Call Girls Hyderabad Just Call 8250077686 Top Class Call Girl Service Available
Risk Management Approach to Cyber Security
1. RISK
MANAGEMENT APPROACH
TO CYBER SECURITY:
WHAT YOU NEED TO KNOW
ERNEST STAATS MSIA, CISSP, CEH…
General Conference of SDA (South Pacific Division)
Security can no longer be outsourced to the security team. Instead, the security
team should be providing the resources and expertise to help others become as
security self-sufficient as possible.
2. LEGAL DISCLAIMER:
Nothing in this handout or presentation constitutes legal advice.
The information in this presentation was compiled from sources
believed to be reliable for informational purposes only. Any and
all information contained herein is not intended to constitute
legal advice. You should consult with your own attorneys when
developing programs and policies.
We do not guarantee the accuracy of this information or any
results and further assume no liability in connection with this
publication including any information, methods or safety
suggestions contained herein.
3. FEAR FACTOR – OR IS THIS REAL?
• 70% of the US population has been affected by
at least 1 data breach
• Total cost of data breaches and data theft to
date (2016) exceeds the GDP of Sweden ($450B)
• 99.9% of data breaches due to technology over 1
year old – patches are not being applied and
unsupported technology still in use
• 60% of all data losses occur within 5 minutes of the breach of
systems
• 80% of emails are spam; 56% of Internet-based email traffic is sent
by mailbots
• AVERAGE time between viewing the contaminated email and
clicking on the attachment is approximately 2 seconds
4. CYBER RISK – THE “INTERNET OF THINGS”
• Wearable and other connected devices allow detailed tracking
of location.
• Trading security for convenience
• Open Table, Lyft, Waze, Netflix, Amazon
• Average adult spends 2.5 hours daily on a smartphone
doing something other than talking
• Average teenager spends 27 hours daily on a
smartphone
• Most wearable device makers do NOT have a security
plan for data exchange
5. GROWTH OF THE ATTACK SURFACE
• 23 billion devices (estimated) are connected to the Internet as
of 2018
• By 2025, that number is expected to grow to 75 billion
• Industrial application risks have grown – from 10 vulnerabilities
in 2010 to an average of 100 by 2013
• Power grid, hydroelectric dams, etc.
• 7 out of 10 domestic devices have vulnerabilities that can be
exploited (HP survey)
• Door locks, thermostats, smart TVs, Internet security systems
6. CYBER RISK – HEALTH CARE AS A TARGET
• Healthcare environment has unique risks because of patient
care –need for 24/7 accessibility, integrity of data for diagnosis
and treatment
• November 2015 – 7 vulnerable device types, including drug
infusion pumps, Bluetooth – enabled defibrillators, blood
refrigeration units, and CT scanners
• Hollywood Presbyterian information systems held hostage for
$3.6 million
• Merge Hemo tool shut down because operating software was
incompatible with malware search engine
• If any of these devices transmit PHI to your EHR, they should
7. RETHINK HOW WE APPROACH
CYBERSECURITY
• Check List Compliance & Security Doesn't Work
• It doesn’t meet OCR Phase 2 audits
• Attacks are cross departmental
• Can not protect what you do no know (DATA MAP- Where is
PHI?)
• Without Active Ownership and Management Cyber Security is a
joke
• Without a comprehensive Plan it becomes incomprehensible
• If not Corporate Culture -- it inculcates company to true Cyber
8. IMPLEMENTING A
RISK-BASED
SECURITY MINDSET
• Examine how information flows,
rather than controlling the flow
of information (Cradle to the
Grave) - Varonis
• Accept limitations of technology
and become PEOPLE CENTRIC
• Do not rely on perfect
protection; invest in continuous
monitoring, detection, and
response
9. DETERMINE HOW INFORMATION FLOWS
• Data needs to be readily accessible
• Employees, partners, suppliers, customers
• IT departments do not own all
infrastructure
• Data is moving to 3rd party cloud
applications/services
• Focus on threat vectors
• Accurate inventory
• Proper authentication and security
10. DEFINE ENTERPRISE RISK MANAGEMENT
(ERM)
• It is the process of planning, organizing, leading, and
controlling the activities of an organization in order to
minimize the effects of risk on an organization's capital and
earnings.
• What is its purpose?
• To cover more than just Electronic Medical Records Risk
• To be a method for management to focus on business solutions as it
treats risk strategically and operationally. Business disruption is a risk
that is important to our clients and to our organizations.
