Perspectives on Navigating the Challenges of Cybersecurity in Healthcare

Transcription

1 Perspectives on Navigating the Challenges of Cybersecurity in Healthcare May

2 Agenda 1. Why the Healthcare Industry Established HITRUST 2. What We Are and What We Do 3. How We Can Help Health Plans Manage Cyber Risk 4. What Are Common Questions and Misconceptions 5. How To Get Engaged and Locate Resources 2

3 WHY THE HEALTHCARE INDUSTRY ESTABLISHED HITRUST 3

4 Industry Challenges as Catalyst for HITRUST In 2006, healthcare organizations faced multiple challenges with regards to information security: Costs and complexities of redundant and inconsistent requirements and standards Confusion around implementation and acceptable baseline controls Information security audits subject to different interpretations of control objectives and safeguards Increasing scrutiny and similar queries from regulators, auditors, underwriters, customers and business partners Growing risk and liability associated with information protection Lack of educational resources available to health information security professionals 4

5 Confusion with Existing Standards (Circa 2007) The multitude of standards and regulations in the healthcare industry introduces ambiguity, inefficiencies, cost and distraction from the complicated business of protecting healthcare organizations The corresponding table denotes how a variety of standards address Access Control. Standard CPA Firm (SAS 70, SysTrust, SoX) PCI CCHIT ISO Access Control Variations The logical access to and use of IT computing resources should be restricted by the implementation of adequate identification, authentication and authorization mechanisms, linking users and resources with access rules. Such mechanisms should prevent unauthorized personnel, dial-up connections and other system (network) entry ports from accessing computer resources and minimize the need for authorized users to use multiple sign-ons. Procedures should also be in place to keep authentication and access mechanisms effective (e.g., regular password changes.) Limit access to computing resources and cardholder information to only those individuals whose job requires such access. Identify all users with a unique username before allowing them to access system components or cardholder data. The system shall enforce the most restrictive set of rights/privileges or accesses needed by users/groups (e.g. System administration, Clerical, Nurse, Doctor, etc.), or processes acting on behalf of users, for the performance of specified tasks. There shall be a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services. The allocation and use of privileges shall be restricted and controlled. Example Implementation Standards Access Control Human Resources Security Risk Assessment Security Policy Organization of Information Security Compliance Asset Management Physical and Environmental Communications and Operations Management Information Systems Acquisition, Development, and Maintenance Incident Management Business Continuity URAC HITSP NIST COBIT ITIL HIPAA Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights. Access Control is managed (created, modified, deleted, suspended, or restored, and provisioned based on defined rules and attributes). Data access policy is enforced. User data are located by an entity with the ability (privileges) to search across systems. Protected data are accessed based on access control decisions information attributes for data access. Select protected data are blocked from users otherwise authorized to access the information resource. A subject can execute a transaction only if the subject has selected or been assigned a role. The identification and authentication process (e.g. login) is not considered a transaction. All other user activities on the system are conducted through transactions. Thus all active users are required to have some active role. A subject s active role must be authorized for the subject. With (1) above, this rule ensures that users can take on only roles for which they are authorized. A subject can execute a transaction only if the transaction is authorized through the subject s role memberships, and subject to any constraints that may be applied across users, roles, and permissions. This rule ensures that users can execute only transactions for which they are authorized. The logical access to and use of IT computing resources should be restricted by the implementation of adequate identification, authentication and authorization mechanisms, linking users and resources with access rules. Such mechanisms should prevent unauthorized personnel, dial-up connections and other system (network) entry ports from accessing computer resources and minimize the need for authorized users to use multiple sign-ons. Procedures should also be in place to keep authentication and access mechanisms effective (e.g., regular password changes). Access Management is effectively the execution of both Availability and Information Security Management, in that it enables the organization to manage the confidentiality, availability and integrity of the organization s data and intellectual property. Access Management ensures that users are given the right to use a service, but it does not ensure that this access is available at all agreed times - this is provided by Availability Management. Implement policies and procedures for granting access to electronic PHI through access to a workstation, transaction, program, process or other mechanism. Implement policies and procedures that based upon the entity s access authorization policies, establish, document, review, and modify a user right of access to a workstation, transaction, program or process. 5

