Risk Management Approach to Cyber Security
Download as PPTX, PDF3 likes3,780 views
The document discusses implementing a risk management approach to cyber security. It emphasizes that security can no longer be outsourced and instead the security team should help others become more self-sufficient. It then discusses various cyber risks like the growing attack surface and risks to health care as a target. Finally, it discusses strategies to implement an enterprise risk management approach like determining how information flows and conducting risk analysis interviews.
Risk Management Approach to Cyber Security
- 1. RISK MANAGEMENT APPROACH TO CYBER SECURITY: WHAT YOU NEED TO KNOW ERNEST STAATS MSIA, CISSP, CEH… General Conference of SDA (South Pacific Division) Security can no longer be outsourced to the security team. Instead, the security team should be providing the resources and expertise to help others become as security self-sufficient as possible.
- 2. LEGAL DISCLAIMER: Nothing in this handout or presentation constitutes legal advice. The information in this presentation was compiled from sources believed to be reliable for informational purposes only. Any and all information contained herein is not intended to constitute legal advice. You should consult with your own attorneys when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication including any information, methods or safety suggestions contained herein.
- 3. FEAR FACTOR – OR IS THIS REAL? • 70% of the US population has been affected by at least 1 data breach • Total cost of data breaches and data theft to date (2016) exceeds the GDP of Sweden ($450B) • 99.9% of data breaches due to technology over 1 year old – patches are not being applied and unsupported technology still in use • 60% of all data losses occur within 5 minutes of the breach of systems • 80% of emails are spam; 56% of Internet-based email traffic is sent by mailbots • AVERAGE time between viewing the contaminated email and clicking on the attachment is approximately 2 seconds
- 4. CYBER RISK – THE “INTERNET OF THINGS” • Wearable and other connected devices allow detailed tracking of location. • Trading security for convenience • Open Table, Lyft, Waze, Netflix, Amazon • Average adult spends 2.5 hours daily on a smartphone doing something other than talking • Average teenager spends 27 hours daily on a smartphone • Most wearable device makers do NOT have a security plan for data exchange
- 5. GROWTH OF THE ATTACK SURFACE • 23 billion devices (estimated) are connected to the Internet as of 2018 • By 2025, that number is expected to grow to 75 billion • Industrial application risks have grown – from 10 vulnerabilities in 2010 to an average of 100 by 2013 • Power grid, hydroelectric dams, etc. • 7 out of 10 domestic devices have vulnerabilities that can be exploited (HP survey) • Door locks, thermostats, smart TVs, Internet security systems
- 6. CYBER RISK – HEALTH CARE AS A TARGET • Healthcare environment has unique risks because of patient care –need for 24/7 accessibility, integrity of data for diagnosis and treatment • November 2015 – 7 vulnerable device types, including drug infusion pumps, Bluetooth – enabled defibrillators, blood refrigeration units, and CT scanners • Hollywood Presbyterian information systems held hostage for $3.6 million • Merge Hemo tool shut down because operating software was incompatible with malware search engine • If any of these devices transmit PHI to your EHR, they should
- 7. RETHINK HOW WE APPROACH CYBERSECURITY • Check List Compliance & Security Doesn't Work • It doesn’t meet OCR Phase 2 audits • Attacks are cross departmental • Can not protect what you do no know (DATA MAP- Where is PHI?) • Without Active Ownership and Management Cyber Security is a joke • Without a comprehensive Plan it becomes incomprehensible • If not Corporate Culture -- it inculcates company to true Cyber
- 8. IMPLEMENTING A RISK-BASED SECURITY MINDSET • Examine how information flows, rather than controlling the flow of information (Cradle to the Grave) - Varonis • Accept limitations of technology and become PEOPLE CENTRIC • Do not rely on perfect protection; invest in continuous monitoring, detection, and response
- 9. DETERMINE HOW INFORMATION FLOWS • Data needs to be readily accessible • Employees, partners, suppliers, customers • IT departments do not own all infrastructure • Data is moving to 3rd party cloud applications/services • Focus on threat vectors • Accurate inventory • Proper authentication and security
- 10. DEFINE ENTERPRISE RISK MANAGEMENT (ERM) • It is the process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the effects of risk on an organization's capital and earnings. • What is its purpose? • To cover more than just Electronic Medical Records Risk • To be a method for management to focus on business solutions as it treats risk strategically and operationally. Business disruption is a risk that is important to our clients and to our organizations.
