Upload
dora-andrews
View
230
Download
0
Tags:
Embed Size (px)
Citation preview
Healthcare Security Compliance: More Than a Check In The Box
Todd Fitzgerald CISSP, Todd Fitzgerald CISSP, CISA,CISM, CGEIT, PMPCISA,CISM, CGEIT, PMP
ISO27000 and ITIL V3 CertifiedISO27000 and ITIL V3 CertifiedNational Government ServicesNational Government Services
PMO & Strategy/Technical PMO & Strategy/Technical Audit & ComplianceAudit & Compliance
Milwaukee, WIMilwaukee, WIHIPAA Collaborative of HIPAA Collaborative of
WisconsinWisconsinOctober 15, 2010October 15, 2010
A Little ‘Presentation Disclaimer’ …
The opinions expressed are solely the opinions of Todd Fitzgerald and do not necessarily represent the opinions of his employer. You may or may not want to adopt the these concepts in your organization. Use a risk-based approach before attempting
this at home.
HOW MANY ARE HIPAA COMPLIANT WITH THE SECURITY RULE?
3
Today’s Objective
• PART 1: What We Must Be Aware Of TODAY
• PART 2: Applicable Laws, Regulations, Standards
• PART 3: Anatomy of An Audit• PART 4: What Is A Good Control?• PART 5: Key Problem Areas
4
Security Audits Necessary To Ensure Controls Are Functioning
Source: “Learning from Leading Organizations” SGAO/AIMD-98-68 Information Security Management
Assess Risk &Determine Needs
PromoteAwareness
Monitor &Evaluate
ImplementPolicies &Controls
CentralManagement
Audit
Audit
Audit
Audit
Refresher: Security Officer Job Description
Job description: This position will represent the information protection program of the’ region and requires the ability to understand business issues and processes and articulate appropriate security models to protect the assets of and entrusted to. A strong understanding of information security is necessary to manage, coordinate, plan, implement and organize the information protection and security objectives of the’ region. This position is a senior technical role within our information protection and security department. A high-level of technical and security expertise is required and will be responsible for managing information security professionals. This position will play a key role in defining acceptable and appropriate security models for protecting information and enabling secure business operations. This person must be knowledgeable of current data protection best practices, standards and applicable legislation and familiar with principles and techniques of security risk analysis, disaster recovery planning and business continuity processes and must demonstrate an understanding of the management issues involved in implementing security processes and security-aware culture in a large, global corporate environment. He or she will work with a wide variety of people from different internal organizational units, and bring them together to manifest information security controls that reflect workable compromises as well as proactive responses to current and future business risks to enable ongoing operations and protection of corporate assets. RESPONSIBILITIES INCLUDE: • Manage a cost-effective information security program for the Americas region; aligned with the global information security program, business goals and objectives • Assist with RFP and Information Security responses for clients • Implementing and maintaining documentation, policies, procedures, guidelines and processes related to ISO 9000, ISO 27000, ISO 20000, European Union Safe Harbor Framework, Payment Card Industry Data Protection Standards (PCI), SAS-70, General Computer Controls and client requirements • Performing information security risk assessments • Ensuring disaster recovery and business continuity plans for information systems are documented and tested • Participate in the system development process to ensure that applications adhere to an appropriate security model and are properly tested prior to production • Ensure appropriate and adequate information security training for employees, contractors, partners and other third parties • Manage information protection support desk and assist with resolution • Manage security incident response including performing investigative follow-up, assigning responsibility for corrective action, and auditing for effective completion • Manage the change control program • Monitor the compliance and effectiveness of Americas’ region information protection program • Develop and enhance the security skills and experience of infrastructure, development, information security and operational staff to improve the security of applications, systems, procedures and processes •
… The Complete Job Description!