6 HITRUST Mission and Objectives In 2007, the Health Information Trust Alliance or HITRUST was formed by a group of concerned healthcare organizations out of the belief improvements in the state of information security and privacy in the industry are critical to the broad adoption, utilization and confidence in health information systems, medical technologies and electronic exchanges of health information, all of which are necessary to improve the quality of patient care while lowering the cost of healthcare delivery. Key focus: Increase the protection of protected health and other sensitive information Mitigate and aid in the management of risk associated with health information Contain and manage costs associated with appropriately protecting sensitive information Increase consumer and governments confidence in the industry's ability to safeguard health information Address increasing concerns associated with business associate and 3rd party privacy, security and compliance Work with federal and state governments and agencies and other oversight bodies to collaborate with industry on information protection Facilitate sharing and collaboration relating to information protection amongst and between healthcare organizations of varying types and sizes Enhance and mature the knowledge and competency of health information protection professionals 6

7 WHAT WE ARE AND WHAT WE DO 7

8 HITRUST in a Snapshot Best known for: Developing HITRUST CSF-- in 7th major release Annual health information breach and loss analysis report Cyber preparedness and response exercises CyberRX Adoption of CSF By 83% of hospitals 1 (most widely adopted) By 82% of health plans 2 (most widely adopted) Adoption of CSF Assurance Over 23,000 CSF assessments in last three years (10,000 in 2014) Most widely utilized approach by healthcare organizations and 3rd party risk assessments Supports State of Texas Privacy and Security Certification SecureTexas Supporting Cyber Threat Intelligence Sharing and Incident Preparedness and Response Operates Cyber Threat Exchange (CTX) as industry cyber threat early warning system and to automate indicator of compromise distribution Federally recognized Information Sharing and Analysis Organization (ISAO) Information sharing agreement with Department of Health and Human Services (HHS) Information sharing agreement with the Department of Homeland Security as part of critical infrastructure program Partnership with HHS for monthly industry cyber threat briefings Partnership with HHS for industry cyber threat preparedness and response exercises CyberRX Information Protection Education and Training Over 1500 professionals obtained Certified Common Security Framework Practitioner (CCSFP) designation CSF specific Partnered with International Information System Security Certification Consortium, Inc., (ISC)² to develop broader healthcare certified information security professional credential HealthCare Information Security and Privacy Practitioner (HCISPP) Annual conference: In 2012 HITRUST began holding health information protection professional annual conference 1 Based on facilities in the 2011 AHA hospital and health system data as of Dec Based on health plans with over 500,000 members as of Dec

9 HITRUST Primary Focus Areas in 2015 Risk Management and Compliance CSF CSF Assurance Other Programs Third-party Assurance MyCSF SecureTexas Standards Scorecards Combined Program Reporting Cybersecurity Threat Intelligence and Incident Coordination Center (C3) Cyber Threat XChange CyberVision CyberRX Cyber Threat Briefings Cyber Discovery Study Education and Research HITRUST Academy Leadership Roundtable White papers and guidance documents Information protection-related studies 9

