Presentation is loading. Please wait.

Presentation is loading. Please wait.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Health IT Standards Committee Meeting Security Risk Management For Health IT Systems and Networks.

Published byShannon Fann Modified over 9 years ago

Similar presentations

Presentation on theme: "NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Health IT Standards Committee Meeting Security Risk Management For Health IT Systems and Networks."— Presentation transcript:

1 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Health IT Standards Committee Meeting Security Risk Management For Health IT Systems and Networks

2 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 2 Setting the stage.

3 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 3 The sanctity of the patient’s privacy (data confidentiality) and safety (data integrity and service availability). The growing use of advanced information technologies… Key Challenge Exercising security and privacy due diligence and managing risk.

4 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 4  We are vulnerable because our information technology is fragile and susceptible to a wide range of threats including:  cyber attacks. (including insider threat)  natural disasters.  structural failures.  errors and misuse.

5 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 5 Advanced Persistent Threat An adversary that —  Possesses significant levels of expertise / resources.  Creates opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, deception).  Establishes footholds within IT infrastructure of targeted organizations:  To exfiltrate information;  To undermine / impede critical aspects of a mission, program, or organization; and  To position itself to carry out these objectives in the future.

6 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 6 Classes of Vulnerabilities A 2013 Defense Science Board Report described—  Tier 1: Known vulnerabilities.  Tier 2: Unknown vulnerabilities (zero-day exploits).  Tier 3: Adversary-created vulnerabilities (APT). A significant number of these vulnerabilities are “off the radar” of most organizations…

7 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 7 Good cyber hygiene is necessary… But not sufficient. You can’t count, configure, or patch your way out of this problem space. Difficult decisions ahead. Which Road to Follow?

8 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 8 Today, in cybersecurity, we are doing a lot of things right… But we are not doing enough.

9 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 9 The hard cybersecurity problems are buried below the water line… In the hardware, software, and firmware.

10 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 10 The argument for building stronger, more resilient information systems… Software assurance. Systems security engineering. Supply chain risk management.

11 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 11 Getting the attention of the C-Suite.

12 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 12  T hreat  A ssets  C omplexity  I ntegration  T rustworthiness TACIT Security MERRIAM - WEBSTER DICTIONARY tac. it adjective : expressed or understood without being directly stated

13 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 13 Threat  Develop a better understanding of the modern threat space, including the capability of adversaries to launch sophisticated, targeted cyber-attacks that exploit specific organizational vulnerabilities.  Obtain threat data from as many sources as possible.  Include external and insider threat analysis.

14 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 14 Assets  Conduct a comprehensive criticality analysis of organizational assets including information and information systems.  Focus on mission/business impact.  Use triage concept to segregate assets by criticality.

15 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 15 Complexity  Reduce the complexity of the information technology infrastructure including IT component products and information systems.  Employ enterprise architecture to consolidate, optimize, and standardize the IT infrastructure.  Adopt cloud computing architectures to reduce the number of IT assets through on-demand provisioning of services.

16 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 16 Integration  Integrate information security requirements and the security expertise of individuals into organizational development and management processes.  Embed security personnel into enterprise architecture, systems engineering, SDLC, and acquisition processes.  Coordinate security requirements with mission/business owners; become key stakeholders.

17 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 17 Trustworthiness  Invest in more trustworthy and resilient information systems supporting organizational missions and business functions.  Isolate critical assets into separate enclaves.  Implement solutions using modular design, layered defenses, component isolation.

18 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 18 Summary  Understand the cyber threat space.  Conduct a thorough criticality analysis of health IT organizational assets.  Reduce complexity of health IT infrastructure.  Integrate health IT security requirements into organizational processes.  Invest in trustworthiness and resilience of health IT components and systems.

19 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 19 The road ahead.

20 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 20 Joint Task Force Federal Cyber Security Toolset  NIST Special Publication 800-39 Managing Information Security Risk: Organization, Mission, and Information System View  NIST Special Publication 800-30 Guide for Conducting Risk Assessments  NIST Special Publication 800-37 Applying the Risk Management Framework to Federal Information Systems  NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations  NIST Special Publication 800-53A Guide for Assessing the Security Controls in Federal Information Systems and Organizations

21 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 21 TIER 3 Information Systems and Medical Devices (Environment of Operation) TIER 2 Mission / Business Process (Information and Information Flows) TIER 1 Organization (Governance) Communicating and sharing risk-related information from the tactical to strategic level, that is from the operators to the executives. The Healthcare Organization Communicating and sharing risk-related information from the strategic to tactical level, that is from the executives to the operators.

