Does Your Information Security Program Measure Up? Session #74

Transcription

1 Does Your Information Security Program Measure Up? Session #74 DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or position of HIMSS.

2 Conflict of Interest Disclosure Alain Bouit Has no real or apparent conflicts of interest to report Tom Walsh Has no real or apparent conflicts of interest to report 2013 HIMSS

3 Measuring Why measure? "What gets measured gets done." Peter Drucker, Tom Peters, Edwards Deming What to measure? The overall effectiveness of the program How to measure? We ll provide some examples

4 Objectives Review the core elements that govern an information security program (Tom) Summarize the common findings from past OCR audits and some of the triggers that would increase the likelihood of an audit (Tom)

5 Objectives Determine appropriate matrices for measuring the effectiveness of an information security program (Alain) Identify the best ways to periodically communicate program measures to executive management (Alain)

6 Objectives Assess what other organizations are doing (common practices) to manage their information security programs (Tom) Present indicators to determine if an organization s program is on the right path toward compliance (Tom)

7 Alain Bouit, CISSP Introductions Director IT Security, Adventist Health, Roseville, CA 8 years with Adventist Health Factoid: Lived all over the world Tom Walsh, CISSP Independent consultant, Overland Park, KS Co-authored four books Factoid: It s my 16 th consecutive year at HIMSS

8 Steps to Building a Program 5. Optimizing Desired state Maintain 4. Measuring Monitor and evaluate 3. Implementing Safeguards and controls 2. Defining expectations Policies, procedures, and plans 1. Getting started Risk analysis and compliance (program drivers)

9 Governance Defined Setting clear expectations for the conduct (behaviors and actions) Directing, controlling, and strongly influencing to achieve expectations Using a framework for guidance Doing things right and at the right time GRC = Governance, Risk, and Compliance

10 Drivers for GRC Besides HIPAA, there is a wide range of legislation and industry requirements: State law Massachusetts Data Protection Law California data security breach notification law Payment Card Industry Data Security Standards Joint Commission IM Standards

11 Some Governance Frameworks ISO (current); ISO (old std.) NIST National Institute of Standards and Technology, Special Publications, 800 series ITIL Information Technology Infrastructure Library COBIT Control Objectives for Information and (Related) Technology HITRUST Health Information Trust Alliance established the Common Security Framework

12 Sample Elements of Governance Access Control and Management Audit and Accountability Awareness and Training Business Continuity and Contingency Planning Computer Workstation and Mobile Device Security Configuration Management and Change Control Disaster Recovery Planning Evaluation and Validation Identification and Authentication Incident Reporting and Response Information Integrity Information Security Responsibilities Media Protection and Controls Network Connectivity and Interfacing Personnel Security Procedures Physical and Environmental Protection Policies, Procedures, and Plans Risk Analysis and Management Sanctions

13 Security Governance Example Information Security Governance Description Organizational Policy HIPAA PCI DSS Access Control and Management Requesting user accounts, modifying user access privileges, authorizations, removal of accounts (a)(4)(i) (a)(4)(ii)B (a)(4)(ii)C (a)(1) Requirement 7 Requirement 8 Audit and Accountability Monitoring and auditing access to or use of resources (a)(1)(ii)(D) (b) Requirement 10 Awareness and Training Conducting comprehensive security training, education and awareness program (a)(5)(i) (a)(5)(ii)(A) Requirement 12.6 Business Continuity and Contingency Planning Implementing Business Continuity Planning including criticality / business impact analysis, data backup, contingency and disaster recovery planning (a)(7)(i) (a)(7)(ii)(A) (a)(7)(ii)(B) (a)(7)(ii)(C) (a)(7)(ii)(D) (a)(7)(ii)(E) Requirement Configuration Management and Change Control Managing, communicating and documenting configuration changes to information systems None Requirement 6.3 Requirement 6.4 Requirement 2

14 Timeline of Compliance Audits Date Action Taken CMS HIPAA Compliance Reviews 2012 HIPAA Security audits conducted by KPMG June 2012 November 2012 HIPAA Audit Protocol released Medicare EHR incentive program audits

15 CMS Audit Reports Seven common areas of concern 1. Risk Assessment 2. Currency of Policies and Procedures 3. Security Awareness and Training 4. Workforce Clearance 5. Workstation Security 6. Encryption 7. Business Associate Contracts and Other Arrangements 15

16 CMS Audit Reports 2012 Source: 2012 HIPAA Privacy and Security Audits, Linda Sanches, OCR Senior Advisor, Health Information Privacy Lead, HIPAA Compliance Audits 16

17 Adventist Health (AH) 19 hospitals with more than 2,700 beds California, Hawaii, Oregon and Washington More than 150 clinics and outpatient centers 39 rural health clinics 14 home care agencies and 6 hospice agencies Four joint-venture retirement centers Workforce of 28,700 includes: 21,000 employees 4,500 medical staff physicians

18 Three Levels of Measurement at AH 1. Enterprise (corporate) level Is the program based upon GRC? 2. Entity (facility) level Are corporate policies being implemented? Does each facility have a plan to address risks? 3. Control level Has the control been implemented? How effective is the control?

