Five Steps to Managing Business Associate (BA) Risk
James Christiansen, Optiv Vice President, Information Risk Management, Office of the CISO

Transcript of Five Steps to Managing Business Associate (BA) Risk

Conflict of Interest: James Christiansen, BS, MBA, has no real or apparent conflicts of interest to report.

Welcome. We are using a polling session today. Please answer the following question using your HIMSS application or SMS message as instructed.

• Are you enjoying HIMSS so far?
  1) Yes
  2) No


Agenda

• The “Risk” of Business Associates – Reducing the Inherent Risk of BAs
• Understanding Business Associate Risk – Defining the Types of Risk of BAs
• Managing Business Associate Risk – Matching Security Assessment Level to Risk
• Changing the Paradigm – Standardization and Automation of Assessments by Type of Service

Key Points:
• Begin due diligence on critical business associates immediately
• Evaluate your risk inventory and assign risk tiers based on best practices
• Start slow – get quick wins
• Create a tiered program to evaluate risk based on inherent risk
• Manage a remediation plan to address deficient controls
• Provide a robust reporting program for the executive team and regulators
• THINK DIFFERENTLY!


Learning Objectives

• Define the different types of business associate risk
• Discuss the process for managing business associate risk
• Identify inherent risk in the business
• Appraise the inherent risk against the required regulatory controls
• Apply business associate audits matching the level of due diligence to the inherent risk


Realizing the Value of Health IT

Electronic Secure Data

• Healthcare information is under attack. It has more value and a longer shelf life than credit card data
• Business Associates are often the weak link in the healthcare ecosystem and are targeted by attackers

The Beginning of a Bad Day

The CEO reads in the news that a major Business Associate provider had a security breach.

• Do we outsource to this Business Associate?
• Did we do a recent security review?
• Do we have insurance to cover the costs?
• Are we prepared to respond to the media, our customers and the board of directors?
• Have we contacted our regulators?
• Have we been contacted by the media?

©HIMSS 2016

Common Industry Challenge

Growing Problem
• Sheer Volume
• Costly Due Diligence
• Global Regulatory Requirements
• Data and Privacy Security Breaches
• Fiduciary Board – Top of Mind

Current Practice
• Costly Manual On-Site Audits
• Duplication of Efforts
• No Standard of Due Care
• No Trusted Assessor

Business Associate Attacks

Your Business Supplier with Trusted Access: the Service Provider as “Trusted” “Outsourcer” “Insider”

• Target of Opportunity – Breach a major supplier and you gain access to multiple companies’ data
• Global Problem – A supplier anywhere in the world can be the cause of, or suffer from, a security breach
• Economic Conditions – Increased outsourcing and financial stress on a business associate can lower defenses

Business Associate Targeted Attacks

Exploiting the “Trusted” Business Associate

ACTORS and METHODS: Hacktivists, Criminal Orgs, State Sponsored

THE ATTACKER’S TARGET = the Business Associate or “INSIDER”

Attack path: Capture Login Credentials → Use Credentials to Gain Access → Escalate Privileges → Lateral Movement (Non-critical Servers → Sensitive Servers)

Business Associate Breaches

• 51% of all breaches come from external parties (1)
• The cost of a breach at an external party is higher than an internal breach (2)
• You are not in control of the response or communications
• Responding is more complex and time consuming

(1) Source: Key findings from The Global State of Information Security® Survey 2014, PWC, CSO Magazine
(2) 2014 Cost of Data Breach Study: Global Analysis, Ponemon Institute, May 2014

Understanding the Risks – Planning, Managing and Reporting

• Planning – Steps to take to understand the inherent risk in the Business Associate relationship
• Managing – How to effectively manage the residual risk of your Business Associate
• Reporting – Reporting on the Business Associate risk management process

Business Associate Risk Management Maturity

• Development of high-level scope and inventory (program adoption)
• Assessments on new relationships that leverage a generic controls framework
• Assessments tailored to risk tier
• Managed remediation process
• Assessment depth/breadth appropriate for the due diligence required
• Validation and tracking of remediation
• Scope focused on the full spectrum of BAs
• Predictive intelligence
• Manage to SLAs and future viability

Source: Optiv Third-Party Program Blueprint

BA Cyber Risk Monitoring

Level 1 – Information From External BA Sites
• Threat Intelligence, Economic Data, Financial Data, Social Data
• Use web information as an indicator of the level of control maturity

Level 2 – Direct Interaction with BA
• Risk Reports covering Process, People and Technology
• Maturity of the security program: people, process and technology

Level 3 – Direct Interaction with Technology
• Use technology to scan system configuration and controls

Business Associate Contracts

• Right to Audit
• Security Service Level Agreement
• Breach Notification
• Restrictions on Outsourcing
• Security Safeguards
• Indemnification, Cyber Insurance, etc.
• Exit Strategy

Business Associate Risk Process

1. Relationship Risk – What Are They Doing for Us?
   - Regulatory or Contract Exposure
   - Data Exposure
   - Business Process Exposure

2. Business Profile Risk – Who Are They?
   - Financial Strength
   - Geopolitical / Country Risk
   - Breach History or Indication

3. How Are They Protecting the Information?
   - Standardized
   - Service Type, Size and Complexity
   - HIPAA/STAR

4. Control Validation
   - Electronic Validation
   - Onsite Validation
   - Control Evidence

5. Monitoring and Reporting
   - Changes in Relationship
   - Changes in Business
   - Changes in Controls

Relationship Exposure Inventory

The First Question: “What data of ours was breached?”

