Risk Management Approach to Cyber Security


Transcript of Risk Management Approach to Cyber Security

Page 1: Risk Management Approach to Cyber Security

RISK MANAGEMENT APPROACH TO CYBER SECURITY: WHAT YOU NEED TO KNOW

ERNEST STAATS MSIA, CISSP, CEH…

General Conference of SDA (South Pacific Division)

Security can no longer be outsourced to the security team. Instead, the security team should be providing the resources and expertise to help others become as security self-sufficient as possible.

Page 2: Risk Management Approach to Cyber Security

LEGAL DISCLAIMER:

Nothing in this handout or presentation constitutes legal advice.

The information in this presentation was compiled from sources believed to be reliable for informational purposes only. Any and all information contained herein is not intended to constitute legal advice. You should consult with your own attorneys when developing programs and policies.

We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication including any information, methods or safety suggestions contained herein.

Page 3: Risk Management Approach to Cyber Security

FEAR FACTOR – OR IS THIS REAL?

• 70% of the US population has been affected by at least 1 data breach

• Total cost of data breaches and data theft to date (2016) exceeds the GDP of Sweden ($450B)

• 99.9% of data breaches are due to technology over 1 year old – patches are not being applied and unsupported technology is still in use

• 60% of all data losses occur within 5 minutes of the breach of systems

• 80% of emails are spam; 56% of Internet-based email traffic is sent by mailbots

• AVERAGE time between viewing the contaminated email and clicking on the attachment is approximately 2 seconds

Page 4: Risk Management Approach to Cyber Security

CYBER RISK – THE “INTERNET OF THINGS”

• Wearable and other connected devices allow detailed tracking of location.

• Trading security for convenience

  • Open Table, Lyft, Waze, Netflix, Amazon

• Average adult spends 2.5 hours daily on a smartphone doing something other than talking

• Average teenager spends 27 hours daily on a smartphone

• Most wearable device makers do NOT have a security plan for data exchange

Page 5: Risk Management Approach to Cyber Security

GROWTH OF THE ATTACK SURFACE

• 23 billion devices (estimated) are connected to the Internet as of 2018

• By 2025, that number is expected to grow to 75 billion

• Industrial application risks have grown – from 10 vulnerabilities in 2010 to an average of 100 by 2013

  • Power grid, hydroelectric dams, etc.

• 7 out of 10 domestic devices have vulnerabilities that can be exploited (HP survey)

  • Door locks, thermostats, smart TVs, Internet security systems

Page 6: Risk Management Approach to Cyber Security

CYBER RISK – HEALTH CARE AS A TARGET

• The healthcare environment has unique risks because of patient care – the need for 24/7 accessibility and for integrity of data used in diagnosis and treatment

• November 2015 – 7 vulnerable device types, including drug infusion pumps, Bluetooth-enabled defibrillators, blood refrigeration units, and CT scanners

• Hollywood Presbyterian information systems held hostage for $3.6 million

• Merge Hemo tool shut down because its operating software was incompatible with the malware search engine

• If any of these devices transmit PHI to your EHR, they should have been included in your HIPAA security risk assessment

Page 7: Risk Management Approach to Cyber Security

RETHINK HOW WE APPROACH CYBERSECURITY

• Checklist Compliance & Security Doesn't Work

  • It doesn’t meet OCR Phase 2 audits

• Attacks are cross-departmental

• You cannot protect what you do not know about (DATA MAP – where is PHI?)

• Without Active Ownership and Management, Cyber Security is a joke

• Without a comprehensive Plan it becomes incomprehensible

• If it is not part of Corporate Culture, the company is left exposed to true Cyber Risk

Page 8: Risk Management Approach to Cyber Security

IMPLEMENTING A RISK-BASED SECURITY MINDSET

• Examine how information flows, rather than controlling the flow of information (Cradle to the Grave) – Varonis

• Accept limitations of technology and become PEOPLE CENTRIC

• Do not rely on perfect protection; invest in continuous monitoring, detection, and response

Page 9: Risk Management Approach to Cyber Security

DETERMINE HOW INFORMATION FLOWS

• Data needs to be readily accessible

  • Employees, partners, suppliers, customers

• IT departments do not own all infrastructure

  • Data is moving to 3rd party cloud applications/services

• Focus on threat vectors

  • Accurate inventory

  • Proper authentication and security

Page 10: Risk Management Approach to Cyber Security

DEFINE ENTERPRISE RISK MANAGEMENT (ERM)

• It is the process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the effects of risk on an organization's capital and earnings.

• What is its purpose?

  • To cover more than just Electronic Medical Records Risk

  • To be a method for management to focus on business solutions as it treats risk strategically and operationally. Business disruption is a risk that is important to our clients and to our organizations.

Page 11: Risk Management Approach to Cyber Security

ENTERPRISE RISK MANAGEMENT SHOULD…

• Be enterprise wide

• Include a Risk analysis policy that has specific details (e.g., who will perform it, who will receive the results, how often it will be updated)

• Include a Risk management policy that has specific details (e.g., what is an acceptable level of risk, who has what responsibility, etc.)

• Include a Risk management plan that has been tied to a specific risk analysis.

Page 12: Risk Management Approach to Cyber Security

WHO TO INCLUDE IN THE INTERVIEWS

• IT Leadership

• Application owner

• Application administration

• Network administration

• Server administration

• Facilities administration

• Security Officer

• Privacy Officer

• Health Information Management (Medical Records)

• Compliance Officer

Have multiple people in the interview at once so they can learn what each other is doing.

Page 13: Risk Management Approach to Cyber Security

BENEFITS OF AN ERM

• Support the achievement of strategic objectives

• Enhance institutional decision-making

• Create a “risk-aware” culture across the organization

• Reduce operational surprises and losses

• Be ready to act on acceptable opportunities

• Assure greater business continuity

• Improve use of capital by aligning resources with strategic objectives

• Bridge departmental silos while drawing on the expertise of highly skilled individual managers

Risk management cycle (diagram):

• Observe: Identify Risk

• Orient: Categorize & Prioritize

• Decide: Select & Implement Controls

• Act: Manage, Assess, & Monitor

Page 14: Risk Management Approach to Cyber Security

FACTORS THAT CAN CAUSE FAILURE

• Complexity (Overlapping Solutions)

• Focus on Technology (Bright Shiny Object Disease)

• Lack of Understanding of Risk (Fear vs Reality)

• Lack of Cyber Security Staff

Page 15: Risk Management Approach to Cyber Security

WHAT CAN CAUSE AN AUDIT FINDING?

• Generic checklists do not constitute risk management

• Incomplete or inaccurate assessments

• Organizations did not understand and assess the scope of the proliferation of PHI

• Active and ongoing management of risks not handled

• Implementation of controls not tied back to risk analysis

• Failure to meet reasonable and addressable requirements, including encryption

• Assessment not frequent or routine (I suggest annual)

Source: OCR Presentation, Update on Audits of Entity Compliance with the HIPAA Rules, September 2017

Page 16: Risk Management Approach to Cyber Security

STRATEGIES TO MITIGATE RISK

• Use remote connectivity only with known or trusted devices

• Limit BYOD

• Police off-the-shelf device connections to networks

• Block tracking cookies whenever possible

• Limit employee access to social media and external email

• Train, train, train – teach employees about the dangers of phishing

• Audit, audit, audit

• Update your own devices and software to most current versions

Page 17: Risk Management Approach to Cyber Security

BUILD AN ACHIEVABLE ERM

• NIST: https://www.nist.gov/cybersecurity-framework

• Information Security Risk Management, SP 800-39: https://csrc.nist.gov/publications/detail/sp/800-39/final

• HITRUST: https://hitrustalliance.net/hitrust-csf/

• Critical Security Control List – SANS Top 20

  • The SANS first 5 of the 20 controls will give you an 85% reduction in risk

Page 18: Risk Management Approach to Cyber Security

SELF ASSESSMENT

[Screenshot of the Critical Security Controls Executive Assessment Tool (v6.1a), https://www.auditscripts.com/wp-content/uploads/mgm/downloads/82185300.xlsx (licensed CC BY-SA 4.0). For each question the assessor selects one implementation level (e.g., "Implemented on Some Systems"); the tool then charts Accepted vs Addressed Risk (4% / 96% in the example shown).]

Critical Security Control #1: Inventory of Authorized and Unauthorized Devices

• Has your organization implemented scanning tools (active & passive) to identify all the devices attached to the network?

• Has your organization implemented a Network Access Control (NAC) solution, which requires certificates, to authenticate devices before they can connect to the network?

Critical Security Control #2: Inventory of Authorized and Unauthorized Software

• Has your organization implemented scanning tools to identify all software applications installed in the organization?

• Has your organization implemented a software whitelisting tool that only allows authorized software programs to execute on the organization's systems?

Critical Security Control #3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

• Has your organization implemented scanning tools to identify any mis-configured security settings on systems in the organization?

• Has your organization implemented a security setting configuration enforcement system on the organization's systems?

Critical Security Control #4: Continuous Vulnerability Assessment and Remediation

• Has your organization implemented scanning tools to identify any software vulnerabilities on systems in the organization?

• Has your organization implemented an automated patch management system to continuously update the organization's systems?
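Pages 11, 15 and 18 together describe the check an auditor applies to a risk register: every implemented control must trace back to a risk in the analysis, and every risk above the acceptable level must be either addressed by a control or formally accepted. The Python below is an added illustration of that check, not code from the slides or from the Audit Scripts tool; the likelihood/impact scale, the threshold, and the register entries are constructed for the example.

```python
from dataclasses import dataclass

ACCEPTABLE_RISK = 6  # assumed policy threshold on a likelihood (1-5) x impact (1-5) scale

@dataclass
class Risk:
    rid: str
    asset: str             # where the data lives, taken from the data map
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (severe)
    accepted_by: str = ""  # set only when management formally accepts the risk

    def score(self) -> int:
        return self.likelihood * self.impact

def review(risks, controls):
    """`controls` maps control id -> risk ids it was selected for. Returns (findings,
    addressed_pct, accepted_pct), percentages by score over risks above the threshold."""
    findings, known, covered = [], {r.rid for r in risks}, set()
    for cid, covers in controls.items():
        if not covers or not set(covers) <= known:
            findings.append(f"{cid} is not tied to a risk in the risk analysis")
        covered.update(covers)
    total = addressed = accepted = 0
    for r in risks:
        if r.score() <= ACCEPTABLE_RISK:
            continue  # within tolerance, no treatment required
        total += r.score()
        if r.rid in covered:
            addressed += r.score()
        elif r.accepted_by:
            accepted += r.score()
        else:
            findings.append(f"{r.rid} ({r.asset}) scores {r.score()} with no control or acceptance")
    scale = 100 / total if total else 0
    return findings, round(addressed * scale, 1), round(accepted * scale, 1)

RISKS = [  # constructed sample register, not real assessment data
    Risk("R1", "EHR database", 4, 5),                          # 20, addressed by C1
    Risk("R2", "infusion pump VLAN", 3, 4),                    # 12, addressed by C2
    Risk("R3", "guest Wi-Fi", 2, 2),                           # 4, within tolerance
    Risk("R4", "legacy CT console", 3, 3, accepted_by="CIO"),  # 9, formally accepted
    Risk("R5", "billing file share", 4, 2),                    # 8, untreated -> finding
]
CONTROLS = {
    "C1": ("R1",),  # encrypt PHI at rest
    "C2": ("R2",),  # segment the medical device network
    "C3": (),       # block tracking cookies, selected with no linked risk -> finding
}
```

Running `review(RISKS, CONTROLS)` on the sample register reports two findings (the orphan control C3 and the untreated R5) alongside the addressed and accepted percentages, which is the same split the assessment tool charts.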

Page 19: Risk Management Approach to Cyber Security

HOW ERM CAN INCREASE PATIENT CARE

• Trust is a factor of care

• Transparency and communication

• Staff will notice when you invest in them.

• Make it useful for more than just work

• Simon Sinek’s thoughts on why we need to care for our medical staff: https://youtu.be/THjoqO-POao

• Word will spread

Page 20: Risk Management Approach to Cyber Security

QUESTIONS?

Page 21: Risk Management Approach to Cyber Security

THE HEALTH CARE INDUSTRY CYBERSECURITY (HCIC) TASK FORCE FINAL REPORT JUNE 2, 2017

• Taskforce Imperative No. 4: Increase healthcare industry readiness through improved cybersecurity awareness and education

• “Cybersecurity can be an enabler for the healthcare industry, supporting both its business and clinical objectives, as well as facilitating the delivery of efficient, high-quality patient care. However, this requires a holistic cybersecurity strategy. Organizations that do not adopt a holistic strategy not only put their data, organizations, and reputation at risk, but also—most importantly—the welfare and safety of their patients.”

Page 22: Risk Management Approach to Cyber Security

NEW PRIVACY FAMILY CONTROLS – APPENDIX J TO NIST SP 800-53 REV4

Specific overlays for privacy can also be considered to facilitate the tailoring of the security control baselines with the requisite privacy controls to ensure that both security and privacy requirements can be satisfied by organizations. Many of the security controls provide the fundamental information protection for confidentiality, integrity, and availability within organizational information systems and the environments in which those systems operate—protection that is essential for strong and effective privacy.

Page 23: Risk Management Approach to Cyber Security

NEW PRIVACY FAMILY CONTROLS – APPENDIX J TO NIST SP 800-53 REV4

Accountability, Audit, and Risk Management

• AR-7 – The organization designs information systems to support privacy by automating privacy controls.

  • To the extent feasible, when designing organizational information systems, organizations employ technologies and system capabilities that automate privacy controls on the collection, use, retention, and disclosure of personally identifiable information (PII). By building privacy controls into system design and development, organizations mitigate privacy risks to PII, thereby reducing the likelihood of information system breaches and other

Page 24: Risk Management Approach to Cyber Security

REFERENCES

• Frameworks

  • NIST: https://www.nist.gov/cybersecurity-framework

  • HITRUST: https://hitrustalliance.net/hitrust-csf/

• Risk Assessment

  • NIST 800-30: https://csrc.nist.gov/publications/detail/sp/800-30/archive/2002-07-01

• Critical Security Control List – SANS Top 20

  • SANS: https://www.sans.org/critical-security-controls

• HITRUST Certification Criteria: https://hitrustalliance.net/documents/assurance/csf/CSFAssuranceProgramRequirements.pdf

• Office for Civil Rights – Audit Program Guidance