10 Risk Management and Compliance HITRUST CSF Prescriptive, Scalable and Certifiable Risk Framework Built for Healthcare HITRUST CSF, a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information Incorporates both information security and privacy ISO being used as the foundation upon which the CSF controls were built. ISO/IEC provides an international standard for the implementation and maintenance of an information security management system (ISMS) Harmonizes multiple healthcare specific regulations and standards Now includes 25 major authoritative sources including federal and state regulations, globally recognized standards, and industry best practices Addresses industry challenges by leveraging and enhancing existing standards and regulations to provide organizations of varying sizes and risk profiles with prescriptive implementation requirements Implementation requirements based on specific risk factors allows organizations to focus on implementing the requirements and measuring excessive residual risk by the maturity of their implementation Resulting in a risk- rather than compliance-based information protection approach Standards Incorporated Into the CSF 16 CFR Part 681 Identity Theft Red Flags 201 CMR State of Massachusetts Data Protection Act Cloud Security Alliance (CSA) Cloud Controls Matrix v1.1 CMS IS ARS 2012 v2 COBIT 4.1 and 5 Encryption and Destruction Guidance Federal Register 45 CFR Parts 160 and 164 Federal Register 21 CFR Part 11 HIPAA Federal Register 45 CFR Part 164 (Omnibus) ISO/IEC 27001/2:2005 & 2011 ISO/IEC 27799:2008 Joint Commission NIST Cybersecurity Framework (CsF) NIST Special Publication r4 NIST Special Publication NRS: Chapter 603A State of Nevada PCI Data Standard v3 Texas Health and Safety Code 181 State of Texas Texas Administrative Code State of Texas 10

11 Risk Management and Compliance HITRUST CSF HITRUST maintains, supports and ensures the relevancy and applicability Updates authoritative sources and incorporated frameworks, standards and regulations Performs analysis on breach incidents to determine impact on CSF guidance and risk factors Updated no less frequently than annually and is available for comment by the healthcare industry and professional services firms Adds addition sources based on industry input and CSF Advisory Committee Public comment period for each release Mapping and analysis provided for review Recent updates Release v6.1 in Apr 2014 integrated the NIST cybersecurity framework Release v7 in Jan 2015 incorporated Mars-E and HIPAA-based privacy requirements Upcoming Release v8 in Dec 2015 will incorporate PCI updates and streamlined assessment requirements for privacy and small organizations such as physician practices Meaningful Use Meaningful Use COBIT COBIT HIPAA Omnibus Final Rule ISO 27001/2 Texas Health & Safety Code NIST ISO 27001/2 HIPAA Omnibus Final Rule HITRUST CSF Texas Health & Safety Code NIST FTC Red Flag s PCI FTC Red Flag s PCI 11

12 Risk Management and Compliance HITRUST CSF Comparison With Other Frameworks Requirement CSF COBIT PCI ISO NIST HIPAA Comprehensive general security Yes Yes Yes Yes Yes Partial Comprehensive regulatory, statutory, and business requirements Yes No No No No No Prescriptive Yes No Yes Partial Yes No Practical and scalable Yes Yes No No No Yes Audit or assessment guidelines Yes Yes Yes Yes Yes No Certifiable Yes Yes Yes Yes No No Support for third-party assurance Yes Yes Yes Yes No No Open and transparent update process Yes No Yes Yes Yes Yes Cost Free Free Free Subsc. Free Free Ongoing enhancements and maintenance reduce organizations from the complexity and expense of integrating and tailoring these multiple requirements and best practices into a custom framework The HITRUST CSF is supported by a broader risk management framework (RMF), which includes the CSF Assurance Program and supporting methodologies and tools 12

13 Risk Management and Compliance CSF Assurance Organizations face multiple and varied assurance requirements from a variety of parties, including increased pressure and penalties associated with HHS enforcement efforts and an inordinate level of effort on negotiation of requirements, data collection, assessment and reporting. Healthcare Organization Healthcare Organization Healthcare Organization Analyze Results and Mitigate HITRUST CSF Assurance Program Assess and Report Status with Corrective Actions Business Associate Business Associate Business Associate The HITRUST CSF Assurance Program provides: A risk-based approach to selecting controls for assessment and formal certification A common, standardized methodology to effectively and consistently measure compliance and risk Simplified information collection and reporting Consistent testing procedures and scoring Demonstrable efficiencies and cost-containment Assessments performed by qualified professional services firms CSF Assessors 13

