI not permitted by the Privacy Rule which compromises the security or privacy of PHI – based on 4 risk factors
▪ E.g., confirmation that PHI of patients / workforce members has been compromised
CA law: Unauthorized access, use or disclosure of PHI [Confidentiality of Medical Information Act (CMIA)]
▪ E.g., peeking at a medical record / report of a celebrity, politician, friend, relative, neighbor, etc.
Other state laws have no unsecured requirement
▪ Every event must be reported to the CPO/InfoSec Team regardless of whether this leads to a breach
▪ Verizon Business DBIR finds that those who violate policies increase the organization’s breach risk
▪ Policy violators must face sanctions (company’s progressive disciplinary measures)
U.S. Sentencing Guidelines for Effective Compliance Programs
For remedying harm from criminal conduct, and an effective compliance and ethics program
Seven criteria used by state AGs and regulatory authorities to determine corporate culpability and impose appropriate sanctions
1. Designate a privacy/security official for day-to-day compliance and clearly define roles and responsibilities for personnel, management and executive governance committee
2. Establish written, comprehensive policies, procedures and standards to prevent and detect criminal conduct / unacceptable behavior and promote a culture of compliance
3. Conduct on-boarding and annual training and continual education – communicate company standards/procedures to officers, employees, and agents as appropriate
4. Develop open lines of communication for reporting security incidents and other compliance issues, which should include providing an anonymous hotline and conducting exit interviews to uncover unreported issues
5. Monitor and self-audit by regularly conducting risk assessments and control assessments, reporting program effectiveness to the executive governance committee, and continually updating and improving the program
6. Respond appropriately to incidents and take steps to prevent recurrence, including investigation, mitigation plans, and, as appropriate, breach notification
7. Ensure consistent enforcement and discipline of violations of well-publicized policies to demonstrate program credibility and integrity, commitment to compliance, and prevent recurrence
Regulators refer to this as a “culture of compliance”
Center for Internet Security’s Top 20 Critical Security Controls for Effective Cyber Defense
Strengthens the 19 year old HIPAA Security Rule with a well vetted “Standard of Care”
Originally developed by the Consortium for Cyber Action, which includes government agencies and private organizations, such as SANS, Verizon Business, American Express, Booz Allen Hamilton, Center for Internet Security, Core Security, Department of Defense Cyber Crime Center, Defense Information Systems Agency, Goldman Sachs, McAfee, nCircle, Qualys, Tenable, Australian Government – Innovations, Citibank, Centre for the Protection of National Infrastructure, Department of Homeland Security, Department of Defense, Mandiant, Mitre, National Security Agency, Symantec, and others.
Tier 1. VERY HIGH
▪ Inventory of Authorized & Unauthorized Devices (1)
▪ Inventory of Authorized & Unauthorized Software (1)
▪ Secure Configurations for Hardware & Software on Mobile Devices, Laptops, Workstations, & Servers (1a.)
▪ Continuous Vulnerability Assessment & Remediation (1a.)
Tier 2. HIGH
▪ Application Software Security
▪ Wireless Device Control
Tier 3. HIGH / Medium
▪ Malware Defenses
▪ Security Configurations for Network Devices, e.g. Firewalls, Routers, & Switches
▪ Limitation & Control of Network Ports, Protocols, & Services
▪ Controlled Use of Administrative Privileges
▪ Boundary Defense
Tier 4. Medium
▪ Data Recovery Capability
▪ Security Skills Assessment & Appropriate Training to Fill Gaps
▪ Maintenance, Monitoring, & Analysis of Audit Logs
▪ Controlled Access Based on Need to Know
▪ Account Monitoring & Control
▪ Incident Response & Management
Tier 5. Medium / Low
▪ Data Loss Prevention
Tier 6. Low
▪ Secure Network Engineering
▪ Penetration Tests & Red Team Exercises
Tiers are based on assessment by NSA alone. All are considered important controls. The tiers may help with prioritization of efforts.
1st 5 Quick Wins: application white-listing; using common, secure configurations; patch application software w/in 48 hrs; patch systems software w/in 48 hrs; reduce # of users w/ administrative privileges.
Verizon Business no longer includes a list of remediation recommendations to its common root cause findings in its annual Data Breach Investigations Report and instead refers to the Top SANS 20 CSCs.