Five Steps to Managing Business Associate (BA) Risk. James Christiansen, Optiv Vice President, Information Risk Management, Office of the CISO

Transcription

1 Five Steps to Managing Business Associate (BA) Risk James Christiansen, Optiv Vice President, Information Risk Management, Office of the CISO

2 Conflict of Interest James Christiansen, BS, MBA Has no real or apparent conflicts of interest to report.

3 Five Steps to Managing Business Associate (BA) Risk Welcome We are using a polling session today. Please answer the following question using your HIMSS application or SMS message as instructed below Are you enjoying HIMSS so far? 1) Yes 2) No 3

4 Agenda The Risk of Business Associates Reducing the Inherent Risk of BAs Understanding Business Associate Risk Defining the Types of Risk of BAs Managing Business Associate Risk Matching Security Assessment Level to Risk Changing the Paradigm Standardized and Automation of Assessments by Type of Service Key Points: Begin due diligence on critical business associates immediately Evaluate your risk inventory and assign risk tiers based on best practices Start slow Get quick wins Create a tiered program to evaluate risk based on inherent risk Manage a remediation plan to address deficient controls Provide a robust reporting program for executive team and regulators THINK DIFFERENTLY! 4

5 Learning Objectives Define the different types of business associate risk Discuss the process for managing business associate risk Identify inherent risk in the business Appraise the inherent risk with the required regulatory controls Apply business associate audits matching the level of due-diligence to the inherent risk 5

6 Realizing the Value of Health IT Electronic Secure Data Healthcare information is under attack. It has more value and longer shelf life than credit card data Business Associates are often the weak link in the healthcare ecosystem and targeted by attackers 6

7 Did we do a recent security review? Do we have insurance to cover the costs? The Beginning of a Bad Day Do we outsource to this Business Associate? Have we contacted our regulators? Have we been contacted by the media? CEO reads in the news that a major Business Associate provider had a security breach Are we prepared to respond to the media, our customers and the board of directors? HIMSS 2016

8 Common Industry Challenge Growing Problem Sheer Volume Costly Due-Diligence Global Regulatory Requirements Data and Privacy Security Breaches Fiduciary Board - Top of Mind Current Practice Costly Manual On-Site Audits Duplication of Efforts No Standard of Due Care No Trusted Assessor 8

9 Business Associate Targeted Attacks Trusted Insider Outsourcer Supplier with Trusted Access Business Associate Attacks Your Business Service Provider Target of Opportunity Breach a major supplier and you gain access to multiple companies data Global Problem A supplier anywhere in the world can be the cause of, or suffer from a security breach Economic Conditions Increased outsourcing and financial stress on business associate can lower defenses HIMSS

10 Exploiting the Trusted Business Associate Business Associate or INSIDER Capture Login Credentials Non-critical Servers THE ATTACKER S TARGET Sensitive Servers Use Credentials to Gain Access Escalate Privileges Lateral Movement ACTORS and METHODS: = Hacktivists Criminal Orgs State Sponsored HIMSS

11 Business Associate Breaches The Cost of a Breach at an External Party is Higher than an Internal Breach (2) Responding is more complex and time consuming 51 % of All Breaches Come from external parties (1) You are not in control of the response or communications (1) Source: Key findings from The Global State of Information Security Survey 2014, PWC, CSO Magazine (2) 2014 Cost of Data Breach Study: Global Analysis, Ponemon Institute, May

12 Understanding the Risks

13 Planning, Managing and Reporting Planning Steps to take to understand the inherent risk in the Business Associate relationship Managing How to effectively manage the residual risk of your Business Associate Reporting Reporting on Business Associate risk management process 13

14 Business Associate Risk Management Maturity Development of high-level scope and inventory (program adoption) Assessments on new relationships that leverage generic controls framework Assessments tailored to risk tier Managed remediation process Assessment depth/breadth appropriate for due-diligence required Validation and tracking of remediation Scope focused on full spectrum of BAs Predictive intelligence Manage to SLAs and future viability Source: Optiv Third-Party Program Blueprint 14

15 BA Cyber Risk Monitoring Level 1 Information From External BA Sites Use web information as indicator on level of control maturity Threat Intelligence Financial Data Level 2 Direct Interaction with BA People Process Technology Maturity of security program; people, process and technology Risk Reports Level 3 Direct Interaction with Technology Use technology to scan system configuration and controls Social Data Economic Data 15

16 Business Associate Contracts Restrictions on Outsourcing Security Safeguards Security Service Level Agreement Right to Audit Breach Notification Exit Strategy Indemnification, Cyber Insurance, etc. HIMSS 2016

17 Business Associate Risk Process Regulatory or Contract Exposure - Data Exposure - Business Process Exposure - Financial Strength - Geopolitical / Country Risk - Breach History or Indication - Standardized - Service Type, Size and Complexity 3 - HIPAA/STAR 1 Monitoring and Reporting Relationship Risk What Are They Doing for Us? 2 Business Profile Risk Who Are They? - Electronic Validation - Onsite Validation 4 - Control Evidence 5 - Changes in Relationship - Changes in Business - Changes in Controls 5 Control Validation 4 How Are They Protecting the Information? 3

