www.redspin.com l Page 1
process of deploying a successful information risk management program.

Organizing For Performance (Figure 1)

2. Assessing risk
3. Decision analysis
4. Policy implementation
With this organization in place the information risk management program can be set in motion. Before describing the process in detail it is useful to consider alternative approaches. With pressure to meet the more stringent regulatory requirements imposed by the HITECH Act, urgent deadlines to meet meaningful use requirements, and the need to react to day-to-day incidents, it is easy for a program to become derailed. Consider the requirements for complying with the HITECH Act. Organizations must do the following:

• Implement a notification process to inform affected parties, without unreasonable delay, after discovery of a breach of the security of PHI.

• Implement policies, processes, and procedures for security awareness and training.

• Encrypt PHI data, at rest and in transit. (The HITECH breach notification requirement applies to unsecured PHI, so properly encrypted data that is lost or intercepted does not by itself trigger a notification; encryption is the control that keeps a lost laptop or captured transmission from becoming a reportable breach.)

Immediately launching an effort to address these requirements is tempting, but fraught with peril. Many HIPAA security programs have used the creation of policies and procedures as their starting point. Frequently, there was a disconnection between the policies and the actual technical and procedural safeguards. Further, there was no clear understanding of the broader risk picture or of how it integrates with the business context. A more informed view is shown in Figure 2.

PHI/PII Risk Indication (Figure 2)

Developing a broader view of risk to the business allows the information risk management team to avoid acting narrowly. For example, rather than a siloed effort to develop policies and implement controls to comply with the HITECH Act, a program can be put in place that addresses the unified regulatory requirements associated with PHI/PII data.

Now let's examine each of the steps to carry out the information risk management program. The continuous nature of this process is illustrated in Figure 3.

Risk Management Process (Figure 3)
Step 1. Assess Risk

The first step in the process involves identification and prioritization of risks to the business.

a. Plan data gathering. Identify key success factors and preparation guidance.

b. Gather risk data. Outline the data collection process and analysis.

c. Prioritize risks. Use qualitative and quantitative risk analysis to drive prioritization.

Step 2. Decision Analysis

The second step covers the processes for evaluating requirements, understanding possible solutions, selecting controls, estimating costs, and choosing the most effective mitigation strategy.

Step 3. Policy Implementation

a. Ensure that policy specifications are enforceable.

b. Apply a comprehensive approach that integrates process automation, people, and technology in the mitigation solution.

c. Focus on defense in depth by coordinating application, system, data, and network controls to meet business objectives.

d. Communicate policies and control responsibilities throughout the organization.

Step 4. Measure Effectiveness

The fourth step consists of developing and disseminating reports as well as providing management with a dashboard to understand program effectiveness.
An effective method to get this process underway is to view risk across four simple categories. This provides a straightforward way to clarify tradeoffs and make decisions. These categories can be thought of as the four A's:

Availability: This means keeping the systems running. IT needs to communicate regularly to executive staff on the availability risk to major business processes and ensure there is a business continuity plan in case of failure.

Access: This is defined as ensuring access to systems and data. IT is responsible for providing the right people with the access they need and ensuring that sensitive information is not misused. The IT organization must regularly discuss risks associated with data loss, privacy violations, and inappropriate use.

Accuracy: This means providing complete, timely and correct information that meets the requirements of customers, suppliers, regulators and management. Compliance with HIPAA/HITECH and Sarbanes-Oxley is a common source of accuracy risk for enterprises in the United States. IT should review with management the sources of accuracy risk (and the risk mitigation programs for them), such as the inability to get an accurate, consistent view of patient records or of clinical workflow effectiveness.

Agility: This is defined as the ability to make the necessary business changes with appropriate cost and speed. A specific example of agility risk would be the delay or cancellation of a merger because of the risk of integrating IT systems. The IT organization needs to discuss these risks so that management can make informed decisions and not hedge their bets because they don't believe IT can deliver on time.

• Critical - Corrective measures are required immediately.

• High - Strong need for corrective measures. An action plan must be put in place as soon as possible.

• Medium - Corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.

• Low - Management must determine whether corrective actions are required, or decide to accept the risk.

• Informational - The issue does not indicate a material policy violation but is something for management to consider for enhancing the overall security posture.

Drive these definitions into risk mitigation programs, policy specifications and controls.

Next, everyone in the organization needs a clear and consistent definition of risk. In this context, risk is the probability of a vulnerability being exploited in the current environment, leading to a degree of loss of confidentiality, integrity or availability of an asset. The diagram shown in Figure 4 illustrates the relationships of each element of risk.

Component of Risk (Figure 4)
To illustrate the usage of a risk statement in practice, let's look at an example focusing on risk to PHI data.

The assets (what you are trying to protect; here, PHI)

• You need to know where it is, how it is used, and how it is transported over the network.

The threats (what you are afraid of happening)

• Sophisticated cybercriminals stealing account credentials, credit card records, or medical history to file false claims.

• Hackers using application attacks to gain access to database records.

• Insiders gathering inappropriate data through misconfigured access control.

The vulnerabilities (how the threat could occur)

• Targeted social engineering attacks; malware exploiting Adobe PDF and Microsoft Office (.doc) vulnerabilities.

• Application vulnerabilities (e.g., SQL injection, command injection).

• Misconfigured database access controls.

Current mitigation (what is currently reducing the risk)

• Staff

• Technology

• Processes

strongly with management. However, such a process is resource intensive and thus more expensive, so broad-based coverage is challenging. Therefore, focusing on high impact areas with quantitative methods and driving coverage with qualitative approaches tends to produce the best results.

A final consideration in terms of key success factors is the timing for repeating the process. Each cycle starts with a new risk assessment. The frequency will vary from organization to organization. Many companies find that annual recurrence is sufficient so long as the information security team is proactively monitoring for new threats, vulnerabilities, and assets.

In summary, you can expect investment in an information risk management program to bring important business benefits. Some of these include the following:

• Risk reduction allows deployment of new business processes that were not previously possible.

• Confidence in brand protection can result in new revenue generating programs.

• Trust in service availability means that existing programs can generate more revenue, more profitably.

• Confidence in risk mitigation efforts, ranging from technical controls to effective service level agreements, decreases program launch time.

• Clear guidance on security requirements associated with new business unit projects accelerates time to revenue.
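The pieces above (the PHI risk statement in asset/threat/vulnerability/mitigation form, the definition of risk as the probability of exploitation times the degree of loss from Figure 4, the five ratings from Critical to Informational, and the advice to use quantitative methods on high impact items and qualitative scoring for coverage, as in Step 1c) fit together as a small risk register. The following is an added example written for this page, not Redspin's own tool or method. The 1-5 likelihood and impact scales, the score floors behind the rating names, the rule that each current mitigation lowers likelihood by one step, the single loss expectancy (SLE) and annualized rate of occurrence (ARO) figures, and the register entries themselves are all assumptions constructed for illustration.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Qualitative scales. The paper defines risk as the probability of a
# vulnerability being exploited times the degree of loss, but gives no
# numeric scale; the 1..5 steps below are an assumption for this example.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Rating names are the paper's five categories; the score floors are assumed.
RATING_BANDS = [(20, "Critical"), (12, "High"), (6, "Medium"), (2, "Low"), (0, "Informational")]


@dataclass(frozen=True)
class Risk:
    """One register row in the paper's asset / threat / vulnerability / mitigation form."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str                     # inherent likelihood, before current mitigation
    impact: str
    mitigations: tuple[str, ...] = ()   # assumption: each lowers likelihood one step
    sle: float | None = None            # single loss expectancy, USD (quantitative, optional)
    aro: float | None = None            # annualized rate of occurrence (quantitative, optional)

    def inherent_score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        # Mitigations lower likelihood, never impact: a stolen record costs the
        # same whether or not a control made the theft less likely.
        likelihood = max(1, LIKELIHOOD[self.likelihood] - len(self.mitigations))
        return likelihood * IMPACT[self.impact]

    def rating(self) -> str:
        score = self.residual_score()
        for floor, name in RATING_BANDS:
            if score >= floor:
                return name
        return "Informational"

    def ale(self) -> float | None:
        """Annualized loss expectancy; only rows with quantitative inputs get one."""
        if self.sle is None or self.aro is None:
            return None
        return self.sle * self.aro


def prioritize(register: list[Risk]) -> list[Risk]:
    """Order by residual qualitative score, breaking ties by ALE where quantified."""
    return sorted(register, key=lambda r: (-r.residual_score(), -(r.ale() or 0.0)))


def rating_counts(register: list[Risk]) -> dict[str, int]:
    """Per-rating tally, the kind of figure a Step 4 dashboard would show."""
    return dict(Counter(r.rating() for r in register))


# Constructed register built from the PHI risk statement above. Likelihood,
# impact, mitigation and dollar figures are illustrative assumptions.
PHI_REGISTER = [
    Risk("PHI in the clinical database",
         "cybercriminals stealing medical history to file false claims",
         "SQL injection in the patient portal",
         "likely", "severe", mitigations=("web application firewall",),
         sle=2_500_000, aro=0.25),
    Risk("PHI in the clinical database",
         "insiders gathering inappropriate data",
         "misconfigured database access controls",
         "possible", "major",
         mitigations=("quarterly access review", "database audit logging")),
    Risk("staff workstations with cached PHI",
         "targeted social engineering",
         "malware exploiting PDF and Office document viewer vulnerabilities",
         "likely", "major", mitigations=("security awareness training",)),
    Risk("PHI transported over the network",
         "attackers capturing records in transit",
         "PHI sent without transport encryption",
         "unlikely", "severe", mitigations=("encryption in transit",),
         sle=800_000, aro=0.125),
]

if __name__ == "__main__":
    for r in prioritize(PHI_REGISTER):
        ale = f"ALE ${r.ale():,.0f}" if r.ale() is not None else "qualitative only"
        print(f"{r.rating():<13} residual={r.residual_score():>2} "
              f"inherent={r.inherent_score():>2}  {r.vulnerability}  ({ale})")
    print(rating_counts(PHI_REGISTER))
```

Two design points follow the paper's advice. Only the high impact rows carry SLE/ARO figures, so the expensive quantitative work is spent where it changes a decision, while every row still gets a qualitative rating for coverage. And the rating is computed from residual rather than inherent score, so the "current mitigation" part of the risk statement is what moves an item between rating bands; when a control is retired, the row's rating rises without anyone having to re-estimate it.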
How Redspin Can Help
Redspin has invested heavily in the healthcare in-
dustry segment for several years and has built deep
understanding of security, privacy, and compliance
issues. Specific service offerings include:
About Redspin
Redspin delivers the highest quality information
security assessments through technical expertise,
business acumen, and objectivity. Redspin cus-
tomers include leading companies in healthcare,
financial services, media/entertainment, retail,
and technology. Some of the largest communica-
tions providers and commercial banks rely upon
Redspin to provide an effective managerial, op-
erational and technical solution tailored to their
business context, allowing them to reduce risk,
maintain compliance, and increase the value of
their business unit and IT portfolios.