- 11. ENTERPRISE RISK MANAGEMENT SHOULD… • Be enterprise wide • Include a Risk analysis policy that has specific details (e.g., who will perform, who will receive results, how often will it be updated) • Include a Risk management policy that has specific details (e.g., what is an acceptable level of risk, who has what responsibility, etc.) • Include a Risk management plan that has been tied to a specific risk analysis.
- 12. WHO TO INCLUDE IN THE INTERVIEWS • IT Leadership • Application owner • Application administration • Network administration • Server administration • Facilities administration Security Officer Privacy Officer Health Information Management (Medial Records) Compliance Officer Have multiple people in the interview at once so they can learn what each other is doing.
- 13. BENEFITS OF AN ERM • Support the achievement of strategic objectives • Enhance institutional decision-making • Create a “risk-aware” culture across the organization • Reduce operational surprises and losses • Be ready to act on acceptable opportunities • Assure greater business continuity • Improve use of capital by aligning resources with strategic objectives • Bridge departmental silos while drawing on the expertise of highly skilled individual managers Observe: Identify Risk Orient: Categorize & Prioritize Decide: Select & Implement Controls Act: Manage, Assess, & Monitor
- 14. FACTORS THAT CAN CAUSE FAILURE Complexity (Overlapping Solutions) Focus on Technology (Bright Shiny Object Disease) Lack of Understanding of Risk (Fear vs Reality) Lack of Cyber Security Staff
- 15. WHAT CAN CAUSE AN AUDIT FINDING? • Generic checklists do not constitute risk management • Incomplete or inaccurate assessments • Organizations did not understand and assess the scope of the proliferation of PHI • Active and ongoing management of risks not handled • Implementation of controls not tied back to risk analysis • Failure to meet reasonable and addressable requirements including encryption • Assessment not frequent or routine (I suggest annual) • Source: OCR Presentation, Update on Audits of Entity Compliance with the HIPAA Rules, September 2017
- 16. STRATEGIES TO MITIGATE RISK • Use remote connectivity only with known or trusted devices • Limit BYOD • Police off-the-shelf device connections to networks • Block tracking cookies whenever possible • Limit employee access to social media and external email • Train, train, train – teach employees about the dangers of phishing • Audit, audit, audit • Update your own devices and software to most current versions
- 17. BUILD AN ACHIEVABLE ERM NIST: https://www.nist.gov/cybersecurity- framework Information Security Risk Management SP 800-39 https://csrc.nist.gov/publications/detail/s p/800-39/final HITRUST: https://hitrustalliance.net/hitrust-csf/ Critical Security Control List –SANS Top 20 The SANS first 5 of the 20 controls will give
- 18. SELF ASSESSMENT 4% 96% Has your organization implemented scanning tools (active & passive) to identify all the devices attached to the network? Has your organization implemented a Network Access Control (NAC) solution, which requires certificates, to authenticate devices before they can connect to the network? Has your organization implemented scanning tools to identify all software applications installed in the organization? Has your organization implemented a software whitelisting tool that only allows authorized software program to execute on the organization's systems? Has your organization implemented scanning tools to identify any mis-configured security settings on systems in the organization? Has your organization implemented a security setting configuration enforcement system on the organization's systems? Has your organization implemented scanning tools to identify any software vulnerabilities on systems in the organization? Has your organization implemented an automated patch management system to continuously update the organization's systems? Risk Accepted: Risk Addressed: Select one of the Following: Critical Security Controls Executive Assessment Tool (v6.1a) Implemented on Some Systems Critical Security Control #1: Inventory of Authorized and Unauthorized Devices Select one of the Following: Critical Security Control #2: Inventory of Authorized and Unauthorized Software Select one of the Following: Select one of the Following: Critical Control #3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers Select one of the Following: Select one of the Following: Critical Security Control #4: Continuous Vulnerability Assessment and Remediation Select one of the Following: Accepted vs Addressed Risk https://www.auditscripts.com/wp- content/uploads/mgm/downloads/82185300.xlsx https://www.auditscripts.com/wp- content/uploads/mgm/downloads/82185300.xlsx
- 19. HOW ERM CAN INCREASE PATIENT CARE • Trust is a factor of care • Transparency and communication • Staff will notice when you invest in them. • Make it useful for more than just work • Simon Sinek’s thoughts on why we need to care for our medical staff https://youtu.be/THjoqO-POao • Word will spread
- 20. QUESTIONS?
