“Recommendations for Implementing an Information Security Framework for
Life Science Organizations”
Introduction
Doug Shaw CISA, CRISC
Director of CSV & IT Compliance
Azzur Consulting
Agenda
● Why is information security generally less mature in
Health and Life Science organizations than other
industries?
● What can be done to promote a more holistic
approach?
● What types of controls can be implemented to
improve confidentiality, integrity and availability of
critical systems/ data?
Cyber Health Study Findings Reveal:
● Study in 2014 by BitSight Technologies examined
cyber health of S&P 500 companies
● 82% of companies experienced security breaches
● Healthcare and Life Science companies ranked last
● HLS companies take > 5 days to resolve them
● HLS spends only what is required to be ‘compliant’
Compliance with regulations does not equate to full
security!
Patient (ePHI) Data Breaches 2015
[Pie chart: 2015 breach counts by category; values 39, 43, 2 and 51 across the categories Unauthorized Access, Hacking/ IT Incident, Improper Disposal and Laptop Loss/ Theft]
*https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Audit Findings Support Study Findings
Personal experiences:
● Initial focus is on computer validation, Part 11
● Individual systems validated but no holistic plan for
information security
● Disconnect between system owners and IT
● Gaps between SOPs; overarching policies lacking
● Doing ‘just enough’ to get through inspections
Information Security: Definition
COBIT- “Ensures that within the enterprise, information is protected against disclosure to unauthorized users, improper modification, and non-access when required.”
ISO27001- “Preservation of confidentiality, integrity and availability of information” (CIA)
NIST 800-53- Protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability
MHRA- Extent to which all data are complete, consistent and accurate throughout the data lifecycle.
CIA is Referenced Throughout Regulations!
● 21CFR Part 11- “…employ procedures and controls
designed to ensure authenticity, integrity and, as
appropriate, confidentiality of electronic records..”
● 21CFR Part 211 Sub-part J- Readily available for
inspection
● 21CFR Part 211 Sub-part D- ‘Appropriate control..’
● Both mention availability of records for inspection
● Part 11 Scope and Application- security still in scope
● MHRA Data Integrity Guidance- ‘overarching data
governance’, data integrity controls
Additional Examples:
● 21CFR Part 820- ‘records reasonably accessible’;
‘prevent loss’; ‘records shall be backed up’
● General Principles of Software Validation- calls for
security requirements, design and test
● Computerized Systems used in Clinical Trials-
availability…reconstruct trial, prevent un-authorized
access, data integrity
● 42CFR Part 493 (CLIA)- data is “accurate and
reliable”
InfoSec has Benefits Beyond Compliance
● Corrective actions can be costly, divert key resources
● Patient safety issues
● Lawsuits
● Fines
● Facility closings
● Reduced production
● Financial (recall, negative PR, stock price decline)
Regulator Focus is Increasing
● Warning letter 21CFR 211.68b- (1/2015)- Failed to
exercise appropriate controls over computer
systems
● Warning Letter API- (2/2015)- no backup, audit trail
turned off, raw data not secure
● 483 21CFR 211.68b (7/2014)- Lack of control on lab
instruments to assure data integrity
● 483 21CFR 211.68b- (5/2014) general login allows
data to be deleted or modified
Security Framework Implementation Process
● Identify and classify data
● Identify applicable regulations
● General principles for information security- security
objectives
● Perform risk assessment/ existing control review/
identify gaps
● Implement controls
● Monitor
Scale framework to complexity of operations and risk
Framework Consists of Controlled Documents
Document hierarchy, each level shown with one availability-related example:
● Core Objectives: Availability
● Policies: Business Continuity
● SOPs: Backup/ Restore
● Work Instructions: Tape Rotation
● Forms/ Checklists: Backup Log Review
Supporting processes: Document Control, Training Review, Internal Auditing
Core Objectives Have Multiple Inputs
Inputs to the Core Objectives:
● Data Classification/ Regulations
● Monitoring and Improvement
● Manage Risk
● User Needs
● Manage Costs
Data Can Be Classified Using a Checklist Approach
• Identify applicable regulations
• Inventory systems (regulated v. not)
• Develop checklist based on regulations
• Simple questions: “Does the system contain adverse event data?”
• Have system owners complete and approve
• Assemble information into a living table
General Risk Assessment Approach
● Identify: Risk Scenarios
● Analyze: Effectiveness of Current Controls
● Evaluate: Severity, Probability, Detectability
● Treat/ Control: Additional Controls
Breach categories- excellent starting point for ‘Identify’
phase discussions
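The two slides above (checklist-based data classification, then the Identify/ Analyze/ Evaluate/ Treat risk assessment) can be run as one small procedure. The following is an added illustration in Python, not material from the presentation: the checklist questions beyond the slide's own adverse-event example, the criticality weights and bands, the 1-5 scales, and the multiplicative Severity x Probability x Detectability score reduced by current-control effectiveness are all constructed assumptions; the slides name the three factors but do not prescribe a formula.

```python
"""Checklist-driven data classification feeding a scenario-based risk assessment.

Added example, not from the presentation. Questions, weights, bands, scales
and the scoring formula are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field

# Checklist rows: yes/no question, the regulation it maps to, and the
# criticality weight a "yes" answer contributes (assumed values).
CHECKLIST = [
    ("Does the system contain adverse event data?", "21CFR Part 11", 3),
    ("Does the system hold ePHI?", "HIPAA", 3),
    ("Does the system hold batch/ QC release data?", "21CFR Part 211", 2),
    ("Does the system hold clinical trial source data?", "21CFR Part 11", 2),
]


@dataclass
class SystemRecord:
    name: str
    owner: str
    answers: dict                      # question -> bool, completed by the system owner
    regulations: set = field(default_factory=set)
    criticality: int = 0               # 0 (not regulated) .. 3 (high) after classify()


def classify(system: SystemRecord) -> SystemRecord:
    """Turn checklist answers into applicable regulations and a criticality band."""
    score = 0
    for question, regulation, weight in CHECKLIST:
        if system.answers.get(question, False):
            system.regulations.add(regulation)
            score += weight
    # Constructed banding: 0 -> not regulated, 1-2 -> low, 3-4 -> medium, 5+ -> high
    system.criticality = 0 if score == 0 else 1 if score <= 2 else 2 if score <= 4 else 3
    return system


@dataclass
class Scenario:
    description: str
    probability: int                   # 1 (rare) .. 5 (frequent)
    detectability: int                 # 1 (detected at once) .. 5 (goes unnoticed)
    current_controls: list
    control_effectiveness: float       # Analyze phase: 0.0 (none) .. 1.0 (fully mitigating)
    additional_controls: list          # Treat/ Control phase candidates


def risk_score(system: SystemRecord, scenario: Scenario) -> float:
    """Severity x Probability x Detectability, reduced by current control effectiveness.

    Severity is derived from data criticality (assumed mapping 0..3 -> 1..5).
    """
    severity = {0: 1, 1: 2, 2: 4, 3: 5}[system.criticality]
    raw = severity * scenario.probability * scenario.detectability
    return raw * (1.0 - scenario.control_effectiveness)


def evaluate(system, scenarios, threshold=20.0):
    """Evaluate phase: scenarios whose residual score exceeds the threshold,
    highest first, each with the additional controls to implement."""
    findings = []
    for s in scenarios:
        score = risk_score(system, s)
        if score > threshold:
            findings.append((s.description, round(score, 1), s.additional_controls))
    return sorted(findings, key=lambda f: f[1], reverse=True)


def demo():
    # Constructed system record and scenarios drawn from the slides' scenario list.
    lims = classify(SystemRecord("LIMS", "QC Manager", {
        "Does the system contain adverse event data?": False,
        "Does the system hold ePHI?": True,
        "Does the system hold batch/ QC release data?": True,
        "Does the system hold clinical trial source data?": False,
    }))
    scenarios = [
        Scenario("Unauthorized access via shared login", 4, 4,
                 ["password policy"], 0.25,
                 ["individual user accounts", "audit trail review", "network monitoring"]),
        Scenario("Prolonged power outage", 2, 1,
                 ["battery backup (UPS)"], 0.5,
                 ["diesel generator", "periodic generator testing"]),
        Scenario("Lost backup tapes", 2, 3,
                 [], 0.0,
                 ["encryption at rest", "tape rotation log", "outsourced destruction"]),
    ]
    return lims, evaluate(lims, scenarios)


if __name__ == "__main__":
    system, findings = demo()
    print(system.name, "criticality", system.criticality, sorted(system.regulations))
    for description, score, controls in findings:
        print(f"{score:5.1f}  {description}: {', '.join(controls)}")
```

The point of keeping classification and scoring in one flow is that severity is not guessed per scenario but inherited from the data classification table, so the "living table" the slide describes directly drives which scenarios clear the treatment threshold.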
Controls are Important for Each Phase of Data Lifecycle
Create
•Application Security
•Training
•User SOP
Store
•Encryption at rest
•Physical Security
•Logical Security
•Anti-Virus SW
•Environmental Controls
•OS patching
•Intrusion Prevention System
•Checksum
Retrieve/ Modify
•Firewall
•Encryption in transit
•VPN
•Network Security
•Access Forms
•Application Security
•Disaster Recovery
•Backup/ Restore
•Audit Trails
Archive
•Encryption at rest
•Data Migration Plan
•Physical Security
•Restore Testing
•Hardware Maintenance
•Patching
Destroy
•Outsourced destruction
•Change Management
Think CIA- Confidentiality, Integrity and Availability
…and as Data Flows Through Hardware and Networks
● Individual programs validated but gaps remain
throughout the data flow
● Data typically flows through more than one system
● Chain of custody lacking
● Map data flow as part of risk assessment
● Assign data owner
● CSV policy, templates, education, accountability
Gaps Can Be More Easily Identified When Mapping Flow
Flow: Laboratory Instrument → Excel → Emailed → SAS → Cloud
Locations: Local Hard Drive → Network Drive → Mail Server → Personal Computer → Third Party
Controls should be considered and implemented as
warranted throughout flow
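Mapping the flow as a list of hops makes the gap review mechanical: each hop is either data at rest, data in transit, or data held by a third party, and each kind has a minimum control set. The script below is an added Python illustration, not from the presentation; it uses the slide's own chain (Laboratory Instrument → Excel → Emailed → SAS → Cloud) with a constructed baseline of required controls taken from the lifecycle slide's control names, constructed owners, and constructed "controls in place" chosen to expose typical gaps.

```python
"""Map a data flow hop by hop and report the control gaps at each hop.

Added example, not from the presentation. The required-control baseline,
owners and in-place controls are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Hop:
    step: str          # what happens to the data (from the slide's flow)
    location: str      # where the data sits or moves
    kind: str          # "at_rest", "in_transit" or "third_party"
    owner: str         # assigned data owner; empty string = chain of custody break
    controls: set      # controls actually in place at this hop


# Minimum controls per kind of location (assumed baseline built from the
# lifecycle slide: encryption at rest/ in transit, backup, logical security,
# audit trail, and vendor audit/ SLA for outsourced storage).
REQUIRED = {
    "at_rest": {"encryption at rest", "backup/ restore", "logical security", "audit trail"},
    "in_transit": {"encryption in transit", "logical security"},
    "third_party": {"encryption at rest", "vendor audit", "SLA", "backup/ restore"},
}


def find_gaps(flow):
    """Return {step: sorted missing controls} for hops that fall short of the baseline."""
    gaps = {}
    for hop in flow:
        missing = set(REQUIRED[hop.kind]) - hop.controls
        if not hop.owner:
            missing.add("data owner assigned")   # custody gap, per the slide's "Assign data owner"
        if missing:
            gaps[hop.step] = sorted(missing)
    return gaps


def example_flow():
    # Constructed flow mirroring the slide; in-place controls chosen to show gaps.
    return [
        Hop("Laboratory Instrument", "Local Hard Drive", "at_rest", "Lab Manager",
            {"logical security", "audit trail"}),
        Hop("Excel", "Network Drive", "at_rest", "",
            {"backup/ restore", "logical security"}),
        Hop("Emailed", "Mail Server", "in_transit", "IT",
            {"logical security"}),
        Hop("SAS", "Personal Computer", "at_rest", "Biostatistics",
            {"encryption at rest", "logical security"}),
        Hop("Cloud", "Third Party", "third_party", "Clinical Ops",
            {"encryption at rest", "SLA"}),
    ]


def example_gaps():
    return find_gaps(example_flow())


if __name__ == "__main__":
    for step, missing in example_gaps().items():
        print(f"{step}: missing {', '.join(missing)}")
```

Each hop is reviewed against the same baseline, so the validation status of any single program never hides the fact that, for instance, the spreadsheet stage has no owner and the e-mail stage has no encryption in transit.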
Types of Controls: Technical, Physical, Administrative
Administrative
- Risk assessment
- Access forms
- Maintenance checklists
Technical
- Application security
- Network monitoring
- Firewall
- Encryption
Physical
- Tiered security
- Physical locks
- Badge readers
- Biometric scanner
Use Typical Scenarios to Initiate Risk Assessment Process
Natural disaster: Earthquake, fire, flood, hurricane
Denial of Service, Malware, Virus
Data loss/ corruption/ hardware/ tape failure
Malicious employee
Lost card key
Lost device/ backup tapes
Password sharing
Employee leaves company but still has access
Specific Scenarios Help Identify Many Controls
Scenario 1: Prolonged power outage
Controls: Diesel generator, battery backup, periodic testing of generator/ batteries, checklists, environmental monitoring
Scenario 2: Unauthorized access
Controls: Network monitoring, intrusion prevention, firewall, security patching process, third party penetration testing, incident reporting procedure, anti-virus software, access controls procedure, user training
Related Controls Should be Grouped Into Procedures
Start with generic SOP list- no need to ‘re-invent the wheel’
COBIT, ISO27001, NIST800-53 & FEDRAMP are excellent references
Tie SOPs back to a policy
Scale and merge content according to risk and data criticality
Example SOPs: Change Control, Vendor Mgmt., Incident Handling, Visitor Policy, Physical Security, Logical Security
Control Rigor Does Not Decrease With Outsourcing
Requirement for strong controls does not go away
● Vendor audit program
● Service Level Agreement (SLA)
● SOP coverage
● Change management
● Incident reporting
● Patching (SaaS)
● Validation
Risk Management/ Control Monitoring
● Periodic internal/ supplier auditing
● Review change requests
● Review risk assessment
● Help desk tickets
● User accounts
● Maintenance records
● Regulation changes
● SOPs
● Review data classification/ criticality
● Vendor updates, patches etc.
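Two of the monitoring items above (user account review and the backup log review that appeared earlier as a Forms/ Checklists example) lend themselves to simple automated checks. The following Python is an added illustration, not from the presentation; the backup log line format, the account and leaver records, the as-of date and the 90-day restore-test limit are constructed assumptions.

```python
"""Routine control-monitoring checks run over constructed records.

Added example, not from the presentation. Log format, account data,
leaver dates and thresholds are constructed assumptions.
"""
from datetime import date

# Constructed backup log: date, job, status, date of the last restore test
BACKUP_LOG = """\
2016-03-01 LIMS-full OK restore_tested=2015-11-15
2016-03-02 LIMS-full FAILED restore_tested=2015-11-15
2016-03-03 LIMS-full OK restore_tested=2015-11-15
2016-03-03 CTMS-full OK restore_tested=2016-02-20
"""

# Constructed: enabled accounts per system, and the HR leaver list
ACTIVE_ACCOUNTS = {"LIMS": {"jsmith", "mjones", "contractor01"}, "CTMS": {"jsmith", "rlee"}}
LEAVERS = {"mjones": date(2016, 2, 14), "rlee": date(2016, 3, 1)}

AS_OF = date(2016, 3, 4)   # constructed review date


def review_backup_log(log_text, as_of, max_restore_age_days=90):
    """Flag failed backup jobs and jobs whose last restore test is older than the limit."""
    findings = []
    last_test = {}
    for line in log_text.splitlines():
        day, job, status, tested = line.split()
        if status != "OK":
            findings.append(f"{day} {job}: backup {status}")
        last_test[job] = date.fromisoformat(tested.split("=")[1])
    for job, tested in sorted(last_test.items()):
        if (as_of - tested).days > max_restore_age_days:
            findings.append(f"{job}: restore test overdue (last {tested})")
    return findings


def review_user_accounts(accounts, leavers, as_of):
    """'Employee leaves but still has access' scenario: accounts of leavers still enabled."""
    return sorted(
        f"{system}: {user} left {left}, account still active"
        for system, users in accounts.items()
        for user in users
        for left in [leavers.get(user)]
        if left is not None and left <= as_of
    )


def example_backup_findings():
    return review_backup_log(BACKUP_LOG, AS_OF)


def example_account_findings():
    return review_user_accounts(ACTIVE_ACCOUNTS, LEAVERS, AS_OF)


if __name__ == "__main__":
    for finding in example_backup_findings() + example_account_findings():
        print(finding)
```

Both checks produce findings that can be logged against the relevant SOP (Backup/ Restore, Logical Security) and fed back into the risk assessment review, which is the monitoring loop the slide describes.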
Summary
● Utilize a ‘top-down approach’. Start with
organization’s security objectives and risks
● No need to start with a ‘blank piece of paper’.
Plenty of information available to get RA started
● Classify data based on criticality
● Translate controls into actionable SOPs
● Monitoring is key to maintaining compliance AND
improving efficiency
Complying with Regulations does not necessarily close
all gaps
Agenda- review
● Why is information security generally less mature in
Health and Life Science organizations than other
industries?
● What can be done to promote a more holistic approach?
● What types of controls can be implemented to improve
confidentiality, integrity and availability of critical
systems/ data?
● Jason will elaborate on technical controls
Thank You!
Contact Information:
Doug Shaw CISA, CRISC
610.741.5631