11. ENTERPRISE RISK MANAGEMENT SHOULD…
• Be enterprise wide
• Include a Risk analysis policy that has specific details (e.g.,
who will perform, who will receive results, how often will it be
updated)
• Include a Risk management policy that has specific details (e.g.,
what is an acceptable level of risk, who has what responsibility,
etc.)
• Include a Risk management plan that has been tied to a specific
risk analysis.
12. WHO TO INCLUDE IN THE INTERVIEWS
• IT Leadership
• Application owner
• Application
administration
• Network administration
• Server administration
• Facilities
administration
Security Officer
Privacy Officer
Health Information
Management (Medial
Records)
Compliance Officer
Have multiple people in the interview at once so they can learn what each
other is doing.
13. BENEFITS OF AN ERM
• Support the achievement of strategic objectives
• Enhance institutional decision-making
• Create a “risk-aware” culture across the organization
• Reduce operational surprises and losses
• Be ready to act on acceptable opportunities
• Assure greater business continuity
• Improve use of capital by aligning resources with strategic objectives
• Bridge departmental silos while drawing on the expertise of highly
skilled individual managers
Observe:
Identify Risk
Orient:
Categorize &
Prioritize
Decide:
Select &
Implement
Controls
Act:
Manage,
Assess, &
Monitor
14. FACTORS THAT CAN CAUSE FAILURE
Complexity
(Overlapping Solutions)
Focus on Technology
(Bright Shiny Object Disease)
Lack of Understanding of Risk
(Fear vs Reality)
Lack of Cyber Security Staff
15. WHAT CAN CAUSE AN AUDIT FINDING?
• Generic checklists do not constitute risk management
• Incomplete or inaccurate assessments
• Organizations did not understand and assess the scope of the
proliferation of PHI
• Active and ongoing management of risks not handled
• Implementation of controls not tied back to risk analysis
• Failure to meet reasonable and addressable requirements
including encryption
• Assessment not frequent or routine (I suggest annual)
• Source: OCR Presentation, Update on Audits of Entity Compliance with the HIPAA Rules, September
2017
16. STRATEGIES TO MITIGATE RISK
• Use remote connectivity only with known or trusted devices
• Limit BYOD
• Police off-the-shelf device connections to networks
• Block tracking cookies whenever possible
• Limit employee access to social media and external email
• Train, train, train – teach employees about the dangers of
phishing
• Audit, audit, audit
• Update your own devices and software to most current versions
17. BUILD AN ACHIEVABLE ERM
NIST: https://www.nist.gov/cybersecurity-
framework
Information Security Risk Management SP
800-39
https://csrc.nist.gov/publications/detail/s
p/800-39/final
HITRUST:
https://hitrustalliance.net/hitrust-csf/
Critical Security Control List –SANS Top 20
The SANS first 5 of the 20 controls will give
18. SELF ASSESSMENT
4%
96%
Has your organization implemented scanning tools (active & passive) to identify all the devices attached to the network?
Has your organization implemented a Network Access Control (NAC) solution, which requires certificates, to authenticate devices before they can connect to the network?
Has your organization implemented scanning tools to identify all software applications installed in the organization?
Has your organization implemented a software whitelisting tool that only allows authorized software program to execute on the organization's systems?
Has your organization implemented scanning tools to identify any mis-configured security settings on systems in the organization?
Has your organization implemented a security setting configuration enforcement system on the organization's systems?
Has your organization implemented scanning tools to identify any software vulnerabilities on systems in the organization?
Has your organization implemented an automated patch management system to continuously update the organization's systems?
Risk Accepted:
Risk Addressed:
Select one of the Following:
Critical Security Controls Executive Assessment Tool (v6.1a)
Implemented on Some Systems
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
Select one of the Following:
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Select one of the Following:
Select one of the Following:
Critical Control #3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Select one of the Following:
Select one of the Following:
Critical Security Control #4: Continuous Vulnerability Assessment and Remediation
Select one of the Following:
Accepted vs Addressed Risk
https://www.auditscripts.com/wp-
content/uploads/mgm/downloads/82185300.xlsx
https://www.auditscripts.com/wp-
content/uploads/mgm/downloads/82185300.xlsx
19. HOW ERM CAN INCREASE PATIENT CARE
• Trust is a factor of care
• Transparency and communication
• Staff will notice when you invest in them.
• Make it useful for more than just work
• Simon Sinek’s thoughts on why we need to care for our medical staff
https://youtu.be/THjoqO-POao
• Word will spread
21. THE HEALTH CARE INDUSTRY
CYBERSECURITY (HCIC) TASK FORCE FINAL
REPORT JUNE 2, 2017
• Taskforce Imperative No. 4: Increase healthcare industry
readiness through improved cybersecurity awareness and
education
• “Cybersecurity can be an enabler for the healthcare industry,
supporting both its business and clinical objectives, as well as
facilitating the delivery of efficient, high-quality patient care.
