Does Your Information Security Program Measure Up? Session #74

Does Your Information

Security Program Measure Up?

Session #74

Conflict of Interest Disclosure

• Alain Bouit

– Has no real or apparent conflicts of interest to report

• Tom Walsh

– Has no real or apparent conflicts of interest to report

Measuring

• Why measure?

"What gets measured gets done."

– Peter Drucker, Tom Peters, Edwards Deming

• What to measure?

– The overall effectiveness of the program

• How to measure?

Objectives

• Review the core elements that govern an

information security program (Tom)

• Summarize the common findings from

past OCR audits and some of the triggers that would increase the likelihood of an audit (Tom)

Objectives

• Determine appropriate matrices for

measuring the effectiveness of an information security program (Alain)

• Identify the best ways to periodically

communicate program measures to executive management (Alain)

Objectives

• Assess what other organizations are doing

(common practices) to manage their information security programs (Tom)

• Present indicators to determine if an

organization’s program is on the right path toward compliance (Tom)

Introductions

• Alain Bouit, CISSP

– Director IT Security, Adventist Health, Roseville, CA – 8 years with Adventist Health

– Factoid: Lived all over the world

• Tom Walsh, CISSP

– Independent consultant, Overland Park, KS – Co-authored four books

Steps to Building a Program

1. Getting started 2. Defining expectations 3. Implementing 4. Measuring 5. Optimizing Risk analysis and compliance (program drivers)  Policies, procedures, and plans Safeguards and controls Monitor and evaluate Maintain Desired state

Governance – Defined

• Setting clear expectations for the conduct

(behaviors and actions)

• Directing, controlling, and strongly

influencing to achieve expectations

• Using a framework for guidance

• Doing things right and at the right time

Drivers for GRC

Besides HIPAA, there is a wide range of legislation and industry requirements:

• State law

– Massachusetts Data Protection Law

– California data security breach notification law

• Payment Card Industry Data Security

Standards

• Joint Commission

Some Governance Frameworks

• ISO 27002 (current); ISO 17799 (old std.)

• NIST – National Institute of Standards and

Technology, Special Publications, 800 series

• ITIL – Information Technology Infrastructure

Library

• COBIT – Control Objectives for Information

and (Related) Technology

• HITRUST – Health Information Trust Alliance

• Access Control and Management • Audit and Accountability  • Awareness and Training  • Business Continuity and Contingency  Planning  • Computer Workstation and Mobile  Device Security • Configuration Management and  Change Control • Disaster Recovery Planning • Evaluation and Validation  • Identification and Authentication  • Incident Reporting and Response • Information Integrity  • Information Security Responsibilities • Media Protection and Controls  • Network Connectivity and Interfacing • Personnel Security Procedures • Physical and Environmental Protection  • Policies, Procedures, and Plans • Risk Analysis and Management • Sanctions

Security Governance – Example

Information Security –

Governance Description

Organizational

Policy HIPAA PCI DSS

Access Control and Management

Requesting user accounts, modifying user access privileges, authorizations, removal of accounts §164.308(a)(4)(i) §164.308(a)(4)(ii)B §164.308(a)(4)(ii)C §164.312(a)(1) Requirement 7 Requirement 8

Audit and Accountability Monitoring and auditing access to or use of resources

§164.308(a)(1)(ii)(D)

§164.312(b) Requirement 10

Awareness and Training

Conducting comprehensive security training, education and awareness program

§164.308(a)(5)(i)

§164.308(a)(5)(ii)(A) Requirement 12.6

Business Continuity and Contingency Planning

Implementing Business Continuity Planning including criticality / business impact analysis, data backup, contingency and disaster recovery planning §164.308(a)(7)(i) §164.308(a)(7)(ii)(A) §164.308(a)(7)(ii)(B) §164.308(a)(7)(ii)(C) §164.308(a)(7)(ii)(D) §164.308(a)(7)(ii)(E) Requirement 12.9.1 Configuration Management and Change Control

Managing, communicating and documenting configuration changes to information systems

None

Requirement 6.3 Requirement 6.4 Requirement 2

Timeline of Compliance Audits

Date

Action Taken

2008 – 2009 CMS HIPAA Compliance Reviews  2012 HIPAA Security audits conducted by KPMG June 2012 HIPAA Audit Protocol released November 2012 Medicare EHR incentive program audits

CMS Audit Reports 2008 – 2009

Seven common areas of concern

1. Risk Assessment

2. Currency of Policies and Procedures 3. Security Awareness and Training

4. Workforce Clearance 5. Workstation Security 6. Encryption

7. Business Associate Contracts and Other Arrangements

CMS Audit Reports 2012

16

Source: 2012 HIPAA Privacy and Security Audits, Linda Sanches, OCR Senior 

Adventist Health (AH)

• 19 hospitals with more than 2,700 beds

• California, Hawaii, Oregon and Washington

• More than 150 clinics and outpatient centers

• 39 rural health clinics

• 14 home care agencies and 6 hospice agencies

• Four joint-venture retirement centers

• Workforce of 28,700 includes:

– 21,000 employees

Three Levels of Measurement at AH

1. Enterprise (corporate) level

– Is the program based upon GRC?