- 21. THE HEALTH CARE INDUSTRY CYBERSECURITY (HCIC) TASK FORCE FINAL REPORT JUNE 2, 2017 • Taskforce Imperative No. 4: Increase healthcare industry readiness through improved cybersecurity awareness and education • “Cybersecurity can be an enabler for the healthcare industry, supporting both its business and clinical objectives, as well as facilitating the delivery of efficient, high-quality patient care. However, this requires a holistic cybersecurity strategy. Organizations that do not adopt a holistic strategy not only put their data, organizations, and reputation at risk, but also—most importantly—the welfare and safety of their patients.”
- 22. NEW PRIVACY FAMILY CONTROLS – APPENDIX J TO NIST SP 800-53 REV4 Specific overlays for privacy can also be considered to facilitate the tailoring of the security control baselines with the requisite privacy controls to ensure that both security and privacy requirements can be satisfied by organizations. Many of the security controls provide the fundamental information protection for confidentiality, integrity, and availability within organizational information systems and the environments in which those systems operate—protection that is essential
- 23. NEW PRIVACY FAMILY CONTROLS – APPENDIX J TO NIST SP 800-53 REV4 Accountability, Audit, and Risk Management • AR-7 - The organization designs information systems to support privacy by automating privacy controls. • To the extent feasible, when designing organizational information systems, organizations employ technologies and system capabilities that automate privacy controls on the collection, use, retention, and disclosure of personally identifiable information (PII). By building privacy controls into system design and development, organizations mitigate privacy risks to PII, thereby reducing the
- 24. REFERENCES • Frameworks • NIST: https://www.nist.gov/cybersecurity-framework • HITRUST: https://hitrustalliance.net/hitrust-csf/ • Risk Assessment • NIST 800-30: https://csrc.nist.gov/publications/detail/sp/800-30/archive/2002- 07-01 • Critical Security Control List –SANS Top 20 • SANS: https://www.sans.org/critical-security-controls • HITRUST Certification Criteria: • https://hitrustalliance.net/documents/assurance/csf/CSFAssuranceProgramRequirem ents.pdf • Office for Civil Rights –Audit Program Guidance
Editor's Notes
- #2: Security can no longer be outsourced to the security team. Instead, the security team should be providing the resources and expertise to help others become as security self-sufficient as possible.
- #5: Wearable and other connected devices allow detailed tracking of location. Trading security for convenience Open Table, Lyft, Waze, Netflix, Amazon Average adult spends 2.5 hours daily on a smartphone doing something other than talking Average teenager spends 27 hours daily on a smartphone Most wearable device makers do NOT have a security plan for data exchange ++++++++++++++++++++++++++++++++++++++++++++++++ The popularity and increased capabilities of wearable and other connected devices allow detailed tracking of location, Web browsing habits, application usage, etc. Trading security for convenience Open Table, Lyft, Waze, Netflix, Amazon Average adult spends 2.5 hours daily on a smartphone doing something other than talking Average teenager spends 27 hours daily on a smartphone Most wearable device makers do NOT have a security plan for data exchange, and the FDA isn’t making them
- #6: Gartner Says 8.4 Billion Connected "Things" Will Be in Use in 2017 . https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/ 23 billion devices (estimated) are connected to the Internet as of 2018 By 2025, that number is expected to grow to 75 billion Industrial application risks have grown – from 10 vulnerabilities in 2010 to an average of 100 by 2013 Power grid, hydroelectric dams, etc. 7 out of 10 domestic devices have vulnerabilities that can be exploited (HP survey) Door locks, thermostats, smart TVs, Internet security systems
- #7: Healthcare environment has unique risks because of patient care –need for 24/7 accessibility, integrity of data for diagnosis and treatment November 2015 Wired.com survey – 7 vulnerable device types, including drug infusion pumps, Bluetooth – enabled defibrillators, blood refrigeration units, and CT scanners Hollywood Presbyterian information systems held hostage in February 2016 for $3.6 million in Bitcoin February 2016 – Merge Hemo (Merge Hemo (formerly named HeartSuite Hemodynamics) monitors, measures, and records physiologic) tool shut down because operating software was incompatible with malware search engine If any of these devices transmit PHI to your EHR, they should have been included in your HIPAA security risk assessment
- #8: Check List Compliance & Security Doesn't Work It doesn’t meet OCR Phase 2 audits IT puts the focus on the wrong areas and instead of dealing with the root security issue one ends up treating symptoms and the organization can still die from the Cyber exposure. Attacks come cross departmental Without Active Ownership and Management it gets lost Without a comprehensive Plan it becomes incomprehensible If not Corporate Culture -- it inculcates company to true Cyber Risk Enterprise Governance IT Governance Security Governance Security Program Source: ITGI, 2007, p. 3
- #9: Principles for Implementing A Risk-base Security Mindset https://www.varonis.com/ Invest in awareness training Stress personal accountability address outliers Overly restrictive policies are often not followed.