19 Steps to Building a Program 5. Optimizing Maintain 4. Measuring Monitor and evaluate 3. Implementing 2. Defining expectations Safeguards and controls 3. Control level Policies, procedures, and plans 2. Entity Level 1. Getting started Risk analysis and compliance (program drivers) 1. Enterprise Level

20 1. Enterprise Level Example Threat: Policy: Measures: Noncompliance with HIPAA Security Rule Maintain compliance with government and state regulations # of high and moderate risk findings identified in the annual HIPAA review Completed PCI DSS Self assessments

21 2. Entity Level Example Threat: Policy: Measures: Disaster in local data center Maintain and test a disaster recovery plan Inventory of locally hosted applications An updated disaster recovery plan Results from most recent exercise or test

22 3. Control Level Example #1 Threat: Policy: Measure: Unauthorized access to PHI Encrypt devices storing PHI Monthly report of the # of laptops and workstations that store PHI and that are not encrypted

23 3. Control Level Example #2 Threat: Policy: Measures: Authorized user misusing their privileges Audit and monitor user activity in the EHR Reports on the # of individuals audited # of users caught accessing a patient s record inappropriately

24 Measuring Effectiveness Sample Level Maturity Description Grade 0 Absence There is absolutely no evidence of any activities supporting the process 1 Initiation There are ad-hoc activities present, but we are not aware of how they relate to each other within a single process F F 2 Awareness We are aware of the process but some activities are still incomplete or inconsistent; there is no overall measuring or control 3 Control The process is well defined, understood and implemented 4 Integration Inputs from this process come from other well controlled processes; outputs from this process go to other well controlled processes 5 Optimization This process drives quality improvements and new business opportunities beyond the process D C B A ITIL Maturity Model

25 Measuring Effectiveness Sample Maturity Level Description Breakdown 0 Nonexistent Processes are not applied at all 1 1 Initial/Ad Hoc Processes are ad hoc & disorganized 12 2 Repeatable but Intuitive Processes follow a regular pattern 30 3 Defined Process Processes are documented & communicated 10 4 Managed & Measurable Processes are monitored & measured 0 5 Optimized Industry practices are followed & automated 0 N/A Not Applicable Control does not apply 1 Total 54 Maturity levels for management and control over information security processes is based on an approach defined by the Control Objectives for Information and related Technology (CobiT) framework (

26 Original Maturity Model at AH Based on ISO Security Framework

27 Communicating Program Measures Executives primary concerns: Does the program support the AH mission? Does the program meet the Information Technology Services (ITS) department goals? Do we comply with regulation and legal statutes? Are risks managed appropriately? Are we maintaining efficient, uninterrupted operational processes for our caregivers? Are we fostering a positive public image?

28 HIPAA Compliance Dashboard

29 PCI Compliance Dashboard

30 Common Practices Hiring consultants to conduct a review Using tools to monitor the program NIST HIPAA Security Toolkit Measuring the program against the HIPAA Audit Protocol Participating in forums and workgroups to share best and common practices

31 Managing Your Program What are you doing? Audience Participation

32 Positive Program Indicators (1) Regulations a good understanding Risk analysis documented proof, signed off by management Risk management remediation plan Responsibilities for security well defined Policies, procedures, and plans easy to find, periodically reviewed and updated

33 Positive Indicators (2) Security education, awareness, & training strategy or plan exists Incident reporting and response evidence that incidents are tracked Monitoring and measuring matrices Evaluation (technical and nontechnical) controls are monitored; periodic review Contingency and disaster plans tested

34 Summary Information Security programs should be based upon a governance structure HIPAA compliance is becoming more critical due to increasing audit activity Create objects and measure Present results to executive management Find out what others are doing Keep on the right path and manage risks

35 Questions?

36 Thanks for Attending Alain Bouit Adventist Health Roseville, CA Tom Walsh Tom Walsh Consulting, LLC Overland Park, KS