Main

Redspin Provides Public Comments on Proposed Stage 2 Meaningful Use (NPRM)

Posted on May 7, 2012 by Dan Berger in Main | Leave a comment

Redspin has provided security risk analysis (SRA) services to dozens of hospitals, helping them meet Core Measure 14 of the Stage 1 Meaningful Use EHR Incentive Program. As one of the leading experts in IT security, we take a comprehensive approach to these engagements. As such, our primary focus is to help our clients truly safeguard PHI from data breach by expanding beyond a strict interpretation of the Stage 1 Rule.

It is from that vantage point that we are providing our comments on the Proposed Rule for Stage 2 of this program. We are encouraged that CMS is shining a spotlight on the issue of encryption as it pertains to “data at rest.” Yet under HIPAA 45 CFR 164.312(a)(2)(iv), this requirement is listed as an “addressable” control but is not specifically mandated. The “addressable” standard allows for some latitude (i.e. determining whether encryption is “reasonable and appropriate” and if not, implementing equivalent protections).

For Stage 2 attestation, we assume providers will be required to clearly document their process for evaluating whether the control is “reasonable and appropriate…and would likely contribute to protecting its health information.”

While highlighting encryption of “data at rest” is a step in the right direction, it then raises two other significant issues. The first is in regard to business associates. What is CMS’ stance on the covered entities’ responsibility and authority over encryption of “data at rest” at business associates? Do covered entities now need to make that a requirement in their BAA’s? Who determines “reasonability and appropriateness?”

Also, what about the use of PHI in various other applications outside of the specific EHR system? Such applications may also store ePHI as structured data in an underlying database. Our concern is that encryption may be claimed as “unreasonable” in the context of the application, while the app itself may have never even been tested for security vulnerabilities.

Stage 2 Meaningful Use: The Next Step in Security Risk Analysis

Posted on May 2, 2012 by Dan Berger in Main | Leave a comment

At first read, the security risk analysis (SRA) provisions of the proposed Stage 2 “meaningful use” regulations appear to have changed only slightly from those in Stage 1. The language in the draft rule is nearly identical to Stage 1, with one notable addition highlighted below:

“Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.

Covered entities and eligible providers must now address the issue of encryption of “data at rest” as part of their security risk analysis process. This shines a spotlight on the existing encryption references within the HIPAA Security Rule. Encryption of ePHI is specifically covered under 45 CFR 164.312(a)(2)(iv) which reads; “Implement a mechanism to encrypt and decrypt electronic protected health information.” However, since it is categorized as an “addressable control,” it is not specifically mandated.

As part of Stage 2 Meaningful Use, encryption of “data at rest” must be considered as an addressable control. As such, providers need a process by which they evaluate whether the control is “reasonable and appropriate” and would likely contribute to protecting its health information.   If the control is deemed “reasonable and appropriate,” then it must be implemented.

However, if the provider decides “encryption of data at rest” is not reasonable and appropriate, then it must 1) document why it is not reasonable and appropriate, and 2) Implement an equivalent alternative measure if reasonable and appropriate. Despite a little remaining wiggle room, it has become increasingly difficult to justify not encrypting ePHI under the “reasonable and appropriate” caveat.

Turning to the new rules for EHR software certification, Stage 2 also requires the main software application ‘to be able to demonstrate the capacity to encrypt [data on] mobile devices in circumstances where the EHR technology manages the data flow on the mobile device,”

In our view, these provisions stop just short of a mandate. Determining reasonableness is not just about the cost of hardware and software or the complexity of implementation. It is more about whether or not the organization can execute the requirement consistently and effectively.

Given that the majority of significant breaches to date have been the result of lost or stolen devices containing unencrypted data, and the increasing mobility of data itself, it will be difficult to find “equivalent alternative measures.” That said, Redspin can provide a framework for considering the issue within our overall SRA roadmap and expert guidance on how to reasonably and effectively protect patient information.

