Why we need to use a Risk Management Approach to Cyber Security.

1. RISK
MANAGEMENT APPROACH
TO CYBER SECURITY:
WHAT YOU NEED TO KNOW
ERNEST STAATS MSIA, CISSP, CEH…
General Conference of SDA (South Pacific Division)
Security can no longer be outsourced to the security team. Instead, the security
team should be providing the resources and expertise to help others become as
security self-sufficient as possible.

2. LEGAL DISCLAIMER:
Nothing in this handout or presentation constitutes legal advice.
The information in this presentation was compiled from sources
believed to be reliable for informational purposes only. Any and
all information contained herein is not intended to constitute
legal advice. You should consult with your own attorneys when
developing programs and policies.
We do not guarantee the accuracy of this information or any
results and further assume no liability in connection with this
publication including any information, methods or safety
suggestions contained herein.

3. FEAR FACTOR – OR IS THIS REAL?
• 70% of the US population has been affected by
at least 1 data breach
• Total cost of data breaches and data theft to
date (2016) exceeds the GDP of Sweden ($450B)
• 99.9% of data breaches due to technology over 1
year old – patches are not being applied and
unsupported technology still in use
• 60% of all data losses occur within 5 minutes of the breach of
systems
• 80% of emails are spam; 56% of Internet-based email traffic is sent
by mailbots
• AVERAGE time between viewing the contaminated email and
clicking on the attachment is approximately 2 seconds

4. CYBER RISK – THE “INTERNET OF THINGS”
• Wearable and other connected devices allow detailed tracking
of location.
• Trading security for convenience
• Open Table, Lyft, Waze, Netflix, Amazon
• Average adult spends 2.5 hours daily on a smartphone
doing something other than talking
• Average teenager spends 27 hours daily on a
smartphone
• Most wearable device makers do NOT have a security
plan for data exchange

5. GROWTH OF THE ATTACK SURFACE
• 23 billion devices (estimated) are connected to the Internet as
of 2018
• By 2025, that number is expected to grow to 75 billion
• Industrial application risks have grown – from 10 vulnerabilities
in 2010 to an average of 100 by 2013
• Power grid, hydroelectric dams, etc.
• 7 out of 10 domestic devices have vulnerabilities that can be
exploited (HP survey)
• Door locks, thermostats, smart TVs, Internet security systems

6. CYBER RISK – HEALTH CARE AS A TARGET
• Healthcare environment has unique risks because of patient
care –need for 24/7 accessibility, integrity of data for diagnosis
and treatment
• November 2015 – 7 vulnerable device types, including drug
infusion pumps, Bluetooth – enabled defibrillators, blood
refrigeration units, and CT scanners
• Hollywood Presbyterian information systems held hostage for
$3.6 million
• Merge Hemo tool shut down because operating software was
incompatible with malware search engine
• If any of these devices transmit PHI to your EHR, they should

7. RETHINK HOW WE APPROACH
CYBERSECURITY
• Check List Compliance & Security Doesn't Work
• It doesn’t meet OCR Phase 2 audits
• Attacks are cross departmental
• Can not protect what you do no know (DATA MAP- Where is
PHI?)
• Without Active Ownership and Management Cyber Security is a
joke
• Without a comprehensive Plan it becomes incomprehensible
• If not Corporate Culture -- it inculcates company to true Cyber

8. IMPLEMENTING A
RISK-BASED
SECURITY MINDSET
• Examine how information flows,
rather than controlling the flow
of information (Cradle to the
Grave) - Varonis
• Accept limitations of technology
and become PEOPLE CENTRIC
• Do not rely on perfect
protection; invest in continuous
monitoring, detection, and
response

9. DETERMINE HOW INFORMATION FLOWS
• Data needs to be readily accessible
• Employees, partners, suppliers, customers
• IT departments do not own all
infrastructure
• Data is moving to 3rd party cloud
applications/services
• Focus on threat vectors
• Accurate inventory
• Proper authentication and security

10. DEFINE ENTERPRISE RISK MANAGEMENT
(ERM)
• It is the process of planning, organizing, leading, and
controlling the activities of an organization in order to
minimize the effects of risk on an organization's capital and
earnings.
• What is its purpose?
• To cover more than just Electronic Medical Records Risk
• To be a method for management to focus on business solutions as it
treats risk strategically and operationally. Business disruption is a risk
that is important to our clients and to our organizations.

11. ENTERPRISE RISK MANAGEMENT SHOULD…
• Be enterprise wide
• Include a Risk analysis policy that has specific details (e.g.,
who will perform, who will receive results, how often will it be
updated)
• Include a Risk management policy that has specific details (e.g.,
what is an acceptable level of risk, who has what responsibility,
etc.)
• Include a Risk management plan that has been tied to a specific
risk analysis.

12. WHO TO INCLUDE IN THE INTERVIEWS
• IT Leadership
• Application owner
• Application
administration
• Network administration
• Server administration
• Facilities
administration
 Security Officer
 Privacy Officer
 Health Information
Management (Medial
Records)
 Compliance Officer
Have multiple people in the interview at once so they can learn what each
other is doing.