22 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 22 Risk Management Framework Security Life Cycle Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system). ASSESS Security Controls Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation. AUTHORIZE Information System Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business. Starting Point CATEGORIZE Information System Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment. SELECT Security Controls 164.308(a)(8) Evaluation 164.308(a)(1)(ii)(D) Information System Activity Review 164.308(a)(1)(ii)(B) Risk Management 164.308(a)(8) Evaluation 164.308(a)(1)(ii)(B) Risk Management Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings. IMPLEMENT Security Controls Continuously track changes to the information system that may affect security controls and reassess control effectiveness. MONITOR Security Controls 164.308(a)(1)(i) Security Management Process 164.308(a)(1)(i) Security Management Process 164.308(a)(1)(ii)(A) Risk Analysis 164.308(a)(1)(ii)(B) Risk Management 164.316(b)(1) Documentation 164.316(b)(2)(ii) Updates

23 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 23 Dual Protection Strategies Sometimes your information systems will be compromised even when you do everything right…  Boundary Protection Primary Consideration: Penetration resistance. Adversary Location: Outside defensive perimeter. Objective: Repel the attack.  Agile Defense Primary Consideration: Information system resilience. Adversary Location: Inside defensive perimeter. Objective: Operate during disruption, mitigate damage, recover quickly.

24 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 24 NIST Special Publication 800-160 Systems Security Engineering An Integrated Approach to Building Trustworthy Resilient Systems On the Horizon…

25 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 25  Stakeholder requirements definition.  Requirements analysis.  Architectural design.  Implementation.  Integration.  Verification.  Transition.  Validation.  Operation.  Maintenance.  Disposal. Building on International Standards

26 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 26 Some final thoughts.

27 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 27 Security should be a by-product of good design and development practices. Security is critical to the success of any healthcare organization, and to the privacy, safety, and health of patients.

28 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 28 Be proactive, not reactive when it comes to protecting your organizational assets.

29 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 29 Cybersecurity is a team sport. Government Academia Industry

30 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 30 Necessary and Sufficient Security Solutions… Cyber Security Hygiene COUNTING, CONFIGURING, AND PATCHING IT ASSETS Strengthening the IT Infrastructure SYSTEM / SECURITY ENGINEERING, ARCHITECTURE, AND RESILIENCY Has your organization achieved the appropriate balance?

31 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 31

32 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 32 Contact Information 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA 20899-8930 Project LeaderAdministrative Support Dr. Ron RossPeggy Himes (301) 975-5390(301) 975-2489 ron.ross@nist.gov peggy.himes@nist.gov LinkedIn http://www.linkedin.com/in/ronrossnist Senior Information Security Researchers and Technical Support Pat Toth Kelley Dempsey (301) 975-5140 (301) 975-2827 patricia.toth@nist.gov kelley.dempsey@nist.gov Web: csrc.nist.govComments: sec-cert@nist.gov

Download ppt "NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Health IT Standards Committee Meeting Security Risk Management For Health IT Systems and Networks."

Similar presentations

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
SAFE Blueprint and the Security Ecosystem. 2 Chapter Topics  SAFE Blueprint Overview  Achieving the Balance  Defining Customer Expectations  Design.

SAFE Blueprint and the Security Ecosystem. 2 Chapter Topics  SAFE Blueprint Overview  Achieving the Balance  Defining Customer Expectations  Design.
KDP-1: Integrate supply chain knowledge into secure solutions concepts Evaluate supply chain threats with respect to the set of possible solutions under.

KDP-1: Integrate supply chain knowledge into secure solutions concepts Evaluate supply chain threats with respect to the set of possible solutions under.
Near Real Time Risk Management Transforming the Certification and Accreditation Process ISSA-Baltimore Chapter Meeting May 28, 2008 Dr. Ron Ross.

Near Real Time Risk Management Transforming the Certification and Accreditation Process ISSA-Baltimore Chapter Meeting May 28, 2008 Dr. Ron Ross.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
Security Controls – What Works

Security Controls – What Works
Managing Risks from Information Systems Building Effective Information Security Programs Data Management Association-National Capital Region January.

Managing Risks from Information Systems Building Effective Information Security Programs Data Management Association-National Capital Region January.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Critical Infrastructure Protection (and Policy) H. Scott Matthews March 25, 2004.

Critical Infrastructure Protection (and Policy) H. Scott Matthews March 25, 2004.
Federal Information Security Management Act Applying NIST Information Security Standards and Guidelines Presented to the State of California April.

Federal Information Security Management Act Applying NIST Information Security Standards and Guidelines Presented to the State of California April.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Risk Assessment Frameworks

Risk Assessment Frameworks
Risk Management Framework

Risk Management Framework
NIST SP 800-37, Revision 1 Applying Risk Management to Information Systems (Transforming the Certification and Accreditation Process) A Tutorial February.

NIST SP , Revision 1 Applying Risk Management to Information Systems (Transforming the Certification and Accreditation Process) A Tutorial February.
IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.

IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.
Dr. Ron Ross Computer Security Division

Dr. Ron Ross Computer Security Division
Systems Engineering Approach to MPS Risk Management Kelly Mahoney Presented at the Workshop for Machine Protection in Linear Accelerators.

Systems Engineering Approach to MPS Risk Management Kelly Mahoney Presented at the Workshop for Machine Protection in Linear Accelerators.
Security Assessments FITSP-M Module 5. Security control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass.

Security Assessments FITSP-M Module 5. Security control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass.

Similar presentations

Ads by Google