CHIME LEAD Forum Houston - "Case Studies from the Field: Putting Cyber Security Strategies into Action" - Hitchhiker's Guide to IT Security


Upload: health-it-conference-iht2

Post on 15-Jul-2015


TRANSCRIPT

Page 1: CHIME LEAD Forum Houston - "Case Studies from the Field: Putting Cyber Security Strategies into Action" - Hitchhiker's Guide to IT Security

A CHIME Leadership Education and Development Forum in collaboration with iHT2

Creating an Effective Cyber Security Strategy

____________________________

The Hitchhiker’s Guide to IT Security

• Dan Nutkis, CEO, HITRUST

• Pamela Arora, Senior Vice President & CIO

• Aaron Miri, Chief Technology Officer

#LEAD14

Page 2

Page 3

Mission: To make life better for children

Vision: Children’s will be among the very best medical centers in the nation

Background:

• Serves fourth largest metro area in U.S.

• Highest projected growth of pediatric population over next 20 years

• Three campuses: Dallas, Plano and Southlake with 591 licensed beds

• $1B in assets, $2B in gross revenue, AA3 bond rating

• Over 5,000 employees and 1,000 physicians

• Over 100K inpatient days, 300K outpatient visits, 100K emergency visits

• Academic affiliation with University of Texas Southwestern Medical School

• Only Level I pediatric trauma center in North Texas (1 of 22 in U.S.)

• Only U.S. pediatric hospital with six Joint Commission disease-specific certifications

• Nursing Magnet status; fewer than 10% of hospitals in the nation have achieved it

• Top 10 children’s hospital in nation (U.S. News & World Report 2009)

IT Recognition:

• 2013 HIMSS Enterprise Davies Award of Excellence Winner

• HIMSS EMR Adoption Stage 7; first hospital in Texas to achieve this level

• Top 200 U.S. companies by InformationWeek 500 for IT

• HITRUST Common Security Framework Certification

• Most Wired by Hospitals & Health Networks eight times

Children’s Medical Center Dallas: campuses in Dallas, Plano and Southlake, Texas

Page 4

Overview

• Why HITRUST certification

• Certification Process

• Engagement Matrix

• Risks to Manage

• Children’s Health℠ Layers of Defense

• HITRUST Service Offerings

• Lessons Learned

Page 5

The Path to HITRUST CSF Certification

What is HITRUST CSF?

• HITRUST Common Security Framework (CSF)—a comprehensive set of healthcare industry best practices and compliance requirements designed to address HIPAA, HITECH, NIST, ISO and more.

• HITRUST Validated—Organizations may self-evaluate compliance standing using HITRUST CSF framework

• HITRUST CSF Certified—CSF Certified status represents that the organization has met HITRUST requirements and has been verified by an independent third party.

• HITRUST CSF Certification places Children’s in an elite group of organizations worldwide that have earned this certification.

• HITRUST CSF Certification required independent third-party auditing of 260 IT security checks across 19 different areas. The process took 12 months of rigorous review, physical audit and validation.

Page 6

Why HITRUST Certification

Timeline:

• 1996: HIPAA

• 2009: HITECH Act

• 2009: HITRUST CSF

• 2010: OCR endorses HITRUST

• 2012: Texas HB 300

• 2013: Omnibus Final Rule

• 2013: THSA / HITRUST

Demonstrate controls for HIPAA compliance:

• Fines for non-compliance can be several million dollars

• Clear framework: Common Security Framework (CSF)

• Ratified by Texas Health Services Authority (THSA)

Page 7

Certification Process: HITRUST Certification

1. Self-assessment against the CSF

2. Third-party assessment

3. Update and implement needed changes

4. Results submitted to HITRUST

5. HITRUST / THSA reviews and grants certification

Common Security Framework: Security Across an Organization

Secure Texas: Heightened Privacy

Page 8

Engagement Matrix

Role            | CSF / TX CE       | Engagement
Credentialing   | X                 | Demonstration of process
Medical Affairs | X                 |
HIM             | X                 |
Legal           | X                 | Investigation and subpoenas
Privacy         | X                 | Breach management process
Security        | X   X (~10% CSF)  |

CSF: Owners of all controls

TX CE: Revisited policy & process

Page 9

Page 10

Oct. 2014 FDA Cybersecurity Guidance for Industry

Copyright © 2014 Symantec Corporation

Aligned with the NIST Critical Infrastructure Framework

Identify and Protect: limit access to trusted users

• Timed sessions

• Layered authorization

• Role-based authentication

• Strong passwords

• Physical access control

• Controls for updates

Ensure trusted content:

• Authenticate code

• Identify versions

• Secure data transfer

Detect, Respond, Recover:

• Detect and log security events

• Provide information on response to cybersecurity events

• Protect critical functionality

• Enable retention and recovery of device configuration

Documentation:

• Hazard analysis & mitigation

  - Design considerations

  - Risks considered

  - Cybersecurity controls

• Traceability matrix

• Software updates

• Software integrity

• Cybersecurity controls

Supported by the manufacturer’s hazard analysis & lifecycle management process

Input to HDO security risk analysis (HIPAA, IEC 80001)

Page 11

Mega Breaches

• Healthcare accounted for 44% of all data breaches

• Healthcare accounted for 1% of all the identities exposed in 2013

Page 12

Top Causes of Breaches

Cause                    | 2013 (all breaches) | Healthcare 2013
Hackers                  | 34%                 | 12%
Accidentally made public | 29%                 | 29%
Lost/stolen device       | 27%                 | 49%
Insiders                 | 6%                  | 6%
Fraud                    | 2%                  | 1%
Unknown                  | 2%                  | 2%

Page 13

The Cost of Avoidance

Price on the underground economy:

• Credit card = $1-$2

• Medical record = $20

PII lost:

• Retail = 165,154,040

• Healthcare = 6,279,270

Page 14

Addressing the Threat

Challenges:

• Cloud

• Hackers

• Authentication & Encryption

• Virtualization

• Cyber Threats

• Compliance

• Remote Clinics, Practitioners/Employees

• Mobile Devices

• Insider Threat

• Social Media Patient Engagement

• Advanced Persistent Attacks

Capability areas:

• Mail & Web Security

• Risk & Compliance

• Infrastructure Protection

• Endpoint Management

• Identity Protection

• Information Intelligence & Encryption

• Incident Response

• Enterprise Mobility

Page 15

Children’s Health Layers of Defense

Layers: Perimeter Defense | Internal Network Defense | Host Defense | Application Defense | Data Defense

Controls across the layers:

• Firewall Management

• Virtual Private Network

• Firewall Log Monitoring / Intrusion Prevention (IPS)

• Penetration Testing

• Secure Web Gateway / Content Filtering

• Secure Messaging Gateway / SPAM Filtering

• Network Discovery

• Network Access Control

• Identity and Access Management

• User Account Management

• Vulnerability Scanning / Assessment

• Log Management and Security Information and Event Management

• APT Detection

• Endpoint Security

• Vulnerability Scanning / Assessment

• Patch and Security Configuration Management

• Host IPS/IDS

• Device Control

• Host Based IPS

• Host based application specific Data Loss Prevention

• Mobile Data Protection / Encryption

• Data Loss Prevention (DLP)

• Enterprise Data Protection / Encryption

• APT Detection

Maturity: Reactive, Proactive, Predictive

Continuous Monitoring / Policies and Procedures

Threat Intelligence / Security Assessments

Page 16

Industry Involvement

• HITRUST Board Participation

• Vendor Partnerships

• CHIME

• HIMSS

• Legislative Activity - Calls to Action

• Department of Health and Human Services

• Department of Homeland Security

• Federal Bureau of Investigation

• Federal Drug Administration

Page 17

HITRUST Snapshot

• Industry challenges: catalyst for HITRUST (September 2007)

• Best known for the Common Security Framework (CSF)

• Adopted by 76% of hospitals¹ and 78% of health plans²

• Adoption of CSF Assurance: 19,000+ assessments in three years

• Runs Cyber Threat Intelligence, Incident Coordination Center, & Cyber Threat Xchange

• Provides information, protection, and education: 12,000+ CCSFP professionals

  – Developing a broader healthcare certified information security professional credential (ISC2 partnership)

  – Annual conference: in 2012 began holding a health information protection professional annual conference

¹ Based on facilities in the 2011 AHA hospital and health system data as of Dec 2012

² Based on health plans with over 500,000 members as of Dec 2012

HITRUST exists to ensure information protection becomes a core pillar of the broad adoption of HIS and HIEs

Page 18

Common Security Framework (CSF)

• Practical and efficient approach to managing risk that is scalable, prescriptive and certifiable

• HITRUST maintains and supports the framework and ensures its relevancy and applicability

• Released v6 in Jan 2014; v7, to be released in Jan 2015, will incorporate privacy

• Now includes more than 17 authoritative sources (federal and state regulations, globally recognized standards, and industry best practices)

Sources feeding the HITRUST CSF:

• NIST

• ISO 27001/2

• COBIT

• FTC Red Flags

• PCI

• Meaningful Use

• HIPAA Omnibus Final Rule

• Texas Health & Safety Code

The ambiguity of standards and regulations distracts from protecting healthcare organizations…

Page 19

Common Security Framework (CSF)

The HITRUST Common Security Framework (CSF) provides coverage across multiple healthcare-specific standards and includes significant components from other well-respected IT security standards bodies and governance sources.