However, this requires a holistic cybersecurity strategy.
Organizations that do not adopt a holistic strategy not only put
their data, organizations, and reputation at risk, but also—most
importantly—the welfare and safety of their patients.”
22. NEW PRIVACY FAMILY CONTROLS –
APPENDIX J TO NIST SP 800-53
REV4
Specific overlays for privacy can also be
considered to facilitate the tailoring of the
security control baselines with the requisite
privacy controls to ensure that both security
and privacy requirements can be satisfied by
organizations. Many of the security controls
provide the fundamental information
protection for confidentiality, integrity, and
availability within organizational information
systems and the environments in which those
systems operate—protection that is essential
23. NEW PRIVACY FAMILY CONTROLS –
APPENDIX J TO NIST SP 800-53 REV4
Accountability, Audit, and Risk Management
• AR-7 - The organization designs
information systems to support privacy by
automating privacy controls.
• To the extent feasible, when designing
organizational information systems, organizations
employ technologies and system capabilities that
automate privacy controls on the collection, use,
retention, and disclosure of personally identifiable
information (PII). By building privacy controls into
system design and development, organizations
mitigate privacy risks to PII, thereby reducing the
24. REFERENCES
• Frameworks
• NIST: https://www.nist.gov/cybersecurity-framework
• HITRUST: https://hitrustalliance.net/hitrust-csf/
• Risk Assessment
• NIST 800-30: https://csrc.nist.gov/publications/detail/sp/800-30/archive/2002-
07-01
• Critical Security Control List –SANS Top 20
• SANS: https://www.sans.org/critical-security-controls
• HITRUST Certification Criteria:
• https://hitrustalliance.net/documents/assurance/csf/CSFAssuranceProgramRequirem
ents.pdf
• Office for Civil Rights –Audit Program Guidance
Editor's Notes
Security can no longer be outsourced to the security team. Instead, the security team should be providing the resources and expertise to help others become as security self-sufficient as possible.
Wearable and other connected devices allow detailed tracking of location.
Trading security for convenience
Open Table, Lyft, Waze, Netflix, Amazon
Average adult spends 2.5 hours daily on a smartphone doing something other than talking
Average teenager spends 27 hours daily on a smartphone
Most wearable device makers do NOT have a security plan for data exchange
++++++++++++++++++++++++++++++++++++++++++++++++
The popularity and increased capabilities of wearable and other connected devices allow detailed tracking of location, Web browsing habits, application usage, etc.
Trading security for convenience
Open Table, Lyft, Waze, Netflix, Amazon
Average adult spends 2.5 hours daily on a smartphone doing something other than talking
Average teenager spends 27 hours daily on a smartphone
Most wearable device makers do NOT have a security plan for data exchange, and the FDA isn’t making them
Gartner Says 8.4 Billion Connected "Things" Will Be in Use in 2017 .
https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/
23 billion devices (estimated) are connected to the Internet as of 2018
By 2025, that number is expected to grow to 75 billion
Industrial application risks have grown – from 10 vulnerabilities in 2010 to an average of 100 by 2013
Power grid, hydroelectric dams, etc.
7 out of 10 domestic devices have vulnerabilities that can be exploited (HP survey)
Door locks, thermostats, smart TVs, Internet security systems
Healthcare environment has unique risks because of patient care –need for 24/7 accessibility, integrity of data for diagnosis and treatment
November 2015 Wired.com survey – 7 vulnerable device types, including drug infusion pumps, Bluetooth – enabled defibrillators, blood refrigeration units, and CT scanners
Hollywood Presbyterian information systems held hostage in February 2016 for $3.6 million in Bitcoin
February 2016 – Merge Hemo (Merge Hemo (formerly named HeartSuite Hemodynamics) monitors, measures, and records physiologic) tool shut down because operating software was incompatible with malware search engine
If any of these devices transmit PHI to your EHR, they should have been included in your HIPAA security risk assessment
Check List Compliance & Security Doesn't Work
It doesn’t meet OCR Phase 2 audits
IT puts the focus on the wrong areas and instead of dealing with the root security issue one ends up treating symptoms and the organization can still die from the Cyber exposure.
