Strengthening Information Assurance in Healthcare

White Paper
Strengthening Information Assurance in Healthcare
Date: April, 2011
Provided by:
Concurrent Technologies Corporation (CTC)
100 CTC Drive
Johnstown, PA 15904-1935
www.ctc.com
Business Point of Contact:
Mr. Dave Davis
Senior Director, Healthcare Initiatives
Phone: (814) 269-2582
Email: davisd@ctc.com
Strengthening Information Assurance in Healthcare
The 2009 changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy
Rules and Security Safeguards have had a major impact on healthcare providers as well as non-covered entities, as there is no longer the option of voluntary compliance. The changes include
mandatory audits for HIPAA compliance, significant fines for non-compliance, and criminal
charges for violations of HIPAA's authorization requirements (fines can range from $10K to $50K per violation). This paper focuses on the HIPAA regulations as they pertain to information
technology security and on an approach to address information assurance.
Covered entities and business associates should note that while a successful compliance
assessment may be a starting point for information security, it provides only a minimal
level of information assurance and gives no practical indication of the overall security
posture of the organization. It is not sufficient to concentrate only on infrastructure controls, as
the majority of cyber attacks increasingly occur at the application layer and on unprotected
endpoints. Data from MITRE indicates that "compliance only" assessments cover
approximately 45% of known vulnerabilities. Attackers know this; they will assume that
you are compliant and therefore concentrate on the remaining 55% of the attack surface.
As electronic exchange of Protected Health Information (PHI) becomes the norm, covered
entities must have assurances that PHI is safeguarded as it is transmitted between corporate and
local facilities, third party service providers, governmental entities, or other public health
entities.
• What assurances do you have that other facilities have appropriate safeguards for PHI
you provide?
• What assurances do you have that the health information technology software that you
have deployed was developed using industry standard software assurance practices?
• Have your employees been sufficiently trained in information security practices?
• Do you have a good understanding of what security controls you have in place, what they
protect, their effectiveness, and where the gaps are, if any?
• Are all endpoints protected (including business and personal mobile devices such as
laptops and phones)?
• How often are you reassessing security safeguards, policies and procedures?
• Is there too much focus on protection and too little on detection and response?
When choosing security safeguards, entities must assess these controls and understand how they
relate to the various states and places in which information assets can exist. The
McCumber Cube provides a concise framework that models the perspectives one must
consider for information assurance and how information assets can coexist in multiple
dimensions. When assessing an information security problem, it provides a good reference for
thinking about the problem from each perspective.
Figure 1 McCumber Cube (three axes: Security Goals/Services: Confidentiality, Integrity, Availability; Information States: Transmission, Storage, Processing; Security Counter-Measures: Technology, Policies & Practices, Human Factors)
Information Security Goals/Services
• Confidentiality – information should not be disclosed to unauthorized users.
• Integrity – information (and systems) should not be modified (maliciously or
accidentally) outside of authorized processes.
• Availability – information should be reliably accessible to authorized users.
Information States
• Transmission – information moving from source to destination.
• Storage – information at rest, waiting to be accessed.
• Processing – information being examined or modified.
Security Counter-Measures
• Technology – hardware and software used to limit threats and vulnerabilities.
• Policies & Practices – defined goals and procedures for mitigating risks.
• Human Factors – awareness, education, and training.
For example, file or disk encryption is a technology that addresses confidentiality of
information in storage. However, it does not address availability if the password is lost; it does
not address human factors and policies (awareness, education) if the password is weak or obtained
through social engineering; and it does not address transmission if the data must be decrypted for
another office or entity to receive, and that recipient then retains the information unencrypted on
a mobile device (unprotected endpoint).
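As an added illustration (not part of CTC's paper or its assessment methodology), the following Python models the cube as 27 (goal, state, counter-measure) cells and maps a constructed control inventory onto it. Cells that no control addresses are exactly the gaps the encryption example above describes: disk encryption fills one cell and leaves availability, transmission and the human-factors dimension untouched unless other controls are registered. The control names and the inventory are hypothetical; only the three axes come from the paper.

```python
"""Coverage map over the McCumber Cube (added illustration, not CTC's code).

Each of the 27 cells is a (goal, state, counter-measure) triple. A control is
registered against the cells it actually addresses; anything left empty is a
gap in the sense the paper describes.
"""
from itertools import product

# The three axes of the cube, as listed in the paper.
GOALS = ("confidentiality", "integrity", "availability")
STATES = ("transmission", "storage", "processing")
MEASURES = ("technology", "policies_practices", "human_factors")


class McCumberCoverage:
    """Tracks which cube cells are addressed by at least one named control."""

    def __init__(self):
        # Every cell starts empty; insertion order follows GOALS, STATES, MEASURES.
        self._cells = {cell: [] for cell in product(GOALS, STATES, MEASURES)}

    def add_control(self, name, goals, states, measures):
        """Register `name` for every (goal, state, measure) combination given.

        Rejects values outside the three axes so typos do not silently create
        a control that covers nothing.
        """
        for axis, values, allowed in (("goal", goals, GOALS),
                                      ("state", states, STATES),
                                      ("measure", measures, MEASURES)):
            bad = set(values) - set(allowed)
            if bad:
                raise ValueError(f"unknown {axis} value(s): {sorted(bad)}")
        for cell in product(goals, states, measures):
            self._cells[cell].append(name)

    def controls_for(self, goal, state, measure):
        """Names of the controls registered for one cell."""
        return list(self._cells[(goal, state, measure)])

    def gaps(self):
        """All cells that no registered control addresses, in axis order."""
        return [cell for cell, names in self._cells.items() if not names]

    def gaps_for_goal(self, goal):
        """(state, measure) pairs still uncovered for one security goal."""
        return [(s, m) for (g, s, m) in self.gaps() if g == goal]

    def coverage_ratio(self):
        """Fraction of the 27 cells with at least one control."""
        covered = sum(1 for names in self._cells.values() if names)
        return covered / len(self._cells)


def build_sample_inventory():
    """Constructed sample inventory (hypothetical controls, for illustration)."""
    cube = McCumberCoverage()
    # The paper's example: disk encryption covers confidentiality of stored data only.
    cube.add_control("full-disk encryption on laptops",
                     goals=["confidentiality"], states=["storage"],
                     measures=["technology"])
    # Encrypted transport protects PHI in transit, for confidentiality and integrity.
    cube.add_control("TLS for PHI exchange with partners",
                     goals=["confidentiality", "integrity"], states=["transmission"],
                     measures=["technology"])
    # A key escrow policy is what keeps encrypted data available if a password is lost.
    cube.add_control("key escrow / backup policy",
                     goals=["availability"], states=["storage"],
                     measures=["policies_practices"])
    # Awareness training addresses the human-factors dimension across all states.
    cube.add_control("annual security awareness training",
                     goals=["confidentiality"], states=list(STATES),
                     measures=["human_factors"])
    return cube


if __name__ == "__main__":
    inventory = build_sample_inventory()
    print(f"cells covered: {inventory.coverage_ratio():.0%}")
    for state, measure in inventory.gaps_for_goal("confidentiality"):
        print(f"confidentiality gap: {state} / {measure}")
```

Running the script prints the coverage fraction (7 of 27 cells for the sample inventory) and lists the confidentiality cells still unaddressed, for instance confidentiality of data in processing with no technology or policy control behind it. Treating each control as a set of cells, rather than a single checkbox, is what makes the "disk encryption does not address availability" observation mechanically visible.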
Identification of Critical Program Information (CPI) and Critical Technology (CT) is the
backbone for all risk management strategic scheduling and resource decisions. Given that
resources are not unlimited and that entities may not have the ability to conduct full-scale
risk management activities on all of their critical assets, it is still crucial to identify and collect
knowledge of these assets to aid in the appropriate prioritization and allocation of resources
across the entire enterprise. This knowledge is also useful for characterizing and prioritizing the
potential risks to critical assets and determining the entity's overall security posture.
CTC advocates a more positive approach to information assurance that combines compliance
assessments, CPI/CT identification and threat modeling, with more emphasis on the effectiveness
that security controls have in limiting or mitigating threats in each dimension of information
assurance. Compliance-only assessments provide, at most, half of the threat coverage and are
more "negatively" focused on the non-compliance gaps.
CTC utilizes a multi-tiered approach to risk management that minimizes effort for lower risk
areas and maximizes understanding and mitigation planning for higher risk areas.
Tier 1 Assessment
• Objectives: Identify critical technology (CT) and critical program information (CPI)
likely to pose increased risk (i.e. critical asset identification).
• Activities: Identify and collect basic information about all critical assets. This
information consists of very high-level indicators (criticality) of critical assets.
• Mechanisms: Interviews and survey.
• Investment: Minimal cost and effort to interview and fill in survey information.
• Deliverables: Report containing results of surveys and a prioritized list of critical assets by
criticality.
Tier 2 Assessment
• Objectives: Identify which critical assets will require more immediate investigation and
assessment to quantify and mitigate risk. Review policies and procedures for compliance
with the HIPAA Privacy Rule. Initial review of security controls for compliance with HIPAA
Security Safeguards.
• Activities: Includes Tier 1 activities. Collect more detailed information about specific
technologies utilized to provide confidentiality, integrity and availability of critical assets.
Review policies and procedures documentation for HIPAA compliance. Review and
determine the existence and effectiveness of required HIPAA Security Safeguards.
• Mechanisms: Interviews, surveys, documentation review, threat modeling.
• Investment: Additional cost for documentation reviews, additional interviews and
surveys, and threat modeling.
• Deliverables: Report containing results of surveys, compliance checks, and results of
threat modeling, providing further detail of criticality, risks and mitigations for identified
critical assets.
Tier 3 Assessment
• Objectives: Determine the overall "health" of security safeguards applied to the critical
assets with a 'high' criticality. Test and identify issues/vulnerabilities with associated
security safeguards and recommend appropriate mitigations. In-depth review of policies
and procedures for potential recommendations of changes to improve security and reduce security
management costs.
• Activities: Includes all Tier 2 activities. Analysis of security safeguards, including
basic application penetration tests. In-depth review of policies and procedures.
• Mechanisms: Interviews, surveys, document reviews, penetration-test and scanning tools.
• Investment: Additional costs for in-depth reviews, application penetration tests, scanning
and analysis.
• Deliverables: Report containing results of reviews and of application penetration and scan
tests, providing further detail of criticality, risks and mitigations for identified critical
assets.
Tier 4 Assessment
• Objectives: Determine the overall "health" of critical assets with a criticality of 'Medium'
or higher. Test and identify issues/vulnerabilities with associated security safeguards and
recommend appropriate mitigations. Review of auditing procedures and electronic
monitoring of security controls. Review of education, training, and security awareness
programs with recommendations to address identified gaps. Review of compliance with
HIPAA, Defense Information Systems Agency (DISA) Security Technical
Implementation Guide (STIG), National Institute of Standards and Technology (NIST)
800-53, and International Organization for Standardization (ISO) 17799.
• Activities: Includes Tier 3 activities. Complete review of policies and procedures and
security safeguards against HIPAA, DISA STIG, NIST 800-53 and ISO 17799. In-depth
review of education, training, and security awareness documents and procedures.
• Mechanisms: Interviews, surveys, document reviews, penetration-test and scanning tools.
• Investment: Additional costs for compliance checks, education and training reviews, and
added application penetration tests, scanning and analysis.
• Deliverables: Report containing results of reviews, compliance checks, and results of
application penetration and scan tests, providing further detail of criticality, risks and
mitigations for identified critical assets.
In summary, CTC provides our customers with end-to-end risk management solutions that
focus on security risk management across the health information technology (HIT) enterprise.