RSAM User Conference

Janice Sarver, Karen Bulawa
InfoSec Risk Management
September 25, 2013

Slide 2: Reflection

"A journey of a thousand miles begins with a single step."

Lao-tzu, The Way of Lao-tzu, Chinese philosopher (604 BC - 531 BC)

Slide 3: Overview

• Dignity Health – Organizational Overview
• Goals of Implementation of RSAM
• Challenges
• Current Use Cases
• Sample Metrics
• Future Focus
• Timeline for RSAM GRC Direction
• Additional Use Case Requests – RSAM GRC Direction
• Questions

Slide 4: Dignity Health – Organizational Overview

• Dignity Health, one of the nation’s five largest health care systems, is a 17-state network of 10,000 physicians and 56,000 employees who provide patient-centered care at more than 300 care centers, including hospitals, urgent and occupational care, imaging centers, home health, and primary care clinics.

• Headquartered in San Francisco, Dignity Health is dedicated to providing compassionate, high-quality and affordable patient-centered care with special attention to the poor and underserved. In 2012, Dignity Health provided $1.6 billion in charitable care and services.

STATISTICS (Fiscal Year 2012)

Assets: $13.5 billion
Net Operating Revenue: $10.5 billion
General Acute Patient Care Days: 1.6 million
Community Benefits and Care of the Poor: $1.6 billion
Acute Care Beds: 8,400
Skilled Nursing Beds: 800
Acute Care Hospitals: 39
Active Physicians: 10,000
Total Employees: 56,000

Source: http://www.dignityhealth.org/stellent/groups/public/@xinternet_con_sys/documents/webcontent/232618.pdf

Slide 5: Goals of Implementation of RSAM

• Minimize risk
• Maximize efficiency
• Provide a clear process for users to follow
• Be responsive to internal and external auditors
• Ensure effective issue tracking from start to resolution

Slide 6: Challenges

• Paper based
• Access management
• Decentralized archival
• Manual workflow
• Difficult to evaluate risk

• Stakeholder engagement
• Workflow documentation
• Process documentation

Slide 7: Current Use Cases

• Security Assessments
  – Enables online access to vendors
  – Multiple internal reviewers can review, track, comment
• CSIRT Tracking
  – Manages workflow (notifications, deadlines)
  – Links to internal policy source
  – Enables reporting/trending
• Variance
  – Connects to related Security Assessments
  – Tracks expirations
• Meaningful Use Risk Assessment
  – Connects with remediation plans
• Privacy
  – Tracks a single reportable incident at multiple locations

Slide 8: Security Assessments

Current State
• Manual process transferred to RSAM.
• Flexibility for dynamic questions to limit unnecessary time on behalf of the business.

Gaps Realized
• Questions need refining to gather specific information, rather than open text fields.
• Dynamic questions have to tie back to project plans for implementation/remediation.
• Need to drive a more uniform approach to action plans.
• Leverage SSRS to report out to various audiences.
• Implement risk ranking to help prioritize resources.

Slide 9: Security Assessments

• Security Assessments Dynamic Questions

Slide 10: CSIRTs

Current State
• Workflow maturity from manual processes.
• Notifications and escalations added to workflow.
• Handover to Compliance once investigation and triage are complete.

Gaps Realized
• Revisit categorizations (cascading sub-categories).
• Build out lessons learned phase.
• SSRS
• Risk ranking

Slide 11: CSIRT Data Gathering

Slide 12: CSIRT Event Analysis

Slide 13: Sample Metrics: Security Incidents - Open/Close
Sample data is displayed. This does not represent actual results.

Slide 14: Sample Metrics: Incidents by Category
Sample data is displayed. This does not represent actual results.

Slide 15: Sample Metrics: Details for Top Incident Category
Sample data is displayed. This does not represent actual results.

Slide 16: Sample Metrics: Incidents by Facility
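The four metrics slides above are charts drawn from sample data. The Python below is an added example, not part of the presentation and not RSAM or SSRS code, that computes the same four views (incidents opened and closed per month, counts by category, details for the top category, counts by facility) from a constructed list of incident records. The record fields, category names and facility names are assumptions made for the example; in the deck these reports come from SSRS over the RSAM database.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Incident:
    ident: str
    category: str
    facility: str
    opened: date
    closed: Optional[date]  # None while the incident is still open


# Constructed sample incidents for the example; these are not Dignity Health results.
SAMPLE_INCIDENTS = [
    Incident("INC-001", "Lost/Stolen Device", "Facility A", date(2013, 7, 3), date(2013, 7, 10)),
    Incident("INC-002", "Malware", "Facility B", date(2013, 7, 8), date(2013, 7, 9)),
    Incident("INC-003", "Lost/Stolen Device", "Facility A", date(2013, 7, 21), None),
    Incident("INC-004", "Phishing", "Facility C", date(2013, 8, 2), date(2013, 8, 4)),
    Incident("INC-005", "Lost/Stolen Device", "Facility B", date(2013, 8, 15), date(2013, 9, 1)),
    Incident("INC-006", "Malware", "Facility A", date(2013, 9, 5), None),
    Incident("INC-007", "Lost/Stolen Device", "Facility C", date(2013, 9, 12), None),
]


def month_key(d):
    """Bucket a date into a 'YYYY-MM' reporting period."""
    return f"{d.year:04d}-{d.month:02d}"


def opened_closed_by_month(incidents):
    """Slide 13 view: incidents opened and closed in each month, in month order."""
    opened, closed = Counter(), Counter()
    for inc in incidents:
        opened[month_key(inc.opened)] += 1
        if inc.closed:
            closed[month_key(inc.closed)] += 1
    months = sorted(set(opened) | set(closed))
    return {m: {"opened": opened[m], "closed": closed[m]} for m in months}


def by_category(incidents):
    """Slide 14 view: incident counts per category, largest first."""
    return dict(Counter(i.category for i in incidents).most_common())


def top_category_details(incidents):
    """Slide 15 view: drill-down on the category with the most incidents."""
    counts = by_category(incidents)
    top = next(iter(counts))  # most_common() placed the largest category first
    members = [i for i in incidents if i.category == top]
    still_open = [i.ident for i in members if i.closed is None]
    durations = [(i.closed - i.opened).days for i in members if i.closed]
    return {
        "category": top,
        "total": len(members),
        "open": still_open,
        "avg_days_to_close": sum(durations) / len(durations) if durations else None,
        "facilities": dict(Counter(i.facility for i in members)),
    }


def by_facility(incidents):
    """Slide 16 view: incident counts per facility, largest first."""
    return dict(Counter(i.facility for i in incidents).most_common())


if __name__ == "__main__":
    print(opened_closed_by_month(SAMPLE_INCIDENTS))
    print(by_category(SAMPLE_INCIDENTS))
    print(top_category_details(SAMPLE_INCIDENTS))
    print(by_facility(SAMPLE_INCIDENTS))
```

Closing a month with more incidents opened than closed is the trend the open/close chart is meant to surface; the top-category drill-down also separates still-open items from the average time to close, so an unresolved backlog cannot hide behind a good average.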

Slide 17: Variances

Current State
• Manual process put into RSAM workflow.
• Approval process improved.
• Search features and user assignment capability improved “need to know” for the business.

Gaps Realized
• Dynamic question set revisions.
• Customize information requested to be appropriate for the specific variance request.

Slide 18: Variance Request Form

Slide 19: Meaningful Use

Current State
• Phase 1 complete for those locations with EHR.
• Attestations complete for funding.
• Reports with risk areas and scoring implemented.

Gaps Realized
• Yearly re-attestation process.
• Business Owners needed remediation plans set for them.
• Remediation plans needed to be stored in RSAM with the assessment.

Slide 20: Meaningful Use Risk Assessments

• Navigator screen

Slide 21: Scoring of Meaningful Use

• Risk Scoring

Slide 22: Privacy Impact Assessments

Current State
• Facility Privacy Officials
• Shared assessments across multiple facilities eliminate duplicate work.

Slide 23: Privacy Impact Assessment

• Privacy Impact Assessment

Slide 24: Vendor Access

• Vendor access is requested by a Dignity Health employee.
• Run vendor access through F5s or use offline data gathering.
• Dormant Disable process is run to remove vendor access after a period of time has elapsed.
• Saves time for the Project Managers.
• Improves accuracy of answers for implementations.
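The Dormant Disable step above removes vendor access that has gone unused for a period of time. As an added example, not from the presentation and not RSAM's own logic, the Python below applies that rule to a constructed list of vendor access records and produces the work items an access management team would act on. A never-used account is measured from the date it was granted, so access that was provisioned but never picked up cannot sit open indefinitely. The 90-day window, the record fields, the account and vendor names and the review date are assumptions; the deck does not state the period it uses.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class VendorAccess:
    account: str
    vendor: str
    requested_by: str       # Dignity Health employee who requested the access
    granted: date
    last_access: Optional[date]  # None when the vendor has never used the account


# Constructed sample records for the example; not real vendor accounts.
SAMPLE_ACCESS = [
    VendorAccess("vnd-ehrsupport", "EHR Vendor A", "jdoe", date(2013, 3, 1), date(2013, 9, 20)),
    VendorAccess("vnd-imaging", "Imaging Vendor B", "asmith", date(2013, 2, 15), date(2013, 5, 2)),
    VendorAccess("vnd-labint", "Lab Interface Vendor C", "jdoe", date(2013, 4, 10), None),
    VendorAccess("vnd-billing", "Billing Vendor D", "rlee", date(2013, 9, 1), None),
]

# Assumed dormancy window; the presentation does not state the period RSAM uses.
DORMANT_AFTER = timedelta(days=90)
# Assumed date of the review run, chosen to match the conference date.
DEFAULT_AS_OF = date(2013, 9, 25)


def last_activity(rec):
    """Date the account was last used, or the grant date if it was never used."""
    return rec.last_access or rec.granted


def dormant_accounts(records, as_of=DEFAULT_AS_OF, window=DORMANT_AFTER):
    """Return (account, idle_days) for every record idle for at least `window`, longest idle first."""
    result = []
    for rec in records:
        idle = as_of - last_activity(rec)
        if idle >= window:
            result.append((rec.account, idle.days))
    return sorted(result, key=lambda pair: -pair[1])


def disable_actions(records, as_of=DEFAULT_AS_OF, window=DORMANT_AFTER):
    """Build the work items a Dormant Disable run hands to access management.

    Each item names the account to disable and the requesting employee to notify,
    and flags accounts that were granted but never used so they can be reviewed
    separately from access that simply lapsed.
    """
    idle = dict(dormant_accounts(records, as_of, window))
    return [
        {
            "account": rec.account,
            "vendor": rec.vendor,
            "notify": rec.requested_by,
            "idle_days": idle[rec.account],
            "never_used": rec.last_access is None,
        }
        for rec in records
        if rec.account in idle
    ]


if __name__ == "__main__":
    for item in disable_actions(SAMPLE_ACCESS):
        print(item)
```

Keeping the requester on each work item matters in practice: the employee who asked for the access is the person who can confirm whether the vendor engagement is over, and the notification doubles as the record that the disable was reviewed rather than silently applied.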

Slide 25: Benefits

• Trending available for leadership decisions.
• Reduced duplication of work during manual processes.
• Ability to look up history for every assessment or event.
• Improved accuracy of data gathered by using multi-select and drop-down fields.
• Centralized storage of risk information partially realized.

Slide 26: Future Focus

• Global picture - GRC framework from the top down
• Risk weighting/ranking
• Prioritization of remediation efforts
• Synchronize investigation and reporting
• Refine question sets
• Leverage new functionality in Version 8
• SSRS
• Connections between use cases where duplicate data is needed/used

Slide 27: Timeline for RSAM GRC Direction

Task Name                                                                   Target FY14 Quarter
General Maintenance                                                         Ongoing
Upgrade Hardware                                                            Q2
Upgrade to Version 8                                                        Q2
SSRS Reporting                                                              Q2
Metrics/Trending                                                            Q2
Improvements on Existing Use Cases                                          Q3
Top-Down and Bottom-Up Methodology Change                                   Q3
Industry Standards and Regulatory Compliance                                Q3
Link Repeatable Information Between Use Cases                               Q4
Technology Automation for Existing Manual Processes in Security Operations  Q4
New Use Cases Needed                                                        Q4

Slide 28: Additional Use Cases Requested - RSAM GRC Direction

Business Use Case / Business Area and Controls Area

IT Compliance - Business Impact Assessment
    Ensure BIAs are updated every year and a standardized priority is in place. Drives disaster recovery testing and prioritization.

IT Audit/Compliance
    Audit finding tracking and remediation in a central repository with links to variance requests and other use cases.

HIPAA Corporate Compliance
    HIPAA Compliance Waivers with compensating controls from the business and human resource perspective.

HIPAA IT Compliance
    HIPAA Transaction Compliance Waivers with compensating controls from an IT perspective.

Software License Tracking for IT
    Ensures a central location for licensing and reminders for renewals.

Security Ops Forms and Processing
    For example: Third Party Access, Elevated Privileges, Smart Phones,

Monitoring and Alerting Systems Imports
    Nitro, Rapid7, Varonis, Cisco Intrusion Detection, McAfee EPO, Firewall Log Reviews, Marimba, etc.

Slide 29: Questions