Page 1
© 2013 SISA Information Security Inc.
HIPAA Risk Analysis
www.sisainfosec.com

About SISA:
SISA Information Security was founded in 2003 and has over 300 customers
ranging from healthcare, insurance, banks, hospitality and information technology.
SISA is a leader in Risk Analysis and its tool SISA Assistant is widely used for
HIPAA compliance.
Dharshan Shanthamurthy, CISA, CISSP, GWAPT, PCI QSA, OCTAVE Authorized
Trainer/Advisor, FCA, ISA, CEH, P2PE QSA, PA QSA
• CEO of SISA Information Security Inc
• Two decades of information security experience and specialist on formal
risk assessment methodologies.
• Conducted around 120 workshops in over 13 countries on topics
ranging from Risk Assessment, HIPAA, PCI and ISO.
• Trained at CERT Coordination Center on Risk Assessment and
recognized as authorized trainer/advisor for SEI in 2003.
• Author of the Certified Information Security Risk Assessor Program
(training dedicated towards formal methodologies)
• PCI DSS Special Interest Group Proposer and Lead for Risk
Assessment.
LinkedIn: http://www.linkedin.com/in/dharshanshanthamurthy
Agenda
• Definition
• Background
• Current environment
• Common Risk Analysis Process
• Questions
Objective: Step-by-step approach to HIPAA Risk Analysis
Risk Assessment
Risk assessment is the cornerstone of any
information security program, and it is the fastest
way to gain a complete understanding of an
organization's security profile – its strengths and
weaknesses, its vulnerabilities and exposures.
“IF YOU CAN’T MEASURE IT
…YOU CAN’T MANAGE IT!”
Background
• Formal risk analysis (or risk assessment)
- Essential component of HIPAA compliance
- Helps organizations identify their most critical exposures and
vulnerabilities and, more importantly, safeguard overall privacy and
security
- Forms the basis for deciding how risks should be managed
• Adds value by ensuring that resources are directed at the areas that
matter most to management and governance.
HIPAA and Risk Analysis: Administrative Safeguards, Security Management Process
(45 CFR §164.308(a)(1)(ii)(A) Risk analysis and (B) Risk management, both Required)
• “Conduct an accurate and thorough assessment of the potential risks and
vulnerabilities to the confidentiality, integrity, and availability of EPHI
held by the covered entity.”
• “Implement security measures sufficient to reduce risks and vulnerabilities
to a reasonable and appropriate level to comply with §164.306(a).”
Risk Analysis: Why is it so critical?
• Control optimization: protect everything, or do risk analysis to
know what actually needs to be protected
• Prioritizes the mitigation process: treat the highest risks first
• Be secure, not just compliant: effective and efficient control
deployment
• Was secure yesterday, but is that still true today? Analyze the
effectiveness of existing controls on an ongoing basis
• Helps the organization take the right decision at the right time
Current Environment
• 80% of organizations do not have a consistent manner of assessing risk.
• 4 out of 5 organizations have no formal risk appetite defined.
• 47 of 49 providers, 20 of 35 health plans and 2 of 7 clearinghouses did
not have a basic formal risk assessment.
Sources: NIST-OCR 2013; 2013 KPMG Survey
Common misconceptions
• Vulnerability Assessment = Risk Analysis
• Risk Analysis = Audit
• Risk Analysis does not require any specific skill
• Risk Analysis is black or white
• We already know the risks, so why conduct a formal Risk Analysis?
• Risk Analysis has no business value and is required only for
compliance purposes, just before the audit
• Risk Analysis does not require a formal approach; let me devise
my own
Common Risk Analysis Flow
Formal ISRA phases (detailed on the following slides):
1. General Description of ISRA
2. Risk Analysis: Risk Identification
3. Risk Analysis: Risk Estimation and Evaluation
4. Risk Treatment
SISA Assistant workflow:
Scope → Asset → Threat → Vulnerabilities → Risk Profiling → Risk Treatment Plan → Results Documentation
1. General Description of ISRA (Information Security Risk Assessment)
Input:
• Basic criteria
• Scope and boundaries
• Organization for ISRM (Information Security Risk Management)
Action: Identify, describe (quantitatively or qualitatively) and prioritize risks.
Output: Assessed risks, prioritized according to the Risk Evaluation Criteria.
2. Risk Analysis: Risk Identification (Identification of Assets)
Input: Scope and boundaries; asset owners; asset location; asset function.
Action: Assets are defined.
Output: List of assets; list of associated business processes.
2. Risk Analysis: Risk Identification (Identification of Threats)
Input: Threat information from review of incidents, asset owners, asset users, etc.
Action: Threats are defined.
Output: Threats, threat source, threat type.
2. Risk Analysis: Risk Identification (Identification of Existing Controls)
Input: Documentation of controls; the Risk Treatment Plan (RTP).
Action: Existing and planned controls are defined.
Output: Existing and planned controls, with their implementation status and usage status.
2. Risk Analysis: Risk Identification (Identification of Vulnerabilities)
Input: Identified assets; identified threats; identified existing controls.
Action: Vulnerabilities are identified.
Output: Vulnerabilities related to assets, threats and controls; vulnerabilities not related to any threat.
2. Risk Analysis: Risk Identification (Identification of Consequences)
Input: Assets and business processes; threats and vulnerabilities.
Action: The impact of the loss of confidentiality, integrity and availability (CIA) is identified.
Output: Incident scenarios with their consequences, related to assets and business processes.
3. Risk Analysis: Risk Estimation
Risk Estimation Methodologies
(a) Qualitative estimation: High, Medium, Low
(b) Quantitative estimation: $, hours, etc.
3. Risk Analysis: Risk Estimation (Assessment of Consequences)
Input: Assets and business processes; threats and vulnerabilities; incident scenarios.
Action: The business impact from information security incidents is assessed.
Output: Assessed consequences of each incident scenario, expressed in terms of assets and impact criteria.
3. Risk Analysis: Risk Estimation (Level of Risk Estimation)
Input: Incident scenarios with their consequences; their likelihood (quantitative or qualitative).
Action: The level of risk is estimated for all relevant incident scenarios.
Output: List of risks with value levels assigned.
4. Risk Evaluation
Input: Risks with value levels assigned, and the risk evaluation criteria.
Action: The level of risk is compared against the risk evaluation criteria and the risk acceptance criteria.
Output: Risks prioritized according to the risk evaluation criteria, in relation to the incident scenarios.
Scope
Define the scope of the risk analysis by:
• Physical location (building, room, etc.)
• Data center
• Business process
• Business division
Asset Review
Example assets in scope:
• Admin processes
• Clinical processes
• Electronic Health Records system
Threat Review
Example threats:
• Hacker exploits insecure communication channels
• Theft/destruction of media or documents
• Corruption of data
• CSRF attack
Vulnerability Review
Example vulnerabilities:
• Employee disclosure
• EPHI is stored unencrypted
• No quarterly review of firewall rules
• XSS vulnerability
Risk Profiling
Risk Score = f(Asset Value, LHOT, LOV)
• Calculated after taking the Risk Evaluation and Risk Acceptance
Criteria into account
Revised Risk Score = Risk Score after
• Evaluating existing controls
• Applying new controls
Risk Treatment Plan
• Options: Treat / Tolerate / Terminate / Transfer
• Take action if Treat or Transfer
• Take approval if Tolerate or Terminate
Results Documentation
• Document each Asset-Threat-Vulnerability (A-T-V) combination with
its associated risk
• Calculation of risk
• Risk Treatment Plan (RTP)
• Action taken
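The flow from the ISRA phases (identify assets, threats, existing controls and vulnerabilities; estimate and evaluate risk against the acceptance criteria) and the SISA Assistant steps (Risk Profiling, Risk Treatment Plan, Results Documentation) can be exercised end to end on a small register. The following is an added example written for this page; it is not SISA Assistant and not code from the deck. It assumes the abbreviations LHOT and LOV stand for likelihood of threat occurrence and level of vulnerability, that those two factors and asset value are each rated Low/Medium/High, that the risk score is their product, that a score of 4 or below meets the risk acceptance criterion, and that a control lowers one factor by a fixed number of scale steps. Every register entry is constructed sample data built from the asset, threat and vulnerability examples on the Asset, Threat and Vulnerability Review slides.

```python
"""Toy HIPAA risk register walking the deck's flow end to end.

Added example, not SISA Assistant or any OCR/NIST tool. Assumptions:
- LHOT = likelihood of threat occurrence, LOV = level of vulnerability;
  both, like asset value, are rated Low/Medium/High (1-3).
- Risk Score = f(Asset Value, LHOT, LOV) is taken to be their product (1..27).
- Risk acceptance criterion: a score of 4 or less is acceptable.
- A control lowers LHOT or LOV by a fixed number of scale steps.
All register entries below are constructed sample data.
"""
from dataclasses import dataclass, field

SCALE = {"Low": 1, "Medium": 2, "High": 3}   # qualitative estimation -> number
ACCEPTANCE_THRESHOLD = 4                      # assumed risk acceptance criterion
NEEDS_ACTION = {"Treat", "Transfer"}          # RTP slide: take action
NEEDS_APPROVAL = {"Tolerate", "Terminate"}    # RTP slide: take approval


@dataclass
class Control:
    name: str
    reduces: str        # "lhot" or "lov"
    by: int             # scale steps removed when the control is effective
    implemented: bool   # implementation status: existing (True) or planned (False)


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    asset_value: str    # impact of loss of C/I/A: Low/Medium/High
    lhot: str           # likelihood of threat occurrence
    lov: str            # level of vulnerability
    controls: list = field(default_factory=list)
    decision: str = ""  # Treat / Tolerate / Terminate / Transfer (owner's choice)


def risk_score(asset_value: str, lhot: str, lov: str) -> int:
    """Inherent Risk Score = f(Asset Value, LHOT, LOV); here the product."""
    return SCALE[asset_value] * SCALE[lhot] * SCALE[lov]


def revised_score(risk: Risk, include_planned: bool = False) -> int:
    """Revised Risk Score after evaluating existing (and optionally planned) controls."""
    lhot, lov = SCALE[risk.lhot], SCALE[risk.lov]
    for c in risk.controls:
        if c.implemented or include_planned:
            if c.reduces == "lhot":
                lhot = max(1, lhot - c.by)
            else:
                lov = max(1, lov - c.by)
    return SCALE[risk.asset_value] * lhot * lov


def evaluate(score: int) -> str:
    """Risk evaluation: compare the level of risk with the acceptance criterion."""
    return "Acceptable" if score <= ACCEPTANCE_THRESHOLD else "Unacceptable"


def treatment_step(decision: str) -> str:
    """Treat/Transfer need action; Tolerate/Terminate need management approval."""
    if decision in NEEDS_ACTION:
        return "Take action"
    if decision in NEEDS_APPROVAL:
        return "Take approval"
    raise ValueError(f"unknown treatment option: {decision!r}")


def document(risk: Risk) -> dict:
    """Results documentation: A-T-V combination, its risk, calculation, RTP and action."""
    inherent = risk_score(risk.asset_value, risk.lhot, risk.lov)
    current = revised_score(risk)
    return {
        "atv": (risk.asset, risk.threat, risk.vulnerability),
        "calculation": f"{SCALE[risk.asset_value]}*{SCALE[risk.lhot]}*{SCALE[risk.lov]}={inherent}",
        "inherent": inherent,
        "current": current,                                   # after existing controls
        "target": revised_score(risk, include_planned=True),  # after planned controls too
        "evaluation": evaluate(current),
        "rtp": risk.decision,
        "action": treatment_step(risk.decision),
    }


def prioritised(register: list) -> list:
    """Assessed risks prioritised by current (revised) score, highest first."""
    return sorted(register, key=revised_score, reverse=True)


# Constructed register reusing the deck's asset, threat and vulnerability examples.
REGISTER = [
    Risk("Electronic Health Records System", "Hacker exploits insecure communication channels",
         "EPHI is stored unencrypted", "High", "Medium", "High",
         controls=[Control("TLS on all EHR interfaces", "lhot", 1, implemented=True),
                   Control("Database encryption at rest", "lov", 2, implemented=False)],
         decision="Treat"),
    Risk("Clinical Processes", "Theft/destruction of media or documents", "Employee disclosure",
         "High", "Low", "Medium",
         controls=[Control("Annual privacy training", "lov", 1, implemented=True)],
         decision="Tolerate"),
    Risk("Admin Processes", "CSRF attack on the staff web portal", "XSS vulnerability",
         "Medium", "Medium", "Medium",
         controls=[Control("Anti-CSRF tokens and output encoding", "lov", 2, implemented=False)],
         decision="Transfer"),
]

if __name__ == "__main__":
    for r in prioritised(REGISTER):
        print(document(r))
```

The point the deck makes on the Risk Profiling slide is visible in the output: the EHR risk has the highest inherent score (18) but existing TLS already brings it to 9, and only the planned encryption-at-rest control brings it inside the acceptance criterion (3), so it stays "Treat" with action required, while the training-mitigated disclosure risk can be tolerated with approval. Whatever scoring function a real tool uses, the inputs (asset value, threat likelihood, vulnerability level, controls with implementation status) and the outputs (A-T-V, calculation, RTP decision, action) are what the Results Documentation slide asks to record.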
Scenario – Threat Profiling
We have had people moving from one
department to another and it seems like
some of them continue to have their
previous access rights both to the network
and to the lab area. Consequently PHI is
accessible to more people than required.
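One way to turn this scenario into evidence for threat profiling, as an added example that is not part of the deck: reconcile the HR transfer log against current directory group membership and flag every group a transferred user still holds that their new department does not need. The HR records, the group export, the department-to-group mapping and the list of PHI-bearing groups are all constructed assumptions for illustration. The result is the threat record (threat, threat source, threat type) the Identification of Threats slide calls for, with the supporting evidence attached.

```python
"""Who still holds access from a previous department?

Added example for the transfer scenario; not part of the deck. Inputs are
constructed stand-ins for an HR transfer log and a directory group export;
the department-to-group mapping and the PHI group list are assumptions.
"""
from dataclasses import dataclass

# Groups each department legitimately needs (assumed). The shared lab door
# group shows that a group kept across a transfer is not always stale.
DEPARTMENT_GROUPS = {
    "Radiology": {"grp-radiology-share", "grp-lab-door-b2"},
    "Pharmacy": {"grp-pharmacy-share", "grp-lab-door-b2"},
    "Billing": {"grp-billing-share"},
}
# Groups that grant access to PHI or to the lab area (assumed).
PHI_GROUPS = {"grp-radiology-share", "grp-pharmacy-share",
              "grp-billing-share", "grp-lab-door-b2"}

# Constructed HR transfer log: (user, previous department, current department).
TRANSFERS = [
    ("jdoe", "Radiology", "Billing"),
    ("asmith", "Pharmacy", "Radiology"),
    ("bkhan", "Billing", "Billing"),   # no move, nothing to check
]

# Constructed directory export: user -> groups currently held.
MEMBERSHIPS = {
    "jdoe": {"grp-radiology-share", "grp-lab-door-b2", "grp-billing-share"},
    "asmith": {"grp-pharmacy-share", "grp-lab-door-b2", "grp-radiology-share"},
    "bkhan": {"grp-billing-share"},
}


@dataclass(frozen=True)
class Finding:
    user: str
    group: str
    previous_department: str
    current_department: str
    exposes_phi: bool


def stale_access(transfers, memberships, department_groups, phi_groups=PHI_GROUPS) -> list:
    """Every group a transferred user holds that the new department does not need."""
    findings = []
    for user, previous, current in transfers:
        if previous == current:
            continue
        allowed = department_groups.get(current, set())
        for group in sorted(memberships.get(user, set()) - allowed):
            findings.append(Finding(user, group, previous, current, group in phi_groups))
    return findings


def threat_profile(findings) -> dict:
    """Threat record (threat, source, type) with the evidence attached."""
    return {
        "asset": "PHI network shares and lab area",
        "threat": "Transferred staff retain previous-department access to PHI",
        "threat_source": "Internal: former department members, accidental or deliberate",
        "threat_type": "Unauthorised access to / disclosure of PHI",
        "vulnerability": "Access rights are not reviewed or revoked on department transfer",
        "affected_users": sorted({f.user for f in findings}),
        "evidence": [f"{f.user} still holds {f.group} (was {f.previous_department}, "
                     f"now {f.current_department})" for f in findings],
    }


if __name__ == "__main__":
    profile = threat_profile(stale_access(TRANSFERS, MEMBERSHIPS, DEPARTMENT_GROUPS))
    for line in profile["evidence"]:
        print(line)
```

The check subtracts the new department's entitlements from what the user holds rather than revoking everything the old department had; in the sample, asmith's lab door group is needed in both Pharmacy and Radiology and is correctly not flagged, while jdoe's Radiology share and door access are. Run against real exports, the findings list is the input to the vulnerability and consequence steps of the flow, and the same reconciliation scheduled after every transfer is the candidate control for the Risk Treatment Plan.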
Questions
Email: [email protected]