Risk Assessment: Key to a Successful Information Security Program
Sharon Welna, Information Security Officer
October 23, 2008


Agenda
• Environment
  • Legal entities
  • Network
  • Regulatory
• Information Security organizational structure
• What is a mobile device?
• How are mobile devices used in healthcare
• Risk Assessment
• Risk Mitigation

Nebraska’s Pride is 500-miles wide


Sharon Welna, Information Security Officer

Education
• BA from UNL (Major: Political Science)
• MBA from UNO

Experience
• Organizations: ConAgra, Central Telephone, Creighton University, Medical Hospital
• Roles: CIO; Director, Medical Records; Controller; Director, IT


Partners in Healthcare
• The Nebraska Medical Center
• UNMC
• UNMC Physicians

Patient Care, Education, Research, Outreach, Diversity

Partnership Vision


The partnership of UNMC and the Nebraska Health System will be a world-renowned health sciences center that:
• Delivers state-of-the-art health care;
• Prepares the best-educated health professionals and scientists;
• Ranks among the leading research centers;
• Advances our historic commitment to community health;
• Embraces the richness of diversity to build unity.

Environment: Legal Entities
UNMC
• College of Nursing, College of Medicine, College of Pharmacy, College of Dentistry, College of Public Health, Eppley Cancer Institute, Munroe Meyer Institute
• 3,000+ students
• 4,000+ faculty / staff
• $90+ million research


Environment: Legal Entities
The Nebraska Medical Center
• 1997 partnership
• 735 licensed beds
• 900+ medical staff
• 4,400+ employees
• UNMC’s primary teaching hospital


Environment: Legal Entities
UNMC Physicians (physician practice group)
• 500 physicians serving in over 50 specialist and sub-specialist areas, from family medicine to transplantation
• 300+ non-physician employees


Environment: Physical
Omaha
• Midtown: 100 acres, 43 buildings, 3.9 million square feet
• 30+ clinics
Outside Omaha
• College of Nursing: Lincoln, Kearney, Scottsbluff, Norfolk (under development)
• College of Dentistry: Lincoln


Buildings, Moves and More…
• Weigel Williamson Center for Visual Rehabilitation, 38th & Jones (April 08)
• Sorrell Center for Health Science Education (August 08)
• Durham Research Center II (Winter 08)
• Patient Financial Services / TNMC Executive Offices relocation to Mutual of Omaha, 3333 Farnam Street
• Village Point: NMC Cancer Center (late 08 / early 09)
• Bellevue Medical Center, Highway 370 and 25th Street, Bellevue, Nebraska (2010)

Environment: Regulatory
• HIPAA: Healthcare
• GLBA: Financial
• FERPA: Student
• PCI: Credit card
• And more

Environment: Information Security
• Entities contractually agreed to follow the same policies and procedures
• Information Security Officer: policies, procedures, incident management, legal
• Network Technical Services Team: technical security implementation


Environment: Wireless
• 800+ access points
• 1 million+ square feet
• Cisco unified wireless network infrastructure


Mobile Devices


Medical Mobile Devices


• IV pumps
• Glucose meters

Mobile Device Usage
• Electronic Medical Record viewing
• Point of Care devices
• Traditional administrative functions


Summary
• 12,000 members of the workforce
• Want to access data from anywhere, anytime, with any device, securely


Risk Analysis
Protect the organization’s ability to perform its mission

Risk Analysis: Approach #1
• Identify risk
• Determine risk mitigation alternatives and cost
• Compare risk mitigation cost to Annual Loss Expectancy
• Implement / do not implement decision

Risk Analysis: Approach #1

Definitions:
• Annualized Rate of Occurrence (ARO)
• Single Loss Expectancy (SLE)
• Annual Loss Expectancy (ALE)

Risk Formula:
ARO * SLE = ALE

Single Loss Expectancy
Costs include:
• Notification (creating letter, postage, etc.)
• 800 number set-up and staffing
• Staff time…

Gartner estimate as of August 2007: $300/account


Annual Loss Expectancy

Category                              Assumption
Annualized Rate of Occurrence (ARO)   2
Single Loss Expectancy (SLE)          $300/account * 1,000 accounts = $300,000
Annual Loss Expectancy (ALE)          $600,000
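To make Approach #1 concrete, here is an added Python example (not from the presentation) that computes SLE and ALE from the deck’s assumptions and applies the implement / do-not-implement comparison; the $50,000-per-year control cost and the residual ARO of 0.5 after the control are assumptions constructed for illustration.

```python
# Added example, not from the presentation: quantitative risk analysis
# (Approach #1). Risk formula from the slides: ARO * SLE = ALE.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    aro: float               # Annualized Rate of Occurrence (incidents / year)
    cost_per_account: float  # per-record breach cost (Gartner, Aug 2007: $300)
    accounts: int            # records exposed in one incident


def single_loss_expectancy(s: Scenario) -> float:
    """SLE = cost per account * accounts exposed in a single incident."""
    return s.cost_per_account * s.accounts


def annual_loss_expectancy(s: Scenario) -> float:
    """ALE = ARO * SLE, the deck's risk formula."""
    return s.aro * single_loss_expectancy(s)


def mitigation_decision(s: Scenario, annual_control_cost: float,
                        aro_after_control: float) -> dict:
    """Implement / do-not-implement: compare the control's annual cost with
    the ALE reduction it buys. A positive net benefit favours implementing."""
    before = annual_loss_expectancy(s)
    residual = Scenario(s.name, aro_after_control, s.cost_per_account, s.accounts)
    after = annual_loss_expectancy(residual)
    net_benefit = before - after - annual_control_cost
    return {"ale_before": before, "ale_after": after,
            "net_benefit": net_benefit, "implement": net_benefit > 0}


# The deck's assumptions: ARO 2, $300/account, 1,000 accounts -> ALE $600,000.
LOST_DEVICE = Scenario("lost device with 1,000 records", aro=2,
                       cost_per_account=300, accounts=1_000)

if __name__ == "__main__":
    print(f"SLE = ${single_loss_expectancy(LOST_DEVICE):,.0f}")
    print(f"ALE = ${annual_loss_expectancy(LOST_DEVICE):,.0f}")
    # Constructed assumptions: the control costs $50,000/year and cuts ARO to 0.5.
    print(mitigation_decision(LOST_DEVICE, 50_000, aro_after_control=0.5))
```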


Risk Analysis: Approach #2
NIST SP 800-30, Risk Management Guide for Information Technology Systems

NIST 800-30 Guide Purpose
• Provide a foundation for risk management program development
• Provide information on cost-effective security controls

Definitions
• Risk: “…a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.”
• Risk management: process of identifying, assessing and reducing risk
• Threat: “The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.”
• Threat-Source: “Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.”
• Vulnerability: Hardware, firmware, or software flaw that leaves an AIS (automated information system) open for potential exploitation. A weakness in automated system security procedures, administrative controls, physical layout or internal controls that could be exploited by a threat to gain unauthorized access to information or disrupt critical processing.

Risk Assessment Methodology, Step 1: System Characterization
Collect system-related information, including:
• Which mobile devices
• How they are being used

Risk Assessment Methodology, Step 2: Threat Identification
• Identify potential threat-sources that could cause harm to the IT system and its environment
• Can be natural, human or environmental

Risk Assessment Methodology, Step 3: Vulnerability Identification
• Develop a list of system vulnerabilities (flaws or weaknesses) that could be exploited
• Develop a Security Requirements Checklist

Risk Assessment Methodology, Step 4: Control Analysis
• Control methods: may be technical or non-technical
• Control categories: preventative or detective
• Control analysis technique: use of the security requirements checklist

Risk Assessment Methodology, Step 5: Likelihood Determination
Governing factors:
• Threat-source motivation and capability
• Nature of the vulnerability
• Existence and effectiveness of current controls
Levels: High, Medium or Low

Risk Assessment Methodology, Step 6: Impact Analysis
Prerequisite information:
• System mission
• System and data criticality
• System and data sensitivity
Adverse impact is described in terms of loss or degradation of integrity, confidentiality, availability.
Quantitative vs. qualitative assessment

Risk Assessment Methodology, Step 7: Risk Determination
• Develop a Risk-Level Matrix: Risk Level = Threat Likelihood x Threat Impact
• Develop a Risk Scale: risk levels with associated descriptions and necessary actions

NIST Likelihood

Likelihood, definition, weight:
• High (1.0): Threat is sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
• Medium (0.5): Threat is sufficiently capable, and controls are in place that MAY impede successful exercise of the vulnerability.
• Low (0.1): Threat lacks capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

NIST Impact

Impact, exercise of the vulnerability, weight:
• High (100): 1. May result in highly costly loss of major tangible assets or resources; 2. May significantly violate, harm or impede the organization’s mission, reputation or interest; or 3. May result in human death or serious injury.
• Medium (50): 1. May result in costly loss of major tangible assets or resources; 2. May violate, harm or impede the organization’s mission, reputation or interest; or 3. May result in human injury.
• Low (10): 1. May result in loss of some tangible assets or resources; 2. May noticeably affect an organization’s mission, reputation or interest.

NIST Risk Level Matrix

Threat Likelihood | Impact: Low (10) | Impact: Medium (50) | Impact: High (100)
High (1.0)        | 10 x 1.0 = 10    | 50 x 1.0 = 50       | 100 x 1.0 = 100
Medium (0.5)      | 10 x 0.5 = 5     | 50 x 0.5 = 25       | 100 x 0.5 = 50
Low (0.1)         | 10 x 0.1 = 1     | 50 x 0.1 = 5        | 100 x 0.1 = 10

NIST Risk Matrix Example
• Category: Mobile Devices
• Vulnerability: Device is lost
• Threat: Confidential data is stored on device
• Mitigation Strategies Implemented: Encryption
• Likelihood: High
• Likelihood Rating: 1.0
• Impact: Low
• Impact Rating: 10
• Risk Rating: 10 (1.0 x 10)
• Action Plan (if needed)

NIST Risk Level
• High (50-100): Strong need for corrective measure as soon as possible
• Medium (10-49): Plan must be developed and implemented within a reasonable period of time
• Low (1-9): Determine if corrective action is needed or whether the risk can be accepted
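An added Python example (not from the presentation) that encodes the deck’s NIST likelihood and impact weights, its risk-level bands and its lost-device example; it rebuilds the 3x3 risk-level matrix and also rates the same device without encryption (impact assumed High), an assumption added here to show what the control buys.

```python
# Added example, not from the presentation: NIST SP 800-30 style risk
# determination with the likelihood/impact weights and risk bands on the slides.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
# Risk-level bands as the deck states them: High 50-100, Medium 10-49, Low 1-9.
RISK_LEVELS = [
    (50, "High", "Strong need for corrective measure as soon as possible"),
    (10, "Medium", "Plan must be developed and implemented within a reasonable period of time"),
    (1, "Low", "Determine if corrective action is needed or can risk be accepted"),
]


def risk_rating(likelihood: str, impact: str) -> float:
    """Risk Level = Threat Likelihood x Threat Impact."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(rating: float) -> tuple:
    """Map a numeric rating to the deck's risk level and necessary action."""
    for floor, level, action in RISK_LEVELS:
        if rating >= floor:
            return level, action
    return RISK_LEVELS[-1][1], RISK_LEVELS[-1][2]


def risk_matrix() -> dict:
    """Rebuild the 3x3 Risk Level Matrix from the slides, keyed by level names."""
    return {(lk, im): risk_rating(lk, im) for lk in LIKELIHOOD for im in IMPACT}


def assess(vulnerability: str, threat: str, mitigation: str,
           likelihood: str, impact: str) -> dict:
    """One row of the deck's risk matrix example, with the level looked up."""
    rating = risk_rating(likelihood, impact)
    level, action = risk_level(rating)
    return {"vulnerability": vulnerability, "threat": threat,
            "mitigation": mitigation, "risk_rating": rating,
            "risk_level": level, "action": action}


if __name__ == "__main__":
    # The deck's example: device lost, confidential data stored on it,
    # encryption implemented -> likelihood High (1.0), impact Low (10).
    print(assess("Device is lost", "Confidential data is stored on device",
                 "Encryption", "High", "Low"))
    # Assumed contrast (not on the slides): same device with no encryption,
    # so the impact of the exposed data is rated High.
    print(assess("Device is lost", "Confidential data is stored on device",
                 "None", "High", "High"))
```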

Risk Assessment Methodology, Step 8: Control Recommendations
Factors to consider:
• Effectiveness of recommended option
• Legislation and regulation
• Organizational policy
• Operational impact
• Safety and reliability

Risk Assessment Methodology, Step 9: Results Documentation
Risk Assessment Report:
• Presented to senior management and mission owners
• Describes threats and vulnerabilities, measures risk and provides recommendations on controls to implement

Risk Mitigation Strategies
Specific to the device
Laptops:
• Password protection
• Encryption
Blackberries:
• Vendor recommendation
• Policy/procedure to follow if device is lost
• Device “wiped” from the server


Risk Mitigation Strategies
Flash drives:
• Encryption required
• Working towards making it easy to access data remotely, eliminating the need for a flash drive
