White Paper Strengthening Information Assurance in Healthcare

Transcription

1 White Paper Strengthening Information Assurance in Healthcare Date: April, 2011 Provided by: Concurrent Technologies Corporation (CTC) 100 CTC Drive Johnstown, PA wwwctccom Business Point of Contact: Mr Dave Davis Senior Director, Healthcare Initiatives Phone: (814)

2 The 2009 changes to the Health Insurance Portability and Accountability Act (HIPPA) Privacy Rules and Security Safeguards have had a major impact on healthcare providers as well as noncovered entities as there is no longer the option of voluntary compliance The changes include mandatory audits for HIPPA compliance, significant fines for non-compliance and criminal charges for violations HIPPA s rules authorization requirements (fines can range from $10K- $50K per violation) This paper focuses on the HIPPA regulations as it pertains to information technology security and an approach to address information assurance Covered entities and business associates should note that while successful compliance assessments may be a starting point for information security, it really only provides a minimal level of information assurance and does not provide a practical indication of the overall security posture of the organization It is not sufficient to concentrate only on infrastructure controls as the majority of cyber attacks are increasingly occurring at the application layer and unprotected endpoints Data from MITRE indicates that compliance only assessments provide approximately 45% coverage of known vulnerabilities Attackers know this, and will assume that you are compliant, and therefore concentrate on the remaining 55% of the attack surface As electronic exchange of Protected Health Information (PHI) becomes the norm, covered entities must have assurances that PHI is safeguarded as it is transmitted between corporate and local facilities, third party service providers, governmental entities, or other public health entities What assurances do you have that other facilities have appropriate safeguards for PHI you provide? What assurances do you have that the health information technology software that you have deployed was developed using industry standard software assurance practices? Have your employees been sufficiently trained in information security practices? Do you have a good understanding of what security controls you have in place, what they protect, their effectiveness, and where the gaps are if any? Are all endpoints protected (including business and personal mobile devices such as laptops, phones)? How often are you reassessing security safeguards, policies and procedures? Is there too much focus on protection and too little on detection and response? When choosing security safeguards, entities must assess these controls and understand how the controls relate to the various states and places in which information assets can exist The McCumber Cube provides a concise framework that models the perspectives that one must consider for information assurance and how information assets can coexist in multiple dimensions When assessing an information security problem, it provides a good reference for thinking about the problem from each perspective 1

3 Security Goals/Services Transmission Confidentiality Integrity Availability Storage Processing Information States Policies & Practices Technology Human Factors Counter-Measures Figure 1 McCumber Cube Information Security Goals/Services Confidentiality information should not be disclosed to unauthorized users Integrity information (and systems) should not be modified (maliciously or accidentally) outside of authorized processes Availability information should be reliably accessible to authorized users Information States Transmission information moving from source to destination Storage information at rest, waiting to be accessed Processing information is being examined or modified Security Counter-Measures Technology hardware and software used to limit threats and vulnerabilities Policies & Practices defined goals and procedures for mitigating risks Human Factors - awareness, education, and training For example, file or disk encryption is a technology that addresses confidentiality of information in storage However, it does not address availability if the password is lost, or human factors and policies if the password is weak or obtained through social engineering (awareness, education), or transmission if the data must be decrypted for another office or entity to receive who then retains the information unencrypted in a mobile device (unprotected endpoint) Identification of Critical Program Information (CPI) and Critical Technology (CT) is the backbone for all risk management strategic scheduling and resource decisions Given the fact that resources are not unlimited and that entities may not have the ability to conduct full-scale 2

4 risk management activities on all of its critical assets, it is still crucial to identify and collect knowledge of these assets to aid in the appropriate prioritization and allocation of resources across the entire enterprise This knowledge is also useful for characterizing and prioritizing the potential risks to critical assets and determining the entity s overall security posture CTC advocates a more positive approach to information assurance through both compliance assessments, CPI/CT identification and threat modeling with more emphasis on the effectiveness that security controls have in limiting or mitigating threats in each dimension of information assurance Compliance only assessments at most, provide half of the threat coverage and are more negatively focused on the non-compliance gaps CTC utilizes a multi-tiered approach to risk management that minimizes effort for lower risk areas and maximizes understanding and mitigation planning for higher risk areas Tier 1 Assessment Objectives: Identify critical technology (CT) and critical program information (CPI) likely to pose increased risk (ie critical asset identification) Activities: Identify and collect basic information about all critical assets This information consists of very high-level indicators (criticality) of critical assets Mechanisms: Interviews and survey Investment: Minimal cost and effort to interview and fill in survey information Deliverables: Report containing results of surveys, prioritized list of critical assets by criticality Tier 2 Assessment Objectives: Identify which critical assets will require more immediate investigation and assessment to quantify and mitigate risk Review policies and procedures for compliance to HIPPA privacy rule Initial review of security controls for compliance with HIPPA Security Safeguards Activities: Includes Tier 1 activities Collect more detailed information about specific technologies utilized to provide confidentiality, integrity, availability of critical assets Review policies and procedures documentation for HIPPA compliance Review and determination of the existence and effectiveness of required HIPPA Security Safeguards Mechanisms: Interviews, surveys, documentation review, threat modeling Investment: Additional cost for documentation reviews, additional interviews and surveys, and threat modeling Deliverables: Report containing results of surveys, compliance checks, and results of threat modeling providing further detail of criticality, risks and mitigations for identified critical assets Tier 3 Assessment Objectives: Determine the overall health of security safeguards applied to the critical assets with a high criticality Test and identify issues/vulnerabilities with associated security safeguards and recommend appropriate mitigations In-depth review of policies 3

5 and procedures for potential recommendations of changes to improve and reduce security management costs Activities: Includes all tier 2 activities Analysis of security safeguards which include basic application penetration-tests In-depth review of policies and procedures Mechanisms: Interviews, surveys, document reviews, penetration-test and scanning tools Investment: Additional costs for in-depth reviews, application penetration-tests, scanning and analysis Deliverables: Report containing results of reviews and application penetration and scan tests providing further detail of criticality, risks and mitigations for identified critical assets Tier 4 Assessment Objectives: Determine the overall health of critical assets with a criticality of Medium or higher Test and identify issues/vulnerabilities with associated security safeguards and recommend appropriate mitigations Review of auditing procedures and electronic monitoring of security controls Review of education, training, and security awareness programs with recommendations to address identified gaps Review of compliance with HIPPA, Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG), National Institute of Standards and Technology (NIST) , and International Organization for Standardization (ISO) Activities: Includes Tier 3 activities Complete review of policies and procedures and security safeguards against HIPPA, DISA STIG, NIST , ISO In-depth review of education, training, and security awareness documents and procedures Mechanisms: Interviews, surveys, document reviews, penetration-test and scanning tools Investment: Additional costs for compliance checks, education and training reviews, and added application penetration-tests, scanning and analysis Deliverables: Report containing results of reviews, compliance checks, and results of application penetration and scan tests providing further detail of criticality, risks and mitigations for identified critical assets In summary, CTC provides our customers with end-to-end risk management solutions that focus on security risk management across the HIT enterprise 4