preparing your organization for a hhs oig information security … · 2016-10-18 · preparing your...

10/18/2016

1

Preparing Your Organization for a HHS‐OIG Information Security Audit

David Holtzman, JD, CIPP/G CynergisTek, Inc.

Brian C. Johnson, CPA, CISA HHS‐OIG

Section 2: Preparing for a HHS‐OIG Audit

Section 1: Models for Risk Assessment

10/18/2016

2

CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 [email protected] cynergistek.com � @CynergisTek

Models for

Risk Assessment

3

CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 [email protected] cynergistek.com � @CynergisTek 4

Where Do We Start? Risk Assessment…

10/18/2016

3


• The process of:

– Analyzing threats and vulnerabilities in a

specified environment,

– Determining the impact or magnitude, and

– Identifying areas needing safeguards or

controls

What is Risk Analysis?


Information Security

Risk Analysis

HIPAA Security Rule

10/18/2016

4


• An assessment of threats and vulnerabilities to information

systems that handle e‐PHI.

• This provides the starting point for determining what is

‘appropriate’and ‘reasonable’.

• Organizations determine their own technology and administrative

choices to mitigate their risks.

• The risk analysis process should be ongoing and repeated as

needed when the organization experiences changes in technology

or operating environment.

HIPAA Security Risk Assessment


Performing a Risk Analysis

Gather Information

Analyze Information

Develop Remedial Plans

• Prepare inventory lists of information assets‐data, hardware and software.• Determine potential threats to information assets.• Identify organizational and information system vulnerabilities.• Document existing security controls and processes.

• Evaluate and measure risks associated with information assets.• Rank information assets based on asset criticality and business value.• Develop and analyze multiple potential threat scenarios.

• Prioritize potential threats based on importance and criticality.• Develop remedial plans to combat potential threat scenarios.• Repeat risk analysis to evaluate success of remediation and when there are

changes in technology or operating environment.

10/18/2016

5


Administrative SafeguardsSecurity Management Process

Findings Comments

Risk Analysis

Has a policy, procedure or plan been documented & implemented that requires annual risk analysis?

Is a risk analysis conducted annually or whenever significant modifications made to a system, facility or network? If yes, then when was the last date?

Risk Management

Has a risk management policy, procedure or plan been documented and implemented to ensure security measures are in place to reduce risk to an acceptable level?

Example of Security Risk Analysis


Cybersecurity

Framework

10

10/18/2016

6


• Describing an organization’s current cybersecurity posture

• Describing its target state for cybersecurity

• Identifying and prioritize areas of improvement

• Employing a repeatable process for review

• Continuously assessing its cybersecurity posture

• Communicating cybersecurity risks to both internal and external stakeholders

• Conducting regular measurements of control effectiveness

• Demonstrating compliance

Frameworks: A Common Taxonomy For


Inventory information assets and analyze their risks

Use technical, administrative, and physical controls to mitigate the identified risks

Monitor the environment for signs of intrusion

Mobilize resources to contain and eradicate an intrusion

Remediation the effects of an intrusion and return to normal operations

A Holistic Approach To Data Security

Identify

Protect

Detect

Respond

Recover

Governan

ce

Reference: NIST Cybersecurity Framework

10/18/2016

7


CSF Crosswalks to HIPAA SR


Resources & Tools

14

10/18/2016

8


• HHS HIPAA Information Security Risk Assessment for Small Organizations (v2.0,

September, 2016)

– https://www.healthit.gov/providers‐professionals/security‐risk‐

assessment

• NIST Cybersecurity Framework

– http://www.nist.gov/cyberframework/

• HIPAA Security Crosswalk to NIST Cybersecurity Framework

– http://www.hhs.gov/sites/default/files/nist‐csf‐to‐hipaa‐security‐rule‐

crosswalk‐02‐22‐2016‐final.pdf

Resources for Getting Started


Questions

David Holtzman

[email protected]

(240)720‐1365

@HITprivacy

Questions?

?

10/18/2016

9

October 24, 2016 17

Disclaimer

What is the OIG?

What does the OIG oversee?

What are OIG’s components?

What is OIG’s oversight role in health IT?

Where does IT Audit fit in?

October 24, 2016 18

10/18/2016

10

How do we decide what to audit?

What are we working on now?

What should you expect if selected for an audit?

