5 Truths of HIPAA Security Risk Assessment

Risk assessment should serve as the foundation for any Health Insurance Portability and Accountability Act (HIPAA) security compliance effort, and for that matter, the cornerstone for the overall information security program. Consider these five truths to help grasp the criticality of the security risk assessment to achieving and demonstrating HIPAA compliance:

  1. It is not optional. All organizations deemed covered entities or business associates under HIPAA are required to perform an accurate, thorough and periodic risk assessment in to demonstrate compliance with the HIPAA Security Rule. No matter the level of security employed, an organization cannot be compliant without a documented risk assessment. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments, and to implement reasonable and appropriate security measures to protect against anticipated threats or hazards to the security or integrity of electronic protected health information (e-PHI). Risk analysis is the first step in that process.
  2. It is not black and white. Risk analysis is generally a subjective undertaking, and there are a number of available risk frameworks that provide a methodical approach to complete a risk assessment. While the Office of Civil Rights has not outlined a prescriptive risk analysis framework, it has issued guidance that outlines essential elements of an acceptable risk assessment. In a nutshell, an organization must systematically identify and document: all electronic media touching e-PHI; all threats and vulnerabilities which could result in inappropriate access to or disclosure of the organization’s e-PHI; the implementation and effectiveness of security measures; and the determination of threat occurrence likelihood, impact, resulting risk level and risk mitigations.
  3. It is not easy. The Security Rule is comprehensive and inclusive of all e-PHI created, received, maintained or transmitted within the IT environment. A risk assessment cannot simply consist of a checklist, but must demonstrate the totality of systems inventoried in scope, e-PHI identified, and risk decisions. Also, the scope of the security risk assessment most often exceeds just electronic health records (EHR) application data, as it must cover all e-PHI maintained within other systems (consider legacy, shadow, and end-user systems).
  4. Documentation is key. All information considered, compiled and reviewed will form the basis for risk assessment and demonstrates the rationale for risk decisions. Documentation of data collection efforts, security controls evaluation, analytical procedures performed, and methodology for risk prioritization evidences a thorough and comprehensive risk assessment. Further, risk assessment documentation is a must if using control rationalization to demonstrate why an organization opts not to implement any HIPAA addressable controls.
  5. Build it into process. Organizations should continuously explore all areas of technology risk facing the business with an integrated risk analysis approach, including the implementation of new technologies and the ongoing management of central applications holding e-PHI. While an EHR application should have security controls embedded within, actual implementation of the EHR is critical, as is a secure integration into the overall IT infrastructure. It is imperative to consider security essentials, such as encryption and access controls, during design and implementation phases, and in subsequent changes and upgrades. An integrated risk analysis process enables the proactive identification of risks and facilitates timely risk management.

True risk assessment does not simply entail the completion of a compliance checklist that is locked away in a file cabinet until the auditor arrives. Comprehensive risk assessment must fully evaluate the relevant threats, vulnerabilities, risks and related controls over the security of all e-PHI, and all systems handling this sensitive data. Accurate risk assessment represents a worthy challenge to any organization, but done well, it pays dividends in the management of enterprise risk and demonstration of HIPAA compliance.

Gary Miller, CISA, CCSA, CIA, CISSP, CRMA, ITIL
Information Security Manager
Dell SecureWorks
gary_m@dell.com

Gary will discuss this concept at ISACA’s North America Information Security and Risk Management (North America ISRM)Conference this November, in his presentation titled, “HIPAA Security Risk Assessment.”

[Source: ISACA]

Side-step Shellshocks the “5+2” Way—3 Lessons for You

Security professionals were largely blindsided by Shellshock. Was there a process by which it could have been more easily found? Yes, 3 lessons can help business and IT leaders help their security teams get ahead—and protect the public from the attack of the high tech toaster oven.

Shellshock is a popular name for a new security exploit in the UNIX Bash shell (first released in 1989). One meaning of “Bash” is “Bourne again shell” where “Bourne” refers to the shell created by Steven Bourne in 1977 to replace an earlier shell. A “shell” provides a way—originally a command line—for a person to access operating system functions.

Lesson #1: Be “old school,” use what you know to ask “how?” and “why?”

Tech-savvy business and even IT leaders can feel intimidated by new tech. Yet, old school often helps. Shellshock attacks a code gap that seems to be over a decade old. Further, many people forgot that a key feature of the Bourne shell was scripting—similar to scripts for automating simple tasks in word processing and spreadsheet documents.