Attacks come cross departmental
Without Active Ownership and Management it gets lost
Without a comprehensive Plan it becomes incomprehensible
If not Corporate Culture -- it inculcates company to true Cyber Risk
Enterprise Governance
IT Governance
Security Governance
Security Program
Source: ITGI, 2007, p. 3
Principles for Implementing A Risk-base Security Mindset
https://www.varonis.com/
Invest in awareness training
Stress personal accountability address outliers
Overly restrictive policies are often not followed.
Implement centralized visibility across on-premises and cloud data
ERM both expands and elevates the risk management focus to consider the potential impact of all types of risks (strategic, human capital, compliance, financial, and operational issues, in addition to safety, hazard-related, and legal liability exposures) across the entire organization and examines risks in the context of strategic objectives.
ERM both expands and elevates the risk management focus to consider the potential impact of all types of risks (strategic, human capital, compliance, financial, and operational issues, in addition to safety, hazard-related, and legal liability exposures) across the entire organization and examines risks in the context
ERM includes identifying, assessing, deciding on responses to, and reporting on strategic, human capital, compliance, operational, financial, and hazard-related exposures. These exposures include both "risks" that might hinder UVM's attainment of its strategic goals, and "opportunities" that could help the University achieve its strategic goals.
Security can no longer be outsourced to the security team. Instead, the security team should be providing the resources and expertise to help others become as security self-sufficient as possible.
Risk analysis must be enterprise wide (not limited to electronic medical record).
Risk analysis policy should have specific details (e.g., who will perform, who will receive results, how often will it be updated).
Risk management policy should be specific to HIPAA.
Risk management policy should have specific details (e.g., what is an acceptable level of risk, who has what responsibility, etc.)
Risk management plan should be tied to specific risk analysis.
Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:
Providing strategic direction
Ensuring that objectives are achieved
Ascertaining that risks are managed appropriately
Verifying that the enterprise’s resources are used responsibly
Have multiple people in the interview at once so they can learn what each other is doing.
A Risk Assessment should include interviews with the following personnel:
IT Leadership
Application owner
Application administration
Network administration
Server administration
Facilities administrationSecurity Officer
Privacy Officer
Health Information Management (Medial Records)
Compliance Officer
Risk assessments must include a review of the following:
Overall Policy and Procedure documentation
Organization charts
Training and awareness materials
Incident response procedures and related documentation
Security governance and metrics
Control process related documentation (e.g., access provisioning and de-provisioning related documentation)
http://www.uvm.edu/~erm/?Page=faqs.html
Security Risk Management is an on-going process
The organization must continue to update and manage the risk register
Risks will change and evolve
The organization will identify new risks as threats and the business evolves
Is Bright Shiny Object Disease Sabotaging Your Success? | Susan ...
https://www.linkedin.com/.../bright-shiny-object-disease-sabotaging-your-success-susa...
Apr 27, 2015 - When you are at work, anything and everything catches your attention, distracts you and keeps you from completion on the projects that really matter. Instead of focusing on the task at hand or a looming deadline, you could spend hours on the internet 'researching' information.
Is Bright Shiny Object Disease Sabotaging Your Success? | Susan ...
https://www.linkedin.com/.../bright-shiny-object-disease-sabotaging-your-success-susa...
Apr 27, 2015 - When you are at work, anything and everything catches your attention, distracts you and keeps you from completion on the projects that really matter. Instead of focusing on the task at hand or a looming deadline, you could spend hours on the internet 'researching' information.
Generic checklists do not constitute risk management
Incomplete or inaccurate assessments
Organizations did not understand and assess the scope of the proliferation of PHI
Active and ongoing management of risks not handled
Implementation of controls not tied back to risk analysis
Failure to meet reasonable and addressable requirements including encryption
Assessment not frequent or routine (i.e. annual)
Source: OCR Presentation, Update on Audits of Entity Compliance with the HIPAA Rules, September 2017
The reverse of the Benjamin Franklin quote: don’t trade security for liberty
Use remote connectivity only with known or trusted devices
Limit BYOD
Police off-the-shelf device connections to networks
Block tracking cookies whenever possible
Limit employee access to social media and external email sites on employer-owned tech that has access to employer data
Train, train, train – teach employees about the dangers of phishing
Audit, audit, audit
Update your own devices and software to most current versions – get rid of unsupported technology (change the locks if you can’t get new keys
Government Risk Management Standards –NIST Standards
Risk management is a comprehensive process that requires organizations to:
(i) frame risk
(ii) assess risk
(iii) respond to identified risk factors
(iv) monitor risk on an ongoing basis
(v) feedback loop for continuous improvement
NIST Special Publication 800-39 is the flagship document in the series of guidelines developed by NIST in response to FISMA.
The purpose is to provide guidance for a organization-wide program for managing information security risk.
