Information+security rutgers(final)
1. INFORMATION SECURITY FOR INFORMATICS PROFESSIONALS
Amy M. Walker, MS, RN, CPHQ, FACHE, NEA-BC
CEO OptimizeIT Consulting LLC
Healthcare IT Strategist
A Proud EDWOSB, CAGE Code 6TH50
2. Amy Walker MS, RN, CPHQ, FACHE, NEA-BC
Healthcare System
Critical Care RN, Certified and Nurse Manager
Director of Informatics, CIO Boot Camp-CHIME
Chief Clinical Information Officer (CCIO)
Technology Provider-Large Scale
Development
Implementation
Strategic Account Management
Consulting
DoD Health Affairs
HIPAA, Healthcare Compliance, Security, and Data Exchange
Interim CIO
Entrepreneur
Fellow in the American College of Healthcare Executives
Certified as a Healthcare Quality Professional
Certified as an Advanced Nurse Executive
2010 President of the National Capital of Healthcare Executives
Nominated Member of the Women’s Business Leader’s of the
U.S. Healthcare Industry Foundation
3. We Will Discuss Today
IT Security Pillars
How to Appropriately Construct Policies and Procedures
Develop, Implement, Enforce
Security Standards and Risk Assessment: Effective Strategies
System Architecture and Design
An Overview of Security Issues and Solutions
4. SWOT-Analysis
Strengths
• Identified Security Officer
• Tight Integration Between Roles
Weaknesses
• Knowledge Deficit
• Not Practicing to Standards
• Deficient Risk Assessment Process
Opportunities
• Are Great
Threats
• Are Great
5.
Obama meets with CEOs to push cyber-security legislation
The meeting in hopes of getting the stalled legislation passed comes a day after intelligence officials warn of the threat to national security.
March 13, 2013 | By Ken Dilanian and Jessica Guynn, Los Angeles Times
"What is absolutely true is that we have seen a steady ramping up of cyber-security threats," President Obama said on ABC's "Good Morning America." "Some are state-sponsored. Some are just sponsored by criminals."
(Evan Vucci / Associated Press)
6. Security Problems Hit Close To Home
Dear user:

As a follow up to our last email communication about the identified security vulnerability in the XYZ system, the U.S. General Services Administration (GSA) is taking all possible steps to protect and inform xyz users, especially those that use their social security numbers for purposes of doing business with the federal government.

Your entity’s data has been identified to be at greater risk for potential identity theft because you used your social security number as your Tax Identification Number to do business with the federal government.

This vulnerability enabled government entity administrators and delegated entity registration representatives to potentially gain access to information of any entity’s registration -- enabling visibility of entity management data at all sensitivity levels.

As a precaution, GSA is taking proactive steps to protect and inform xyz users. The agency is offering users at higher risk, like you, access to credit monitoring services and will follow up with information about these services.

If you wish to take additional steps to protect against possible identity theft, visit www.xyz for specific information. If you would like additional background or have questions, you may call 1-800-FED-INFO (1-800-333-4636), from 8 a.m. to 8 p.m. (ET), Monday-Friday starting Monday, March 18. We recommend that you monitor your bank accounts and notify your financial institution immediately if you see any discrepancies.

We apologize for any inconvenience or concern this situation may cause. We believe it is important for you to be fully informed of any potential risk resulting from this incident. The security of your information is a critical priority to us and we will work to ensure the system remains secure.

Sincerely,
9. Internet Security Alliance
Larry Clinton, the longtime head of the Internet Security Alliance, delivered the keynote at the March PHI Protection Forum. Mr. Clinton focused on PHI security and privacy, and he cited an important study of the state of health care information security: PWC’s 2013 State of Info Security Survey data regarding health care organizations.
10. PWC’s 2013 State of Info Security Survey
Most executives in the HC industry are confident in the effectiveness of their security practices. They believe their strategies are sound, and many consider themselves to be leaders in the field.
(And yet, only) 42% have a strategy & (are) proactive in executing it
Of the 4 key criteria of information security leadership, ONLY 6% RANK AS LEADERS
60% do NOT have a policy for third parties to comply with privacy policies
73% use malicious code detection tools; DOWN 16%
48% use tools to find unauthorized devices; DOWN 14%
51% use intrusion detection tools; DOWN 19%
PWC’s 2013 State of Info Security Survey, http://www.pwc.com/gx/en/consulting-services/information-security-survey/index.jhtml
11. 48% use vulnerability scanning tools; DOWN 15%
31% DON’T KNOW when info sec is part of major projects – ONLY 18% at project inception
90% of HC respondents say protecting employee & customer data is important - few know where the data is stored (43% have an accurate inventory of data)
Adopting new technology (is outpacing) security – new technology referring to cloud 28%, mobile 46%, social media 45%, personal devices 51%
PWC’s 2013 State of Info Security Survey
12. The Reasons? As Noted by Larry
Lack of funding: 53%
20% say top leadership “is an impediment to improved security.”
Only 43% report security breaches
Diminished budgets have resulted in degraded security programs; incidents are on the rise; new technologies are being adopted faster than safeguards
There are short-term economic incentives to be insecure (VoIP, use of personal devices, the Cloud)
HC providers report lower $ loss from incidents, but many do not perform thorough or consistent analysis to appraise those losses, e.g. only 33% consider damage to brand as a financial loss
13. June 26, 2012 Alaska Department of Health and Social Services
A USB hard drive possibly containing ePHI was stolen from the vehicle of a DHHS employee.
DHHS did not have adequate safeguard policies and procedures in place.
DHHS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce, implemented device and media controls, or addressed device and media encryption.
Pay a $1.7 million fine and take corrective action to ensure compliance with the Security Rule.
Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press). Confidentiality, safety and security. In R. Nelson & N. Staggers, Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier
14. April 17, 2012 Phoenix Cardiac Surgery
Staff were posting clinical and surgical appointments for patients on an Internet-based calendar that was publicly accessible.
PC failed to implement adequate policies and procedures to safeguard patient information.
PC failed to document that it trained any employees on policies and procedures.
PC failed to identify a security official and conduct a risk analysis.
PC failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.
Pay a $100,000 fine and develop a corrective action plan to ensure compliance with the Security Rule.
Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press). Confidentiality, safety and security. In R. Nelson & N. Staggers, Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier
15. March 13, 2012 Blue Cross Blue Shield of Tennessee
Fifty-seven unencrypted computer hard drives were stolen from a leased facility. The drives contained the ePHI of more than 1 million individuals, including member names, Social Security numbers, diagnosis codes, dates of birth, and health plan identification numbers.
BCBST failed to implement appropriate administrative safeguards by not performing the required security evaluation.
BCBST failed to implement appropriate physical safeguards.
Pay a $1.5 million fine and implement a corrective action plan to address gaps in its HIPAA compliance program.
Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press). Confidentiality, safety and security. In R. Nelson & N. Staggers, Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier
18. 10 Domains of Information Security
• Access Control
• Business Continuity and Disaster Recovery Planning
• Cryptography
• Information Security Governance and Risk Management
• Legal, Regulations, Investigation, and Compliance
• Operations Security
• Physical (Environmental) Security
• Security Architecture and Design
• Software Development Security
• Telecommunications and Network Security
International Information Systems Security Certification Consortium, https://www.isc2.org/
19. Basic Requirements
Security
Reliability
Transparency
Scalability
Maintainability
Auditability
Integrity
Authenticity
International Information Systems Security Certification Consortium, https://www.isc2.org/
20.
Operations security (OPSEC) is a process that identifies critical information to determine
if friendly actions can be observed by adversary intelligence systems, determines if
information obtained by adversaries could be interpreted to be useful to them, and then
executes selected measures that eliminate or reduce adversary exploitation of friendly
critical information.
25. Policies and Procedures
Acceptable Use
Access Control
Accreditation
Acquisition
Business Continuity
Certification
Change Control Management
Code of Ethics
Confidentiality
Data Classification
Internet Use
27. System Architecture Components
Hardware
Firmware
Central Processing Units
Input/Output Devices
Software
Architectural Structures
Storage and Memory
Analyze the security risks, limitations, and positive attributes of each.
28. Open Source
A study by the MITRE Corporation, sponsored by the Defense Information Systems Agency, found extensive and diverse use of open source software at the DoD, with over 100 open products being used in more than 250 applications.
Security applications were most often noted as a reason open source use should be expanded.
Widely used open security tools included SNORT, a lightweight intrusion detection tool used for plugging “network security holes when new attacks emerge”, and SARA, the Security Auditor’s Research Assistant, used for relatively straightforward network security risk analyses. The MITRE report lists more than 100 open source products that have demonstrated superior records of security and reliability.
29. The Abdus Salam International Centre
for Theoretical Physics
31. Risk Management Purpose
The purpose of an organization’s risk management process should be to protect the organization and its ability to perform its mission, including but not limited to its IT assets.
Risk is a function of the likelihood of a given threat source’s exercising a particular vulnerability and the resulting impact of that adverse event.
NIST SP 800-30, www.csrc.nist.gov
32. Risk Analysis
Conduct an accurate and thorough assessment of
the potential risks and vulnerabilities to the
confidentiality, integrity, and availability of electronic
protected health information held by the
organization.
33. Details of a System Security Risk Assessment
Qualitative
Scenario oriented
No $$ values
Ranking of threats
Performed to the goal of reasonableness
Quantitative
Assign $$ values
Resource intensive
More difficult to determine
Hybrid
International Information Systems Security Certification Consortium, https://www.isc2.org/
34. Risk Assessment SP 800-30
Step 1 Characterization
Step 2 Threat Identification
Step 3 Vulnerability Identification
Step 4 Control Analysis
Step 5 Likelihood Determination
Step 6 Impact Analysis
Step 7 Risk Determination
Step 8 Control Recommendations
Step 9 Results Documentation
Steps 2, 3, 4, and 6 can be conducted in parallel after Step 1 has
been completed.
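A worked example of Steps 5 to 7 above (likelihood, impact, risk determination) together with the quantitative SLE/ARO/ALE figures that slide 33 contrasts with the qualitative approach. This code is added for this write-up and is not from the deck or from NIST; the likelihood and impact magnitudes follow the illustrative 3x3 matrix in SP 800-30 (2002 edition), and the three sample risks are constructed.

```python
"""Risk determination per NIST SP 800-30 Steps 5-7, plus quantitative ALE.
Added example, not from the slide deck. The numeric likelihood/impact scale
follows the illustrative matrix in SP 800-30 (2002 edition); sample risks
are constructed."""
from dataclasses import dataclass

# Step 5 likelihood and Step 6 impact ratings, with the magnitudes SP 800-30 uses.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass
class Risk:
    threat_vuln: str              # Steps 2-3: threat-source / vulnerability pair
    likelihood: str               # Step 5 rating
    impact: str                   # Step 6 rating
    asset_value: float = 0.0      # quantitative view: $ value of the asset
    exposure_factor: float = 0.0  # fraction of the asset value lost per event
    aro: float = 0.0              # annualized rate of occurrence (events/year)


def risk_score(r: Risk) -> float:
    """Step 7: risk magnitude = likelihood x impact, on a 1..100 scale."""
    return LIKELIHOOD[r.likelihood] * IMPACT[r.impact]


def risk_level(score: float) -> str:
    """SP 800-30 risk scale: High (>50), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def sle(r: Risk) -> float:
    """Single loss expectancy = asset value x exposure factor."""
    return r.asset_value * r.exposure_factor


def ale(r: Risk) -> float:
    """Annual loss expectancy = SLE x ARO (the $$ figure slide 33 refers to)."""
    return sle(r) * r.aro


def rank(risks):
    """Order risks worst first: the input to Step 8 (control recommendations)."""
    return sorted(risks, key=lambda r: (risk_score(r), ale(r)), reverse=True)


# Constructed sample register; these are not findings from the deck.
SAMPLE = [
    Risk("Unencrypted portable drive with ePHI stolen", "High", "High", 500000, 0.8, 0.5),
    Risk("Appointment data on a public web calendar", "Medium", "High", 100000, 0.3, 1.0),
    Risk("Patch lag on an isolated guest kiosk", "Low", "Low", 5000, 0.1, 2.0),
]

if __name__ == "__main__":
    for r in rank(SAMPLE):
        print(f"{risk_level(risk_score(r)):6} {risk_score(r):5.1f} ${ale(r):>10,.0f}  {r.threat_vuln}")
```

Note that a Medium likelihood against a High impact scores 50, which the SP 800-30 scale still rates Medium; the ALE column is what turns that ranking into a budget argument for Step 8.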
35. CMS Security Risk Analysis Process
Review existing security of protected health information
Identify threats and vulnerabilities
Assess risks for likelihood and impact
Mitigate security risks
Monitor results
CMS, Information Security Overview
37. 10 Best Practices for the Small Health Care Environment
Use Strong Passwords and Change Them Regularly
Passwords and Strong Authentication
Install and Maintain Anti-Virus Software
Use a Firewall
Control Access to Protected Health Information
Limit Network Access
Plan for the Unexpected
Maintain Good Computer Habits
Software Maintenance
Protect Mobile Devices
Establish a Security Culture
CMS, Information Security Overview, http://cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/index.html?redirect=/InformationSecurity/
39. Overview of Healthcare IT Security Issues and Solutions
Lack of Effective Ecosystem Governance
Lack of Budget
Lack of Appropriate Risk Assessment with CAP
Meaningful Use (MU)
Core Objective and Measure 12
Core Objective and Measure 15
HIPAA Privacy and Security Federal Regulations
40. Overview of Healthcare IT Security Issues and Solutions
Attacks
Vulnerabilities
Complex Systems Change Control
Doing More with Less
Mobile and Wireless Technologies
Outsourcing
41. HITRUST ™
The Health Information Trust Alliance (HITRUST) was born out of the belief
that information security should be a core pillar of, rather than an obstacle to,
the broad adoption of health information systems and exchanges.
HITRUST, in collaboration with healthcare, business, technology and
information security leaders, has established the Common Security
Framework (CSF), a certifiable framework that can be used by any and all
organizations that create, access, store or exchange personal health and
financial information.
The CSF is an information security framework that harmonizes the
requirements of existing standards and regulations, including federal
(HIPAA, HITECH), third party (PCI, COBIT) and government (NIST, FTC). As
a framework, the CSF provides organizations with the needed structure,
detail and clarity relating to information security tailored to the healthcare
industry. The CSF is available through HITRUST Central.
42. Retain absolute faith that you can and will
prevail in the end, regardless of the
difficulties, and at the same time confront
the most brutal facts of your current reality,
whatever they might be.
(Jim Collins Good to Great)
43. Thought Questions
1. In your own experience, what are your
recommendations on the highest IT security
priorities?
2. Are there resources related to IT security that you
suggest must be given greater visibility?
3. What does your organization’s SWOT analysis tell you?
44. References
CMS, Information Security Overview, http://cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/index.html?redirect=/InformationSecurity/
HITRUST, http://hitrustalliance.net/
International Information Systems Security Certification Consortium, https://www.isc2.org/
National Institute of Standards and Technology, http://csrc.nist.gov/publications/PubsSPs.html
Office of the National Coordinator, http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
45. References
PHI Protection Network, LinkedIn Group
PWC’s 2013 State of Info Security Survey, http://www.pwc.com/gx/en/consulting-services/information-security-survey/index.jhtml
Staggers, N., Gallagher, L., Goncalves, L., & Nelson, R. (in press). Confidentiality, safety and security. In R. Nelson & N. Staggers, Health Informatics: An Interdisciplinary Approach. St Louis: Elsevier
The Betterly Report, http://thebetterleyreport.wordpress.com/2013/03/18/larry-clinton-of-the-internet-security-alliance-and-some-startling-statistics-about-privacy-security-in-the-health-care-industry/?goback=%2Egde_4493923_member_223850708
The Operations Security Professional’s Association, http://www.opsecprofessionals.org/
46. SWOT-Analysis
Strengths
• Identified Security Officer
• Tight Integration Between Roles
Weaknesses
• Knowledge Deficit
• Not Practicing to Standards
• Deficient Risk Assessment Process
Opportunities
Threats
47. Thank You!
Contact us at:
4031 University Drive, Suite 100
Fairfax, Virginia 22030 P: 703-283-4678
E: awalker@optimizeitconsulting
www.optimizeitconsulting.com
OptimizeIT Consulting LLC is a proud EDWOSB, CAGE Code 6TH50
Editor’s Notes
No deep dive.
Social engineering: often used in conjunction with blind and double-blind testing, social engineering is gaining critical or sensitive information through social interaction, typically with the organization’s employees, suppliers, and contractors. Techniques may include posing as a representative of the IT department’s help desk and obtaining users’ account and password information, posing as an employee and gaining physical access to restricted areas, intercepting mail, or even dumpster diving to search for sensitive materials. It tests the degree to which the organization’s people contribute to or prevent unauthorized access to information and information systems.
Security posture is not static. It is dynamic and can change based on the quality of the continued execution of the program elements. It requires active management of the security program to maintain a given security posture.
Proprietary is not always more secure. Open source software is often misunderstood as “free” software. With open source software, the source code is available to the user or purchaser, whereas with most software only the executable or object code is available. The security implications are debated, but most believe that users’ ability to examine open source code results in systems with fewer unanticipated vulnerabilities.
Record keeping is mandatory. The OSI (Open Systems Interconnection) model was first defined and published as an international standard (ISO/IEC 7498-1) in 1984 and last revised in 1994. Strengths: established, flexible. Weaknesses: complex. Encapsulation is the process of wrapping the data with headers and trailers before sending; layering separates the function of each layer. The TCP/IP model functions like the OSI model and maps to it; it is simpler and network-centric, but does not describe the function of the application layer in enough detail.

Does your organization keep records on, or otherwise keep track of, network, data and system intrusions? How long are they kept? How about insider intrusions?

Network security is a cornerstone of business operations because network connectivity provides an easy and consistent venue for an attack. Availability: uptime; here we look for single points of failure. Non-redundant components can be reinforced. Redundancy has to be built into the system at the network, application and/or process level, including backup networks. Confidentiality: wireless networks are vulnerable to sniffing. Message protection: non-repudiation is the assurance that a specific author did actually send a specific item to a specific recipient. Effective non-repudiation is accomplished through the use of digital signatures and encryption. High redundancy. 8) Defense in depth, hurdles.
Network attackers and the types of attacks: an attacker would take the path of least resistance. Most issues are known from both the defender’s and the attacker’s side. It is important to have a documented topology. Single points of failure are to be avoided.

Wireless (802.11): from the wired network to the station, wireless local area networks. Both wireless and wired technologies are susceptible to sniffing (the passive collection of traffic).

Cloud computing is the provisioning of IT services over the cloud, the Internet; the term “cloud” is based on the depiction of the Internet as a cloud. Some of the services provided in the cloud are data storage, software, security, communications, etc. Security issues: since the services are being provided by a third party, trust is a major concern. Connections: VPN? Sharing of data and cross-border data transfer: where cloud services are provided, it may be challenging to control cross-border transmission of traffic.

Network partitions: firewalls are used to separate trusted from untrusted networks; again, no single points of failure, defense in depth, stateful inspection. A complete firewall solution has the firewall handling traffic and denying or permitting access correctly (the functional requirement), with the logging and monitoring aspect addressing the assurance requirement by ensuring that the firewall is working properly and providing the expected level of protection in relation to the risks the firewall was intended to control.
There are a number of risk assessment models available:
OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation
NIST SP 800-30
SSE-CMM: System Security Engineering Capability Maturity Model
Other
Administrative categories to assess:
Review of policies and procedures: implementation; enforcement
Penetration testing: vulnerabilities; demonstration; logs; walkthrough
Technical safeguards: detailed wired/wireless network designs; secure workstation use (documentation of specific guidelines for each class of workstation); procedures for encryption and decryption of ePHI
Physical safeguards: data backup and storage; disposal
Administrative safeguards: risk management methodology; information access management; security awareness and training; privacy policies; business associate agreements
Quantitative: estimate single loss expectancy (SLE), annualized rate of occurrence (ARO) and annual loss expectancy (ALE) to estimate potential losses.
An organization should take positive, proactive actions.

National Institute of Standards and Technology: recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President, under the Executive Order “Improving Critical Infrastructure Cybersecurity”, has directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. The Framework will consist of standards, guidelines, and best practices to promote the protection of information and information systems supporting critical infrastructure operations. The prioritized, flexible, repeatable, and cost-effective approach of the framework will help owners and operators of critical infrastructure to manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties.

Vulnerability assessment tools. An audit trail is a record of system activities. More specifically, an audit trail is a chronological record of system activities that makes possible the reconstruction, review, and examination of the sequence of activities, which can then be used to indicate a possible intrusion or to investigate an incident. Data generated by system, network, application, or user activities are recorded. The configuration of an audit trail should include data about network connections, system-level events, application-level events and user-level events (e.g. keystroke activity), and event filtering. It may be necessary to use some type of event filtering or clipping level. Attackers often try to scrub audit logs to cover their attacks.

Penetration testing: pen tests (also called ethical hacking) consist of a formal set of steps and procedures similar to those tricks and techniques an intruder would be likely to use. The purpose is to evaluate how well the enterprise can thwart an attack and how it might be compromised by a potential attack.
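An added illustration of the audit-trail points above (not code from the deck): each record is hash-chained to its predecessor so that a scrubbed or altered record is detectable on verification, and a clipping level reports only users whose count of an event reaches a threshold. Event names, user names and timestamps are constructed.

```python
"""Tamper-evident audit trail with a clipping level. Added example, not from
the slide deck; sample events are constructed."""
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first record


def _digest(prev_hash: str, record: dict) -> str:
    """Hash of the previous link plus a canonical encoding of this record."""
    payload = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append(trail: list, record: dict) -> list:
    """Append a record, linking it to the hash of the previous entry."""
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    trail.append({"record": record, "prev": prev_hash,
                  "hash": _digest(prev_hash, record)})
    return trail


def verify(trail: list) -> int:
    """Return the index of the first broken link, or -1 if the chain is intact.
    Deleting, reordering or editing any record breaks the link that follows it."""
    prev_hash = GENESIS
    for i, entry in enumerate(trail):
        if entry["prev"] != prev_hash or entry["hash"] != _digest(prev_hash, entry["record"]):
            return i
        prev_hash = entry["hash"]
    return -1


def clip(trail: list, event: str, level: int) -> dict:
    """Clipping level: per-user counts of `event`, reported only at or above `level`."""
    counts = {}
    for entry in trail:
        rec = entry["record"]
        if rec["event"] == event:
            counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return {user: n for user, n in counts.items() if n >= level}


# Constructed sample events (not real log data).
EVENTS = [
    {"ts": "2013-03-18T08:01:00", "user": "nurse1", "event": "login_ok"},
    {"ts": "2013-03-18T08:02:10", "user": "clerk7", "event": "login_fail"},
    {"ts": "2013-03-18T08:02:15", "user": "clerk7", "event": "login_fail"},
    {"ts": "2013-03-18T08:02:20", "user": "clerk7", "event": "login_fail"},
    {"ts": "2013-03-18T08:05:00", "user": "nurse1", "event": "ephi_read"},
    {"ts": "2013-03-18T08:06:00", "user": "clerk7", "event": "login_fail"},
]


def build_trail(events=EVENTS) -> list:
    trail = []
    for e in events:
        append(trail, e)
    return trail


def scrubbed_trail(events=EVENTS) -> list:
    """The log scrubbing the notes warn about: the ePHI-read record is removed
    after the fact, which verify() reports at the position of the gap."""
    trail = build_trail(events)
    del trail[4]
    return trail


if __name__ == "__main__":
    print("intact chain:", verify(build_trail()))          # -1
    print("scrubbed chain breaks at:", verify(scrubbed_trail()))  # 4
    print("login_fail at clipping level 3:", clip(build_trail(), "login_fail", 3))
```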
Core Measure 15: regardless of which risk assessment process is selected, there is likely to be a gap or a need for a corrective action plan.
Analyze current state: identify assets, threats, vulnerabilities and business impact; perform technical risk assessment through appropriate testing; review existing control documentation; interview key personnel to understand concerns.
Develop strategy for improvement or corrective action plan: prioritize identified risk and exposure; perform root cause analysis; develop potential solutions; prepare recommendations for improvements; assess existing versus target process maturity.
Communicate and manage risk: consider high-level strategies to facilitate improvement; rate proposed recommendations by impact and success potential; prepare business case for identified solutions.
Risk mitigation: risk appetite; prioritization; approaches to dealing with risk: accept risk, transfer risk, eliminate risk, reduce risk; an evolving process.
Best practices:
Firewalls
Physical security systems: electronic access control systems, badging systems, CCTV, etc.
Encryption of critical data in transit
Role-based access control
Intrusion detection systems monitored by a person
Information assurance technologies that track access and use of organizational data
Automated patch management
Intrusion detection systems monitored by automated systems with built-in alarms
Two-factor authentication
Wireless monitoring
Keystroke monitoring of individual users