Direct senior security personnel in order to achieve the security initiatives • Participate in the information security steering and advisory committees to address organization-wide issues involving information security matters and
concerns, establish objectives and set priorities for the information security initiatives • Work closely with different departments and regions on information security issues • Consult with and advise senior management on all major information security
related issues, incidents and violations • Update senior management regarding the security posture and initiative progress • Provide advice and assistance concerning the security of sensitive information and the processing of that information •
Participate in security planning for future application system implementations • Stay current with industry trends relating to Information Security • Monitor changes in legislation and standards that affect information security • Monitor and review new technologies • Performs other Information Security projects / duties as needed MINIMUM QUALIFICATIONS: Transferable Skills
(Competencies) • Strong communication and interpersonal skills • Strong understanding of computer networking technologies, architectures and protocols • Strong understanding of client and server technologies, architectures and systems • Strong
understanding of database technologies • Strong knowledge of information security best practices, tools and techniques • Strong conceptual understanding of Information Security theory • Strong working knowledge of security architecture and recovery
methods and concepts including encryption, firewalls, and VPNs • Knowledge of business, security and privacy requirements related to international standards and legislation (including ISO 9001, ISO 27001, ISO 20000, Payment Card Industry data protection standard (PCI), HIPPA, European Union Data Protection Directive, Canada’s Personal Information Protection and Electronic Documents Act, SAS-70 Type II, US state privacy legislation and Mexico’s E-Commerce Act) • Knowledge of risk
analysis and security techniques • Working knowledge of BCP and DR plan requirements and testing procedures • Working knowledge of Windows XP/2000/2003, Active Directory, and IT Infrastructure security and recovery methods and concepts • Working knowledge of Web-based application security and recovery methods and concepts • Working knowledge of AS400
security and recovery methods and concepts • Working knowledge of PeopleSoft security and recovery methods and concepts • Working Knowledge of anti-virus systems, vulnerability management, and violation monitoring • Strong multi-tasking and
analytical/troubleshooting skills • Knowledge of audit and control methods and concepts a plus • Knowledge of SAS-70 audit requirements a plus • Knowledge of ISO 9001 requirements a plus • Knowledge of ISO 27001 requirements a plus • Knowledge of ISO 20001 requirements a plus • Knowledge of COBIT requirements a plus • Knowledge of EU / Safe Harbor requirements a plus •
Knowledge of Linux security a plus • Knowledge of VB.NET, C++, JAVA, or similar programming languages a plus • Proficient in MS-Office suite of products • Professional, team oriented Qualifications • Bachelor’s Degree (B.A., B.S.), or equivalent
combination of education and experience in Information Security, Information Technology, Computer Science, Management Information Systems or similar curriculum • 7+ years of Information Technology or Information Security experience, including at
least 5 years dedicated to Information Security • 2+ years of Travel Industry experience preferred • Must be a Certified Information Systems Security Professional (CISSP) • Certified Information Security Manager (CISM) preferred • Strong
organizational, time management, decision making, and problem solving skills • Strong initiative and self motivated professional • Professional certifications from ISACA, (ISC)2, or SANS preferred • Experience with ISO certified systems a plus
In Other Words…
• Assess the risks• Understand laws,
regulations, standards
• Understand the technology
• Develop alternatives• Implement one or
more solutions• Evaluate residual risk
8
Why We Care… 2010 Security Threats
• Phishing reports (40,621), 56,362 unique websites, 341 high jacked brands set record in August
• Russia (13%), Brazil 8.6%) now top two sites creating attack traffic, with US (6.9%) and China (6.5%) dropping 2 positions
• Sophisticated, distributed malware• Mobile banking attacks on smart phones• Social Media sites used to learn about targets, deliver
malicious content• SQL Injection (19% of breaches in 2009 per Verizon)• Home users transferring malware• Adobe Reader and Flash Replacing MS Office as target• Zero-day exploits released on IE in Nov/Dec
Source: Akaimi State of The Internet; Anti-Phishing WorkGroup, McAffee Predictions
Data Breaches Cost $204/Record in 2009, NO CISO $236, CISO $157
– $750K-$31 Million per incident
– 24% due to botnets/ malicious attacks (doubled from 2008)
– First time Malware exceeded user negligence
– 42% involved 3rd parties– 36% involved a mobile
device
$135 Lost Business
$15 Notify Victims
$46 Monitoring
$8 Breach Detection
Source: Ponemon Institute, 2010
“RockYou.com Hacked For 32.6 Million Passwords
• Provider of services for FACEBOOK and MYSPACE
• Hacker ‘igigi’ breaks into database of 32.6 Million Records
• SQL Injection• Hacker posted
partial results
Reactive Security Follows BreachRockYou has become aware of ongoing unauthorized attempts to access the same user data identified in previous reports. RockYou is working to promptly notify our members of these ongoing attempts via email and posts to our Web site. The company is continuing to work with law enforcement to identify the perpetrators. As we stated in our earlier communications, we recommend that all users change their passwords and take other measures to protect their privacy.
RockYou has put in place measures to protect user data, including encrypting all user data and upgrading our security infrastructure. We will also be working with an outside security consulting firm to analyze and improve our security environment. We will continue to assess our security protocols and improve upon them.
