Big Data, Big Risk, Big Rewards. Hussein Syed

Transcription

1 Big Data, Big Risk, Big Rewards Hussein Syed

2 Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance

3 Big Data

4 Government incentives along with advancements in digitally enhanced clinical processes have transformed healthcare IT in the last two decades.

5 This transformation and the proliferation of digital devices in all areas of our business has created a hotbed for cyber criminals.

6 In health care, big data encompasses a whole range of data types, including the following to form big data: Clinical data Claims and cost data Biometric data Data provided patients Genomic information, which is showing significant reductions in the time and cost associated with genetic sequencing; Data on other determinants of health Social media data.

7 This high value of healthcare information has led cyber criminals to focus on healthcare on a global basis.

8 Information Security Each of these elements has risks that should be considered and controls that should be implemented in order to meet compliance standards. Confidentiality refers to preventing the disclosure of information to unauthorized individuals or systems. Integrity denotes ensuring that data cannot be modified without detection. Availability means that information must be accessible when it is needed.

9 CIA Risks Controls Confidentiality Loss of privacy, Unauthorized access to the information, Encryption Authentication Access Controls Integrity Information is no longer reliable or accurate, Fraud Loss of confidence in data Quality Assurance Audit Logs Availability Business disruption, Loss of value proposition Business Continuity planning, Capacity Management

10 Information Security strategy in healthcare requires.. Data and Network security Cyber Security Regulatory compliance requirements HIPAA covered data PCI DSS Compliance Non HIPAA covered data Privacy compliance OCR FTC concerns And Big Data Security

11 A good security plan must include the following areas Governance, Risk and Compliance IT Risk Management Identity and Access Management Information Lifecycle Management Mobility Security Network and System Security Incident Response planning Application Security Management Business Continuity Management Awareness & Training Logging, Analytics, Metrics and Reporting

12 NIST Cybersecurity Framework

13 Big Data environments vs. traditional data environments The data collected, aggregated, and analyzed for big data analysis The infrastructure used to store and house big data The technologies applied to analyze structured and unstructured big data are very different than the traditional technologies A Holistic approach to security is needed due to the complex and heterogeneous nature of Big Data

14 The collection, storage, manipulation and retention of massive amounts of data have resulted in serious security and privacy considerations.

15 Gartner Research.

16 Big data Security Infrastructure security Access control and authentication Secure data management Application software security Data protection Logging and Monitoring Change Management Source validation and filtering

17 Policy challenges in Big Data Develop Big data policies; collection, retention, use etc. Ambiguity of state and federal laws Misunderstanding of state and federal laws Risks of misuse of data

18 Information Security is built with People Build and retain a high performing security team Provide training to stay current with threats and mitigation Implement strategies to keep team members engaged Process Build repeatable and measurable processes to attain maturity Implement Cyber Security Framework Use the Cyber Security Framework and Center for Internet Security (CIS) 20 Critical Security Controls to design safeguards Technology Implement solutions to build a Defense in Depth security model Partner Solution providers Product vendors

19 Infrastructure Security Secure Configurations for Hardware and Software Only approved software is used Network Segmentation of Big Data environment Implement Patching of all software used Regular vulnerability assessments and penetration testing is performed Ensure Cloud security assessment is performed

20 Access control and authentication Implement Account management, use federated access managment Require strong password PCS DSS requires two factor authentication Control privileged access to the system, consider two factor authentication.

21 Secure data management Encrypt data in transit and at rest, to ensure data confidentiality and integrity. Ensure proper encryption key management solution Design databases with confidentiality in scope Consider the timeframe for which the data should be kept

22 Logging and Monitoring Implement audit logging Build UBA (User Behavior Analytics) detection and alerts Monitor and detect Insider threats Monitor and detect external threats

23 Incident Response Incident response plan to include Big data Build forensics capabilities Response plan Insider Threat Include big data in Incident Response retainers Breach Management Planning

24 Privacy requirements Privacy Impact Analysis Patient consent for clinical use Privacy auditing requirements De identification where possible Make sure cyber liability insurance cover the big data

25

26 Reasons Big Data Projects Get delayed or Stopped. Hidden Risks in Big Data Adoption Breach Risks Internal users External shares Backup s, data stores, data feeds Data Concentration Risks Financial position Market position Corporate Compliance risk Data Sharing Risks Compliance challenges with 3 rd party risk Cross border, data residency Data in and out of the enterprise Big Data Enables deeper data analysis More value from old data New risks if data is not protected Cloud Adoption Risks Sensitive data in untrusted systems Data in storage, in use, transmitted to cloud 26

27 The National Institute of Standards and Technology (NIST) is attempting to create standards for Big Data The NIST Big Data interoperability framework is a massive work consisting of 7 volumes. All are open for comments Volume 1: Definitions Volume 2: Taxonomies Volume 3: Use Cases and General Requirements Volume 4: Security and Privacy Volume 5: Architectures White Paper Survey Volume 6: Reference Architecture Volume 7: Standards Roadmap.

28

29 References Big Data Security; Good Practices and Recommendations on the Security of Big Data Systems by Enisa certification The NIST Big Data interoperability framework is a massive work consisting of 7 volumes. All are open for comments Gartner

30 Data Governance Information & Data Governance People & Culture Policy, Procedures, Processes Data Enablers Data Quality Training & Communication Information Lifecycle Management Security, Compliance & Privacy Core disciplines Architecture & Standards Metadata, Master Data Management Audit, Monitoring, Reporting Supporting disciplines Process Technology

31 Control areas 00 Source: 2015 enisa report on Big data ( (European Union Agency for Network and Information Security) report

32 Key challenges related to the secure use of Big Data Access control and authentication in a Big Data environment access to data is given to different people and entities in order to make computation and decisions. Maintaining the desired level of access control and authentication is a potential problem, as some of the entities might not have the capabilities to use the required security level. Secure data management the vast amount of logs the Big Data system collects is a key issue because the big volume of logs needs to be stored and protected. Proper protection is one issue, but there is also another it should be possible to restore them in a secure way. Source validation and filtering the essential use of a Big Data system is that it could collect information from many sources. Some of these sources may not be verified or trusted. Making analysis or decisions based on input that has not been verified could lead to potentially incorrect results. Source: Enisa Study December 2015

33 Key Considerations Most Big Data projects are associated with Data Warehouse projects What is your data warehouse strategy (e.g. expansion, ETL offload to Data Warehouse, integrating new data sources )? What is your use case(s)? What does the business need? If you use de identified data in data warehouse, would you ever need to get back to the original data? Will you have sensitive data going into Data warehouse(pii, PCI, PHI)? What compliance or privacy regulations are you concerned about addressing? Do you need data protection across disparate systems (open systems to mainframe)? 33

34 Data analytics for security Privacy preserving/enhancing technologies Big data scale crypto Cloud Attack Surface Reduction Policy and Governance To address data governance challenges and contribute to development of standards in the areas of security and governance in big data technologies. Define Big Data Framework & Taxonomy to (i) get a common understanding of Big Data terms & definitions and (ii) act as a structure to which all the Big Data Initiatives can be linked. Two separate initiatives now, but may become one. Framework and Taxonomy Legal Issues Top 10

35

36 Risks and Threats Incident response plan to include Big data Forensics capabilities Insider Threat Incident Response retainers Breach Management Planning