Scripting should ring a bell as one of the first tools used by hackers. That is why black hat newbies are called “script kiddies.” Script kiddies wanting to do damage with other scripting languages will easily find this group of scripting tools, even in dusty IT books.

The black hat systematic search for knowledge must be answered by your systematic race to find that knowledge first. Controls are the wrong tool for the job.

Lesson #2: Shell games and war games

“Shall we play a game?” You might have been puzzled by this question from Black Widow to Captain America in Captain America: The Winter Soldier (2014). If you are a film buff, you would remember the question in War Games (1983) posed by the nuclear missile computer to a young gamer played by Matthew Broderick.

The world was saved because Broderick’s character grasped how the code worked. This reminds us to know “how it works,” confirm old code is good code, and war game our way to prevention with the systems-aware 5+2 Risk Management Cycle. For more film lessons see, Managing Risk in Reel Time.

Lesson #3: Evaluate your environment and capabilities

Step 1 in the 5+2 Risk Management Cycle is “Evaluating Environment and Enterprise Capabilities.” Business leaders often say “Know your business!” For IT pros, it is “know your code,” including the environment variable.

Shellshock amplifies its power from how Bash can be tricked through the environment variable and a bit of scripting—black hats knew the system better than white hats.

The error in so many risk management processes is they skip steps—failing to use the 5+2 Risk Management Cycle to be systematic. This was a key point in the recent workshop at the ISACA San Francisco Chapter.

The 5 continual steps of the 5+2 Risk Management Cycle are:

  1. Evaluate the environment and enterprise capabilities—“Know the business.”
  2. Seek scenarios—rigorously ask, “What if?”—the heart of managing risk
  3. Watch for warnings
  4. Prioritize
  5. Improve position in environment and/or capabilities

The “+2” are about reacting to warning signs and recovering.

The 5+2 Risk Management Cycle applies to business strategy and product management as well as cyber war. Thus, business leaders can use a familiar approach to guide their IT teams.

We’ll be discussing this at the New York Metro Joint Cybersecurity Conference (7 October) and ISACA Curacao Chapter Conference (15-17 October). Join us. Together, we can make a difference.

Brian Barnier, ValueBridge Advisors, has served ISACA in a range of roles. He is the author of The Operational Risk Handbook, at the ISACA Bookstore. Brian@valuebridgeadvisors.com

[Source: ISACA]

ISACA International President: Ongoing Diligence is Key to Address Vulnerabilities Such as the One in Bash

Diligence may not be the most exciting items on our to-do lists, but it is a time-honored practice and should be a staple. This thought rises to the top as we read news reports about the security vulnerability in the Bourne Again Shell (Bash), which is now being referred to by many as Shellshock.

Some experts counsel that the impact of this vulnerability will only be moderate and that patches will be applied appropriately. At the same time, the potential severity of this vulnerability is high—it could allow hackers to take control of affected systems, thus allowing unauthorized disclosure of information, unauthorized modification and disruption. In addition, its severity is ranked as 10, while its complexity is considered low, which might not make it a “perfect” storm but at least a “close-to-perfect” storm.

I think we all agree that our future will contain many more vulnerabilities, bugs and other incidents with varying repercussions. Human error, changing times and needs, updates to technology and the ever-present desire in some people to cause havoc will ensure that we are all kept on our toes. A combination of planning, reviewing, monitoring and ongoing diligence is needed so we can be both proactive and prepared for rapid response when needed.

Diligence includes frequently reinforcing that processes and techniques must be in place to ensure that systems are appropriately patched and upgraded. This needs to be extended to the supply chain, including vendors and partners. We need to monitor complex interconnected environments to ensure that devices in manufacturing lines and elsewhere are maintained. Penetration testing is critical and should be regularly undertaken to ensure entry points to the organization are secure and monitored. Security awareness programs should be reviewed to ensure they are thorough, updated and—even more important—exist.

The fact remains that we will never be able to entirely prevent cyber incidents. The only secure machine is the one in the box not yet connected to a network. And even then it is subject to physical theft. If steps aren’t taken, though, the impact is potentially catastrophic—harm to people, compromised systems, lost data/intellectual property/revenue and perhaps even an end to the business. This is one reason ISACA offers the Cybersecurity Nexus (CSX), which provides cybersecurity guidance, career development, education and community for professionals at every stage of their careers.