We apologize for any inconvenience this has caused our user base and assure our dedicated users that we continue to take their privacy seriously. The RockYou team
Incident Revealed that the Most Common Password Was… ‘123456’
1. 290,731 ‘123456’2. 79.038 ‘12345’3. 76,790 ‘123456789’4. 61,958 ‘password’5. Followed by Princess,
Rockyou, abc123,daniel,nicole,babygirl,monkey,jessica,lovely,michael,ashley,654321,and QWERTY.
Source: Imperva Application Defense Center
Factors Causing Breaches…In 1 Month Alone
Third Party Financial Firm Burglarized
Opened accounts with 10 employee stolen data
Ukraine hackers took control of web domains, redirected traffic
Intercepted payroll mailing to annuity company
Laptops stolen from cars, locked offices
Office backup drive stolen
Emails to personal email SSN spreadsheet
Temp worker steals flu shot records
Financial info from unsecured dumpster
Playlist on MP3 player at thrift shop- US Soldiers
SSNs in US Govt sold filing cabinet Source: www.privacyrights.org
In Our Own Backyard…Milwaukee-based Koss CFO Indicted for Embezzling $31M
• $4.5M on clothing– 461 Boxes of shoes– 34 Fur Coats– 65 Racks of clothes
• Wire Transfers to personal account
• Possible 120 Years In Prison, restitution, $1.5M in fines
Emerging Technologies
• Social Media– LinkedIn– Facebook– Twitter
• Virtualization• Cloud Computing• Mobile Devices
Today's Data Demand: The Right Data, At The Right Time, At The Right Place…
• 1980– Can We Get A Report Run Off the
Mainframe?• 1990’s
– Decision Support Systems, End User Queries
– Synchronized To PDA• 2000’s
– Laptops, FedEx CDs• 2010’s
– Smart Phones, Cloud applications, Virtual Working Environments, Convergence
Where Is The Data Today?
Sylvia
Marc
Julie
Dena
StanProgramming Team
Source: Steve Fried, Mobile Security, Reprinted with Permission
The Evolution of Technology over almost 3 decades
• Huggable Luggables introduced in 1983
• Spreadsheet primary use
• 128K Memory
19
Mobile Computing Is Taking Center Stage
• “Office less” work-at-home
• Telecommuters• Road Warriors• Employees at work
working in distributed environments
• After hours work at home
20
RECENT STUDY OF WORKERS AT HOME REVEALED THEY WORKED 19 MORE HOURS A WEEK WITHOUT NEGATIVELY IMPACTING FAMILY
OF COURSE… THERE WILL ALWAYS BE EXCEPTIONS…
There Are Inherent Risks
Previous Generation Mobile Device Risks Limited
• WAP-enabled cell phones
• Personal Digital Assistants
• Wireless Data Entry Systems
25
Now They Have The Same Risks As Conventional Systems
• Complete operating Systems
• Specially-built Applications
• Users physically removed from immediate security staff control
More Viruses
More Malware
Less Sophistication Required
Different Ways of Approaching The Problem – Data vs. Device Centric
© 2010 Stephen Fried. Reproduction prohibited without written permission.22
Different ways of approaching the problem
Device Centric Data Centric
Data Is Not Static
Data At Rest Data In Motion
Devices Are Converging
• Cell Phones• Cameras• Televisions• Game Consoles• DVRs, DVD
Players• Ipods, IPads, I-?
• Why???
This Company Was One of The Biggest Contributors….
The Connected World We Live In Changes The Role of ‘The Device’
©7
The Workforce THINKS Differently
• Baby Boomers (1946-65) loyal, dependable, workaholics
• Gen Xers (1965-1980) cynical & independent, reject rules
• Gen Y (1980+) short attention span, tech savvy
The Same Security Question Arises.. Our Customers Want It…
How Do We Enable It?
Smartphones: Hacker Opportunity
• UK Dept of Trade Survey:– More than 50% of
companies do not have any controls for securing company data on Smartphones
• Few have invested in technology
Smartphone Application Vulnerabilities• Weak or no authentication (single user
context)– Default passwords– Very few characters
• Missing security functions– Data Encryption– Auditing– Padlocks on Web Browsers– Security Updates– Applications not limited in what they can access– Apps can cause DOS by draining battery
• Unable to determine if Malicious until downloaded!
Major SmartPhone Security Controls
• Appropriate Policy & Standards
• Anti-virus and anti-spyware• Remediation of
vulnerabilities• Strong authentication• Encrypted transmissions
VPN, SSH, SFTP• Secure Wireless Application
Protocol Gateways• Personal Firewalls• Hard Drive Encryption• Regular backups• Security Training &
Awareness
Important Audit Questions
• Policy storing sensitive data? Encrypted? Backups?