14 Risk Management and Compliance CSF Assurance Combined CSF and SOC2 Reports HITRUST and the American Institute of CPAs (AICPA) have partnered to enable organizations to utilize the HITRUST CSF as the controls for their SSAE16 SOC2 A converged HITRUST and AICPA reporting model helps organizations leverage the work invested in a CSF implementation to meet their Service Organization Control (SOC2) reporting requirements Final guidance should be available in June

15 Risk Management and Compliance Other Programs Third-party Assurance Streamlines the business associate assurance process Utilizes the tools and methodologies of the CSF Assurance Program Allows healthcare organizations to efficiently and effectively assess their business partners and manage risk Allows assessed organizations to undergo one assessment and report to multiple entities Many healthcare entities accept a CSF validated and certified reports for evaluating 3rd party information protection and some require We have seen the list requiring it growing in the last three months Many business associates are CSF Certified recent additions: Microsoft Office365 Amazon AWS 15

16 Risk Management and Compliance Other Programs MyCSF: Provides a cost-effective, comprehensive tool to perform assessments and manage compliance. Full or customized views of the CSF Multiple questionnaires with increasing levels of granularity Industry benchmarking data Supports reporting and remediation 16

17 Risk Management and Compliance Other Programs SecureTexas Texas Health Services Authority awarded HITRUST to provide the first state-sponsored covered entity privacy and security certification in the United States Allows THSA to provide certification specified in Texas House Bill 300 Certification offers penalty reduction and risk mitigation Current bill in Texas Senate to provide safe harbor Model that other states are reviewing 17

18 Risk Management and Compliance Alignment with NIST CsF NIST Cybersecurity Framework provides a high-level incident response-oriented framework by which critical infrastructure industries can develop and implement industry, sector, or organizational-level risk management programs that are holistic, based upon a common set of principles, and can be communicated with stakeholders regardless of organization, sector or industry. HITRUST provides an RMF that is consistent with the NIST Cybersecurity Framework for the healthcare industry and either meets or exceeds the requirements and also addresses non-cyber threats and incorporates a robust assurance program More specifically: NIST Cybersecurity Framework categorizes cybersecurity controls according to an incident response process (functions and sub-functions) as opposed to a traditional RMF NIST Cybersecurity Framework incorporates 80% of the NIST SP r4 security controls for the moderate level baseline by reference, whereas the CSF fully incorporates the NIST security and privacy controls HITRUST CSF provides an integrated, harmonized set of requirements specific to healthcare as compared to individual references to controls in NIST and other frameworks HITRUST CSF Assurance Program provides an integrated set of tailorable requirements, which are fully supported by an integrated maturity model HITRUST CSF Assurance Program provides a pool of vetted assessor organizations and centralized quality assurance processes to ensure consistent and repeatable assessments 18

19 Risk Management and Compliance Alignment with NIST CsF NIST Cybersecurity Scorecard HITRUST mapped the HITRUST CSF to the NIST Cybersecurity Framework to provide organizations with a healthcare-centric cybersecurity scorecard based on the NIST Framework s subcategories The ability for organizations to use the HITRUST CSF and NIST Cyber Security Framework reporting model helps organizations leverage the work invested in a CSF implementation to assess once and report on their various requirements 19

20 Cybersecurity HITRUST Cyber Threat Xchange (CTX) HITRUST Cyber Threat XChange (CTX) automates the process of collecting and analyzing cyber threats and distributing actionable indicators in electronically consumable formats that organizations of varying sizes and cyber security maturity can utilize to improve their cyber defenses Designed to optimize the way organizations defend against cyber-attacks, complementing traditional signature and anomaly based technologies, CTX delivers a data driven security approach that enables your existing security investments to function more effectively. HITRUST CTX is available in multiple subscription levels; the basic subscription (available free) includes the following features: Advanced intelligence specific to the healthcare industry Intelligence from DHS,US CERT, DHHS and many healthcare organizations Tracking of top threat actors observed targeting the healthcare sector Suspicious domain registrations Key word alerting for compromised credentials Indicators of compromise specific to healthcare industry Integrated sandboxing for malware analysis SIEM Integration and automated alerting Additional features are available in the premium subscription levels Added 500 organizations in last 8 weeks with many health plans IOC sharing circle specific to health plans 20

