Health & Life Sciences Breach Security Assessment
Report
For Star Healthcare
Fictitious organization and assessment data. For demo purposes only.
Contents
Executive Summary .......... 3
Breach Security Maturity .......... 5
Breach Type Priorities .......... 6
- Cybercrime Hacking .......... 6
- Loss or Theft of Mobile Device or Media .......... 8
- Insider Accidents or Workarounds .......... 10
- Business Associates .......... 12
- Malicious Insiders or Fraud .......... 14
- Insider Snooping .......... 16
- Improper Disposal .......... 18
- Ransomware .......... 20
Breach Security Maturity Model .......... 23
Breach Security Gaps and Opportunities for Improvement .......... 24
Breach Security Action Plan .......... 26
Breach Security Capabilities .......... 27
Confidential. Page 2 of 55
Reported On: Wednesday, 4 Jan 2017 15:45 PST
Assessed On: Monday, 1 Feb 2016 11:18 PST
Organization: Star Healthcare, Provider, United States
Account Manager: Kathy Trustworthy, Senior Account Manager, VMWare, 123 456 [email protected]
Assessor: Joe Whitehat, CISSP, Senior Security [email protected]
Assessments: 52 (Global Scope)
Executive Summary
Breaches are the top privacy and security concern in Health & Life Sciences organizations, according to global Intel research conducted in 2015. This report highlights the results of an assessment of your organization's breach security capabilities. It also compares your breach security maturity, priorities across breach types, and your breach security capabilities with the rest of the Health & Life Sciences organizations that have also been assessed up to the time of this report. This is a pilot program running throughout 2016 and 2017, led by Intel in collaboration with a broad range of partners working in the Health & Life Sciences Industry. We welcome your feedback both on the pilot program in general, and on this report.
This Health & Life Sciences breach security assessment is a high-level survey of potential breach security issues. It is intended to inform participants where they stand on selected security practices in relation to other similar participants in this study, and is not intended to replace participants' other compliance or security due diligence activities. It is also different from, and complementary to, the risk assessments that are required by several regulations and security standards. It provides an opportunity to look at gaps and next steps that can be taken to improve breach security posture. Improvements to breach security based on this assessment may also help with compliance with privacy and security regulations, data protection laws, and standards. Please consult publicly available information on your applicable regulations, laws and standards for further information.
42 breach security capabilities were assessed in this engagement. Star Healthcare has 75% of the capabilities in the Baseline maturity level (3% ahead of average), 46% in Enhanced (4% behind average), and 29% in Advanced (1% behind average). The breach security maturity level of Star Healthcare peaks in the Baseline level. See Breach Security Maturity for further details on the assessment of the breach security maturity level of Star Healthcare, and how this compares with the broader Health & Life Sciences Industry.
Star Healthcare is leading the industry (upper percentile range) in terms of readiness for the following breach types: Loss or Theft of Mobile Device or Media, Business Associates, and Improper Disposal. Star Healthcare is lagging the industry (lower percentile range) in terms of readiness for the following breach type: Cybercrime Hacking. See Breach Type Priorities for further details on Star Healthcare's readiness for various breach types, and how this compares in terms of percentile to the rest of the Health & Life Sciences Industry. At Star Healthcare, Cybercrime Hacking, Malicious Insiders or Fraud, and Ransomware are considered High priority. Loss or Theft of Mobile Device or Media, Insider Accidents or Workarounds, Business Associates, and Insider Snooping are considered Medium priority. Improper Disposal is considered Low priority. 3 of these priorities are significantly different from the average priorities assigned by other Health & Life Sciences organizations to these breach types. See Breach Type Priorities for further details on the priorities assigned by Star Healthcare to various breach types, and how these priorities compare to the Health & Life Sciences Industry.
In the Baseline maturity level, Star Healthcare was behind the average in 4 capabilities: Anti-Malware, Email Gateway, Web Gateway and Backup and Restore. In the Enhanced maturity level, Star Healthcare was behind the average in 6 capabilities: Device Control, Penetration Testing, Vulnerability Scanning, Network Data Loss Prevention (Discovery Mode), Multi-Factor Authentication with Timeout, Secure Remote Administration and Business Associate Agreements. In the Advanced maturity level, Star Healthcare was behind the average in 1 capability: Security Information and Event Management. See Breach Security Maturity Model for how Star Healthcare was assessed across 42 breach security capabilities in the maturity model, and how this compares with the Health & Life Sciences Industry.
30 gaps in breach security capabilities were identified during this assessment. These capabilities represent new opportunities for Star Healthcare to improve its breach security posture and further mitigate the risk of breaches. These capabilities may also improve usability, reduce cost, and improve the efficiency of IT operations. For details on specific gaps and opportunities for improvement see Breach Security Gaps and Opportunities for Improvement. It is recommended that Star Healthcare review these opportunities, and the specific products, technologies and services that can help, together with the account manager and assessor listed at the beginning of this report.
A 12-step multi-year Breach Security Action Plan is recommended for Star Healthcare to improve its breach security posture and further reduce the residual risk of breaches.
This report includes traceability to the following security and privacy standards, regulations and data protection laws:
- HIPAA
- ISO/IEC 27000-Series
- NIST
- PCI DSS
- CIS Controls
- GDPR
In addressing any breach security capability gaps identified in this report, such traceability helps you understand how addressing these gaps may also help with compliance with applicable standards, regulations and data protection laws. Please see each of the 42 capabilities in the Breach Security Capabilities section for details.
Thank you for participating in the Intel Health & Life Sciences Breach Security Assessment Program Pilot. We welcome any updates you may have on your breach security to ensure the accuracy of your assessment and this report. Please coordinate any such updates with your assessor. We also welcome your feedback on the overall process, as well as this report. For further information about this program please see the Intel Breach Security Assessment Program website.
1. Breach Security Maturity
The percentage of breach security capabilities you have implemented at the various maturity levels. As your breach security posture improves, your assessment at all of these maturity levels will approach 100%. Important aspects to note in this result are the level at which your maturity peaks, as well as how your Baseline, Enhanced, and Advanced maturity levels compare with the rest of the Health & Life Sciences Industry.
Maturity level   Star Healthcare   Average
Baseline         75%               72%
Enhanced         46%               50%
Advanced         29%               30%
2. Breach Type Priorities
This assessment analyzed your level of concern or priority across eight different types of breaches. These results enable you, for each breach type, to compare your level of concern or priority with the rest of the Health & Life Sciences Industry. For each of the following types of breaches the Priority Assessed reflects the priority or level of concern you assigned to the given type of breach. The Priority Assessed value for each type of breach is compared to the Health & Life Sciences Industry average for that breach type. If the Priority Assessed is significantly different from the industry average, an alert will be shown in Priority Alerts. Readiness Assessed shows for each type of breach the percentage of relevant security capabilities currently implemented at Star Healthcare. Readiness Percentile shows for each type of breach the percentile Star Healthcare falls within across all organizations assessed, based on the Readiness Assessed score. The most important result in the following table is the Readiness Percentile score for each of the breach types. In particular, it is recommended to pay careful attention to any Readiness Percentile results that are red, indicating the lower percentile range (less than 33%). For more detail on your readiness for a given breach type, see the corresponding subsection below.
Star Healthcare Breach Type Priorities
#   | Breach Type                               | Priority Assessed | Priority Alerts | Readiness Assessed | Readiness Percentile
2.1 | Cybercrime Hacking                        | High              |                 | 52%                | 23%
2.2 | Loss or Theft of Mobile Device or Media   | Medium            |                 | 58%                | 67%
2.3 | Insider Accidents or Workarounds          | Medium            |                 | 56%                | 54%
2.4 | Business Associates                       | Medium            |                 | 65%                | 67%
2.5 | Malicious Insiders or Fraud               | High              | > Avg           | 53%                | 54%
2.6 | Insider Snooping                          | Medium            |                 | 55%                | 65%
2.7 | Improper Disposal                         | Low               | < Avg           | 67%                | 85%
2.8 | Ransomware                                | High              |                 | 57%                | 40%
Priority Alerts (> Avg / < Avg): Star Healthcare priority differs significantly from the Health & Life Sciences Industry average.
2.1 Cybercrime Hacking
In this type of breach an external hacker accesses your organization's network and obtains unauthorized access to sensitive patient information. A common example of this type of breach starts with the hacker spear-phishing a worker in your organization, resulting in that worker clicking on a malicious link, and leading to a drive-by download of malware. The malware then proliferates inside your intranet and key-logs the database administrator's database credentials, at which point it turns into a bot that logs into your database containing sensitive patient data and exfiltrates this data "low and slow" to evade detection.
Star Healthcare assigned a High priority to Cybercrime Hacking.
This is comparable to the average priority assigned by the rest of the healthcare industry to this type of breach.
Cybercrime Hacking Priority (industry average distribution): Low 8%, Medium 27%, High 65%. Star Healthcare: High.
Star Healthcare currently has approximately 52% of the breach security capabilities relevant to Cybercrime Hacking. Based on this metric, when compared to other healthcare organizations, Star Healthcare is at the 23% readiness percentile, putting it in the lower percentile range and lagging the healthcare industry. As Star Healthcare improves its Cybercrime Hacking readiness, the slider on the graph below would move to the right, corresponding to an increase in both its percentage of relevant breach security capabilities implemented and its readiness percentile.
Cybercrime Hacking Readiness (number of organizations at each readiness %; Star Healthcare at 52%): 25%: 2, 30%: 2, 35%: 0, 40%: 2, 45%: 3, 50%: 8, 55%: 9, 60%: 2, 65%: 9, 70%: 4, 75%: 4, 80%: 2, 85%: 4, 90%: 1.
The capabilities below are relevant to mitigating the risk of Cybercrime Hacking type breaches. This table shows the capabilities Star Healthcare has, and where there are gaps. Alerts are shown where gaps in capabilities are lagging the industry average, or in other words where on average most other organizations currently have the associated capability implemented.
Star Healthcare Cybercrime Hacking Breach Security Maturity
Baseline Enhanced Advanced
Policy
Risk Assessment
Audit and Compliance
! User Awareness Training
! Anti-Malware
Firewall
! Email Gateway
! Web Gateway
Vulnerability Management, Patching
Security Incident Response Plan
! Backup and Restore
! Penetration Testing, Vulnerability Scanning
! Secure Remote Administration
Network Segmentation
Network Intrusion Prevention System
Network Data Loss Prevention (Prevention Mode)
Database Activity Monitoring
Digital Forensics
! Security Information and Event Management
Threat Intelligence
Server Application Whitelisting
De-Identification / Anonymization
Tokenization
Business Continuity and Disaster Recovery
( = present, = partially present, = not present, = lagging industry in implementing, ! = action item in plan )
2.2 Loss or Theft of Mobile Device or Media
In this type of breach a worker either loses or has stolen a mobile device or media containing sensitive patient data, resulting in potential unauthorized access to that data and a breach.
Star Healthcare assigned a Medium priority to Loss or Theft of Mobile Device or Media.
This is comparable to the average priority assigned by the rest of the healthcare industry to this type of breach.
Loss or Theft of Mobile Device or Media Priority (industry average distribution): Low 25%, Medium 46%, High 29%. Star Healthcare: Medium.
Star Healthcare currently has approximately 58% of the breach security capabilities relevant to Loss or Theft of Mobile Device or Media. Based on this metric, when compared to other healthcare organizations, Star Healthcare is at the 67% readiness percentile, putting it in the upper percentile range and leading the healthcare industry. As Star Healthcare improves its Loss or Theft of Mobile Device or Media readiness, the slider on the graph below would move to the right, corresponding to an increase in both its percentage of relevant breach security capabilities implemented and its readiness percentile.
Loss or Theft of Mobile Device or Media Readiness (number of organizations at each readiness %; Star Healthcare at 58%): 15%: 3, 20%: 0, 25%: 0, 30%: 1, 35%: 4, 40%: 4, 45%: 7, 50%: 6, 55%: 6, 60%: 14, 65%: 2, 70%: 3, 75%: 1, 80%: 1.
The capabilities below are relevant to mitigating the risk of Loss or Theft of Mobile Device or Media type breaches. This table shows the capabilities Star Healthcare has, and where there are gaps. Alerts are shown where gaps in capabilities are lagging the industry average, or in other words where on average most other organizations currently have the associated capability implemented.
Star Healthcare Loss or Theft of Mobile Device or Media Breach Security Maturity
Baseline Enhanced Advanced
Policy
Risk Assessment
Audit and Compliance
! User Awareness Training
! Endpoint Device Encryption
! Mobile Device Management
Endpoint Data Loss Prevention (Discovery Mode)
IAM, Single Factor Access Control
Vulnerability Management, Patching
Security Incident Response Plan
Secure Disposal
! Backup and Restore
Client Solid State Drive (Encrypted)
Anti-Theft: Remote Locate, Lock, Wipe
! Multi-Factor Authentication with Timeout
! Secure Remote Administration
Policy Based Encryption for Files and Folders
Server / Database / Backup Encryption
Virtualization
Server Solid State Drive (Encrypted)
Digital Forensics
! Multi-Factor Authentication with Walk-Away Lock
Client Application Whitelisting
De-Identification / Anonymization
Tokenization
( = present, = partially present, = not present, = lagging industry in implementing, ! = action item in plan )
2.3 Insider Accidents or Workarounds
In this type of breach a worker performs a well-intentioned action that results in unauthorized access to sensitive patient information. A common example of this type of breach involves a worker emailing unsecured sensitive patient information, resulting in potential unauthorized access to this information, and a breach. This type of breach can involve the use of either corporate or BYOD devices by workers.
Star Healthcare assigned a Medium priority to Insider Accidents or Workarounds.
This is comparable to the average priority assigned by the rest of the healthcare industry to this type of breach.
Insider Accidents or Workarounds Priority (industry average distribution): Low 17%, Medium 48%, High 35%. Star Healthcare: Medium.
Star Healthcare currently has approximately 56% of the breach security capabilities relevant to Insider Accidents or Workarounds. Based on this metric, when compared to other healthcare organizations, Star Healthcare is at the 54% readiness percentile. As Star Healthcare improves its Insider Accidents or Workarounds readiness, the slider on the graph below would move to the right, corresponding to an increase in both its percentage of relevant breach security capabilities implemented and its readiness percentile.
Insider Accidents or Workarounds Readiness (number of organizations at each readiness %; Star Healthcare at 56%): 20%: 3, 25%: 1, 30%: 0, 35%: 2, 40%: 6, 45%: 3, 50%: 8, 55%: 11, 60%: 6, 65%: 5, 70%: 2, 75%: 3, 80%: 1, 85%: 1.
The capabilities below are relevant to mitigating the risk of Insider Accidents or Workarounds type breaches. This table shows the capabilities Star Healthcare has, and where there are gaps. Alerts are shown where gaps in capabilities are lagging the industry average, or in other words where on average most other organizations currently have the associated capability implemented.
Star Healthcare Insider Accidents or Workarounds Breach Security Maturity
Baseline Enhanced Advanced
Policy
Risk Assessment
Audit and Compliance
! User Awareness Training
! Mobile Device Management
Endpoint Data Loss Prevention (Discovery Mode)
! Anti-Malware
! Email Gateway
! Web Gateway
Vulnerability Management, Patching
Security Incident Response Plan
Secure Disposal
Device Control
Endpoint Data Loss Prevention (Prevention Mode)
Network Data Loss Prevention (Discovery Mode)
! Secure Remote Administration
Policy Based Encryption for Files and Folders
Network Segmentation
Network Data Loss Prevention (Prevention Mode)
Digital Forensics
Threat Intelligence
Client Application Whitelisting
De-Identification / Anonymization
Tokenization
( = present, = partially present, = not present, = lagging industry in implementing, ! = action item in plan )
2.4 Business Associates
In this type of breach a third party organization contracted by your organization experiences a breach event involving unauthorized access to sensitive patient information. In this case the patient information impacted originates from your organization and was previously shared for the purpose of the third party organization fulfilling its contractual obligations. In the United States these entities are known as Business Associates, while in Europe they are typically referred to as Data Processors.
Star Healthcare assigned a Medium priority to Business Associates.
This is comparable to the average priority assigned by the rest of the healthcare industry to this type of breach.
Business Associates Priority (industry average distribution): Low 35%, Medium 37%, High 29%. Star Healthcare: Medium.
Star Healthcare currently has approximately 65% of the breach security capabilities relevant to Business Associates. Based on this metric, when compared to other healthcare organizations, Star Healthcare is at the 67% readiness percentile, putting it in the upper percentile range and leading the healthcare industry. As Star Healthcare improves its Business Associates readiness, the slider on the graph below would move to the right, corresponding to an increase in both its percentage of relevant breach security capabilities implemented and its readiness percentile.
Business Associates Readiness (number of organizations at each readiness %; Star Healthcare at 65%): 5%: 1, 10%: 1, 15%: 0, 20%: 0, 25%: 1, 30%: 2, 35%: 4, 40%: 3, 45%: 4, 50%: 7, 55%: 7, 60%: 2, 65%: 7, 70%: 3, 75%: 3, 80%: 1, 85%: 4, 90%: 2.
The capabilities below are relevant to mitigating the risk of Business Associates type breaches. This table shows the capabilities Star Healthcare has, and where there are gaps. Alerts are shown where gaps in capabilities are lagging the industry average, or in other words where on average most other organizations currently have the associated capability implemented.
Star Healthcare Business Associates Breach Security Maturity
Baseline Enhanced Advanced
Policy
Risk Assessment
Audit and Compliance
! User Awareness Training
Security Incident Response Plan
Business Associate Agreements
Digital Forensics
Threat Intelligence
De-Identification / Anonymization
Tokenization
( = present, = partially present, = not present, = lagging industry in implementing, ! = action item in plan )
2.5 Malicious Insiders or Fraud
In this type of breach a worker performs a malicious action that results in unauthorized access to sensitive patient information. This could be a disgruntled worker, or done for the purpose of committing fraud. A common example of this type of breach involves medical claims fraud, where a worker files dishonest healthcare claims in order to turn a profit, or sells sensitive patient information on the black market. Prescription fraud and financial fraud are other examples of this type of breach.
Star Healthcare assigned a High priority to Malicious Insiders or Fraud.
This generated an alert because on average the healthcare industry prioritizes this type of breach lower.
Malicious Insiders or Fraud Priority (industry average distribution): Low 40%, Medium 35%, High 25%. Star Healthcare: High.
Star Healthcare currently has approximately 53% of the breach security capabilities relevant to Malicious Insiders or Fraud. Based on this metric, when compared to other healthcare organizations, Star Healthcare is at the 54% readiness percentile. As Star Healthcare improves its Malicious Insiders or Fraud readiness, the slider on the graph below would move to the right, corresponding to an increase in both its percentage of relevant breach security capabilities implemented and its readiness percentile.
Malicious Insiders or Fraud Readiness (number of organizations at each readiness %; Star Healthcare at 53%): 15%: 1, 20%: 2, 25%: 1, 30%: 0, 35%: 3, 40%: 7, 45%: 4, 50%: 9, 55%: 11, 60%: 5, 65%: 2, 70%: 5, 75%: 1, 80%: 1.
The capabilities below are relevant to mitigating the risk of Malicious Insiders or Fraud type breaches. This table shows the capabilities Star Healthcare has, and where there are gaps. Alerts are shown where gaps in capabilities are lagging the industry average, or in other words where on average most other organizations currently have the associated capability implemented.
Star Healthcare Malicious Insiders or Fraud Breach Security Maturity
Baseline Enhanced Advanced
Policy
Risk Assessment
Audit and Compliance
! User Awareness Training
! Endpoint Device Encryption
! Mobile Device Management
Endpoint Data Loss Prevention (Discovery Mode)
IAM, Single Factor Access Control
Firewall
! Email Gateway
! Web Gateway
Vulnerability Management, Patching
Security Incident Response Plan
Secure Disposal
! Backup and Restore
Device Control
! Penetration Testing, Vulnerability Scanning
Client Solid State Drive (Encrypted)
Endpoint Data Loss Prevention (Prevention Mode)
Network Data Loss Prevention (Discovery Mode)
Anti-Theft: Remote Locate, Lock, Wipe
! Multi-Factor Authentication with Timeout
! Secure Remote Administration
Policy Based Encryption for Files and Folders
Server / Database / Backup Encryption
Network Segmentation
Server Solid State Drive (Encrypted)
Network Data Loss Prevention (Prevention Mode)
Database Activity Monitoring
Digital Forensics
! Security Information and Event Management
Threat Intelligence
! Multi-Factor Authentication with Walk-Away Lock
Client Application Whitelisting
Server Application Whitelisting
De-Identification / Anonymization
Tokenization
Business Continuity and Disaster Recovery
( = present, = partially present, = not present, = lagging industry in implementing, ! = action item in plan )
2.6 Insider Snooping
Insider snooping involves a worker accessing the records of patients of your organization without any legitimate need to do so, for example where a patient is not under the direct care of the worker.
Star Healthcare assigned a Medium priority to Insider Snooping.
This is comparable to the average priority assigned by the rest of the healthcare industry to this type of breach.
Insider Snooping Priority (industry average distribution): Low 31%, Medium 44%, High 25%. Star Healthcare: Medium.
Star Healthcare currently has approximately 55% of the breach security capabilities relevant to Insider Snooping. Based on this metric, when compared to other healthcare organizations, Star Healthcare is at the 65% readiness percentile. As Star Healthcare improves its Insider Snooping readiness, the slider on the graph below would move to the right, corresponding to an increase in both its percentage of relevant breach security capabilities implemented and its readiness percentile.
Insider Snooping Readiness (number of organizations at each readiness %; Star Healthcare at 55%): 10%: 1, 15%: 2, 20%: 0, 25%: 1, 30%: 0, 35%: 5, 40%: 5, 45%: 9, 50%: 11, 55%: 5, 60%: 6, 65%: 2, 70%: 3, 75%: 1, 80%: 1.
The capabilities below are relevant to mitigating the risk of Insider Snooping type breaches. This table shows the capabilities Star Healthcare has, and where there are gaps. Alerts are shown where gaps in capabilities are lagging the industry average, or in other words where on average most other organizations currently have the associated capability implemented.
Star Healthcare Insider Snooping Breach Security Maturity
Baseline Enhanced Advanced
Policy
Risk Assessment
Audit and Compliance
! User Awareness Training
! Endpoint Device Encryption
! Mobile Device Management
Endpoint Data Loss Prevention (Discovery Mode)
IAM, Single Factor Access Control
Firewall
! Web Gateway
Vulnerability Management, Patching
Security Incident Response Plan
Secure Disposal
Device Control
! Penetration Testing, Vulnerability Scanning
Client Solid State Drive (Encrypted)
Endpoint Data Loss Prevention (Prevention Mode)
Network Data Loss Prevention (Discovery Mode)
! Multi-Factor Authentication with Timeout
! Secure Remote Administration
Policy Based Encryption for Files and Folders
Server / Database / Backup Encryption
Network Segmentation
Network Data Loss Prevention (Prevention Mode)
Database Activity Monitoring
Digital Forensics
! Security Information and Event Management
Threat Intelligence
! Multi-Factor Authentication with Walk-Away Lock
Client Application Whitelisting
Server Application Whitelisting
De-Identification / Anonymization
Tokenization
( = present, = partially present, = not present, = lagging industry in implementing, ! = action item in plan )
2.7 Improper Disposal
Improper disposal of electronic storage devices or media containing sensitive patient information. Examples of this could include dumping paper-based patient records in a dumpster, or selling electronic devices with stored patient records without first securely wiping them.
Star Healthcare assigned a Low priority to Improper Disposal.
This generated an alert because on average the healthcare industry prioritizes this type of breach higher.
Improper Disposal Priority (industry average distribution): Low 40%, Medium 38%, High 21%. Star Healthcare: Low.
Star Healthcare currently has approximately 67% of the breach security capabilities relevant to Improper Disposal. Based on this metric, when compared to other healthcare organizations, Star Healthcare is at the 85% readiness percentile, putting it in the upper percentile range and leading the healthcare industry. As Star Healthcare improves its Improper Disposal readiness, the slider on the graph below would move to the right, corresponding to an increase in both its percentage of relevant breach security capabilities implemented and its readiness percentile.
Improper Disposal Readiness (number of organizations at each readiness %; Star Healthcare at 67%): 0%: 1, 5%: 1, 10%: 1, 15%: 1, 20%: 1, 25%: 1, 30%: 4, 35%: 1, 40%: 6, 45%: 8, 50%: 0, 55%: 9, 60%: 10, 65%: 2, 70%: 4, 75%: 1, 80%: 0, 85%: 1.
The capabilities below are relevant to mitigating the risk of Improper Disposal type breaches. This table shows the capabilities Star Healthcare has, and where there are gaps. Alerts are shown where gaps in capabilities are lagging the industry average, or in other words where on average most other organizations currently have the associated capability implemented.
Star Healthcare Improper Disposal Breach Security Maturity
Baseline Enhanced Advanced
Policy
Risk Assessment
Audit and Compliance
! User Awareness Training
! Endpoint Device Encryption
! Mobile Device Management
Endpoint Data Loss Prevention (Discovery Mode)
Vulnerability Management, Patching
Security Incident Response Plan
Secure Disposal
Client Solid State Drive (Encrypted)
Anti-Theft: Remote Locate, Lock, Wipe
Policy Based Encryption for Files and Folders
Server / Database / Backup Encryption
Server Solid State Drive (Encrypted)
Digital Forensics
De-Identification / Anonymization
Tokenization
( = present, = partially present, = not present, = lagging industry in implementing, ! = action item in plan )
2.8 Ransomware
Ransomware breaches involve malware infections, often through spear phishing and drive-by download, where the malware encrypts patient data in electronic form and the hackers behind it withhold the decryption keys, typically demanding a ransom. This type of breach compromises the availability of the patient records, and can also involve unauthorized access to patient information, depending on the malware and the hackers' access to the internal network and data of the health and life sciences organization.
Star Healthcare assigned a High priority to Ransomware.
This is comparable to the average priority assigned by the rest of the healthcare industry to this type of breach.
Ransomware Priority (industry average distribution): Low 6%, Medium 12%, High 83%. Star Healthcare: High.
Star Healthcare currently has approximately 57% of the breach security capabilities relevant to Ransomware. Based on this metric, when compared to other healthcare organizations, Star Healthcare is at the 40% readiness percentile. As Star Healthcare improves its Ransomware readiness, the slider on the graph below would move to the right, corresponding to an increase in both its percentage of relevant breach security capabilities implemented and its readiness percentile.
Ransomware Readiness chart (number of organizations at each readiness %):
Readiness %:    15  20  25  30  35  40  45  50  55  60  65  70  75  80  85
Organizations:   1   0   0   3   0   4   2   4  10  10   4   3   4   4   3
Key: Star Healthcare, Number of Organizations at Readiness %
The capabilities below are relevant to mitigating risk of Ransomware type breaches. This table shows the capabilities Star Healthcare has, and where there are gaps. Alerts are shown where gaps in capabilities are lagging the industry average, or in other words where on average most other organizations currently have the associated capability implemented.
Star Healthcare Ransomware Breach Security Maturity
Maturity levels (table columns): Baseline, Enhanced, Advanced
- Policy
- Risk Assessment
- Audit and Compliance
- ! User Awareness Training
- ! Anti-Malware
- IAM, Single Factor Access Control
- ! Email Gateway
- ! Web Gateway
- Vulnerability Management, Patching
- Security Incident Response Plan
- ! Backup and Restore
- Device Control
- ! Penetration Testing, Vulnerability Scanning
- Endpoint Data Loss Prevention (Prevention Mode)
- Network Segmentation
- Network Intrusion Prevention System
- Network Data Loss Prevention (Prevention Mode)
- Digital Forensics
- ! Security Information and Event Management
- Threat Intelligence
- Client Application Whitelisting
- Server Application Whitelisting
- Business Continuity and Disaster Recovery
( = present, = partially present, = not present, = lagging industry in implementing, ! = action item in plan )
3. Breach Security Maturity Model
The capabilities in the maturity model below are directly relevant to mitigating risk of various types of breaches. This view presents a comprehensive overview of all 42 assessed breach capabilities. To see the subset of capabilities relevant to a particular breach type see the previous section for that breach type. Each capability is classified into the Baseline, Enhanced or Advanced breach security maturity levels. On the left of each breach security capability is a circle indicating whether this capability is currently present ( ), partially present ( ), or absent ( ) at Star Healthcare respectively. ( ) indicates a capability where Star Healthcare is significantly behind the Health & Life Sciences Industry average in implementing the capability.
Star Healthcare Breach Security Maturity
Maturity levels (table columns): Baseline, Enhanced, Advanced
- Policy
- Risk Assessment
- Audit and Compliance
- ! User Awareness Training
- ! Endpoint Device Encryption
- ! Mobile Device Management
- Endpoint Data Loss Prevention (Discovery Mode)
- ! Anti-Malware
- IAM, Single Factor Access Control
- Firewall
- ! Email Gateway
- ! Web Gateway
- Vulnerability Management, Patching
- Security Incident Response Plan
- Secure Disposal
- ! Backup and Restore
- Device Control
- ! Penetration Testing, Vulnerability Scanning
- Client Solid State Drive (Encrypted)
- Endpoint Data Loss Prevention (Prevention Mode)
- Network Data Loss Prevention (Discovery Mode)
- Anti-Theft: Remote Locate, Lock, Wipe
- ! Multi-Factor Authentication with Timeout
- ! Secure Remote Administration
- Policy Based Encryption for Files and Folders
- Server / Database / Backup Encryption
- Network Segmentation
- Network Intrusion Prevention System
- Business Associate Agreements
- Virtualization
- Server Solid State Drive (Encrypted)
- Network Data Loss Prevention (Prevention Mode)
- Database Activity Monitoring
- Digital Forensics
- ! Security Information and Event Management
- Threat Intelligence
- ! Multi-Factor Authentication with Walk-Away Lock
- Client Application Whitelisting
- Server Application Whitelisting
- De-Identification / Anonymization
- Tokenization
- Business Continuity and Disaster Recovery
( = present, = partially present, = not present, = lagging industry in implementing, ! = action item in plan )
4. Breach Security Gaps and Opportunities for Improvement
Security capabilities for which your implementation was assessed as either "No" ( ) or "Partial" ( ) are listed below together with the maturity level of the safeguard, its relevance across breach types, and whether your gap is significantly behind the rest of the Health & Life Sciences organizations assessed. Capabilities that are assessed as not present ( ) will tend to appear higher on this list than ones assessed as partially present ( ). Capabilities that are relevant across more breach types ( ) will tend to appear higher on this list than ones relevant to fewer breach types. Capabilities relevant to breach types that you rated as higher priority will tend to appear higher on the list than those relevant to breach types that you rated as lower priority. Capabilities for which you were assessed as significantly behind the Health & Life Sciences average ( ) will tend to appear higher on the list than ones where your gap is typical across the Health & Life Sciences organizations assessed. This list is not intended to be prescriptive. Please consult your account manager and assessor for further guidance in interpreting these results.
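The four ordering rules above can be written down as a scoring function. What follows is an added illustration, not the assessor's own tool: the weights are assumptions (the report does not publish its formula), the breach-type priorities are the ones in the gaps table, and the assessment of the five sample capabilities is inferred from the Section 6 notes because the status icons are not in the text. For these five the resulting order agrees with the gap list below.

```python
"""Gap-ranking illustration for Section 4 (added example, not the assessor's tool)."""
from __future__ import annotations

from dataclasses import dataclass

# Star Healthcare's breach-type priorities, as given in the gaps table header.
PRIORITY = {
    "Cybercrime Hacking": "High",
    "Loss or Theft": "Medium",
    "Insider Accidents": "Medium",
    "Business Associates": "Medium",
    "Malicious Insiders or Fraud": "High",
    "Insider Snooping": "Medium",
    "Improper Disposal": "Low",
    "Ransomware": "High",
}

# Assumed weights encoding the report's ordering rules (not from the report).
PRIORITY_WEIGHT = {"High": 3, "Medium": 2, "Low": 1}
ASSESS_WEIGHT = {"absent": 1.0, "partial": 0.5, "present": 0.0}
BEHIND_INDUSTRY_FACTOR = 2.0


@dataclass
class Capability:
    name: str
    assessment: str            # "absent", "partial" or "present"
    breach_types: list[str]    # breach types this safeguard mitigates
    behind_industry: bool = False


def gap_score(cap: Capability) -> float:
    """Higher score = higher on the gap list.

    Relevance is the priority-weighted count of breach types mitigated, so a
    safeguard covering more (and higher-priority) breach types scores higher;
    absent outranks partial, and lagging the industry doubles the score.
    """
    unknown = set(cap.breach_types) - set(PRIORITY)
    if unknown:
        raise ValueError(f"unknown breach type(s): {sorted(unknown)}")
    relevance = sum(PRIORITY_WEIGHT[PRIORITY[b]] for b in cap.breach_types)
    score = ASSESS_WEIGHT[cap.assessment] * relevance
    if cap.behind_industry:
        score *= BEHIND_INDUSTRY_FACTOR
    return score


def rank_gaps(caps: list[Capability]) -> list[tuple[str, float]]:
    """Return (name, score) for every capability that is not fully present,
    highest score first; ties fall back to alphabetical order."""
    gaps = [c for c in caps if c.assessment != "present"]
    ranked = sorted(gaps, key=lambda c: (-gap_score(c), c.name))
    return [(c.name, gap_score(c)) for c in ranked]


# Sample capabilities from the report. Assessment values are inferred from the
# Section 6 notes; breach-type relevance and the "lagging the industry"
# statements are taken from Section 6 as written.
STAR_HEALTHCARE = [
    Capability("Secure Remote Administration", "absent",
               ["Cybercrime Hacking", "Loss or Theft", "Insider Accidents",
                "Malicious Insiders or Fraud", "Insider Snooping"], True),
    Capability("Penetration Testing, Vulnerability Scanning", "absent",
               ["Cybercrime Hacking", "Malicious Insiders or Fraud",
                "Insider Snooping", "Ransomware"], True),
    Capability("Device Control", "absent",
               ["Insider Accidents", "Malicious Insiders or Fraud",
                "Insider Snooping", "Ransomware"], True),
    Capability("Backup and Restore", "partial",
               ["Cybercrime Hacking", "Loss or Theft",
                "Malicious Insiders or Fraud", "Ransomware"], True),
    Capability("User Awareness Training", "partial", list(PRIORITY), False),
    # Present capabilities never appear on the gap list.
    Capability("Security Incident Response Plan", "present", list(PRIORITY)),
]

if __name__ == "__main__":
    for position, (name, score) in enumerate(rank_gaps(STAR_HEALTHCARE), 1):
        print(f"{position:2d}. {name:45s} score={score:5.1f}")
```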
Star Healthcare Breach Security Gaps
Columns: #, Security Capability, Assessment, Behind Industry, Breach Types Mitigated and Star Healthcare Priorities
Breach type priorities: Cybercrime Hacking - High; Loss or Theft - Medium; Insider Accidents - Medium; Business Associates - Medium; Malicious Insiders or Fraud - High; Insider Snooping - Medium; Improper Disposal - Low; Ransomware - High
1. Secure Remote Administration
2. Penetration Testing, Vulnerability Scanning
3. Security Information and Event Management
4. Device Control
5. Tokenization
6. Network Data Loss Prevention (Discovery Mode)
7. Multi-Factor Authentication with Timeout
8. Web Gateway
9. Network Data Loss Prevention (Prevention Mode)
10. Email Gateway
11. Backup and Restore
12. Digital Forensics
13. User Awareness Training
14. Vulnerability Management, Patching
15. Anti-Malware
16. De-Identification / Anonymization
17. Threat Intelligence
18. Multi-Factor Authentication with Walk-Away Lock
19. Server Solid State Drive (Encrypted)
20. Client Application Whitelisting
21. Server Application Whitelisting
22. Mobile Device Management
23. Policy Based Encryption for Files and Folders
24. Endpoint Device Encryption
25. Business Continuity and Disaster Recovery
26. Database Activity Monitoring
27. Anti-Theft: Remote Locate, Lock, Wipe
28. Network Intrusion Prevention System
29. Business Associate Agreements
30. Virtualization
( = present, = partially present, = not present, = lagging industry in implementing, ! = action item in plan )
5. Breach Security Action Plan
The following 12 step multi-year action plan is recommended for Star Healthcare to improve its breach security posture and reduce residual risk of breaches.
2016
1. User Awareness Training: Enhance training to include spear-phishing, and add new security training at the time of employee role changes.
2. Secure Remote Administration: Add ability to efficiently administer remote endpoints for maintenance, patching, updates and support.
3. Backup and Restore: Add backup and restore (versioned) for all data for availability and protection against ransomware.
4. Endpoint Device Encryption: Add encryption to smartphones and tablets.
2017
5. Security Information and Event Management: Implement SIEM for improved detection of breaches to minimize business impact.
6. Penetration Testing, Vulnerability Scanning: Conduct penetration testing on external interfaces. Complete vulnerability scan to find unsecured machines, including unsecured development and test databases with PHI.
7. Multi-Factor Authentication with Timeout: Add tap and go MFA with proximity cards to improve usability and security.
8. Mobile Device Management: Add MDM for corporate provisioned mobile endpoints.
2018
9. Multi-Factor Authentication with Walk-Away Lock: Upgrade tap and go MFA to also include walk-away lock to minimize risk of session hijacking when clinicians leave.
10. Email Gateway: Add monitoring of alerts, and management for Email Gateway.
11. Web Gateway: Add monitoring of alerts, and management for Web Gateway.
12. Anti-Malware: Add anti-malware to smartphones and tablets.
6. Breach Security Capabilities
This assessment evaluated the presence of 42 breach security capabilities in Star Healthcare. This section defines each capability and shows how Star Healthcare compares with the Health & Life Sciences Industry in implementing each capability.
6.1 Policy
Accurate, complete and up to date privacy & security policy. This is the internal document used to govern healthcare employee responsibilities with regard to privacy and security of patient information.
Notes: Need to update for BYOD.
HIPAA: 45 CFR 164.308(a)
ISO: 27001:2013 Section 5.2 Policy
NIST: SP 800-53 Rev. 4 PS-1, PS-7
PCI DSS: v3.1 Section 12.1
CIS: v6.1 CSC Governance Item #4: Policies
GDPR: Regulation 78 internal policies
Policy Capability chart: Absent 8%, Partial 27%, Present 65%. Key: Star Healthcare, Average.
Policy is relevant to the following breach types: - Cybercrime Hacking - Loss or Theft of Mobile Device or Media - Insider Accidents or Workarounds - Business Associates - Malicious Insiders or Fraud - Insider Snooping - Improper Disposal - Ransomware
6.2 Risk Assessment
Documented risk assessments done annually.
Notes: Last one completed about 2 years ago. Not currently done regularly.
HIPAA: 45 CFR 164.308(a)(1)
ISO: 27001:2013 Section 8.2 Information Security Risk Assessment
NIST: SP 800-53 Rev. 4 RA-1 to RA-3
PCI DSS: v3.1 Section 12.2
CIS: v6.1 CSC 13.1
GDPR: Regulation 76 risk assessment
Risk Assessment Capability chart: Absent 23%, Partial 35%, Present 42%. Key: Star Healthcare, Average.
Risk Assessment is relevant to the following breach types: - Cybercrime Hacking - Loss or Theft of Mobile Device or Media - Insider Accidents or Workarounds - Business Associates - Malicious Insiders or Fraud - Insider Snooping - Improper Disposal - Ransomware
6.3 Audit and Compliance
Audit and compliance technology and processes in place to detect and remedy non-compliance with policy.
Notes: Logging and regular audits done to verify compliance with policy.
HIPAA: 45 CFR 164.312(b)
ISO: 27001:2013 Section 9.2 Internal Audit
NIST: SP 800-53 Rev. 4 AU-1 to 16
PCI DSS: v3.1 Requirement 10
CIS: v6.1 CSC 6
GDPR: Regulation 74 demonstrate compliance
Audit and Compliance Capability chart: Absent 13%, Partial 54%, Present 33%. Key: Star Healthcare, Average.
Audit and Compliance is relevant to the following breach types: - Cybercrime Hacking - Loss or Theft of Mobile Device or Media - Insider Accidents or Workarounds - Business Associates - Malicious Insiders or Fraud - Insider Snooping - Improper Disposal - Ransomware
6.4 User Awareness Training
Training of healthcare workers on security and privacy. May be implemented at time of hire, change of role, annually, or more frequently. May also be triggered by specific events. More advanced training may use gamified techniques, for example for spear phishing, to help train healthcare workers on the job.
Notes: New employees trained. Need training on role change and spear phishing.
! Recommended Action: 2016: Enhance training to include spear-phishing, and add new security training at the time of employee role changes. See Action Plan.
HIPAA: 45 CFR 164.308(a)(5)
ISO: 27002:2013 Section 7.2.2 Information Security Awareness, Education and Training
NIST: SP 800-53 Rev. 4 AT-1 to 4
PCI DSS: v3.1 Section 9.9.3
CIS: v6.1 CSC 17
GDPR: Article 39 awareness raising and training of staff
User Awareness Training Capability chart: Absent 19%, Partial 33%, Present 48%. Key: Star Healthcare, Average.
User Awareness Training is relevant to the following breach types: - Cybercrime Hacking - Loss or Theft of Mobile Device or Media - Insider Accidents or Workarounds - Business Associates - Malicious Insiders or Fraud - Insider Snooping - Improper Disposal - Ransomware
6.5 Endpoint Device Encryption
Client devices storing sensitive patient information have encryption of data at rest.
Notes: Laptops encrypted. Need encryption for smartphones and tablets.
! Recommended Action: 2016: Add encryption to smartphones and tablets. See Action Plan.
HIPAA: 45 CFR 164.312
ISO: 27002:2013 Section 10 Cryptography
NIST: SP 800-53 Rev. 4 SC-28
PCI DSS: v3.1 Section 3.4.1
CIS: v6.1 CSC 13.2
GDPR: Article 32 1a encryption of personal data
Endpoint Device Encryption Capability chart: Absent 15%, Partial 42%, Present 42%. Key: Star Healthcare, Average.
Endpoint Device Encryption is relevant to the following breach types: - Loss or Theft of Mobile Device or Media - Malicious Insiders or Fraud - Insider Snooping - Improper Disposal
6.6 Mobile Device Management
Management of mobile client devices including smartphones and tablets. Often used with BYOD devices. Functionality may include a secure container for whitelisted business apps and data with access control and encryption, as well as remote management including remote lock and wipe.
Notes: Currently in place for BYOD smartphones. Need for corporate smartphones and tablets.
! Recommended Action: 2017: Add MDM for corporate provisioned mobile endpoints. See Action Plan.
HIPAA: Security Rule - Protect Confidentiality - Technical Safeguard
ISO: 27002:2013 Section 6.2 Mobile Devices and Teleworking
NIST: SP 800-53 Rev. 4 AC-19
PCI DSS: v3.1 Section 1.4
CIS: v6.1 CSC 13
GDPR: Regulation 83 accidental or unlawful loss of personal data
Mobile Device Management Capability chart: Absent 23%, Partial 27%, Present 50%. Key: Star Healthcare, Average.
Mobile Device Management is relevant to the following breach types: - Loss or Theft of Mobile Device or Media - Insider Accidents or Workarounds - Malicious Insiders or Fraud - Insider Snooping - Improper Disposal
6.7 Endpoint Data Loss Prevention (Discovery Mode)
Data Loss Prevention ability to discover and possibly also classify sensitive patient data at rest on clients or servers.
Notes: Currently used to discover patient data stored on laptops etc.
HIPAA: Security Rule - Protect Confidentiality - Technical Safeguard
ISO: 27002:2013 Section 18.1.3 Protection of Records
NIST: SP 800-53 Rev. 4 AU-13 to AU-14
PCI DSS: v3.1 Requirement 3
CIS: v6.1 CSC 13.9
GDPR: Regulation 83 accidental loss of personal data
Endpoint DLP Discovery Capability chart: Absent 71%, Partial 15%, Present 13%. Key: Star Healthcare, Average.
Endpoint Data Loss Prevention (Discovery Mode) is relevant to the following breach types: - Loss or Theft of Mobile Device or Media - Insider Accidents or Workarounds - Malicious Insiders or Fraud - Insider Snooping - Improper Disposal
6.8 Anti-Malware
Ability to detect and remediate blacklisted executables. May be signature based or heuristics / behavior based. Remediation may include quarantine or removal of any malware detected.
Notes: Currently running on laptops. Need for smartphones and tablets as well.
! Recommended Action: 2018: Add anti-malware to smartphones and tablets. See Action Plan.
HIPAA: Security Rule - Protect Confidentiality - Technical Safeguard
ISO: 27002:2013 Section 12.2 Protection from Malware
NIST: SP 800-53 Rev. 4 SI-3
PCI DSS: v3.1 Requirement 5
CIS: v6.1 CSC 8
GDPR: Regulation 49 prevent malicious code distribution
Anti-Malware Capability chart: Absent 2%, Partial 15%, Present 83%. Key: Star Healthcare, Average.
Star Healthcare is lagging the healthcare industry in implementing the Anti-Malware capability.
Anti-Malware is relevant to the following breach types: - Cybercrime Hacking - Insider Accidents or Workarounds - Ransomware
6.9 IAM, Single Factor Access Control
Access control using a single factor, either "what you know", "what you have" or "what you are" / biometrics. Username / password is a very common form of "what you know" single factor authentication. There may be multiple sets of credentials across different domains, applications and solutions. This capability includes both technology and processes covering the full IAM (Identity and Access Management) lifecycle such as authentication and authorization / privilege management.
Notes: Microsoft Windows login, as well as logins across various applications.
HIPAA: 45 CFR 164.312
ISO: 27002:2013 Section 9 Access Control
NIST: SP 800-53 Rev. 4 AC-1 to 3
PCI DSS: v3.1 Requirement 7
CIS: v6.1 CSC 14, CSC 5
GDPR: Regulation 39 security and preventing unauthorised access
IAM, Single Factor Access Control Capability chart: Absent 8%, Partial 23%, Present 69%. Key: Star Healthcare, Average.
IAM, Single Factor Access Control is relevant to the following breach types: - Loss or Theft of Mobile Device or Media - Malicious Insiders or Fraud - Insider Snooping - Ransomware
6.10 Firewall
The external firewall provides network perimeter defense against unauthorized access to healthcare organizations' systems and sensitive patient information. Also includes internal host based firewalls. Services may include provisioning / deployment, upgrade, patching, policy / configuration updates, network traffic monitoring, etc.
Notes: Currently have firewalls in place on perimeter of network, as well as endpoints.
HIPAA: Security Rule - Protect Confidentiality - Technical Safeguard
ISO: 27002:2013 Section 13.1.2 Security of Network Services
NIST: SP 800-53 Rev. 4 SC-7
PCI DSS: v3.1 Requirement 1
CIS: v6.1 CSC 9.2, CSC 9.6, CSC 12, CSC 18.2
GDPR: Regulation 39 security and preventing unauthorised access
Firewall Capability chart: Absent 0%, Partial 17%, Present 83%. Key: Star Healthcare, Average.
Firewall is relevant to the following breach types: - Cybercrime Hacking - Malicious Insiders or Fraud - Insider Snooping
6.11 Email Gateway
Safeguard for email and may include inbound threat protection, outbound encryption, compliance, data loss prevention, and administration.
Notes: We have the appliance in place but need to establish process to configure and monitor it.
! Recommended Action: 2018: Add monitoring of alerts, and management for Email Gateway. See Action Plan.
HIPAA: Security Rule - Protect Confidentiality - Technical Safeguard
ISO: 27002:2013 Section 13.1 Network Security Management
NIST: SP 800-53 Rev. 4 SC-7
PCI DSS: v3.1 Requirement 5
CIS: v6.1 CSC 7
GDPR: Regulation 49 resist accidental events that compromise confidentiality
Email Gateway Capability chart: Absent 0%, Partial 15%, Present 85%. Key: Star Healthcare, Average.
Star Healthcare is lagging the healthcare industry in implementing the Email Gateway capability.
Email Gateway is relevant to the following breach types: - Cybercrime Hacking - Insider Accidents or Workarounds - Malicious Insiders or Fraud - Ransomware
6.12 Web Gateway
Safeguard for web requests and content returned in responses and may include analysis of the nature and intent of all content and code entering the network from requested web pages, to provide protection against malware and other hidden threats.
Notes: Appliance in place but need resources and process to monitor it to get full benefit.
! Recommended Action: 2018: Add monitoring of alerts, and management for Web Gateway. See Action Plan.
HIPAA: Security Rule - Protect Confidentiality - Technical Safeguard
ISO: 27002:2013 Section 13.1 Network Security Management
NIST: SP 800-53 Rev. 4 SC-7
PCI DSS: v3.1 Requirement 5
CIS: v6.1 CSC 7, CSC 12
GDPR: Regulation 49 resist accidental events that compromise confidentiality
Web Gateway Capability chart: Absent 8%, Partial 15%, Present 77%. Key: Star Healthcare, Average.
Star Healthcare is lagging the healthcare industry in implementing the Web Gateway capability.
Web Gateway is relevant to the following breach types: - Cybercrime Hacking - Insider Accidents or Workarounds - Malicious Insiders or Fraud - Insider Snooping - Ransomware
6.13 Vulnerability Management, Patching
Ability (technology and processes) to manage vulnerabilities on endpoint devices through configuration updates, signature updates, patching, and so forth. This can include patching of operating systems, security solutions, as well as office and healthcare applications to ensure they are up to date and secure.
Notes: Currently PCs configured for automatic updates. Need to do more vulnerability management, e.g. with client configuration.
HIPAA: Security Rule - Protect Confidentiality - Technical Safeguard
ISO: 27002:2013 Section 12.6 Technical Vulnerability Management
NIST: SP 800-53 Rev. 4 CM-1 to 11, MA-1 to 6
PCI DSS: v3.1 Requirement 6
CIS: v6.1 CSC 3, CSC 11, CSC 15, CSC 18, CSC 4.5
GDPR: Regulation 83 implement state of the art measures
Vulnerability Management, Patching Capability chart: Absent 6%, Partial 40%, Present 54%. Key: Star Healthcare, Average.
Vulnerability Management, Patching is relevant to the following breach types: - Cybercrime Hacking - Loss or Theft of Mobile Device or Media - Insider Accidents or Workarounds - Malicious Insiders or Fraud - Insider Snooping - Improper Disposal - Ransomware
6.14 Security Incident Response Plan
Plans in place covering what to do in the event of a suspected data security incident or breach.
Notes: Currently in place and tested. Good to go.
HIPAA: 45 CFR 164.308(a)(6)
ISO: 27002:2013 Section 16 Information Security Incident Management
NIST: SP 800-53 Rev. 4 IR-1 to 10
PCI DSS: v3.1 Section 12.10
CIS: v6.1 CSC 19
GDPR: Article 32 1 protect confidentiality, integrity, availability of personal data
Security Incident Response Plan Capability chart: Absent 21%, Partial 38%, Present 40%. Key: Star Healthcare, Average.
Security Incident Response Plan is relevant to the following breach types: - Cybercrime Hacking - Loss or Theft of Mobile Device or Media - Insider Accidents or Workarounds - Business Associates - Malicious Insiders or Fraud - Insider Snooping - Improper Disposal - Ransomware
6.15 Secure Disposal
Technology and processes to securely dispose of devices and media containing sensitive healthcare information. This can include secure wipe of disk drives, shredding of paper records, and so forth.
Notes: Secure wipe for hard drives. Shredding for paper records.
HIPAA: 45 CFR 164.310(d)(2)(i)
ISO: 27002:2013 Section 8.3.2 Disposal of Media, 11.2.7 Secure Disposal or Re-Use of Equipment
NIST: SP 800-53 Rev. 4 MP-6
PCI DSS: v3.1 Section 9.8
CIS: v6.1 CSC Privacy Impact Assessment: Disposal
GDPR: Regulation 83 protect confidentiality of personal data
Secure Disposal Capability chart: Absent 10%, Partial 17%, Present 73%. Key: Star Healthcare, Average.
Secure Disposal is relevant to the following breach types: - Loss or Theft of Mobile Device or Media - Insider Accidents or Workarounds - Malicious Insiders or Fraud - Insider Snooping - Improper Disposal
6.16 Backup and Restore
Ability to securely back up systems and data, and to store versioned backups in a secure managed backup system. At least one version should be air-gapped / offline. This also includes the ability to restore systems that become corrupt or infected. For this capability to be considered fully implemented it should be regularly tested through a full backup and restore cycle.
Notes: Some endpoints including smartphones and tablets not yet backed up.
! Recommended Action: 2016: Add backup and restore (versioned) for all data for availability and protection against ransomware. See Action Plan.
HIPAA: Security Rule - Protect Availability - Technical Safeguard
ISO: 27002:2013 Section 12.3 Backup
NIST: SP 800-53 Rev. 4 CP-9, 10
PCI DSS: v3.1 Section 9.5.1
CIS: v6.1 CSC 10
GDPR: Article 32 1c restore availability and access to personal data
Backup and Restore Capability chart: Absent 0%, Partial 19%, Present 81%. Key: Star Healthcare, Average.
Star Healthcare is lagging the healthcare industry in implementing the Backup and Restore capability.
Backup and Restore is relevant to the following breach types: - Cybercrime Hacking - Loss or Theft of Mobile Device or Media - Malicious Insiders or Fraud - Ransomware
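As an added illustration of the versioned-backup and restore-test requirements above (not Star Healthcare's backup tooling), the following keeps every backup run, restores the newest version taken before a chosen run, and verifies the restored bytes against the digest recorded at backup time. The patient records and the incident are constructed sample data.

```python
"""Versioned backup store with a restore drill (added example, not the
report's or any vendor's product). It shows why Section 6.16 asks for
versioned backups and regular restore testing: after a ransomware infection
the newest backup may already hold encrypted files, so the restore must pick
the last version written before the incident and prove the bytes are intact.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Version:
    seq: int       # backup run that produced this version
    sha256: str    # digest recorded in the backup manifest at backup time
    data: bytes    # stand-in for the bytes held on backup media


@dataclass
class VersionedBackupStore:
    """Append-only store: a later run never overwrites an earlier version,
    so a pre-incident copy survives even after a later run has faithfully
    backed up ransomware-encrypted files."""
    versions: dict[str, list[Version]] = field(default_factory=dict)
    runs: int = 0

    def backup(self, files: dict[str, bytes]) -> int:
        """Record one backup run and return its run number."""
        self.runs += 1
        for path, data in files.items():
            digest = hashlib.sha256(data).hexdigest()
            self.versions.setdefault(path, []).append(Version(self.runs, digest, data))
        return self.runs

    def restore(self, path: str, before_run: Optional[int] = None) -> bytes:
        """Return the newest version of `path` from a run earlier than
        `before_run` (newest overall when None), after checking its digest."""
        candidates = [v for v in self.versions.get(path, [])
                      if before_run is None or v.seq < before_run]
        if not candidates:
            raise LookupError(f"no backup of {path} before run {before_run}")
        chosen = max(candidates, key=lambda v: v.seq)
        if hashlib.sha256(chosen.data).hexdigest() != chosen.sha256:
            raise ValueError(f"backup media for {path} (run {chosen.seq}) failed integrity check")
        return chosen.data


def restore_drill(store: VersionedBackupStore, expected: dict[str, bytes],
                  before_run: Optional[int] = None) -> dict[str, bool]:
    """Full restore cycle: restore every file and compare it with known-good
    content. A missing or corrupt backup counts as a failed restore."""
    results = {}
    for path, good in expected.items():
        try:
            results[path] = store.restore(path, before_run) == good
        except (LookupError, ValueError):
            results[path] = False
    return results


# Constructed sample data: two patient records and what they look like after
# an assumed ransomware infection has replaced them with ciphertext.
CLEAN = {
    "records/patient-1.txt": b"MRN 0001: clean record",
    "records/patient-2.txt": b"MRN 0002: clean record",
}
ENCRYPTED = {path: b"<ciphertext placeholder for " + path.encode() + b">"
             for path in CLEAN}


def scenario() -> tuple[dict[str, bool], dict[str, bool]]:
    """Two clean runs, then the infection, then a third run that backs up the
    encrypted files. Returns the drill results for a naive 'restore newest'
    and for 'restore newest before the incident run'."""
    store = VersionedBackupStore()
    store.backup(CLEAN)                      # run 1
    store.backup(CLEAN)                      # run 2
    incident_run = store.backup(ENCRYPTED)   # run 3: newest backup is useless
    newest = restore_drill(store, CLEAN)
    pre_incident = restore_drill(store, CLEAN, before_run=incident_run)
    return newest, pre_incident


if __name__ == "__main__":
    newest, pre_incident = scenario()
    print("restore newest version:        ", newest)
    print("restore newest before incident:", pre_incident)
```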
6.17 Device Control
Ability to enforce a healthcare organization's policy regarding removable storage devices that may be connected by healthcare workers to endpoint client devices. Typically includes representation of policy rules, as well as technology and processes to enforce such rules. Examples include USB sticks or other removable storage.
Notes: Need to get this to prevent use of USB keys with laptops.
HIPAA: Security Rule - Protect Confidentiality - Technical Safeguard
ISO: 27002:2013 Section 8.3.1 Management of Removable Media
NIST: SP 800-53 Rev. 4 MP-7, SC-18, SC-41
PCI DSS: v3.1 Requirement 5
CIS: v6.1 CSC 13.5
GDPR: Regulation 39 security and preventing unauthorised access
Device Control Capability chart: Absent 31%, Partial 31%, Present 38%. Key: Star Healthcare, Average.
Star Healthcare is lagging the healthcare industry in implementing the Device Control capability.
Device Control is relevant to the following breach types: - Insider Accidents or Workarounds - Malicious Insiders or Fraud - Insider Snooping - Ransomware
6.18 Penetration Testing, Vulnerability Scanning
Penetration testing or vulnerability scanning has been conducted within the last year to discover vulnerabilities in a healthcare organization's IT infrastructure or applications.
Notes: Need to conduct this, especially on external network interfaces.
! Recommended Action: 2017: Conduct penetration testing on external interfaces. Complete vulnerability scan to find unsecured machines, including unsecured development and test databases with PHI. See Action Plan.
HIPAA: Security Rule - Protect Confidentiality - Technical Safeguard
ISO: 27002:2013 Section 18.2.3 Technical Compliance Review
NIST: SP 800-53 Rev. 4 CA-8, RA-5, RA-6
PCI DSS: v3.1 Section 11.3
CIS: v6.1 CSC 9, CSC 4, CSC 15.2, CSC 18.4
GDPR: Article 32 1d regular testing, assessing, evaluating effectiveness of security
Pen Testing, Vulnerability Scanning Capability chart: Absent 17%, Partial 35%, Present 48%. Key: Star Healthcare, Average.
Star Healthcare is lagging the healthcare industry in implementing the Penetration Testing, Vulnerability Scanning capability.
Penetration Testing, Vulnerability Scanning is relevant to the following breach types: - Cybercrime Hacking - Malicious Insiders or Fraud - Insider Snooping - Ransomware
6.19 Client Solid State Drive (Encrypted)
Self-encrypting solid state drives are used on client / endpoint devices to protect sensitive patient information at rest, with high performance.
Notes: Currently used in laptops.
HIPAA: 45 CFR 164.312
ISO: 27002:2013 Section 10 Cryptography
NIST: SP 800-53 Rev. 4 SC-28
PCI DSS: v3.1 Section 3.4.1
CIS: v6.1 CSC 13.2, CSC 14.5
GDPR: Article 32 1a encryption of personal data
Client SSD (Encrypted) Capability chart: Absent 63%, Partial 17%, Present 19%. Key: Star Healthcare, Average.
Client Solid State Drive (Encrypted) is relevant to the following breach types: - Loss or Theft of Mobile Device or Media - Malicious Insiders or Fraud - Insider Snooping - Improper Disposal
6.20 Endpoint Data Loss Prevention (Prevention Mode)
Data Loss Prevention for endpoint / client devices. Enforces rules derived from the policy of the healthcare organization that are intended to protect sensitive patient data. Includes capability to monitor user actions, detect potential non-compliance, and take action according to policy rules. Actions may include notifying the user, logging information in an audit log, preventing an action, or protecting data used in an action, for example using encryption.
Notes: Working well as intended.
HIPAA: Security Rule - Protect Confidentiality - Technical Safeguard
ISO: 27002:2013 Section 18.1.3 Protection of Records
NIST: SP 800-53 Rev. 4 SC-7
PCI DSS: v3.1 Requirement 3
CIS: v6.1 CSC 13.9, CSC 13.4
GDPR: Regulation 49 resist accidental events that compromise confidentiality
Endpoint DLP Prevention Capability chart: Absent 69%, Partial 23%, Present 8%. Key: Star Healthcare, Average.
Endpoint Data Loss Prevention (Prevention Mode) is relevant to the following breach types: - Insider Accidents or Workarounds - Malicious Insiders or Fraud - Insider Snooping - Ransomware
6.21 Network Data Loss Prevention (Discovery Mode)
Network based Data Loss Prevention ability to monitor (scan and analyze) network traffic in real time, detect and classify sensitive patient data, and discover unknown risks.
Notes: We don't currently have a network DLP appliance.
HIPAA: Security Rule - Protect Confidentiality - Technical Safeguard
ISO: 27002:2013 Section 13.1 Network Security Management
NIST: SP 800-53 Rev. 4 AU-13, 14, 16
PCI DSS: v3.1 Requirement 3
CIS: v6.1 CSC 13.6
GDPR: Regulation 83 accidental loss of personal data
Network DLP Discovery Capability chart: Absent 65%, Partial 15%, Present 19%. Key: Star Healthcare, Average.
Star Healthcare is lagging the healthcare industry in implementing the Network Data Loss Prevention (Discovery Mode) capability.
Network Data Loss Prevention (Discovery Mode) is relevant to the following breach types: - Insider Accidents or Workarounds - Malicious Insiders or Fraud - Insider Snooping
6.22 Anti-Theft: Remote Locate, Lock, Wipe
Ability for IT Administrators in healthcare organizations to remotely locate lost or stolen mobile client devices, lock them, or wipe them to remove sensitive patient data and thereby reduce risk of breach.
Notes: We have remote locate / lock / wipe only on smartphones and tablets, not on laptops currently.
HIPAA: Security Rule - Protect Confidentiality - Technical Safeguard
ISO: 27002:2013 Section 6.2 Mobile Devices and Teleworking
NIST: SP 800-53 Rev. 4 AC-7, AC-19
PCI DSS: v3.1 Section 9.8
CIS: v6.1 CSC 3.4
GDPR: Regulation 39 security and preventing unauthorised access
Anti-Theft Capability chart: Absent 35%, Partial 33%, Present 33%. Key: Star Healthcare, Average.
Anti-Theft: Remote Locate, Lock, Wipe is relevant to the following breach types: - Loss or Theft of Mobile Device or Media - Malicious Insiders or Fraud - Improper Disposal
6.23 Multi-Factor Authentication with Timeout
Access control with multiple factors: what you know (e.g. username / password), what you have (e.g. security hardware token), or what you are (biometrics). Timeout functionality automatically locks access after a policy defined period of inactivity, intended to reduce the risk of unauthorized access and breach that may result from an unauthorized person accessing an abandoned secure session.
Notes: We don't currently have MFA, but looking at Tap and Go prox cards.
! Recommended Action: 2017: Add tap and go MFA with proximity cards to improve usability and security. See Action Plan.
HIPAA: 45 CFR 164.312
ISO: 27002:2013 Section 9 Access Control
NIST: SP 800-53 Rev. 4 IA-2, AC-2, AC-11, AC-12
PCI DSS: v3.1 Requirement 8
CIS: v6.1 CSC 5.6, CSC 11.4, CSC 12.6, CSC 16.11
GDPR: Regulation 39 security and preventing unauthorised access
MFA with Timeout Capability chart: Absent 29%, Partial 54%, Present 17%. Key: Star Healthcare, Average.
Star Healthcare is lagging the healthcare industry in implementing the Multi-Factor Authentication with Timeout capability.
Multi-Factor Authentication with Timeout is relevant to the following breach types: - Loss or Theft of Mobile Device or Media - Malicious Insiders or Fraud - Insider Snooping
6.24 Secure Remote AdministrationAbility for IT Administrator in healthcare organization tosecurely and remotely administer client devices containingsensitive patient information. This can include diagnostics,remediation of issues, patching, updates eg anti-malwaresignatures, configurations, upgrades, and so forth.
More Info
Notes: We don't currently have vPro laptops with Active Management Technology.
! Recommended Action: 2016 : Add ability to efficiently administer remote endpoints for maintenance, patching, updates and support. See Action Plan.
HIPAA: Security Rule - Protect Confidentiality - Technical Safeguard
ISO: 27002:2013 Section 12.6 Technical Vulnerability Management
NIST: SP 800-53 Rev. 4 MA-4
PCI DSS: v3.1 Section 10.8.1
CIS: v6.1 CSC 3.4
GDPR: Article 32 1c restore availability and access to personal data
[Chart: Secure Remote Administration Capability. Absent 10%, Partial 27%, Present 63%. Key: Star Healthcare, Average]
Star Healthcare is lagging the healthcare industry in implementing the Secure Remote Administration capability.
Secure Remote Administration is relevant to the following breach types:
- Cybercrime Hacking
- Loss or Theft of Mobile Device or Media
- Insider Accidents or Workarounds
- Malicious Insiders or Fraud
- Insider Snooping
6.25 Policy Based Encryption for Files and Folders
Encryption of specific files or folders based on the policy of the healthcare organization and the classification of files, in order to ensure only authorized access to files and folders containing sensitive patient data, and thereby reduce the risk of unauthorized access and of breach.
Notes: X-Ray images are automatically encrypted per policy. Need to get this in place for other types of files.
HIPAA: 45 CFR 164.312
ISO: 27002:2013 Section 10 Cryptography
NIST: SP 800-53 Rev. 4 SC-28
PCI DSS: v3.1 Requirement 3
CIS: v6.1 CSC 13.2, CSC 14.5
GDPR: Article 32 1a encryption of personal data
[Chart: Policy Based Encryption Capability. Absent 85%, Partial 12%, Present 4%. Key: Star Healthcare, Average]
Policy Based Encryption for Files and Folders is relevant to the following breach types:
- Loss or Theft of Mobile Device or Media
- Insider Accidents or Workarounds
- Malicious Insiders or Fraud
- Insider Snooping
- Improper Disposal
6.26 Server / Database / Backup Encryption
Encryption of servers, databases running on servers or SANs, and encryption of backup archives.
Notes: Server filesystem encrypted. Database full disk encryption in place. Backups encrypted before going onto tape.
HIPAA: 45 CFR 164.312
ISO: 27002:2013 Section 10 Cryptography
NIST: SP 800-53 Rev. 4 SC-28
PCI DSS: v3.1 Requirement 3
CIS: v6.1 CSC 10.3, CSC 13.2, CSC 14.5
GDPR: Article 32 1a encryption of personal data
[Chart: Server / Database / Backup Encryption Capability. Absent 40%, Partial 44%, Present 15%. Key: Star Healthcare, Average]
Server / Database / Backup Encryption is relevant to the following breach types:
- Loss or Theft of Mobile Device or Media
- Malicious Insiders or Fraud
- Insider Snooping
- Improper Disposal
6.27 Network Segmentation
The network is segmented to protect critical assets. This can include use of a guest network, a medical devices network, or other segmentation to isolate vulnerabilities.
Notes: Currently have network segmented for Intranet, DMZ, Guest and Medical Devices.
HIPAA: Security Rule - Protect Confidentiality - Technical Safeguard
ISO: 27002:2013 Section 13.1.3 Segregation in Networks
NIST: SP 800-53 Rev. 4 SC-7, SC-32
PCI DSS: v3.1 Requirement 1
CIS: v6.1 CSC 14.1, CSC 12, CSC 15.9
GDPR: Regulation 49 resist unlawful or malicious actions
[Chart: Network Segmentation Capability. Absent 4%, Partial 52%, Present 44%. Key: Star Healthcare, Average]
Network Segmentation is relevant to the following breach types:
- Cybercrime Hacking
- Insider Accidents or Workarounds
- Malicious Insiders or Fraud
- Insider Snooping
- Ransomware
6.28 Network Intrusion Prevention System
Technology and processes to detect and prevent intrusions into the healthcare organization's network.
Notes: Needs better monitoring.
HIPAA: Security Rule - Protect Confidentiality - Technical Safeguard
ISO: 27002:2013 Section 13.1 Network Security Management
NIST: SP 800-53 Rev. 4 SI-4, SC-7
PCI DSS: v3.1 Requirement 1
CIS: v6.1 CSC 12, CSC 15.3
GDPR: Regulation 49 resist unlawful or malicious actions
[Chart: Network IPS Capability. Absent 29%, Partial 17%, Present 54%. Key: Star Healthcare, Average]
Network Intrusion Prevention System is relevant to the following breach types:
- Cybercrime Hacking
- Ransomware
6.29 Business Associate Agreements
Contractual agreements covering the security and privacy of sensitive patient data with all third party sub-contractors or data processors that work with sensitive patient information.
Notes: Most of our contractors have signed a BAA. Working on getting others.
HIPAA: 45 CFR 164.308(b)(1)
ISO: 27002:2013 Section 13.2.4 Confidentiality or Non-Disclosure Agreements
NIST: SP 800-53 Rev. 4 SA-9
PCI DSS: v3.1 Section 12.8.2
GDPR: Article 32 4 controller and processor ensure compliance
[Chart: Business Associate Agreements Capability. Absent 2%, Partial 21%, Present 77%. Key: Star Healthcare, Average]
Star Healthcare is lagging the healthcare industry in implementing the Business Associate Agreements capability.
Business Associate Agreements is relevant to the following breach types:
- Business Associates
6.30 Virtualization
Virtualizing clients so that sensitive healthcare data exists only on strongly managed and secured servers, and not on clients and mobile devices that are at higher risk of loss or theft.
Notes: We have some VDI from zero client terminals, but we still have a significant portion of our endpoint PCs without VDI.
HIPAA: Security Rule - Protect Confidentiality - Technical Safeguard
ISO: 27002:2013 Section 11.2.1 Equipment Siting and Protection
NIST: SP 800-53 Rev. 4 SC-2, SC-7, SI-14
PCI DSS: v3.1 Section 2.2.1
CIS: v6.1 CSC 2.4
GDPR: Regulation 83 protect confidentiality of personal data
[Chart: Virtualization Capability. Absent 12%, Partial 31%, Present 58%. Key: Star Healthcare, Average]
Virtualization is relevant to the following breach types:
- Loss or Theft of Mobile Device or Media
6.31 Server Solid State Drive (Encrypted)
Solid state drive with encryption for protection of sensitive patient data at rest on the drive.
Notes: We don't use any SSDs on the server at present.
HIPAA: 45 CFR 164.312
ISO: 27002:2013 Section 10 Cryptography
NIST: SP 800-53 Rev. 4 SC-28
PCI DSS: v3.1 Section 3.4.1
CIS: v6.1 CSC 13.2, CSC 14.5
GDPR: Article 32 1a encryption of personal data
[Chart: Server SSD (Encrypted) Capability. Absent 87%, Partial 8%, Present 6%. Key: Star Healthcare, Average]
Server Solid State Drive (Encrypted) is relevant to the following breach types:
- Loss or Theft of Mobile Device or Media
- Malicious Insiders or Fraud
- Improper Disposal
6.32 Network Data Loss Prevention (Prevention Mode)
Network Data Loss Prevention ability to prevent non-compliance with the policy of the healthcare organization regarding network traffic. For example, if a healthcare organization has a policy against sending patient information attached to emails, NDLP can detect and block such emails and notify the sender to reduce the risk of recurrence.
Notes: We don't currently have network DLP.
HIPAA: Security Rule - Protect Confidentiality - Technical Safeguard
ISO: 27002:2013 Section 13.1 Network Security Management
NIST: SP 800-53 Rev. 4 SC-7
PCI DSS: v3.1 Requirement 3
CIS: v6.1 CSC 13.6
GDPR: Regulation 49 resist accidental events that compromise confidentiality
[Chart: Network DLP Prevention Capability. Absent 75%, Partial 15%, Present 10%. Key: Star Healthcare, Average]
Network Data Loss Prevention (Prevention Mode) is relevant to the following breach types:
- Cybercrime Hacking
- Insider Accidents or Workarounds
- Malicious Insiders or Fraud
- Insider Snooping
- Ransomware
6.33 Database Activity Monitoring
Monitoring of database activity in order to detect possible intrusion, for example in a case where database administrator credentials may have been compromised and used for covert unauthorized access to sensitive patient information in the database.
Notes: We currently only have this on some of our databases containing patient information.
HIPAA: Security Rule - Protect Confidentiality - Technical Safeguard
ISO: 27002:2013 Section 12.4 Logging and Monitoring
NIST: SP 800-53 Rev. 4 AC-23
PCI DSS: v3.1 Requirement 10
CIS: v6.1 CSC 5.1
GDPR: Regulation 39 security and preventing unauthorised access
[Chart: DB Activity Monitoring Capability. Absent 56%, Partial 31%, Present 13%. Key: Star Healthcare, Average]
Database Activity Monitoring is relevant to the following breach types:
- Cybercrime Hacking
- Malicious Insiders or Fraud
- Insider Snooping
6.34 Digital Forensics
Ability to conduct forensic analysis of IT infrastructure, often in the event of a suspected security incident, to detect unauthorized access to sensitive patient information and establish whether a breach occurred and, if so, characteristics such as timing and extent.
Notes: We contract an external organization for parts of this.
HIPAA: Incident Management - Forensics
ISO: 27002:2013 Section 16.1.7 Collection of Evidence
NIST: SP 800-53 Rev. 4 IR-7, 10
PCI DSS: v3.1 Sections 10.3 and A1.4
CIS: v6.1 CSC 17
GDPR: Regulation 83 protect confidentiality of personal data
[Chart: Digital Forensics Capability. Absent 44%, Partial 19%, Present 37%. Key: Star Healthcare, Average]
Digital Forensics is relevant to the following breach types:
- Cybercrime Hacking
- Loss or Theft of Mobile Device or Media
- Insider Accidents or Workarounds
- Business Associates
- Malicious Insiders or Fraud
- Insider Snooping
- Improper Disposal
- Ransomware
6.35 Security Information and Event Management
Security Information and Event Management includes real-time analysis of logs and security alerts generated by network hardware and applications.
Notes: We really need this to improve our detection capabilities.
! Recommended Action: 2017 : Implement SIEM for improved detection of breaches to minimize business impact. See Action Plan.
HIPAA: Security Rule - Protect Confidentiality - Technical Safeguard
ISO: 27002:2013 Section 12.4 Logging and Monitoring
NIST: SP 800-53 Rev. 4 SI-4
PCI DSS: v3.1 Section 10.6
CIS: v6.1 CSC 6.6
GDPR: Regulation 39 security and preventing unauthorised access
[Chart: SIEM Capability. Absent 56%, Partial 23%, Present 21%. Key: Star Healthcare, Average]
Star Healthcare is lagging the healthcare industry in implementing the Security Information and Event Management capability.
Security Information and Event Management is relevant to the following breach types:
- Cybercrime Hacking
- Malicious Insiders or Fraud
- Insider Snooping
- Ransomware
6.36 Threat Intelligence
Acquisition of threat intelligence information such as where suspicious activities or intrusions have occurred, the nature of the incidents, appropriate safeguards and actions to mitigate, and sharing this information across security infrastructure in near real time to improve defense and minimize recurrence / extent of future intrusions / breaches. Threat intelligence can include reputational information, information acquired through sandboxing and static or dynamic analysis of suspect executables, or behavioral analytics.
Notes: We get updates on new threats from our security provider. We really need the ability to automate update of security controls based on this feed though.
HIPAA: Security Rule - Protect Confidentiality - Technical Safeguard
ISO: 27002:2013 Section 12.6 Technical Vulnerability Management
NIST: SP 800-53 Rev. 4 SI-4, SI-5, SC-7, SC-44
PCI DSS: v3.1 Requirement 5
CIS: v6.1 CSC 8.5, CSC 12, CSC 16.10
GDPR: Regulation 39 security and preventing unauthorised access
[Chart: Threat Intelligence Capability. Absent 50%, Partial 23%, Present 27%. Key: Star Healthcare, Average]
Threat Intelligence is relevant to the following breach types:
- Cybercrime Hacking
- Insider Accidents or Workarounds
- Business Associates
- Malicious Insiders or Fraud
- Insider Snooping
- Ransomware
6.37 Multi-Factor Authentication with Walk-Away Lock
Multi-Factor Authentication including multiple factors from: what you know (eg username / password), what you have (eg security hardware token), and what you are (eg biometrics). Walk-away lock is the ability to automatically lock a secure session the moment a healthcare worker walks away from the endpoint device running that session. Intended to mitigate the risk of an unauthorized individual hijacking a secure session that an authorized user established and has abandoned (where the timeout lock has not yet occurred).
Notes: We don't currently have MFA. Once we have MFA we want to get this through Imprivata walk-away lock based on facial recognition.
! Recommended Action: 2018 : Upgrade tap and go MFA to also include walk-away lock to minimize risk of session hijacking when clinicians leave. See Action Plan.
HIPAA: 45 CFR 164.312
ISO: 27002:2013 Section 9 Access Control
NIST: SP 800-53 Rev. 4 IA-2, AC-2, AC-11, AC-12
PCI DSS: v3.1 Requirement 8
CIS: v6.1 CSC 5.6, CSC 11.4, CSC 12.6, CSC 16.11
GDPR: Regulation 39 security and preventing unauthorised access
[Chart: MFA with Walk-Away Lock Capability. Absent 73%, Partial 23%, Present 4%. Key: Star Healthcare, Average]
Multi-Factor Authentication with Walk-Away Lock is relevant to the following breach types:
- Loss or Theft of Mobile Device or Media
- Malicious Insiders or Fraud
- Insider Snooping
6.38 Client Application Whitelisting
Ability to control what applications run on a client device and block unauthorized applications from running. Typically signature based detection and enforcement. Includes secure processes for provisioning, managing, and updating whitelists.
Notes: We have this on some medical device machines. We need it on more.
HIPAA: Security Rule - Protect Confidentiality - Technical Safeguard
ISO: 27002:2013 Section 12.2.1 Controls Against Malware
NIST: SP 800-53 Rev. 4 CM-7
PCI DSS: v3.1 Requirement 5
CIS: v6.1 CSC 2.2
GDPR: Regulation 49 resist unlawful or malicious actions
[Chart: Client Application Whitelisting Capability. Absent 63%, Partial 27%, Present 10%. Key: Star Healthcare, Average]
Client Application Whitelisting is relevant to the following breach types:
- Loss or Theft of Mobile Device or Media
- Insider Accidents or Workarounds
- Malicious Insiders or Fraud
- Insider Snooping
- Ransomware
6.39 Server Application Whitelisting
Ability to control what applications run on servers and block unauthorized applications from running. Typically signature based detection and enforcement. Includes secure processes for provisioning, managing, and updating whitelists.
Notes: Some servers associated with medical devices have this, but need it on all medical device servers.
HIPAA: Security Rule - Protect Confidentiality - Technical Safeguard
ISO: 27002:2013 Section 12.2.1 Controls Against Malware
NIST: SP 800-53 Rev. 4 CM-7
PCI DSS: v3.1 Requirement 5
CIS: v6.1 CSC 2.2
GDPR: Regulation 49 resist unlawful or malicious actions
[Chart: Server Application Whitelisting Capability. Absent 58%, Partial 31%, Present 12%. Key: Star Healthcare, Average]
Server Application Whitelisting is relevant to the following breach types:
- Cybercrime Hacking
- Malicious Insiders or Fraud
- Insider Snooping
- Ransomware
6.40 De-Identification / Anonymization
The ability to remove or mask personally identifiable fields in sensitive patient information to enable use while minimizing risk of breach.
Notes: We currently do this on data for research.
HIPAA: HHS Guidance
ISO: 27002:2013 Section 9.4.1 Information Access Restriction
NIST: SP 800-53 Rev. 4 MP-6, DM-2, DM-3
PCI DSS: v3.1 Requirement 3
GDPR: Regulation 26 anonymous information
[Chart: De-Id, Anonymize Capability. Absent 37%, Partial 35%, Present 29%. Key: Star Healthcare, Average]
De-Identification / Anonymization is relevant to the following breach types:
- Cybercrime Hacking
- Loss or Theft of Mobile Device or Media
- Insider Accidents or Workarounds
- Business Associates
- Malicious Insiders or Fraud
- Insider Snooping
- Improper Disposal
6.41 Tokenization
Replacing personally identifiable fields in sensitive patient records with opaque unique tokens and storing the mappings from these tokens back to the real data values in a secure access-controlled database.
Notes: We don't do this but could use it for areas of our network that do payment processing and are subject to PCI DSS compliance.
HIPAA: HHS Guidance
ISO: 27002:2013 Section 9.4.1 Information Access Restriction
NIST: SP 800-53 Rev. 4 MP-6, DM-2, DM-3
PCI DSS: v3.1 Requirement 3
GDPR: Article 32 1a pseudonymisation of personal data
[Chart: Tokenization Capability. Absent 79%, Partial 13%, Present 8%. Key: Star Healthcare, Average]
Tokenization is relevant to the following breach types:
- Cybercrime Hacking
- Loss or Theft of Mobile Device or Media
- Insider Accidents or Workarounds
- Business Associates
- Malicious Insiders or Fraud
- Insider Snooping
- Improper Disposal
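The two capabilities described in 6.40 (de-identification) and 6.41 (tokenization), as an added Python example that is not part of this report or of any product it references: a small token vault that replaces identifying fields with opaque random tokens, keeps the token-to-value mapping in a role-gated store with an audit trail, and a de-identification step that strips direct identifiers for research use. The field names, roles and the sample record are assumptions made for the example.

```python
# Added example (not from the Star Healthcare report): a minimal tokenization
# vault and de-identification step as described in sections 6.40 and 6.41.
# Field names, roles and the sample record are constructed for illustration.
import secrets
from dataclasses import dataclass, field

# Fields the (hypothetical) policy classifies as personally identifiable.
PII_FIELDS = ("name", "ssn", "dob")


@dataclass
class TokenVault:
    """Maps opaque tokens back to real values; detokenize is role-gated."""
    allowed_roles: frozenset = frozenset({"billing", "privacy-officer"})
    _store: dict = field(default_factory=dict)    # token -> (field, value)
    _reverse: dict = field(default_factory=dict)  # (field, value) -> token
    audit: list = field(default_factory=list)     # who resolved which token

    def tokenize(self, fld, value):
        # The same value always maps to the same token so records stay
        # joinable, but the token itself reveals nothing about the value.
        key = (fld, value)
        if key not in self._reverse:
            tok = f"tok_{fld}_{secrets.token_hex(8)}"
            self._store[tok] = key
            self._reverse[key] = tok
        return self._reverse[key]

    def detokenize(self, tok, role):
        # Only roles with a business need may resolve a token; every
        # attempt, allowed or denied, is recorded for later review.
        if role not in self.allowed_roles:
            self.audit.append(("denied", role, tok))
            raise PermissionError(f"role {role!r} may not resolve tokens")
        self.audit.append(("resolved", role, tok))
        return self._store[tok][1]


def tokenize_record(record, vault):
    """Replace each PII field with a token; non-PII fields pass through."""
    return {k: (vault.tokenize(k, v) if k in PII_FIELDS else v)
            for k, v in record.items()}


def deidentify_record(record):
    """Research copy: drop direct identifiers, keep only the birth year."""
    out = {k: v for k, v in record.items() if k not in PII_FIELDS}
    if "dob" in record:
        out["birth_year"] = record["dob"][:4]
    return out


# Constructed sample patient record (fictitious data).
SAMPLE = {"name": "Jane Roe", "ssn": "000-00-0000",
          "dob": "1980-05-17", "diagnosis": "J45.20"}

if __name__ == "__main__":
    vault = TokenVault()
    tokenized = tokenize_record(SAMPLE, vault)
    print(tokenized)
    print(deidentify_record(SAMPLE))
    print(vault.detokenize(tokenized["ssn"], "billing"))
```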
6.42 Business Continuity and Disaster Recovery
People, process and technology to enable the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster or disruption.
Notes: Some core / critical systems still need to be added.
HIPAA: Security Rule - Protect Availability
ISO: 27002:2013 Section 11.1.4 Protecting Against External and Environmental Threats
NIST: SP 800-53 Rev. 4 CP-1 to 13
PCI DSS: v3.1 Section 12.10.1
CIS: v6.1 CSC Governance Item #4: Business Continuity and Disaster Recovery
GDPR: Article 32 1c restore availability and access to personal data
[Chart: BC / DR Capability. Absent 15%, Partial 48%, Present 37%. Key: Star Healthcare, Average]
Business Continuity and Disaster Recovery is relevant to the following breach types:
- Cybercrime Hacking
- Malicious Insiders or Fraud
- Ransomware
Intel, and the Intel logo are trademarks of Intel Corporation in the United States and other countries. Other names and brands may be claimed as the property of others. Intel technologies' features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with your system manufacturer or retailer or learn more at intel.com.