Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Information+security rutgers(final)

588 views

Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Information+security rutgers(final)

  1. 1. INFORMATION SECURITY FORINFORMATICS PROFESSIONALSAmy M. Walker, MS, RN, CPHQ, FACHE, NEA-BCCEO OptimizeIT Consulting LLCHealthcare IT StrategistA Proud EDWOSB, Cage Code 6 TH50
  2. 2. Amy Walker MS, RN, CPHQ, FACHE,NEA-BC. Healthcare System Critical Care RN, Certified and Nurse Manager Director of Informatics, CIO Boot Camp-CHIME Chief Clinical Information Officer (CCIO) Technology Provider-Large Scale Development Implementation Strategic Account Management Consulting DoD Health Affairs HIPAA, Healthcare Compliance, Security, and Data Exchange Interim CIO Entrepreneur Fellow in the American College of Healthcare Executives Certified as a Healthcare Quality Professional Certified as an Advanced Nurse Executive 2010 President of the National Capital of Healthcare Executives Nominated Member of the Women’s Business Leader’s of theU.S. Healthcare Industry Foundation2
  3. 3. We Will Discuss Today IT Security Pillars How to Appropriately Construct Policies and Procedures Develop, Implement, Enforce Security Standards and Risk Assessment EffectiveStrategies System Architecture and Design An Overview of Security Issues and Solutions3
  4. 4. SWOT-Analysis• Identified Security Officer• Tight Integration Between RolesStrengths• Knowledge Deficit• Not Practicing to Standards• Deficient Risk Assessment ProcessWeaknesses• Are GreatOpportunities• Are GreatThreats4
  5. 5. 5Obama meets with CEOs to push cyber-security legislationThe meeting in hopes of getting the stalled legislation passedcomes a day after intelligence officials warn of the threat tonational security.March 13, 2013|By Ken Dilanian and Jessica Guynn, Los AngelesTimes"What is absolutely true is thatwe have seen a steady rampingup of cyber-security threats,"President Obama said on ABCs"Good Morning America." "Someare state-sponsored. Some arejust sponsored by criminals."(Evan Vucci / Associated Press)
  6. 6. Security Problems Hit Close To HomeDear user:As a follow up to our last email communication about the identified security vulnerability in the XYZ system , the U.S.General Services Administration (GSA) is taking all possible steps to protect and inform xyz users, especially those thatuse their social security numbers for purposes of doing business with the federal government.Your entity’s data has been identified to be at greater risk for potential identity theft because you used your socialsecurity number as your Tax Identification Number to do business with the federal government.This vulnerability enabled government entity administrators and delegated entity registration representatives topotentially gain access to information of any entity’s registration -- enabling visibility of entity management data at allsensitivity levels.As a precaution, GSA is taking proactive steps to protect and inform xyz users. The agency is offering users at higherrisk, like you, access to credit monitoring services and will follow up with information about these services.If you wish to take additional steps to protect against possible identity theft, visit www.xyz for specific information. If youwould like additional background or have questions, you may call 1-800-FED-INFO (1-800-333-4636), from 8 a.m. to 8p.m. (ET), Monday-Friday starting Monday, March 18. We recommend that you monitor your bank accounts and notifyyour financial institution immediately if you see any discrepancies.We apologize for any inconvenience or concern this situation may cause. We believe it is important for you to be fullyinformed of any potential risk resulting from this incident. The security of your information is a critical priority to us and wewill work to ensure the system remains secure.Sincerely,6
  7. 7. In the NewsForget hackers, the foolnext to you is the realthreat7
  8. 8. Statistics on Data Breaches8
  9. 9. Internet Security AllianceLarry Clinton, the longtime head of the InternetSecurity Alliance delivered the keynote at the MarchPHI Protection Forum. Mr. Clinton focused on PHISecurity and Privacy, he cited an important study ofthe state of health care information security, PWC’s2013 State of Info Security Survey data regardinghealth care organizations.9
  10. 10. PWCs 2013 State of Info Security Survey Most executives in the HC industry are confident in the effectivenessof their security practices. They believe their strategies are soundand many consider themselves to be leaders in the field (And yet, only) 42% have a strategy & (are) proactive in executing it Of the 4 key criteria of information security leadership, ONLY 6%RANK AS LEADERS 60% do NOT have a policy for third parties to comply with privacypolicies 73% use mal code detection tools; DOWN 16% 48% use tools to find unauthorized devices; DOWN 14% 51% use intrusion detection tools; DOWN 19%10PWC’s 2013 Stateof Info SecuritySurvey,http://www.pwc.com/gx/en/consulting-services/information-security-survey/index.jhtml
