IEHIE Proposal for Continuous Compliance, Mitigation & Recovery (CCMR) Program Focused on Small (1-9) Physician Groups, their affiliates, and Business Associates

Upload: kevinmass30

Post on 07-Feb-2017


Page 1: Netspective IEHIE Continuous Compliance Mitigation Program v2.0

IEHIE Proposal for Continuous Compliance, Mitigation & Recovery (CCMR) Program

Focused on Small (1-9) Physician Groups, their affiliates, and Business Associates

Page 2

www.netspective.com

Comprehensive and Continuous Security Solution

Cyber threats haunt security experts every day, and even IT professionals cannot keep up with the pace of new risks. Asking small physician practices to remain secure while trying to stay profitable as reimbursements decline and administrative burdens increase is both unreasonable and untenable.

Inland Empire Health Information Exchange (IEHIE) met with Netspective in early June and expressed a desire to deploy a comprehensive approach to protecting IEHIE’s environment by looking beyond its own infrastructure and into the volatile cyber threat environments at its smallest physician sites’ most vulnerable endpoints.

This would be accomplished using a unified, continuous, legal, security, and cyber risk coverage approach which would allow its network participants to establish and manage a minimum but adequate standard for IT security practices, without IEHIE having to bear the responsibility or liability of its participants.

Netspective suggested IEHIE focus on the “probable” threats to IEHIE’s participants, rather than trying to boil the ocean of “possible” threats and attackers. We recommended an Independent Physician Association (IPA) or Group Purchasing Organization (GPO) style membership-based shared services approach that would offer:

• Legal compliance led by a law firm that would supply documentation and legal services under attorney-client privilege. This protects every member from HHS’s Office for Civil Rights (OCR).

• Technical security led by a systems integration firm that would bring to bear security staff along with an entire tools and partners ecosystem. This protects every member from hackers and covers technical recovery from breaches.

• Cyber insurance provided by an insurance company that would provide financial recovery. This protects every member from monetary harm when a breach does occur.

Page 3

Membership-based shared services

Use a Cyber IPA/GPO/MSO shared services organization to establish familiarity with participants, circumvent regulatory/compliance scrutiny, and lower costs:

• IEHIE can become a management or administrative member with full collaborative oversight of participants’ systems and data
• Unified portal serves as a point of collaboration for the administrative, technical, legal, and insurance parties/components involved
• Provide cyber security insurance coverage options that are related to the risk of individual participants
• Scalable solution and resources to handle a large pipeline of provider organizations between 1-9 physicians in size; automate processes without sacrificing quality and/or security
• IEHIE can demand a minimum security standard from participants, while validating ongoing compliance/security, without having to take on any liability
• Automate and standardize policies, procedures, tools, documentation, and staff within the solution

Diagram (labels only): Practice 1, Practice 2, Practice N; Business Associates; IPA/GPO/MSO; Opsfolio Collaboration Portal; SIEM, ID, DLP, Monitoring & Tools Ecosystem; Policies, Procedures, Documentation, Training & Education; Legal, technical, breach cleanup, risk management staff; Management & Administration.

Page 4

The managed services approach

• Conduct instant pen test to discover immediate holes
• Implement immediate controls & POAM [1] the remainder
• Establish governance and RAM [2]/RACI [3] matrix
• Identify & classify PII [4]/PHI [5] and regulated systems
• Implement or update policies & procedures
• Create incident response plan & testable procedures
• Identify & classify vendors and external risks
• Identify & classify insider risks
• Integrate with other members in the community (ISACs [6])
• Establish continuous monitoring & mitigation services

[1] Plan of Actions & Milestones
[2] Responsibility assignment matrix
[3] Responsible, Accountable, Consulted, and Informed
[4] Personally Identifiable Information
[5] Protected Health Information
[6] Information Sharing and Analysis Center

Page 5

Initial Technical Security Assessment

Diagram (labels only): Practice 1, Practice 2, Practice N; Business Associates; Remote Cybersecurity Consultant; Access Point; Discovery, Information Gathering, Analysis (numbered steps 1-3); External Penetration Testing; Risk Analysis; Assessment; Logs; System Catalogue; Assessment Details; Penetration Test Results.

Lite (instant)
• External penetration testing based risk assessment

Adequate (rapid)
• Lite assessment plus basic top-down technical risk assessment

Complete (time-consuming)
• Bottom-up asset-specific inventory-based risk assessment

Page 6

Outward facing penetration tests

Run instant scans of externally facing servers and assets to determine immediate risks

Based on results of instant scans, focus next security steps on highest priority vulnerabilities

Page 7

Identify & classify regulated systems

Identification and classification across all major asset categories and subcategories are easy

Customizable attributes and relationships across all assets are placed under change control

Page 8

Identify & classify data / storage

Track encryption at the storage, database, and schema levels

Document precisely what kind of data is being stored in backups and where they’re located

Page 9

Asset-specific risk assessments

Asset-specific risk assessments encourage attention to security rather than compliance

Asset-specific controls documentation allows better visibility into specific vulnerabilities

Page 10

Initial Legal Compliance Assessment

Diagram (labels only): Practice 1, Practice 2, Practice N; Business Associates; Consulting Compliance Experts; Discovery, Information Gathering, Analysis (numbered steps 1-3); Bottom Up analysis; Compliance Assessment; Compliance Analysis; P&P, Technical and Security Catalogue Assessment; Report; Audit readiness Analysis; Audit readiness report.

