
HIPAA Security Risk Management

Robert Burgett

Director, Information Technology & Security

The Elizabeth Hospice, Inc.

Escondido, CA 92025

760.796.3779 [email protected]

CHAPCA Annual Conference 10.10.2017

Introduction – Robert Burgett

Robert is Head of IT for Southern California's largest hospice, serving as Director of Information Technology and Security Official, with over 20 years of experience in all areas of information technology, security, and facilities management. Proactive leadership aligned with the corporate mission, vision, and values; a demonstrated record of integrity in securing all infrastructure, physical and virtual; implementation of best practices and controls for HIPAA / Health Information Technology for Economic and Clinical Health (HITECH) compliance.

Learning Objectives:

• Describe what a gap assessment entails
• Describe the data privacy life cycle
• Describe six ways a program can come under scrutiny
• Describe HHS HIPAA Audit Protocol changes

Agenda

HIPAA privacy breaches are increasingly common and come with a high price tag. This presentation focuses on identifying your risks and protecting information and knowledge related to privacy and security in the healthcare environment. Participants will leave with a better understanding of how achieving a legally defensible posture and system will better protect an organization and its patients.

Privacy & Security: individual rights and choices around the data privacy lifecycle

Requires information governance around PHI / PII:

▪ Notice / consent-choice
▪ Collection
▪ Access / purpose / use
▪ Guest access / availability / correction / quality
▪ Disclosure / sharing / forward transfer
▪ Storage / retention and secure disposal
▪ Cross-border transfer rules

Confidentiality, Integrity, and Availability of ePHI (this includes personally identifiable information (PII)):

• Someone can compromise the Confidentiality of your ePHI
• Someone could inappropriately alter or delete ePHI (which affects its Integrity)
• Your ePHI or PII might not be Available when you need it

» Protect it with administrative, physical, and technical controls
» Think in terms of "reasonable controls" and "defense in depth"
» Whose data: customers, donors, employees, consultants
» Who handles it: business partners, service providers, vendors, etc.

Data privacy lifecycle: NOTICE → COLLECTION → USE → DISCLOSURE → DISPOSAL

6 Most Common Types of Healthcare Data Security Breaches

• Cyber hacking
• Loss or theft of a mobile device or media
• Insider missteps or workarounds
• Business associates
• Malicious insider or fraud
• Insider snooping

Security goals are also bigger than compliance

Steps taken to protect company technology, infrastructure, and PHI / PII data from theft, business disruption, and compromise:

• Internal and external vulnerability scans: automated testing for weaknesses inside and outside your network
• Penetration tests: live, hands-on testing of your systems' weaknesses and vulnerabilities (through a third party)
• Nmap scanning: a simple network scan that identifies open ports and services on your network
• Gap analysis: consultation on where your gaps in security and compliance exist and what steps need to occur next
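An Nmap scan only pays off if someone compares what is listening against what is supposed to be listening. The following is an added example, not code from the presentation, that parses Nmap's grepable output (`nmap -sV -oG -`) and reports open ports that are not in an approved-services baseline, plus services that deserve a ticket wherever they appear (cleartext protocols such as telnet, and common lateral-movement or data-at-rest exposures such as SMB, RDP and raw printer ports). The hosts, the scan output, the baseline and the high-risk service list are all constructed for the example.

```python
"""Added example, not code from the presentation: parse Nmap grepable (-oG)
output and compare open ports against an approved-services baseline.  The
scan output, hosts, baseline and high-risk service list are constructed."""
import re
from collections import defaultdict

# Constructed sample of `nmap -sV -oG -` output (hypothetical hosts).
SAMPLE_SCAN = """\
# Nmap 7.70 scan initiated as: nmap -sV -oG - 10.10.5.0/29
Host: 10.10.5.1 ()\tStatus: Up
Host: 10.10.5.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 443/open/tcp//https//nginx/\tIgnored State: closed (998)
Host: 10.10.5.2 ()\tStatus: Up
Host: 10.10.5.2 ()\tPorts: 23/open/tcp//telnet//Linux telnetd/, 445/open/tcp//microsoft-ds//Samba smbd 3.X/, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 10.10.5.3 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4/, 9100/open/tcp//jetdirect///\tIgnored State: filtered (998)
# Nmap done: 8 IP addresses (3 hosts up)
"""

# Approved services per host (hypothetical policy): any other open port is a finding.
BASELINE = {
    "10.10.5.1": {(22, "tcp"), (443, "tcp")},
    "10.10.5.2": {(445, "tcp")},
    "10.10.5.3": {(80, "tcp")},
}

# Cleartext protocols and common lateral-movement / data-at-rest exposures:
# flagged wherever they appear, even when the baseline allows the port.
HIGH_RISK_SERVICES = {"telnet", "ftp", "microsoft-ds", "ms-wbt-server", "jetdirect"}

# -oG port entry layout: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_grepable(text):
    """{host: [(port, proto, service, version), ...]} for every open port."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Tab-separated "Key: value" fields; only the first ": " splits key from value.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        for m in PORT_RE.finditer(fields.get("Ports", "")):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            if state == "open":
                hosts[host].append((int(port), proto, service, version.strip()))
    return dict(hosts)


def find_findings(scan, baseline):
    """Sorted (host, port, proto, service, reason) tuples worth a ticket."""
    findings = []
    for host, services in scan.items():
        allowed = baseline.get(host, set())
        for port, proto, service, _version in services:
            if (port, proto) not in allowed:
                findings.append((host, port, proto, service, "not in approved-services baseline"))
            if service in HIGH_RISK_SERVICES:
                findings.append((host, port, proto, service, "high-risk service"))
    for host in baseline:  # a baseline host that did not answer is also worth a look
        if host not in scan:
            findings.append((host, 0, "-", "-", "baseline host not seen in scan"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_findings(parse_grepable(SAMPLE_SCAN), BASELINE):
        print(finding)
```

Keeping the baseline in a file under change control turns each scan into a diff against an approved state, which is the evidence a "requested documents list" asks for; flagging high-risk services independently of the baseline catches the case where a risky port was approved years ago and nobody revisited it.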

6 ways a program can come under scrutiny (can lead to loss of business/opportunity and/or enforcement action)

1. Complaints to a regulatory authority or law enforcement
   ▪ Referred cases from other agencies
   ▪ Direct complaints from customers/patients
   ▪ Whistle-blowers
2. Breach: the entire program is scrutinized, not just the cause of the breach
   ▪ Media firestorm
3. Audits/surveys
   ▪ HHS and SEC conduct surprise audits
   ▪ Complaint investigations and breaches lead to audits
4. Business partner, prior to contracting and periodically thereafter
5. Acquiring company (M&A) / investor conducting due diligence to mitigate "successor liability"
6. Cyber risk insurance applications also require a due diligence assessment

Benefits of a Risk Analysis

▪ Establish security measures to reduce risks to a reasonable and appropriate level
▪ Protect your ePHI against those risks that can be reasonably anticipated
▪ Completing a risk assessment is a core requirement for receiving Medicare and Medicaid EHR incentive payments ("Meaningful Use")
▪ A risk analysis is required by HIPAA
▪ Good business practice

NORSE Live Time Attack Intelligence Map

http://map.ipviking.com/


Key Components of a Risk Analysis

▪ Scope of your risk analysis: all the ePHI that your organization creates, receives, maintains, and transmits
  ▪ This includes all forms of paper or electronic media
  ▪ Hard drives, laptops, desktops, tablets, or smart devices
  ▪ Backup tapes, smart cards, or thumb drives
  ▪ All other forms of electronic media
▪ Where and how the ePHI is stored, received, maintained, or transmitted
▪ More than ePHI: billing info, insurance claims, and appointment information
▪ Where ePHI is stored: desktops, laptops, tablets, copiers, scanners, smart devices, CD-ROMs, thumb drives, etc.
▪ Where it flows: both internal and external
  ▪ Patients, physicians, off-site disaster recovery sites, or storage locations, both paper and electronic

Key Components of a Risk Analysis (cont.)

▪ How it flows: e-mail, fax, shared network drives, health information exchange (HIE)
▪ Review past and current projects
▪ Interview staff and IT support staff
▪ Review policies and procedures
▪ Other data collection methods: data maps or flow diagrams

Key Components of a Risk Analysis (cont.)

▪ Document findings
▪ Identify and document possible threats and vulnerabilities
  ▪ Threats: human, natural, or environmental
  ▪ Vulnerabilities: weaknesses in your security controls, both physical and virtual
  ▪ Either could cause a security incident
  ▪ Examples: unencrypted laptops, copiers, smart devices; weak policies and procedures; or, worse, nothing in place

Key Components of a Risk Analysis (cont.)

▪ Assess current security measures: review the administrative, technical, and physical safeguards
▪ Determine the likelihood of threats: which threats the HIPAA Security Rule requires you to protect against because they are reasonably anticipated
▪ Determine the impact of potential threats if they actually occur:
  ▪ How will it impact the confidentiality of the information?
  ▪ Will unauthorized people be able to access ePHI?
  ▪ Will they be able to change or compromise its integrity?
  ▪ If a threat such as an outage or severe storm occurs, will all data stay intact and available?
▪ Document all potential impacts that could be a threat to ePHI; categorize the likelihood and impact of the threats and vulnerabilities as HIGH, MEDIUM, or LOW

Key Components of a Risk Analysis (cont.)

▪ Document a list of corrective actions
  ▪ Putting a new policy in place
  ▪ Training staff on a new process or procedure
  ▪ Adding additional safeguards: card access readers, locks, and security surveillance cameras
▪ Final step: review and update your risk analysis from time to time
  ▪ Ongoing: the organization is always changing
  ▪ Perform an annual risk analysis (www.healthIT.gov, www.hhs.gov/ocr)

Yet the cost to protect is low, and it creates a legally defensible posture

Avg. protection cost ($16) is less than 7% of the avg. breach cost per compromised record (Gartner)

97-99% of breaches are avoidable with reasonable controls (simple/intermediate) (Verizon Business Data Breach Investigations Reports)

Legal defensibility means getting to 97-99% avoidability, not "absolute privacy/security", as there is no such thing

Risk Profile Changes: Healthcare

• Primary reason for breaches
  – Just a couple of years ago: lost or stolen mobile devices
  – Now: hacking (doubled in 2015), with ransomware on the rise
    • Hacking systems
    • Hacking users to get into systems: what is meant by this?
• Why the change?
  – Easy target: a less mature industry with fewer protections in place
  – Treasure trove of data ($)
  – Business disruption: terrorism or threats

Good privacy and security strengthens your brand
▪ Trust economics: a business enabler
▪ Brand trust based on patient experience creates referrals
▪ Breaches can cause brand erosion

What is the purpose of brakes on a car? Not to slow the car down, but to allow it to go fast!

Why is this important?

Why this seemingly endless parade of breaches?

Question: Why are so many "compliant organizations" suffering breaches and the resulting regulatory fines and enforcement actions, class action lawsuits, and adverse brand and equity impacts?

Answer:

1. Treating it strictly as a compliance risk, or worse only as an IT risk (vs. an enterprise risk); you need both
2. Underestimating the risk, or not being aware that they are assuming a risk
3. Not pursuing a risk-based, legally defensible strategy
4. Not implementing risk governance and accountability

Preparedness for the inevitable breach, regulator investigation, and legal proceedings

Compliance establishes the baseline, but too often becomes check-the-box against the "black letter" of the law / regulation
▪ Compliance does not equal privacy: laws, regulations, and standards cannot keep up with emerging threats, vulnerabilities, and technologies
▪ Privacy breaches have huge financial, regulatory, legal, and reputational impacts, as well as personal D&O liability risks

Legal defensibility: actions and inactions defendable to a regulator and plaintiff attorney, jury, or judge. It requires:
▪ Anticipating foreseeable risks and applying reasonable standards of care

Privacy/Security-by-Design enables legal defensibility through clear roles and responsibilities for sustainably managing risks (NIST: "repeatable")

What can you do?

Security: determining "reasonable controls". Use a standards stack to strengthen policies/SOPs and ensure there are no gaps.

Write policies to a framework of appropriately stacked standards for legal defensibility:

▪ HIPAA Security Rule (19 years old)
▪ 7 Elements of the U.S. Sentencing Guidelines for an Effective Compliance Program
▪ Top 20 Critical Security Controls, Center for Internet Security (referenced by the Verizon Business DBIR)
▪ State requirements, e.g., MA's requirement that PII be encrypted on mobile devices
▪ Contractual requirements, e.g., Shared Assessments SIG
▪ Regulatory guidance and enforcement actions, e.g., mobile apps, peer-to-peer file sharing
▪ PCI DSS
▪ ISO 27002:2013
▪ HITRUST
▪ NIST Cybersecurity Framework

Adopt an integrated privacy risk management & control framework: a continuous process for optimizing reward vs. emerging risks and strengthening posture

Simplified COSO risk management & control framework adapted to manage privacy / security risks:

Internal Environment
▪ Executive commitment
▪ Management support

Governance
▪ Regulatory coverage map
▪ Strategy setting / planning
▪ Risk tolerance
▪ Risk policy
▪ Risk owners and accountability
▪ Training and education

Risk Assessment
▪ Risk identification
▪ Controls effectiveness review
▪ Risk probability and impact
▪ Risk ranking

Risk Response and Management
▪ Avoid, transfer, monitor, accept risk
▪ Mitigation planning and execution
▪ Privacy / security-by-design
▪ Control activities

Monitoring and Adapting
▪ Controls evaluation in RM tiers
▪ Controls effectiveness monitoring
▪ Event / incident / breach analysis
▪ Identifying and closing gaps
▪ MSSP (Managed Security Service Provider)

Information and Communication
▪ Key risk indicator review
▪ Privacy Steering Committee
▪ Board of Directors

Information governance matrix: regulators expect clearly defined and operational roles/responsibilities

Actor: high-level responsibilities

Board of Directors: duty to protect corporate assets: information (PII, trade secrets, IP) and critical infrastructure; SEC cybersecurity risk disclosure
Executives: program commitment; establish it as a strategic imperative; provide resources/budget
Privacy Governance Steering Committee (charter & standing agenda): provide strategic guidance and ensure management support; help establish risk tolerance through risk-related decision-making/guidance (risk assessments); ensure privacy/security officials are engaged by their staff/resource owners for privacy/security-related design or other issues (be their "eyes and ears")
Privacy & Security Officials: program leadership and establishment; SEC cybersecurity disclosure sign-off if public
Management: program support; on-the-job privacy/security training; identify staff AUP violations; identify prospective service providers to the CPO early for due diligence; own Privacy/Security-by-Design for non-engineering activities
Privacy Liaisons: liaisons for each privacy data lifecycle function ensure adherence to privacy policy
HR: identify/schedule new hires for privacy/security training; conduct background checks
Legal / Compliance: ensure proper contracting with service providers; keep the Board abreast of privacy and cybersecurity risk exposure and posture
InfoSec Team: implementation working group; regular review of RBAC rights; ensure implementation of risk mitigation activities and report status to the Steering Committee
Domain Owners: application security; technical controls; physical controls; administrative controls (or the 14 control domains in ISO 27002:2013)
Resource Owners: authorize RBAC roles; grant rights; periodically review rights for accuracy
Resource Custodians: implement approved RBAC rights; ensure Privacy/Security-by-Design for resources
Engineering Director / Program Manager: provide Privacy/Security-by-Design guidance to engineers and SQA as well as code review teams for data-driven initiatives, new / enhanced resources, and as changes are made to data flow processes and/or data locations
Workforce Members: adhere to the AUP and other policies/SOPs

Data flow, locations and inventory mapping

Maintain it to reflect changes to data flow processes and/or data locations.

Use a modified SIPOC to develop the data flow diagram (a Six Sigma tool for getting a process under control; data locations = resources). Columns:

Data Suppliers / Sources | Data Location | Data Inputs | Data Flow Process Step | Data Outputs | Data Location | Data Customers

Process steps (rows), following the lifecycle:
▪ Notice
▪ Data Collection
▪ Data Use / Handling
▪ Data Transfer / Sharing
▪ Data Storage / Retention
▪ Data Backup / Retention
▪ Data Disposal / Destruction

Create a data flow diagram with swim-lane process owners; it informs the risk assessment.

Interview process owners and document end-to-end privacy data flows / locations.

Data inventory and locations map: data locations as columns (database, shared folder, Box, SharePoint, file cabinet); rows for resource owner, resource custodian, and the data inventory by sensitivity (highly sensitive, sensitive, less sensitive, non-sensitive).

▪ Executives should assign owners to resources within their organizational control (or by default they become the owner)
▪ Resources: products/services, processes, applications, internal / external systems, technologies, service providers/partners
▪ Resource Owners are responsible for ensuring RBAC design, authorizing RBAC rights, and periodically reviewing RBAC rights for accuracy
▪ Resource Custodians are responsible for the Privacy/Security-by-Design of assigned resources

Match protection to data sensitivity: only highly sensitive data, if compromised, may lead to a reportable breach

Quartile / Data Sensitivity / Classifications (examples may vary by country of jurisdiction)

4 Highly Sensitive: includes any of the following: SSN, payment card info, user ID/password, security question/answer (mother's maiden name, DOB, place of birth, etc.), health insurance ID #; genetic info (as defined by GINA), medical/health info, background check info, biometric record or identifiers

3 Sensitive: PII that does not fall into quartile 4 or 2, such as other personally identifiable dates, account #, vehicle ID/serial #, driver's license/certificate #, other unique ID #/characteristic/code, geolocation data, other personnel file info

2 Slightly Sensitive: published contact info: name plus address, phone #; email address, fax #, instant message user ID, URL address, IP address, photo/video/audio file, persistent device/processor/serial ID; any other PII used for marketing purposes (see CA's "Shine the Light" law)

1 Non-Sensitive: non-personal information, such as session identifiers/cookies; business lead contact info is not sensitive in the U.S., but is in Canada, the EU, and elsewhere

Operational examples: adjust processes based on data sensitivity levels, e.g., pre-contract due diligence and periodic monitoring of BAs, role-based access controls (RBAC), encryption, etc.
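As an added example (not from the presentation) of turning the sensitivity table and the owner/custodian rules into something a data inventory can be checked against, the Python below classifies each data location by the highest quartile of the data it holds and lists the controls it is missing. The quartile assignments follow the deck's table; the minimum control set per quartile, the inventory itself, and the owner/custodian names are assumptions constructed for the example.

```python
"""Added example, not code from the presentation: classify data locations by
the highest sensitivity quartile they hold and list the controls each one is
missing.  Quartile assignments follow the deck's table; the per-quartile
control requirements, the inventory and the owner/custodian names are
assumptions constructed for this example."""
from dataclasses import dataclass, field

# Data element -> sensitivity quartile (4 = highly sensitive), per the deck's table.
FIELD_SENSITIVITY = {
    "ssn": 4, "payment_card": 4, "password": 4, "security_question": 4, "dob": 4,
    "health_insurance_id": 4, "genetic_info": 4, "medical_info": 4,
    "background_check": 4, "biometric": 4,
    "account_number": 3, "drivers_license": 3, "vehicle_id": 3, "geolocation": 3,
    "name": 2, "address": 2, "phone": 2, "email": 2, "ip_address": 2, "photo": 2,
    "session_cookie": 1,
}

# Minimum controls per quartile (assumed policy; tune to your own standards stack).
REQUIRED_CONTROLS = {
    4: {"owner", "custodian", "rbac", "encryption", "ba_due_diligence"},
    3: {"owner", "custodian", "rbac", "encryption"},
    2: {"owner", "rbac"},
    1: set(),
}


@dataclass
class Location:
    name: str                                   # database, shared folder, Box, file cabinet ...
    data: set                                   # data elements held there
    controls: set = field(default_factory=set)  # controls actually in place
    owner: str = ""                             # resource owner (authorizes RBAC rights)
    custodian: str = ""                         # resource custodian (implements them)


def classify(data):
    """Highest quartile present.  Unknown elements default to 3 (sensitive) so an
    unlabelled field is reviewed rather than silently treated as harmless."""
    return max((FIELD_SENSITIVITY.get(f, 3) for f in data), default=1)


def gaps(loc):
    """Controls required for the location's quartile that are not in place."""
    present = set(loc.controls)
    if loc.owner:
        present.add("owner")
    if loc.custodian:
        present.add("custodian")
    return REQUIRED_CONTROLS[classify(loc.data)] - present


def inventory_report(locations):
    """[(location, quartile, sorted missing controls)] with the most sensitive first."""
    rows = [(loc.name, classify(loc.data), sorted(gaps(loc))) for loc in locations]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


# Constructed inventory for a hypothetical hospice.
SAMPLE_INVENTORY = [
    Location("EHR database", {"name", "dob", "medical_info", "health_insurance_id"},
             controls={"rbac", "encryption", "ba_due_diligence"},
             owner="Clinical Director", custodian="DBA"),
    Location("Billing shared folder", {"name", "account_number", "payment_card"},
             controls={"rbac"}, owner="Finance Director"),
    Location("Marketing Box folder", {"name", "email", "phone"},
             controls={"rbac"}, owner="Marketing Manager"),
    Location("Web analytics", {"session_cookie", "ip_address"}),
]

if __name__ == "__main__":
    for name, quartile, missing in inventory_report(SAMPLE_INVENTORY):
        print(f"{name}: quartile {quartile}, missing {missing or 'nothing'}")
```

Two design points carry over to a real inventory: a location's class is the highest class of anything it holds (one payment card column makes the whole billing share quartile 4), and an unrecognised data element is treated as sensitive until someone classifies it, so the report surfaces the gap instead of hiding it.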

Risk-maturity based controls evaluation: evaluate maturity using the NIST Cybersecurity Framework's RM Implementation Tiers

Controls evaluation worksheet columns (rows numbered 1-7 in the template):

# | Established Performance Criteria | Audit Procedures | Control Effectiveness (1-4, or 1-10) | Current profile RM tier (existing controls, 1-4) | Target profile RM tier (new or strengthened controls, 1-4)

The established performance criteria come from the HHS HIPAA Audit Protocol (1. Privacy Rule, 2. Breach Notification Rule, 3. Security Rule); the ERM evaluation uses the NIST Cybersecurity Framework's Risk Management ("RM") Implementation Tiers (1. Partial, 2. Risk Informed, 3. Repeatable, 4. Adaptive).

RM Implementation Tiers in the NIST Cybersecurity Framework

Tier definitions

1 PARTIAL
▪ RM Process: informal, ad hoc (and sometimes reactive) RM practices. Prioritization of RM may not be directly informed by organizational risk objectives, the threat environment, or business requirements.
▪ Integrated RM Program: limited RM awareness. RM implemented on an irregular, case-by-case basis. Processes do not enable risk information to be shared within the organization.
▪ External Actions: no processes in place to share information with other entities.

2 RISK INFORMED
▪ RM Process: management-approved RM practices that are not established in organization-wide policy. Prioritization of RM is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
▪ Integrated RM Program: risk awareness but informal RM. RM procedures are implemented. Staff have adequate resources to perform their RM duties. Risk information is informally shared within the organization.
▪ External Actions: awareness, but no formalized capabilities to interact and share information externally.

3 REPEATABLE
▪ RM Process: formal RM practices in policy. RM practices are regularly updated based on changes in business requirements and a changing threat and technology landscape.
▪ Integrated RM Program: formal RM and policies/procedures are implemented/reviewed and respond effectively to changes in risk. Personnel possess the knowledge/skills to perform their appointed roles/responsibilities.
▪ External Actions: understands dependencies and collaborates with and receives information from other entities.

4 ADAPTIVE
▪ RM Process: lessons learned and predictive indicators inform RM practices. Actively adapts to a changing risk landscape and responds to evolving/sophisticated threats in a timely manner.
▪ Integrated RM Program: RM is part of the culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on systems/networks.
▪ External Actions: collaborates to ensure accurate, current information to improve RM actions before events occur.

4 data states: evaluate control effectiveness in each of these data states

Data at Rest: structured data: database, online backup, offsite backup, printer/scanner hard drive, fax server; unstructured: shared/restricted folders
Data in Motion: email, SFTP, fax, point-to-point
Data at Endpoints: desktops, laptops, tablets, mobile phones, USB devices, DVDs/CDs
Data at Disposal/Destruction: paper shredding, electronic device/data wiping/destruction

HHS HIPAA Audit Protocol Changes

Number of requirements, previous version → updated version:

Breach Notification Rule: 10 → 19
Privacy Rule: 78 → 89
Security Rule: 77 → 72
Total: 165 → 180

Comments:
• Some previous criteria were consolidated, others broken out into separate requirements, and new requirements added.
• Every requirement must be expressed in policies and procedures, many must be addressed in training, and many also require documentation or evidence of compliance that a regulator can review.
• It is very easy to be found not in compliance when you have to fulfill a "requested documents list" as a result of an inquiry, investigation, or audit.

Risk assessment and management

Formal risk assessment process
▪ Formalize with an attorney-client privilege process
▪ Invite appropriate participants and appoint a facilitator and record keeper
▪ Identify risks through brainstorming using data mapping and other tools
▪ Determine the effectiveness of existing controls
▪ Determine the likelihood of occurrence and the severity of impact
▪ Rank based on total risk value and determine the material risks requiring a response
▪ Assign a risk owner and agree on the risk response based on the organization's risk tolerance

Risk mitigation planning and execution
▪ Develop risk mitigation plans including milestones
▪ Ensure mitigation plans are developed into requirements, implemented, and tested prior to roll-out

Approval and tracking by the Privacy Steering Committee
▪ Obtain approval of identified and material risks, risk owners, risk responses, and mitigation plans
▪ Track / report on implementation progress of mitigation plans

Update policies/SOPs and training as appropriate

Basic risk assessment template

Column groups: Risk Scope | Controls Evaluation | Risk Valuation

Columns: # | Risk | Scope In/Out | Domain / Domain Owner | Key Potential Root Causes | Existing Key Controls | Controls Effectiveness (1-4 or 1-10) | Potential Effects / Impacts | Net Likelihood (1-7) | Net Impact (1-6) | Net Loss (1-7)

Example row (#5): Net Likelihood = Medium, Net Impact = Damaging, Net Loss = High

Net Loss scale: Negligible, Very Low, Low, Medium, High, Very High, Extreme

5 Risk Responses

▪ Accept: the business decides to accept the current level of risk because a) the mitigation costs outweigh the benefits, or b) the key causes are out of its control (an inescapable part of doing business)
▪ Avoid: eliminate a process or product to avoid the risk or condition, as the risks outweigh the rewards (e.g., remove from the project plan the installation of a faulty slide that could hurt children)
▪ Transfer/Share: contractually shift or share the consequences of a risk to a third party, or insure the risk
▪ Monitor: temporarily delay selecting another response until more information, usually research, is obtained; the timeframe should be agreed upon (usually no more than 30-60 days) and tracked
▪ Mitigate: improve control effectiveness to bring the risk to an acceptable threshold, either by reducing the frequency and/or the effect

Rationales and approving authorities must be documented for all responses

Controls effectiveness scale: the greater the risk, the stronger the controls should be

Scale | Controls | Examples
10 | preventive, detective & corrective controls | IPS, account lock-out on failed log-ins
7-9 | preventive and detective controls |
4-6 | preventive controls | privacy/security-by-design, policies/SOPs, training (awareness/on-the-job), keycards, authentication, RBAC system controls, encryption, hardening, firewalls/IDS, real-time log correlation/response, white/black listing, code testing prior to release, DLP, database activity monitoring
1-3 | detective controls | risk assessments, control evaluations, alerts, reports, periodic review of logs, file integrity monitoring, vulnerability scans, penetration testing, threat watch
0 | no controls |

▪ Controls must be documented in a procedure, implemented, tested, monitored, and trained on where appropriate.
▪ Higher control effectiveness rankings within a category are based on multiple layers of controls: defense in depth.
▪ Controls can take into account the company's size, complexity, and capabilities; the reasonability standard; cost vs. benefit; and the company's administrative, physical, and technical infrastructure.

Basic risk mitigation planning template

Column groups: Risk Response | Risk Mitigation | Status Update | Post Mitigation Valuation

Columns: # | Risk | Risk Response | Mitigation Plan Owner | Mitigation Strategy | Action Plans | Planned Due Date | On-Track Completion Progress (G, Y, R) | Controls Effectiveness (1-10) | Post Mitigation Likelihood (1-7) | Post Mitigation Impact (1-6) | Post Mitigation Loss (1-7)

On-Track Completion Progress (Green, Yellow, Red) allows a quick status update and a prompt to inquire about issues/obstacles where appropriate

Post Mitigation Loss: Negligible, Very Low, Low, Medium, High, Very High, Extreme
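The two templates above score a risk on likelihood (1-7), impact (1-6), controls effectiveness (0-10) and net loss (1-7), and then re-score it after mitigation. What follows is an added example, not a tool from the presentation, that implements that valuation in Python so a register can be ranked against a tolerance and mitigation plans re-valued the same way every time. The deck supplies the scales and the loss labels; the likelihood and impact label sets, the way controls effectiveness discounts likelihood, and the product-to-loss bands are assumptions for this example (the bands were chosen so that the deck's sample row, Medium likelihood with Damaging impact giving High loss, holds). The check_response helper encodes the deck's rules that every response carries a documented rationale and approving authority, that material risks are approved by the Privacy Steering Committee, and that a monitor response carries a tracked review date within 60 days. The register entries are constructed.

```python
"""Added example (not from the presentation): value a risk register on the
deck's scales and re-value after mitigation.

Scales taken from the deck: likelihood 1-7, impact 1-6, controls
effectiveness 0-10, net loss 1-7 (Negligible .. Extreme).  Assumptions made
for this example: the likelihood and impact label sets, the discount of
inherent likelihood by controls effectiveness, and the product-to-loss
bands (chosen so that the deck's sample row Medium x Damaging = High holds)."""
from dataclasses import dataclass
from datetime import date, timedelta

LOSS_LABELS = ["Negligible", "Very Low", "Low", "Medium", "High", "Very High", "Extreme"]
LIKELIHOOD_LABELS = ["Rare", "Unlikely", "Possible", "Medium", "Likely",
                     "Very Likely", "Almost Certain"]                       # assumed
IMPACT_LABELS = ["Insignificant", "Minor", "Moderate", "Damaging", "Severe",
                 "Catastrophic"]                                            # assumed
RESPONSES = {"accept", "avoid", "transfer", "monitor", "mitigate"}          # the deck's 5
MONITOR_MAX_DAYS = 60          # deck: "usually no more than 30-60 days and tracked"
STEERING_COMMITTEE = "Privacy Steering Committee"
# Upper bound of (net likelihood x impact), range 1..42, for loss levels 1..7 (assumed)
LOSS_BANDS = [2, 5, 9, 15, 23, 34, 42]


@dataclass
class Risk:
    ref: int
    name: str
    likelihood: int   # inherent likelihood, 1-7
    impact: int       # impact if it occurs, 1-6
    controls: int     # existing controls effectiveness, 0-10
    owner: str = ""


def net_likelihood(likelihood, controls):
    """Discount inherent likelihood by controls effectiveness, never below 1."""
    if not (1 <= likelihood <= 7 and 0 <= controls <= 10):
        raise ValueError("likelihood must be 1-7, controls 0-10")
    return max(1, round(likelihood * (10 - controls) / 10))


def net_loss(likelihood, impact):
    """Map net likelihood x impact onto the 1-7 loss scale."""
    if not 1 <= impact <= 6:
        raise ValueError("impact must be 1-6")
    product = likelihood * impact
    return next(level for level, top in enumerate(LOSS_BANDS, start=1) if product <= top)


def value(risk):
    """(net likelihood, net impact, net loss) for one register row."""
    nl = net_likelihood(risk.likelihood, risk.controls)
    return nl, risk.impact, net_loss(nl, risk.impact)


def labelled(risk):
    nl, ni, loss = value(risk)
    return LIKELIHOOD_LABELS[nl - 1], IMPACT_LABELS[ni - 1], LOSS_LABELS[loss - 1]


def rank(risks, tolerance):
    """Rows (ref, name, net loss, material?) ranked by net loss; material = above tolerance."""
    rows = []
    for r in risks:
        loss = value(r)[2]
        rows.append((r.ref, r.name, loss, loss > tolerance))
    return sorted(rows, key=lambda row: -row[2])


def check_response(risk, tolerance, response, rationale="", approver="",
                   review_date=None, today=None):
    """Return a list of problems with a proposed response (empty = acceptable):
    every response needs a documented rationale and approving authority,
    material risks are approved by the Steering Committee, and 'monitor'
    needs a tracked review date within MONITOR_MAX_DAYS.  Dates are ISO strings."""
    problems = []
    if response not in RESPONSES:
        problems.append(f"unknown response {response!r}")
    if not rationale or not approver:
        problems.append("rationale and approving authority must be documented")
    if value(risk)[2] > tolerance and approver != STEERING_COMMITTEE:
        problems.append(f"material risk: response must be approved by the {STEERING_COMMITTEE}")
    if response == "monitor":
        start = date.fromisoformat(today) if today else date.today()
        deadline = start + timedelta(days=MONITOR_MAX_DAYS)
        if review_date is None or date.fromisoformat(review_date) > deadline:
            problems.append(f"monitor needs a tracked review date within {MONITOR_MAX_DAYS} days")
    return problems


def post_mitigation(risk, new_controls, new_impact=None):
    """Re-value once a mitigation plan raises controls effectiveness (and may lower impact)."""
    mitigated = Risk(risk.ref, risk.name, risk.likelihood,
                     new_impact or risk.impact, new_controls, risk.owner)
    return value(mitigated)


# Constructed sample register; scores are illustrative, not the hospice's.
SAMPLE_REGISTER = [
    Risk(1, "Unencrypted laptop with ePHI lost or stolen", 6, 5, 2, "IT Director"),
    Risk(2, "Phishing leads to EHR credential theft", 5, 4, 4, "CISO"),
    Risk(3, "Ransomware on a flat network disrupts operations", 4, 6, 3, "IT Director"),
    Risk(4, "Leased copier returned with PHI on its hard drive", 3, 3, 0, "Facilities"),
]

if __name__ == "__main__":
    for ref, name, loss, material in rank(SAMPLE_REGISTER, tolerance=4):
        print(f"#{ref} {name}: {LOSS_LABELS[loss - 1]}{' (material)' if material else ''}")
    # Encryption by default on laptops: controls effectiveness 2 -> 7
    print("risk 1 after mitigation:", post_mitigation(SAMPLE_REGISTER[0], 7))
```

Whatever formula an organization settles on, the point of writing it down is that the pre- and post-mitigation columns of the two templates are computed the same way, so a Green status on the mitigation plan can be checked against an actual drop in net loss rather than asserted.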

Assessing and Mitigating Risk

Annual risk assessment
▪ Enterprise-oriented

Privacy impact assessment (PIA) (Privacy/Security-by-Design)
▪ Work with the CPO/CISO to define requirements for new / enhanced resources, and implement and test them prior to rollout (e.g., agile teams, product development, etc.)

▪ Executives should assign owners to resources within their organizational control (or by default they become the owner)
▪ Resources: products/services, processes, applications, internal / external systems, technologies, service providers/partners
▪ Resource Owners are responsible for ensuring RBAC design (now and in the future), authorizing RBAC rights, and periodically reviewing RBAC rights for accuracy
▪ Resource Custodians are responsible for Privacy/Security-by-Design implementation of assigned resources

3 Important Risk Mitigation Activities

▪ Thin / zero client or virtual desktop infrastructure (VDI) to access PII
▪ Segmented network vs. flat network
▪ Encryption by default
  ─ mobile devices, e.g., laptops, USBs, cell phones, etc.
  ─ desktops when individuals have RBAC rights to PII
  ─ servers
  ─ backups

Summary of key points

✓ Compelling business case for privacy, yet many compliant organizations continue to suffer breaches
✓ No absolute privacy: compliance is not enough
✓ Breaches are inevitable despite reasonable efforts; you must assume resulting investigation(s) and lawsuits
✓ Be prepared to fulfill requested documents and legally defend your actions / inactions to regulator(s) and plaintiff attorney, judge, or jury
✓ Achieving a legally defensible posture better protects an organization and its patients
✓ ERM establishes a legally defensible system by creating accountability for risk and making informed decisions within a company's risk tolerance

Next Steps

First step: have a gap assessment done by an independent firm (under attorney-client privilege)
▪ Create data flow, inventory, and locations map
▪ Conduct a controls evaluation of your current program against applicable regulations and standards
▪ Perform a risk assessment
▪ Provide a report of findings and a prioritized roadmap for you to establish or strengthen your program
▪ Areas of focus include HIPAA, NIST Cybersecurity Framework, SEC Cybersecurity Alert, Big Data, cloud strategies, mobile, etc.

Second step: implementation
▪ Assistance with custom implementation of the first-step recommendations, including policies and procedures; an effective transfer of knowledge and all the tools are provided to enable you to establish a privacy and security program that is sustainable and legally defensible.

But the cybersecurity gap is growing: you must assume you will be breached, and thus investigated and sued.

Life-changing impact on compromised individuals: when customers are compromised, so is the business

PHI / PII identifiers | Theft category | Useful for/to

Employee PHI/PII | Employee data, emails | E.g., the consequences of Sony's breach
Name, address, phone #s, email addresses | Basic personal identification data | Spamming, data mining, profiling, appending to re-identify
DOB, SSN, driver's license | Non-public identifiers | Committing all kinds of ID theft
User ID, password, security questions | Logon credentials | Access to all kinds of PHI/PII
Payment card, bank account | Financial data | Financial fraud, billing scams, theft
Medical insurer ID # | Insurance data | Obtaining medical goods, services & prescriptions: billing fraud & medical record compromise (could harm/kill)
Blood type, allergies, symptoms, conditions, prescriptions | Health data | Supporting medical ID theft (see above)
Request for/receipt of genetic test, sample, markers, predispositions | Genetic data | Discrimination (life/disability/long-term care insurance), reputation risks

Risk-based privacy practices: embed ERM into daily decision-making for legal defensibility

Principle | Explained | Examples / comments

Legal Defensibility | Compliance is not adequate privacy / security; however, there is no absolute privacy / security (more on this in a moment) | Understand common root causes of breaches (VB DBIR, Top 20 CSC)
Risk Governance Model | Institutionalize accountability and clear roles and responsibilities | Governance Committee, Privacy and Security Officials, clear roles and responsibilities
Data Flow, Locations and Inventory Mapping | Document end-to-end privacy data flows and locations (resources) and identify the highest data sensitivity; informs the risk assessment | Document owner, swim-lane process owners, resource owners, resource custodians
Data Sensitivity Drives a Risk-Based Approach | Determine the strength of controls based on data sensitivity levels: highly sensitive, sensitive, slightly sensitive, not sensitive | Pre-contract due diligence and periodic monitoring of service providers, role-based access controls
Privacy/Security-by-Design | Embed risk assessments in daily decision-making (not just annually); use privacy impact analysis in the SDLC | FTC / Dep't of Commerce argued for this vs. more prescriptive EU regulations (self-regulatory: be responsible)
Overarching Risk Prevention Strategies | Establish key strategies that mitigate risk | Thin client to access PII (solves many risks), isolate PII on a separate network, encryption by default

Event vs. Incident vs. Breach: definitions

1. EVENT (policy): an observable privacy / infosec issue, e.g., a violation of policy, that must be reported to an InfoSec Team member. E.g., an unencrypted USB drive, or no password-enabled screensaver.

2. INCIDENT (policy): attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations in an information system. E.g., attempted insider theft or external hacking.

3. Reportable BREACH
▪ HIPAA: acquisition, access, use, or disclosure of unsecured PHI not permitted by the Privacy Rule which compromises the security or privacy of the PHI, based on 4 risk factors. E.g., confirmation that PHI of patients / workforce members has been compromised.
▪ CA law: unauthorized access, use, or disclosure of PHI [Confidentiality of Medical Information Act (CMIA)]. E.g., peeking at the medical record / report of a celebrity, politician, friend, relative, neighbor, etc.
▪ Other state laws have no "unsecured" requirement.

▪ Every event must be reported to the CPO/InfoSec Team regardless of whether it leads to a breach; the Verizon Business DBIR finds that those who violate policies increase the organization's breach risk
▪ Policy violators must face sanctions (the company's progressive disciplinary measures)

U.S. Sentencing Guidelines for Effective Compliance Programs (for remedying harm from criminal conduct and an effective compliance and ethics program)

Seven criteria used by state AGs and regulatory authorities to determine corporate culpability and impose appropriate sanctions:

1. Designate a privacy/security official for day-to-day compliance and clearly define roles and responsibilities for personnel, management, and the executive governance committee
2. Establish written, comprehensive policies, procedures, and standards to prevent and detect criminal conduct / unacceptable behavior and promote a culture of compliance
3. Conduct on-boarding and annual training and continual education; communicate company standards/procedures to officers, employees, and agents as appropriate
4. Develop open lines of communication for reporting security incidents and other compliance issues, including an anonymous hotline and exit interviews to uncover unreported issues
5. Monitor and self-audit by regularly conducting risk assessments and control assessments, reporting program effectiveness to the executive governance committee, and continually updating and improving the program
6. Respond appropriately to incidents and take steps to prevent recurrence, including investigation, mitigation plans, and, as appropriate, breach notification
7. Ensure consistent enforcement and discipline of violations of well-publicized policies to demonstrate program credibility and integrity and commitment to compliance, and to prevent recurrence

Regulators refer to this as a "culture of compliance"

Center for Internet Security's Top 20 Critical Security Controls for Effective Cyber Defense

Strengthens the 19-year-old HIPAA Security Rule with a well-vetted "standard of care"

Originally developed by the Consortium for Cybersecurity Action, which includes government agencies and private organizations such as SANS, Verizon Business, American Express, Booz Allen Hamilton, Center for Internet Security, Core Security, Department of Defense Cyber Crime Center, Defense Information Systems Agency, Goldman Sachs, McAfee, nCircle, Qualys, Tenable, Australian Government - Innovations, Citibank, Centre for the Protection of National Infrastructure, Department of Homeland Security, Department of Defense, Mandiant, Mitre, National Security Agency, Symantec, and others.

Tier 1. VERY HIGH
▪ Inventory of Authorized & Unauthorized Devices (1)
▪ Inventory of Authorized & Unauthorized Software (1)
▪ Secure Configurations for Hardware & Software on Mobile Devices, Laptops, Workstations, & Servers (1a.)
▪ Continuous Vulnerability Assessment & Remediation (1a.)

Tier 2. HIGH
▪ Application Software Security
▪ Wireless Device Control

Tier 3. HIGH / Medium
▪ Malware Defenses
▪ Security Configurations for Network Devices, e.g., Firewalls, Routers, & Switches
▪ Limitation & Control of Network Ports, Protocols, & Services
▪ Controlled Use of Administrative Privileges
▪ Boundary Defense

Tier 4. Medium
▪ Data Recovery Capability
▪ Security Skills Assessment & Appropriate Training to Fill Gaps
▪ Maintenance, Monitoring, & Analysis of Audit Logs
▪ Controlled Access Based on Need to Know
▪ Account Monitoring & Control
▪ Incident Response & Management

Tier 5. Medium / Low
▪ Data Loss Prevention

Tier 6. Low
▪ Secure Network Engineering
▪ Penetration Tests & Red Team Exercises

Tiers are based on an assessment by the NSA alone. All are considered important controls; the tiers may help with prioritization of efforts.

First 5 quick wins: application white-listing; using common, secure configurations; patching application software within 48 hours; patching system software within 48 hours; reducing the number of users with administrative privileges.

Verizon Business no longer includes a list of remediation recommendations with its common root cause findings in its annual Data Breach Investigations Report, and instead refers to the SANS Top 20 CSCs.