Checklist for Breach Readiness. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) For Daily Compliance & Security Tips, Follow

Transcription

1 Checklist for Breach Readiness Enabling a Resilient Organization Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) For Daily Compliance & Security Tips, Follow Agenda Facts about breach violation impact to organizations Checklist to ensure incident response readiness Preparing your organization to comply with mandates 1

2 A Single Incident/Breach Significant Risk! Hackers broke into the computer system of the United Nations and hid there unnoticed for almost two years, and quietly combed through reams of secret data McAfee, August 2011 Hackers gained unauthorized access to the internal Zappos network and its 24 million customer accounts We spent over 12 years building our reputation, brand and trust with our customers. It is painful to see us take so many steps back due to a single incident. Mr. Tony Hsieh, Zappos, CEO The Wall Street Journal, January 17, 2012 Data Breach: 400 entities reported breaches of 500 or more (OCR) Rising Compliance Mandates State Regulations Are Not Insignificant! Massachusetts rules a ZIP code can indeed be Personal Identification Information (PII) UCLA hospitals facing $16M class action for stolen patient information The intervening criminal acts of burglars are unlikely to shield the UCLA Health System from liability under California's Confidentiality of Medical Information Act (CMIA) for patient data breach California, Illinois and Texas amend their breach notification obligations for 2012 As of January 1, 2012, California has amended its data privacy statute requiring significantly more information to be included in data breach notification letters to California residents Hacker releases 100,000 Facebook log-in credentials! IDG News, Jan 24,

3 BCBST Incident: Fast Facts Understanding the Problem OCR s first HITECH enforcement action related to a breach What Happened: 57 unencrypted hard drives stolen from a leased facility (discovered on October 5, 2009) # of Individuals Impacted: Contained EPHI of 1,023,209 individuals Financial Impact: $1.5M fine; $17M in breach response costs CAP Term: 450 days Data Breach: 400 entities reported breaches of 500 or more (OCR) BCBST Incident: Fast Facts The Corrective Action Plan (CAP) Must review, revise and maintain its Privacy & Security policies and procedures (App A, Pg 3) Ensure policies are implemented within 220 days of policy review/approval from HHS Written or electronic compliance certification form from each workforce member (read, understands & abides) Conduct risk assessment (App A, Pg 3) Conduct risk management plan (App A, Pg 3) Complete facility access controls & facility security plan (App A, Pg 4) Conduct regular and robust training for all employees (App 1, Pg 4) Perform monitor reviews to ensure compliance with CAP (App A, Pg 5) Unannounced site visits to facilities housing portable devices Interviews with random selection of 25 workforce members who use portable devices Review use, retention, destruction of portable devices/e-media Inspection of random sample of 25 portable devices that contain EPHI to ensure compliance with policies 3

4 The Breach Notification Form Notice of Breach Organizations must: Identify if breach affects 500 or more OR Less than 500 Initial Report, Addendum to Previous Report Provide covered entity contact information Identify if breach occurred at or by a Business Associate Breach Date of breach, Date of Discovery Approx # of impacted individuals Type of Breach Theft, Loss, Improper disposal, Unauthorized access, Hacking/IT incident Other, Unknown Type of Sensitive Information Involved in Breach: Demographic information Financial information Clinical Information Other All Rights Reserved. ecfirst. The Breach Notification Form Notice of Breach Brief Description of Breach Location How it occurred? Additional information: type of breach, type of media, type of PHI Safeguards in Place Prior to Breach Firewalls, Packet filtering (router based) Secure Browser Sessions, Logical Access Control Strong Authentication, Encrypted Wireless, Physical Security Anti-virus Software, Intrusion Detection, Biometrics Action in Response to Breach: Security and/or Privacy Safeguards Mitigation Sanctions Policies & Procedures Other Attestation All Rights Reserved. ecfirst. 4

5 Breaches Not If, But When! Response will be costly; especially notification! Is your strategy for incident response management and breach aligned? Tested? Employees trained on policies? Incident response team prepared? Controls deployed? Addressed federal and state breach mandates? 963,434 cyber attacks in October 2011! SC Magazine, November 2011 OIG Findings: Security Weaknesses Excellent Reference for Security Audit Readiness! Examples of weaknesses identified by the sites visited, included: Unprotected wireless networks Lack of vendor support for operating systems Inadequate system patching Outdated or missing antivirus software Lack of encryption data on portable devices and media Lack of system event logging or review Shared user accounts Excessive user access and administrative rights External threats rising daily highly targeted & persistent Can your Security Strategy defend these threats? 5