 

A Blue Note: Looking Deeper at the 2009 PHI Breach at BlueCross BlueShield Tennessee

Posted on March 17, 2012 by Dan Berger in Main | 1 Comment

The cost of a significant data breach of protected health information (PHI) has been a popular topic in the news recently. The new ANSI publication“The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security” debuted with much fanfare in D.C. earlier this month. White House Cybersecurity Czar Howard Schultz kicked off a March 5th press conference where the release of the report was announced. His participation helped elevate the issue to a national audience.

The following day, many of the companies who helped ANSI produce the study revved up their own PR engines. Their  warning: While the widespread adoption of electronic health records will ultimately translate into greater efficiencies and better patient care, it also creates the possibility for massive data breaches. The risks to healthcare organizations go far beyond penalties imposed by HHS who must also consider the costs of restitution, legal fees, media relations, brand damage, and exposure to class-action lawsuits.

It was against this backdrop on March 13th that the Department of Health and Human Services (HHS) announced a data breach resolution agreement with BlueCross BlueShield Tennessee (BCBST), including a settlement payment of $1.5 million for potential violations of the HIPAA Privacy and Security rule. The breach was reported to HHS in 2009 when 57 unencrypted hard drives were stolen from a “data storage closet” in a customer call center facility that BCBST leased in Chattanooga, Tennessee. Over 1 million health records were affected. The personal data compromised included names, SS#, DOB, diagnosis codes and health plan ID numbers in the form of 1,000,000 audio and 300,000 video recordings of customer service calls.

At first glance, the $1.5 million dollar fine looked very light for a breach affecting 1 million patients. Dr. Deborah Peel, founder of the Patient Privacy Rights Foundation, commented on ModernHealthcare.com that the amount of the fine was “practically nothing,” particularly for such a large insurer. Additional reports confirmed that since the incident, BCBST has spent over $17 million dollars in investigation, notification and protection efforts. This was no doubt a factor that HHS considered when settling the case. In fact, the ongoing HHS/OCR investigation and persistent “overhang” of pending enforcement action was likely, in and of itself, the justification of making these improvements. Under classic behavior modification theory, the threat of punishment can often be more effective that the punishment itself (If you have kids, you know what I mean).

Yet, the total of $18.5 million for 1 million record breach, or approximately $18.50 per record, pales in comparison to the estimates used in “The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security.” Industry analysts consistently put the costs of PHI or PII data breach in the hundreds of dollars per record. A common restitution offer of late has been credit monitoring services for each individual for 2-3 years to protect against medical ID theft, generally at a cost around $29 per individual per year. Recent class action lawsuits filed following breaches of PHI data breach have asked for damages of $1,000 per patient.

So did BCBST get off easy? Well, they certainly did a good job of damage control. But in today’s environment, I doubt anyone could follow suit. BCBST very likely benefitted from HHS/OCR not being in position to immediately enforce the Breach Rule given that the HITECH Act itself has only just been enacted a few months prior to the breach. Now, some 2½ years later, they’ve had a chance to implement a stronger IT security program, including the encryption of its PHI data-at-rest, a step we at Redspin strongly advocate. Also, no cases of ID theft or fraud have come to light as a result of their breach.

While BCBST admitted to no liability as a result of the theft of the data and hard drives, they did agree to a 450-day corrective action plan (CAP) under which there policies, procedures, security controls and operations will be under enhanced scrutiny. As I told Information Week Healthcare:

“The monetary penalty may grab headlines but it’s the corrective action plan that provides the most insight. Effective IT security and compliance is only possible through an ongoing process. BCBST has now agreed to periodically review its policies and procedures, conduct regular HIPAA training for all employees, and monitor adherence to its own corrective action plan.”

These provisions will add to BCBST’s operational overhead for sure, but in reality, the CAP just reinforces prudent and responsible information security management, something all healthcare organizations need to have in place now. The risks (and potential costs) of data breach will accelerate geometrically as the adoption, implementation, and utilization of electronic health records continues to increase.

 

The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security

Posted on March 8, 2012 by Dan Berger in Main | 1 Comment

On Monday, March 5th, I was invited to a press conference in Washington, D.C. announcing the release of “The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security,” published by the American National Standards Institute (ANSI). The honorable Howard A. Schmidt, White House Cybersecurity Czar, kicked off the event. Mr. Schmidt commented that “in the continuum of the cybersecurity issues we look at, (healthcare security) is obviously critical as this is one that affects everyone.”

