Health Industry Implementation of the NIST Cybersecurity Framework: A Collaborative Presentation by HHS, NIST, HITRUST, Deloitte and Seattle Children's Hospital 1
Your presenters
HHS: Steve Curren, Acting Director, Division of Resilience (ASPR/OEM); Dr. Laura Kwinn Wolf, Acting Branch Chief, Critical Infrastructure Protection (ASPR/OEM)
NIST: Kevin Stine, Leader, Cybersecurity and Privacy Applications Group, Applied Cybersecurity Division
HITRUST: Dr. Bryan Cline, Vice President, Standards & Analytics
Deloitte: Raj Mehta, Partner, Cyber Risk Services
Seattle Children's Hospital: Dr. Cris Ewell, Chief Information Security Officer
2
What we'll do today
- Provide information on the HPH CISR and various programs in support of industry (HHS)
- Provide an overview and background of the NIST CsF, along with its purpose and potential benefits (NIST)
- Review the cybersecurity implementation approach outlined in the updated health industry implementation guidance on cybersecurity (HITRUST)
- Discuss how the HITRUST CSF integrates the NIST CsF and adds industry context to help healthcare organizations improve the management of cybersecurity risk (Deloitte)
- Discuss how Seattle Children's Hospital and others leverage the HITRUST CSF to implement cybersecurity within their organizations (Seattle Children's)
3
HHS CRITICAL INFRASTRUCTURE & RESILIENCE (CISR) INITIATIVES 4
Critical Infrastructure Protection
HHS/ASPR's Critical Infrastructure Protection Program: leveraging resources to enhance the security and resilience of our nation's healthcare and public health critical infrastructure through partnerships with FSLTT governments and the private sector. http://phe.gov/cip
2015-2019 Sector Goals: Risk Management; Information-Sharing; Partnership Coordination; Response and Recovery
Healthcare and Public Health Sector: Direct Healthcare; Pharmaceuticals; Blood; Plans and Payers; Public Health; Medical Materials; Mass Fatality Management; Labs; Health IT
Physical structures and virtual systems; critical foreign dependencies; interdependencies with other sectors (energy, water, power); climate resilience; intelligence sharing
5
Critical Infrastructure Protection Cybersecurity Working Group
Mission: In alignment with existing policies and the NIST Cybersecurity Framework (CsF), leverage and build upon the work of existing organizations within the HPH Sector to provide a forum for discussion of issues and development of needed resources to enhance cybersecurity among a wide variety of HPH, IT and information security professionals, pharmaceuticals, device manufacturers, and health IT developers.
Goals:
1) Safely and securely incorporate technology into healthcare
2) Improve the mechanisms for sharing information among government and private sector partners
3) Assess threats to and vulnerabilities of Sector cyber systems in order to address risks
4) Coordinate development of a tailored, Sector-wide Implementation Guide for the NIST Cybersecurity Framework
6
Critical Infrastructure Protection Enhancing Cybersecurity Information Sharing Outreach and Education Support for Information Sharing and Analysis Organizations (ISAOs) Information Sharing Planning Grant Homeland Security Information Network (HSIN) Information Coordination for Incident Management 7
NIST FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY 8
Cybersecurity Framework (CsF)
As directed by Executive Order 13636, NIST convened industry to create the voluntary Framework for Improving Critical Infrastructure Cybersecurity.
[Timeline figure: EO 13636 (13 February 2013); Request for Information, feedback on the draft, and 5 industry workshops in 5 different cities (workshops & stakeholder engagement); Framework published (12 February 2014).]
The Framework has 3 main components. Framework components are used to align technology, mission and cybersecurity.
The Framework is used broadly: international translations, Federal and state government guidance, sector guidance, and industry white papers.
9
Cybersecurity Framework Components 10
Cybersecurity Framework Components: Core
Each of the five Core Functions answers one question:
Identify: What processes and assets need protection?
Protect: What safeguards are available?
Detect: What techniques can identify incidents?
Respond: What techniques can contain impacts of incidents?
Recover: What techniques can restore capabilities?
11
Cybersecurity Framework Components Core 12
Cybersecurity Framework Components: Framework Profile
- Alignment of Functions, Categories, and Subcategories with business requirements, risk tolerance, and resources of the organization
- Enables organizations to establish a roadmap for reducing cybersecurity risk that is well aligned with organizational and sector goals, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities
- Can be used to describe the current state or the desired target state of cybersecurity activities
- To maximize value, do the following things with your security requirements using a Profile: 1) Align 2) De-conflict 3) Prioritize
[Figure: a Profile spans the Functions Identify, Protect, Detect, Respond, Recover]
13
Cybersecurity Framework Components: Framework Implementation Tiers
[Figure: Tier scale from None through Partial, Risk Informed, Repeatable and Adaptive]
- Allow for flexibility in implementation and bring in concepts of maturity models
- Reflect how an organization implements the Framework Core functions and manages its risk
- Progressive, ranging from Partial (Tier 1) to Adaptive (Tier 4), with each Tier building on the previous Tier
- Characteristics are defined at the organizational level and can be applied to the Framework Core to determine how a category is implemented
14
Industry Use The Framework is designed to complement existing business and cybersecurity operations, and has been used to: Self-Assessment, Gap Analysis, Budget & Resourcing Decisions Standardizing Communication Between Business Units Harmonize Security Operations with Audit Communicate Requirements with Partners and Suppliers Describe Applicability of Products and Services Identify Opportunities for New or Revised Standards As a Part of Cybersecurity Certifications The Framework also supports: Consistent dialog, both within and amongst countries Common platform on which to innovate, and Identify market opportunities where tools and capabilities may not exist today http://www.nist.gov/cyberframework/cybersecurity-framework-industry-resources.cfm 15
Current & Near-Term Framework Activities Collect, Reflect, and Connect understand where industry is having success, help others understand those successes, and facilitate relationships that support use and implementation Continue education efforts, including creation of self-help and re-use materials for those who are new to the Framework Continue awareness and outreach with an eye toward industry communities who are still working toward basal Framework knowledge and implementation Educate on the relationship between the Framework and the larger risk management process, including how organizations can use Tiers Obtain feedback on Framework use and opportunities to improve Continue Community Dialogs with International Governments, Standards Organizations, Domestic Industry, Regulators, Auditors, Insurance, Legal, and others 16
Where to Learn More and Stay Current
NIST Website: http://www.nist.gov
NIST Computer Security Resource Center: http://csrc.nist.gov
The Framework for Improving Critical Infrastructure Cybersecurity, the Roadmap, and related news and information: http://www.nist.gov/cyberframework
For additional NIST Cybersecurity Framework info and help, email cyberframework@nist.gov
17
HITRUST HEALTHCARE SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDE 18
Road to Sector-wide Guidance
HITRUST has published multiple guidance documents over the past several years, e.g.: Risk Management and Analysis; Risk vs. Compliance-based Information Protection; Healthcare's Model Implementation of the NIST CsF
New Healthcare Sector Cybersecurity Framework Implementation Guide: integrated/expanded prior documentation per discussions with HHS; draft guide reviewed by the HITRUST community in the September and October 2015 timeframe; final version published in October 2015 and available now (https://hitrustalliance.net/documents/cybersecurity/hitrust_healthcare_sector_cybersecurity_framework_implementation_Guide.pdf)
19
Joint HPH Sector CsF Implementation Guide Risk Management Sub-working Group (SG) of the Joint HPH Cybersecurity WG Co-chaired by HITRUST and ONC Office of the Chief Privacy Officer Formed to address Goal 4 for the development of Sector-wide guidance Joint GCC/SCC guidance to be based on existing documentation and efforts Healthcare Sector CsF Implementation Guide HITRUST guide under review by the Risk Mgmt. SG Use of existing guide will expedite development Public comment scheduled in November 2015 Anticipate submitting final draft to Joint HPH Cybersecurity WG by the end of December 2015 RM SG Review Industry Review Joint HPH Cybersecurity WG Review 20
Guidance should Be consistent with other Sector implementation guidance Fully address NIST Cybersecurity Framework implementation Use an implementation process consistent with the NIST process Provide prescriptive guidance for all NIST Cybersecurity Framework Subcategories Utilize an organizational maturity model consistent with NIST Tiers Address unique HPH-sector requirements Provide additional prescription not addressed by NIST Framework Specifically address HIPAA Security Rule requirements Integrate other relevant regulatory & best practice requirements, e.g., PCI, NIST Support broad range of HPH Sector entities, including small entities Provide additional value-added guidance, e.g., risk analysis 21
Healthcare Sector Implementation Guide Introduction to the NIST CsF NIST CsF guidance and terminology 22
Healthcare Sector Implementation Guide Healthcare s model implementation Compliance drivers Approach to risk analysis and management Relationship to the NIST CsF 23
Healthcare Sector Implementation Guide Standard NIST implementation approach outlined in NIST CsF document and other Sector-level implementation guides Energy Critical Manufacturing (Draft) 24
Healthcare Sector Implementation Guide
Modified implementation approach that leverages use of a control framework-based risk analysis:
- Target Profile created first
- Then risk (control) assessment
- Gaps identify the Current Profile
- Gap analysis used to prioritize gaps and support corrective action planning
25
Healthcare Sector Implementation Guide
Control-level maturity model that can be used to estimate NIST CsF Implementation Tier level. (This table numbers the Tiers 0 to 3; the NIST Framework itself numbers the same four Tiers 1 to 4, Partial through Adaptive, as on slide 14.)

Cybersecurity Implementation Tiers

Tier 0: Partial
  Description: Organization has not yet implemented a formal, threat-aware risk management process and may implement some portions of the framework on an irregular, case-by-case basis; may not have capability to share cybersecurity information internally and might not have processes in place to participate, coordinate or collaborate with other entities.
  Approximate HITRUST maturity levels: Level 1 Partial; Level 2 Partial; Level 3 Partial; Level 4 Non-compliant; Level 5 Non-compliant
  Approximate HITRUST maturity rating: 1 to 3-

Tier 1: Risk-Informed
  Description: Organization uses a formal, threat-aware risk management process to develop the [target] profile [control requirements]; formal, approved processes and procedures are defined and implemented; adequate training & resources exist for cybersecurity; organization is aware of its role in the ecosystem but has not formalized capabilities to interact/share information externally.
  Approximate HITRUST maturity levels: Level 1 Partial; Level 2 Compliant; Level 3 Compliant; Level 4 Non-compliant; Level 5 Non-compliant
  Approximate HITRUST maturity rating: 3- to 3+

Tier 2: Repeatable
  Description: Organization regularly updates the [target] profile [control requirements] due to changing threats; risk-informed policies, processes and procedures are defined, implemented as intended, and validated; consistent methods are in place to provide updates when a risk change occurs; personnel have adequate skills & knowledge to perform tasks; organization understands dependencies/partners and can consume information from these partners.
  Approximate HITRUST maturity levels: Level 1 Compliant; Level 2 Compliant; Level 3 Compliant; Level 4 Partial; Level 5 Partial
  Approximate HITRUST maturity rating: 4- to 5-

Tier 3: Adaptive
  Description: Organization proactively updates the [target] profile [control requirements] based on predictive indicators; actively adapts to changing/evolving cyber threats; risk-informed decisions are part of organizational culture; manages and actively shares information with partners to ensure accurate, current information is distributed and consumed to improve cybersecurity before an event occurs.
  Approximate HITRUST maturity levels: Level 1 Compliant; Level 2 Compliant; Level 3 Compliant; Level 4 Compliant; Level 5 Compliant
  Approximate HITRUST maturity rating: 5 to 5+
26
Healthcare Sector Implementation Guide
Impact ratings (1 to 5) to help organizations evaluate relative residual risk, listed by HITRUST CSF control code:
0 (Information Security Management Program): 0.a 3
01 (Access Control): 01.a 5, 01.b 5, 01.c 5, 01.d 5, 01.e 5, 01.f 5, 01.g 4, 01.h 3, 01.i 4, 01.j 5, 01.k 4, 01.l 4, 01.m 3, 01.n 4, 01.o 3, 01.p 3, 01.q 5, 01.r 4, 01.s 4, 01.t 3, 01.u 3, 01.v 3, 01.w 3, 01.x 5, 01.y 5
02 (Human Resources Security): 02.a 4, 02.b 5, 02.c 5, 02.d 4, 02.e 5, 02.f 5, 02.g 5, 02.h 5, 02.i 5
03 (Risk Management): 03.a 3, 03.b 3, 03.c 3, 03.d 3
04 (Security Policy): 04.a 3, 04.b 3
05 (Organization of Information Security): 05.a 4, 05.b 5, 05.c 3, 05.d 3, 05.e 3, 05.f 4, 05.g 4, 05.h 5, 05.i 4, 05.j 5, 05.k 5
06 (Compliance): 06.a 4, 06.b 4, 06.c 3, 06.d 3, 06.e 5, 06.f 4, 06.g 4, 06.h 4, 06.i 4, 06.j 3
07 (Asset Management): 07.a 4, 07.b 3, 07.c 5, 07.d 4, 07.e 5
08 (Physical and Environmental Security): 08.a 5, 08.b 5, 08.c 5, 08.d 4, 08.e 5, 08.f 4, 08.g 4, 08.h 3, 08.i 4, 08.j 4, 08.k 5, 08.l 5, 08.m 5
09 (Communications and Operations Management): 09.a 5, 09.b 4, 09.c 5, 09.d 4, 09.e 4, 09.f 4, 09.g 4, 09.h 3, 09.i 4, 09.j 4, 09.k 3, 09.l 3, 09.m 4, 09.n 4, 09.o 3, 09.p 5, 09.q 4, 09.r 4, 09.s 5, 09.t 3, 09.u 3, 09.v 4, 09.w 4, 09.x 4, 09.y 4, 09.z 5, 09.aa 3, 09.ab 3, 09.ac 3, 09.ad 3, 09.ae 3, 09.af 3
10 (Information Systems Acquisition, Development and Maintenance): 10.a 4, 10.b 4, 10.c 4, 10.d 3, 10.e 4, 10.f 3, 10.g 3, 10.h 4, 10.i 4, 10.j 4, 10.k 4, 10.l 3, 10.m 3
11 (Information Security Incident Management): 11.a 3, 11.b 4, 11.c 3, 11.d 3, 11.e 3
12 (Business Continuity Management): 12.a 3, 12.b 3, 12.c 3, 12.d 3, 12.e 3
27
Healthcare Sector Implementation Guide Meaningful measures for comparison, benchmarking amongst entities and the sharing of meaningful assurances 28
Healthcare Sector Implementation Guide Mapping of HITRUST CSF controls to NIST CsF subcategories 29
Healthcare Sector Implementation Guide
Mapping of the healthcare CsF implementation process to the control framework-based DHS risk analysis process

Cyber Implementation Process step -> Modified DHS Risk Analysis Process activities
1. Prioritize & Scope, and 2. Orient:
  - Conduct a complete inventory of where ePHI lives
  - Perform a BIA on all systems with ePHI (criticality)
  - Categorize & evaluate these systems based on sensitivity & criticality
3. Create a Target Profile:
  - Select an appropriate framework baseline set of controls
  - Apply an overlay based on a targeted assessment of threats unique to the organization
4. Conduct a Risk Assessment:
  - Evaluate residual risk (risk assessment)
5. Create a Current Profile, and 6. Perform Gap Analysis:
  - Rank risks and determine risk treatments
  - Make contextual adjustments to likelihood & impact, if needed, as part of the corrective action planning process
7. Implement Action Plan:
  - Implement corrective actions and monitor the threat environment
30
Healthcare Sector Implementation Guide Cyber Threat Maturity Model 31
Healthcare Sector Implementation Guide Support for meaningful consumption of threat intelligence 32
Healthcare CsF Scorecard / Cyber Certification
- CsF to CSF mappings complete and available from the NIST CsF Industry Resources website: http://www.nist.gov/cyberframework/cybersecurity-framework-industry-resources.cfm
- Healthcare Sector CsF Scorecard available with the HITRUST CSF v8 release in early 2016: scores NIST CsF subcategories; scores generated granularly at the HITRUST CSF implementation requirement level
- Cyber preparedness certification under development, based on the pre-NIST CsF cybersecurity control analysis: https://hitrustalliance.net/content/uploads/2014/06/hitrust CSFCybersecurityTable.pdf
33
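The modified implementation approach on slides 25, 27, 29 and 33 (Target Profile first, then a control assessment whose gaps define the Current Profile, impact ratings to rank the gaps, and a scorecard that rolls control-level scores up to NIST CsF subcategories through the control mapping) can be exercised end to end with a small script. The Python below is an added example, not code from HITRUST or from the presentation. The control-to-subcategory pairings, the assessment results, the maturity-level weights and the target threshold of 71 are all constructed for illustration; only the six impact ratings are copied from the table on slide 27, and the scoring formula is an assumption, not HITRUST's published method.

```python
"""Gap analysis and NIST CsF scorecard roll-up over HITRUST CSF control assessments.

Added example (not HITRUST's or the presenters' code). Order of operations follows
the slides: Target Profile first, assess controls, gaps define the Current Profile,
rank gaps by impact for corrective action planning, roll scores up by subcategory.
Mapping, assessment results, level weights and target threshold are constructed.
"""
from collections import defaultdict

# HITRUST maturity levels as named in the slides (Level 1 .. Level 5).
LEVELS = ("policy", "procedure", "implemented", "measured", "managed")

# Assumed weight of each level in a 0-100 maturity score (sums to 100).
LEVEL_WEIGHT = {"policy": 15, "procedure": 20, "implemented": 40,
                "measured": 10, "managed": 15}

# Credit for each assessment outcome used in the slides' tier table.
STATUS_CREDIT = {"compliant": 1.0, "partial": 0.5, "non-compliant": 0.0}

# Impact ratings copied from the slides' impact table (1 = low, 5 = high).
IMPACT = {"01.a": 5, "01.b": 5, "03.a": 3, "09.k": 3, "09.z": 5, "11.a": 3}

# Constructed control -> subcategory pairings (placeholders; the real mapping is
# published on the NIST industry-resources page referenced in the slides).
CONTROL_TO_SUBCATEGORY = {
    "01.a": "PR.AC-1", "01.b": "PR.AC-1", "03.a": "ID.RA-1",
    "09.k": "DE.CM-1", "09.z": "PR.DS-1", "11.a": "RS.RP-1",
}

# Constructed assessment results: one status per maturity level per control.
ASSESSMENT = {
    "01.a": dict(zip(LEVELS, ["compliant"] * 5)),
    "01.b": dict(zip(LEVELS, ["compliant", "compliant", "partial",
                              "non-compliant", "non-compliant"])),
    "03.a": dict(zip(LEVELS, ["compliant", "compliant", "compliant",
                              "non-compliant", "non-compliant"])),
    "09.k": dict(zip(LEVELS, ["partial", "partial", "compliant",
                              "partial", "non-compliant"])),
    "09.z": dict(zip(LEVELS, ["compliant", "partial", "non-compliant",
                              "non-compliant", "non-compliant"])),
    "11.a": dict(zip(LEVELS, ["compliant", "compliant", "compliant",
                              "compliant", "partial"])),
}

# Target Profile: required maturity score per in-scope control (constructed).
TARGET_PROFILE = {ctrl: 71.0 for ctrl in IMPACT}


def maturity_score(levels):
    """Weighted 0-100 score for one control's five maturity-level results."""
    missing = set(LEVELS) - set(levels)
    if missing:
        raise ValueError(f"assessment lacks maturity level(s): {sorted(missing)}")
    return sum(LEVEL_WEIGHT[lvl] * STATUS_CREDIT[levels[lvl]] for lvl in LEVELS)


def current_profile(assessment):
    """Current Profile: maturity score of every assessed control."""
    return {ctrl: maturity_score(levels) for ctrl, levels in assessment.items()}


def gap_analysis(target, current, impact):
    """Controls below target as (control, gap, priority), highest priority first.

    Priority is gap x impact rating. Controls at or above target are omitted; a
    control in the Target Profile but absent from the assessment scores 0, so
    scope drift between inventory and assessment shows up as a full gap.
    """
    gaps = []
    for ctrl, required in target.items():
        gap = required - current.get(ctrl, 0.0)
        if gap > 0:
            gaps.append((ctrl, gap, gap * impact.get(ctrl, 1)))
    return sorted(gaps, key=lambda g: (-g[2], g[0]))


def subcategory_scorecard(current, mapping, impact):
    """Impact-weighted average control score per NIST CsF subcategory."""
    weighted, weight = defaultdict(float), defaultdict(float)
    for ctrl, score in current.items():
        sub = mapping[ctrl]
        w = impact.get(ctrl, 1)
        weighted[sub] += score * w
        weight[sub] += w
    return {sub: weighted[sub] / weight[sub] for sub in weighted}


if __name__ == "__main__":
    cur = current_profile(ASSESSMENT)
    for ctrl, gap, prio in gap_analysis(TARGET_PROFILE, cur, IMPACT):
        print(f"{ctrl}: {cur[ctrl]:5.1f}/{TARGET_PROFILE[ctrl]:.0f}  "
              f"gap {gap:4.1f}  priority {prio:5.1f}")
    card = subcategory_scorecard(cur, CONTROL_TO_SUBCATEGORY, IMPACT)
    for sub, score in sorted(card.items()):
        print(f"{sub}: {score:.1f}")
```

Running it lists the three controls below target in priority order, 09.z first: a high-impact control with low maturity outranks the larger-looking but medium-impact gap on 09.k, which is exactly the ordering the impact ratings on slide 27 are meant to produce. The subcategory roll-up shows why requirement-level scoring matters: PR.AC-1 lands at 77.5 even though one of its two controls (01.b) is well below target, so a subcategory-only view would hide the gap.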
Deloitte IMPLEMENTING THE NIST CSF THROUGH THE HITRUST RISK MGMT FRAMEWORK 34
What is the Role of Frameworks?
- Helps to translate program direction or leverage into guidance for action
- Provides a model for evaluation of an organization's maturity or readiness
- Provides confidence in the program and the actions taken
- Helps identify opportunities to improve management processes for cybersecurity risk
- Provides a taxonomy to describe an organization's current cybersecurity posture
- Supports risk and/or compliance management
- Aids in communication with management
- Helps benchmark programs
35
High-level HITRUST and NIST CSF Comparison

Purpose
  HITRUST: A scalable, prescriptive and certifiable framework created specifically in response to multiple compliance requirements, many of which are subject to interpretation
  NIST: Created in response to the President's Executive Order 13636, Improving Critical Infrastructure Cybersecurity (2013). A framework based on existing standards, guidelines, and practices for reducing cyber risks to critical infrastructure
Industry
  HITRUST: Healthcare-specific
  NIST: Applies broadly across multiple industries
Objective
  HITRUST: A framework that can be leveraged to communicate, compare and benchmark cybersecurity AND can be used for certification
  NIST: A framework that can be leveraged to communicate, compare, and benchmark cybersecurity
Illustrative Sources
  HITRUST: ISO, HIPAA, NIST, CMS, MARS-E, IRS, PCI, CSA-CCM, state laws
  NIST: COBIT, NIST, ISA, CCS, ISO
36
High-level HITRUST and NIST CSF Comparison
- HITRUST and NIST CSF can be, and are, complementary frameworks
- While an organization can leverage either framework on its own, there is value in leveraging HITRUST as the healthcare standard, with the NIST CSF being the mechanism to communicate maturity and comparison between industries
- NIST CSF was primarily created as a way to compare, communicate, and standardize how we think about cybersecurity
- HITRUST was primarily created to make healthcare security and privacy considerations clearer and more prescriptive, as well as to compare, communicate, and standardize how we think about information protection
37
Illustrative Example
[Two-column figure contrasting the roles of HITRUST and the NIST CSF; points shown: Informs cyber risk management practices based on the healthcare industry; Demonstrates coordinated industry action; Sets industry-level direction consistent with other industries; Prioritizes focus areas based on the industry's inherent risk; Shares peer-level insights; Allows for flexibility to demonstrate risk-based responses to threats that are inherent to both the industry and the organization and residual to only the organization]
[Mapping figure, from NIST CSF Function to Category to Subcategory to HITRUST CSF Control: Category Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk; Subcategory ID.GV-1: Organizational information security policy is established; mapped HITRUST CSF Control]
38
Illustrative Example Categories based on NIST Backend data based on HITRUST 39
Framework Implementation Considerations Already aligned with HITRUST? If yes, it is mostly a mapping & reporting exercise And communication Have not adopted a framework? Organization alignment Scoping and implementation plan 40
Seattle Children s Hospital CASE STUDY LEVERAGING HITRUST 41
Case Study Seattle Children s Hospital 42
Organization vs. Cybersecurity Risk
Key elements of our risk program:
- This is a continual process, not a one-time event
- Understand that the risk is an organizational risk, not strictly an information security or compliance risk
- Integrated in our operational and business practices
- Integrated with our enterprise risk management (ERM) process
43
Understand the framework & regulations 21 CFR Part 11 PCI DSS HIPAA HITECH Act FISMA 44
Frameworks and risk help to determine What risks are we willing to accept that support the business and compliance needs What risks do we need to protect against to enable the business? 45
Identify: Understand your assets
Intellectual property; key services or products; applications; business partners; key people; data
46
Dashboard examples 47
Keys to success
- Start by understanding both the NIST and HITRUST Frameworks
- HITRUST guide to CsF implementation available now
- Joint private/public guidance should become available in 1Q FY16
- Focus on what's important
- Continuous risk and improvement process
- Maintain a series of checks & balances
- DO SOMETHING: determine the place to start
48
Q&A 49