What are the results of our work?

What are your questions?

October 24, 2016 19

The views I express are my own, and do not necessarily represent those of the OIG, or any other government agency or department.

October 24, 2016 20

10/18/2016

11

Mission: Protect the integrity of HHS programs and the welfare of the people they serve

October 24, 2016

1,550+employees 70+ offices

21

October 24, 2016

Audit Services

Evaluation&

Inspections

InvestigationsCounsel to

the IG

22

10/18/2016

12

• 100+ HHS programs, including those operated bythe Centers for Medicare & Medicaid Services, theOffice of the National Coordinator, and the Foodand Drug Administration

• $1 trillion in HHS spending, including grants andcontracts

October 24, 2016 23

October 24, 2016

Internal to HHSR

OCR FDA

Etc.

Contractors States

Etc.

24

CMSONC

External to HHS

Hospitals Physicians

10/18/2016

13

HHS Cybersecurity Program Mission: Foster an enterprise‐wide secure and trusted environment in support of HHS' commitment to better health and well‐being of the American people.

OIG IT Audit Mission: To provide timely, impactful, and innovative IT audits of data and information systems maintained by, or on behalf of, HHS.

Our Common Mission: To ensure that all data and systems under the jurisdiction of HHS are secure.

October 24, 2016 25

Our IT Audit work generally falls into the following areas:

Congressionally Mandated Work

Information Security General Controls Audits including Vulnerability Assessments using automated tools

Application Control Audits

Penetration Tests

October 24, 2016 26

10/18/2016

14

Two risk‐based approaches we are currently using:

Cyber Risk Assessments (Public Reconnaissance)

Enterprise Risk Management (ERM)

October 24, 2016 27

The Cyber Assessment Team has been adopting public reconnaissance to plan work at HHS OpDivs. The team used publicly available sources to provide insight on each OpDiv’sinfrastructure and to determine whether potentially vulnerable systems and web applications exist.

General and application control IT audit teams have been adopting Enterprise Risk Management to plan work.

October 24, 2016 28

10/18/2016

15

The Cyber Assessment Team identified potential targets and provided insight on various attack landscapes:

No vulnerabilities exploited and

No active attacks took place.

Information extracted included:

Currently existing vulnerabilities;

IP addresses and sub‐domains;

Insight on the network infrastructure; and

Software potentially used.

October 24, 2016 29

What is Enterprise Risk Management?

October 24, 2016 30

10/18/2016

16

Based on the risks identified, some of our top priorities for upcoming work include:

HHS Operating Division Data and Information System Security (Cyber and General Control Assessments)

Medicaid Data and Information System Security (MMIS, MCO, and Eligibility systems)

Medical Device Security

System Controls Supporting Prescription Drugs

October 24, 2016 31

Average 25 ongoing audits in various stages

Average 25 reports per year

Many significant recommendations per report (individually

or collectively)

October 24, 2016 32

10/18/2016

17

We will contact you and the HHS Operating Division responsible for the related HHS program oversight. In our audit notification letter we will typically include our:

audit objective,

an explanation of our authority to conduct the audit,

an initial request list,

who our contacts are, and

instructions on how to communicate and send information securely.

October 24, 2016 33

Here is an example of a typical IT audit objective:

The objective of our audit is to determine whether the you adequately secured your data and information systems that support a particular HHS program (e.g. Medicare, Medicaid, State Marketplaces, Electronic Heath Records, etc.) in accordance with Federal requirements (e.g. HIPAA, HITECH, ACA, Medicare, Medicaid, etc.)

October 24, 2016 34

10/18/2016

18

To accomplish our objective(s), we:

Obtain guidance the auditee received from oversight organizations, e.g. CMS;

Assess System Security Plans;

Assess Risk Management Programs

obtain an understanding of the security framework used (e.g. HIPAA, NIST SP 800‐53, ISO 27001, COBIT, SOC2, etc.) ;

October 24, 2016 35

Map data flow, decision/control points (input, processing, storage), to include external interfaces, network architecture, databases – for example:

Information flow

Hardware/software (network diagrams)

People (organization charts);

Obtain SLAs, Business Associate Agreements, contracts, MOUs, etc.;

Interview management and personnel;

Assess policies, procedures, and practices;

October 24, 2016 36

10/18/2016

19

Assess network system security;

Assess computer security patch management;

Assess access controls;

Assess device and media controls;

Assess network perimeter devices (ex. firewalls, routers, and switches);

October 24, 2016 37

Assess web application and website security;

Assess database controls; and

Assess incident response controls.