It was great to see the White House advocating the importance of healthcare IT security, right on the heels of the President Obama’s February release of a   new framework for protecting consumer data privacy

“One thing should be clear, even though we live in a world in which we share personal information more freely than in the past, we must reject the conclusion that privacy is an outmoded value. It has been at the heart of our democracy from its inception, and we need it now more than ever.”

– President Barack Obama

Mr. Schmidt referenced the President’s clarion call and concluded: “Without security, you don’t have privacy.”

The report itself “The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security” is a 67-page, glossy publication. Much like an annual report, it is attractively-designed, professionally-printed, and includes: 13 tables as well as numerous charts and graphics. The project was a huge collaborative effort with 3 leads, 2 premium sponsors, and 10 partner sponsors. Credits were extended to 82 individuals and their respective organizations on the full Project Team. Boxes full of reports were available at the National Press Club and Rayburn House Office Building. Copies were distributed to the press, members of Congress, and their aides. The report is also downloadable from ANSI at: http://webstore.ansi.org/phi/

The bulk of the report is a compilation of previously-published research, surveys, statistics, and news articles (as evidenced by the 122 footnotes). While it breaks no new ground, it is a useful marketing communications piece that will raise overall awareness of the IT security risks and challenges facing the healthcare industry.

At the end of the report, the authors suggest a new methodology for applying quantitative risk analysis to healthcare IT security called “PHIve.” Its end-goal is to enable an organization to calculate how much they should invest to reduce the risk of data breach. I am not a fan of this approach (see my upcoming presentation “In Praise of Qualitative Risk Analysis” at NCHICA’s 8th Annual Academic Medical Center Conference, April 23-25 in Chapel Hill, N.C.) However, the first of PHIve’s steps is:  “Conduct a Risk Assessment – Assess the Risks, Vulnerabilities, and Applicable Safeguards.”

Sound familiar? It should. After all, it is a requirement of the HIPAA Security Rule.  More recently, nearly identical language regarding security risk analysis has been included in the core requirements of Stage 1 and Stage 2 “meaningful use” for covered entities, eligible hospitals and eligible providers. Yet, at the Congressional lunch launch of The Financial Impact of Breached Healthcare Data, Joy Pritts, HHS’ Privacy and Security Officer, lamented “it is quite telling that a recent HIMSS survey found that 25% of respondents had not even conducted a security risk assessment.  It’s been part of the HIPAA Security Rule for what, the past 5 or 6 years?”

Redspin has conducted HIPAA Security Risk Analysis projects for dozens of hospitals over the past year enabling them to attest to Stage 1 meaningful use as well as maintain their compliance with the HIPAA Security Rule. While the PHIve quantitative risk methodology gets extremely elaborate, note that even that begins with a security risk assessment. It is a logical starting point. And in our view, Redspin’s security assessments enable you to significantly reduce your risk before making a single calculation. That’s invaluable, particularly with the increased attention on healthcare IT security at the highest levels of the Federal government.

 

Stage 2 Meaningful Use – Addressing Encryption/Security

Posted on February 25, 2012 by Dan Berger in Main | Leave a comment

Last week, Health and Human Services Secretary Kathleen Sebelius reported that the number of  hospitals using electronic health records (EHR) has more than doubled in the last two years from 16 to 35 percent.  She also said that 85 percent of all hospitals now report that by 2015 they intend to participate in The Centers for Medicare and Medicaid Services’ (CMS) EHR incentive program.

Also last week, CMS released the proposed Stage 2 Meaningful Use requirements for public comment.  The draft rule gives eligible hospitals and providers a good indication of where to focus their efforts as they continue their implementation and adoption of electronic health records throughout their organizations.  Stage 1 was mostly about transferring data to EHRs and being able to share information, including electronic copies and visit summaries for patients. Stage 2 moves the goalposts  further down field, requiring that patients have online access to their health information and facilitation of electronic health information exchange between providers.

