IEHIE Proposal for Continuous Compliance, Mitigation & Recovery (CCMR) Program
Focused on Small (1-9) Physician Groups, their affiliates, and Business Associates
www.netspective.com
Comprehensive and Continuous Security Solution
Cyber threats haunt security experts every day, and even IT professionals cannot keep up with the pace of new risks. Asking small physician practices to remain secure while trying to stay profitable, as reimbursements decline and administrative burdens increase, is both unreasonable and untenable.
Inland Empire Health Information Exchange (IEHIE) met with Netspective in early June and expressed a desire to deploy a comprehensive approach to protecting IEHIE’s environment by looking beyond its own infrastructure and into the volatile cyber threat environments at its smallest physician sites’ most vulnerable endpoints.
This would be accomplished using a unified, continuous, legal, security, and cyber risk coverage approach which would allow its network participants to establish and manage a minimum but adequate standard for IT security practices, without IEHIE having to bear the responsibility or liability of its participants.
Netspective suggested IEHIE focus on the “probable” threats to IEHIE’s participants, rather than trying to boil the ocean of “possible” threats and attackers. We recommended an Independent Physician Association (IPA) or Group Purchasing Organization (GPO) style membership-based shared services approach that would offer:
• Legal compliance, led by a law firm that supplies documentation and legal services under attorney-client privilege. This protects every member from HHS's Office for Civil Rights (OCR).
• Technical security, led by a systems integration firm that brings to bear security staff along with an entire tools and partners ecosystem. This protects every member from attackers and handles technical recovery from breaches.
• Cyber insurance, provided by an insurance company that delivers financial recovery. This protects every member from monetary harm when a breach does occur.
Membership-based shared services
Use a Cyber IPA/GPO/MSO shared services organization to establish familiarity with participants, circumvent regulatory/compliance scrutiny, and lower costs:
• IEHIE can become a management or administrative member with full collaborative oversight of participants' systems and data
• Unified portal serves as a point of collaboration for the administrative, technical, legal, and insurance parties/components involved
• Provide cyber security insurance coverage options that are related to the risk of individual participants
• Scalable solution and resources to handle a large pipeline of provider organizations between 1-9 physicians in size; automate processes without sacrificing quality and/or security
• IEHIE can demand a minimum security standard from participants, while validating ongoing compliance/security, without having to take on any liability
• Automate and standardize policies, procedures, tools, documentation, and staff within the solution
[Diagram: Practice 1 … Practice N and Business Associates connect through the IPA/GPO/MSO, whose components are the Opsfolio Collaboration Portal; the SIEM, ID, DLP, monitoring & tools ecosystem; policies, procedures, documentation, training & education; legal, technical, breach cleanup and risk management staff; and management & administration.]
The managed services approach
• Conduct an instant pen test to discover immediate holes
• Implement immediate controls and put the remainder into a POAM [1]
• Establish governance and a RAM [2]/RACI [3] matrix
• Identify & classify PII [4]/PHI [5] and regulated systems
• Implement or update policies & procedures
• Create an incident response plan & testable procedures
• Identify & classify vendors and external risks
• Identify & classify insider risks
• Integrate with other members in the community (ISACs [6])
• Establish continuous monitoring & mitigation services
[1] Plan of Actions & Milestones
[2] Responsibility assignment matrix
[3] Responsible, Accountable, Consulted, and Informed
[4] Personally Identifiable Information
[5] Protected Health Information
[6] Information Sharing and Analysis Center
Initial Technical Security Assessment
[Diagram: a remote cybersecurity consultant works across Practice 1 … Practice N and Business Associates through Discovery (information gathering, logs, system catalogue), Assessment (external penetration testing, assessment details, penetration test results), and Access Point Analysis / Risk Analysis.]
Lite (instant)
• External penetration testing based risk assessment
Adequate (rapid)
• Lite assessment plus basic top-down technical risk assessment
Complete (time-consuming)
• Bottom-up asset-specific inventory-based risk assessment
Outward-facing penetration tests
Run instant scans of externally facing servers and assets to determine immediate risks
Based on results of instant scans, focus next security steps on highest priority vulnerabilities
Identify & classify regulated systems
Identification and classification across all major asset categories and subcategories are easy
Customizable attributes and relationships across all assets are placed under change control
Identify & classify data / storage
Track encryption at the storage, database, and schema levels
Document precisely what kind of data is being stored in backups and where they’re located
Asset-specific risk assessments
Asset-specific risk assessments encourage attention to security rather than mere compliance
Asset-specific controls documentation allows better visibility into specific vulnerabilities
Initial Legal Compliance Assessment
[Diagram: consulting compliance experts work across Practice 1 … Practice N and Business Associates through Discovery (information gathering), Compliance Assessment (compliance analysis; P&P, technical and security catalogue assessment; bottom-up analysis), and Audit Readiness Analysis, producing an assessment report and an audit readiness report.]
Lite
• Self-assessment based on preexisting top-down frameworks using Opsfolio
• Computer Based Training (CBT) by user
Adequate
• Lite Assessment +
• Survey questionnaire for expert review of regulatory compliance
• Customized CBT development and tracking for training coverage
Complete
• Adequate Assessment +
• Bottom-up compliance assessment by expert
• Fractional CPO and CISO (Opsfolio executive reports leveraged)
• Audit Readiness Analysis
• Executive Coaching
Ensure policies are documented
Multi-stakeholder, multi-institution policies and procedures management
Proper policies and procedures are available across internal staff as well as external vendors
Ensure training compliance
Multi-stakeholder, multi-institution training courses management
Training courses can be assigned and tracked across internal staff or even external vendors
Evaluate training effectiveness
Enhanced computer-based or traditional training can be offered
After training is completed, surveys and tests can be conducted and tracked for effectiveness
Maintain compliance reports
Dynamic reports keep compliance management easy for the Chief Privacy Officer and CISO
Everyone within the organization, and across its legal and security teams, works from the same data
Implement change control
Activity tracking and runbook management through blogging is done at the asset level
Incident tracking for outages, potential breaches, and actual breaches
Track BAs, BAAs, and vendors
Comprehensive list of Business Associates and their agreements
Comprehensive Business Associates and vendor details/attributes management
Common gaps that we'll fill for IEHIE
Legal Compliance Gaps
• Staff unawareness of Privacy/Security Officer
• Dated Risk Assessment and Training
• Generic Policies & Procedures that add no value
• Absence of adequate physical safeguards for IT systems
• No comprehensive list of Business Associates and BAAs
• Failure to inventory IT assets
• No Business Disaster & Recovery Plan
• Security incidents are not documented with a consistent and effective approach
• Absence of consistent logging and monitoring activities
• Information around controls is not considered by management before making decisions
• Failure to review audit logs of application systems
• Failure to terminate access to IT systems upon dismissal or completion of duties
Technical Security Gaps
• No bottom-up Risk Assessment for each IT asset
• Absence of (layered/segmented) firewall security
• Absence of Intrusion Prevention and Detection Systems
• Insufficient access controls for technology devices
• Insufficient password strength and expiration requirements
• Absence of encryption and/or secure transmission configurations
• Absence of consistent logging and monitoring activities
• Absence of (on-site and offsite) backup systems
• Lack of information around risks to make informed management decisions
• No scrutiny of Business Associate compliance and security
• No Continuity of Operations Plan
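As an added illustration, not Opsfolio or Netspective code, of the bottom-up asset-specific assessment described on the earlier slides and of how several of the gaps listed above can be checked mechanically against an asset inventory; the Asset fields, sample assets and termination list are constructed assumptions.

```python
# Added illustration of the deck's bottom-up, asset-specific risk assessment,
# run over a constructed practice inventory. Field names and sample assets are
# hypothetical; this is not Opsfolio or Netspective code.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Asset:
    name: str
    stores_phi: bool
    encrypted_at_rest: bool          # checked at storage/database/schema level
    backup_location: Optional[str]   # None means no backup exists
    backup_encrypted: bool
    logging_enabled: bool
    is_business_associate: bool = False
    baa_on_file: bool = False        # only meaningful for business associates
    active_accounts: set = field(default_factory=set)

def assess_asset(asset: Asset, terminated_staff: set) -> list:
    """Return the gaps found on one asset, phrased like the deck's gap list."""
    gaps = []
    if asset.stores_phi and not asset.encrypted_at_rest:
        gaps.append("PHI stored without encryption at rest")
    if asset.backup_location is None:
        gaps.append("no on-site or off-site backup")
    elif asset.stores_phi and not asset.backup_encrypted:
        gaps.append(f"unencrypted PHI backup at {asset.backup_location}")
    if not asset.logging_enabled:
        gaps.append("no consistent logging and monitoring")
    if asset.is_business_associate and not asset.baa_on_file:
        gaps.append("Business Associate without a BAA on file")
    stale = sorted(asset.active_accounts & terminated_staff)   # dismissed staff still active
    if stale:
        gaps.append("access not terminated for dismissed staff: " + ", ".join(stale))
    return gaps

def assess_inventory(inventory: list, terminated_staff: set) -> dict:
    """Map each asset name to its gaps; assets with no gaps are omitted."""
    return {a.name: g for a in inventory if (g := assess_asset(a, terminated_staff))}

# Constructed sample inventory for a small practice and one vendor.
SAMPLE_INVENTORY = [
    Asset("EHR database", True, True, "offsite-vault", True, True,
          active_accounts={"drlee", "rnpatel", "jdoe"}),
    Asset("Front-desk PC", True, False, None, False, False, active_accounts={"jdoe"}),
    Asset("Billing clearinghouse", True, True, "vendor-cloud", True, True,
          is_business_associate=True, baa_on_file=False),
]
SAMPLE_TERMINATED = {"jdoe"}   # constructed HR termination list
```

Running `assess_inventory(SAMPLE_INVENTORY, SAMPLE_TERMINATED)` reports one stale account on the EHR database, four gaps on the front-desk PC, and a missing BAA for the clearinghouse.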
Customizable services
Continuous Monitoring
• Monitoring – patch management, data loss prevention, data integrity maintenance, unauthorized data access of information systems, legal compliance (training, policies and procedures, documentation, physical/administrative, technical safeguards and security), threat intelligence, intrusion detection monitoring, cyber risk monitoring
• Assessment – impact analysis from monitoring for adverse events or changes in business policies and procedures, change in regulatory laws, pen testing, asset discovery and inventory updates, monthly document review
Continuous Risk Remediation
Compliance gaps remediation plan, patch management, technical or security risk analysis remediation plan, resolve technical or organizational controls, configuration management, policies and procedures updates, documentation updates, asset inventory updates, cyber risk insurance updates, legal risk remediation plan.
[Architecture diagram: Cybersecurity Situational Awareness Data Science Platform]
• Client environment: a remote cybersecurity consultant performs discovery (environment survey, information gathering), assessment and penetration testing, and risk analysis; outputs include access point analysis, logs, system catalogue, assessment details and penetration test results.
• Data sources: Tripwire SecureScan logs, Spiceworks inventory management tool logs, Graylog logs, Logstash logs, OpenVAS logs, Nmap results, OpenDLP logs, and a rules engine.
• Log shipping over the Internet (Fluent XA) into cloud staging logs.
• Source data lake (mutable): HDFS, RDBMS, Cassandra, etc., holding data types 1-4.
• Cybersecurity aggregator on Apache Spark: pre-processing, analytics, post-processing, feeding the risk assessment.
• Working data lake (for apps and analytics): HDFS (Hadoop) and PostgreSQL, exposed through a data access layer (file access, REST API) to Opsfolio.
Thank You
Visit http://www.netspective.com and http://www.healthcareguy.com
E-mail [email protected]
@ShahidNShah
Call 202-713-5409