  11. 11.  48% use vulnerability scanning tools; DOWN 15% 31% DON’T KNOW when info sec is part of majorprojects –ONLY 18% at project inception 90% HC respondents say protecting employee &customer data is important - few know where the data isstored (43% have an accurate inventory of data) Adopting new technology (is outpacing) security – newtechnology referring to cloud 28%, mobile 46%, socmedia 45%, personal devices 51%11PWCs 2013 State of Info Security Survey
  12. 12. The Reasons? As Noted by Larry Lack of funding 53% 20% top leadership “is an impediment to improved security.” Only 43% report security breaches Diminished budgets have resulted in degraded security programs, incidentsare on the rise, new technologies are being adopted faster than safeguards There are short-term economic incentives to be insecure (VoIP, use personaldevices, the Cloud) HC providers report lower $ loss from incidents but many do not performthorough or consistent analysis to appraising those losses, e.g. only 33%consider damage to brand as a financial loss12
  13. 13. June 26, 2012 Alaska Department ofHealth and Social ServicesA USB hard drive possibly containing ePHI was stolen fromthe vehicle of a DHHS employee. DHHS did not have adequate safeguard policies andprocedures in place. DHHS had not completed a risk analysis, implementedsufficient risk management measures, completed securitytraining for its workforce, implemented device and mediacontrols, or addressed device and media encryption. Pay a $1.7 million fine and take corrective action toensure compliance with the Security RuleStaggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press). Confidentiality, safety and security. In R. Nelson & N. Staggers,Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier13
  14. 14. April 17, 2012 Phoenix Cardiac SurgeryStaff were posting clinical and surgical appointments for patients on anInternet-based calendar that was publicly accessible. PC failed to implement adequate policies and procedures tosafeguard patient information PC failed to document that it trained any employees on policies andprocedures. PC failed to identify a security official and conduct a risk analysis. PC failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the serviceincluded storage of and access to its ePHI. Pay a $100,000 fine and develop a corrective action plan to ensurecompliance with the Security RuleStaggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press). Confidentiality, safety and security. In R. Nelson & N. Staggers,Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier14
  15. 15. March 13, 2012Blue Cross Blue Shield of TennesseeFifty-seven unencrypted computer hard drives were stolenfrom a leased facility. The drives contained the ePHI ofmore than 1 million individuals, including member names,Social Security numbers, diagnosis codes, dates of birth,and health plan identification numbers. BCBST failed to implement appropriate administrativesafeguards by not performing the required securityevaluation. BCBST failed to implement appropriate physicalsafeguards. Pay a $1.5 million fine and implement a corrective actionplan to address gaps in its HIPAA compliance programStaggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press). Confidentiality, safety and security. In R. Nelson & N. Staggers,Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier15
  16. 16. The Foundation16
  17. 17. Security TriangleConfidentialityIntegrityAvailability17
  18. 18. 10 Domains of Information SecurityAccess Control •Operations SecurityBusiness Continuity andDisaster Recover Planning•Physical (EnvironmentSecurity)Cryptography •Security Architecture andDesignInformation SecurityGovernance and RiskManagement•Software DevelopmentSecurityLegal, Regulations,Investigation, andCompliance•Telecommunications andNetwork Security18International Information SystemsSecurity Certification Consortiumhttps://www.isc2.org/
  19. 19. Basic Requirements Security Reliability Transparency Scalability19 Maintainability Audit ability Integrity AuthenticInternational InformationSystems SecurityCertification Consortiumhttps://www.isc2.org/
  20. 20. 20Operations security (OPSEC) is a process that identifies critical information to determineif friendly actions can be observed by adversary intelligence systems, determines ifinformation obtained by adversaries could be interpreted to be useful to them, and thenexecutes selected measures that eliminate or reduce adversary exploitation of friendlycritical information.
  21. 21. Construction ofPolicies and Procedures21
  22. 22. SecurityEnterpriseEcosystemPeopleProcessesCoreBusinessTechnology
  23. 23. 23
  24. 24. Policy FrameworkImplementationStandards Procedures Protocols GuidelinesPoliciesDirectives You ShallOverarching Management DirectionRegulations Strategy Standards Laws24
  25. 25. Policies and Procedures Acceptable Use Access Control Accreditation Acquisition Business Continuity Certification Change Control Management Code of Ethics Confidentiality Data Classification Internet Use25
  26. 26. System Architecture and Design26
  27. 27. System Architecture Components Hardware Firmware Central Processing Units Input/Output Devices Software Architectural Structures Storage and Memory27Analyze securityrisks, limitations, andpositive attributes ofeach.