- #10: Implement centralized visibility across on-premises and cloud data
- #11: ERM both expands and elevates the risk management focus to consider the potential impact of all types of risks (strategic, human capital, compliance, financial, and operational issues, in addition to safety, hazard-related, and legal liability exposures) across the entire organization and examines risks in the context of strategic objectives. ERM both expands and elevates the risk management focus to consider the potential impact of all types of risks (strategic, human capital, compliance, financial, and operational issues, in addition to safety, hazard-related, and legal liability exposures) across the entire organization and examines risks in the context ERM includes identifying, assessing, deciding on responses to, and reporting on strategic, human capital, compliance, operational, financial, and hazard-related exposures. These exposures include both "risks" that might hinder UVM's attainment of its strategic goals, and "opportunities" that could help the University achieve its strategic goals. Security can no longer be outsourced to the security team. Instead, the security team should be providing the resources and expertise to help others become as security self-sufficient as possible.
- #12: Risk analysis must be enterprise wide (not limited to electronic medical record). Risk analysis policy should have specific details (e.g., who will perform, who will receive results, how often will it be updated). Risk management policy should be specific to HIPAA. Risk management policy should have specific details (e.g., what is an acceptable level of risk, who has what responsibility, etc.) Risk management plan should be tied to specific risk analysis. Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of: Providing strategic direction Ensuring that objectives are achieved Ascertaining that risks are managed appropriately Verifying that the enterprise’s resources are used responsibly
- #13: Have multiple people in the interview at once so they can learn what each other is doing. A Risk Assessment should include interviews with the following personnel: IT Leadership Application owner Application administration Network administration Server administration Facilities administration Security Officer Privacy Officer Health Information Management (Medial Records) Compliance Officer Risk assessments must include a review of the following: Overall Policy and Procedure documentation Organization charts Training and awareness materials Incident response procedures and related documentation Security governance and metrics Control process related documentation (e.g., access provisioning and de-provisioning related documentation)
- #14: http://www.uvm.edu/~erm/?Page=faqs.html Security Risk Management is an on-going process The organization must continue to update and manage the risk register Risks will change and evolve The organization will identify new risks as threats and the business evolves
- #15: Is Bright Shiny Object Disease Sabotaging Your Success? | Susan ... https://www.linkedin.com/.../bright-shiny-object-disease-sabotaging-your-success-susa... Apr 27, 2015 - When you are at work, anything and everything catches your attention, distracts you and keeps you from completion on the projects that really matter. Instead of focusing on the task at hand or a looming deadline, you could spend hours on the internet 'researching' information.
- #16: Is Bright Shiny Object Disease Sabotaging Your Success? | Susan ... https://www.linkedin.com/.../bright-shiny-object-disease-sabotaging-your-success-susa... Apr 27, 2015 - When you are at work, anything and everything catches your attention, distracts you and keeps you from completion on the projects that really matter. Instead of focusing on the task at hand or a looming deadline, you could spend hours on the internet 'researching' information. Generic checklists do not constitute risk management Incomplete or inaccurate assessments Organizations did not understand and assess the scope of the proliferation of PHI Active and ongoing management of risks not handled Implementation of controls not tied back to risk analysis Failure to meet reasonable and addressable requirements including encryption Assessment not frequent or routine (i.e. annual) Source: OCR Presentation, Update on Audits of Entity Compliance with the HIPAA Rules, September 2017
- #17: The reverse of the Benjamin Franklin quote: don’t trade security for liberty Use remote connectivity only with known or trusted devices Limit BYOD Police off-the-shelf device connections to networks Block tracking cookies whenever possible Limit employee access to social media and external email sites on employer-owned tech that has access to employer data Train, train, train – teach employees about the dangers of phishing Audit, audit, audit Update your own devices and software to most current versions – get rid of unsupported technology (change the locks if you can’t get new keys
- #18: Government Risk Management Standards –NIST Standards Risk management is a comprehensive process that requires organizations to: (i) frame risk (ii) assess risk (iii) respond to identified risk factors (iv) monitor risk on an ongoing basis (v) feedback loop for continuous improvement NIST Special Publication 800-39 is the flagship document in the series of guidelines developed by NIST in response to FISMA. The purpose is to provide guidance for a organization-wide program for managing information security risk. In describing the framework, NIST states: The framework helps an organization to better understand, manage and reduce its cybersecurity risk. It will assist in determining which activities are most important to assure critical operations and service delivery. In turn, that will help to prioritize investments and maximize the impact of each dollar spent on cybersecurity. The framework outlines a rigorous seven-step process that results in an action plan to implement investments that will have the greatest positive impact on an organization's cybersecurity posture. And NIST did not develop the framework in a vacuum. It was crowdsourced with the support of more than 3,000 people from diverse parts of industry, academia and government. Furthermore, the framework is not just about protecting systems and data. It also covers the cybersecurity life cycle, from identifying threats to implementing protections, and addresses how to detect, respond and recover from intrusions. According to Gartner, more than 50 percent of U.S.-based organizations will use the NIST Cybersecurity Framework by 2020, up from 30 percent in 2015. Recently, The second tool that can support organizations in their cybersecurity risk management efforts (and work in concert with the NIST framework) is the Center for Internet Security’s 20 Critical Controls. Those recommended actions provide specific and actionable ways to stop today’s most pervasive and dangerous cyberattacks. The listings and descriptions are valuable in ensuring that an organization is investigating all appropriate controls and in communicating with non-technical executives.
