Presentation delivered by FRSecure president, Evan Francen to the 100+ Iowa CPSI User Group attendees on October 18th, 2011.
Meaningful Use Core Requirement "Security Risk Analysis"
Meaningful Use and Security Risk Analysis
1. Meaningful Use and Security Risk Analysis
Iowa CPSI User Group – October 18th, 2011
Presented by Evan Francen, President – FRSecure, LLC
2. Introduction
Speaker – Evan Francen, CISSP CISM CCSK
• President & Co-founder of FRSecure
• 20 years of information security experience
• Security evangelist with more than 700 published articles
• Experience with 150+ public & private organizations.
3. Introduction
Topics
• Healthcare Regulation
• Meaningful Use Requirements
• Measure 14 of 14 – Protect Health Information
• “Conduct or review a security risk analysis” Fundamental Concepts
• Security Risk Analysis Best Practices
• Security Risk Analysis Common Mistakes
4. Healthcare Regulation
In General:
Health care regulation has gotten more officious and granular.
With respect to security and privacy, HIPAA has always been aimed at
protecting sensitive health information. HIPAA has been ineffective in this
regard due to lack of focus and confusion.
“Navigating the Meaningful Use and Standards and Certification Criteria
Final Rules can sometimes be a challenge.” –
Source: U.S. Department of Health & Human Services
(http://healthit.hhs.gov/portal/server.pt?open=512&mode=2&objID=3584)
5. Meaningful Use Requirements
Meaningful use of health information technology is an umbrella term for rules
and regulations that hospitals and physicians must meet to qualify for federal
incentive funding under the American Recovery and Reinvestment Act of 2009
(ARRA).
But you already knew this…
Eligible Hospital and CAH Meaningful Use –
(14) Core and (10) Menu Set Objectives
6. Measure 14 of 14 - Protect Electronic Health Information
Objective: Protect electronic health information created or maintained by the
certified EHR technology through the implementation of appropriate technical
capabilities.
Measure: Conduct or review a security risk analysis in accordance with the
requirements under 45 CFR 164.308(a)(1) and implement security updates as
necessary and correct identified security deficiencies as part of its risk
management process.
Measure 14 of 14 is NOT A NEW REQUIREMENT!
The Final Rule on Security Standards was issued on February 20, 2003. It took effect on
April 21, 2003 with a compliance date of April 21, 2005 for most covered entities and
April 21, 2006 for "small plans".
7. Measure 14 of 14 - Protect Electronic Health Information
45 CFR Section 164.308(a)(1)(ii)(A) of the HIPAA Security Rule requires that
the organization "Conduct an accurate and thorough assessment of the
potential risks and vulnerabilities to the confidentiality, integrity and
availability of electronic protected health information [ePHI] held by the
covered entity.”
45 CFR Section 164.308(a)(1)(ii)(B) requires an organization to “implement
security measures sufficient to reduce risks and vulnerabilities to a reasonable
and appropriate level to comply with 45 CFR 164.306(a)”, which is the General
Requirements section of the Security Rule.
8. “Conduct or review a security risk analysis”
Fundamental Concepts
What is “security”?
(question for you)
9. “Conduct or review a security risk analysis”
Fundamental Concepts
Information Security is:
The application of Administrative, Physical and Technical controls in an effort to
protect the Confidentiality, Integrity, and Availability of Information.
Controls:
• Administrative – Policies, procedures, processes
• Physical – Locks, cameras, alarm systems
• Technical – Firewalls, anti-virus software, permissions
Protect:
• Confidentiality – Disclosure only to authorized entities
• Integrity – Accuracy and completeness
• Availability – Accessible when required and authorized
10. “Conduct or review a security risk analysis”
Fundamental Concepts
What is “risk”?
11. “Conduct or review a security risk analysis”
Fundamental Concepts
Risk is a function of two criteria:
1. The likelihood of a threat exploiting a vulnerability, and
2. The resulting impact it would have on the organization.
Threat - These are things that can go wrong or that can 'attack' the system.
Examples might include fire or fraud. Threats are ever present for every
system.
Vulnerability – A weakness in a system or gap in a control
Risk = Likelihood x Impact
12. “Conduct or review a security risk analysis”
Fundamental Concepts
A “security risk analysis” is the process of identifying,
prioritizing, and estimating information security risks.
Risks (likelihood & impact) of unauthorized:
• Disclosure
• Alteration (or modification), and/or;
• Destruction
of information under the custodial care of an organization.
13. “Conduct or review a security risk analysis”
Fundamental Concepts
Types of risk analysis:
Quantitative Risk Analysis
• Uses hard metrics, such as dollars.
• Objective
• Difficult
• Costly
Qualitative Risk Analysis
• Uses best estimates based on experience
• Subjective
• Less Difficult
• Less Expensive
Gap Analysis
14. “Conduct or review a security risk analysis”
Best Practices
“The Security Rule does not prescribe a specific
risk analysis methodology” -
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/radraftguidance.pdf
A “methodology” is nothing more than a way of doing
something.
15. “Conduct or review a security risk analysis”
Best Practices
For organizations with an informal risk
management program, an ideal approach may be
a qualitative gap risk analysis.
Qualitative – Subjective, best-effort criteria and metrics
assigned based upon experience and knowledge.
Gap – Assess the risks inherent in gaps with a chosen
information security framework.
16. “Conduct or review a security risk analysis”
Qualitative Gap Risk Analysis
1. Choose a well-known information security framework
• ISO 27002 (17799:2005)
• NIST
• COBIT
The information security framework is a reference to/from
which you will manage your information security efforts.
17. “Conduct or review a security risk analysis”
Qualitative Gap Risk Analysis
2. Compare your existing information security
controls against the information security
framework you have chosen.
Example:
Control 5.1.2 in the ISO 27002 standard states:
“The information security policy should be reviewed at planned intervals or if
significant changes occur to ensure its continuing suitability, adequacy, and
effectiveness.”
Questions:
Does your organization review information security policy at planned intervals?
18. “Conduct or review a security risk analysis”
Qualitative Gap Risk Analysis
3. Where there are gaps, assign best-effort metrics,
based on experience (qualitative).
Example:
In the previous example, let’s assume that the answer is “Yes”, but the requirement to
review information security policies has not been documented.
Metrics:
Likelihood that the lack of documentation will lead to a compromise, on a scale of 1–5
(5 being most likely) – 2
Impact that a potential compromise would have on the organization, on a scale of 1–5
(5 being most impactful/catastrophic) – 2
19. “Conduct or review a security risk analysis”
Qualitative Gap Risk Analysis
4. Assign risk “rating” based upon the metrics (use a
risk matrix).
20. “Conduct or review a security risk analysis”
Qualitative Gap Risk Analysis
5. Define and document risk decision criteria.
When confronted with a risk, you have four choices:
• Risk Avoidance
• Risk Acceptance
• Risk Transference
• Risk Mitigation
What are the criteria for risk decision making?
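The five steps of the qualitative gap risk analysis carried through in code, as an added example that is not FRSecure's own tool: the 1–5 scales, Risk = Likelihood x Impact and the ISO 27002 5.1.2 example come from the slides; the rating bands of the risk matrix, the documented decision criteria and the two extra gaps (with their assumed ISO 27002:2005 control references and made-up metrics) are assumptions for illustration.

```python
from dataclasses import dataclass

# Assumed risk matrix: upper bound of Likelihood x Impact for each rating band.
RATING_BANDS = [(4, "Low"), (9, "Moderate"), (15, "High"), (25, "Critical")]
# Assumed documented decision criteria (step 5): one of the deck's four choices.
DECISION_CRITERIA = {"Low": "Risk Acceptance", "Moderate": "Risk Mitigation",
                     "High": "Risk Mitigation",
                     "Critical": "Risk Avoidance or Transference"}

@dataclass
class Gap:
    control: str     # framework control the organization was compared against (step 2)
    finding: str     # what is missing relative to that control
    likelihood: int  # 1-5, 5 = most likely to lead to a compromise (step 3)
    impact: int      # 1-5, 5 = most impactful/catastrophic (step 3)

def risk_score(likelihood: int, impact: int) -> int:
    """Risk = Likelihood x Impact on the deck's 1-5 scales; reject off-scale input."""
    for v in (likelihood, impact):
        if not 1 <= v <= 5:
            raise ValueError(f"metric {v} is outside the 1-5 scale")
    return likelihood * impact

def risk_rating(score: int) -> str:
    """Look the score up in the (assumed) risk matrix bands (step 4)."""
    return next(label for upper, label in RATING_BANDS if score <= upper)

def analyze(gaps: list) -> list:
    """Score, rate and decide every gap; highest risk first (prioritizing)."""
    rows = []
    for g in gaps:
        score = risk_score(g.likelihood, g.impact)
        rating = risk_rating(score)
        rows.append({"control": g.control, "finding": g.finding, "score": score,
                     "rating": rating, "decision": DECISION_CRITERIA[rating]})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed gap register: the deck's 5.1.2 example (2 x 2) plus two gaps taken
# from the "often overlooked" slide; their control numbers and metrics are assumed.
SAMPLE_GAPS = [
    Gap("ISO 27002 5.1.2", "policy review interval not documented", 2, 2),
    Gap("ISO 27002 7.1.1", "asset inventory incomplete and informal", 4, 3),
    Gap("ISO 27002 12.6.1", "vulnerability scans not run regularly", 3, 4),
]

if __name__ == "__main__":
    for r in analyze(SAMPLE_GAPS):
        print(f"{r['control']:<18} {r['score']:>2} {r['rating']:<9} {r['decision']}")
```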
21. Keep in mind…
A risk analysis is an integral part of an organization’s overall
risk management program.
Some “security risk analysis” best practices:
• The risk analysis methodology should be documented.
• The risk analysis methodology should be repeatable.
• The risk analysis methodology should be auditable
• Internal risk analyses should be conducted no less than
annually.
• Independent risk analyses should be conducted periodically.
22. Common Mistakes
When conducting a security risk analysis:
• Scope is too narrow
• Too technically focused – People are the most significant risk
• Convenience shouldn’t always trump security
• Lack of documentation
• Assessment is only done once
• Lack of management buy-in or involvement
23. Common Mistakes
Common risks that are often overlooked:
• Physical risks
• Policies are hard to understand and follow
• Vendor risk management
• Inventory of assets is incomplete or informal
• Internal and external vulnerability scans are not regularly
conducted.
• Incident management
• Disaster recovery planning
• Poor training and awareness
24. About RK Dixon & FRSecure
RK Dixon is a market leader when it comes to copiers, printers, networks, and
pure drinking water systems. Our products and services allow customers to
streamline operations while reducing costs at the same time. We serve thousands
of companies, organizations, and government entities in Iowa, Illinois, and
Wisconsin. Visit us online at http://www.rkdixon.com.
FRSecure LLC is a full-service information security consulting company; dedicated
to information security education, awareness, application, and improvement.
FRSecure helps our clients understand, design, implement, and manage best-in-
class information security solutions; thereby achieving optimal value for every
information security dollar spent. Visit us online at http://www.frsecure.com.
RK Dixon and FRSecure have partnered to offer services throughout Iowa, Illinois,
and Wisconsin.
25. Questions?
You made it!
If you would like a copy of this presentation, please be sure to give me your business card.