In describing the framework, NIST states:
The framework helps an organization to better understand, manage and reduce its cybersecurity risk. It will assist in determining which activities are most important to assure critical operations and service delivery. In turn, that will help to prioritize investments and maximize the impact of each dollar spent on cybersecurity.
The framework outlines a rigorous seven-step process that results in an action plan to implement investments that will have the greatest positive impact on an organization's cybersecurity posture. And NIST did not develop the framework in a vacuum. It was crowdsourced with the support of more than 3,000 people from diverse parts of industry, academia and government.
Furthermore, the framework is not just about protecting systems and data. It also covers the cybersecurity life cycle, from identifying threats to implementing protections, and addresses how to detect, respond and recover from intrusions.
According to Gartner, more than 50 percent of U.S.-based organizations will use the NIST Cybersecurity Framework by 2020, up from 30 percent in 2015. Recently,
The second tool that can support organizations in their cybersecurity risk management efforts (and work in concert with the NIST framework) is the Center for Internet Security’s 20 Critical Controls. Those recommended actions provide specific and actionable ways to stop today’s most pervasive and dangerous cyberattacks.
The listings and descriptions are valuable in ensuring that an organization is investigating all appropriate controls and in communicating with non-technical executives.
Health Care Industry Cybersecurity Task Force Report: Analysis and Recommendations
http://www.himss.org/news/health-care-industry-cybersecurity-task-force-report-analysis-and-recommendations
Taskforce Imperative No. 1: Define and streamline leadership, governance, and expectations for healthcare industry cybersecurity.
The Taskforce recommends adoption of a standardized NIST Cybersecurity Framework. Specifically, Recommendation 1.2 calls for the establishment of a “consistent, consensus-based health care-specific Cybersecurity Framework” based on the NIST Cybersecurity Framework.
Taskforce Imperative No. 2: Increase the Security and Resilience of Medical Devices and Health IT.
The Taskforce noted that many providers still have legacy operating systems, legacy medical devices, and the like. However, these legacy systems and devices still need to be secured.
Taskforce Imperative No. 3 Develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities
The Taskforce identified the need for healthcare organizations to have a healthcare cybersecurity role that drives more robust cybersecurity policies, processes, and functions with clear engagement from executives (Recommendation 3.1).
Taskforce Imperative No. 4: Increase healthcare industry readiness through improved cybersecurity awareness and education
Cybersecurity can be an enabler for the healthcare industry, supporting both its business and clinical objectives, as well as facilitating the delivery of efficient, high-quality patient care.
However, this requires a holistic cybersecurity strategy.
Organizations that do not adopt a holistic strategy not only put their data, organizations, and reputation at risk, but also—most importantly—the welfare and safety of their patients.
Taskforce Imperative No. 6: Improve information sharing of industry threats, risks, and mitigations
The healthcare industry is no longer in an era where it can be “willfully blind” to the cyber threat. Everyone (including rural, small, medium, and large healthcare organizations) should have the opportunity to participate in information sharing of cyber threat, risk, and mitigation information.
The Taskforce also recommends that annual readiness exercises by the healthcare industry should be encouraged (Recommendation 6.3). The Taskforce notes that these exercises can be conducted regularly to test response plans and create and utilize a variety of relative incident scenarios. In these scenario-based attacks, the exercises should also include scenarios for regional, national, and global attacks.
Conclusion
Looking to the future, the Taskforce encouraged others in the healthcare industry to work on possible solutions. Among its recommendations for future work, the Taskforce recommended that a public-private forum should be established to further discussions of healthcare industry cybersecurity as the industry evolves.
[1] Section 405 of the Cybersecurity Act of 2015 was developed, in part, from the 2015 Congressional Ask #2: Support Healthcare's Efforts to Combat Cyber Threats.
Frameworks
NIST: https://www.nist.gov/cybersecurity-framework
HITRUST: https://hitrustalliance.net/hitrust-csf/
Risk Assessment
NIST 800-30: https://csrc.nist.gov/publications/detail/sp/800-30/archive/2002-07-01
Critical Security Control List –SANS Top 20
SANS: https://www.sans.org/critical-security-controls
HITRUST Certification Criteria: https://hitrustalliance.net/documents/assurance/csf/CSFAssuranceProgramRequirements.pdf
Office forCivil Rights –Audit Program Guidance
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html
Meditlogy Strengthening Your Risk Management Program: Lessons Learned from the OCR’s Phase 2 Audits
https://www.meditologyservices.com/webinar-playback-strengthening-your-risk-management-program-lessons-learned-from-the-ocrs-phase-2-a