Relationship Exposure Inventory – Risk Registry
• Maintain a relationship list (type and quantity)

Relationship “Creep”
• Due diligence is performed during the first contract
• The relationship grows over time
• Increased liability without updating the risk exposure metrics

Business Profile Risk

Purpose: Who is the Business Associate?

Understand the risk of doing business with the Business Associate:

• Financial Strength/Credit Risk
• Regulatory Oversight
• Geopolitical/Economic Risk
• Business Risk
• Breach History, Crime, Legal Suits

Most often performed outside of Information Security.

Mapping Risk Tiers

Relationship Risk       Tier 1    Tier 2    Tier 3
  Strategic Risk        High      Medium    Low
  Reputational Risk     High      Medium    Low
  Transaction Risk      $$$$      $$$$      $$$
  Compliance Risk       High      Medium    Low
  Data Privacy Risk     High      Medium    Low

Business Profile Risk   Tier 1    Tier 2    Tier 3
  Credit Risk           $$$$$     $$$$      $$$
  Country Risk          High      Medium    Low
  Other Risks           High      Medium    Low

Risk Tiers Based on Inherent Risk

Match the Level of Due Diligence to Inherent Risk. Inherent Risk is a Function of Relationship and Profile Risk.

Tier 1
• Strategic accounts (high revenue dependence)
• Regulatory/contract requirements
• High reputation risk
• “Trusted” relationships

Tier 2
• Lower volume with no or minimal sensitive data
• Lower revenue risk
• Business operations risk
• Some business profile risk

Tier 3
• No sensitive data
• Minimal reputation risk
• Minimal or no revenue dependence
• “Trusted” relationship with low-level access

HIPAA Final Rule – Omnibus

• Perform a HIPAA risk assessment to determine risks to PHI and identify additional security measures that should be implemented to better protect PHI
• Business Associates are directly liable for compliance with the HIPAA Security Rule
• Subcontractors must be included

Business Associate Risk – Current Situation

The average enterprise has 1000s of Business Associates:
• Tier 1: 1.5% – 2%
• Tier 2: 6% – 8%
• Tier 3: 90% – 95%

Control Assessments – Standardized Assessments

• Match Due Diligence to Risk and Type of Service
• No Ambiguity
• How You Ask Questions is as Important as What You Ask

Assessment types by service:
• Call Center
• Small Office
• Single Person Office
• Full Assessment – Large
• Full Assessment – Light
• Cloud Computing
• Application Development

Validating IT Controls

Onsite Business Associate Validation
• Costly and time prohibitive

SSAE 16 SOC 2
• An SSAE 16 SOC 2 report provides information about the IT controls of a service organization, as examined and attested to by an independent accounting firm (it is an attestation report, not a certification)
• Tip: Make sure the scope of the report matches the services being provided, and check the period covered and any exceptions noted by the auditor

Business Associate Breach Intelligence
• A service that monitors the Internet for malicious traffic associated with the Business Associate

Polling Question

• Is an SSAE 16 SOC 2 Type 2 good enough?
  1) Yes
  2) No
  3) For BAs with minimal risk

Tier 1 Due Diligence – Tier 1 Assessments, Fully Validated

• Self Attest of Controls
• Validate (not a complete list):
  - Security policies
  - Incident response plan and procedures
  - Detection and monitoring systems (e.g. SIEM, SOC)
  - Business continuity/disaster recovery plan and test results
  - Vulnerability management procedures and sample reports
  - Security awareness, training and completion log
  - Last independent security assessment – status of high risks
  - Physical security

Tip: Multiple sites and outsourcing by the Business Associate significantly increase the level of effort.

Tier 2 and 3 Assessments – Partially Validated

Tier 2 Assessments
• Self Attest of Controls
• Electronic Validation:
  - Policies
  - Access Management
  - Vulnerability Management
  - Threat Management
  - Penetration Tests
  - Endpoint Management

Tier 3 Assessments
• Self Attest of Controls
• Review Responses

• Random Audit

Remediation Plan

Business Associate Not Meeting Required Standards
– Does the control deficiency impact services?
– Provide the Business Associate a list of required improvements and dates
– The Business Associate will:
  • Commit
  • Require additional time
  • Reject
– Remediation plan – agreed-upon improvements
  • Trigger follow-up

Business Associate Due Diligence Process (repeating cycle)

1. Review Risk Inventory
2. Determine the Appropriate Risk Tier
3. Have the Business Associate Complete a Self-Attest
4. Control Validation – Dependent on Tier Level
5. Review Results and Negotiate Remediation Plan
6. Ensure Proper Changes Are Implemented

Changing the Paradigm

• Inefficient, Cost Prohibitive and Sheer Volume
  – Performing assessments – often only a small percentage are assessed
  – Responding to hundreds of risk assessments is disruptive and takes incredible resources

• Time For a Change!
  – A standard set of criteria that serves 90% of the needs
  – Gather the information once and share it many times
  – Automate the process of audits and remediation

Polling Question

• Would you be willing to use a service that provides validated assessments using standard criteria if it meant significantly less cost, more coverage and higher quality?
  1) Yes
  2) No

90 Days and Beyond

Within Three Months, You Should:
✓ Begin due diligence on critical business associates
✓ Evaluate your risk inventory and assign risk tiers
✓ Start slow – get quick wins

Beyond Three Months, Establish:
✓ A tiered program to evaluate risk
✓ A remediation plan to address deficient controls
✓ A reporting program

Questions?

[email protected] www.optiv.com