Tuesday, October 2, 2012

Security Assessment Kickoff

Meaningful Use Stage 2 requires a security audit.

"Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312 (a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process."

Yesterday, we kicked off the enterprise security audit at BIDMC.

Every audit requires a framework. For security, framework choices include NIST, ISO 27002, HITRUST, PCI and COBIT. We've elected to use a NIST approach.

NIST is the National Institute of Standards and Technology (formerly the National Bureau of Standards), a component of the Department of Commerce. One of the NIST subject areas is Information Technology - the "800" series.

NIST publishes hundreds of Bulletins, Standards and Guidelines related to Information Technology. Topics range from "What about Cloud Security" to "Smart Grid Interoperability". Relevant to security audits is the NIST 800-30 "Guide for Conducting Risk Assessments".

Why did we choose NIST?

NIST is mandated within the Federal Government. It is gradually being extended to contractors, including Medicare providers. Recently, several NIH grants I've reviewed have included the need for a NIST-based risk assessment. The Centers for Medicare and Medicaid Services (CMS) increasingly refers to NIST assessments in its compliance efforts.

All security frameworks, including NIST 800, share common themes. For example, risk is defined in terms of threat, vulnerability, likelihood of occurrence, and impact.

- "Threat" could be malware, a natural disaster, a disgruntled employee or a myriad of other things.
- "Vulnerability" is a weakness that makes a system susceptible to the threat.
- "Likelihood" is the probability that the threat and vulnerability will come together.
- "Impact" is the consequence to the organization of an occurrence.

For example:
- Threat = thief
- Vulnerability = laptop visible on front seat of a car parked in a public lot
- Likelihood of Occurrence = high
- Impact = significant if the laptop contains ePHI

NIST 800 also provides recommended controls for mitigating risk. NIST 800-53 describes 194 security controls that roll up into 18 families. (See the above graphic.)

I'll report back on the results of our audit and lessons learned when it is completed in November.


Austin said...

I'm excited to hear about the results of this audit. Do you believe your environment is ready for the NIST audit or is it more of an implementation approach?

Also, why did you not consider HITRUST as it includes NIST? I know it is a somewhat immature framework, but in theory it should map to NIST and allow you to also get coverage of many other regulations. Interested in your thoughts!

Anonymous said...

Don't overlook the usefulness of NIST SP800-30 (Guideline for Conducting Risk Assessments) and SP800-66 (Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule).

Both of these can be excellent resources for providers trying to better understand the Security Rule and Risk Assessments as necessary under MU.

If you really want to better understand how HHS/CMS view/address security, take a look at CMS's Acceptable Risk Safeguards for Moderate level systems (http://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/downloads/ARS_App_B_CMSR_Moderate.pdf). Think of it as SP800-53 with all of the blanks filled in.

NIST also provides an excellent (and free) tool to help collect artifacts related to the Risk Assessment in their HIPAA Security Rule Toolkit. (http://scap.nist.gov/hipaa/)