• Default passwords• Policy downloading untrusted
applications?• Communication ports turned
off when not in use?• Anti virus updated? Anti-
spyware?• Procedures for finding pirated
mobile apps exist? Enforced?• Prohibitions against Jailbreaking?• Vulnerability Remediation
Process?• Systematic incident response?
• Risk Assessment• Targeted security
awareness training?• Random audits of
devices & applications?• Power-on password?• Personal devices
prohibited?• Know how to report lost
device?• Stored securely?• Security Assessment
tools?• Independent tests nse?
performed?
Sounds Familiar…
May Not Be Pretty Getting There…
PART 2: Laws, Regulations, Standards
38
There Are The U.S. Government Regulations That We Are Familiar With…
• NIST 800-53 Controls• FISMA (Federal
Information Security Management Act 2002)
• HIPAA Final Security Rule• Medicare Modernization
Act of 2003 (Section 912)• DISA Security Technical
Implementation Guides (STIGs)
• IRS Regulations
…And These
• Graham-Leach-Bliley (GLBA)• Sarbanes-Oxley• NERC Critical Infrastructure
Protection• Federal Financial Institution
Examination Council (FFEIC)• Federal Information System
Controls Audit Manual (FISCAM)
…And International Control Standards /Frameworks/ and of Course [insert here] Practices
• ISO27001/2 Information Security Management System (ISMS)
• Control Objectives for Information and related Technology (COBIT 4.1)
• Payment Card Industry Data Security Standard (PCI DSS 1.2)
• Information Technology Infrastructure Library (ITIL)
• Vendor Guidance
And More Laws & Regulations Which Impact Privacy• Children’s Online Privacy
protection Act of 1998• Consumer Credit Reporting
Act of 1996• Driver’s Privacy Protection
Act of 1994• Electronic Funds Transfer
Act• European Union Data
Protection Directive of 1995
• Fair Credit Reporting Act of 1999
• Telemarketing and Consumer Fraud Abuse Act
• Family Educational Rights & Privacy Act (FERPA)
• Federal Trade Commission Act (FTCA)
• Freedom of Information Act
• Privacy Act of 1974• USA Patriot Act of 2001
Health Information Technology for Economic and Clinical Health Act (HITECH) Increases Security and Privacy Protections
• Mandatory penalties for willful neglect
• New rules for ‘unsecured breach’– Patients notified– HHS notified >500– Website posting– Local Media– Internal vs. External
• Providers with EHRs must provide ePHI for cost of labor
• Business associates must comply with security rule– Follow safeguards– Report incidents to CE– Civil and Criminal
penalties• HHS Required to
provide audits of CE’s and BA’s
• Penalties increased to $250K, 1.5M for repeated violations
State Attorney Brings First Cause of Action under HITECH Act Jan 13, 2010
Connecticut Attorney General's OfficePress ReleaseAttorney General Sues Health Net For Massive
Security Breach Involving Private Medical Records
And Financial Information On 446,000 Enrollees
PCI DSS V1.2 Requirements
Build & Maintain a Secure Network
• Install/maintain firewall configuration• Don’t use vendor-supplied defaults
Protect Cardholder Data • Protect stored cardholder data• Encrypt across open networks
Maintain a Vulnerability Management Program
• Use and regularly update anti-virus• Develop secure systems/applications
Implement Strong Access Control Measures
• Restrict access by need-to-know• Assign unique ID to each person• Restrict physical access
Regularly Monitor & Test Networks
• Track and monitor all access• Regularly test security systems/processes
Maintain an Information Security Policy
• Policy must address infosec
Part 3: Anatomony Of An Audit
1. Planning2. Onsite Arrival3. Execution4. Entrance/Exit/
Status Conferences
5. Report Issuance/Remediation
46
Request List
SampleSelection
AgreedUpon
Procedure
Testing
Findings
CorrectiveAction
ANATOMY OF AN AUDIT
1. PLANNING • Receive Prepared By Client (PBC) List; Client Assistance List (CAL)
• Review Requests/Clarify Scope
• Assign to Dir/Mgr/SME• Create Directory
Structure• Schedule Interviews
47
Policies & Procedures Requested For 24 e-PHI Security-Related Issues
• Establish/Terminate User Access• Emergency IT System Access• Inactive Sessions• Recording/examining activity• Risk Assessments• Employee violations/sanctions• Electronic transmission• Incident
prevention,detection,containing• Regular access review• Security violation logging• Monitoring systems and network• Physical access to systems
• Types of security access controls
• Remote access• Internet usage• Wireless security• Firewalls, routers, switches• Physical security repair• Encryption/decryption• Transmission • Password and server