  28. 28. Open Source A study by Mitre corporation, sponsored by the Defense InformationSystems Agency, found extensive and diverse use of open softwareat the DoD, with over 100 open products being used in more than250 applications. Security applications were most noted as a reason open sourceshould be expanded. Widely used open security tools included SNORT, a light weightintrusion detection tool used for plugging “network security holeswhen new attacks emerge” and SARA, the security auditorsresearch Assistant, used for relatively straightforward networksecurity risk analyses. The MITRE report lists more than 100 opensource products that have demonstrated superior records ofsecurity and reliability.28
  29. 29. The Abdus Salam International Centrefor Theoretical Physics
  30. 30. System Security Risk Assessment30
  31. 31. Risk Management Purpose The purpose of an organization’s risk managementprocess should be to protect the organization and it’sability to perform it’s mission-including but not limitedto its IT assets. Risk is a function of the likelihood of a given threatsource’s exercising a particular vulnerability and theresulting impact of that adverse event.NIST SP 800-30www.csrc.nist.gov31
  32. 32. Risk AnalysisConduct an accurate and thorough assessment ofthe potential risks and vulnerabilities to theconfidentiality, integrity, and availability of electronicprotected health information held by theorganization.32
  33. 33. Details of a System Security RiskAssessment Qualitative Scenario oriented No $$ values Ranking of threats Perform to the goal of reasonableness Quantitative Assign $$ values Resource extensive More difficult to determine Hybrid33International InformationSystems SecurityCertification Consortiumhttps://www.isc2.org/
  34. 34. Risk Assessment SP 800-30 Step 1 Characterization Step 2 Threat Identification Step 3 Vulnerability Identification Step 4 Control Analysis Step 5 Likelihood Determination Step 6 Impact Analysis Step 7 Risk Determination Step 8 Control Recommendations Step 9 Results Documentation Steps 2, 3, 4, and 6 can be conducted in parallel after Step 1 hasbeen completed.34
  35. 35. CMS Security Risk Analysis ProcessReview existingsecurity ofprotected healthinformationIdentify threatsandvulnerabilitiesAssess risks forlikelihood andimpactMitigate securityrisksMonitor results35CMS, Information SecurityOverview,
  36. 36. 36
  37. 37. 10 Best Practices for theSmall Health Care Environment Use Strong Passwords and Change Them Regularly Passwords and Strong Authentication Install and Maintain Anti-Virus Software Use a Firewall Control Access to Protected Health Information Limit Network Access Plan for the Unexpected Maintain Good Computer Habits Software Maintenance Protect Mobile Devices Establish a Security Culture37CMS, Information Security Overview,http://cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/index.html?redirect=/InformationSecurity/
  38. 38. Security IT Issues and Solutions38
  39. 39. Overview of Healthcare ITSecurity Issues and Solutions Lack of Effective Ecosystem Governance Lack of Budget Lack of Appropriate Risk Assessment with CAP MU Core Objective and Measure 12 Core Objective and Measure 15 HIPAA Privacy and Security Federal Regulations39
  40. 40. Overview of Healthcare ITSecurity Issues and Solutions Attacks Vulnerabilities Complex Systems Change Control Doing More with Less Mobile and Wireless Technologies Outsourcing40
  41. 41. HITRUST ™ The Health Information Trust Alliance (HITRUST) was born out of the beliefthat information security should be a core pillar of, rather than an obstacle to,the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology andinformation security leaders, has established the Common SecurityFramework (CSF), a certifiable framework that can be used by any and allorganizations that create, access, store or exchange personal health andfinancial information. The CSF is an information security framework that harmonizes therequirements of existing standards and regulations, including federal(HIPAA, HITECH), third party (PCI, COBIT) and government (NIST, FTC). Asa framework, the CSF provides organizations with the needed structure,detail and clarity relating to information security tailored to the healthcareindustry. The CSF is available through HITRUST Central.41
  42. 42. Retain absolute faith that you can and willprevail in the end, regardless of thedifficulties, and at the same time confrontthe most brutal facts of your current reality,whatever they might be.(Jim Collins Good to Great)42
  43. 43. Thought Questions1. In your own experience, what are yourrecommendations on the highest IT securitypriorities?2. Are there resources related to IT security that yousuggest must be given greater visibility?3. What is your organization’s SWOT analysis tellyou?43
  44. 44. References CMS, Information Security Overview, http://cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/index.html?redirect=/InformationSecurity/ HITRUST, http://hitrustalliance.net/ International Information Systems Security Certification Consortiumhttps://www.isc2.org/ National Institute of Standards and Technology,http://csrc.nist.gov/publications/PubsSPs.html Office of the National Coordinator,http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf44
  45. 45. References PHI Protection Network, Linked In Group PWC’s 2013 State of Info Security Survey,http://www.pwc.com/gx/en/consulting-services/information-security-survey/index.jhtml Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press).Confidentiality, safety and security. In R. Nelson & N. Staggers,Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier The Betterly Report,http://thebetterleyreport.wordpress.com/2013/03/18/larry-clinton-of-the-internet-security-alliance-and-some-startling-statistics-about-privacy-security-in-the-health-care-industry/?goback=%2Egde_4493923_member_223850708 The Operations Security Professional’s Association,http://www.opsecprofessionals.org/45
  46. 46. SWOT-Analysis• Identified Security Officer• Tight Integration Between RolesStrengths• Knowledge Deficit• Not Practicing to Standards• Deficient Risk Assessment ProcessWeaknessesOpportunitiesThreats46
  47. 47. Thank You!Contact us at:4031 University Drive, Suite 100Fairfax, Virginia 22030 P: 703-283-4678E: awalker@optimizeitconsultingwww.optimizeitconsulting.comOptimizeIT Consulting LLC is a proudEDWOSBCage Code 6TH50

×