Page 1

“Recommendations for Implementing an Information Security Framework for Life Science Organizations”
Page 2

Introduction

Doug Shaw CISA, CRISC

Director of CSV & IT Compliance

Azzur Consulting

Page 3

Agenda

● Why is information security generally less mature in Health and Life Science organizations than other industries?

● What can be done to promote a more holistic approach?

● What types of controls can be implemented to improve confidentiality, integrity and availability of critical systems/ data?

Page 4

Cyber Health Study Findings Reveal:

● Study in 2014 by BitSight Technologies examined cyber health of S&P500 companies

● 82% of companies experienced security breaches

● Healthcare and Life Science companies ranked last

● HLS take > 5 days to resolve

● Spend only what is required to be ‘compliant’

Compliance with regulations does not equate to full security!

Page 5

Patient (ePHI) Data Breaches 2015

[Chart: breach counts by category; values shown on the chart are 39, 43, 2 and 51]

Breach Categories: Unauthorized Access; Hacking/ IT Incident; Improper Disposal; Laptop Loss/ Theft

*https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Page 6

Audit Findings Support Study Findings

Personal experiences:

● Initial focus is on computer validation, Part 11

● Individual systems validated but no holistic plan for information security

● Disconnect between system owners and IT

● Gaps between SOPs/ overarching policies lacking

● Doing ‘just enough’ to get through inspections

Page 7

Information Security: Definition

COBIT- “Ensures that within the enterprise, information is protected against disclosure to unauthorized users, improper modification, and non-access when required.”

ISO27001- “Preservation of confidentiality, integrity and availability of information” (CIA)

NIST 800-53- Protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability

MHRA- Extent to which all data are complete, consistent and accurate throughout the data lifecycle.

Page 8

CIA is Referenced Throughout Regulations!

● 21CFR Part 11- “…employ procedures and controls designed to ensure authenticity, integrity and, as appropriate, confidentiality of electronic records..”

● 21CFR Part 211 Sub-part J- Readily available for inspection

● 21CFR Part 211 Sub-part D- ‘Appropriate control..’

● Both mention availability of records for inspection

● Part 11 Scope and Application- security still in scope

● MHRA Data Integrity Guidance- ‘overarching data governance’, data integrity controls

Page 9

Additional Examples:

● 21CFR Part 820- “records reasonably accessible”; “prevent loss”; “records shall be backed up”

● General Principles of Software Validation- calls for security requirements, design and test

● Computerized Systems used in Clinical Trials- availability…reconstruct trial, prevent unauthorized access, data integrity

● 42CFR Part 493 (CLIA)- data is “accurate and reliable”

Page 10

InfoSec has Benefits Beyond Compliance

● Corrective actions can be costly, divert key resources

● Patient safety issues

● Lawsuits

● Fines

● Facility closings

● Reduced production

● Financial (recall, negative PR, stock price decline)

Page 11

Regulator Focus is Increasing

● Warning letter 21CFR 211.68b- (1/2015)- Failed to exercise appropriate controls over computer systems

● Warning Letter API- (2/2015)- no backup, audit trail turned off, raw data not secure

● 483 21CFR 211.68b (7/2014)- Lack of control on lab instruments to assure data integrity

● 483 21CFR 211.68b- (5/2014) general login allows data to be deleted or modified

Page 12

Security Framework Implementation Process

● Identify and classify data

● Identify applicable regulations

● General principles for information security- security objectives

● Perform risk assessment/ existing control review/ identify gaps

● Implement controls

● Monitor

Scale framework to complexity of operations and risk

Page 13

Framework Consists of Controlled Documents

Document hierarchy, with the example shown on the slide:

Core Objectives • Availability

Policies • Business Continuity

SOPs • Backup/ Restore

Work Instructions • Tape Rotation

Forms/ Checklists • Backup Log Review

Supporting processes: Document Control, Training Review, Internal Auditing

Page 14

Core Objectives Have Multiple Inputs

Inputs to Core Objectives: Data Classification/ Regulations; Monitoring and Improvement; Manage Risk; User Needs; Manage Costs

Page 15

Data Can Be Classified Using a Checklist Approach

• Identify applicable regulations

• Inventory systems (regulated v. not)

• Develop checklist based on regulations

• Simple questions: “Does the system contain adverse event data?”

• Have system owners complete and approve

• Assemble information into a living table

Page 16

General Risk Assessment Approach

Identify- Risk Scenarios

Analyze- Effectiveness of Current Controls

Evaluate- Severity, Probability, Detectability

Treat/ Control- Additional Controls

Breach categories- excellent starting point for ‘Identify’ phase discussions

Page 17

Controls are Important for Each Phase of Data Lifecycle

Create
• Application Security
• Training
• User SOP

Store
• Encryption at rest
• Physical Security
• Logical Security
• Anti-Virus SW
• Environmental Controls
• OS patching
• Intrusion Prevention System
• Checksum

Retrieve/ Modify
• Firewall
• Encryption in transit
• VPN
• Network Security
• Access Forms
• Application Security
• Disaster Recovery
• Backup/ Restore
• Audit Trails

Archive
• Encryption at rest
• Data Migration Plan
• Physical Security
• Restore Testing
• Hardware Maintenance
• Patching

Destroy
• Outsourced destruction
• Change Management

Think CIA- Confidentiality, Integrity and Availability

Page 18

…and as Data Flows Through Hardware and Networks

● Individual programs validated but gaps remain throughout the data flow

● Data typically flows through more than one system

● Chain of custody lacking

● Map data flow as part of risk assessment

● Assign data owner

● CSV policy, templates, education, accountability

Page 19

Gaps Can Be More Easily Identified When Mapping Flow

Example flow: Laboratory Instrument → Excel → Emailed → SAS → Cloud

Locations the data passes through: Local Hard Drive, Network Drive, Mail Server, Personal Computer, Third Party

Controls should be considered and implemented as warranted throughout flow
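The point of mapping the flow hop by hop is that a missing control becomes visible per location. The following is an added example, not from the deck, that models the slide's lab-to-cloud flow with the lifecycle controls from the previous slide and reports every hop where no control covers confidentiality, integrity or availability. The control-to-objective mapping and the per-hop control lists are constructed assumptions for illustration.

```python
"""Data-flow gap check for the lab-to-cloud flow on the slide.

Added example, not from the original deck. Hop names follow the slide's
flow (Laboratory Instrument -> Excel -> Emailed -> SAS -> Cloud); the
control-to-objective mapping and the per-hop control lists are constructed
assumptions to show the technique, not findings from any real system.
"""
from dataclasses import dataclass, field

# Which CIA objective(s) each control from the lifecycle slide mainly serves
# (assumed mapping; C = confidentiality, I = integrity, A = availability).
CONTROL_OBJECTIVES = {
    "encryption at rest": {"C"},
    "encryption in transit": {"C", "I"},
    "access controls": {"C", "I"},
    "audit trail": {"I"},
    "checksum": {"I"},
    "backup/restore": {"A"},
    "restore testing": {"A"},
    "antivirus": {"I", "A"},
}


@dataclass
class Hop:
    name: str                               # system or storage location the data passes through
    controls: set = field(default_factory=set)  # controls in place at this hop

    def missing(self) -> set:
        """Objectives no control at this hop covers."""
        covered = set().union(*(CONTROL_OBJECTIVES.get(c, set()) for c in self.controls))
        return {"C", "I", "A"} - covered


def find_gaps(flow):
    """Return {hop name: sorted missing objectives} for every hop with a gap."""
    return {h.name: sorted(h.missing()) for h in flow if h.missing()}


# Constructed flow following the slide; the control lists are hypothetical.
EXAMPLE_FLOW = [
    Hop("Laboratory Instrument (local hard drive)", {"access controls", "audit trail"}),
    Hop("Excel on personal computer", {"antivirus"}),
    Hop("Emailed via mail server", set()),
    Hop("SAS on network drive", {"access controls", "audit trail", "backup/restore"}),
    Hop("Cloud (third party)", {"encryption at rest", "encryption in transit", "backup/restore"}),
]

if __name__ == "__main__":
    for hop, gaps in find_gaps(EXAMPLE_FLOW).items():
        print(f"{hop}: no control covering {', '.join(gaps)}")
```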

Page 20

Types of Controls: Technical, Physical, Administrative

Administrative

- Risk assessment

- Access forms

- Maintenance checklists

Technical

- Application security

- Network monitoring

- Firewall

- Encryption

Physical

- Tiered security

- Physical locks

- Badge readers

- Biometric scanner

Page 21

Use Typical Scenarios to Initiate Risk Assessment Process

Natural disaster: Earthquake, fire, flood, hurricane

Denial of Service, Malware, Virus

Data loss/ corruption/ hardware/ tape failure

Malicious employee

Lost card key

Lost device/ backup tapes

Password sharing

Employee leaves company but still has access

Page 22

Specific Scenarios Help Identify Many Controls

Scenario 1: Prolonged power outage

Controls: Diesel generator, battery backup, periodic testing of generator/ batteries, checklists, environmental monitoring

Scenario 2: Unauthorized access

Controls: Network monitoring, intrusion prevention, firewall, security patching process, third party penetration testing, incident reporting procedure, anti-virus software, access controls procedure, user training

Page 23

Related Controls Should be Grouped Into Procedures

Start with generic SOP list- no need to ‘re-invent the wheel’

COBIT, ISO27001, NIST800-53 & FEDRAMP are excellent references

Tie SOPs back to a policy

Scale and merge content according to risk and data criticality

Example SOPs: Change Control; Vendor Mgmt.; Incident Handling; Visitor Policy; Physical Security; Logical Security

Page 24

Control Rigor Does Not Decrease With Outsourcing

Requirement for strong controls does not go away

● Vendor audit program

● Service Level Agreement (SLA)

● SOP coverage

● Change management

● Incident reporting

● Patching (SaaS)

● Validation

Page 25

Risk Management/ Control Monitoring

● Periodic internal/ supplier auditing

● Review change requests

● Review risk assessment

● Help desk tickets

● User accounts

● Maintenance records

● Regulation changes

● SOPs

● Review data classification/ criticality

● Vendor updates, patches etc.

Page 26

Summary

● Utilize a ‘top-down approach’. Start with organization’s security objectives and risks

● No need to start with a ‘blank piece of paper’. Plenty of information available to get RA started

● Classify data based on criticality

● Translate controls into actionable SOPs

● Monitoring is key to maintaining compliance AND improving efficiency

Complying with Regulations does not necessarily close all gaps

Page 27

Agenda- review

● Why is information security generally less mature in Health and Life Science organizations than other industries?

● What can be done to promote a more holistic approach?

● What types of controls can be implemented to improve confidentiality, integrity and availability of critical systems/ data?

● Jason will elaborate on technical controls

Page 28

Thank You!

Contact Information:

Doug Shaw CISA, CRISC

[email protected]

610.741.5631