Workstream Name: Risk Management Process Initiative Number: 1.1 Workstream Lead: Mark Olson, CISO Sponsor: John Halamka, MD, CIO Problem Statement: Part 164.308 (a)(1) of Title 45 of the Code of Federal Regulations (CFR) requires each HIPAA Covered Entity to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. Part 17.00 of Chapter 201 of the Code of Massachusetts Regulations (CMR) requires all Service Providers that receive, store, maintain, process, or otherwise permit access to Personal Information related to a Massachusetts resident to identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing Personal Information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks. An information systems security program review by D&T conducted in December 2012 recommended improving the formality with which BIDMC conducts risk assessments. Objectives: Develop and implement a standard risk management framework and methodology (including risk appetite / thresholds, acceptance criteria, treatment process). Conduct periodic risk assessments and remediate the gaps / risks. Implement security incident handling procedures to manage all security incidents from reporting, logging, investigation to remediation. Relationship to D&T Assessment: This was one of the fourteen workstreams identified by D&T. The initiatives they recommended include: S1.1 Define a standard risk assessment framework and methodology and conduct periodic risk assessments. The risk assessment framework / methodology should: a) Incorporate applicable legal, regulatory, industry and organization security requirements b) Define risk thresholds c) Define likelihood, impact and risk ratings d) Define process for conducting risk assessment FY13 Q3 Q4 FY14 Q1 Q2 Q3 FY15 Q4 Q1 Q2 Q3 FY16 Q4 Q1 Q2 Q3 Q4 S1.2 Establish a formal process to manage (i.e., identify, review, approve) exceptions to established policies and procedures for relevance and validity. Page 1 of 5 Version 4.2 5-23-2013 T1.4 Implement an Enterprise Governance Risk and Compliance solution (eGRC) to adequately manage risks, demonstrate compliance, and automate risk management activities. FY13 Q3 Q4 FY14 Q1 Q2 Q3 FY15 Q4 Q1 Q2 FY16 Q3 Q4 Q1 Q2 Q3 Q4 T1.5 Establish additional security metrics to ensure a comprehensive mechanism for quantifying information on the effectiveness and performance of information security activities across all critical security domains. FY13 Q3 Q4 FY14 Q1 Q2 Q3 FY15 Q4 Q1 Q2 FY16 Q3 Q4 Q1 Q2 Q3 Q4 S1.6 Develop a process to ensure that security incident handling activities are performed in a consistent manner or all security incidents. In addition, develop a mechanism to ensure that security incidents are logged and routed to the appropriate team for tracking, investigation and remediation. FY13 Q3 Q4 FY14 Q1 Q2 Q3 FY15 Q4 Q1 Q2 FY16 Q3 Q4 Q1 Q2 Q3 Q4 Resource Requirements: Type Expense Recurring Operating Purc. Svcs, – Annual Pen Testing Purc. Svcs, – Biannual full/Annual update Purc. Svcs. – far-end WAN site reviews Software maint. – GRC Software Travel and Training Supplies and Material FY13 Total Recurring Capital – Specialized tools and GRC s/w FY14 FY15 FY16 FY17 $0 $0 $0 $0 $0 $45,000 $250,000 $40,000 $0 $50,000 $45,000 $250000 $40,000 $50,000 $45,000 $250,000 $40,000 $50,000 $45,000 $250,000 $40,000 $50,000 0 $385,000 $385,000 $385,000 $385,000 $0 $200,000 $0 $0 $0 Note: D&T estimate was $600-$800k and 3 FTE for 15 months for initial work. Ongoing cost estimate was $400-$600k and 1 FTE over 5 years. A new position, Risk Assessment Coordinator, will be created within the Information Systems Security division. The Coordinator will report to the Chief Information Security Officer (CISO). The person will be responsible for managing a biannual full risk assessment based on the NIST 800 security framework and an update on the off-years. A multi-disciplinary Committee, to be chaired by the Chief Information Security Officer and staffed by the Risk Unit Coordinator, will be established to provide advice and assistance for the effort. Page 2 of 5 Version 4.2 5-23-2013 Work products will be reviewed by the Information Systems and Privacy Committee and the IS Security Governance Committee that is to be formed. The latter will consist of the COO, CFO, CIO, SVP for Compliance, and CISO. Assumptions and Constraints: Indications are that CMS will require HIPAA Covered Entities to complete risk assessments based on the NIST 800 Framework. Therefore, BIDMC will adopt the NIST 800 framework as its model. Assessing