The Stage 2 core requirement for IT security uses nearly identical language from Stage 1 regarding updating or conducting a  HIPAA security risk analysis.  Both Stage 1 and Stage 2 rely on the  HIPAA security rule provisions under federal code 45 CFR. HIPAA deems encryption an “addressable” specification, meaning a covered entity decides if it is a “reasonable and appropriate” technical security step to implement. The security rule enables an entity to adopt an alternative protective measure that achieves the same purpose.

But the difference between Stage 1 and Stage 2 on this issue is subtle but significant. Stage 1 only mentioned the security risk analysis provision. However, by specifically calling out out the issue of encryption at rest in Stage 2 , CMS has heightened the importance of analyzing the pros and cons of using the technology.  The complete language of the core objective for both hospitals and eligible providers requires that they:

“Conduct or review a security risk analysis in according with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.”

As Redspin reported in our February 1st  Breach Report 2011 – Protected Health Information:

“Of the 385 incidents affecting 500 or more individuals, 55% involved unencrypted devices or media. The Federal government is unlikely to mandate that all portable devices that store ePHI be encrypted, but it’s an obvious and sensible policy for a healthcare organization to adopt. Taking it further, why not require that all mobile devices in the healthcare workplace be encrypted, even if ePHI is not allowed on them.”

As we predicted, the government stopped short of a mandate. There is no movement afoot to change or add to the  HIPAA security rule requirements.  But in Stage 2 they emphasized that an EP or hospital should consider encrypting electronic protected health information as part of their security risk analysis, and where it is not “reasonable and appropriate,”  adopt an equivalent alternative measure of securing data.

Sometimes, you have to read between the lines… or in this case, read between the forward slash. We’ll be talking about the phrase “addressing the encryption/security of data at rest” for the next few years.

 

Stage 2 Meaningful Use Debuts in Las Vegas (Finally!)

Posted on February 24, 2012 by Dan Berger in Main | Leave a comment

I wasn’t the most popular person around the office printer late yesterday afternoon.  It was right after HHS and CMS finally released the proposed rule for Stage 2 of the EHR Meaningful Use Incentive Program. Earlier in the week, rumors regarding the release of the 445-page document swirled around the HIMSS12 Conference. Perhaps because it was in Las Vegas, Stage 2 seemed to take on its own celebrity status. HIMSS participants arrived early for the 8:30AM “Achieving Meaningful Use Symposium” and almost immediately began texting and tweeting their disappointment that there would be a delay in the release of Stage 2 details and the amendments to the Stage 1. Tuesday came with reports of Stage 2 “sightings” and ended with more disappointment.  Bookmakers puts the odds at 3:2 that the information would be disclosed before Dr.Farzad Mostashari, the National Coordinator for Health Information Technology delivered the Thursday morning keynote. Wrong again. Dr. Mostashari was able to speak to the highlights of the new proposed rule, but could only commit that full public disclosure would follow “soon.”  Then Elvis, I mean Dr. Mostashari, left the building. Enter Stage 2′s publicity “people.”  The press was told that the proposed rule would be posted to the Federal Register next week due to “formatting problems.”  But then, perhaps through Presidential Executive Order or an Act of Steve Wynn, the document was suddenly made available just after 5PM Eastern. And to prove not everything that happens in Vegas stays in Vegas, here’s a link where you can get your very own copy of the proposed rule.   http://www.ofr.gov/OFRUpload/OFRData/2012-04443_PI.pdf

 

HIPAA Security Risk Analysis. – Are You One Of The 3,300?

Posted on January 25, 2012 by Dan Berger in Main | Leave a comment

Get ‘er Done!

I’m referring of course to the HIPAA Security Risk Analysis requirement of the Stage 1 EHR Meaningful Use Incentive Plan. Between 85%-90% of the 5,000+ eligible hospitals say they plan to qualify for Stage 1, yet data from the Centers for Medicare &Medicaid Servicesshows less than 25% have attested and received payment as of November 30, 2011. So for the 3,300 or so other hospitals – this is no time to procrastinate. Time flies, whether you’re having fun or not. You’ll need to plan your 90-day qualification period and be ready to attest before the 2012 deadline. Don’t let the HIPAA Security Analysis become “the tall pole in the tent.”

