
© Clearwater Compliance LLC | All Rights Reserved

August 8, 2019

CISO Virtual Cybersecurity Symposium | Session 2 | Module 3

A Framework for Analyzing Cyber Risk

Cathie Brown, VP, Professional Services, Clearwater

Page 2

Module 3 Overview

Title: A Framework for Analyzing Cyber Risk

Module Duration = 50 Minutes

Learning Objectives Addressed in This Module:

1. Understand why and how to leverage the NIST Cybersecurity Framework to better manage and reduce cybersecurity risk
2. Implement the NIST IRM Process: Framing, Assessing, Responding to and Monitoring Risk
3. Mature your IRM program to proactively protect your organization’s sensitive information
4. Ultimately, make higher quality decisions about information / cyber risks by adopting the NIST approach

Page 3

Your Presenter:

Cathie Brown, PMP, CGEIT, CISM, CISSP
Vice President, Professional Services

• 30+ years in Information Technology, including 20 years in Health IT
• 15+ years in Information Security, Risk Management and Compliance
• 10+ years in Management Consulting
• Former Deputy Chief Information Security Officer for the Commonwealth of Virginia
• Expertise and Focus: Developing and leading Information Security and Risk Management teams, Healthcare and HIPAA Compliance
• Board Member of Virginia HIMSS Chapter, Chair of Women in Health IT SIG

Page 4

Discussion Flow

It’s the FRAMEWORK!

No wait, It’s the PROCESS!

Actually, It’s the RISK MANAGEMENT PROGRAM!!

Page 5

The State of Cyber in the Healthcare Ecosystem
Diagnosis: Healthcare Cybersecurity is in Critical Condition

Indicator | 2018 | 2017 | Source
Patient Records Breached | 15M+ | 5.5M+ | Protenus 2019 Breach Barometer
HIPAA Settlements/Judgements | $28,6K | $19,4K | OCR Concludes All-Time Record Year for HIPAA Enforcement
Allocate 3-6% of IT budget to cyber | 25% | 21% | 2019 HIMSS Cybersecurity Survey
Conduct comprehensive end-to-end security risk assessments | 37% | 26% | 2019 HIMSS Cybersecurity Survey

Patients continue to be anxious about the state of health data security and the average cost per breached record remains about $400 per record.

Page 6

Recent News…1

Confidentiality | Integrity | Availability

• Smaller Healthcare Providers Struggling to Implement Healthcare Cybersecurity Best Practices (July 3, 2019)
• Medtronic Recalls Insulin Pumps Due to Cybersecurity Risk (June 28, 2019)
• Vulnerabilities in Servers Behind Majority of Healthcare Data Breaches (June 24, 2019)
• May 2019 Healthcare Data Breach Report (June 20, 2019)
• High and Critical Severity Vulnerabilities Identified in Certain BD (Infusion Pumps) Alaris Gateway Workstations (June 18, 2019)
• Ransomware and Data Destruction Attacks Dominate Healthcare Threat Landscape (June 11, 2019)
• 40% of Healthcare Delivery Organization Attacked with WannaCry Ransomware in the Past 6 Months (May 31, 2019)
• Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules (April 16, 2019)
• Etc.…

1 HIPAA Journal

Page 7

Healthcare and Public Health are Critical Infrastructure

Critical infrastructure is the body of systems, networks and assets that are so essential that their continued operation is required to ensure the security of a given nation, its economy, and the public's health and/or safety.1

Response and Recovery: Protects from terrorism, infectious disease outbreaks, natural disasters, etc.

1 www.dhs.gov/topic/critical-infrastructure-security

Page 8

How does your organization manage cyber risk?

Cyber Risk Management is important to your business… BUT…

• IT has it covered
• Not enough staff
• Higher priorities
• Not in the budget
• Overwhelming

Page 9

IRM Program: Framework | Process | Maturity Model

Framework (WHAT) | Process (HOW) | Maturity Model (CPI)

NIST Risk Assessment Category Outcomes
• ID.RA-1: Asset vulnerabilities are identified and documented
• ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources
• ID.RA-3: Threats, both internal and external, are identified and documented
• ID.RA-4: Potential business impacts and likelihoods are identified
• ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
• ID.RA-6: Risk responses are identified and prioritized

NIST Risk Management Category Outcomes
• ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
• ID.RM-2: Organizational risk tolerance is determined and clearly expressed
• ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis

Maturity Model
• “Immature” - Not or minimally adopted, implemented or achieved
• “Defined” - Partially adopted, implemented or achieved
• “Managed” - Largely adopted, implemented or achieved
• “Established” - Almost fully adopted, implemented or achieved
• “Optimized” - Fully adopted, implemented or achieved

KEY RISK MANAGEMENT CAPABILITIES by INFORMATION RISK MANAGEMENT MATURITY LEVEL
Immature (<25%) | Defined (<50%) | Managed (<75%) | Established (<94%) | Optimized (>95%)

Governance, Awareness of Benefits and Value
• Immature: No Board Oversight Council or strategy for IRM
• Defined: Risk Management is on the agenda, but IRM not considered important strategically
• Managed: Board engagement and documented guiding principles aligning strategic decisions with IRM
• Established: Cyber expertise on the Board and active engagement in IRM activities and decisions
• Optimized: IRM is incorporated into all business strategic and tactical decisions

People, Skills, Knowledge & Culture
• Immature: No Executive Committee exists to execute an IRM strategy or tactics
• Defined: A Working Group has started to be established with some understanding of the importance of IRM
• Managed: Cyber expertise exists on the Executive Committee and responsibilities for the Working Group have been established
• Established: Executive Committee has determined a risk threshold on which business decisions are made
• Optimized: High degree of IRM knowledge and understanding across the whole organization regarding IRM decisions

Process, Discipline, & Repeatability
• Immature: No or incomplete P&Ps or formal practices regarding IRM
• Defined: Some P&Ps have been documented; no or minimal Evidence of Practice exists
• Managed: The process for framing, assessing and responding to IRM risks is documented and followed
• Established: Responsibility for documenting P&Ps and evidence of practice has been assigned and is being followed
• Optimized: The organization has adopted continuous process improvement and milestones to reach a maturity level

Use of Standards, Technology Tools / Scalability
• Immature: No standards or tools for scaling IRM activities exist
• Defined: Some standards have been adopted and some tools for scaling IRM activities exist
• Managed: IRM tools have started to be integrated into business and IT strategies, tactics and plans
• Established: Tools for tactical operations have been adopted, e.g. detection, incident response, identity management, etc.
• Optimized: Sound understanding, consistent use of standards and tools for productivity and scalability

Engagement, Delivery & Operations
• Immature: Any IRM activity is primarily driven by compliance requirements, not business
• Defined: IRM activity is ad hoc, driven by individuals who apply their own priorities to the process
• Managed: Use of the IRM process, framework and strategy is somewhat consistent across the organization
• Established: All IRM participants are convinced that the IRM program has reduced security incidents
• Optimized: IRM is embedded in decision making and continuous process improvement is a way of life

Page 10

NIST Cybersecurity Framework

A risk-based approach composed of three components:1
1. Framework Core
2. Framework Profile, and
3. Framework Implementation Tiers

1 Framework for Improving Critical Infrastructure Cybersecurity

The NIST Framework sets overall architecture, provides structure and guidance and creates a common language for Cybersecurity discussions, decisions and outcomes

Page 11

Core | A Catalog of Cybersecurity Outcomes

Function | Question | Categories
Identify | What processes and assets need protection? | Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy; Supply Chain Risk Management (1.1)
Protect | What safeguards are available? | Identity Management, Authentication and Access Control (1.1); Awareness and Training; Data Security; Information Protection Processes & Procedures; Maintenance; Protective Technology
Detect | What techniques can identify incidents? | Anomalies and Events; Security Continuous Monitoring; Detection Processes
Respond | What techniques can contain impacts of incidents? | Response Planning; Communications; Analysis; Mitigation; Improvements
Recover | What techniques can restore capabilities? | Recovery Planning; Improvements; Communications

• Framework = What: Risk Assessment & Management

• Process = How: Detailed Steps in SP800-39, SP800-30, SP800-37, etc.

5 Functions | 23 Categories | 108 Subcategories

Page 12

Tiers | Provide Context for Managing Risk

NOT a Maturity Model

Page 13

Profile | Builds Prioritized Cybersecurity Roadmap

Creates a Target Profile Based On:
• Business Objectives
• Risk Tolerance
• Available Resources

Page 14

Steps: Turn the NIST CSF into a reality

1. Select Target Goals: Determine acceptable level of risk
2. Create Detailed Profile: Using the Tiers, align to business needs and understand current position
3. Assess Current Position: Conduct a thorough risk assessment, identify vulnerabilities, threats and impact
4. Gap Analysis Action Plan: Compare actual scores with target goals, identify actions to improve and prioritize
5. Implement Action Plan: Manage projects to close the gaps, improve IRM posture

Page 15

Pause and Quick Poll

3.1: Has your organization adopted an overall framework for managing cybersecurity risk?

NIST CSF | ISO27K | Other | Don’t Know

Page 16

Discussion Flow

It’s the FRAMEWORK!

No wait, It’s the PROCESS!

Actually, It’s the RISK MANAGEMENT PROGRAM!!

Page 17

IRM Program: Framework | Process | Maturity Model


Page 18

Risk: Back to Basics
We perform some level of risk management every day, for example…

Patient with fever/cough
Flu
Patient did not have Flu vaccine

The Likelihood this patient will have the flu is HIGH
The Impact of the flu to this patient may be MEDIUM

THIS RISK MAY BE HIGH OR EVEN CRITICAL! TREATMENT IS THE RESPONSE

Page 19

Definition: Information Risk Management

“Risk management is a comprehensive process that requires organizations to: (i) frame risk (i.e., establish the context for risk-based decisions); (ii) assess risk; (iii) respond to risk once determined; and (iv) monitor risk on an ongoing basis using effective organizational communications and a feedback loop for continuous improvement in the risk-related activities of organizations.

Risk management is carried out as a holistic, organization-wide activity that addresses risk from the strategic level to the tactical level, ensuring that risk-based decision making is integrated into every aspect of the organization.”1

1 http://clearwatercompliance.com/wp-content/uploads/SP800-39-final.pdf

Page 20

IRM: Process Components1

1. Frame
• Define the IRM strategy and risk tolerance
• Determine how to assess risks
• Identify priorities and constraints

2. Assess
• Perform the risk assessment
• Identify threats (operations, assets or individuals)
• Identify vulnerabilities (internal and external)
• Determine impact (threats exploiting vulnerabilities)
• Identify risks

3. Respond
• Provide consistent response to risk per risk framework
• Determine risk response (accept, avoid, mitigate, transfer)
• Identify tools, techniques, and methodologies
• Identify external partners (law enforcement, service providers, etc.)

4. Monitor
• Verify planned risk response measures are implemented
• Determine ongoing effectiveness
• Identify risk-impacting changes to systems and environments

1 Adopted from NIST Special Publication 800-39

Page 21

IRM: Multitiered Approach

Organizational View
• Executives and BOD engagement
• Risk framing is foundation for overall IRM program
• Governance
• Risk Executive (function)

Mission/Business View
• Business and IRM constraints defined
• Establish security architecture
• Information criticality/sensitivity
• Information security requirements

Information System View
• Categorize information systems
• Allocate security controls
• Manage the ongoing monitoring

Page 22

IRM: Risk Management Strategy and Framework

Bring Your Information Risk Management Framework to Life

I. Scope of The Risk Management Process
   A. Organizational entities covered
   B. Business functions affected
   C. How risk management activities are applied within the tiers
   D. Etc.
II. Risk Threshold
   A. Risk tolerance
III. Risk Assessment Guidance
   A. Characterization of threat sources
   B. Sources of threat information
   C. Etc.
IV. Risk Response Guidance
   A. Risk threshold
   B. Risk response concepts to be employed
   C. Etc.
V. Risk Monitoring Guidance
   A. Guidance on analysis of monitored
   B. Monitoring frequency
   C. Etc.
VI. Risk Constraints
VII. Organizational Priorities And Trade-offs

Page 23

IRM: Risk Assessment Process

1. Finalize Asset Inventory in scope
2. Identify Threats and Vulnerabilities
3. Determine Likelihood and Impact (1-lowest to 5-highest)
4. Assign Risk Level (1-lowest to 25-highest)

Governance and Project Management

Page 24

IRM: Risk Assessment Example

Asset | Threats | Vulnerability | Likelihood | Impact | Risk Level
EHR System | Unauthorized access (Confidentiality) | Password complexity, aging not enforced | 5 | 5 | 25
EHR System | Malicious system events (Integrity) | EHR system logs are not reviewed on a proactive basis | 4 | 5 | 20
EHR System | Ransomware (Availability) | Restoration of backups is not tested on a periodic basis | 4 | 5 | 20
EHR System | System flaws are not remediated (CIA) | Formal patch management process does not exist | 5 | 5 | 25
EHR System | Natural disaster (Availability) | Backup site is located within 5 miles | 2 | 5 | 10
EHR System | Data leakage (Confidentiality) | Media control policy has not been documented | 2 | 3 | 6

Critical Output is the Risk Register
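As an added example (not part of the slides), the scoring method of the two preceding slides carried through in Python: every register row is validated against the 1-5 scales, the risk level is likelihood x impact (1-25), rows are sorted for prioritization, and anything above the organization's risk tolerance is flagged for a response decision. The six rows are the slide's own EHR System example; the band cut-offs in RISK_BANDS and the tolerance value of 12 are assumptions, not figures from the deck.

```python
from dataclasses import dataclass
from typing import Iterable

SCALE_MIN, SCALE_MAX = 1, 5           # likelihood and impact scales used on the slides
LEVEL_MAX = SCALE_MAX * SCALE_MAX      # risk level = likelihood x impact, 1 (lowest) to 25 (highest)

# Assumed cut-offs for naming a 1-25 risk level; the slides use the words but give no thresholds.
RISK_BANDS = ((20, "Critical"), (13, "High"), (6, "Medium"), (1, "Low"))


@dataclass(frozen=True)
class RiskItem:
    """One risk register row: the asset, the threat, the vulnerability it exploits, and the two scores."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int

    def __post_init__(self) -> None:
        # Reject scores outside the 1-5 scale so a typo cannot silently distort the register.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be an integer {SCALE_MIN}-{SCALE_MAX}, got {value!r}")

    @property
    def risk_level(self) -> int:
        """Risk level as the slide defines it: likelihood multiplied by impact."""
        return self.likelihood * self.impact


def risk_band(level: int) -> str:
    """Name a 1-25 risk level using the assumed RISK_BANDS cut-offs."""
    if not 1 <= level <= LEVEL_MAX:
        raise ValueError(f"risk level must be 1-{LEVEL_MAX}, got {level}")
    return next(name for floor, name in RISK_BANDS if level >= floor)


def build_register(items: Iterable[RiskItem]) -> list[RiskItem]:
    """Prioritized register: highest risk level first; ties broken by impact, then likelihood, then name."""
    return sorted(items, key=lambda r: (-r.risk_level, -r.impact, -r.likelihood, r.asset, r.threat))


def needs_response_decision(register: Iterable[RiskItem], tolerance: int) -> list[RiskItem]:
    """Rows above the risk tolerance set in the Frame step.

    Anything above tolerance needs an explicit response (avoid, mitigate or transfer) recorded in
    the action plan; anything at or below tolerance is a candidate for acceptance.
    """
    return [r for r in register if r.risk_level > tolerance]


def format_register(register: Iterable[RiskItem], tolerance: int) -> str:
    """Render the register as a plain-text table, marking rows above tolerance with '*'."""
    rows = ["  Asset | Threat | Vulnerability | L | I | Level | Band"]
    for r in register:
        flag = "*" if r.risk_level > tolerance else " "
        rows.append(f"{flag} {r.asset} | {r.threat} | {r.vulnerability} | {r.likelihood} | "
                    f"{r.impact} | {r.risk_level} | {risk_band(r.risk_level)}")
    return "\n".join(rows)


# Constructed sample input: the six EHR System rows from the slide's risk assessment example.
SAMPLE_ITEMS = [
    RiskItem("EHR System", "Unauthorized access (Confidentiality)",
             "Password complexity, aging not enforced", 5, 5),
    RiskItem("EHR System", "Malicious system events (Integrity)",
             "EHR system logs are not reviewed on a proactive basis", 4, 5),
    RiskItem("EHR System", "Ransomware (Availability)",
             "Restoration of backups is not tested on a periodic basis", 4, 5),
    RiskItem("EHR System", "System flaws are not remediated (CIA)",
             "Formal patch management process does not exist", 5, 5),
    RiskItem("EHR System", "Natural disaster (Availability)",
             "Backup site is located within 5 miles", 2, 5),
    RiskItem("EHR System", "Data leakage (Confidentiality)",
             "Media control policy has not been documented", 2, 3),
]
RISK_TOLERANCE = 12  # assumed organizational risk tolerance, chosen only for illustration

if __name__ == "__main__":
    register = build_register(SAMPLE_ITEMS)
    print(format_register(register, RISK_TOLERANCE))
    above = needs_response_decision(register, RISK_TOLERANCE)
    print(f"{len(above)} of {len(register)} rows exceed the tolerance of {RISK_TOLERANCE} "
          "and need a documented response decision")
```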

Page 25

IRM: Risk Response Decisions

Page 26

IRM: Risk Action Plan

Page 27

IRM: Risk Monitoring for Compliance, Effectiveness & Change

Purpose of monitoring risk:
• Verify compliance with internal PnPs and external requirements
• Verify that planned risk response is implemented
• Determine the ongoing effectiveness of risk response
• Identify risk-impacting changes to information assets

Page 28

Pause and Quick Poll

3.2: Has your organization chosen an information risk management process such as that described in NIST SP800-39?

Yes | No | Not Sure

Page 29

Discussion Flow

It’s the FRAMEWORK!

No wait, It’s the PROCESS!

Actually, It’s the RISK MANAGEMENT PROGRAM!!

Page 30

IRM Program: Framework | Process | Maturity Model


Maturing capabilities are the path to organizational resiliency

Page 31

IRM: Assessing Maturity

Reference: ISO/IEC 15504 Process Assessment Standard

Identify where current maturity level is in relation to certain activities or practices

Establish a goal for maturity improvement

Set priorities for improvements to achieve desired maturity level

Page 32

Pause and Quick Poll

3.3: Ask the best question?

1. Is my enterprise secure?
2. Am I compliant?
3. Is our security program operating effectively?
4. How secure is ‘good enough’?

Page 33

IRM: Asking the Question

1. Is my organization secure?
• Controls focused
• Considers performance measures such as penetration testing, vulnerability assessment, etc.
• Measures coverage and utility

2. Am I compliant?
• Minimum baseline
• Compartmentalized (i.e., PCI, HIPAA)
• ‘Check the box’ mindset

3. Is our security program operating effectively?
• Indicates governance
• Aligned with business
• Capability focused

4. How secure is ‘good enough’?
• Reactive posture
• Minimalist mindset

Page 34

IRM: Attributes of Mature Capability

Information Risk Management Maturity: Immature → Optimized
Where Does Your Organization Need to Be?

• Governed
• Measurable
• Controlled
• CPI-based
• Standards-based
• Proactive
• Adaptable
• Consistent
• Predictable
• Automated

Page 35

IRM: Clearwater’s Maturity Model

Page 36

IRM: Maturity Core Capabilities and Practice Areas

Governance
• Board Oversight and Expertise
• Oversight Council Strategic Alignment
• Oversight Council Operational Alignment
• Oversight Council Planning and Process

People
• Executive Oversight
• Practice and Expertise
• Strategic Alignment
• Operational Alignment

Process
• Documentation of IRM Processes for Repeatability
• Documentation of Responsibilities
• Continuous IRM Process Improvement

Technology
• Strategic Considerations for Technology, Tools and Scalability
• Tactical Considerations for Technology, Tools and Scalability
• Operational IRM Tools and Scalability

Engagement
• Engagement, Delivery and Operations Alignment
• Operational Engagement
• Delivery and Operations

5 Capabilities | 17 Practice Areas | 104 Best Practice Statements Examined


Page 37

IRM: Maturity Taxonomy

Capability → Practice Area → Practice Statement

Capabilities shown: Governance, People

Capability: Governance
Practice Area: Board Oversight and Expertise
Practice Statements:
• A board, governance or oversight council (“Oversight Council”) focused on IRM exists.
• Oversight Council members are actively engaged in IRM matters.
• The Oversight Council believes an IRM program is important to the achievement of its organizational strategies and plans.
• There is cybersecurity expertise on the Oversight Council.

Other Governance practice areas: Oversight Council Strategic Alignment; Oversight Council Operational Alignment; Oversight Council Planning and Process

Page 38

Discussion Flow

It’s the FRAMEWORK!

No wait, It’s the PROCESS!

Actually, It’s the RISK MANAGEMENT PROGRAM!!

Closing Thoughts…

Page 39

IRM: Closing Thoughts

Standards are our friend
Standards have matured the healthcare industry in many aspects. Standards-based frameworks and processes are needed to mature Cybersecurity and Information Risk Management.

IRM is not an IT Security ‘thing’
Cybersecurity is not about a series of tasks or controls. The challenges are complex and require executive and BOD engagement, business alignment and program management.

Implement the NIST CSF
Tools and guidance exist today! Do not waste precious time and resources debating the best framework. Take advantage of the work from some of the best in the field. www.nist.gov

Page 40

Module 3 Supplemental Resources

1. Framework for Improving Critical Infrastructure Cybersecurity

2. Cybersecurity Framework Industry Resources

3. OIG: HHS Needs to Strengthen Security and Privacy Guidance and Oversight

4. Cybersecurity Framework Frequently Asked Questions

5. NIST SP800-39-final_Managing Information Security Risk

6. Harnessing the Power of NIST | Your Practical Guide to Effective Information Risk Management

7. Choosing an Information Risk Management Framework: The Case for the NIST Cybersecurity Framework in Healthcare Organizations

Page 41

Thank You & Questions

Cathie Brown | [email protected] or 434-665-0345 | www.clearwatercompliance.com

Page 42

Legal Disclaimer

Although the information provided by Clearwater Compliance may be helpful in informing customers and others who have an interest in data privacy and security issues, it does not constitute legal advice. This information may be based in part on current federal law and is subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource and should not be relied upon as a substitute for competent legal advice specific to your circumstances. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.

Copyright Notice

All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.

*The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

22018-1