risk is a dynamic process as laws, technologies, organizations, processes, threats and other variables are constantly changing. Therefore, our Risk Management Strategy should not be a onetime event, but a continuous process. Annual penetration testing will not include every application, but a sample environment that, in the opinion of the CISO, presents highest risk. Accomplishments will be dependent on our ability to recruit and retain planned resources. Major Milestones and Timeline: Achieving the above objectives will require the following – Description 12 months Establish organizational roles and responsibilities, governance process, and policies supportive of the program Competitively identify a firm for conducting the assessments Select security controls 1 Conduct assessment to determine compliance with selected controls 2 Identify functionality required to remediate non-compliant items 3 Identify remediation activities necessary to bring systems (s) into compliance with security controls Establish a process for monitoring progress toward achieving full compliance with security controls Implement a Governance, Risk Management, and Compliance (GRC) software application.4 24 months 36 months 48 + months 1 Security controls require each information system to be rated according to the impact it would have on confidentiality, integrity, and availability should a breach in security occur. Risk levels are low, moderate, and high. Security controls (SP 800-53) are selected based on risk levels. 2 Note: Existing information systems should be reviewed on a biannual basis or whenever a significant change occurs. New systems should be reviewed prior to go-live. 3 Technology teams would be responsible for selecting and implementing the solution. Cost for remediation solutions is not included in the above budget. They are included in the overall budget if D&T identified the risk in their assessment. Page 3 of 5 Version 4.2 5-23-2013 Description Establish a set of security metrics for quantifying and measuring the effectiveness of the IS security program across all critical domains Develop improved Security-related incident handling policies and procedures 12 months 24 months 36 months 48 + months Out of Scope: These recommendations identified by D&T will be addressed in other Workstreams. S1.3 ADM14 (Signature Authorization) policy which requires all requests for computer hardware and/or software to be reviewed and approved by the CIO or designee should be included as part of the annual trainings to all employees to ensure the requirement is understood and consistently adhered to across the organization. S1.7 Continue with current laptop encryption initiative and conduct user awareness trainings to mitigate the risks posed by unauthorized access to laptops. Expenses to remediate newly discovered risks not identified in the January 2013 D&T Risk Assessment report are not included in this budget. Risk assessments will be applicable to BIDMC proper for centrally managed systems only. If, during the course of an assessment, risks are identified for other areas, they will be brought to their attention, but will not become the responsibility of the CISO. The budget only covers the cost of risk assessment activities and not remediation of risks discovered. Measures of Success: 1. 2. 3. Resolve the two NIST 800-66 HIPAA control and one industry gaps identified above within three years. Establish a maturity Level 3, “Defined” by 2014 and level 4, “Managed” by year 2015. Achieve acceptable ratings through the risk assessment process for 60 percent of these NIST 800-53 Security and Privacy Controls by 2014, 80 percent by 2015 and 90 percent or better by 2016. IR-1 IR-2 IR-3 IR-4 IR-5 IR-6 IR-7 IR-9 PM-6 Incident Response Policy and Procedures * Incident Response Training * Incident Response Testing * Incident Handling * Incident Monitoring * Incident Reporting * Incident Response Assistance * Incident Response Plan Information Security Measures of Performance 4 GRC applications provide a means for managing IS Security policies and exceptions, visualizing and communicating risks, managing, monitoring and tracking threats, and investigating and resolving cyber incidents. Page 4 of 5 Version 4.2 5-23-2013 PM-9 RA-1 RA-2 RA-3 RA-5 Risk Management Strategy Risk Assessment Policy and Procedures * Security Categorization * Risk Assessment * Vulnerability Scanning * * These items are cross-walked to HIPAA in NIST 800-66 Page 5 of 5 Version 4.2 5-23-2013