There was a time, not that many years ago, that security was not a primary issue. Many programs and systems were vulnerable to hacking, and it was still assumed that they were still safe. We now know better.

Robert E Stroud, CGEIT, CRISC
International President of ISACA

[Source: ISACA]

ISACA: Investing in Privacy Training

Ever since Snowden made his first revelations over a year ago, ‘privacy’ has become a bit of a buzzword. Once the prerogative of royals and stars (whose computers and online accounts continue to be among hackers’ favourite targets) in the information age the average consumer struggles to reconcile the benefits of personalised services and tailored advertising with the apprehension of not knowing what personal information about them is held by whom, where it is stored, and how it is used. Forrester calls this the ‘privacy-personalisation paradox’.

Equally, companies and public bodies face a difficult challenge: to paraphrase Voltaire, with big data must come big responsibilities. Get privacy right, and you have gained a competitive advantage. Get it wrong and—well, you’re in trouble. Target’s former CEO and its board of directors know this well. At stake: financial and reputational damages.

Add to the picture the fact that one of the global pillars of privacy legislation, the European Union’s Data Protection Directive 1995, is currently undergoing a substantial overhaul, and recent developments such as the May ruling of the Court of Justice of the EU on the so-called ‘right to be forgotten’, and the scenario becomes even more complicated.

So where to start? Many companies have appointed chief privacy officers (CPOs)—in Europe, data protection officers (DPOs)—whose focus is solely on privacy and data protection. In 2006, Harriet Pearson, then-CPO for IBM, said: ‘A good CPO must do more than just ensure that companies comply with the present-day law. They must also attempt to second-guess future innovation and design company security policies and procedures accordingly’.

Her words are still very contemporary and, as technology and innovation have evolved over the past eight years, so has the role of CPOs and DPOs, who went from almost invisible magicians behind the curtains of compliance to highly sophisticated professionals whose function has consistently been climbing up corporate hierarchies.

In Europe, the current draft of the General Data Protection Regulation, which will replace the outdated 1995 Data Protection Directive, requires the mandatory appointment of DPOs for public-sector entities processing personal data and for private-sector enterprises processing the data of more than 5,000 data subjects in a year. By the way, you may be interested to know that the draft Regulation also introduces fines of up to 1million euro or 2 percent of a company’s global annual turnover, and stipulates that personal data breaches should be notified ‘without undue delay’ to the relevant supervisory authority and, if the breach ‘is likely to adversely affect’ them, also to the data subjects.

Mind you, the Regulation is not yet law, and its text is likely to undergo some changes before it is finalised, but European leaders have made no secret of their intention to make the data protection rights of their citizens a top priority.

Now, if the major data breaches that dominated the headlines in the past years have taught us anything, it is that you can have the best policies and the tightest security measures in place, but nothing can be done against human error. Or can it?

The UK Information Commissioner’s Office released some statistics on data breaches in August 2013 and the data is unequivocal: ‘More than half of the 335 data breach incidents we looked at in the first quarter [of 2013] fall into the ‘disclosed in error’ category’, read an ICO blog post. ‘That covers everything from emails being sent to the wrong people to information erroneously included in freedom of information responses, but invariably they can be described as careless’.

Let’s face it: at any point in time, in any given organisation or public office, data is processed (accessed, shared, managed and transformed) by hundreds or even thousands of employees. These employees can be sitting in any department, and at any point in their career: they can be product developers designing a new product, sales and marketing managers trying to sell it, or human resources professionals handling employee data.

Clearly, the need for privacy training and awareness extends beyond the ‘core’ privacy team (the office of the CPO or DPO) to the entire office or corporation. Investing in privacy training for employees is a fundamental component when managing the risks associated to our data-driven economy. Marketing professionals look at privacy training and awareness through the lens of transparency: ensuring openness and customer control of their own data. Information security professionals, CTOs and CIOs know too well what a difference a robust data governance strategy that aligns security and privacy can make.

Any employee touching data in a significant way poses a risk; yet your biggest assets are your employees. How can you afford not to invest in privacy training?

Rita Di Antonio
Managing Director IAPP Europe

Rita will discuss this concept at ISACA’s European Computer Audit, Control and Security (EuroCACS/ISRM) Conference this September, in her presentation titled, “EU Privacy: Past, Present and Future.”