- #19: Critical Security Controls Initial Assessment Tool - AuditScripts.com https://www.auditscripts.com/wp-content/uploads/mgm/downloads/82185300.xlsx 20, ID, Category, Critical Security Control Detail, NIST Core Framework, Sensor or Baseline, Policy
- #22: Health Care Industry Cybersecurity Task Force Report: Analysis and Recommendations http://www.himss.org/news/health-care-industry-cybersecurity-task-force-report-analysis-and-recommendations Taskforce Imperative No. 1: Define and streamline leadership, governance, and expectations for healthcare industry cybersecurity. The Taskforce recommends adoption of a standardized NIST Cybersecurity Framework. Specifically, Recommendation 1.2 calls for the establishment of a “consistent, consensus-based health care-specific Cybersecurity Framework” based on the NIST Cybersecurity Framework. Taskforce Imperative No. 2: Increase the Security and Resilience of Medical Devices and Health IT. The Taskforce noted that many providers still have legacy operating systems, legacy medical devices, and the like. However, these legacy systems and devices still need to be secured. Taskforce Imperative No. 3 Develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities The Taskforce identified the need for healthcare organizations to have a healthcare cybersecurity role that drives more robust cybersecurity policies, processes, and functions with clear engagement from executives (Recommendation 3.1). Taskforce Imperative No. 4: Increase healthcare industry readiness through improved cybersecurity awareness and education Cybersecurity can be an enabler for the healthcare industry, supporting both its business and clinical objectives, as well as facilitating the delivery of efficient, high-quality patient care. However, this requires a holistic cybersecurity strategy. Organizations that do not adopt a holistic strategy not only put their data, organizations, and reputation at risk, but also—most importantly—the welfare and safety of their patients. Taskforce Imperative No. 6: Improve information sharing of industry threats, risks, and mitigations The healthcare industry is no longer in an era where it can be “willfully blind” to the cyber threat. Everyone (including rural, small, medium, and large healthcare organizations) should have the opportunity to participate in information sharing of cyber threat, risk, and mitigation information. The Taskforce also recommends that annual readiness exercises by the healthcare industry should be encouraged (Recommendation 6.3). The Taskforce notes that these exercises can be conducted regularly to test response plans and create and utilize a variety of relative incident scenarios. In these scenario-based attacks, the exercises should also include scenarios for regional, national, and global attacks. Conclusion Looking to the future, the Taskforce encouraged others in the healthcare industry to work on possible solutions. Among its recommendations for future work, the Taskforce recommended that a public-private forum should be established to further discussions of healthcare industry cybersecurity as the industry evolves. [1] Section 405 of the Cybersecurity Act of 2015 was developed, in part, from the 2015 Congressional Ask #2: Support Healthcare's Efforts to Combat Cyber Threats.
- #25: Frameworks NIST: https://www.nist.gov/cybersecurity-framework HITRUST: https://hitrustalliance.net/hitrust-csf/ Risk Assessment NIST 800-30: https://csrc.nist.gov/publications/detail/sp/800-30/archive/2002-07-01 Critical Security Control List –SANS Top 20 SANS: https://www.sans.org/critical-security-controls HITRUST Certification Criteria: https://hitrustalliance.net/documents/assurance/csf/CSFAssuranceProgramRequirements.pdf Office forCivil Rights –Audit Program Guidance https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html Meditlogy Strengthening Your Risk Management Program: Lessons Learned from the OCR’s Phase 2 Audits https://www.meditologyservices.com/webinar-playback-strengthening-your-risk-management-program-lessons-learned-from-the-ocrs-phase-2-a