13. BENEFITS OF AN ERM
• Support the achievement of strategic objectives
• Enhance institutional decision-making
• Create a “risk-aware” culture across the organization
• Reduce operational surprises and losses
• Be ready to act on acceptable opportunities
• Assure greater business continuity
• Improve use of capital by aligning resources with strategic objectives
• Bridge departmental silos while drawing on the expertise of highly
skilled individual managers
Observe:
Identify Risk
Orient:
Categorize &
Prioritize
Decide:
Select &
Implement
Controls
Act:
Manage,
Assess, &
Monitor

14. FACTORS THAT CAN CAUSE FAILURE
Complexity
(Overlapping Solutions)
Focus on Technology
(Bright Shiny Object Disease)
Lack of Understanding of Risk
(Fear vs Reality)
Lack of Cyber Security Staff

15. WHAT CAN CAUSE AN AUDIT FINDING?
• Generic checklists do not constitute risk management
• Incomplete or inaccurate assessments
• Organizations did not understand and assess the scope of the
proliferation of PHI
• Active and ongoing management of risks not handled
• Implementation of controls not tied back to risk analysis
• Failure to meet reasonable and addressable requirements
including encryption
• Assessment not frequent or routine (I suggest annual)
• Source: OCR Presentation, Update on Audits of Entity Compliance with the HIPAA Rules, September
2017

16. STRATEGIES TO MITIGATE RISK
• Use remote connectivity only with known or trusted devices
• Limit BYOD
• Police off-the-shelf device connections to networks
• Block tracking cookies whenever possible
• Limit employee access to social media and external email
• Train, train, train – teach employees about the dangers of
phishing
• Audit, audit, audit
• Update your own devices and software to most current versions

17. BUILD AN ACHIEVABLE ERM
NIST: https://www.nist.gov/cybersecurity-
framework
Information Security Risk Management SP
800-39
https://csrc.nist.gov/publications/detail/s
p/800-39/final
HITRUST:
https://hitrustalliance.net/hitrust-csf/
Critical Security Control List –SANS Top 20
The SANS first 5 of the 20 controls will give

18. SELF ASSESSMENT
4%
96%
Has your organization implemented scanning tools (active & passive) to identify all the devices attached to the network?
Has your organization implemented a Network Access Control (NAC) solution, which requires certificates, to authenticate devices before they can connect to the network?
Has your organization implemented scanning tools to identify all software applications installed in the organization?
Has your organization implemented a software whitelisting tool that only allows authorized software program to execute on the organization's systems?
Has your organization implemented scanning tools to identify any mis-configured security settings on systems in the organization?
Has your organization implemented a security setting configuration enforcement system on the organization's systems?
Has your organization implemented scanning tools to identify any software vulnerabilities on systems in the organization?
Has your organization implemented an automated patch management system to continuously update the organization's systems?
Risk Accepted:
Risk Addressed:
Select one of the Following:
Critical Security Controls Executive Assessment Tool (v6.1a)
Implemented on Some Systems
Critical Security Control #1: Inventory of Authorized and Unauthorized Devices
Select one of the Following:
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Select one of the Following:
Select one of the Following:
Critical Control #3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Select one of the Following:
Select one of the Following:
Critical Security Control #4: Continuous Vulnerability Assessment and Remediation
Select one of the Following:
Accepted vs Addressed Risk
https://www.auditscripts.com/wp-
content/uploads/mgm/downloads/82185300.xlsx
https://www.auditscripts.com/wp-
content/uploads/mgm/downloads/82185300.xlsx

19. HOW ERM CAN INCREASE PATIENT CARE
• Trust is a factor of care
• Transparency and communication
• Staff will notice when you invest in them.
• Make it useful for more than just work
• Simon Sinek’s thoughts on why we need to care for our medical staff
https://youtu.be/THjoqO-POao
• Word will spread

20. QUESTIONS?

21. THE HEALTH CARE INDUSTRY
CYBERSECURITY (HCIC) TASK FORCE FINAL
REPORT JUNE 2, 2017
• Taskforce Imperative No. 4: Increase healthcare industry
readiness through improved cybersecurity awareness and
education
• “Cybersecurity can be an enabler for the healthcare industry,
supporting both its business and clinical objectives, as well as
facilitating the delivery of efficient, high-quality patient care.
However, this requires a holistic cybersecurity strategy.
Organizations that do not adopt a holistic strategy not only put
their data, organizations, and reputation at risk, but also—most
importantly—the welfare and safety of their patients.”

22. NEW PRIVACY FAMILY CONTROLS –
APPENDIX J TO NIST SP 800-53
REV4
Specific overlays for privacy can also be
considered to facilitate the tailoring of the
security control baselines with the requisite
privacy controls to ensure that both security
and privacy requirements can be satisfied by
organizations. Many of the security controls
provide the fundamental information
protection for confidentiality, integrity, and
availability within organizational information
systems and the environments in which those
systems operate—protection that is essential

23. NEW PRIVACY FAMILY CONTROLS –
APPENDIX J TO NIST SP 800-53 REV4
Accountability, Audit, and Risk Management
• AR-7 - The organization designs
information systems to support privacy by
automating privacy controls.
• To the extent feasible, when designing
organizational information systems, organizations
employ technologies and system capabilities that
automate privacy controls on the collection, use,
retention, and disclosure of personally identifiable
information (PII). By building privacy controls into
system design and development, organizations
mitigate privacy risks to PII, thereby reducing the

24. REFERENCES
• Frameworks
• NIST: https://www.nist.gov/cybersecurity-framework
• HITRUST: https://hitrustalliance.net/hitrust-csf/
• Risk Assessment
• NIST 800-30: https://csrc.nist.gov/publications/detail/sp/800-30/archive/2002-
07-01
• Critical Security Control List –SANS Top 20
• SANS: https://www.sans.org/critical-security-controls
• HITRUST Certification Criteria:
• https://hitrustalliance.net/documents/assurance/csf/CSFAssuranceProgramRequirem
ents.pdf
• Office for Civil Rights –Audit Program Guidance