Business Associate to Business Associate: A CISO’s Perspective on Applying Controls to Identified Risks

In my first blog in this series, I focused on how Business Associates can ensure the data they interact with on behalf of customers remains secure and confidential. I shared thoughts on the importance of risk analysis and how to focus resources on the most impactful tasks to an organization. The next step in risk management is to apply controls against identified risks to reduce them to levels within a defined risk tolerance applicable to your organization. Thoughtful selection, implementation, management, and monitoring of technical controls is required for ongoing risk management hygiene.

In this blog, I provide insight into the use of risk analysis and risk response as a vehicle for controls selection and prioritization, discuss control implementation and monitoring, and take a look at research from the Clearwater CyberIntelligence Institute® to provide insight into the most common control gaps related to risks in healthcare.

Risk-Based Control Selection

In the previous post, I discussed risk rating as a function of the estimation of likelihood that a vulnerability could be exploited, based on the effectiveness of the current control state, and the impact (financial, operational, reputational etc.) to the organization should that vulnerability be exploited. We determined that risks above threshold must be treated (remediate, transfer, avoid, accept), based on the organizations risk tolerance. The next step in the process is to evaluate the options for treatment in order to make the most appropriate decision for treatment.

Evaluate Alternatives

All risks above an organization’s risk threshold are related to control deficiencies. These control deficiencies will likely affect multiple risks both above and below the risk threshold. In order to determine the overall risk posture, it is important to look at overall risk reduction, rather than solely the high and critical risks. Some parameters used to prioritize remediation are cost, feasibility, return on security investment (ROSI)^[1], and expected risk reduction that equates to lowering the single and annual loss expectancy (SLE/ALE) related to each risk.

Cost

It is crucial to consider all costs related to the selection, implement, and ongoing maintenance of controls. Cost may include:

• Licensing fees
• Annual maintenance and support
• Technology infrastructure required to support the control
• Sufficient staff with requisite knowledge and training necessary to ensure proper operation of the solution
• Project management
• Consulting fees to ensure proper implementation

NOTE: Many controls are process-based and have little or no direct financial cost, but still require time and expertise to implement and monitor.

Feasibility

Elements to consider when making a determination of feasibility include:

• The ROSI for each proposed solution
• Executive support for the project; many projects often fail without an executive sponsor
• Evaluation criteria to impartially rate the proposed solutions based on the requirements specific to your organization; criteria should include the cost metrics described above, as well as the specific features that are most important to your organization.
• The expertise, skills and capabilities of your staff
• Analysis of the reduction in likelihood of an occurrence based on effectiveness of each proposed solution
• Re-calculation of the residual risk should the control be implemented
• The risk reduction and overall improvement to the organization’s risk posture for each proposed solution

Control Implementation

Once you have determined the appropriate steps to take remediate risks, your next step is to implement the controls identified. Implementation should begin with the development of a Plan of Action and Milestones (POAM) that will establish a clear process and timeline.

Ensure all relevant departments are represented in the POAM, as teams like service desk are often overlooked. It is also critical that controls follow current organizational policies and procedures or that you update them accordingly in order to address risks.

You should also ensure settings in devices, operating systems and applications are properly configured. We recommend using tools/software to automate implementation and ensure proper and consistently applied configurations, where possible.

Monitoring Control Effectiveness

Monitoring is a critical ongoing process that is used to ensure that risk remediation activities, and overall risk ratings, remain below the established risk threshold, and that control effectiveness does not degrade over time.

Effective change management and communication for all relevant security controls is a key aspect of this work. It is important to maintain awareness of changes to threats and vulnerabilities as well as changes in asset value that will affect likelihood and impact ratings for each asset.

• Threats – Use threat intelligence services and consider participation in intelligence sharing communities such as Infragard^[2] and the Health Security Coordinating Council^[3] Vulnerability Communications task group.
• Vulnerabilities – Closely monitor vendor and independent security research. Use credentialed vulnerability scanning to ensure patches, software, and configuration-based vulnerabilities are identified and remediated where feasible.
• Assets – Asset values change continuously due to a number of factors, including increased or decreased access, number of sensitive records stored, processed, or transmitted by an asset.

Risk ratings should be updated as changes occur, and new high and critical risks should be escalated to management for guidance on risk treatment.

Common Control Deficiencies

The enormous data set of cyber risk information flowing through Clearwater’s IRM|Analysis® software enables us to capture deep insights surrounding current cyber threats and identify trends that will help inform and prepare organizations to manage their risks. The Clearwater CyberIntelligence Institute, using its advanced analytics and data mining capabilities, has discovered significant patterns from our database which contains millions of data risk records from hospitals, health systems, and Business Associates.

The following list represents the most common control deficiencies related to high and critical risks across all healthcare sectors. You may find these control deficiencies and the associated risks within your organization.

1. Single Sign-on and Multi-factor Authentication

Single Sign-on has become common in organizations as a means of eliminating tasks for users, but it does carry a significant security risk as a hacker who is able to acquire a user’s credentials can penetrate every application to which the user has access. As users tend to use the same or similar passwords for access to sensitive applications and data as they use to check stock prices and social media, these control deficiencies equate to high ratings for likelihood of threat occurrence, and if the asset value is moderate to high, these will represent high or critical risk to your organization. Multi-Factor Authentication can be an effective method for remediating risks related to Single Sign-on and weaknesses inherent in generic username/password pairs.

2. Log Aggregation and Analysis

It is critical to be able to identify and broadcast alerts that allow staff to respond effectively to anomalous activity within your environment, before they turn into breaches. The most common tool for this purpose is Security Information and Event Management (SIEM) platforms that centralize, correlate and analyze logs. Endpoint detection and response is often played as a replacement but does not typically solve the whole problem.

3. User Permissions and Activity Reviews, Session Auditing

User permission review, along with activity reviews and session auditing, ensure the proper implementation of role-based access that enforce the principle of least privilege. When combined with threats such as social engineering and malicious or accidental data exfiltration, they become the basis for a significant number of high and critical risks.

4. User Account Management

Ineffective user account management increases the likelihood of exploitation of vulnerabilities related to use of dormant accounts by former workforce members and both internal and external attackers.

5. Operating System Patching

Effective patch management, as well as application and firmware patch management, are crucial to reduction of attack surface. This deficiency also applies to unsupported operating systems such as Windows 7 and Windows 2008, which we still see present when performing risk analysis for customers. Unsupported operating systems often mean that anti-virus/anti-malware products are either not supported or provide only partial protection. These deficiencies are often associated with high and critical risks.

6. Locked Down External Ports (USB, CD, DVD, Firewire, etc.) and Data Loss Prevention

Controlling the flow of information is critical to maintenance of the confidentiality and integrity of sensitive data. Along with implementation of Data Loss Prevention technologies and restrictions of access to non-organizational email and file sharing sites (OneDrive, Box, Dropbox, etc.), locked down external ports form a strong basis to ensure data is not exposed or exfiltrated.

Designed to reduce the risk associated with the protection of electronic protected health information (ePHI) and other sensitive information to levels within the risk tolerance of your organization, technical controls are something you must carefully select, implement and monitor to ensure risk is managed effectively. No small task, to be sure, and many organizations draw upon outside experts and resources to help them with this important process.

In my next blog, I’ll cover the security control frameworks that are commonly used in healthcare.

Meantime, if you have questions or concerns, I’m happy to discuss. Please reach out to me at henry.sprafkin@clearwatercompliance.com.