configurations• Antivirus software• Network remote access• Patch management
Documentation Requests…
• Information systems, network diagrams
• Terminated employees• New hires• Encryption mechanisms• Authentication methods• Outsourced/contractor access• Transmission methods• Org chart for IT, Security• Systems Security Plans
• All users with access, including rights
• System Administrators, backup operators
• Antivirus servers• Internet access control
software• Desktop antivirus software• Users with remote access• Database security
requirements/settings• Domain controllers, servers• Authentication approaches
The Auditors Have Landed…
2. ONSITE AUDITOR ARRIVAL
• Entrance Meeting• Internet
Connections• Develop
‘communication protocol’
• Establish start/end/status dates
50
What? Didn’t I Give That To You Already? (Maybe..Maybe Not)
3. EXECUTION • Track every communication
• Obtain requests in writing
• Encrypt all files• Schedule all
follow-ups via central person
• Review, Review, Review
51
Surprises are for Birthdays & The Holidays, Not Audits4. ENTRANCE
CONFERENCES/STATUS CALLS/EXIT CONFERENCE
• Daily Status Calls
• Weekly Status Reports
• No Surprises?• Risk Ranking of
Issue
52
Remediation of Findings Should Be Swift• REPORT
ISSUANCE/REMEDIATION
• Final Draft Report• Management Response• Prior Finding Closure• Corrective Action Plan
(CAP)• 5 Business Days• 30 Calendar Days• 90 Calendar Days• Ink Is Now Dry
53
PART 4: A Good Control
54
Discussion
PART 5: Audit Problem Area Discussion
55
Problem Area #1: Policies/Procedures
• Process Changed Mid-Audit Cycle
• Not updated• No Revision History• Improper
Management Approval• Inability to retrieve
w/Revision History• Not Followed
56
Problem Area #2: Security Baseline Configurations
• Not compliant with latest standard (i.e., FDCC, DISA)
• Not documented• No monitoring• No management
approval• New servers, test
servers out of compliance
57
Problem Area #3: Software Patching
• Critical security patches not applied timely (7,15,30 days)
• Adobe, vendor products• Servers, Desktops,
network devices not consistently patched to latest levels
• Time to test patch• Monitoring used to fix
servers?
58
Problem Area #4: Lack of Software Testing
• Applies to all production applications
• Every program should be tested within X years or when changed
• Documented processes followed
59
Problem Area #5: Change Control
• Segregation of duties– Requestor– Developer– Implementer– Tester/End User– Change Control/CCB
• Approvals before production implementation
• Emergency Requests• Signoffs
60
Problem Area #6: User Access Administration
• Too much access for function
• Unapproved Access (no documentation)
• Terminations too long (> 3 days)
• Lack of recertification of access
• Scope not including all platforms
• Transfers• Contracted background
checks
61
Problem Area #7: Vulnerability Assessment/Pen Testing
• Will always find something… always
• Schedule after hours• Schedule during non-
production• Limit testing period• Contracts
62
Problem Area #8: Media Sanitization
• Include copiers, scanners, fax machines, routers, servers, USB drives, CDs, desktops, laptops…
• Tapes/Documents shredded onsite
• Inventory assets• Document
sanitization/disposal• Encrypt everywhere
63
Problem Area #9: PHI Disclosure/Incident Handling
• Encrypt all external email• Establish Incident
discovery reporting within 1 hour
• Escalation processes• Retain written actions• Automate
monitoring/correlation process
• Management reporting• Documentation of follow-
up
64
Remember The Earlier Issue?…
NIST 800-124 Issued Guidance For Smart Phones….• Organization-wide policy for mobile
handheld devices• Risk assessment and management• Security awareness and training• Configuration control and management• Certification and accreditation• Apply critical patches and upgrades• Eliminate unnecessary services and
applications• Install and configure additional
applications that are needed
More NIST 800-124 Guidance
• Configure resource controls• Install content encryption, remote content
erasure, firewall, AV, intrusion detection, antispam,VPN software.
• Perform security testing• User control of device, backup frequently• Enable non-cellular wireless access only when
needed• Report and deactivate compromised devices• Enable log files for compliance• … and the list goes on…
JUST LIKE BLOWING BUBBLES…
Just When Security Problem Gets Bigger
Another Never Materializes
And Another Bursts- Good Luck!
68
Thank You For Your Participation!
[email protected]@WellPoint.com
WWW.linkedin.com/in/toddfitzgerald