6 Challenges Complex Computing Environment Cloud computing Virtualization Servers Desktop Mobile devices TBs of data across several storage media Security PII is at Significant Risk! Struggling with fast, secure access to client information Generic accounts still in active use Struggling with password management Need to uniquely identify who accessed what, when, how Audit controls are not consolidated and typically not automated, nor complete Risk to PII is a Risk to the Organization! Compliance Mandates Key Regulations & Standards State Regulations PCI DSS HIPAA Privacy/Security HITECH Meaningful Use HITECH Breach Notification Your security plan must identify regulations that impact your organization! Is your enterprise system security plan ready? 6

7 Information Security Incident Management: ISO Clause 9 Provides guidance for the development and maintenance of a comprehensive strategy for responding to a security violation Key areas addressed: Reporting Information Security Events and Weaknesses Management of Information Security Incidents and Improvements Conduct formal reviews of past security incident responses Determine how to further improve response and remediation time during security incidents State regulations, e.g. CA, may require breach notification within five days NIST SP : Requirement #8, Incident Response Checklist for Compliance All Rights Reserved. ecfirst. 7

8 Security Checklist All Rights Reserved. ecfirst. Checklist for Breach Notification Addressing Federal & State Mandates 1. Develop policy on Discovery, Reporting & Notification of Information Breaches 2. Review, update and integrate security controls and reporting capabilities for incident management Create a specific procedure for information breach management Develop specific procedure for information breach notification 3. Conduct training for all members of the workforce 2012 & Beyond: It s About Securing PII Personally Identifiable Information 8

9 Incident Response for Breaches of PII What is Your Formal Plan? 1. Preparation 1. Build PII breach response as part of incident response 2. Develop appropriate policies & procedures 3. Employees must understand what constitutes a PII breach 4. Develop a comprehensive breach notification plan 2. Detection and Analysis 1. Implement detection & analysis technologies & techniques 2. Make adjustments as needed 3. Containment, Eradication & Recovery 1. Perform additional media sanitization steps 2. Ensure proper forensics techniques are practiced 4. Post-Incident Activity 1. Learn and update PII breach response plan All Rights Reserved. ecfirst. Information Security Program Strategy Think 2012: Think Active Security Physical Security Firewall Systems IDS/IPS Identity Management Encryption Critical Info & Vital Assets Beyond Infrastructure Security. Focus on Data Security. 9

10 Your Security Controls? Indian Spices All Rights Reserved. ecfirst. 10 Key Next Steps Security Incidents = Security Intelligence 1. Ensure risk analysis budgeted & completed very regularly 2. Review policies and procedures thoroughly - update! System Security Plan Developed? Approved? Business Associate Agreements, Reviewed/Updated? 3. Risk Management Plan this is your CAP Must discuss/review with executive management; Board aware of current risk? 4. Incident Response Program establish it formally 5. Contingency Plan conduct BIA 6. Train the workforce: Compliance & policies Scenarios, Assessments In-depth training if workforce member accesses portable devices/media 7. Thoroughly review of facility access controls (facility security plan) Site security & Equipment security 8. Examine, monitor, enhance current security controls Encrypt. Encrypt. Encrypt. 9. Proactive audits & unannounced site visits (e.g. facilities housing portable devices) 10. Review/Evaluation of Current Residual Risk & Report to Exec Mgmt All Rights Reserved. ecfirst. 10

11 OCR Comments on Compliance Breach Enforcement Perform security evaluation in response to operational changes Must have appropriate access controls at leased facility Wherever PII moves must ensure it is not accessible to unauthorized parties; only by authenticated parties Ensure BAA with cloud provider or other contractors covers compliance requirements Additional regulations under consideration being finalized OCR Deputy Director Modern Healthcare Interview, March 18, 2012 What OCR Expects Today! HITECH Breach Enforcement Establish a carefully designed, delivered & monitored compliance program. OCR Director, March 13, 2012 Are you prepared for an audit now? 11

12 It Starts with Strategy The true organization is so prepared for battle that battle has been rendered unnecessary. Much strategy prevails over little strategy, so those with no strategy cannot but be defeated (defenses penetrated). Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win. Sun Tzu The Art of War Critical for information security officers to seriously develop their strategy first, then execute. Did you get information of value from this brief? Like ecfirst on 12

13 Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP) Follow ecfirst for Daily Tips Healthcare Information Security & Compliance Expert Created bizshield TM an ecfirst Signature Methodology - to address compliance and information security priorities Featured speaker at compliance and security conferences worldwide Presented at Microsoft, Intuit, Kaiser, E&Y, Federal & State Government agencies & many others Consults extensively with healthcare organizations, government agencies and business associates Established the HIPAA Academy and CSCS Program gold standard for HIPAA, HITECH compliance solutions Member InfraGard (FBI) Daily Compliance Tips: Keep in touch, Pabrai@ecfirst.com and ecfirst Over 1,600 Clients served including Microsoft, Cerner, HP, PNC Bank & hundreds of hospitals, government agencies 13