[Source: ISACA]

Global Privacy Concerns about the Internet of Things

I have been looking into the privacy risks of the Internet of Things (IoT) for the past few years. I initially became interested through my work with National Institute of Standards and Technology (NIST) while researching the privacy risks of the smart grid and leading the group responsible for NISTIR 7628 Volume 2, and then a new version two years later in NISTIR 7628 Volume 2 Revision 1. Looking into smart meters led to my personal research of looking into smart appliances and then wearables.

For the past year, I have been working with a large medical devices group (and spoke at its conference) to identify the information security and privacy risks that are created by new and emerging medical devices, many of which are “smart” devices, generally meaning they are also part of the IoT. Smart medical devices can bring significant benefits to the associated patients, such as automatically applying medication based upon health readings, or sending alerts to a physician or hospital in the event of a medical emergency. However, they also create privacy risks when inappropriate entities get access to the data and use it for malicious actions. For instance, health insurance companies that use the medical device data as a basis to increase insurance premiums or cancel health insurance coverage; or those with ill intent accessing the medical device to do physical harm to the associated individual.

I also gave a keynote at an international conference in Bogotá, Colombia, about IoT and associated risks. And, I will be speaking on this topic again at a conference in Melbourne, Australia, in October. Privacy and information security of IoT truly is a hot topic around the world. And it is with good reason. Here is just one real-life example of how weak controls within smart devices were exploited and resulted in privacy and/or information security harm:

  • TRENDnet told customers that its web-enabled wireless home security and baby monitoring cameras were secure. However, starting in January 2012 a hacker exploited the lack of security controls in the devices and sent livestream images to multiple Internet sites showing the images and sounds of people and their activities from the rooms where they were used. TRENDnet agreed to a sanction consisting of a 20-year consent decree to implement a comprehensive security and privacy program, and be subject to ongoing audits from the Federal Trade Commission (FTC).

A recent 2014 HP Security Research study determined 70% of these smart IoT connected devices are vulnerable to attack. Why? Three common culprits include: 1) insecure Web interfaces, 2) insufficient software protections and 3) lack of encryption.

Resulting high-level risks (as described within NIST’s draft Privacy Engineering Workshop papers) from these vulnerable IoT devices include:

  • Personal information may be used in ways that exceed the associated individual’s expectation or authorization.
  • The use or dissemination of inaccurate or misleadingly incomplete personal information can lead to breaches or inappropriate actions.
  • Loss of autonomy of the associated individuals through induced disclosure of data from the devices
  • Loss of trust, as well as exposing individuals to economic loss, and stigmatization
  • Tracking or monitoring of personal information that is disproportionate to the purpose of the device
  • Exposure of the associated individual in unexpected way, stigmatization, power imbalance and loss of trust and autonomy
  • Denial of access to the device leading to exclusion, economic loss, loss of trust, or physical harm
  • Inappropriate access leading to changes in device settings, changes to the device data, or misuse of the data, leading to physical harm to the associated individual

While doing research and visiting with others to discuss IoT issues, I have had interesting conversations with many bright and insightful folks. Here are some important recurring points made during these experiences, with which most agree:

  • Current information security and privacy controls are not sufficient for most IoT devices.
  • IoT devices typically collect, share and process data automatically, more often with no human intervention. This makes it essential for the engineers creating the devices to have a good understanding of the related information security and privacy risks, and how to build the devices to appropriately mitigate the risks.
  • We cannot wait for laws or regulations to be created to govern the privacy and security of IoT devices. We must be proactive and establish such controls now, based on our own expertise and cooperative research. This will ensure that the billions of devices that will soon be put into use will not create a security and privacy disaster.

I am encouraged by NIST’s initiative to create privacy engineering standards, and ISACA’s support and participation in that initiative. The goal is to provide privacy engineers with standards to use to build controls into IoT devices—hopefully in the not so distant future. I believe ISACA will play a key role in getting those standards created and communicated and will provide guidance on how to use them for ISACA members worldwide.

If you would like to learn more, please view the video of the April NIST Privacy Engineering Workshop session where I represented ISACA: http://cdnapi.kaltura.com/index.php/extwidget/openGraph/wid/0_eac0g2ra.

Rebecca Herold, CISA, CISM, CISSP, CIPP, FLMI
Owner & CEO, Rebecca Herold & Associates

[Source: ISACA]

English
Exit mobile version