2. Entity (facility) level

– Are corporate policies being implemented?

– Does each facility have a plan to address risks?

3. Control level

– Has the control been implemented?

Steps to Building a Program

1. Getting started 2. Defining expectations 3. Implementing 4. Measuring 5. Optimizing Risk analysis and compliance (program drivers)  Policies, procedures, and plans Safeguards and controls Monitor and evaluate Maintain 3. Control level 2. Entity Level 1. Enterprise Level

1. Enterprise Level

Threat: Noncompliance with HIPAA Security Rule Policy: Maintain compliance with government and  state regulations Measures: • # of high and moderate risk findings  identified in the annual HIPAA review  • Completed PCI DSS Self‐assessments Example

2. Entity Level

Threat: Disaster in local data center

Policy: Maintain and test a disaster recovery plan Measures: • Inventory of locally hosted applications • An updated disaster recovery plan • Results from most recent exercise or test Example

3. Control Level

Threat: Unauthorized access to PHI Policy: Encrypt devices storing PHI Measure: Monthly report of the # of laptops and  workstations that store PHI and that are  not encrypted Example #1

3. Control Level

Threat: Authorized user misusing their privileges Policy: Audit and monitor user activity in the EHR Measures: • Reports on the # of individuals audited • # of users caught accessing a patient’s  record inappropriately Example #2

Measuring Effectiveness – Sample

Level Maturity Description Grade 0 Absence “There is absolutely no evidence of any activities

supporting the process”

F 1 Initiation “There are ad-hoc activities present, but we are not aware

of how they relate to each other within a single process”

F

2 Awareness “We are aware of the process but some activities are still incomplete or inconsistent; there is no overall

measuring or control”

D

3 Control “The process is well defined, understood and implemented”

C 4 Integration “Inputs from this process come from other well controlled

processes; outputs from this process go to other well controlled processes”

B

5 Optimization “This process drives quality improvements and new business opportunities beyond the process””

A

Measuring Effectiveness – Sample

Maturity Level Description Breakdown

0 ‐ Nonexistent Processes are not applied at all 1 1 ‐ Initial/Ad Hoc Processes are ad hoc & disorganized 12 2 ‐ Repeatable but Intuitive Processes follow a regular pattern 30 3 ‐ Defined Process Processes are documented & communicated  10 4 ‐ Managed & Measurable Processes are monitored & measured 0 5 ‐ Optimized Industry practices are followed & automated 0

N/A ‐ Not Applicable Control does not apply 1

Total ‐ 54

Maturity levels for management and control over information security processes is based on  an approach defined by the Control Objectives for Information and related Technology (CobiT)  framework (www.isaca.org/cobit).   

Original Maturity Model at AH

Communicating Program Measures

Executives’ primary concerns:

• Does the program support the AH mission?

• Does the program meet the Information

Technology Services (ITS) department goals?

• Do we comply with regulation and legal statutes?

• Are risks managed appropriately?

• Are we maintaining efficient, uninterrupted

operational processes for our caregivers?

Common Practices

• Hiring consultants to conduct a review

• Using tools to monitor the program

– NIST HIPAA Security Toolkit

• Measuring the program against the HIPAA

Audit Protocol

• Participating in forums and workgroups to

Managing Your Program

• What are you doing?

Audience 

Participation

Positive Program Indicators (1)

• Regulations – a good understanding

• Risk analysis – documented proof, signed

off by management

• Risk management – remediation plan

• Responsibilities for security – well defined

• Policies, procedures, and plans – easy to

Positive Indicators (2)

• Security education, awareness, & training

– strategy or plan exists

• Incident reporting and response – evidence

that incidents are tracked

• Monitoring and measuring – matrices

• Evaluation (technical and nontechnical) –

controls are monitored; periodic review

Summary

• Information Security programs should be

based upon a governance structure

• HIPAA compliance is becoming more

critical due to increasing audit activity

• Create objects and measure

• Present results to executive management

• Find out what others are doing

Thanks for Attending

• Alain Bouit [email protected]

Adventist Health Roseville, CA

• Tom Walsh [email protected]

Tom Walsh Consulting, LLC Overland Park, KS