If the $4 million dollars ($2m Medicare, $2m Medicaid) is not enough of an incentive, don’t forget that the new Federal HIPAA compliance and audit program has begun. The Department of Health and Human Services’ Office for Civil rights announced the specifics of the audit program last year, fulfilling the mandate from the HITECH Act (part of the overall ARRA bill passed in 2009). 150 organizations will be audited in 2012 by KPMG (under contract with OCR) and the first 20 covered entities have already been selected and notified.

Although the primary goal of the audit program is security improvement, significant corrective action and civil monetary policies resulting from these audits have not been ruled out. As Leon Rodriguez, OCR’s new chief, likes to say “enforcement improves compliance.” OCR officials have suggested that most of the remainder of the audits will be conducted in the 2nd half of 2012. Even more reason for hospitals to get their HIPAA Security Risk Assessments completed as soon as possible. Better to have had a run-through with a 3rd party, objective, IT security assessment company of your own choosing and taken corrective actionbefore the federal auditors arrive.

Lastly, some hospitals put off allocating resources to meaningful use efforts in 2011 until their individual states had begun their Medicaid EHR Incentive Programs. But the 2012 national landscape already looks much different. 41 of 50 states have now launched their programs with another 5 or 6 to commence in Q1/2012. In all likelihood, all 50 state programs will be in place and making payments by July 2012.

How An Internal Penetration Test Can Help Your Organization

Posted on December 22, 2011 by John Abraham in Main | Leave a comment

Every IT department faces the challenge of having to apply limited resources (headcount, technology, 3rd party assessments) against a plethora of potential security risks. Choosing wisely is often the difference between an effective security strategy and an ineffective one. With that in mind and a number of possible assessment approaches available, what benefits can be gained from an internal penetration test?

First, since security terminology is often misunderstood, let’s first define internal penetration testing. An internal pen test is a very specific scope of work where a security engineer connects to your internal network, or portion thereof, and with nothing other than an internal network connection, attempts to gain access to sensitive organizational resources. In an internal pen test the security engineer is network level connected but has no other credentials, such as a user account on the domain or on a corporate software application. Such a test can be conducted on-site with the engineer working from a conference room with an Ethernet drop, or done remotely via VPN connection. It is from this restricted vantage point that the engineer attempts to gain unauthorized access to internal systems and data.

Example of a Common Finding – Compromised Web Server

Finding

A web application server with sensitive customer and cardholder data can be compromised.

Narrative

Our internal penetration testing often exposes the ability to compromise a web application server from inside the firewall.

The entry point is usually a host accessible through default credentials. From there we can get JMX console access and view the microkernel of the JBoss application server.

If full control over the JBoss application server can be obtained, we can then start or stop services as well as deploy or un-deploy Web application ARchives (WAR) files. It is possible to even create a custom WAR file and embed a JavaServerPages (JSP) payload that when executed, will initiate a reverse connectback to the RPA server and spawn a shell.

From there a user account can be created and added  to the local administrators group in order to maintain access to the server and use it as a jump point for further testing.

Once this user account is created, a fully interactive session can be established by using RDP to connect to the server. Once connected, its possible to dump the password hashes of the local user accounts.

Impact

Any user with physical access to the corporate network can access sensitive customer PII (personally identifiable information) and cardholder data without authorization credentials.

The results of an internal penetration test typically demonstrate what information or other assets might be exposed to an unauthorized user who has network level access to your corporate IT environment. Extrapolating further, it also shows what a hacker could access if they were to compromise your gateway. But, an internal pen test is not designed simply to expose risk from external hackers. There are a number of internal risks as well. Here are some other important considerations:

  • What confidential info might an employee obtain by gaining access to your internal HR database
  • What about vendors or visitors who are allowed on your internal network by an employee, and/or they are left alone in a conference room where they plug into a live Ethernet port?
  • What information could a rogue employee exploit?
  • Can partner companies that have network level connectivity access more internal resources than you intended?

An internal penetration test can help answer these questions and educate others in your organization about this kind of risk. With limited resources to work with, it’s important to clarify what your organization wants to accomplish as you embark on any type of security assessment. We hope we’ve clarified above the most important benefits of an internal penetration test.

