10/18/2016
Preparing Your Organization for a HHS‐OIG Information Security Audit
David Holtzman, JD, CIPP/G CynergisTek, Inc.
Brian C. Johnson, CPA, CISA HHS‐OIG
Section 1: Models for Risk Assessment
Section 2: Preparing for a HHS-OIG Audit
CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 [email protected] cynergistek.com @CynergisTek
Models for Risk Assessment
Where Do We Start? Risk Assessment…
What is Risk Analysis?
• The process of:
– Analyzing threats and vulnerabilities in a specified environment,
– Determining the impact or magnitude, and
– Identifying areas needing safeguards or controls
Information Security Risk Analysis: HIPAA Security Rule
HIPAA Security Risk Assessment
• An assessment of threats and vulnerabilities to information systems that handle e-PHI.
• This provides the starting point for determining what is ‘appropriate’ and ‘reasonable’.
• Organizations determine their own technology and administrative choices to mitigate their risks.
• The risk analysis process should be ongoing and repeated as needed when the organization experiences changes in technology or operating environment.
Performing a Risk Analysis
Gather Information
• Prepare inventory lists of information assets: data, hardware and software.
• Determine potential threats to information assets.
• Identify organizational and information system vulnerabilities.
• Document existing security controls and processes.
Analyze Information
• Evaluate and measure risks associated with information assets.
• Rank information assets based on asset criticality and business value.
• Develop and analyze multiple potential threat scenarios.
Develop Remedial Plans
• Prioritize potential threats based on importance and criticality.
• Develop remedial plans to combat potential threat scenarios.
• Repeat risk analysis to evaluate success of remediation and when there are changes in technology or operating environment.
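The three phases above (gather, analyze, develop remedial plans, then repeat) can be carried through on a small risk register. The script below is an added example written for this page; it is not from the presentation or from CynergisTek. The 1–5 scales, the rule that each documented control lowers likelihood by one step, the asset weighting and the remediation threshold of 30 are all assumptions chosen for illustration, and the clinic inventory is constructed sample data.

```python
from dataclasses import dataclass, field

# Assumptions for this example: 1..5 scales, one control = one step less
# likelihood, asset weight = max(criticality, business value), threshold 30.
REMEDIATE_AT = 30


@dataclass
class Asset:
    name: str
    kind: str              # "data", "hardware" or "software"
    criticality: int       # 1 (low) .. 5 (high)
    business_value: int    # 1 (low) .. 5 (high)


@dataclass
class Scenario:
    asset: str             # name of the Asset this threat scenario applies to
    threat: str
    vulnerability: str
    likelihood: int        # 1 (rare) .. 5 (expected)
    impact: int            # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)   # existing, documented controls


def residual_likelihood(s: Scenario) -> int:
    # Assumed model: each documented control lowers likelihood one step (floor 1).
    return max(1, s.likelihood - len(s.controls))


def score(s: Scenario, assets: dict) -> int:
    # Risk = residual likelihood x impact, weighted by how much the asset matters.
    a = assets[s.asset]
    return residual_likelihood(s) * s.impact * max(a.criticality, a.business_value)


def rank(scenarios, assets):
    """Analyze: order scenarios from highest to lowest risk score."""
    return sorted(scenarios, key=lambda s: score(s, assets), reverse=True)


def remedial_plan(scenarios, assets):
    """Develop remedial plans: every scenario at or above the threshold."""
    return [(s.asset, s.vulnerability, score(s, assets))
            for s in rank(scenarios, assets) if score(s, assets) >= REMEDIATE_AT]


def reassess(scenarios, assets, added_controls):
    """Repeat the analysis after remediation (or after an environment change)."""
    for s in scenarios:
        s.controls.extend(added_controls.get((s.asset, s.vulnerability), []))
    return remedial_plan(scenarios, assets)


def sample_register():
    """Gather: constructed inventory and threat scenarios for a small clinic."""
    assets = {a.name: a for a in [
        Asset("EHR database", "data", 5, 5),
        Asset("backup tapes", "hardware", 4, 3),
        Asset("billing server", "software", 3, 4),
        Asset("staff laptops", "hardware", 2, 2),
    ]}
    scenarios = [
        Scenario("EHR database", "ransomware", "unpatched OS on database server",
                 4, 5, ["network segmentation"]),
        Scenario("backup tapes", "theft in transit", "tapes stored unencrypted", 3, 5),
        Scenario("billing server", "credential stuffing", "no MFA on remote access",
                 4, 4, ["account lockout"]),
        Scenario("staff laptops", "device loss", "PHI cached locally",
                 3, 3, ["full-disk encryption", "remote wipe"]),
    ]
    return assets, scenarios


if __name__ == "__main__":
    assets, scenarios = sample_register()
    for item in remedial_plan(scenarios, assets):
        print("remediate:", item)
    still_open = reassess(scenarios, assets, {
        ("EHR database", "unpatched OS on database server"): ["monthly patch cycle", "vulnerability scanning"],
        ("backup tapes", "tapes stored unencrypted"): ["tape encryption"],
        ("billing server", "no MFA on remote access"): ["MFA for remote access"],
    })
    print("still above threshold after remediation:", still_open)
```

The second pass is the point of the "repeat" bullet: after the planned controls are recorded, the EHR scenario drops below the threshold while the tape and billing scenarios remain on the plan, which is what a documented residual-risk decision should show an auditor.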
Example of Security Risk Analysis
Administrative Safeguards: Security Management Process (columns: Findings, Comments)
Risk Analysis
• Has a policy, procedure or plan been documented & implemented that requires annual risk analysis?
• Is a risk analysis conducted annually or whenever significant modifications are made to a system, facility or network? If yes, then when was the last date?
Risk Management
• Has a risk management policy, procedure or plan been documented and implemented to ensure security measures are in place to reduce risk to an acceptable level?
Cybersecurity Framework
Frameworks: A Common Taxonomy For
• Describing an organization’s current cybersecurity posture
• Describing its target state for cybersecurity
• Identifying and prioritizing areas of improvement
• Employing a repeatable process for review
• Continuously assessing its cybersecurity posture
• Communicating cybersecurity risks to both internal and external stakeholders
• Conducting regular measurements of control effectiveness
• Demonstrating compliance
A Holistic Approach To Data Security
• Identify: Inventory information assets and analyze their risks
• Protect: Use technical, administrative, and physical controls to mitigate the identified risks
• Detect: Monitor the environment for signs of intrusion
• Respond: Mobilize resources to contain and eradicate an intrusion
• Recover: Remediate the effects of an intrusion and return to normal operations
• Governance
Reference: NIST Cybersecurity Framework
CSF Crosswalks to HIPAA SR
Resources & Tools
Resources for Getting Started
• HHS HIPAA Information Security Risk Assessment for Small Organizations (v2.0, September 2016)
– https://www.healthit.gov/providers-professionals/security-risk-assessment
• NIST Cybersecurity Framework
– http://www.nist.gov/cyberframework/
• HIPAA Security Crosswalk to NIST Cybersecurity Framework
– http://www.hhs.gov/sites/default/files/nist-csf-to-hipaa-security-rule-crosswalk-02-22-2016-final.pdf
Questions?
David Holtzman
(240) 720-1365
@HITprivacy
Section 2: Preparing for a HHS-OIG Audit
October 24, 2016
Disclaimer
What is the OIG?
What does the OIG oversee?
What are OIG’s components?
What is OIG’s oversight role in health IT?
Where does IT Audit fit in?
How do we decide what to audit?
What are we working on now?
What should you expect if selected for an audit?
What are the results of our work?
What are your questions?
The views I express are my own, and do not necessarily represent those of the OIG, or any other government agency or department.
Mission: Protect the integrity of HHS programs and the welfare of the people they serve
1,550+ employees, 70+ offices
OIG components:
• Audit Services
• Evaluation & Inspections
• Investigations
• Counsel to the IG
• 100+ HHS programs, including those operated by the Centers for Medicare & Medicaid Services, the Office of the National Coordinator, and the Food and Drug Administration
• $1 trillion in HHS spending, including grants and contracts
Internal to HHS: CMS, ONC, OCR, FDA, etc.
External to HHS: Contractors, States, Hospitals, Physicians, etc.
HHS Cybersecurity Program Mission: Foster an enterprise‐wide secure and trusted environment in support of HHS' commitment to better health and well‐being of the American people.
OIG IT Audit Mission: To provide timely, impactful, and innovative IT audits of data and information systems maintained by, or on behalf of, HHS.
Our Common Mission: To ensure that all data and systems under the jurisdiction of HHS are secure.
Our IT Audit work generally falls into the following areas:
• Congressionally Mandated Work
• Information Security General Controls Audits, including Vulnerability Assessments using automated tools
• Application Control Audits
• Penetration Tests
Two risk-based approaches we are currently using:
• Cyber Risk Assessments (Public Reconnaissance)
• Enterprise Risk Management (ERM)
The Cyber Assessment Team has been adopting public reconnaissance to plan work at HHS OpDivs. The team used publicly available sources to provide insight on each OpDiv’s infrastructure and to determine whether potentially vulnerable systems and web applications exist.
General and application control IT audit teams have been adopting Enterprise Risk Management to plan work.
The Cyber Assessment Team identified potential targets and provided insight on various attack landscapes:
• No vulnerabilities exploited, and
• No active attacks took place.
Information extracted included:
• Currently existing vulnerabilities;
• IP addresses and sub-domains;
• Insight on the network infrastructure; and
• Software potentially used.
What is Enterprise Risk Management?
Based on the risks identified, some of our top priorities for upcoming work include:
• HHS Operating Division Data and Information System Security (Cyber and General Control Assessments)
• Medicaid Data and Information System Security (MMIS, MCO, and Eligibility systems)
• Medical Device Security
• System Controls Supporting Prescription Drugs
• Average 25 ongoing audits in various stages
• Average 25 reports per year
• Many significant recommendations per report (individually or collectively)
We will contact you and the HHS Operating Division responsible for the related HHS program oversight. In our audit notification letter we will typically include our:
• audit objective,
• an explanation of our authority to conduct the audit,
• an initial request list,
• who our contacts are, and
• instructions on how to communicate and send information securely.
Here is an example of a typical IT audit objective:
The objective of our audit is to determine whether you adequately secured your data and information systems that support a particular HHS program (e.g. Medicare, Medicaid, State Marketplaces, Electronic Health Records, etc.) in accordance with Federal requirements (e.g. HIPAA, HITECH, ACA, Medicare, Medicaid, etc.).
To accomplish our objective(s), we:
• Obtain guidance the auditee received from oversight organizations, e.g. CMS;
• Assess System Security Plans;
• Assess Risk Management Programs;
• Obtain an understanding of the security framework used (e.g. HIPAA, NIST SP 800-53, ISO 27001, COBIT, SOC2, etc.);
• Map data flow and decision/control points (input, processing, storage), to include external interfaces, network architecture, databases; for example:
– Information flow
– Hardware/software (network diagrams)
– People (organization charts);
• Obtain SLAs, Business Associate Agreements, contracts, MOUs, etc.;
• Interview management and personnel;
• Assess policies, procedures, and practices;
• Assess network system security;
• Assess computer security patch management;
• Assess access controls;
• Assess device and media controls;
• Assess network perimeter devices (e.g. firewalls, routers, and switches);
• Assess web application and website security;
• Assess database controls; and
• Assess incident response controls.
We conduct our audits in accordance with generally accepted government auditing standards.
Based on the auditee’s environment, systems and applications, and in coordination with the OIG OAS IT Cyber Threat and Assessment Team, we will use various automated tools to assess the security of the system or applications.
We are also developing a strategy and tools for identifying Incidents of Compromise. We believe this could become a valuable service to our auditees.
Two Risk Factors for Management: Compliance and Security
Being in compliance does not mean data and systems are secure.
In general, HHS OIG IT Audits are performance audits. Compliance audits are a subset of performance audits.
We are advocates for the security of data and systems supporting HHS programs; therefore, to provide a better service to our stakeholders, our IT audit teams use a hierarchy of criteria to focus on IT security.
We use laws, regulations, guidance, and best practices to support our findings and recommendations. For example:
• FISMA (Federal agencies and contractors)
• HIPAA/HITECH (for covered entities and their business associates)
• ACA (meaningful use)
• Regulations (Code of Federal Regulations)
• Guidance (NIST SP 800 Series)
• Industry Best Practices (Manufacturer/vendor support for OS, patches, etc.)
Many of our findings involve vulnerabilities in the following control areas:
• Security Program Management,
• Access Controls,
• Configuration Management (patching and current, supported systems and applications), and
• Contract and service level agreement oversight, as well as interagency coordination.
Security management. The auditee had inadequate security management, i.e., no security plan for its claims processing system.
Access controls. The auditee had inadequate access controls:
• a lack of encryption for systems and claims data stored on backup tapes,
• an inadequate password history setting for securing its Windows network,
• no policy requiring two-factor authentication for remote network access,
• inadequate documentation of remote network access requests and authorizations,
• untimely disabling of user accounts for terminated employees, and
• inadequate physical access security controls.
Configuration management. The auditee had inadequate configuration management:
• outdated software on production servers no longer supported by the vendor,
• outdated antivirus definitions on production servers,
• inadequate security settings for network devices,
• no encryption on the claims processing database,
• critical software patches not applied to all workstations in a timely manner,
• an inadequately secured Web site for providers, and
• no use of centralized logging on Windows servers hosting the claims processing system.
The auditee did not adequately secure its data and information systems in accordance with Federal requirements. Although the auditee adopted a security program for the [processing system], we identified numerous significant system vulnerabilities. These vulnerabilities existed because the auditee did not implement sufficient controls over its data and information systems or provide sufficient oversight to ensure that [its contractor] implemented contract security requirements.
Although we did not find evidence that anyone had exploited these vulnerabilities, exploitation could have resulted in unauthorized access to and disclosure of [##] beneficiaries’ data that also supported paid claims totaling more than [$$] billion in FY 2015, as well as disruption of critical [program] operations. These vulnerabilities were collectively and, in some cases, individually significant and could have compromised the integrity of the auditee’s [HHS] program.
• We issue a draft audit report to the auditee.
• We allow 30 calendar days for auditees to comment on our draft report.
• We incorporate the auditee’s comments in a restricted final report to the auditee, attach them in their entirety as an appendix, and provide a copy of our report to CMS (or other appropriate HHS Division(s)).
• We also publish a public summary report.
• Due to security considerations, we omit from the public summary report certain details regarding specific system vulnerabilities.
Stay Connected:
oig.hhs.gov
twitter.com/OIGatHHS
youtube.com/OIGatHHS
Questions
Brian C. Johnson, CPA, CISA, IT Audit Manager
U.S. Department of Health and Human Services (HHS), Office of Inspector General (OIG)
[email protected]‐562‐7788