21 Cybersecurity CyberRX HITRUST CyberRX is a series of no cost, industry-wide exercises coordinated by HITRUST in conjunction with the U.S. Department of Health and Human Services, with the mission to mobilize healthcare organizations and explore innovative ways of improving preparedness and response against cyber attacks intended to disrupt the nation s healthcare operations Driven by lessons learned and recommendations from the Spring 2014 event, the expanded CyberRX 2.0 program features progressive local-, regional- and national-level exercises that will allow more participants at all levels of maturity to join based on their type of organization, size and experience with cyber prevention and simulations HITRUST has added a CyberRX Health Plan exercise for the Summer of 2015 with 20 health plans, HITRUST, CMS and HHS participating 21

22 Cybersecurity HITRUST Cybervision HITRUST CyberVision is the first real-time situational awareness and threat assessment tool tailored to the healthcare industry It can automatically notify healthcare organizations and information security vendors of the emerging cyber threats for which a counter measure is not available, and before the exploit has been weaponized 22

23 Cybersecurity Monthly Cyber Threat Briefings As the number of cyber-attacks targeted at the healthcare industry rises, HITRUST and the Departments of Health and Human Services and Homeland Security have partnered to provide a monthly cyber threat briefing to aid organizations in better understanding current and probable cyber threats relevant to the healthcare industry and to share best practices for cyber threat defense and response 23

24 Cybersecurity Cyber Discovery Study HITRUST Cyber Discovery Study was undertaken to enable a better understanding Actual Magnitude Complexity Relations of Cyberattacks Commonalities of Target Organizations and Data Degree of Cyber Threats Persisting Within Organizations The goal is to accurately identify attack patterns and persistence, as well as the magnitude and sophistication of specific threats across enterprises. Participants will benefit from having access to highly sophisticated collection and analysis tools and resources to provide detailed information regarding cyber events and threats within their environment free of charge. 24

25 Education and Research HITRUST Academy: HITRUST Academy offers the only training courses designed to educate healthcare security professionals about information protection in the healthcare industry and the utilization of the HITRUST CSF to manage risk. The courses are intended to prepare security professionals for assessing against the evolving compliance landscape shaped by Omnibus, HIPAA, CMS and various other federal, state and business requirements. Leadership Roundtable: This program is intended exclusively for executives responsible for the protection of healthcare information and for the purpose of exploring, discussing, learning, collaborating and, where appropriate, agreeing upon a variety of topics relating to information security in the healthcare industry. Educational White Paper and Webinar Series: Best Practices & Lessons Learned Implementing the CSF Webinar and white paper series that features detailed information and analysis on relevant and timely topics and real world examples from organizations using the HITRUST CSF and CSF Assurance Program to manage their information security programs. Hear from a diverse group of presenters covering best practices, lessons learned and practical information that can be leveraged by other organizations facing the same requirements and challenges. Annual HITRUST Conference: The HITRUST Conference is the only event dedicated to exploring all aspects of healthcare information protection and utilization of the HITRUST CSF and CSF Assurance Program; with the goal of enabling attendees to more effectively meet compliance requirements and improve information protection. 25

26 HOW CAN WE HELP HEALTHCARE ORGS MANAGE CYBER RISK? 26

27 Things to Do Leverage and adopt the HITRUST CSF Incorporates key controls and guidance related to cyber risk Incorporates and harmonizes the NIST Cybersecurity Framework In addition to the other controls relating to regulatory and business requirements Leverage CSF Assurance program Assess against cyber and other controls to understand current level of control maturity, gaps and risks Participate in Cyber Threat Exchange Access to threat indicators and other intel Engage in active sharing not just consuming Health plan and BCBS trust circle for additional sharing Leverage SIEM integration to make more actionable and consumable Participate in the CyberRX program Great resource for developing and testing response plans Specific exercise this summer 2015 for health plans Crisis and incident response plan best practices session for health plans on May 21,