“Enforcement Promotes Compliance” – HIPAA Audits Just Around the Corner

Posted on November 22, 2011 by Dan Berger in Main | Leave a comment

Earlier this month, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released further details on its plan to audit 150 covered entities under its pilot HIPAA audit program. Periodic audits of the HIPAA privacy, security and breach notification standards are required of the HHS Secretary under Section 13411 of the 2009 HITECH Act (2009). In June of 2011, OCR awarded a $9.2 million contract to the consulting firm KPMG to develop an audit methodology and pilot program, and to conduct the first 150 audits. (Ironically, KPMG was selected despite having been responsible for a breach that included the loss of an unencrypted flash drive and affected more than 4,500 patient records at a New Jersey medical facility in May 2010 – Oh well, no one’s perfect!)

Of further note, the pilot program will be limited to 150  HIPAA covered entities and will not include business associates (BAs) although OCR stated that BAs will be subject to audits at a later date. This despite the fact that 55% of all major breach incidents since September 2009 (those involving 500 or more individual’s records) occurred at BAs. In addition, less than 50% of healthcare organizations conduct any kind of pre- or post- contract compliance assessments of their BAs.  But more on BAs later. First here’s the planned roll-out of the pilot program for covered entities:

The HIPAA auditors plan to notify covered entities that they are among the lucky 150 by mail. What we find most interesting is that they then have 10 days to provide the auditor with documented evidence of how they have complied with the HIPAA privacy and security standards, as well as breach notification rules, including a copy of their most recent HIPAA Risk Analysis. That’s right, their HIPAA Risk Analysis. As you may or may not recall, the  HIPAA Security Risk Analysis requirement is not just a Core Measure of attesting to meaningful use, it’s been a requirement under the HIPAA Security Rule since 2005.  If you’re at all concerned about making a good first impression on the auditor, we’d suggest you don’t send them a HIPAA Risk Analysis that is more than 2 years old.

OCR is also getting serious about enforcement. The KPMG contract itself requires their auditors to inform organizations in advance that “OCR may initiate further compliance enforcement action based on the content and findings of the audit.” Since taking office, the mantra of OCR’s new director, former prosecutor Leon Rodriguez,  has been “enforcement promotes compliance.”

Now onto business associates. While OCR opted not to include auditing business associates themselves in their pilot HIPAA program, covered entities are not relieved of their obligation to monitor PHI safeguards at their BAs.  In fact, a significant concern at hospitals should be business associate oversight, a complex and cumbersome, thus oft-neglected responsibility.

For business associates themselves, protecting the security and privacy of ePHI/PHI will shortly become both a fiduciary responsibility and potentially a competitive issue. The OCR has confirmed that direct liability for a breach will extend to BAs at the end of 2012 raising the likelihood of civil penalties. As hospitals begin to feel increased audit pressure, they may insist that BAs provide them with documented policies, procedures, and third-party network security assessments prior to signing or renewing business contracts. Publicly- disclosed violations or civil penalties assessed to BAs could be brand-damaging at the least and a company killer at their most severe.

Whether you’re a covered entity or a business associate, we recently published a list of 10 things we’d recommend to best prepare yourself for the inevitable day the HIPAA auditor arrives. You can download the full Audit Advisory here: http://www.redspin.com/resources/whitepapers-datasheets/request_HIPAA-security_audit_advisory.php

 

 

 

Healthcare IT Security – Who is Responsible, Really?

Posted on November 15, 2011 by Chris Brown in Main | Leave a comment

In any complex, cross-functional business challenge, responsibility and authority must be distributed intelligently while at the same time prove a process of internal dispute resolutions. An information security program is one such complex and multifarious business necessity. At its heart, information security is a method of managing risk to information and information systems, and reducing uncertainty relative to organizational objectives; it is a balance.

But the success of an information security program depends upon the ability of an organization to establish a set of controls based on a thoughtful and consistent design that was developed against carefully analyzed internal and external requirements. Relatively few companies approach the problem this way, so we thought we’d offer some guidance based on Redspin’s 10+ years of IT security experience.

The following describes an accountability-driven and risk-based approach to address the information security expectations of leaders, customers, citizens, partners, and investors.

