CHIME LEAD Forum Houston - "Case Studies from the Field: Putting Cyber Security Strategies into...
TRANSCRIPT
A CHIME Leadership Education and Development Forum in collaboration with iHT2
Creating an Effective Cyber Security Strategy
____________________________
The Hitchhiker’s Guide to IT Security
• Dan Nutkis, CEO, HITRUST
• Pamela Arora, Senior Vice President & CIO
• Aaron Miri, Chief Technology Officer
#LEAD14
2
Mission: To make life better for children
Vision: Children’s will be among the very best medical centers in the nation
Background:
• Serves fourth largest metro area in U.S.
• Highest projected growth of pediatric population over next 20 years
• Three campuses: Dallas, Plano and Southlake with 591 licensed beds
• $1B in assets, $2B in gross revenue, AA3 bond rating
• Over 5,000 employees and 1,000 physicians
• Over 100K inpatient days, 300K outpatient visits, 100K emergency visits
• Academic affiliation with University of Texas Southwestern Medical School
• Only Level I pediatric trauma center in North Texas (1 of 22 in U.S.)
• Only U.S. pediatric hospital with six Joint Commission disease-specific certifications
• Nursing Magnet status; <10% of hospitals in nation have achieved
• Top 10 children’s hospital in nation (U.S. News & World Report 2009)
IT Recognition:
• 2013 HIMSS Enterprise Davies Award of Excellence Winner
• HIMSS EMR Adoption Stage 7; first hospital in Texas to achieve this level
• Top 200 U.S. companies by InformationWeek 500 for IT
• HITRUST Common Security Framework Certification
• Most Wired by Hospitals & Health Networks eight times
Dallas, Texas
Plano, Texas
Southlake, Texas
Children’s Medical Center Dallas
3
• Why HITRUST certification
• Certification Process
• Engagement Matrix
• Risks to Manage
• Children’s Health Layers of Defense
• HITRUST Service Offerings
• Lessons Learned
Overview
4
The Path to HITRUST CSF Certification
What is HITRUST CSF?
• HITRUST Common Security Framework (CSF)—a comprehensive set of healthcare industry best practices and compliance requirements designed to address HIPAA, HITECH, NIST, ISO and more.
• HITRUST Validated—Organizations may self-evaluate compliance standing using HITRUST CSF framework
• HITRUST CSF Certified—CSF Certified status represents that the organization has met HITRUST requirements and has been verified by an independent third party.
• HITRUST CSF Certification places Children’s in an elite group of organizations worldwide that have earned this certification.
• HITRUST CSF Certification required independent third-party auditing of 260 IT security checks across 19 different areas. The process took 12 months of rigorous review, physical audit and validation.
5
Timeline:
• 1996 HIPAA
• 2009 HITECH Act
• 2009 HITRUST CSF
• 2010 OCR endorses HITRUST
• 2012 Texas HB 300
• 2013 Omnibus Final Rule
• 2013 THSA / HITRUST
Demonstrate controls for HIPAA Compliance
• Fines for non-compliance can be several million dollars
• Clear framework: Common Security Framework (CSF)
• Ratified by Texas Health Services Authority (THSA)
Why HITRUST Certification
6
Process steps:
1. Self-assessment against CSF
2. Third-party assessment
3. Update and implement needed changes
4. Results submitted to HITRUST
5. HITRUST / THSA reviews and grants certification
Common Security Framework: Security across an organization
Secure Texas: Heightened privacy
Certification Process: HITRUST Certification
7
Role CSF TX CE Engagement
Credentialing X Demonstration of process
Medical Affairs X
HIM X
Legal X Investigation and subpoenas
Privacy X Breach management process
Security X X (~10% CSF)
CSF: Owners of all controls
TX CE: Revisited policy & process
Engagement Matrix
8
9
Oct. 2014 FDA Cybersecurity Guidance for Industry
Copyright © 2014 Symantec Corporation
Aligned with NIST Critical Infrastructure Framework
Identify and Protect: Limit access to trusted users
• Timed sessions
• Layered authorization
• Role-based authentication
• Strong passwords
• Physical access control
• Controls for updates
Ensure Trusted Content
• Authenticate code
• Identify versions
• Secure data transfer
Detect, Respond, Recover:
• Detect and log security events
• Provide information on response to cybersecurity event
• Protect critical functionality
• Enable retention and recovery of device configuration
Documentation:
• Hazard analysis & mitigation
  - Design considerations
  - Risks considered
  - Cybersecurity controls
• Traceability matrix
• Software updates
• Software integrity
• Cybersecurity controls
Supported by Manufacturer Hazard Analysis & Lifecycle Management Process
Input to HDO Security Risk Analysis (HIPAA, IEC 80001)
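The "Ensure Trusted Content" and "Controls for updates" items above name the checks a device should make before it installs software: authenticate the code, identify the version, and only then act on the payload. The following is an added example, not code from the slides, from Symantec or from the FDA guidance. It is a minimal update verifier in Python. The manifest layout, the function names and MANUFACTURER_KEY are assumptions of this example, and it uses an HMAC-SHA256 tag under a shared key as a stand-in for the manufacturer's signature because the standard library has no asymmetric signing; a production device would verify an asymmetric signature (Ed25519, RSA-PSS) so that a compromised device cannot mint valid manifests. All inputs are constructed.

```python
"""Verify a signed update manifest before installing a device image.

Added example (not from the slides or the FDA guidance). The manifest format,
function names and MANUFACTURER_KEY are assumptions of this example. HMAC with
a shared key stands in for the manufacturer's asymmetric signature; do not
ship a symmetric signing key to fielded devices.
"""
import hashlib
import hmac
import json

# Constructed demo key: stands in for the manufacturer's signing key.
MANUFACTURER_KEY = b"constructed-demo-key-do-not-use"


def sign_manifest(manifest: dict, key: bytes = MANUFACTURER_KEY) -> str:
    """Tag a canonical JSON encoding of the manifest (sorted keys, no spaces),
    so that the same fields always produce the same bytes to authenticate."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_update(version: int, image: bytes) -> dict:
    """Manufacturer side: bind the image hash and version into a signed manifest."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    return {"manifest": manifest, "signature": sign_manifest(manifest), "image": image}


def verify_update(update: dict, installed_version: int,
                  key: bytes = MANUFACTURER_KEY) -> tuple:
    """Device side. Returns (ok, reason).

    Check order matters: authenticate the manifest before trusting any field
    in it, reject anything not newer than what is installed (rollback/replay),
    then confirm the payload matches the authenticated hash."""
    manifest = update["manifest"]
    expected = sign_manifest(manifest, key)
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(expected, update["signature"]):
        return False, "manifest signature invalid"
    version = manifest.get("version")
    if not isinstance(version, int) or version <= installed_version:
        return False, "rollback or replay: version not newer than installed"
    if hashlib.sha256(update["image"]).hexdigest() != manifest["sha256"]:
        return False, "image hash mismatch (tampered or corrupted payload)"
    return True, "update authenticated"


def demo() -> dict:
    """Run the verifier against a good update and three constructed attacks."""
    image = b"constructed firmware image v2"
    good = build_update(2, image)
    # Payload altered after signing: manifest is authentic, image is not.
    tampered = dict(good, image=image + b"\x90")
    # An older, genuinely signed update replayed against a newer device.
    rollback = build_update(1, b"constructed firmware image v1")
    # Attacker bumps the version in the manifest without the signing key.
    forged = dict(good, manifest=dict(good["manifest"], version=3))
    return {
        "good": verify_update(good, installed_version=1)[0],
        "tampered": verify_update(tampered, installed_version=1)[0],
        "rollback": verify_update(rollback, installed_version=1)[0],
        "forged": verify_update(forged, installed_version=1)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The version check is what turns "identify versions" into a control: without it, an attacker can replay an old, genuinely signed image that carries a known vulnerability. Keeping the hash inside the signed manifest, rather than signing the image directly, is what lets the device fetch the image over any channel and still detect substitution.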
10
Mega Breaches
• Healthcare accounted for 44% of all data breaches
• Healthcare accounted for 1% of all the identities exposed in 2013
11
Top Causes of Breaches (2013, Symantec)
Cause                    | All industries 2013 | Healthcare 2013
Hackers                  | 34%                 | 12%
Accidentally made public | 29%                 | 29%
Lost/stolen device       | 27%                 | 49%
Insiders                 | 6%                  | 6%
Fraud                    | 2%                  | 1%
Unknown                  | 2%                  | 2%
12
Price on Underground Economy
• Credit Card = $1-$2
• Medical Record = $20
PII Lost
• Retail = 165,154,040
• Healthcare = 6,279,270
The Cost of Avoidance
13
Threats and risks: Cloud; Hackers; Authentication & Encryption; Virtualization; Cyber Threats; Compliance; Remote Clinics, Practitioners/Employees; Mobile Devices; Insider Threat; Social Media Patient Engagement; Advanced Persistent Attacks
Solution areas: Mail & Web Security; Risk & Compliance; Infrastructure Protection; Endpoint Management; Identity Protection; Information Intelligence & Encryption; Incident Response; Enterprise Mobility
Addressing the Threat
14
Perimeter Defense: Firewall Management; Virtual Private Network; Firewall Log Monitoring; Intrusion Prevention (IPS); Penetration Testing; Secure Web Gateway/Content Filtering; Secure Messaging Gateway/SPAM Filtering
Internal Network Defense: Network Discovery; Network Access Control; Identity and Access Management; User Account Management; Vulnerability Scanning/Assessment; Log Management and Security Information and Event Management; APT Detection
Host Defense: Endpoint Security; Vulnerability Scanning/Assessment; Patch and Security Configuration Management; Host IPS/IDS; Device Control
Application Defense: Host Based IPS; Host-based application-specific Data Loss Prevention
Data Defense: Mobile Data Protection/Encryption; Data Loss Prevention (DLP); Enterprise Data Protection/Encryption; APT Detection
Maturity axis: Reactive → Proactive → Predictive
Foundation: Continuous Monitoring/Policies and Procedures; Threat Intelligence/Security Assessments
Children’s Health Layers of Defense
15
• HITRUST Board Participation
• Vendor Partnerships
• CHIME
• HIMSS
• Legislative Activity - Calls to Action
• Department of Health and Human Services
• Department of Homeland Security
• Federal Bureau of Investigation
• Food and Drug Administration
Industry Involvement
16
HITRUST Snapshot
• Industry Challenges: Catalyst for HITRUST (September 2007)
• Best known for Common Security Framework (CSF)
• Adopted by 76% of hospitals1 and 78% of health plans2
• Adoption of CSF Assurance--19,000 + assessments in three years
• Runs Cyber Threat Intelligence, Incident Coordination Center, & Cyber Threat Xchange
• Provides information, protection, and education—12,000+ CCSFP professionals
– Developing broader healthcare certified information security professional credential – ISC2 partnership
– Annual conference: In 2012 began holding health information protection professional annual conference
1 – Based on facilities in the 2011 AHA hospital and health system data as of Dec 2012
2 – Based on health plans with over 500,000 members as of Dec 2012
HITRUST exists to ensure information protection becomes a core pillar of the broad adoption of HIS and HIEs
17
Common Security Framework (CSF)
• Practical and efficient approach to managing risk that is scalable, prescriptive and certifiable
• HITRUST maintains, supports and ensures the relevancy and applicability
• Released v6 in Jan 2014; v7, due in Jan 2015, will incorporate privacy
• Now includes more than 17 authoritative sources (federal and state regulations, globally recognized standards, and industry best practices)
Sources consolidated into the HITRUST CSF: NIST; ISO 27001/2; COBIT; FTC Red Flags; PCI; Meaningful Use; HIPAA Omnibus Final Rule; Texas Health & Safety Code
The ambiguity of standards and regulations distracts from protecting healthcare organizations…
18
The HITRUST Common Security Framework (CSF) provides coverage across multiple healthcare-specific standards and
includes significant components from other well-respected IT security standards bodies and governance sources
Common Security Framework (CSF)
Included Standards
HIPAA
HITECH Act
ISO/IEC 27001:2005, 27002:2005, 27799:2008
CFR Part 11
COBIT 4.1
NIST SP 800-53 Revision 4
NIST SP 800-66
PCI DSS version 1.2
FTC Red Flags Rule
JCAHO IM
201 CMR 17.00 (State of Mass.)
NRS 603A (State of Nev.)
CSA Cloud Controls Matrix v1
CMS IS ARS
Texas Health and Safety Code (THSC) 181
Title 1 Texas Administrative Code (TAC) 390.2
Control Categories
0. Information Security Management Program
1. Access Control
2. Human Resources Security
3. Risk Management
4. Security Policy
5. Organization of Information Security
6. Compliance
7. Asset Management
8. Physical and Environmental Security
9. Communications and Operations Management
10. Information Systems Acquisition, Development & Maintenance
11. Information Security Incident Management
12. Business Continuity Management
Scoping Factors
Regulatory
• Federal, state and domain-specific compliance requirements
Organization
• Geographic factors
• Number of covered lives
System
• Data stores
• External connections
• Number of users/transactions
Analyzed, Rationalized & Consolidated
Control Specifications
Control Objectives
Control Categories
Common Security Framework (CSF)
19
Security & Privacy Common Control Framework
• Single compliance program to manage versus managing compliance against a myriad of requirements
• Incorporates existing security regulations, standards, and frameworks
• Rationalizes duplications and inconsistent requirements
• Common definition of controls and detailed implementation requirements
• Focuses security efforts on actual risk identification and remediation
• Instills confidence through public pronouncement of compliance
• Vendors demonstrate security compliance to healthcare covered entities
• Future enhancements provide guidance for securing specific vendor products
Security controls
• 13 control categories, 42 control objectives, and 135 control specifications
• Three levels of requirements based on organization’s scale & operations
• Implementation & inspection guidance
• Maps controls to authoritative sources
• Process for accepting alternate controls (compensating and mitigating) for systems that are not in compliance
• Security Configuration Packs will recommend configuration and maintenance of security in critical applications (e.g., electronic health medical record systems and medical devices)
• Products and Services Guide links to solutions based on the security framework
Source standards: ISO 27000 series; NIST 800 series; PCI DSS; COBIT; HIPAA; 21 CFR Part 11
Framework Components
The HITRUST CSF serves as the baseline set of controls, as it provides an efficient method to assess once and satisfy many regulatory, legal and leading-practice requirements.
Benefits of Adopting CSF
Common Security Framework (CSF)
20
Key Elements of HITRUST’s Cyber Strategy
• Provide a managed framework with healthcare-specific guidance that addresses cyber risks in a comprehensive and timely manner
• Ensure healthcare organizations have comprehensive, timely, and consumable threat intelligence
• Enable the timely exchange of relevant and actionable cyber threat indicators (IOCs, TTPs, malware signatures)
• Support collaboration on cyber incidents among industry and government resources
  – US-CERT, HHS, FBI, DHS, USSS
• Facilitate testing and evaluation of cyber threat preparedness, response and intelligence-sharing activities
• Educate legislators on the issues, progress and areas where support is needed
Protect industry from cyber threats and aid in response while supporting organizational maturity
21
CSF Assurance
• Methodology and compliance program to effectively and consistently measure CSF compliance
• Risk-based methodology
• Simplified information collection and reporting
• Consistent testing procedures and scoring
• Creates efficiencies and contains costs
• Assessments performed by leading professional services firms
22
Programs – Third Party Assurance
• Streamlines the business associate assurance process
• Utilizes the tools and methodologies of the CSF Assurance Program
• Allows healthcare organizations to efficiently and effectively assess their business partners and manage risk
• Allows assessed organizations to undergo one assessment and report to multiple entities
23
Programs – Secure Texas
• Texas Health Services Authority awarded HITRUST the Texas Covered Entity Privacy/Security Certification (Secure Texas)
• Allows for THSA to provide certification under Texas House Bill 300
• Certification offers penalty reduction and risk mitigation
24
• Managing risk vs. compliance
• Implications of cyber
• Distinction between best practice, regulations, standards, and implementation
• A framework helps to strengthen your security programs
Lessons Learned
25
Visit www.HITRUSTAlliance.net for more information
To view our latest documents, visit the Content Spotlight
State of Texas Privacy and Security Certification (http://hitrustalliance.net/texas/)
Monthly industry cyber threat briefings with HHS (http://hitrustalliance.net/cyber-threat-briefings/)
Industry cyber threat preparedness exercises – CyberRX
(http://hitrustalliance.net/cyberrx/)
26
Q & A
[email protected] [email protected]