We conduct our audits in accordance with generally accepted government auditing standards.

October 24, 2016 38

10/18/2016

20

Based on the auditee’s environment, systems and applications, and in coordination with the OIG OAS IT Cyber Threat and Assessment Team, we will use various automated tools to assess the security of the system or applications.

We are also developing a strategy and tools for identifying Incidents of Compromise. We believe this could become a valuable service to our auditees.

October 24, 2016 39

Two Risk Factors for Management: Compliance and Security

Being in compliance does not mean data and systems are secure.

In general, HHS OIG IT Audits are performance audits. Compliance audits are a subset of performance audits.

We are advocates for the security of data and systems supporting HHS programs; therefore, to provide a better service to our stakeholders, our IT audit teams use a hierarchy of criteria to focus on IT security.

October 24, 2016 40

10/18/2016

21

We use laws, regulations, guidance, and best practices to support our findings and recommendations. For example:

FISMA (Federal agencies and contractors)

HIPAA/HITECH (for covered entities and their business associates)

ACA (meaningful use)

Regulations (Code of Federal Regulations)

Guidance (NIST SP 800 Series)

Industry Best Practices (Manufacturer/vendor support for OS, patches, etc.)

October 24, 2016 41

Many of our findings involve vulnerabilities in the following control areas:

Security Program Management,

Access Controls,

Configuration Management (patching and current, supported systems and applications), and

Contract and service level agreement oversight, as well as interagency coordination.

October 24, 2016 42

10/18/2016

22

Security management. The auditee had inadequate security management, i.e., no security plan for its claims processing system.

Access controls.The auditee had inadequate access controls:

a lack of encryption for systems and claims data stored on backup tapes, an inadequate password history setting for securing its Windows network, no policy requiring two‐factor authentication for remote network access, inadequate documentation of remote network access requests and authorizations,

untimely disabling of user accounts for terminated employees, and inadequate physical access security controls.

October 24, 2016 43

Configuration management.The auditee had inadequate configuration management:

outdated software on production servers no longer supported by the vendor,

outdated antivirus definitions on production servers, inadequate security settings for network devices, no encryption on the claims processing database, critical software patches not applied to all workstations in a timely manner, an inadequately secured Web site for providers, and no use of centralized logging on Windows servers hosting the claims processing system.

October 24, 2016 44

10/18/2016

23

The auditee did not adequately secure its data and information systems in accordance with Federal requirements. Although the auditee adopted a security program for the [processing system], we identified numerous significant system vulnerabilities. These vulnerabilities existed because the auditee did not implement sufficient controls over its data and information systems or provide sufficient oversight to ensure that [its contractor] implemented contract security requirements.

October 24, 2016 45

Although we did not find evidence that anyone had exploited these vulnerabilities, exploitation could have resulted in unauthorized access to and disclosure of [##] beneficiaries’ data that also supported paid claims totaling more than [$$] billion in FY 2015, as well as disruption of critical [program] operations. These vulnerabilities were collectively and, in some cases, individually significant and could have compromised the integrity of the auditee’s [HHS] program.

October 24, 2016 46

10/18/2016

24

We issue a draft audit report to the auditee.

We allow 30 calendar days for auditees to comment on our draft report.

We incorporate the auditee’s comments in a restricted final report to the auditee, attach them in their entirety as an appendix, and provide a copy of our report to CMS (or other appropriate HHS Division(s)).

We also publish a public summary report.

Due to security considerations, we omit from the public summary report certain details regarding specific system vulnerabilities.

October 24, 2016 47

Stay Connected:

oig.hhs.gov

twitter.com/OIGatHHS

youtube.com/OIGatHHS

Questions

October 24, 2016 48

10/18/2016

25

October 24, 2016 49

October 24, 2016 50

Brian C. Johnson, CPA, CISAIT Audit Manager

U.S. Department of Health and Human Services (HHS)Office of Inspector General (OIG)

[email protected]‐562‐7788

preparing your organization for a hhs oig information security … · 2016-10-18 · preparing your...

Documents