Creating an environment where operational units coordinate to achieve consistent and appropriate information security controls helps to ensure that the operation and security objectives of the organization are met. One way to do this is to assign accountability and responsibilities in a way that makes internal parties accountable to one another, with guidance and input from subject matter experts. The following mutual accountability can be used to drive decisions that align with your organization’s mission and goals:

A Data Steward is a single person accountable for establishing policies for internal uses and conditions of internal and external disclosure. There is one steward for each domain of data across the entire organization. Domains are generally broad and easily identifiable, organizations having on average between 10 to 15 core domains.

A Process Owner is a single person accountable for general processes (such as workforce acquisition and termination). These individuals establish the minimum process control requirements, which may then be implemented in a centralized or decentralized manner. Each implementer is responsible for meeting the process owner’s control requirements and one or more data steward’s control requirements.

System Sponsors are assigned to each application and system, from the department specific applications to general utility applications such as email. These system sponsors are responsible for meeting the availability and processing quality requirements of the process owners (e.g. up time and stability), and the data confidentiality and integrity requirements of the data stewards (e.g. patching and access controls). They are also responsible for justifying the continued existence of an application or system.

Data Gatekeepers are accountable for disclosures to a particular audience. Some of these roles are historically well established. For example, the senior public-relations official is accountable for responding to inquiries from the public and the press, and the senior legal official is accountable for addressing inquires from the courts and, depending on the organization, perhaps for inquiries from regulators and governments. Extending this concept to each unique audience creates internal accountability. Audiences may include consumers, vendors, business customers, partners, local and foreign governments, and law enforcement and intelligence agencies. The data gatekeeper is answerable to one or more data stewards.

Let’s run this through an example to see how it works. USB thumb drives are prevalent, with organizations taking stances that range from very loose to very tight. Policies commonly ban the devices, don’t mention them, or put IT in the role of deciding who gets one. The first two positions generally fail to serve the organization, and the last requires IT to make a business operations decision. To address this let’s step back to ask ourselves a few questions. Which process do the USB drives support and are the USB drives inherently required by those processes? Will the USB drive contain controlled information and are the data stewards requirements met?

Sales might use thumb drives to display presentations on client’s equipment. This is clearly a sales process, and would be under the purview of the most senior sales management position, perhaps a VP of Sales. The VP of Sales could responsibly and reasonably take a position that USB drives are required for external sales presentations. So long as that drive contains only sales information, then the data in question is also under the purview of the VP of Sales.

Changing the scenario for a moment, let’s say a salesperson wants to include very sensitive discount information. In this case, the VP of Sales may have a policy that discount data is only shared with key members of the client decision team. The VP of Sales in a process owner role still approves the use of USB thumb drives for sales presentations, but the VP of Sales in a data steward role requires that the data be distributed in a limited and controlled manner.

Changing the scenario even further, let’s say that the client requests key financial information. Again the use of USB drives is already approved by the VP of Sales. However, in this scenario the data in question is subject to the policies of the CFO, who has the requirement that key financial data be stored only on company owned equipment and be encrypted at all times when not within company facilities. In this case, the sales person must use a company owned and encrypted laptop for the presentation. If the VP of Sales doesn’t like this and still wants to use USB drives, the issue is not between Sales and IT, it’s between Sales and Finance. We are effectively taking IT out of  the middle, to a role where IT implements the decision of the parties who have the greatest stake in the decision.

IT organizations in the healthcare industry are being asked to make increasingly complex and subtle decisions. IT everywhere is being asked to do more and be responsible for more. Enabling the business to meaningfully engage IT, and creating a way that provides the businesses with the right information to make decisions is key to the perceived and actual success of an IT department. The road to engaging all parts of the business is difficult, but it has also been shown to be a hallmark of successful organizations.

IT has been put in the role of making business decisions, because organizations lack a framework for making data and system decisions. Providing a framework for decision making can become a key value that IT can provide. Even if your organization is not ready to formally adopt these concepts the thinking process, and the line of questions that result, will help you facilitate better security decision making within your organization.

« Previous   1 2 3 4 5 6 ... 17 18   Next »