28 Things to Consider Evaluate CyberVision Provides situational awareness Cyber Discovery study There are some significant benefits that organizations will derive from participating in the study Access to best in class and state of the art cyber threat detection technology1 to identify cyber threats, attack and events for the duration of the study, or approximately 90 days Access to highly skilled resources to help you understand more about cyber-attacks and incidents Better understanding of cyber forensics and use of analytical tools as part of an organizations cyber risk management program Detailed analysis and understanding of cyber threats and events directly affecting your organization Utilize MyCSF to create a NIST Cybersecurity Scorecard Leverages the CSF Control guidance to provide industry context for a NIST Cybersecurity Framework assessment 28

29 WHAT ARE SOME COMMON QUESTIONS AND MISCONCEPTIONS? 29

30 Common Questions and Misconceptions Should a healthcare entity choose the HITRUST CSF, NIST Cybersecurity Framework, or the NIST or ISO control frameworks? With adoption of the HITRUST CSF a healthcare organization can leverage and benefit from them all The HITRUST RMF, which consists of the CSF, CSF Assurance Program and supporting tools, methods and services, is actually a model implementation of the NIST Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) for the healthcare industry. The HITRUST RMF provides the necessary context for a healthcare-specific implementation of the NIST Cybersecurity Framework by integrating multiple healthcare-relevant legislative, regulatory and best practice guidelines and frameworks such as the HIPAA Security Rule and NIST SP 800-series and ISO series guidance. These integrated controls are then tailored further by allowing organizations to select a reasonable and appropriate subset of these controls based on their specific organizational, system and regulatory risk factors. 30

31 Common Questions and Misconceptions Is the HITRUST CSF a replacement standard for HIPAA or NIST ? No, the HITRUST CSF integrates NIST SP and other relevant information protection standards to provide the prescription necessary to fully implement the requirements specified in the HIPAA Security Rule. Why is the HITRUST CSF needed? Why can t we use HIPAA or NIST? As risk analysis can be difficult for many healthcare organizations, HITRUST leverages frameworks like NIST to provide a common baseline of protection against reasonably anticipated threats to ephi. HITRUST then tailors all the controls in the CSF to provide a healthcare-specific context and support the selection of multiple framework overlays essentially new control baselines for a common type or class of healthcare entity based on defined organizational, system and regulatory risk factors. Although additional tailoring by an organization is necessary, this common set of baselines supplemented by a common assessment and certification methodology provides for the standardized reporting of risk and sharing of assurances with internal and external stakeholders (e.g., management, business partners and regulators) around the efficient and effective implementation of those standards by healthcare organizations. 31

32 HOW TO LOCATE RESOURCES AND GET ENGAGED 32

33 Engage with HITRUST Download or signup for access to these no-cost resources and subscriptions: HITRUST CSF HITRUST Cyber Threat XChange CyberRX Playbook and Exercise Participation Cyber Discovery Study Monthly Cyber Threat Briefings MyCSF HITRUST CyberVision 33

34 Engage with HITRUST Download these Whitepapers and Presentations: Leveraging Healthcare s Risk Management Framework to Manage Business Risk How to Approach/Simplify Meaningful Use and Privacy Risk Assessments Webinar_Final.pdf Streamlining and Enhancing the NIST Framework to Achieve HIPAA Compliance Guidance for Healthcare Organizations to Assess Cybersecurity Preparedness 34

35 Engage with HITRUST More Whitepapers and Presentations: Implementing the NIST Cybersecurity Framework in Healthcare Risk vs. Compliance-based Information Protection Risk Analysis Guidance Why your HIPAA Risk Analysis May Not Actually Be HIPAA-compliant 35