Healthcare Cybersecurity Check-Up: Achieving and Measuring Excellence
Session ID: CYB4, 1:15pm – 2:15pm, February 11, 2019
James Brady, PhD, CISSP, CISM, CRISC
Chief Information Officer, Los Angeles County Department of Health Services
Conflict of Interest
James Brady, PhD, CISSP, CISM, CRISC
Has no real or apparent conflicts of interest to report.
Agenda
• Why Cybersecurity Matters
• Defining Cybersecurity
• Cybersecurity Report Card
• Assessing Your Cybersecurity Fitness
• Addressing Your Cybersecurity Weak & Strong Areas
Learning Objectives
• Illustrate a healthcare organization’s assessment of its cybersecurity program: “report card” and evaluations
• Explain how to systematically assess the “fitness” of your organization’s cybersecurity program from a holistic perspective
• Discuss how to drive and manage change in weaker areas and how to keep strong in areas of strength
Los Angeles County Department of Health Services
Why Cybersecurity Matters
Cyber incidents cause real harm — compromising patient data, risking patient safety and jeopardizing operations
• 417,000 Augusta University Health patient records breached, exposing sensitive patient data after a phishing attack.
• LifeBridge Health reveals breach that compromised health data of 500,000 patients after malware infection.
• Office for Civil Rights and HHS fine Fresenius Medical $3.5 million for 5 breaches violating HIPAA.
• LA County 211 service breached, exposing PII and sensitive call details on 3.2 million records.
• In 2016 Hollywood Presbyterian ransomware WannaCry attack disabled computer systems, disrupting clinical operations and forcing the transfer of patients.
• MedStar Health turns patients away after virus attack requires network shutdown in 2016.
There is also a cumulative impact associated with cybersecurity incidents—leading to fines, lawsuits and corrective action
• Financial: A recent “Cost of Data Breach” study found that the average cost for each lost or stolen record containing confidential information was $141.
• Reputational: Facebook shed slightly more than $100 billion in market cap (almost 20% of its total value) for breaching its users' trust following the Cambridge Analytica incident.
• Regulatory: The GDPR can levy fines of up to 4% of global turnover or €20M, whichever is higher, for violations on any company worldwide found mishandling personal data in scope.
Note: The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).
Importance of cybersecurity continues to increase and is becoming vital to organizations
• By 2020, national authorities in the U.S. and U.K. will mandate capture of information related to cybersecurity breaches.
• By 2021, at least one company will publicly acknowledge a $1 billion revenue impact from a business outage resulting from a malware/ransomware attack.
• Consumers are increasingly moving their business to organizations where their personal information is best protected and cared for.
• By 2022, cybersecurity ratings will become as important as credit ratings when assessing the risk of business relationships.
Sources: Predicts 2018: Security and Risk Management Programs, Gartner - July 2018; Build for Privacy, Gartner - June 2018
Defining Cybersecurity
Cybersecurity & Privacy
• Operational Security & Accessibility (Cybersecurity): Encompasses user-level security measures and standard role-based access restrictions.
• Secures Existing Data (Cybersecurity): The secure storage and backup of data, whether it is located in the cloud or on-premises.
• Privacy & Confidentiality (Privacy): Control of information at various sensitivities, limiting data visibility and maintaining access logs.
Security is NOT privacy
Organizations often mistake security features, such as access control or certified cryptography, for privacy.
Security makes up one instrument in a varied toolbox of capabilities to address privacy requirements.
Privacy toolbox shown (from Subject Access Request to Subject Access Response): Data Classification, Adequate Security, Dynamic Masking, Structured Search, Unstructured Search.
Compliance is NOT security
• Many healthcare organizations structure cybersecurity efforts primarily around HIPAA compliance.
• Mere compliance does NOT inoculate the organization against cyber threats.
• Compliance with HIPAA is only the starting point of healthcare data security.
Security is NOT a Checklist or One Time Effort
Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks to address RISK.
These attacks are usually aimed at:
• accessing, changing, or destroying sensitive information;
• extorting money from users; or
• interrupting normal business processes.
A continuous information risk management program fully supported by the organization is required!
Increased automation and complexity lead to higher risk, driven by data amounts
Levels of increasing complexity and increasing risk (01 = lowest, 07 = highest):
01 Singular PC
02 Multiple PCs sharing data across a Local Area Network (LAN)
03 Electronic Health Record processing large amounts of sensitive personal data
04 Centralized data warehouse storing data from multiple disparate sources
05 Multiple departments sharing data across a Wide Area Network (WAN)
06 Internet of Things (IoT) including medical and consumer grade devices
07 External exchange of sensitive data via a Health Information Exchange (HIE)
Cybersecurity Report Card
Cybersecurity Report Card
There is no such thing as perfect protection.
The investments made in cybersecurity are a business decision and directly related to the level of risk the business is willing to accept.
To engage in a meaningful discussion with the business, it is imperative to understand the current risk exposure and maturity so that the gaps can be explained to the business.
Our organization is using a reference architecture against which we assess our maturity. This results in a report card that helps prioritize our investments in security.
Level of risk you are willing to accept will determine your cybersecurity strategy
There is no such thing as "perfect protection".
Business model spectrum, from higher risk / lower cost / lower maturity to lower risk / higher cost / higher maturity:
• Less complex business, less of a target
• Growing business, more customers and complexity
• Larger, more complex business, more of a target
As our business grows, we have to continually reassess how much risk is appropriate.
Our goal is to build a sustainable program that balances the need to protect against the need to run our business.
Won’t the business units choose poorly?
Won’t all the business units just select the lowest level of service/risk/cost? NO. They have to defend their selections to key stakeholders such as the board, the executive committee, the regulators, and their customers.
Won’t this force the business to take the highest level of service/risk/cost? NO. You can’t buy your way out of this problem, and it is equally problematic to select too little risk as it is to select too much risk.
Understand the Messaging Behind the Concept of Security Maturity
Maturity profile (security maturity, lowest to highest): Weak/Ad Hoc, Reactive, Proactive, Managed, Optimized.
Risk tolerance: as maturity increases, composite risk falls while cost & effort rise.
The measurement of security maturity includes the aspects of existence, completeness, comprehensiveness, effectiveness, and efficiency.
Gartner Research Source: IT Score for Information Security, G00301271
Cybersecurity Reference Architecture
• Application Security: Confidence in the ability of software to provide the expected level of transaction assurance
• Change Management: Confidence in the ability of technology to provide the expected level of data and system protection
• Data Security: Confidence in the ability of users and systems to provide the required information protection
• Endpoint Security: Confidence in the ability of devices to provide the expected level of data & access protection
• Security Governance: Confidence in the ability of the security program to provide the necessary level of risk management & resolution
• Physical Security: Confidence in the ability of facilities to provide the expected level of environment, technology, personnel and data protection
• Identity and Access Management: Confidence in the ability of systems to provide the expected level of data and system access control commensurate with need and authority
• Mobile Security: Confidence in the ability of devices to provide the expected level of data, access and transaction protection
• Network Security: Confidence in the ability of the IT architecture to provide the expected level of IT environment protection
• Security Analytics: Confidence in the ability of the security program to provide the necessary level of proactive risk detection and mitigation
• Service Continuity: Confidence in the enterprise’s ability to meet business and customer expectations for data and service restoration
• Vulnerability Management: Confidence in the ability of devices, systems and infrastructure to provide the expected or required level of data and transaction protection, and in the ability of the security program to proactively identify and mitigate risks
Cybersecurity Reference Architecture Mapping
Governance, Risk & Compliance:
- Business Value, Culture, Principles
- Organization/Operating Model
- Policy, Procedures, Standards
- Training & Awareness
- Metrics Tracking & Reporting
- Program/Project Management
- Sourcing/Vendor Management
- Financial Management
- Security/Risk Assessment
- Issue & Action Management
- Statutory/Regulatory Monitoring
- Security Planning & Authorization
- Audit and Compliance
Security Analytics:
- Security Operations Center
- Intrusion & Behavior Monitoring
- Risk Monitoring & Analytics
- Log Management
- Vulnerability & Threat Intelligence
Data Security:
- Data Classification and Discovery
- Confidentiality
- Integrity
- Data in Motion
- Data at Rest
- Data in Use
- Privacy
Application Security:
- Requirements Management
- Architecture
- Secure Coding Practices
- Security Testing and Validation
Vulnerability Management:
- Incident Management & Response
- Vulnerability Scanning & Testing
- Patch Management
- Anti-Malware Management
Network Security:
- Network Perimeters
- Network Zones
- System Placement
- Address Space Management
- Endpoint Admission
- Cloud Use Case Protection
- Wireless Management
Endpoint Security:
- End User Security
- Compute Platform Security
- Device Security
Identity & Access Management:
- IAM Governance & Administration
- Provisioning
- Authentication
- Authorization
- Access Management
- Federated/Cloud IAM
- IAM Data Directory Services
Service Continuity Management:
- Disaster Recovery Planning/Testing
- Business Impact Assessment
- Alternative Processing Strategy
- High Availability Strategy
- Backup Strategy
Mobile Security:
- Social Media
- Mobile Security
Physical Security:
- Physical/Logical Access Integration
- Personnel Security & Badging
- Data Center Controls
- Building Access & Protection
- Social Engineering
Change & Configuration Management:
- Asset/Inventory Management
- Configuration Management
- Change/Release Management
Assessing the maturity of a security program is a critical first step
[Radar chart, 0-5 scale, dimensions: Governance, Plan & Budget, Organization, Controls, Engineering, Awareness, Response, Threat Management, Risk Assessment. Key: Health Care Benchmark; Baseline]
LAC DHS Security Maturity Model dimensions are used to establish a cybersecurity strategy.
A series of initiatives are then identified for maturing each dimension into the defined strategy.
The measurement of security maturity includes the aspects of existence, completeness, comprehensiveness, effectiveness, and efficiency.
Risk exposure resulting from current security maturity facilitates prioritization of the “Next Dollar Spent”
[Bar chart, 0-5 scale, target-state maturity versus current-state maturity, with the difference shown as risk exposure, for: App Security, Service Continuity, Change/Config Mgmt, Data Security, Governance-Risk-Compliance, Endpoint Security, Access Mgmt, Mobile/Collaboration Security, Security Analytics, Network Security, Physical Security, Vulnerability Mgmt]
Call-outs on the chart:
1. Loss of confidence in ability to provide expected or required protection. Remediation: 4.5 FTE, Capital: $800k
2. Loss of confidence in ability to provide expected level of transaction protection. Remediation: 2.5 FTE, Capital: $450k
3. Loss of confidence in ability to meet expectations for service restoration. Remediation: 2.0 FTE, Capital: $250k
4. Loss of confidence in ability to provide expected level of infrastructure protection. Remediation: 1.8 FTE, Capital: $1.2M
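As an added worked example (not LAC DHS tooling), the "next dollar spent" prioritization can be expressed as a ranking of maturity gap per remediation dollar. The 0-5 score derived by counting the five measurement aspects, the name for level 0, the loaded FTE rate, and the mapping of the four quoted remediation figures to named domains and maturity levels are all assumptions made for this example.

```python
from dataclasses import dataclass

# The five aspects the deck says a maturity measurement includes; scoring one
# point per satisfied aspect is an assumption made for this example.
ASPECTS = ("existence", "completeness", "comprehensiveness",
           "effectiveness", "efficiency")
# Level 0 name is assumed; levels 1-5 are the deck's maturity profile.
LEVEL_NAMES = ("Nonexistent", "Weak/Ad Hoc", "Reactive", "Proactive", "Managed", "Optimized")
FTE_LOADED_COST = 150_000.0  # constructed: annual cost of one FTE, in dollars

def maturity_score(assessment: dict) -> int:
    """Return a 0-5 score: one point per aspect the assessor marked satisfied."""
    return sum(1 for aspect in ASPECTS if assessment.get(aspect, False))

@dataclass(frozen=True)
class Domain:
    name: str
    current: int    # current-state maturity, 0-5
    target: int     # target-state maturity, 0-5
    fte: float      # remediation effort in full-time equivalents
    capital: float  # remediation capital, in dollars

    @property
    def gap(self) -> int:
        """Risk exposure expressed as maturity levels still to be gained."""
        return max(self.target - self.current, 0)

    @property
    def remediation_cost(self) -> float:
        return self.fte * FTE_LOADED_COST + self.capital

def next_dollar_ranking(domains: list) -> list:
    """Domains with an open gap, ordered by levels gained per remediation dollar."""
    open_gaps = [d for d in domains if d.gap > 0]
    return sorted(open_gaps, key=lambda d: d.gap / d.remediation_cost, reverse=True)

def report_card(domains: list) -> list:
    """(name, current level name, gap) rows, weakest domain first."""
    return [(d.name, LEVEL_NAMES[d.current], d.gap)
            for d in sorted(domains, key=lambda d: d.current)]

# Constructed sample: the four remediation figures quoted on the slide, mapped
# to domain names and maturity levels that are assumptions, not DHS data.
SAMPLE = [
    Domain("Vulnerability Mgmt", 1, 4, 4.5, 800_000),
    Domain("App Security", 2, 4, 2.5, 450_000),
    Domain("Service Continuity", 2, 3, 2.0, 250_000),
    Domain("Network Security", 3, 4, 1.8, 1_200_000),
    Domain("Physical Security", 4, 4, 0.0, 0.0),
]

if __name__ == "__main__":
    for d in next_dollar_ranking(SAMPLE):
        print(f"{d.name:20} gap={d.gap} cost=${d.remediation_cost:,.0f}")
```

With these figures the cheaper two-level gain in App Security ranks ahead of the larger but costlier Vulnerability Management gap, which is the kind of trade-off the slide's report card is meant to surface.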
Assessing Your Cybersecurity Fitness
Systematic and holistic assessment of the “fitness” of a cybersecurity program
The hard truth about cybersecurity is that you are never done.
So it is important to have a framework to continuously assess the threats, the cost to the business and the mitigation measures.
Our organization is focused on building foundational controls (access controls, compliance, awareness), supplementing them with good controls (audits, risk assessment, governance) and then focusing on advanced measures (integrated controls, leading indicators, etc.).
Periodic assessments and report cards inform our current level of “fitness” and inform our investments.
The hard truth about security
The concept of security is simple. But executing security in this day and age is a journey for which there are no shortcuts. And it’s no longer simply about technology. It’s expensive and requires continuous investment. It takes time and requires constant attention. It forms complex relationships and is part of everything you do. And the need for it never ends.
Cybersecurity Framework
The Cybersecurity Framework provides a common language for expressing, understanding, and managing cybersecurity risk, both internally and externally.
The Framework Core provides references to cybersecurity activities and Informative References. These activities are mapped to five functional categories: Identify, Protect, Detect, Respond, and Recover.
A layered system of security controls provides the best protection
Maturing Security Strategy: Foundation Controls, then Good Controls, then Advanced.
Foundation Controls:
- Perimeter (network security): Firewalls; Intrusion prevention
- Access controls: User provisioning (role-based); Access management (two-factor)
- Vulnerability management: Patching (45-day cycle)
- Incident response
- Security awareness: Training (annual)
- Policy
- Organization: Staff (roles); Skills (certifications)
- Compliance: Audit; Requirements management; E-discovery
Good Controls:
- Formal process: Measurable; Repeatable
- Detection and Response: Log analysis; User behavior (access logs); Virtual machine scanning; Data loss prevention
- Risk assessment: IT risk (applications and projects); Facility risk assessment; Automation
- Governance: Governance committees; Change management; Identity access governance
Advanced:
- Strategic planning
- Business alignment: Integrate controls with business process
- Key risk indicator mapping: Leading indicators of risk that influence business decision making
- Behavior shaping: Reduce technical controls
- Ethical hacking
- Risk management: Enterprise risk; Accountability; Scenario risk assessment
Timeline and Milestones for 90 Day Engagement
[Timeline chart running from Oct 10 across weekly columns Dec 17, Dec 24, Dec 31, Jan 7, Jan 14, Jan 21, Jan 28, Feb 4, Feb 11, Feb 18, Feb 25, Mar 4 and Mar 11, with a holiday gap; rows: Engagement Management, Assessment, Status Reports, Key Deliverables]
Phases: Phase 1 Baseline; Phase 2 Evaluation; Phase 3 Remediation & Reporting.
Steps: 1. Project Initiation; 2. Current-state Discovery; 3. Current-state Definition and Validation; 4. Maturity and Mitigation Analysis and Validation; 5. Roadmap and Strategy Planning and Validation; 6. Final Results Reporting; Project Closure.
Milestones shown: Project Planning, Onsite Kickoff, Checkpoint Calls, On-site data collection, Follow-up data collection next week as necessary, Draft Current-state Report, Validation Review Cycle, Summary Out-brief.
Key Deliverables: Planning Deck, Kickoff Briefing, Baseline Report, Findings Report, Roadmap Report, Results Briefing.
Addressing Your Cybersecurity Weak & Strong Areas
Drive change in weak areas and keep strong in areas of strength
Once you understand areas of weakness, it is imperative that investment dollars are prioritized to mitigate them.
Awareness is key – have a plan and engage in continuous communications with stakeholders and users in your organization. More than 40% of reported security breaches are caused by employee negligence.
Create a Security Plan that helps prioritize initiatives and focuses on all aspects of cybersecurity (people, processes, technology).
Cybersecurity program objectives are well defined and are a leadership and organization-wide responsibility
These five objectives will be used in the updated Cybersecurity Plan at DHS.
Objective and description:
• Develop Information Security Staff: Target hiring and development to focus on critical competencies required to protect against advanced threats and drive business engagement in security activities.
• Instill Security Hygiene Controls: Impart consistency in implementing and maintaining information security controls, as specified in policies or otherwise agreed upon, to manage risk and compliance.
• Perform Ongoing Threat Detection and Management: Complete regular, scheduled threat detection checks to monitor the environment and, in case of attacks, generate alerts with as much advance notice as possible.
• Encourage Secure Employee Behavior: Instill a culture of secure employee behavior through training, awareness campaigns, and by encouraging employees to take ownership of information security and act as “controls”.
• Create Crisis Response Plan: Formulate, and maintain, an actionable plan to rapidly disseminate critical messages to internal and external stakeholders in the event of a security breach.
We need leadership to engage with staff at all levels; everyone has a role to play
Action 1: Leaders must support cybersecurity as an enterprise-wide business risk and management issue, not just an IT issue.
Action 2: Leadership must have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on meeting agendas.
Action 3: Leadership must lead by example and set the expectation that enterprise-wide cyber-risk management frameworks need to be adhered to.
Cybersecurity is a business problem, not an IT problem
Cybersecurity is a business performance issue that requires business leaders to make informed choices; it's not a technical problem buried in IT.
The complexities of cybersecurity demand a structured program that supports resilience, flexibility and accountability.
Business leaders must be ready for the present and prepared for the future so there's an opportunity to anticipate and influence business initiatives.
Questions?
• Email: [email protected]
• LinkedIn: https://www.linkedin.com/in/jamesbrady/
• Don’t forget to complete the online session evaluation!