When the executive team and board are discussing this quarter’s financial results, it is important that everyone understands terms like revenue, operating margin, and net income. Any ambiguity in the understanding of those terms can lead to miscommunication. Likewise, in order to have a meaningful and productive conversation about cyber risk and cybersecurity, everyone at the table needs to be able to speak with precision and understand the differences between a risk, a vulnerability, and a threat, among other terms.
The fact is that cyber risk management and cybersecurity encompass so many different terms and concepts that one could write an entire book on terminology alone. (It’s been done. One of the best references on the subject, and my main resource in writing this blog post and Chapter 5 of my book Stop the Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM), is the glossary compiled by the Computer Security Resource Center (CSRC) at the National Institute of Standards and Technology (NIST). This comprehensive glossary can be accessed online at: https://csrc.nist.gov/glossary/ .)
In their free time, your executive team and board might find it interesting to browse the NIST Glossary. In the interest of saving them some time, I summarized the most critical terms, phrases and concepts from Chapter 5 of my book. This blog excerpts a portion of that chapter, covering eight terms that are critical to driving a productive dialogue about ECRM.
Risk
Risk is about the possibility of loss or harm. Risk is a function of the likelihood of a given threat triggering or exploiting a particular vulnerability and the resulting impact on the organization. (The terms threat, vulnerability, likelihood, and impact are further defined below.) Risk is not, therefore, one single factor or event, but the combination of variables (assets, threats, vulnerabilities, controls) that, when considered together, can have an adverse impact on your organization or its stakeholders. Cyber risk, in the context of healthcare, arises through the compromise of the confidentiality and/or integrity and/or availability of your healthcare data, systems or devices. Usage Example: “Have we assessed our enterprisewide cyber risk?”
Assets and Information Assets
Assets may include major applications, general support systems, high-impact programs, the physical plant, mission critical systems, personnel, equipment or another logically-related group of systems.[i] System or information assets include any software, hardware, data, administrative, physical, communications or personnel resources with an information system. In numerous documented enforcement actions (Resolution Agreements and Corrective Actions Plans) to noncompliant healthcare organizations, the Office for Civil Rights (OCR) has variously defined information assets as:
- “… all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared by [organization name] or its affiliates that contain, store, transmit or receive [organization name] ePHI …”[ii]
- “all … electronic equipment, data systems, and applications controlled, administered or owned by [organization name] or any [organization name] entity, that contain, store, transmit or receive ePHI.”[iii]
- “all of its facilities, electronic equipment, data systems, and applications that contain or store ePHI”[iv]
As you can see, OCR’s definition of an asset is broad and inclusive. All information assets must be risk-analyzed. The typical healthcare organization has thousands of assets, if not tens of thousands, when you include all of the different categories of assets that exist:
- Traditional information assets. Traditional information assets include IT systems and applications. They include EHRs, clinical information applications, lab and/or medical specialty applications, medical billing and claims processing applications, email applications, company intranet websites, human resources management applications, network file sharing applications, electronic data interchange (EDI) applications, fax applications, payment processing applications, financial management and reporting applications, and other applications and systems.
- Biomedical information assets. Biomedical assets include items such as patient monitoring devices, so-called “smart” rooms, implantable devices, and remote wellness and chronic disease management applications.
- Internet of Things (IoT) information assets. IoT assets include biomedical devices, as well as internet-connected assets such as facilities security and building management; real-time location services (RTLS) for assets, employees, patients and visitors; and networking hardware, software, security and services.
Usage Example: “When we complete our acquisition of XYZ Health, we will need to inventory all of their information assets in order to incorporate them into our ECRM program.”
Threats / Threat Sources
A threat is any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.[v] Threats come from a variety of sources. A common way to categorize threat sources, according to NIST, is:
- Accidental. Accidental threats occur without malice or intent on the part of the user. Examples of accidental threat sources include an employee who sends out a group email containing ePHI to the wrong recipients or an equipment operator at a nearby construction site cutting fiber optic cable connecting you to your EHR.
- Adversarial. Adversarial threats are characterized by the malicious intent of the perpetrator. The perpetrator may be an individual, a group, a competing organization, or a hostile nation state. A common type of adversarial threat is “insider threat,” which originates inside the organization (e.g., a disgruntled employee).
- Environmental. Environmental threat sources include natural or man-made disasters (fire, flood, earthquake, tornado, etc.) and unusual natural events (e.g., sunspots/solar flares, pandemic).
- Structural. Examples of structural threats include the failure of IT equipment or a utility service, such as a failed hard drive, poorly written code in a software application or loss of telecommunications infrastructure or electrical power.
An effective ECRM program will consider all reasonably anticipated threat sources and possible threat events. It’s important to base your ECRM program on a comprehensive assessment of your organization’s unique threats, rather than simply responding to the latest ‘threat du jour.’ The specific threats that are making headlines today (malicious URLs, web attacks, formjacking attacks, cryptojacking and ransomware) will be replaced by new threats tomorrow.[vi] Your organization’s best defense is to take a proactive approach to assessing risk across the organization, rather than simply reacting to today’s headlines. Usage Example: “Does our ECRM program address relevant environmental threats?”
Threat Events
A threat event is an event or situation that has the potential to cause undesirable consequences or impact.[vii] When your organization conducts the HIPAA Security Rule-mandated risk analysis, it is important to brainstorm and consider all types of reasonably anticipated threat events, even if you believe they are highly improbable or even if you’ve never experienced them before. For example, although California has experienced accidental power outages before, 2019 marked the first year that preemptive power outages were used so frequently and on such an expansive scale. Healthcare providers have had to rethink their disaster protocols to deal with this new environmental threat event.[viii] Usage Example: “As we develop our ECRM program, we need to consider all possible threat events that our organization might encounter.”
Vulnerability
Security engineers and operations staff often confuse conducting vulnerability scans with completing a risk analysis. Vulnerability scans are important but do not comprise real risk analysis. Vulnerability scans provide a long list of weaknesses but fail to take into account the rest of the risk factors. Using home security as an example, if you do not have a deadbolt lock on one of your exterior doors, that could be a vulnerability. But you don’t just run out and install deadbolt locks. If you live in a gated community (a control) and you have external motion detectors in your home security system (another control), the likelihood of a burglar exploiting the lack of a deadbolt on a single door may be very low.
Examples of vulnerabilities that are related to your information assets might include: dormant user accounts, accounts with inappropriate/excessive user permissions, inadequate device or data encryption, custom application bad software code, weak passwords, and insufficient program governance, among others. You can determine your organization’s specific vulnerabilities by conducting a comprehensive, enterprisewide risk analysis. Usage Example: “I am concerned about the lack of encryption on the laptops and mobile devices that store PHI. Do you think this is a vulnerability that we ought to address?”
Controls
As a reminder: risk exists when an asset, a threat and a vulnerability are present simultaneously. The ultimate goal of your ECRM program is to implement reasonable and appropriate controls to ensure your risks are within your risk appetite. Controls (also referred to as safeguards or countermeasures) are the tools your organization uses to mitigate risks to an acceptable level.
Security controls are the management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.[x] The HIPAA Privacy Rule and the HIPAA Security Rule refer to controls as “safeguards.”[xi] Both rules reference three types of safeguards:
- Administrative. Administrative safeguards encompass things like policies and procedures, governance, the security management process, risk analysis, risk management, training and business continuity plans.
- Technical. Technical controls encompass the typical controls you might think of when you think of cybersecurity, including firewalls, encryption, intrusion detection/prevention systems, etc.
- Physical. Physical safeguards include things like building security systems, guards, gates, biometric access controls and fire suppression systems.
Note that technical safeguards are only one of three types of safeguards or controls. Establishing and maturing your organization’s ECRM program is, arguably, your most critical administrative control. You can’t achieve cybersecurity by engaging in a technical controls arms race. For controls to be effective, your organization needs to take a considered approach, based on an examination of your unique business and your organization’s unique assets, threats and vulnerabilities. Usage Example: “I know we’ve talked about purchasing a new intrusion detection system, but before we discuss that, are we sure we have the appropriate administrative controls in place?”
Likelihood
Likelihood is the chance of something happening.[xii] The first step in conducting a comprehensive, enterprisewide risk analysis is to identify all possible risk scenarios {asset-threat-vulnerability}; the next step is to rate them. Likelihood is one of two factors (the other being “impact,” defined below) used to rate risks. In the context of insurance, the analogous terms you will likely hear are “frequency” and “severity.” Your Chief Risk Officer and professional liability insurance broker usually use these latter two terms.
NIST explains that the likelihood of occurrence is a weighted risk factor based on an analysis of the probability that a given threat is capable of exploiting a given vulnerability (or set of vulnerabilities).[xiii] An example of a scale on which to assess likelihood is shown in Figure 1.
For example, suppose you are assessing the likelihood of one of your organization’s unencrypted laptops being lost by a careless employee in the {laptop-careless employee-no encryption} risk scenario. It’s been estimated that a laptop is lost every 53 seconds![i] Given this statistic, it is likely that all healthcare organizations will lose at least one laptop each year. In that case, the likelihood rating would be “Almost Certain”, a “5.” Usage Example: “What is the likelihood that one of our employees will lose a laptop containing ePHI this year?”
Impact
Impact from a threat event is the magnitude of loss or harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.[ii] In other words, the impact assessment is based on the extent of compromise of the confidentiality, integrity or availability of your organization’s data, systems or devices.
Just as with likelihood, a scale can be used to assess impact (Figure 2).
Continuing with the {laptop-careless employee-no encryption} risk scenario from the definition above, if that lost laptop was known to contain about 5,000 ePHI records, a rating of “Major” or “4” would be assigned. Usage Example: “What is the impact on our organization from one lost, unencrypted laptop?”
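To show how the likelihood and impact ratings above combine into a ranked risk register, here is a small Python model written for this post (it is not code from the book or from NIST). It assumes 1..5 scales with “Almost Certain” = 5 and “Major” = 4 as in the text; the product scoring, the label bands, the sample scenarios, and the three-level impact reduction from full-disk encryption are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class RiskScenario:
    """One {asset-threat-vulnerability} scenario rated on the post's two factors."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1..5, where 5 = "Almost Certain"
    impact: int      # 1..5, where 4 = "Major"

    def __post_init__(self):
        if not {self.likelihood, self.impact} <= set(range(1, 6)):
            raise ValueError("likelihood and impact must be integers from 1 to 5")

    @property
    def score(self) -> int:
        # Risk as a function of likelihood and impact; the product is an assumed convention.
        return self.likelihood * self.impact

def rating(score: int) -> str:
    """Assumed bands mapping a 1..25 score to a label."""
    for limit, label in ((4, "Low"), (9, "Medium"), (14, "High")):
        if score <= limit:
            return label
    return "Critical"

def apply_control(s: RiskScenario, likelihood_delta: int = 0, impact_delta: int = 0) -> RiskScenario:
    """Re-rate a scenario after a control is applied; ratings stay clamped to 1..5."""
    clamp = lambda v: max(1, min(5, v))
    return replace(s, likelihood=clamp(s.likelihood + likelihood_delta),
                   impact=clamp(s.impact + impact_delta))

def within_appetite(s: RiskScenario, appetite: int) -> bool:
    return s.score <= appetite

def prioritize(register: list) -> list:
    """Highest-scoring scenarios first, so control spending follows risk rather than headlines."""
    return sorted(register, key=lambda s: s.score, reverse=True)

# Constructed register built from scenarios the post describes.
LAPTOP = RiskScenario("laptop with ePHI", "careless employee loses it", "no encryption", 5, 4)
FIBER = RiskScenario("EHR connectivity", "construction crew cuts fiber", "single network path", 2, 5)
DORMANT = RiskScenario("EHR accounts", "former employee", "dormant account not disabled", 3, 4)
REGISTER = [FIBER, DORMANT, LAPTOP]

# Full-disk encryption (a technical control) is assumed to lower impact by three levels.
LAPTOP_ENCRYPTED = apply_control(LAPTOP, impact_delta=-3)
```

Rating the same scenario before and after a control makes the effect of that control visible against a stated risk appetite, which is the comparison the board needs rather than a bare vulnerability list.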
How do these terms and concepts work together? Figure 3 illustrates the key terms and concepts related to risk and their relationship to each other.
C-suite executives and board members are the de facto “owners” of their organization’s assets. With that responsibility comes a requirement that they exercise duty of care. That responsibility includes understanding the organization’s unique cyber risks and providing the leadership and oversight to manage those risks to within their risk appetite. It begins with understanding the terminology and the organization’s unique risk profile well enough to enable informed decision-making about implementing controls and safeguards to protect the confidentiality, integrity, and availability of all of the organization’s healthcare data, systems, and devices.