Lite
• Self assessment based on preexisting top-down frameworks using Opsfolio
• Computer Based Training (CBT) by user

Adequate
• Lite Assessment +
• Survey questionnaire for expert review of regulatory compliance
• Customized CBT development and tracking for training coverage

Complete
• Adequate Assessment +
• Bottom-up compliance assessment by expert
• Fractional CPO and CISO (Opsfolio executive reports leveraged)
• Audit Readiness Analysis
• Executive Coaching

Page 11

Ensure policies are documented

Multi-stakeholder, multi-institution policies and procedures management

Proper policies and procedures are available across internal staff as well as external vendors

Page 12

Ensure training compliance

Multi-stakeholder, multi-institution training courses management

Training courses can be assigned and tracked across internal staff or even external vendors

Page 13

Evaluate training effectiveness

Enhanced computer-based or traditional training can be offered

After training is completed, surveys and tests can be conducted and tracked for effectiveness

Page 14

Maintain compliance reports

Dynamic reports keep compliance management easy for the Chief Privacy Officer and CISO

Everyone within the organization and across their legal and security teams has the same data

Page 15

Implement change control

Activity tracking and runbook management through blogging are done at the asset level

Incident tracking for outages, potential breaches, and actual breaches

Page 16

Track BAs, BAAs, and vendors

Comprehensive list of Business Associates and their agreements

Comprehensive Business Associates and vendor details/attributes management

Page 17

Common gaps that we’ll fill for IEHIE

Legal Compliance Gaps
• Staff unawareness of Privacy/Security Officer
• Dated Risk Assessment and Training
• Generic Policies & Procedures that add no value
• Absence of adequate physical safeguards for IT systems
• No comprehensive list of Business Associates and BAAs
• Failure to inventory IT assets
• No Business Disaster & Recovery Plan
• Security incidents are not documented with a consistent and effective approach
• Absence of consistent logging and monitoring activities
• Information around controls is not considered by management before making decisions
• Failure to review audit logs of application systems
• Failure to terminate access to IT systems upon dismissal or completion of duties

Technical Security Gaps
• No bottom-up Risk Assessment for each IT asset
• Absence of (layered/segmented) firewall security
• Absence of Intrusion Prevention and Detection Systems
• Insufficient access controls for technology devices
• Insufficient password strength and expiration requirements
• Absence of encryption and/or secure transmission configurations
• Absence of consistent logging and monitoring activities
• Absence of (on-site and offsite) backup systems
• Lack of information around risks to make informed management decisions
• No scrutiny of Business Associate compliance and security
• No Continuity of Operations Plan

Page 18

Customizable services

Continuous Monitoring

• Monitoring – patch management, data loss prevention, data integrity maintenance, unauthorized data access of information systems, legal compliance (training, policies and procedures, documentation, physical/administrative, technical safeguards and security), threat intelligence, intrusion detection monitoring, cyber risk monitoring

• Assessment – impact analysis from monitoring for adverse events or changes in business policies and procedures, change in regulatory laws, pen testing, asset discovery and inventory updates, monthly document review

Continuous Risk Remediation

Compliance gaps remediation plan, patch management, technical or security risk analysis remediation plan, resolve technical or organizational controls, configuration management, policies and procedures updates, documentation updates, asset inventory updates, cyber risk insurance updates, legal risk remediation plan.

Page 19

Diagram (labels only): Client Environment with Access Point, Environment Survey, Remote Cybersecurity Consultant, and Discovery, Information Gathering, Analysis (numbered steps 1-3) covering Assessment, Penetration Testing, Risk Analysis, Logs, System Catalogue, Assessment Details, Penetration Test Results; Internet; Cybersecurity Situational Awareness Data Science Platform (Risk Assessment; Pre-processing, Analytics, Post-processing); Data Sources: HDFS, RDBMS, Cassandra, etc. (labelled Type 1-4); Source Data Lake (Mutable); Apache Spark; Cybersecurity Aggregator (Pre-processing, Analytics, Post-processing) with Tripwire SecureScan Logs, Spice Works Inventory Management Tool Logs, Graylog Logs, Rules Engine, LogStash Logs, OpenVAS Logs, NMap Results, OpenDLP Logs; Opsfolio; Cloud Staging Logs; Working Data Lake (for Apps and Analytics) on HDFS (Hadoop) and PostgreSQL; Data Access Layer with File Access and REST API; Fluent XA (Log Shipping); Assess.

Page 20

Thank You

Visit http://www.netspective.com and http://www.healthcareguy.com
E-mail [email protected]
@ShahidNShah
Call 202-713-5409