Five Steps to Managing Business Associate (BA) Risk
Post on 30-Dec-2016
TRANSCRIPT
James Christiansen, Optiv
Vice President, Information Risk Management, Office of the CISO
Conflict of Interest: James Christiansen, BS, MBA, has no real or apparent conflicts of interest to report.
Welcome – We are using a polling session today. Please answer the following question using your HIMSS application or SMS message as instructed below.
• Are you enjoying HIMSS so far?
– 1) Yes
– 2) No
Agenda
• The “Risk” of Business Associates
– Understanding Business Associate Risk
• Reducing the Inherent Risk of BAs
– Defining the Types of Risk of BAs
• Managing Business Associate Risk
– Matching Security Assessment Level to Risk
• Changing the Paradigm
– Standardization and Automation of Assessments by Type of Service

Key Points:
• Begin due diligence on critical business associates immediately
• Evaluate your risk inventory and assign risk tiers based on best practices
• Start slow – Get quick wins
• Create a tiered program to evaluate risk based on inherent risk
• Manage a remediation plan to address deficient controls
• Provide a robust reporting program for the executive team and regulators
• THINK DIFFERENTLY!

Learning Objectives
• Define the different types of business associate risk
• Discuss the process for managing business associate risk
• Identify inherent risk in the business
• Appraise the inherent risk with the required regulatory controls
• Apply business associate audits matching the level of due diligence to the inherent risk
Realizing the Value of Health IT
Electronic Secure Data
• Healthcare information is under attack. It has more value and a longer shelf life than credit card data.
• Business Associates are often the weak link in the healthcare ecosystem and are targeted by attackers.
The Beginning of a Bad Day
CEO reads in the news that a major Business Associate provider had a security breach:
• Do we outsource to this Business Associate?
• Did we do a recent security review?
• Do we have insurance to cover the costs?
• Are we prepared to respond to the media, our customers and the board of directors?
• Have we contacted our regulators?
• Have we been contacted by the media?
©HIMSS 2016
Common Industry Challenge
Growing Problem
• Sheer Volume
• Costly Due Diligence
• Global Regulatory Requirements
• Data and Privacy Security Breaches
• Fiduciary Board – Top of Mind
Current Practice
• Costly Manual On-Site Audits
• Duplication of Efforts
• No Standard of Due Care
• No Trusted Assessor
Business Associate Targeted Attacks
Business Associate Attacks – Your Business Supplier with Trusted Access
Service Provider: “Trusted”, “Outsourcer”, “Insider”
• Target of Opportunity – Breach a major supplier and you gain access to multiple companies’ data
• Global Problem – A supplier anywhere in the world can be the cause of, or suffer from, a security breach
• Economic Conditions – Increased outsourcing and financial stress on business associates can lower defenses
Exploiting the “Trusted” Business Associate
[Diagram – ACTORS and METHODS. Actors: Hacktivists, Criminal Orgs, State Sponsored. The attacker’s target is the Business Associate or “Insider”: capture login credentials, use credentials to gain access, escalate privileges, then lateral movement from non-critical servers to sensitive servers.]
Business Associate Breaches
• 51% of all breaches come from external parties (1)
• The cost of a breach at an external party is higher than an internal breach (2)
• You are not in control of the response or communications
• Responding is more complex and time consuming
(1) Source: Key findings from The Global State of Information Security® Survey 2014, PWC, CSO Magazine
(2) 2014 Cost of Data Breach Study: Global Analysis, Ponemon Institute, May 2014
Planning, Managing and Reporting
• Planning – Steps to take to understand the inherent risk in the Business Associate relationship
• Managing – How to effectively manage the residual risk of your Business Associate
• Reporting – Reporting on the Business Associate risk management process
Business Associate Risk Management Maturity
• Development of high-level scope and inventory (program adoption)
• Assessments on new relationships that leverage a generic controls framework
• Assessments tailored to risk tier; managed remediation process
• Assessment depth/breadth appropriate for the due diligence required
• Validation and tracking of remediation
• Scope focused on the full spectrum of BAs
• Predictive intelligence
• Manage to SLAs and future viability
Source: Optiv Third-Party Program Blueprint
BA Cyber Risk Monitoring
[Diagram – three levels of monitoring feeding risk reports on people, process and technology.]
• Level 1 – Information From External BA Sites: use web information (threat intelligence, economic data, financial data, social data) as an indicator of the level of control maturity
• Level 2 – Direct Interaction with BA: maturity of the security program; people, process and technology
• Level 3 – Direct Interaction with Technology: use technology to scan system configuration and controls
Business Associate Contracts
• Right to Audit
• Security Service Level Agreement
• Breach Notification
• Restrictions on Outsourcing
• Security Safeguards
• Indemnification, Cyber Insurance, etc.
• Exit Strategy
Business Associate Risk Process
1. Relationship Risk – What Are They Doing for Us?
– Regulatory or Contract Exposure
– Data Exposure
– Business Process Exposure
2. Business Profile Risk – Who Are They?
– Financial Strength
– Geopolitical / Country Risk
– Breach History or Indication
3. How Are They Protecting the Information?
– Standardized
– Service Type, Size and Complexity
– HIPAA/STAR
4. Control Validation
– Electronic Validation
– Onsite Validation
– Control Evidence
5. Monitoring and Reporting
– Changes in Relationship
– Changes in Business
– Changes in Controls
Relationship Exposure Inventory
The First Question: “What data of ours was breached?”
Relationship Exposure Inventory – Risk Registry
• Maintain a relationship list (type and quantity)
Relationship “Creep”
• Due diligence is performed during the first contract
• Relationship grows over time
• Increased liability without updating the risk exposure metrics
Business Profile Risk
Purpose: Who is The Business Associate?
Understand the Risk of Doing Business With the Business Associate
• Financial Strength/Credit Risk
• Regulatory Oversight
• Geopolitical/Economic Risk
• Business Risk
• Breach History, Crime, Legal Suit
Most often performed outside of Information Security
Mapping Risk Tiers
                         Tier 1    Tier 2    Tier 3
Relationship Risk
  Strategic Risk         High      Medium    Low
  Reputational Risk      High      Medium    Low
  Transaction Risk       $$$$      $$$$      $$$
  Compliance Risk        High      Medium    Low
  Data Privacy Risk      High      Medium    Low
Business Profile Risk
  Credit Risk            $$$$$     $$$$      $$$
  Country Risk           High      Medium    Low
  Other Risks            High      Medium    Low
Risk Tiers Based on Inherent Risk
Match the Level of Due Diligence to Inherent Risk
Inherent Risk is a Function of Relationship and Profile Risk
Tier 1
• Strategic accounts (high revenue dependence)
• Regulatory/contract requirements
• High reputation risk
• “Trusted” relationships
Tier 2
• Lower volume with no or minimal sensitive data
• Lower revenue risk
• Business operations risk
• Some business profile risk
Tier 3
• No sensitive data
• Minimal reputation risk
• Minimal or no revenue dependence
• “Trusted” relationship with low-level access
HIPAA Final Rule – Omnibus
• Perform a HIPAA Risk Assessment to determine risks to PHI and identify additional security measures that should be implemented to better protect PHI
• Business Associates are directly liable for compliance with the HIPAA Security Rule
• Subcontractors must be included
Business Associate Risk – Current Situation
Average Enterprise Has 1000s of Business Associates
• Tier 1: 1.5% – 2%
• Tier 2: 6% – 8%
• Tier 3: 90% – 95%
Control Assessments
Standardized Assessments
• Match Due Diligence to Risk and Type of Service
• No Ambiguity
• How You Ask Questions is as Important as What You Ask
Assessment types by service:
• Full Assessment – Large
• Full Assessment – Light
• Cloud Computing
• Application Development
• Call Center
• Small Office
• Single Person Office
Validating IT Controls
Onsite Business Associate Validation
• Costly and Time Prohibitive
SSAE16 SOC 2
• A SSAE16 SOC 2 provides information pertaining to the IT controls that have been certified by an accredited firm
Tip: Make sure the scope matches the services being provided.
Business Associate Breach Intelligence
• Service that monitors for bad traffic on the internet
Polling Question
• Is a SSAE16 SOC 2 Type 2 good enough?
– 1) Yes
– 2) No
– 3) For BAs with minimal risk
Tier 1 Due Diligence
Tier 1 Assessments – Fully Validated
• Self Attest of Controls
• Validate (not a complete list):
– Security policies
– Incident response plan and procedures
– Detection & Monitoring Systems (e.g. SIEM, SOC)
– Business continuity/disaster recovery plan and test results
– Vulnerability management procedures and sample reports
– Security awareness, training and completion log
– Last independent security assessment – status of high risks
– Physical security
Tip: Multiple sites and outsourcing by the Business Associate significantly increase the level of effort
Tier 2 and 3 Assessments – Partially Validated
Tier 2 Assessments
• Self Attest of Controls
• Electronic Validation
– Policies
– Access Management
– Vulnerability Management
– Threat Management
– Penetration Tests
– Endpoint Management
• Random Audit
Tier 3 Assessments
• Self Attest of Controls
• Review Responses
Remediation Plan
Business Associate Not Meeting Required Standards
– Does the control deficiency impact services?
– Provide the Business Associate a list of required improvements and dates
– Business Associate will: commit, require additional time, or reject
– Remediation plan – agreed-upon improvements; trigger follow-up
Business Associate Due Diligence Process
[Cyclical process diagram]
• Review Risk Inventory
• Determine the Appropriate Risk Tier
• Have Business Associate Complete Self-Attest
• Ensure Proper Changes Implemented
• Review Results and Negotiate Remediation Plan
• Control Validation – Dependent on Tier Level
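The tiering and due-diligence routing from the preceding slides (inherent risk as a function of relationship and profile factors, due diligence matched to tier, and the step 5 monitoring triggers), worked through as an added Python example. This is not code from Optiv or HIMSS; the factor names, the rule that the worst factor drives the tier, the annual review interval and the sample inventory are all constructed assumptions. It goes slightly beyond the slides by turning the “relationship creep” and “changes in relationship” points into explicit re-assessment reasons in a risk registry report.

```python
"""Inherent-risk tiering, due-diligence routing and re-assessment triggers for
business associates (BAs).

Added example only: not code from Optiv or HIMSS. The factor names, the
"worst factor drives the tier" rule, the annual review interval and the sample
inventory are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

LEVEL = {"low": 1, "medium": 2, "high": 3}  # assumed ordinal scale per factor

# Due diligence matched to tier, following the Tier 1/2/3 assessment slides.
DUE_DILIGENCE = {
    1: ["self-attest", "full validation of controls"],
    2: ["self-attest", "electronic validation", "random audit"],
    3: ["self-attest", "review responses"],
}
REVIEW_INTERVAL = timedelta(days=365)  # assumed annual re-assessment cycle
REPORT_DATE = date(2016, 12, 30)       # constructed "today" for the sample run


@dataclass
class BusinessAssociate:
    name: str
    # Relationship risk: what are they doing for us?
    data_exposure: str        # sensitivity/volume of PHI handled: low/medium/high
    regulatory_exposure: str  # regulatory or contract exposure
    revenue_dependence: str   # strategic / transaction risk
    access_level: str         # trusted access to our systems: none/low/high
    # Business profile risk: who are they?
    credit_risk: str
    country_risk: str
    breach_history: bool
    # Risk-registry bookkeeping from the last completed assessment
    last_assessed: Optional[date] = None
    assessed_data_exposure: Optional[str] = None
    assessed_tier: Optional[int] = None


def inherent_tier(ba: BusinessAssociate) -> int:
    """Tier 1 is the highest inherent risk. The worst relationship or profile
    factor drives the tier (assumption), so one high-risk factor means Tier 1;
    a 'trusted' relationship with low-level access alone stays Tier 3."""
    worst = max(LEVEL[f] for f in (ba.data_exposure, ba.regulatory_exposure,
                                   ba.revenue_dependence, ba.credit_risk,
                                   ba.country_risk))
    tier = {3: 1, 2: 2, 1: 3}[worst]
    if ba.access_level == "high":
        tier = 1                      # broad trusted access is a Tier 1 relationship
    if ba.breach_history:
        tier = max(1, tier - 1)       # breach history: treat one tier more strictly
    return tier


def required_due_diligence(ba: BusinessAssociate) -> list:
    return DUE_DILIGENCE[inherent_tier(ba)]


def reassessment_reasons(ba: BusinessAssociate, today: date) -> list:
    """Step 5, monitoring: list why a BA's assessment may be stale. 'Relationship
    creep' is the case where the engagement grew but the exposure metrics did not."""
    if ba.last_assessed is None:
        return ["never assessed"]
    reasons = []
    if today - ba.last_assessed > REVIEW_INTERVAL:
        reasons.append("assessment older than the review interval")
    if (ba.assessed_data_exposure
            and LEVEL[ba.data_exposure] > LEVEL[ba.assessed_data_exposure]):
        reasons.append("relationship creep: data exposure grew since assessment")
    if ba.assessed_tier is not None and inherent_tier(ba) < ba.assessed_tier:
        reasons.append("inherent tier is now higher than the assessed tier")
    return reasons


def risk_registry_report(inventory, today: date) -> list:
    """One row per BA, critical tiers first: current tier, due diligence owed,
    and open re-assessment triggers."""
    rows = [{"name": ba.name,
             "tier": inherent_tier(ba),
             "due_diligence": required_due_diligence(ba),
             "reassess": reassessment_reasons(ba, today)} for ba in inventory]
    return sorted(rows, key=lambda r: r["tier"])


# Constructed sample inventory; the names are placeholders, not real organisations.
SAMPLE_INVENTORY = [
    BusinessAssociate("claims-processor", "high", "high", "high", "high",
                      "low", "low", False, last_assessed=date(2016, 3, 1),
                      assessed_data_exposure="high", assessed_tier=1),
    # Started as a low-exposure pilot, now handles PHI: relationship creep.
    BusinessAssociate("billing-app-vendor", "medium", "medium", "medium", "low",
                      "medium", "low", False, last_assessed=date(2016, 9, 1),
                      assessed_data_exposure="low", assessed_tier=3),
    BusinessAssociate("office-cleaning", "low", "low", "low", "low",
                      "low", "low", False, last_assessed=date(2016, 6, 1),
                      assessed_data_exposure="low", assessed_tier=3),
]

if __name__ == "__main__":
    for row in risk_registry_report(SAMPLE_INVENTORY, REPORT_DATE):
        print(row)
```

The report sorts Tier 1 first because the deck’s first 90-day step is to begin due diligence on the critical BAs; the billing vendor row shows how a relationship that was tiered as low-risk at first contract surfaces as a re-assessment trigger once its data exposure grows.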
Changing the Paradigm
• Inefficient, Cost Prohibitive and Sheer Volume
– Performing assessments – often only a small percentage assessed
– Responding to 100’s of risk assessments is disruptive and takes incredible resources
• Time For a Change!
– A standard set of criteria that serves 90% of the needs
– Gather the information once and share many
– Automate the process of audits and remediation
Polling Question
• Would you be willing to use a service that provides validated assessments using standard criteria if it meant significantly less cost, more coverage and higher quality?
– 1) Yes
– 2) No
Within Three Months (90 Days), You Should:
✓ Begin due diligence on critical business associates
✓ Evaluate your risk inventory and assign risk tier
✓ Start slow – Get quick wins
Beyond Three Months (+90 Days), Establish:
✓ A tiered program to evaluate risk
✓ A remediation plan to address deficient controls
✓ Reporting program