Included standards:

• HIPAA

• HITECH Act

• ISO/IEC 27001:2005, 27002:2005, 27799:2008

• CFR Part 11

• COBIT 4.1

• NIST SP 800-53 Revision 4

• NIST SP 800-66

• PCI DSS version 1.2

• FTC Red Flags Rule

• JCAHO IM

• 201 CMR 17.00 (State of Mass.)

• NRS 603A (State of Nev.)

• CSA Cloud Controls Matrix v1

• CMS IS ARS

• Texas Health and Safety Code (THSC) 181

• Title 1 Texas Administrative Code (TAC) 390.2

Control categories:

0. Information Security Management Program

1. Access Control

2. Human Resources Security

3. Risk Management

4. Security Policy

5. Organization of Information Security

6. Compliance

7. Asset Management

8. Physical and Environmental Security

9. Communications and Operations Management

10. Information Systems Acquisition, Development & Maintenance

11. Information Security Incident Management

12. Business Continuity Management

Scoping factors:

• Regulatory: federal, state and domain-specific compliance requirements

• Organization: geographic factors; number of covered lives

• System: data stores; external connections; number of users/transactions

Analyzed, rationalized & consolidated into: Control Categories, Control Objectives, Control Specifications

Page 20

Common Security Framework (CSF): Framework Components

Security & Privacy Common Control Framework

Benefits of adopting the CSF:

• Single compliance program to manage versus managing compliance against a myriad of requirements

• Incorporates existing security regulations, standards, and frameworks

• Rationalizes duplications and inconsistent requirements

• Common definition of controls and detailed implementation requirements

• Focuses security efforts on actual risk identification and remediation

• Instills confidence through public pronouncement of compliance

• Vendors demonstrate security compliance to healthcare covered entities

• Future enhancements provide guidance for securing specific vendor products

Security controls:

• 13 control categories, 42 control objectives, and 135 control specifications

• Three levels of requirements based on the organization’s scale & operations

• Implementation & inspection guidance

• Maps controls to authoritative sources

• Process for accepting alternate controls (compensating and mitigating) for systems that are not in compliance

• Security Configuration Packs will recommend configuration and maintenance of security in critical applications (e.g., electronic health/medical record systems and medical devices)

• Products and Services Guide links to solutions based on the security framework

Source standards: ISO 27000 series, NIST 800 series, PCI DSS, COBIT, HIPAA, 21 CFR Part 11

The HITRUST CSF serves as the baseline set of controls, as it provides an efficient method to assess once and satisfy many regulatory, legal and leading-practice requirements.

Page 21

Key Elements of HITRUST’s Cyber Strategy

• Provide a managed framework with healthcare-specific guidance that addresses cyber risks in a comprehensive and timely manner

• Ensure healthcare organizations have comprehensive, timely, and consumable threat intelligence

• Enable the timely exchange of relevant and actionable cyber threat indicators (IOCs, TTPs, malware signatures)

• Support collaboration on cyber incidents among industry and government resources

  – US-CERT, HHS, FBI, DHS, USSS

• Facilitate testing and evaluation of cyber threat preparedness, response and intelligence-sharing activities

• Educate legislators on the issues, progress and areas where support is needed

Protect the industry from cyber threats and aid in response while supporting organizational maturity

Page 22

CSF Assurance

• Methodology and compliance program to effectively and consistently measure CSF compliance

• Risk-based methodology

• Simplified information collection and reporting

• Consistent testing procedures and scoring

• Creates efficiencies and contains costs

• Assessments performed by leading professional services firms

Page 23

Programs – Third Party Assurance

• Streamlines the business associate assurance process

• Utilizes the tools and methodologies of the CSF Assurance Program

• Allows healthcare organizations to efficiently and effectively assess their business partners and manage risk

• Allows assessed organizations to undergo one assessment and report to multiple entities

Page 24

Programs – Secure Texas

• The Texas Health Services Authority selected HITRUST to provide the Texas Covered Entity Privacy/Security Certification (Secure Texas)

• Allows the THSA to provide certification under Texas House Bill 300

• Certification offers penalty reduction and risk mitigation

Page 25

Lessons Learned

• Managing risk vs. compliance

• Implications of cyber

• Distinction between best practice, regulations, standards, and implementation

• A framework helps to strengthen your security programs

Page 26

Visit www.HITRUSTAlliance.net for more information

To view our latest documents, visit the Content Spotlight:

• State of Texas Privacy and Security Certification (http://hitrustalliance.net/texas/)

• Monthly industry cyber threat briefings with HHS (http://hitrustalliance.net/cyber-threat-briefings/)

• Industry cyber threat preparedness exercises – CyberRX (http://hitrustalliance.net/cyberrx/)

Page 27

Q & A

[email protected] [email protected]

[email protected]

A CHIME Leadership Education and Development Forum in collaboration with iHT2