18 Relationship Exposure Inventory The First Question: What data of ours was breached? Relationship Exposure Inventory Risk Registry Maintain a relationship list (type and quantity) Relationship Creep Due diligence is performed during the first contract Relationship grows over time Increased liability without updating the risk exposure metrics 18

19 Business Profile Risk Purpose: Who is The Business Associate? Understand the Risk of Doing Business With Business Associate Financial Strength/Credit Risk Regulatory Oversight Geopolitical/Economic Risk Business Risk Breach History, Crime, Legal Suit Most often performed outside of Information Security 19

20 Mapping Risk Tiers Tier 1 Tier 2 Tier 3 Relationship Risk Strategic Risk Reputational Risk Transaction Risk Compliance Risk Data Privacy Risk Business Profile Risk Credit Risk Country Risk Other Risks High Medium Low High Medium Low $$$$ $$$$ $$$ High Medium Low High Medium Low $$$$$ $$$$ $$$ High Medium Low High Medium Low 20

21 Risk Tiers Based on Inherent Risk Inherent Risk is a Function of Relationship and Profile Risk Match the Level of Due Diligence to Inherent Risk Tier 1 Strategic accounts (high revenue dependence) Regulatory/contract requirements High reputation risk Trusted relationships Tier 2 Lower volume with no or minimal sensitive data Lower revenue risk Business operations risk Some business profile risk Tier 3 No sensitive data Minimal reputation risk Minimal or no revenue dependence Trusted relationship with low-level access HIMSS

22 Business Associate Risk Current Situation HIPPA Final Rule - Omnibus Perform a HIPPA Risk Assessment to determine risks to PHI and identify additional security measures that should be implemented to better protect PHI Business Associates are directly liable for compliance with HIPPA Security Rule Subcontractors must be included Average Enterprise Has 1000s of Business Associates 1.5% - 2% 6% - 8% 90% - 95% Tier 1 Tier 2 Tier 3 22 HIMSS

23 Control Assessments Standardized Assessments Match Due-Diligence to Risk and Type of Service Full Assessment - Large Full Assessment - Light Cloud Computing Application Development Call Center Small Office Single Person Office No Ambiguity How You Ask Questions is as Important as What You Ask 23

24 Validating IT Controls Onsite Business Associate Validation Costly and Time Prohibitive SSAE16 SOC 2 A SSAE16 SOC 2 provides information pertaining to the IT controls that has been certified by an accredited firm Tip: Make sure the scope match the services being provided. Business Associate Breach Intelligence Service that monitors for bad traffic on the internet 24

25 Polling Question Is a SSAE16 SOC 2 Type 2 good enough? 1) Yes 2) No 3) For BA s with minimal risk 25

26 Tier 1 Due Diligence Tier 1 Assessments Self Attest of Controls Validate (not a complete list) Security policies Fully Validated Incident response plan and procedures Detection & Monitoring Systems (e.g. SIEM, SOC) Business continuity/disaster recovery plan and test results Vulnerability management procedures and sample reports Security awareness, training and completion log Last independent security assessment - status of high risks Physical security Tip: Multiple sites and outsourcing by Business Associate significantly increases level of effort 26

27 Tier 2 and 3 Assessments Tier 2 Assessments Partially Validated Self Attest of Controls Electronic Validation Policies Threat Management Access Management Penetration Tests Vulnerability Management Endpoint Management Tier 3 Assessments Self Attest of Controls Review Responses Random Audit 27

28 Remediation Plan Business Associate Not Meeting Required Standards Does control deficiency impact services? Provide Business Associate list of required improvements and dates Business Associate will: Commit Require additional time Reject Remediation plan agreed upon improvements Trigger follow-up 28

29 Business Associate Due Diligence Process Review Risk Inventory Ensure Proper Changes Implemented Determine the Appropriate Risk Tier Review Results and Negotiate Remediation Plan Have Business Associate Complete Self-Attest Control Validation Dependent on Tier Level 29

30 Changing the Paradigm Inefficient, Cost Prohibitive and Sheer Volume Performing assessments - Often only small percentage assessed Responding to 100 s of risk assessments are disruptive takes incredible resources Time For a Change! A standard set standard set of criteria that serves 90% of the needs Gather the information once and share many Automate the process of audits and remediation 30

31 Polling Question Would you be willing to use a service that provides validated assessments using a standard criteria if it meant significantly less cost, move coverage and higher quality? 1) Yes 2) No 31

32 Realizing the Value of Health IT Within Three Months, You Should: Begin due diligence on critical business associates Evaluate your risk inventory and assign risk tier 90 Days Start slow Get quick wins Beyond Three Months, Establish: + 90 Days A tiered program to A remediation plan evaluate risk to address deficient Reporting program controls 32

33 Questions?