Social engineering: often used in conjunction with blind and double-blind testing, social engineering is gaining critical or sensitive information through social interaction, typically with the organization's employees, suppliers, and contractors. Techniques may include posing as a representative of the IT department's help desk and gaining users' account and password information, posing as an employee and gaining physical access to restricted areas, intercepting mail, or even dumpster diving to search for sensitive materials. It tests whether the organization's people contribute to, or prevent, unauthorized access to information and information systems.
Security posture is not static. It is dynamic and can change based on the quality of the continued execution of the program elements. Maintaining a given security posture therefore requires active management of the security program.
Proprietary is not always more secure. Open source software is often misunderstood as "free" software. With open source software, the source code is available to the user or purchaser, whereas with most software, only the executable or object code is available. The security implications are debated, but most believe that users' ability to examine open source code results in systems with fewer unanticipated vulnerabilities.
Record keeping is mandatory. The OSI (Open Systems Interconnection) model was first defined and published as an international standard (ISO/IEC 7498-1) in 1984 and last revised in 1994. Strengths: established, flexible. Weaknesses: complex. Encapsulation is the process of wrapping the data with headers, and sometimes trailers, before sending. Layering separates the function of each layer. The TCP/IP model functions like the OSI model and maps to it; it is simpler and network centric, but does not describe the function of the application in enough detail. Does your organization keep records on, or otherwise keep track of, network, data, and system intrusions? How long are they kept? How about insider intrusions? Network security is a cornerstone for business operations because network connectivity provides an easy and consistent venue for an attack. Availability: uptime; here we look for single points of failure. Non-redundant components can be reinforced. Redundancy has to be built into a system at the network, application, and/or process level, including backup networks. Confidentiality: wireless networks are vulnerable to sniffing. Message protection: non-repudiation is the assurance that a specific author did actually send a specific item to a specific recipient. Effective non-repudiation is accomplished through the use of digital signatures and encryption. High redundancy. 8) Defense in depth: hurdles.
Network attackers: whatever the type of attack, an attacker would take the path of least resistance. Most known issues are known to both the defender and the attacker. It is important to have a documented topology. Single points of failure are to be avoided. Wireless 802.11: from the wired network to the station; wireless local area networks. Both wireless and wired technologies are susceptible to sniffing (the collection of network traffic). Cloud computing is the provisioning of IT services over the cloud, the internet. The term cloud is based on the depiction of the internet as a cloud. Some of the services provided in the cloud are data storage, software, security, communications, etc. Security issues: since the services are being provided by a third party, trust is a major concern. Connections: VPN? Sharing of data. Cross-border data transfer: where cloud services are provided, it may be challenging to ensure compliant cross-border transmission of traffic. Network partitions: firewalls are used to separate trusted from untrusted networks; again, no single points of failure, defense in depth, stateful inspection. A complete firewall solution would have the firewall handling traffic and denying or permitting access correctly (the functional requirement), and the logging and monitoring aspect addressing the assurance requirements of the firewall solution by ensuring that the firewall is working properly and providing the expected level of protection in relation to the risks that the firewall was intended to control.
There are a number of risk assessment models available: OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), NIST SP 800-30, SSE-CMM (System Security Engineering Capability Maturity Model), and others.
Administrative Categories to Assess
Review of Policies and Procedures: Implementation; Enforcement
Penetration Testing: Vulnerabilities; Demonstration; Logs; Walkthrough
Technical Safeguards: Detailed wired/wireless network designs; Secure workstation use (documentation of specific guidelines for each class of workstation); Procedures for encryption and decryption of EPHI
Physical Safeguards: Data Backup and Storage; Disposal
Administrative Safeguards: Risk Management Methodology; Information Access Management; Security Awareness and Training; Privacy Policies; Business Associate Agreements
Quantitative: estimate single loss expectancy (SLE), annualized rate of occurrence (ARO), and annual loss expectancy (ALE) in order to estimate potential losses.
An organization should take positive, proactive actions. National Institute of Standards and Technology: Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President, under the Executive Order "Improving Critical Infrastructure Cybersecurity", has directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. The Framework will consist of standards, guidelines, and best practices to promote the protection of information and information systems supporting critical infrastructure operations. The prioritized, flexible, repeatable, and cost-effective approach of the framework will help owners and operators of critical infrastructure to manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties. Vulnerability Assessment Tools: An audit trail is a record of system activities. More specifically, an audit trail is a chronological record of system activities that makes possible the reconstruction, review, and examination of the sequence of activities, which can then be used to indicate a possible intrusion or to investigate an incident. Data generated by system, network, application, or user activities are recorded. The configuration of an audit trail should include data about network connections, system-level events, application-level events, and user-level events (i.e. keystroke activity), together with event filtering. It may be necessary to use some type of event filtering or clipping level. Attackers often try to scrub audit logs to cover their attacks. Penetration testing (pen tests, also called ethical hacking) consists of a formal set of steps and procedures similar to those tricks and techniques an intruder would be likely to use.
The purpose is to evaluate how well the enterprise can thwart an attack and how it might be compromised by a potential attack.
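The two audit-trail ideas above (a clipping level on an event count, and the tell-tale holes left when records are scrubbed) as an added example that is not part of the original slides; the record format `seq|time|user|event`, the sample trail, the clipping level of 3 and the 5-minute window are all constructed for illustration.

```python
"""Audit-trail review with a clipping level and a scrubbing (gap) check.

Added example, not from the original slides. Record format is constructed:
"<seq>|<ISO time>|<user>|<event>", one record per line.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample trail. Sequence numbers 7 and 8 are missing, which is
# the kind of hole left behind when someone deletes records to cover tracks.
SAMPLE_AUDIT = """\
1|2013-03-18T08:00:01|alice|LOGIN_OK
2|2013-03-18T08:01:10|bob|LOGIN_FAIL
3|2013-03-18T08:01:15|bob|LOGIN_FAIL
4|2013-03-18T08:01:21|bob|LOGIN_FAIL
5|2013-03-18T08:01:30|bob|LOGIN_FAIL
6|2013-03-18T08:02:02|bob|LOGIN_OK
9|2013-03-18T08:10:00|carol|LOGIN_FAIL
10|2013-03-18T08:40:00|carol|LOGIN_FAIL
11|2013-03-18T09:20:00|carol|LOGIN_FAIL
12|2013-03-18T09:21:00|carol|LOGIN_FAIL
"""

CLIPPING_LEVEL = 3          # failures tolerated before an alert is raised
WINDOW = timedelta(minutes=5)


def parse_audit(text):
    """Turn the raw trail into (seq, time, user, event) tuples."""
    records = []
    for line in text.splitlines():
        seq, ts, user, event = line.split("|")
        records.append((int(seq), datetime.fromisoformat(ts), user, event))
    return records


def sequence_gaps(records):
    """Sequence numbers missing from a trail that should be contiguous."""
    seqs = sorted(r[0] for r in records)
    expected = set(range(seqs[0], seqs[-1] + 1))
    return sorted(expected - set(seqs))


def clipping_alerts(records, level=CLIPPING_LEVEL, window=WINDOW):
    """Users whose LOGIN_FAIL count exceeds `level` inside any `window`."""
    failures = defaultdict(list)
    alerts = []
    for _, ts, user, event in sorted(records, key=lambda r: r[1]):
        if event != "LOGIN_FAIL":
            continue
        recent = [t for t in failures[user] if ts - t <= window]
        recent.append(ts)
        failures[user] = recent
        if len(recent) > level and user not in alerts:
            alerts.append(user)
    return alerts


def review(text):
    """Combine both checks into one report for the reviewer."""
    records = parse_audit(text)
    return {"gaps": sequence_gaps(records), "alerts": clipping_alerts(records)}


if __name__ == "__main__":
    print(review(SAMPLE_AUDIT))   # {'gaps': [7, 8], 'alerts': ['bob']}
```

Carol's four failures are spread over more than an hour, so the clipping level filters them out as noise, while Bob's burst crosses it within one window.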
Core Measure 15: Regardless of which risk assessment process is selected, there is likely to be a gap or a need for a corrective action plan.
Analyze current state: identify assets, threats, vulnerabilities and business impact; perform a technical risk assessment through appropriate testing; review existing control documentation; interview key personnel to understand concerns.
Develop a strategy for improvement or a corrective action plan: prioritize identified risks and exposures; perform root cause analysis; develop potential solutions; prepare recommendations for improvements; assess existing versus target process maturity.
Communicate and manage risk: consider high-level strategies to facilitate improvement; rate proposed recommendations by impact and success potential; prepare a business case for identified solutions.
Risk Mitigation: risk appetite; prioritization; approaches to dealing with risk (accept risk, transfer risk, eliminate risk, reduce risk); an evolving process.
Best practices
Firewalls
Physical security systems: electronic access control systems, badging systems, CCTV, etc.
Encryption of critical data in transit
Role-based access control
Intrusion detection systems monitored by a person
Information assurance technologies that track access and use of organizational data
Automated patch management
Intrusion detection systems monitored by automated systems with built-in alarms
Two-factor authentication
Wireless monitoring
Keystroke monitoring of individual users
INFORMATION SECURITY FOR INFORMATICS PROFESSIONALS. Amy M. Walker, MS, RN, CPHQ, FACHE, NEA-BC. CEO, OptimizeIT Consulting LLC. Healthcare IT Strategist. A Proud EDWOSB, Cage Code 6TH50.
Amy Walker, MS, RN, CPHQ, FACHE, NEA-BC. Healthcare System Critical Care RN, Certified, and Nurse Manager. Director of Informatics. CIO Boot Camp, CHIME. Chief Clinical Information Officer (CCIO). Technology Provider: Large-Scale Development, Implementation, Strategic Account Management, Consulting. DoD Health Affairs: HIPAA, Healthcare Compliance, Security, and Data Exchange. Interim CIO. Entrepreneur. Fellow in the American College of Healthcare Executives. Certified as a Healthcare Quality Professional. Certified as an Advanced Nurse Executive. 2010 President of the National Capital of Healthcare Executives. Nominated Member of the Women's Business Leaders of the U.S. Healthcare Industry Foundation.
We Will Discuss Today: IT Security Pillars; How to Appropriately Construct Policies and Procedures; Develop, Implement, Enforce Security Standards; Risk Assessment and Effective Strategies; System Architecture and Design; An Overview of Security Issues and Solutions.
SWOT Analysis. Strengths: Identified Security Officer; Tight Integration Between Roles. Weaknesses: Knowledge Deficit; Not Practicing to Standards; Deficient Risk Assessment Process. Opportunities: Are Great. Threats: Are Great.
Obama meets with CEOs to push cyber-security legislation. The meeting, in hopes of getting the stalled legislation passed, comes a day after intelligence officials warn of the threat to national security. March 13, 2013 | By Ken Dilanian and Jessica Guynn, Los Angeles Times. "What is absolutely true is that we have seen a steady ramping up of cyber-security threats," President Obama said on ABC's "Good Morning America." "Some are state-sponsored. Some are just sponsored by criminals." (Evan Vucci / Associated Press)
Security Problems Hit Close To Home

Dear user:

As a follow up to our last email communication about the identified security vulnerability in the XYZ system, the U.S. General Services Administration (GSA) is taking all possible steps to protect and inform xyz users, especially those that use their social security numbers for purposes of doing business with the federal government.

Your entity's data has been identified to be at greater risk for potential identity theft because you used your social security number as your Tax Identification Number to do business with the federal government.

This vulnerability enabled government entity administrators and delegated entity registration representatives to potentially gain access to information of any entity's registration -- enabling visibility of entity management data at all sensitivity levels.

As a precaution, GSA is taking proactive steps to protect and inform xyz users. The agency is offering users at higher risk, like you, access to credit monitoring services and will follow up with information about these services.

If you wish to take additional steps to protect against possible identity theft, visit www.xyz for specific information. If you would like additional background or have questions, you may call 1-800-FED-INFO (1-800-333-4636), from 8 a.m. to 8 p.m. (ET), Monday-Friday starting Monday, March 18. We recommend that you monitor your bank accounts and notify your financial institution immediately if you see any discrepancies.

We apologize for any inconvenience or concern this situation may cause. We believe it is important for you to be fully informed of any potential risk resulting from this incident. The security of your information is a critical priority to us and we will work to ensure the system remains secure.

Sincerely,
In the News: Forget hackers, the fool next to you is the real threat.
Internet Security Alliance. Larry Clinton, the longtime head of the Internet Security Alliance, delivered the keynote at the March PHI Protection Forum. Mr. Clinton focused on PHI security and privacy; he cited an important study of the state of health care information security, PWC's 2013 State of Info Security Survey data regarding health care organizations.
PWC's 2013 State of Info Security Survey. Most executives in the HC industry are confident in the effectiveness of their security practices. They believe their strategies are sound and many consider themselves to be leaders in the field. (And yet, only) 42% have a strategy & (are) proactive in executing it. Of the 4 key criteria of information security leadership, ONLY 6% RANK AS LEADERS. 60% do NOT have a policy for third parties to comply with privacy policies. 73% use mal code detection tools; DOWN 16%. 48% use tools to find unauthorized devices; DOWN 14%. 51% use intrusion detection tools; DOWN 19%. Source: PWC's 2013 State of Info Security Survey, http://www.pwc.com/gx/en/consulting-services/information-security-survey/index.jhtml
48% use vulnerability scanning tools; DOWN 15%. 31% DON'T KNOW when info sec is part of major projects; ONLY 18% at project inception. 90% of HC respondents say protecting employee & customer data is important, yet few know where the data is stored (43% have an accurate inventory of data). Adopting new technology (is outpacing) security, new technology referring to cloud 28%, mobile 46%, social media 45%, personal devices 51%. Source: PWC's 2013 State of Info Security Survey.
The Reasons? As noted by Larry: Lack of funding, 53%. 20% say top leadership "is an impediment to improved security." Only 43% report security breaches. Diminished budgets have resulted in degraded security programs; incidents are on the rise; new technologies are being adopted faster than safeguards. There are short-term economic incentives to be insecure (VoIP, use of personal devices, the Cloud). HC providers report lower $ loss from incidents, but many do not perform thorough or consistent analysis in appraising those losses, e.g. only 33% consider damage to brand as a financial loss.
June 26, 2012, Alaska Department of Health and Social Services. A USB hard drive possibly containing ePHI was stolen from the vehicle of a DHHS employee. DHHS did not have adequate safeguard policies and procedures in place. DHHS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce, implemented device and media controls, or addressed device and media encryption. Outcome: pay a $1.7 million fine and take corrective action to ensure compliance with the Security Rule. Source: Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press). Confidentiality, safety and security. In R. Nelson & N. Staggers, Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier.
April 17, 2012, Phoenix Cardiac Surgery. Staff were posting clinical and surgical appointments for patients on an Internet-based calendar that was publicly accessible. PC failed to implement adequate policies and procedures to safeguard patient information. PC failed to document that it trained any employees on policies and procedures. PC failed to identify a security official and conduct a risk analysis. PC failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI. Outcome: pay a $100,000 fine and develop a corrective action plan to ensure compliance with the Security Rule. Source: Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press). Confidentiality, safety and security. In R. Nelson & N. Staggers, Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier.
March 13, 2012, Blue Cross Blue Shield of Tennessee. Fifty-seven unencrypted computer hard drives were stolen from a leased facility. The drives contained the ePHI of more than 1 million individuals, including member names, Social Security numbers, diagnosis codes, dates of birth, and health plan identification numbers. BCBST failed to implement appropriate administrative safeguards by not performing the required security evaluation. BCBST failed to implement appropriate physical safeguards. Outcome: pay a $1.5 million fine and implement a corrective action plan to address gaps in its HIPAA compliance program. Source: Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press). Confidentiality, safety and security. In R. Nelson & N. Staggers, Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier.
Operations security (OPSEC) is a process that identifies critical information to determine if friendly actions can be observed by adversary intelligence systems, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.
Policies and Procedures: Acceptable Use; Access Control; Accreditation; Acquisition; Business Continuity; Certification; Change Control Management; Code of Ethics; Confidentiality; Data Classification; Internet Use.
System Architecture Components: Hardware; Firmware; Central Processing Units; Input/Output Devices; Software; Architectural Structures; Storage and Memory. Analyze the security risks, limitations, and positive attributes of each.
Open Source. A study by the MITRE Corporation, sponsored by the Defense Information Systems Agency, found extensive and diverse use of open software at the DoD, with over 100 open products being used in more than 250 applications. Security applications were most noted as a reason open source should be expanded. Widely used open security tools included SNORT, a lightweight intrusion detection tool used for plugging "network security holes when new attacks emerge", and SARA, the Security Auditor's Research Assistant, used for relatively straightforward network security risk analyses. The MITRE report lists more than 100 open source products that have demonstrated superior records of security and reliability.
The Abdus Salam International Centrefor Theoretical Physics
Risk Management Purpose. The purpose of an organization's risk management process should be to protect the organization and its ability to perform its mission, including but not limited to its IT assets. Risk is a function of the likelihood of a given threat source's exercising a particular vulnerability and the resulting impact of that adverse event. Source: NIST SP 800-30, www.csrc.nist.gov
Risk Analysis. Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization.
Details of a System Security Risk Assessment. Qualitative: scenario oriented; no $$ values; ranking of threats; performed to the goal of reasonableness. Quantitative: assign $$ values; resource intensive; more difficult to determine. Hybrid. Source: International Information Systems Security Certification Consortium, https://www.isc2.org/
Risk Assessment, SP 800-30
Step 1: System Characterization
Step 2: Threat Identification
Step 3: Vulnerability Identification
Step 4: Control Analysis
Step 5: Likelihood Determination
Step 6: Impact Analysis
Step 7: Risk Determination
Step 8: Control Recommendations
Step 9: Results Documentation
Steps 2, 3, 4, and 6 can be conducted in parallel after Step 1 has been completed.
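Steps 5 through 8 above, together with the qualitative-versus-quantitative choice and the SLE/ARO/ALE figures mentioned earlier in the notes, worked as an added example that is not part of the original slides; the likelihood and impact weights follow the risk-level matrix of the 2002 edition of NIST SP 800-30, while the register entries, dollar values and control cost are constructed.

```python
"""Risk determination (SP 800-30 Steps 5-8) with a quantitative ALE check.

Added example, not from the original slides. Qualitative scale taken from
the risk-level matrix in NIST SP 800-30 (2002): likelihood High/Medium/Low
= 1.0/0.5/0.1, impact High/Medium/Low = 100/50/10, and the product is
rated High (>50), Medium (>10 to 50) or Low (1 to 10). Assets, dollar
figures and control costs below are constructed for illustration.
"""

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


def risk_level(likelihood, impact):
    """Step 7, qualitative: combine likelihood and impact into a rating."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score > 50:
        return "High", score
    if score > 10:
        return "Medium", score
    return "Low", score


def ale(sle, aro):
    """Quantitative: annual loss expectancy = SLE x annualized rate."""
    return sle * aro


def control_worth_it(sle, aro_before, aro_after, annual_cost):
    """Step 8 helper: a control pays off when its ALE reduction exceeds its cost."""
    saving = ale(sle, aro_before) - ale(sle, aro_after)
    return saving - annual_cost > 0, saving


# Constructed risk register: (threat scenario, likelihood, impact, SLE $, ARO)
REGISTER = [
    ("Unencrypted laptop holding ePHI stolen", "Medium", "High", 250_000, 0.4),
    ("Appointments posted on a public calendar", "High", "Medium", 50_000, 1.0),
    ("Backup tape misfiled, later recovered", "Low", "Low", 5_000, 0.5),
]


def prioritized(register):
    """Rank register entries by qualitative score, then by ALE, highest first."""
    rows = []
    for name, lik, imp, sle, aro in register:
        level, score = risk_level(lik, imp)
        rows.append((name, level, score, ale(sle, aro)))
    return sorted(rows, key=lambda r: (r[2], r[3]), reverse=True)


if __name__ == "__main__":
    for row in prioritized(REGISTER):
        print(row)
    # Assumed: full-disk encryption cuts the laptop ARO from 0.4 to 0.05 at $30k/yr
    print(control_worth_it(250_000, 0.4, 0.05, 30_000))   # (True, 87500.0)
```

The two stolen-device scenarios tie on the qualitative scale, which is exactly where the quantitative ALE earns its keep as a tie-breaker.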
10 Best Practices for the Small Health Care Environment
Use Strong Passwords and Change Them Regularly (Passwords and Strong Authentication)
Install and Maintain Anti-Virus Software
Use a Firewall
Control Access to Protected Health Information
Limit Network Access
Plan for the Unexpected
Maintain Good Computer Habits (Software Maintenance)
Protect Mobile Devices
Establish a Security Culture
Source: CMS, Information Security Overview, http://cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/index.html?redirect=/InformationSecurity/
Overview of Healthcare IT Security Issues and Solutions: Lack of Effective Ecosystem Governance; Lack of Budget; Lack of Appropriate Risk Assessment with CAP; MU Core Objective and Measure 12; Core Objective and Measure 15; HIPAA Privacy and Security; Federal Regulations.
Overview of Healthcare IT Security Issues and Solutions: Attacks; Vulnerabilities; Complex Systems; Change Control; Doing More with Less; Mobile and Wireless Technologies; Outsourcing.
HITRUST. The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. The CSF is an information security framework that harmonizes the requirements of existing standards and regulations, including federal (HIPAA, HITECH), third party (PCI, COBIT) and government (NIST, FTC). As a framework, the CSF provides organizations with the needed structure, detail and clarity relating to information security tailored to the healthcare industry. The CSF is available through HITRUST Central.
"Retain absolute faith that you can and will prevail in the end, regardless of the difficulties, and at the same time confront the most brutal facts of your current reality, whatever they might be." (Jim Collins, Good to Great)
Thought Questions
1. In your own experience, what are your recommendations on the highest IT security priorities?
2. Are there resources related to IT security that you suggest must be given greater visibility?
3. What does your organization's SWOT analysis tell you?
References
CMS, Information Security Overview, http://cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/index.html?redirect=/InformationSecurity/
HITRUST, http://hitrustalliance.net/
International Information Systems Security Certification Consortium, https://www.isc2.org/
National Institute of Standards and Technology, http://csrc.nist.gov/publications/PubsSPs.html
Office of the National Coordinator, http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
PHI Protection Network, LinkedIn Group
PWC's 2013 State of Info Security Survey, http://www.pwc.com/gx/en/consulting-services/information-security-survey/index.jhtml
Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press). Confidentiality, safety and security. In R. Nelson & N. Staggers, Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier.
The Betterley Report, http://thebetterleyreport.wordpress.com/2013/03/18/larry-clinton-of-the-internet-security-alliance-and-some-startling-statistics-about-privacy-security-in-the-health-care-industry/?goback=%2Egde_4493923_member_223850708
The Operations Security Professional's Association, http://www.opsecprofessionals.org/
SWOT Analysis. Strengths: Identified Security Officer; Tight Integration Between Roles. Weaknesses: Knowledge Deficit; Not Practicing to Standards; Deficient Risk Assessment Process. Opportunities. Threats.
Thank You! Contact us at: 4031 University Drive, Suite 100, Fairfax, Virginia 22030. P: 703-283-4678. E: email@example.com. OptimizeIT Consulting LLC is a proud EDWOSB, Cage Code 6TH50.