Meaningful Use and Security Risk Analysis
Iowa CPSI User Group – October 18th, 2011
Presented by Evan Francen, President – FRSecure, LLC
Introduction
Speaker – Evan Francen, CISSP CISM CCSK
• President & Co-founder of FRSecure
• 20 years of information security experience
• Security evangelist with more than 700 published articles
• Experience with 150+ public & private organizations
Introduction
Topics
• Healthcare Regulation
• Meaningful Use Requirements
• Measure 14 of 14 – Protect Health Information
• “Conduct or review a security risk analysis”
  Fundamental Concepts
• Security Risk Analysis Best Practices
• Security Risk Analysis Common Mistakes
Healthcare Regulation
In General:
Health care regulation has gotten more officious and granular. With respect to security and privacy, HIPAA has always been aimed at protecting sensitive health information. HIPAA has been ineffective in this regard due to lack of focus and confusion.
“Navigating the Meaningful Use and Standards and Certification Criteria Final Rules can sometimes be a challenge.” – Source: U.S. Department of Health & Human Services (http://healthit.hhs.gov/portal/server.pt?open=512&mode=2&objID=3584)
Meaningful Use Requirements
Meaningful use of health information technology is an umbrella term for rules and regulations that hospitals and physicians must meet to qualify for federal incentive funding under the American Recovery and Reinvestment Act of 2009 (ARRA). But you already knew this…
Eligible Hospital and CAH Meaningful Use – (14) Core and (10) Menu Set Objectives
Measure 14 of 14 – Protect Electronic Health Information
Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
Measure 14 of 14 is NOT A NEW REQUIREMENT!
The Final Rule on Security Standards was issued on February 20, 2003. It took effect on April 21, 2003 with a compliance date of April 21, 2005 for most covered entities and April 21, 2006 for "small plans".
Measure 14 of 14 – Protect Electronic Health Information
45 CFR Section 164.308(a)(1)(ii)(A) of the HIPAA Security Rule requires that the organization "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information [ePHI] held by the covered entity.”
45 CFR Section 164.308(a)(1)(ii)(B) requires an organization to “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with CFR 45 164.306(a)”, which is the General Requirements of the Security Rule.
“Conduct or review a security risk analysis” Fundamental Concepts
What is “security”? (question for you)
“Conduct or review a security risk analysis” Fundamental Concepts
Information Security is:
The application of Administrative, Physical and Technical controls in an effort to protect the Confidentiality, Integrity, and Availability of Information.
Controls:
• Administrative – Policies, procedures, processes
• Physical – Locks, cameras, alarm systems
• Technical – Firewalls, anti-virus software, permissions
Protect:
• Confidentiality – Disclosure only to authorized entities
• Integrity – Accuracy and completeness
• Availability – Accessible when required and authorized
“Conduct or review a security risk analysis” Fundamental Concepts What is “risk”?
“Conduct or review a security risk analysis” Fundamental Concepts
Risk is a function of two criteria:
1. The likelihood of a threat exploiting a vulnerability, and
2. The resulting impact it would have on the organization.
Threat – These are things that can go wrong or that can attack the system. Examples might include fire or fraud. Threats are ever present for every system.
Vulnerability – A weakness in a system or gap in a control
Risk = Likelihood x Impact
“Conduct or review a security risk analysis” Fundamental Concepts
A “security risk analysis” is the process of identifying, prioritizing, and estimating information security risks.
Risks (likelihood & impact) of unauthorized:
• Disclosure
• Alteration (or modification), and/or;
• Destruction
of information under the custodial care of an organization.
“Conduct or review a security risk analysis” Fundamental Concepts
Types of risk analysis:
Quantitative Risk Analysis
• Uses hard metrics, such as dollars
• Objective
• Difficult
• Costly
Qualitative Risk Analysis
• Uses best estimates based on experience
• Subjective
• Less Difficult
• Less Expensive
Gap Analysis
“Conduct or review a security risk analysis” Best Practices
“The Security Rule does not prescribe a specific risk analysis methodology” – http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/radraftguidance.pdf
A “methodology” is nothing more than a way of doing something.
“Conduct or review a security risk analysis” Best Practices
For organizations with an informal risk management program, an ideal approach may be a qualitative gap risk analysis.
Qualitative – Subjective, best-effort criteria and metrics assigned based upon experience and knowledge.
Gap – Assess the risks inherent in gaps with a chosen information security framework.
“Conduct or review a security risk analysis” Qualitative Gap Risk Analysis
1. Choose a well-known information security framework
• ISO 27002 (17799:2005)
• NIST
• COBIT
The information security framework is a reference to/from which you will manage your information security efforts.
“Conduct or review a security risk analysis” Qualitative Gap Risk Analysis
2. Compare your existing information security controls against the information security framework you have chosen.
Example:
Control 5.1.2 in the ISO 27002 standard states:
“The information security policy should be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.”
Questions:
Does your organization review information security policy at planned intervals?
“Conduct or review a security risk analysis” Qualitative Gap Risk Analysis
3. Where there are gaps, assign best-effort metrics, based on experience (qualitative).
Example:
In the previous example, let’s assume that the answer is “Yes”, but the requirement to review information security policies has not been documented.
Metrics:
Likelihood that the lack of documentation will lead to a compromise, on a scale of 1–5 (5 being most likely) – 2
Impact that a potential compromise would have on the organization, on a scale of 1–5 (5 being most impactful/catastrophic) – 2
“Conduct or review a security risk analysis” Qualitative Gap Risk Analysis4. Assign risk “rating” based upon the metrics (use a risk matrix).
“Conduct or review a security risk analysis” Qualitative Gap Risk Analysis
5. Define and document risk decision criteria.
When confronted with a risk, you have four choices:
• Risk Avoidance
• Risk Acceptance
• Risk Transference
• Risk Mitigation
What are the criteria for risk decision making?
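The five steps above, carried through end to end as an added example (it is not code from the presentation or from FRSecure). It takes the deck's ISO 27002 5.1.2 control and its 2 x 2 scoring, adds two constructed controls, rates each gap with Risk = Likelihood x Impact on the 1–5 scales, and applies documented decision criteria. The framework control ids other than ISO 27002 5.1.2, the risk-matrix bands, and the decision criteria are assumptions chosen for illustration, not text from HIPAA, ISO or the deck.

```python
"""Qualitative gap risk analysis, worked end to end (constructed example).

Step 1/2: compare the organization against framework controls.
Step 3:   score each gap with likelihood and impact on 1-5 scales.
Step 4:   rate the product with a risk matrix (bands are an assumption).
Step 5:   apply documented risk decision criteria (also an assumption).
"""
from dataclasses import dataclass
from typing import Optional

# Framework controls phrased as the question asked during the comparison.
# ISO27002-5.1.2 is the control quoted in the deck; the other two are constructed.
FRAMEWORK = {
    "ISO27002-5.1.2": "Is the information security policy reviewed at planned intervals?",
    "EXAMPLE-9.2.1": "Is there a documented process for registering and de-registering users?",
    "EXAMPLE-12.6.1": "Are internal and external vulnerability scans conducted regularly?",
}

# Risk matrix over likelihood x impact (1..25). Cut-offs are an assumption.
BANDS = [(1, 4, "Low"), (5, 9, "Medium"), (10, 15, "High"), (16, 25, "Critical")]

# Documented decision criteria mapping a band to one of the four choices.
# These are example criteria; each organization must define and document its own.
DECISION_CRITERIA = {
    "Low": "Acceptance: record the accepted risk and revisit at the next annual analysis",
    "Medium": "Mitigation: schedule a corrective action within 90 days",
    "High": "Mitigation or transference: corrective action within 30 days, or insure/outsource",
    "Critical": "Avoidance or immediate mitigation: stop the activity until the gap is closed",
}


@dataclass
class Finding:
    """What the comparison against one control produced."""
    control_id: str
    implemented: bool
    documented: bool
    likelihood: Optional[int] = None  # 1-5, required only where a gap exists
    impact: Optional[int] = None      # 1-5, required only where a gap exists


def gap_description(f: Finding) -> Optional[str]:
    """Return the gap relative to the framework control, or None if there is none."""
    if not f.implemented:
        return "control not implemented"
    if not f.documented:
        return "control implemented but not documented"
    return None


def risk_score(likelihood: int, impact: int) -> int:
    """Risk = Likelihood x Impact, rejecting values outside the 1-5 scales."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return likelihood * impact


def risk_band(score: int) -> str:
    """Look the score up in the risk matrix."""
    for low, high, name in BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} is outside the risk matrix")


def analyze(findings):
    """Score every gap, rate it, attach the documented decision, highest risk first."""
    results = []
    for f in findings:
        if f.control_id not in FRAMEWORK:
            raise KeyError(f"{f.control_id} is not part of the chosen framework")
        gap = gap_description(f)
        if gap is None:
            continue  # no gap, nothing to score
        if f.likelihood is None or f.impact is None:
            raise ValueError(f"{f.control_id}: a gap needs both likelihood and impact")
        score = risk_score(f.likelihood, f.impact)
        band = risk_band(score)
        results.append({
            "control_id": f.control_id,
            "question": FRAMEWORK[f.control_id],
            "gap": gap,
            "score": score,
            "band": band,
            "decision": DECISION_CRITERIA[band],
        })
    results.sort(key=lambda r: r["score"], reverse=True)  # prioritizing, per the deck
    return results


if __name__ == "__main__":
    # Constructed findings: the deck's 2 x 2 example plus two others.
    register = analyze([
        Finding("ISO27002-5.1.2", implemented=True, documented=False, likelihood=2, impact=2),
        Finding("EXAMPLE-9.2.1", implemented=False, documented=False, likelihood=4, impact=4),
        Finding("EXAMPLE-12.6.1", implemented=True, documented=True),
    ])
    for row in register:
        print(f"{row['control_id']:15} {row['score']:>2} {row['band']:8} {row['gap']} -> {row['decision']}")
```

Only gaps are scored, so a control that is both implemented and documented never reaches the register; that mirrors step 3, where metrics are assigned "where there are gaps". Keeping the bands and the decision criteria as named data rather than hard-coded branches is what makes the methodology documented, repeatable and auditable: the auditor can read the same table the analyst applied.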
Keep in mind…
A risk analysis is an integral part of an organization’s overall risk management program.
Some “security risk analysis” best practices:
• The risk analysis methodology should be documented.
• The risk analysis methodology should be repeatable.
• The risk analysis methodology should be auditable.
• Internal risk analyses should be conducted no less than annually.
• Independent risk analyses should be conducted periodically.
Common Mistakes
When conducting a security risk analysis:
• Scope is too narrow
• Too technically focused – People are the most significant risk
• Convenience shouldn’t always trump security
• Lack of documentation
• Assessment is only done once
• Lack of management buy-in or involvement
Common Mistakes
Common risks that are often overlooked:
• Physical risks
• Policies are hard to understand and follow
• Vendor risk management
• Inventory of assets is incomplete or informal
• Internal and external vulnerability scans are not regularly conducted
• Incident management
• Disaster recovery planning
• Poor training and awareness
About RK Dixon & FRSecure
RK Dixon is a market leader when it comes to copiers, printers, networks, and pure drinking water systems. Our products and services allow customers to streamline operations while reducing costs at the same time. We serve thousands of companies, organizations, and government entities in Iowa, Illinois, and Wisconsin. Visit us online at http://www.rkdixon.com.
FRSecure LLC is a full-service information security consulting company, dedicated to information security education, awareness, application, and improvement. FRSecure helps our clients understand, design, implement, and manage best-in-class information security solutions, thereby achieving optimal value for every information security dollar spent. Visit us online at http://www.frsecure.com.
RK Dixon and FRSecure have partnered to offer services throughout Iowa, Illinois, and Wisconsin.
Questions?
You made it!
If you would like a copy of this presentation, please be sure to give me your business card.