Clearwater Risk Analysis WorkShop™
Findings, Observations, and Recommendations (FOR)
Clearwater Customer Report
January 11, 2016

Privileged and Confidential
Prepared Under the Direction of Outside Counsel

Prepared By:
Principal Consultant #1
Principal Consultant #2
Clearwater Compliance LLC
800-704-3394

© 2015 Clearwater Compliance LLC | All Rights Reserved | CONFIDENTIAL – Do Not Circulate



Table of Contents

Executive Summary
Risk Analysis Methods
  Background
  Meeting OCR Risk Analysis Audit Protocols
  Our Process
  Limitations of the Analysis
Risk Analysis Results
  Good or Best Practices Observed
  Control Analysis
  Identified High Risks and Recommended Remediation Controls
  Other Recommendations
Appendices
  Appendix A – Information Asset Inventory
  Appendix B – Risk Rating Report / Risk Register (SAMPLE)
  Appendix C – Clearwater Controls


Executive Summary

Clearwater Compliance performed a HIPAA Security Risk Analysis of Clearwater Customer specifically identified information assets that create, receive, maintain or transmit electronic Protected Health Information (ePHI) through an onsite visit, interviews, review of provided documentation, and analysis of controls against asset/threat/vulnerability combinations. Actual technical testing of the Customer information security controls was considered out-of-scope for this specific engagement, as agreed, but should be performed separately to further test the efficacy of administrative, physical and technical controls. The Risk Analysis examines the information security risks at a specific point in time and all results are based on findings and observations during the onsite interviews and follow-up discovery phone calls.

The Clearwater IRM|Analysis™ Software-as-a-Service (SaaS) application was used to facilitate the methodology specifically outlined in HHS/OCR “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”[1] and the underlying NIST Special Publications on performing risk assessments and risk management. Notably, the Clearwater software and methodology are based on NIST SP 800-30 Guide for Conducting Risk Assessments[2], as illustrated in the figure below.

Furthermore, our methodology addresses all five (5) Key Audit Procedures specified for the risk analysis implementation specification in the OCR HIPAA Audit Protocol.[3]

[1] https://clearwatercompliance.com/wp-content/uploads/OCR_Risk-Analysis_Final_guidance.pdf
[2] http://clearwatercompliance.com/wp-content/uploads/SP800-30-Rev1_Guide_for_Conducting_Risk_Assessments_09-2012.pdf
[3] http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol-current/index.html


As part of this engagement, all information assets and associated media deemed to be in scope were loaded into the Clearwater IRM|Analysis™ Software-as-a-Service application and analyzed for relevant threats, vulnerabilities, current controls and then, a risk rating was determined based on the likelihood of specific threats to exploit specific vulnerabilities and the impact of harm were such an exploitation to take place. The SaaS application now houses Clearwater Customer’s risk posture and should be used as a management and reporting platform to prioritize and track implementation of relevant controls.

A complete prioritized inventory of risks to the confidentiality, integrity and availability of ePHI is populated in this SaaS application in the Risk Rating Report. Risks are categorized as “Critical”, “High”, “Medium” and “Low”.

This report highlights the risks determined to be higher than Clearwater Customer’s risk threshold (i.e. risk rating >= 15) which represent the most significant areas of risk to the ePHI that Customer creates, receives, maintains or transmits. These specific risks found to exceed this threshold can be grouped into the following four areas:

• The current practice of shipping workstations, servers, and/or their disks with unencrypted ePHI without wiping their contents first;

• The ability of Clearwater Customer staff to download Google Gmail attachments and Google Drive files that could contain ePHI to non-Clearwater Customer computers and devices where they could possibly be viewed by others;

• The presence of unencrypted smartphones, tablets, and USB keys that could be used to view or store Clearwater Customer ePHI, which could be easily lost or stolen;

• The possibility that these same user-owned devices could be improperly disposed of by their owners while still containing unencrypted Clearwater Customer ePHI; and

• Insufficient due diligence of certain third-party vendors which create, transmit, maintain, or receive ePHI in order to ensure they have the necessary IS security controls in place to properly safeguard this data.

Importantly, as committed in the project Statement of Work, the Clearwater IRM|Analysis™ software has been populated with asset information, associated media, threats/vulnerabilities, present controls, and risk ratings for all assets included in the analysis. What this means to Clearwater Customer is that a database repository for ongoing risk analysis and risk management has been created to meet explicit HIPAA Security Rule requirements and Office for Civil Rights (OCR) audit protocols pertaining to the HIPAA Security Risk Analysis requirement at 45 CFR § 164.308(a)(1)(ii)(A). Training in the use of this tool will be provided to appropriate Clearwater Customer staff.


Risk Analysis Methods

Background

Clearwater Compliance uses an industry-accepted formula for determining a risk value:

Risk = Likelihood * Impact

By applying this formula, Clearwater Compliance is able to categorize risks as Low, Medium, High and Critical as illustrated in the 5 X 5 matrix shown below. The categorization of each risk will help Clearwater Customer prioritize risk remediation efforts. Categorizing risks in this way enables prioritization and facilitates risk management decisions.

Overall Risk (rows: Impact; columns: Likelihood)

Impact \ Likelihood    Rare (1)   Unlikely (2)   Moderate (3)   Likely (4)   Almost Certain (5)
Disastrous (5)         Low        Medium         High           High         Critical
Major (4)              Low        Medium         Medium         High         High
Moderate (3)           Low        Low            Medium         Medium       High
Minor (2)              Low        Low            Low            Medium       Medium
Insignificant (1)      Low        Low            Low            Low          Low

The possible values in this matrix are distributed as follows:

Possible Values       Risk Level
0                     Not Applicable Risk
1, 2, 3, 4, 5, 6      Low Risk
8, 9, 10, 12          Medium Risk
15, 16, 20            High Risk
25                    Critical Risk

The Security Rule does not specify exactly how a risk analysis should be conducted; however, the Department of Health and Human Services (DHHS) and Office for Civil Rights (OCR) issued “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”[4], in July 2010. This guidance, in turn, references the National Institute of Standards and Technology (NIST) Security Framework and several specific documents such as NIST SP 800-30 Revision 1 Guide for Conducting Risk Assessments - FINAL. This NIST publication offers a comprehensive approach to completing a risk analysis. Threats in the environment are identified, and then vulnerabilities in the information assets are assessed. Threats are then matched to vulnerabilities to describe risk. The Clearwater Risk Analysis and Risk Management Methodology rigorously follow DHHS/OCR guidance and the NIST Risk Management Framework.

[4] https://clearwatercompliance.com/wp-content/uploads/OCR_Risk-Analysis_Final_guidance.pdf

The “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”[5] describes nine (9) essential elements a Risk Analysis must incorporate, regardless of the methodology employed. These elements are as follows:

1. Scope of the Analysis - All ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis. (45 C.F.R. § 164.306(a).)

2. Data Collection - The data on ePHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)

3. Identify and Document Potential Threats and Vulnerabilities - Organizations must identify and document reasonably anticipated threats to ePHI. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)

4. Assess Current Security Measures - Organizations should assess and document the security measures an entity uses to safeguard ePHI. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)

5. Determine the Likelihood of Threat Occurrence - The Security Rule requires organizations to take into account the likelihood of potential risks to ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)

6. Determine the Potential Impact of Threat Occurrence - The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)

7. Determine the Level of Risk - The level of risk could be determined, for example, by combining the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)

8. Finalize Documentation - The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).)

9. Periodic Review and Updates to the Risk Analysis - The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)

This report and comprehensive documentation captured in the Clearwater IRM|Analysis™ SaaS tool such as asset-by-asset information, associated media, threats/vulnerabilities, present controls, and risk ratings for all assets demonstrate full compliance with elements 1-8 from this list for the number of information assets reviewed during the limited time allocated. Compliance with element 9, Periodic Review and Updates to the Risk Analysis, can be demonstrated by regularly repeating this process in the future. Clearwater Compliance strongly recommends that a risk analysis be completed annually (at a minimum) or upon any significant changes in organization, people, processes, or technology.[6]

[5] https://clearwatercompliance.com/wp-content/uploads/OCR_Risk-Analysis_Final_guidance.pdf

Meeting OCR Risk Analysis Audit Protocols

In June 2012, OCR made publicly available the protocols for OCR audits of HIPAA Privacy, Security and HITECH Breach Rule compliance. There are approximately 77 such protocols for Security Rule compliance, 78 for Privacy Rule compliance and 10 for Breach Rule compliance. Each area being audited breaks down into Audit Performance Criteria, Key Audit Activities and Key Audit Procedures. For the HIPAA Security Risk Analysis requirement at 45 CFR § 164.308(a)(1)(ii)(A), there are 5 Key Audit Procedures specified as follows:

1. Inquire of management as to whether formal or informal policies or practices exist to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

2. Obtain and review relevant documentation and evaluate the content relative to the specified criteria for an assessment of potential risks and vulnerabilities of ePHI.

3. Evidence of covered entity risk assessment process or methodology considers the elements in the criteria and has been updated or maintained to reflect changes in the covered entity's environment.

4. Determine if the covered entity risk assessment has been conducted on a periodic basis.

5. Determine if the covered entity has identified all systems that contain, process, or transmit ePHI.

The Clearwater Security Risk Analysis process helps prepare organizations to meet each of these audit areas.

Our Process

Clearwater Compliance conducted interviews with multiple members of Clearwater Customer staff, based on the Information Asset Inventory agreed upon in the scope-of-work and listed in Appendix A. The intent of each interview session was to perform the following for each in-scope information asset:

1. Identify and Document Potential Threats and Vulnerabilities
2. Assess Current Security Controls
3. Determine the Likelihood of Threat Occurrence
4. Determine the Potential Impact of Threat Occurrence
5. Determine the Level of Risk
6. Record required documentation
7. Prepare required reporting

[6] Ideally, Customer would conduct a risk analysis before performing any significant changes.


Note that risks can exist when and only when a specific asset-threat-vulnerability combination exists in the environment. For example, a laptop with sensitive data such as ePHI may be stolen (the threat). If that data is not encrypted (a vulnerability that may be exploited), the combination of this threat and vulnerability likely represents a risk to the organization. The extent or significance of this risk is a function of certain predisposing conditions and controls that may or may not be in place.

The determination of a risk rating for a particular asset-threat-vulnerability combination is expressed as a function of likelihood and impact, where:

• The likelihood is essentially the estimated probability of an adverse impact to the organization considering the ability of a specific threat to exploit a specific vulnerability given predisposing conditions, and considering the controls in place for the specific media/asset.

• The impact is the estimated magnitude of harm that can be expected to the confidentiality, integrity or availability of sensitive information if the specific threat were to exploit the specific vulnerability given the predisposing conditions and controls currently in place for the specific media/asset.

Thus, using these values, the risk can be calculated as:

Risk = Impact * Likelihood

Note that both likelihood and impact include the control environment in place. For this engagement, the likelihood rating of a particular threat exploiting a potential vulnerability within the actual Clearwater Customer environment was estimated based on:

• Historical information
• Threat-source motivation and capability
• Nature of the vulnerability
• Existence and effectiveness of current controls

In addition to the historical information provided by Clearwater Customer workforce, the Clearwater Compliance team used their professional knowledge to estimate the other three factors. The likelihood that a potential vulnerability could be exploited by a given threat source was defined as follows:

Level                 Likelihood Definition
Rare (1)              May happen once every 20 years or longer
Unlikely (2)          May happen once every 10 to 20 years
Moderate (3)          May happen once every 5 to 10 years
Likely (4)            May happen once every 1 to 5 years
Almost Certain (5)    May happen at least once a year or more frequently

Similarly, to analyze the impact of a threat exploiting a particular vulnerability, the team used the following definitions:

Level                Impact Definition (Potential Scenarios)
Insignificant (1)    • Remediate within 1 hour
                     • No interruption of operations
Minor (2)            • Remediate within 8 hours
                     • No serious interruption of operations
                     • Multiple other controls would have to fail for the threat to exploit the vulnerability
Moderate (3)         • Remediate in more than 8 hours
                     • Disruption of operations
                     • Creates new minor vulnerabilities
Major (4)            • Multi-hour interruption of operations
                     • Data breach reportable to HHS annually (<500 records)
                     • An OCR investigation could potentially result in penalties
                     • Creates a new serious vulnerability
Disastrous (5)       • Multi-day interruption of operations
                     • Data breach reportable to HHS immediately (>500 records)
                     • An OCR investigation would likely result in penalties
                     • Creates many new serious vulnerabilities
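The Risk = Likelihood * Impact formula, the 5 X 5 matrix, the value-to-level buckets, the likelihood and impact scales, and the >= 15 reporting threshold described in the Background and Our Process sections are easy to implement and check mechanically. The script below is an added example written for this page; it is not Clearwater's software or any part of the IRM|Analysis™ application. It regenerates the matrix from the two scales and the bucket table, rates a small risk register, and produces the count-and-percentage summary and the above-threshold list in the form the Results section uses. The register rows are constructed for illustration and are not the customer's data.

```python
from collections import Counter
from dataclasses import dataclass

# Ordinal scales as defined in the report's likelihood and impact tables.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Moderate": 3, "Likely": 4, "Almost Certain": 5}
IMPACT = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Disastrous": 5}

# Risk level per possible product, from the "Possible Values / Risk Level" table.
# Products of two integers in 1..5 are exactly {1..6, 8, 9, 10, 12, 15, 16, 20, 25},
# so this mapping covers every cell of the 5 x 5 matrix and nothing else.
RISK_LEVELS = {
    **{v: "Low" for v in (1, 2, 3, 4, 5, 6)},
    **{v: "Medium" for v in (8, 9, 10, 12)},
    **{v: "High" for v in (15, 16, 20)},
    25: "Critical",
}
RISK_THRESHOLD = 15  # ratings >= 15 exceed the customer's threshold and are reported


def risk_value(likelihood: str, impact: str) -> int:
    """Risk = Likelihood * Impact, computed from the scale labels."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(value: int) -> str:
    """Bucket a product into Low / Medium / High / Critical (0 is Not Applicable)."""
    if value == 0:
        return "Not Applicable"
    try:
        return RISK_LEVELS[value]
    except KeyError:
        # 7, 11, 13, ... cannot arise from two 1..5 ratings; reject rather than guess.
        raise ValueError(f"{value} is not a product of two 1..5 ratings") from None


def build_matrix() -> dict[tuple[str, str], str]:
    """Regenerate the 5 x 5 'Overall Risk' matrix keyed by (impact, likelihood)."""
    return {(imp, lik): risk_level(risk_value(lik, imp)) for imp in IMPACT for lik in LIKELIHOOD}


@dataclass(frozen=True)
class Combination:
    """One asset-threat-vulnerability row of the risk register."""
    asset: str
    threat_vulnerability: str
    likelihood: str
    impact: str

    @property
    def rating(self) -> int:
        return risk_value(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_level(self.rating)


def summarize(register: list[Combination]) -> dict[str, tuple[int, int]]:
    """Count and rounded percentage per level, like the report's summary-of-risks table."""
    counts = Counter(c.level for c in register)
    total = len(register)
    return {
        level: (counts[level], round(100 * counts[level] / total) if total else 0)
        for level in ("Critical", "High", "Medium", "Low")
    }


def above_threshold(register: list[Combination]) -> list[Combination]:
    """Rows at or above the threshold, highest rating first, as the findings section lists them."""
    return sorted((c for c in register if c.rating >= RISK_THRESHOLD),
                  key=lambda c: c.rating, reverse=True)


# Constructed sample register (illustrative rows only; not the customer's actual data).
SAMPLE_REGISTER = [
    Combination("Workstation hard drives", "Improper disposal of storage media", "Likely", "Major"),
    Combination("Employee smartphones", "Loss or theft of equipment", "Almost Certain", "Major"),
    Combination("Gmail/Google Drive", "Endpoint information leakage", "Moderate", "Disastrous"),
    Combination("Backup tapes at Vendor X", "Lack of vendor due diligence", "Moderate", "Major"),
    Combination("USB flash drives", "Loss or theft of equipment", "Unlikely", "Moderate"),
    Combination("Corporate email archive", "Accidental deletion", "Rare", "Minor"),
]

if __name__ == "__main__":
    for level, (count, pct) in summarize(SAMPLE_REGISTER).items():
        print(f"{level:<9}{count:>4}{pct:>5}%")
    for c in above_threshold(SAMPLE_REGISTER):
        print(c.rating, c.level, c.asset, "-", c.threat_vulnerability)
```

Because `risk_level` refuses any value the matrix cannot produce, a rating copied into the register by hand (a "7" or a "14") is caught at rating time instead of silently landing in the wrong bucket; that is the check a reviewer would want before trusting the percentages in the summary table.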

Limitations of the Analysis

The risk analysis is solely based on interviews and subjective observation, not objective technical reports or system/application testing. It relies on information provided by knowledgeable Clearwater Customer staff and subject matter experts. Vulnerability information was taken from the National Vulnerability Database at the National Institute for Standards and Technology (NIST)[7]. It is the Clearwater Compliance assumption that there are other vulnerabilities and threats that we have not identified that could only be identified by deeper analysis, investigation and periodic repetition of the risk analysis process. Control recommendations were made based on the prior analysis, taking into account best practices, resource constraints, and what controls would be reasonable and appropriate for the Clearwater Customer environment.

Risk Analyses examine the information assets, threats, vulnerabilities and risks of an organization at a specific point in time. It is the responsibility of the organization to achieve, demonstrate, and maintain their information security vigilance at all times. Therefore, Clearwater Compliance, LLC makes no representation or warranty as to whether the Company's network and/or computer systems are secure from either an internal or an external attack or whether sensitive data is at risk of being compromised. Additionally, Clearwater Compliance, LLC makes no representations or warranties regarding the organization's business activities or operations.

[7] https://nvd.nist.gov

Risk Analysis Results

System Characterization

Clearwater Customer has three lines of business that routinely handle ePHI. The main applications in use by Clearwater Customer are the ABC workflow application and the XYZ ‘sensitive information’ management system, which have one installation at each of 100 locations. Additional systems in use include an e-prescribing system, mail order and e-commerce support systems, the TopShelf Incident and Risk Management application, and the Q specialty sensitive information system, hosted at the vendor. Sensitive information operations also make use of Vendor X adherence and analytics services.

The Y systems in use include the main, internally developed application running on the IBM iSeries system and the thin clients installed on workstations at each location. The manufacturing plant systems consist of a number of computer numerical control (CNC) machines on the assembly line, and their management systems on a dedicated segmented network at the plant.

The QRS Centers use a web-based Software-as-a-Service application hosted by the vendor, Vendor.net. This application is only accessible from approved whitelisted IP addresses within Clearwater Customer corporate offices and locations. There is a supporting Noah 4 application installed on workstations at each HAC, used to run tests and transmit results.

Clearwater Customer’s corporate email system is Gmail, which is accessible from anywhere. Zixmail is used to encrypt email automatically when it is sent by others. It can also be done manually by placing a keyword in the subject line. Email is also archived for one year. This archiving functionality is being moved to Google Vault, where email will be archived for seven years.

As indicated above, the Information Assets agreed upon in the scope-of-work are listed in Appendix A.


Good or Best Practices Observed

Clearwater Customer has implemented a number of information security safeguards that are considered industry best practices. These practices include, but are not limited to:

• Strong physical security controls at all locations
• Cross-trained personnel with strong corporate knowledge and long tenure at Clearwater Customer
• Well-defined access control processes
• Extensive IS security awareness training and reminders
• Regular penetration and vulnerability scanning of networks and Internet-facing systems
• Frequent audits of many of Clearwater Customer’s administrative, technical, and physical IS controls

Control Analysis

Details of the preventative, detective, and compensating controls in place to minimize the likelihood or impact of a specific threat exploiting a particular vulnerability are documented in the Clearwater Compliance IRM|Analysis™ SaaS application. The robust control set used to complete the control analysis is derived from NIST SP 800-53 Revision 4 Final, Recommended controls for Federal Information Systems and Organizations. A listing of the Clearwater Controls, derived from the NIST control set, is shown in Appendix B. These controls can be seen in the application’s Risk Rating Report or as part of notes at the threat-vulnerability level.

Identified High Risks and Recommended Remediation Controls

Asset-threat-vulnerability combinations that were judged to be so unlikely as to not merit risk management were not included in the analysis. In the Clearwater Compliance IRM|Analysis™ Software-as-a-Service application, 846 media-threat-vulnerability combinations were analyzed and the existing control environment documented. From our analysis and the Clearwater IRM|Analysis™ application, a summary of Clearwater Customer risks is as follows:

Risk Level    Number of Risks    Percentage of Total Risks
Critical      0                  0%
High          21                 2%
Medium        137                16%
Low           688                82%

Below, you will find the risks that were identified as exceeding Clearwater Customer risk threshold (i.e. risk rating >= 15). These risks have been combined into five broad categories, where the cause for the risk and recommended remediation controls were the same. The exhaustive list of all risks is articulated in the Clearwater Compliance IRM|Analysis™ Software-as-a-Service application. Other Medium and Low risks should also be watched closely, as it is not uncommon for lower risks to become higher risks as the environment changes over time.

Threat-Vulnerability Specific: Various Clearwater Customer Servers, Workstations, and IT Devices – Improper Destruction, Disposal or Reuse of Storage Media - Destruction/Disposal Vulnerabilities
No. of Ratings of this Magnitude for this Threat-Vulnerability: 7
Risk Rating: High

Explanation of Finding:

• Unencrypted servers, workstations, and other IT equipment (e.g. tablets, network equipment, etc.) are either shipped to Recycling for destruction, disposal, or reuse. The hard drives and other non-volatile memory in these systems are not necessarily wiped before shipment, even though some of them may contain ePHI data.

• Shipments to Recycling are not necessarily shipped with any sort of tracking information required. This would make it difficult, if not impossible, to locate any of this equipment if it were to go missing before reaching its intended destination.

• Some hard drives are stored at Building 2 and at ABC Parts for a time before they are reused or sent to Recycling for destruction. However, a current inventory of the hard drives being maintained at each location doesn’t exist, so if any of these were to be removed or stolen, it is unlikely anyone would notice for a while, if ever.

Remediation Recommendations:

• Require all unencrypted hard disk drives with ePHI data being disposed of or recycled for reuse be securely wiped before being sent to Recycling or ABC Parts, if possible.

• Alternatively, consider contracting with a disk destruction/shredding company to go directly to any Clearwater Customer location that has a hard drive it needs destroyed in order to perform the destruction onsite.

Threat-Vulnerability Specific: Gmail/Google Docs – Information Leakage – Endpoint Leakage Vulnerabilities
No. of Ratings of this Magnitude for this Threat-Vulnerability: 1
Risk Rating: High

Explanation of Finding:

• Employees can download Google Gmail attachments and Google Drive files, either of which may contain ePHI data, onto personally-owned computers and mobile devices (e.g. smartphones, Chromebooks, tablets, etc.), as well as onto other non-company computers with Internet access.

• Though Cloudlock is being used to scan the movement of data on the company’s Google Drive account, it is not currently being used to scan or stop the unauthorized movement of ePHI data onto any of the computers or devices mentioned above.

• Once downloaded, these files could be viewed by others who are not Clearwater Customer employees and/or not trained in the HIPAA privacy rules, which would constitute an impermissible disclosure of ePHI.

• Computers and devices containing these files could be disposed of or donated to charities without the ePHI being properly deleted, which could result in a data breach reportable to the Office for Civil Rights at the U.S. Department of Health and Human Services under the provisions of Title 45, Subtitle A, Subchapter C, Part 164, Subpart D – Notification in the Case of Breach of Unsecured Protected Health Information.

Remediation Recommendations:

• Consider implementing a policy that prohibits Clearwater Customer employees from downloading ePHI to non-Clearwater Customer computers or mobile devices.

• Enable Cloudlock to stop the transfer of files with ePHI data to non-Clearwater Customer computers or mobile devices.

Threat-Vulnerability Specific: Employee Owned and Company Issued Mobile Devices (Smartphones & Tablets) – Loss or Theft of Equipment - Vulnerabilities in Media Handling; Burglary/Theft – Physical Security Vulnerabilities; Access to Sensitive Data – Vulnerabilities Related to Encryption; Access to Sensitive Data – Vulnerabilities in User Authentication; Improper Destruction, Disposal or Reuse of Storage Media - Destruction/Disposal Vulnerabilities
No. of Ratings of this Magnitude for this Threat-Vulnerability: 10
Risk Rating: High

Explanation of Finding:

• Employees can download Google Gmail attachments and Google Drive files, either of which may contain ePHI data, onto personally and company-owned mobile devices (e.g. smartphones, Chromebooks, tablets, etc.).

• Employees are not required to register their devices with a company-managed Mobile Device Management Program, nor are they required to enable PIN, password, or gesture-based authentication, enable device encryption, or install remote wipe or geo-location programs on these devices before accessing Clearwater Customer programs and file stores with ePHI.

• The loss or theft of any of these mobile devices that may have ePHI data stored on them could result in a data breach reportable to the Office for Civil Rights at the U.S. Department of Health and Human Services under the provisions of Title 45, Subtitle A, Subchapter C, Part 164, Subpart D – Notification in the Case of Breach of Unsecured Protected Health Information. If over 500 records are involved, Clearwater Customer would also have to notify the affected Clearwater Customer and the media of the breach. If this were necessary, this could have a profoundly negative impact on Clearwater Customer’s reputation and finances.

• Employees likely dispose of their mobile devices without removing any files or programs from the device before doing so. If they have ePHI data on the device when they do dispose of it, and if they do not remove this data or have enabled encryption, there is a strong possibility that this, too, could result in a reportable data breach.

Remediation Recommendations:

• Consider implementing a policy that prohibits all Clearwater Customer employees from accessing ePHI data on or downloading ePHI data to any personally- or company-owned mobile device that does not have:
  o PIN, password, or gesture-based authentication;
  o Device-based encryption enabled; and
  o Remote-wipe or geo-location capability implemented.

• Alternatively, consider re-implementing the company’s Mobile Device Management system and require all personally- or company-owned mobile devices to be registered with and managed by this program before accessing company programs, email, or data stores.

Threat-VulnerabilitySpecificNo.ofRatingsofthisMagnitudeforthisThreat-Vulnerability

RiskRating

EmployeeOwnedandCompanyIssuedPortableStorageDevices(e.g.USBKeys/FlashDrives,externalUSBharddrives,SDcards,etc.)LossorTheftofEquipment-VulnerabilitiesinMediaHandling;TheftofEquipment–PhysicalSecurityVulnerabilities

2 High

Page 15: Clearwater Risk Analysis WorkShop™ Findings, Observations ...€¦ · Findings, Observations, and Recommendations (FOR) Clearwater Customer Report January 11, 2016 ... , as illustrated

15|© 2015 Clearwater Compliance LLC | All Rights Reserved | CONFIDENTIAL – Do Not Circulate

ExplanationofFinding:• EmployeesmaydownloadePHIandothersensitivedatatoeithercompany-issuedoremployee-

ownedportablestoragedevices(e.g.USBkey,externalUSBharddrive,SDcard,etc.)whichdonothavetobeencrypted.

• MostcorporateworkstationUSBportsarenotblockedfromwritingdata.Whenwritingdatatoportablestoragedevices,thedatabeingwrittenisnotnecessarilyencrypted,norarethedevicesthemselvesencrypted.

• AlthoughClearwaterCustomerdoeshaveaDataLossProtection(DLP)systemtomonitorthemovementofdata,itisnotcurrentlyconfiguredtotrackthemovementofanyePHIdata.

• ThelossortheftofanyofportablestoragedeviceswhichmayhaveePHIdatastoredonthemcouldresultinadatabreachreportabletotheOfficeforCivilRightsattheU.S.DepartmentofHealthandHumanServicesundertheprovisionsofTitle45,SubtitleA,SubchapterC,Part164,SubpartD–NotificationintheCaseofBreachofUnsecuredProtectedHealthInformation.Ifover500recordsareinvolved,ClearwaterCustomerwouldalsohavetonotifytheaffectedbusinessassociatesandthemediaofthebreach.Ifthiswerenecessary,thiscouldhaveaprofoundlynegativeimpactonClearwaterCustomer’sreputationandfinances.

Remediation Recommendations:

• Consider implementing a policy that prohibits all Clearwater Customer employees from transferring ePHI data to any company-issued or employee-owned portable storage device (e.g. USB key, external USB hard drive, SD card, etc.). Because virtually all employees with access to ePHI who should need to transfer it elsewhere have other secure file transfer methods available to them (e.g. encrypted email, Secure FTP, etc.), there should be no reason to use portable storage devices as a transfer method, especially considering the risk they represent to the organization.

• Further consider locking down data write capabilities on all workstation USB ports and CD/DVD drives using Active Directory Group Policies. Grant exceptions to this policy only upon appropriate management approval.

• In the event it is determined there is a legitimate business need to transfer ePHI data using portable storage devices, require that such data be encrypted when written, or alternatively, only be written to devices with built-in encryption capabilities (e.g. IronKey, Imation Defender, etc.).
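The Group Policy lockdown and the management-approved exception process recommended above can be implemented and then audited from PowerShell. The following is an added example and is not part of the Clearwater report or the customer's environment: the GPO names, the target OU distinguished name and the exception group name are assumptions. It uses the Removable Storage Access policy settings under Computer Configuration, whose registry-backed Deny_Write values live under the device class GUIDs shown, and adds a check that can be run on a workstation to confirm the policy actually landed.

```powershell
# Added example, not from the Clearwater report. Run on a domain-joined admin host with the
# GroupPolicy module (RSAT). GPO names, the target OU and the exception group are assumptions.
Import-Module GroupPolicy

# Device setup class GUIDs behind Computer Configuration > Administrative Templates > System >
# Removable Storage Access. The policy stores Deny_Write under these keys; 1 = deny write access.
$PolicyRoot    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$DeviceClasses = @(
    @{ Name = 'Removable Disks'; Guid = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' }  # USB keys, external USB drives, SD cards
    @{ Name = 'CD and DVD';      Guid = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}' }  # CD/DVD burners
)

function Set-RemovableWritePolicy {
    # Writes Deny_Write for both device classes into a GPO, creating the GPO if it does not exist.
    param(
        [Parameter(Mandatory)] [string]$GpoName,
        [Parameter(Mandatory)] [int]$DenyWrite,   # 1 = deny writes, 0 = allow writes
        [string]$Comment = ''
    )
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $GpoName -Comment $Comment | Out-Null
    }
    foreach ($dc in $DeviceClasses) {
        Set-GPRegistryValue -Name $GpoName -Key "$PolicyRoot\$($dc.Guid)" `
            -ValueName 'Deny_Write' -Type DWord -Value $DenyWrite | Out-Null
    }
}

function Publish-RemovableWriteLockdown {
    # 1. Baseline GPO: deny write access to removable disks and CD/DVD on every computer in the OU.
    # 2. Exception GPO: Deny_Write = 0, security-filtered to an approval group of computer accounts
    #    and linked at Order 1 so it takes precedence over the baseline for approved machines only.
    param(
        [string]$TargetOu       = 'OU=Workstations,DC=example,DC=local',    # assumed OU
        [string]$BaselineGpo    = 'Deny Removable Media Write',             # assumed name
        [string]$ExceptionGpo   = 'Allow Removable Media Write (Approved)', # assumed name
        [string]$ExceptionGroup = 'USB-Write-Exceptions'                    # assumed group of approved computer accounts
    )
    Set-RemovableWritePolicy -GpoName $BaselineGpo  -DenyWrite 1 -Comment 'Blocks writes to USB/SD/CD/DVD media'
    Set-RemovableWritePolicy -GpoName $ExceptionGpo -DenyWrite 0 -Comment 'Management-approved exceptions only'

    # Only members of the approval group apply the exception GPO. Authenticated Users keep Read
    # (computers must still be able to read a GPO during processing) but lose Apply.
    Set-GPPermission -Name $ExceptionGpo -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $ExceptionGpo -TargetName $ExceptionGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # Link both GPOs. A lower link order is processed last and therefore wins for the same
    # registry value, so the exception GPO at Order 1 overrides the baseline on approved computers.
    $linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | ForEach-Object { $_.DisplayName }
    if ($linked -notcontains $BaselineGpo) {
        New-GPLink -Name $BaselineGpo -Target $TargetOu -LinkEnabled Yes | Out-Null
    }
    if ($linked -notcontains $ExceptionGpo) {
        New-GPLink -Name $ExceptionGpo -Target $TargetOu -LinkEnabled Yes -Order 1 | Out-Null
    }
}

function Test-RemovableWriteLockdown {
    # Run on a workstation (after gpupdate /force) to confirm the effective policy landed.
    # Returns one object per device class; DenyWrite should be $true on every non-exempt machine.
    foreach ($dc in $DeviceClasses) {
        $path  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$($dc.Guid)"
        $value = (Get-ItemProperty -Path $path -Name 'Deny_Write' -ErrorAction SilentlyContinue).Deny_Write
        [pscustomobject]@{ DeviceClass = $dc.Name; DenyWrite = ($value -eq 1) }
    }
}

# Usage (assumed OU):
# Publish-RemovableWriteLockdown -TargetOu 'OU=Workstations,DC=example,DC=local'
# Test-RemovableWriteLockdown | Format-Table
```

Membership of the exception group is the control point for the "management approval" step: an approved computer account is added to the group, and removing it returns the machine to the baseline at the next policy refresh. Running Test-RemovableWriteLockdown across the workstation estate gives the evidence that the deny setting is in force on every machine that is not on the exception list.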

Threat-Vulnerability: Third-party Contractors/Consultants – Lack of Due Diligence - Vulnerabilities in Service Providers/Vendors
No. of Ratings of this Magnitude for this Threat-Vulnerability: 1
Risk Rating: High


Explanation of Finding:

• Clearwater Customer does not presently require independent audits or other proof that all third-party contractors that create, receive, maintain, or transmit Clearwater Customer ePHI are complying with the HIPAA Security Rule or that they have the necessary IS security controls in place to properly protect sensitive data.

• Clearwater Customer does not presently have a Business Associate Agreement (BAA) in place with Vendor X, a third-party vendor that couriers and stores Clearwater Customer system backup tapes containing ePHI, as is required by 45 CFR §164.308(a)(8)(b)(2). A BAA requires Vendor X to formally acknowledge their responsibility to abide by all applicable provisions of the HIPAA Security Rule, and to promptly notify Clearwater Customer should they experience a data breach of Clearwater Customer's ePHI data.

Remediation Recommendations:

• To ensure third parties that create, receive, maintain, or transmit Clearwater Customer ePHI have the appropriate protective measures in place to protect this sensitive data, Clearwater Customer should require these third parties to provide proof of this fact. The following items, in order of preference, would provide this additional proof:

  o A SOC 2 or SOC 3 report, conducted by an independent CPA firm, formally attesting to the state of the third party's information system security controls.

  o A Risk Analysis, conducted by an independent third party, showing an evaluation of the risks to the Business Associate's organization's systems that access, create, maintain, transmit or receive ePHI.

  o A security controls audit performed by Clearwater Customer staff of the third party's information system security measures.

  o A completed security controls questionnaire furnished by Clearwater Customer to the third party regarding the security measures they have in place to protect the organization's ePHI data.

• Once the results of one of the preceding reviews are provided to Clearwater Customer, it should require that the vendor show proof within a predetermined period that it has remediated any risks Clearwater Customer and the vendor agree are above an acceptable risk level. Any failure by the vendor to complete its remedial actions within the agreed-upon time frame should be considered grounds for Clearwater Customer to terminate its contract with the vendor.

• Require Vendor X to sign a Clearwater Customer Business Associate Agreement that meets the requirements of 45 CFR §164.314(a)(2)(i)(A)-(C) of the HIPAA Security Rule.


Other Recommendations

The following recommendations are designed to address other security concerns which, while not as pressing as those listed above, are worthy of consideration, as they will, if followed, likely reduce certain lower level risks or prevent them from becoming higher risks later.

• Clearwater Customer does not maintain a current inventory of its computer hardware and software. As a result, if some equipment or software in storage goes missing, Clearwater Customer has no reliable way of knowing. This could be especially problematic if the missing equipment was previously used to store ePHI data. It would be highly advisable, therefore, for Clearwater Customer to update its computer hardware and software inventory, and to periodically re-inventory these items.

• Clearwater Customer should consider enabling encryption for any database that contains ePHI data, where possible. This will greatly reduce the ability of a system cracker or malicious user to gain access to this data, even if they are able to compromise the server that hosts the database in some other way (e.g. gain root access).

• Clearwater Customer's Disaster Recovery and Business Continuity (DR/BC) Planning is inconsistent at its Building 2, and testing of these plans is sporadic and, in some cases, non-existent. If one does not already exist, a "model" DR/BC plan should be developed for all Buildings, modified by each of them, and periodically tested at select locations.


Appendices

Appendix A – Information Asset Inventory

Asset Name | Asset Description | Media and Devices that store this Data | Notes
Directory Servers | Authenticates users before allowing access to the Clearwater Customer network or applications | Server |
Corporate (Mail Order) Workstations | PCs and laptops used to access corporate applications | Desktop or Laptop, Tablet |
Vendor X | Third-party backup media courier and offsite storage vendor | Contractors/Consultants | ADDED
Cloud-Based Productivity Applications | Enterprise email and document storage | Software-as-a-Service |
FAX (Has HDD) Fax Vendor 555 | Fax Machine | Scanners, Printers, or Copiers | REMOVED – Out of scope – Does not store ePHI
Imaging Management Group | Second tier help desk support vendor | Contractors/Consultants | ADDED
Recumbent.com | Web-based practice management application | Software-as-a-Service |
Workstations | Workstations used to access Recumbent.com practice management application | Desktop |
Content Management System | Content management system which contains benefit plan information. | Server, Disk Array, Backup Media |
Storage Manager | Backs up servers and workstations | Server |
Email Archive Files | Local storage of email messages | Desktop or Laptop |
Mobile Devices | BYO devices that can access Clearwater Customer Systems | Smartphone, Tablet, USB key or flash drive | ADDED
Multi-Function Printer/Scanner/Copier | Devices used for printing, scanning, email of scanned documents, and storage to network share | Scanners, Printers, or Copiers |
Network File Shares | Windows servers connected to the SAN | Storage Area Network, Server | Renamed from File Server
DVI Server | Program used at Lab to fill orders | Third-party service provider, Server, Backup Media, USB key/flash drive |
Fax (Has HDD) Fax Vendor 555 | Fax Machine | Scanners, Printers, or Copiers | REMOVED – Out of scope – Does not store ePHI
Primary Application – ABC application | System used to process orders at Building 2 | Server |
ABC Application Workstations | Workstations used to connect to ABC application | Desktop |
DVI Workstations | Workstations used to connect to DVI server at Lab | Desktop |
Vendor X | Third-party sensitive information adherence and analytics services provider. | Contractors/Consultants | ADDED
Department 1 application | Application that stores Department 1 sensitive information | Server |
Department 1 - Albatross | Clearwater Customer sensitive information management system | Server |
Department 1 - Albatross Command and Control | Facilitates Clearwater Customer sensitive information management. | Server |
Department 1 – Sensitive Info Generator | Creates emails to send Clearwater Customer's Customers sensitive info | Server | Renamed from Email Creator
Department 1 – Sensitive Info System | System used to send and receive sensitive information | Server |
Fax (No HDD) Fax Vendor 555 | Facsimile Machine | Scanners, Printers, or Copiers | REMOVED – Out of scope – Does not store ePHI
Interactive Voice Response System | Voicemail appliance used to receive incoming messages | Server |
Specialty Albatross Server | Albatross servers | Server | ADDED
Online Orders System | Program used to pull online orders | Desktop | Changed from Server to Desktop, as this is what the program runs on.
Incident Tracking System | Intranet application used to manage HIPAA incident tracking | Server |
Specialty Application | System used to process specialized drug (e.g. cancer chemotherapy) orders | Third-party service provider |
Backup Client | Backup client used to facilitate backups of critical database and Albatross Servers. | Server | ADDED – Replaces Virtual Servers
Albatross Database | Oracle Database used to support Albatross applications | Server | ADDED – Replaces Virtual Servers
Albatross Server | Clearwater Customer sensitive information management system | Server | ADDED – Replaces Virtual Servers
Captain Database | SQL Server Database used to support Captain application | Server | ADDED – Replaces Virtual Servers
Captain Server | Workflow system controlling the process used to process sensitive information | Server |
Virtual Servers | Virtualized Albatross and Captain Servers located at all locations | Server | REMOVED – Broken out into other categories captured as other assets in the Information Asset Inventory
Workstations | Windows desktops used to access applications | Desktop |
Web Site Database Server | Database server for public-facing web server accepting online sensitive information | Server |
Web Site Server | Public-facing web server used to process online sensitive information | Server |
Automated Fax Vendor | Receives external transmissions into the Benefits Department | Server |
Collocation Data Center Corp. | Data Center Vendor | Contractors/Consultants | ADDED
123 BackUp Software | Appliance used to back up servers and workstations | Server, Disk Array, Backup Media | Renamed from ABC System. 123 BackUp Software is the vendor.
SFTP Server | Provides secure (encrypted) file transfer between internal Clearwater Customer systems and external systems | Server |
Document Management System (DMS) | E-capture and document management system | Server |
DMS Database | Document management system database | Server, Backup Media | REMOVED – Combined with DMS Application
Collocation Data Center | Backup Data Center Vendor | Contractors/Consultants | ADDED


Appendix B – Risk Rating Report / Risk Register (SAMPLE)


Appendix C – Clearwater Controls

Administrative
• Acceptable Use Policy
• Employee supervision
• Identified security roles
• Information disclosure procedures
• Internal IT audit program
• Security/privacy awareness and training
• Security during systems acquisition
• Segregation of duties
• Training for the security workforce
• Process documentation
• Redundant service providers

Continuity
• Business continuity plans
• Capacity planning
• Data backup

Mobile Devices (Including USB Devices)
• Automated management of device
• Controlled access to areas with mobile devices
• Device handling policy and procedures
• Device testing and validation policy and procedures
• Encryption of device
• Physical security policy and procedures
• Secure storage of devices when not in use
• Tracking of device

Operating Systems and Applications
• Accounts lock after too many failed logins
• Application penetration testing
• Auto logoff or auto screen locking
• Controls around user-installed software
• Fake data to attract misuse (honeypot records)
• Information access control policy and procedures
• Identification and authentication policy and procedures
• Logging of information access
• OS/Application patching policy and procedures
• Password strength requirements
• Password/token management policy and procedures
• Prevention of simultaneous user logins
• Principle of least privilege
• Role-based access control
• Standardized system configurations
• Testing of password strengths
• Two factor authentication
• User account management
• User activity review
• User authenticated locally
• User permissions reviews

Physical
• Fire-suppression systems
• Limited access to network cabling and devices
• On-site generator
• Physical access authorization
• Physical access control
• Physical access monitoring
• Physically hardened or ruggedized systems
• Physically secured demarcation points
• Physically securing devices or systems when not in use
• Protective enclosures for non-mobile equipment
• Redundant HVAC equipment
• Surge protectors
• Uninterruptable power supply (UPS)
• Visitor access control

Software Development
• Application code review
• Application or data partitioning
• Application penetration testing [custom apps]
• Data input validation
• Secure software development processes
• Secure software development training and awareness
• Security standards for software development

Systems and Media
• Anti-virus policy and procedures
• Anti-virus software
• Automated handling of backup media
• Backup media handling policy and procedures
• Backup media re-use/disposal policy and procedures
• Documented security roles in the system development lifecycle
• Encryption of backup media
• Encryption of disks (full disk, file based, USB key, etc.)
• Lights-out/hands-off management
• Limited access to output devices (printers, etc.)
• Locked down external ports (USB, CD, DVD, Firewire, etc.)
• Media re-use and disposal policy and procedures
• Media testing and validation policy and procedures
• Prevention of user storing data locally (terminals, VDI, etc.)
• Restrictions on media use
• Secure storage of backup media when not in use
• Tracking of backup media
• Use of a disk shredding service with confirmation of destruction

Technical
• Application, system or network vulnerability scanning
• Authentication of network sessions (as distinct from users)
• Central monitoring of anti-virus and personal firewall logs
• Change control processes
• Distributed processing or storage
• Data Loss Prevention tools
• Limited user access ability (by time of day, by location, etc.)
• Medical snooping detective software
• On-call technical resources
• Redundant or spare equipment
• Tamper-proof mechanisms
• Two-man rule

Network
• Encryption of network traffic
• Network disconnect of idle or malicious connections
• Network firewalls
• Network segmentation
• Network traffic throttling
• Personal firewall enabled
• Redundant Internet connections
• Redundant telecommunications providers
• Remote access controls
• Remote administrative access
• Wireless access restrictions
• Wireless encryption
• Wireless link protection
• Wireless security policy and procedures

3rd Party
• Audits of service providers
• Locally-stored backups of third-party hosted data
• Service-level agreements
• Use of third-party data storage services