Beyond passwords: How NIST cybersecurity framework gives risk management a boost
Enterprise risk management is a tall order, as healthcare organizations strive in earnest to mitigate their exposure to a wide array of threats and uncertainties. But what if there were a roadmap already written that could help guide the way?
There is, says healthcare attorney Barry Herrin, founder of Herrin Health Law. It's just too often seen as something to be filed away with health systems' cybersecurity plans.
The NIST Cybersecurity Framework will be familiar to many hospital IT and security personnel as they grapple with this frightening new era of weaponized malware, insider threats and nation-state hacking, of course.
But it also contains some key provisions that could be very useful to healthcare organizations as they try to get their arms around myriad other risks and vulnerabilities, said Herrin – particularly with regard to access control.
It can help inform approaches to people, process and technology (in that order) for mitigation of risks across the healthcare enterprise, he said.
"I've been trying to evangelize it," said Herrin of the idea that the cyber risk management framework can be expanded "to set expectations about how we're going to use it to manage enterprise security – not just data security, but all kinds of security."
It's especially pressing these days, as the industry pursues interoperability in earnest, he said, which many seem to think should be defined as ubiquitous access to data, all the time.
"We make our systems porous on purpose so as many people as possible can access the data for patient care," said Herrin. "When we do that, we create massive gaps in confidentiality, privacy and security."
So how to patch those gaps? Technology isn't enough. Since the FBI tells us that 80 percent of the threats to data come from people who've already been given access to it on purpose, "building the Great Firewall around your enterprise is not going to work."
That means organizations have to refocus their thinking, concentrating on efforts beyond technology and casting a wider view of their workforce and the access employees are given to data. Sure, there's tech that can help with that. "But we have to look at the controls inside the risk management framework in ways other than technology," said Herrin.
The first two steps of the risk management process Herrin is walking through (the step sequence laid out in NIST's Risk Management Framework, SP 800-37) are 1) to categorize the information system according to the impact a loss of its confidentiality, integrity or availability would have, and 2) to select an initial baseline of security controls, the management, operational and technical safeguards that protect against that risk, tailoring and supplementing as needed.
The third step is to implement those controls. But Herrin points out that the language used tends to focus on words such as "purchase," "install," "configure" and "test."
That's where too many healthcare organizations stop thinking about the people and processes involved in risk management and begin to think of it only in terms of technology.
"You've already given the game up if that's the talk you talk because you just assume that the control is something you buy," he explained.
"Here's the example I always use: Access control," said Herrin. "Most people believe that access control relates to passwords – how you get into the dataset."
But "access control" also can mean other things.
"It can mean how you physically gain access to the data room, or how to get access to the level of the data you're supposed to get based on your job description," he said. "It can mean an assessment of you as a threat vector rather than a vulnerability. It can mean lots of things: 'Why would I let you have access to this, under these circumstances.'"
For example, the guidelines for the control set for access control say organizations should revalidate employees' credentials whenever their access level is increased inside the data structure.
"If you're going to have access to more stuff, we need to re-vet you to make sure that it is consistent with your job description and that you don't pose an insider threat," said Herrin.
During a presentation on this topic at HIMSS18, he asked the audience whose organization does that, and "no one's hand went up," he said. "Nobody does that. They just respond to the email from the IT department that says, 'Give so and so access.'"
If employees had to "sign a piece of paper and sit down in front of an IT manager" to get expanded access to a hospital's data, that could lead to a substantial decrease in insider threat risk.
"It costs you nothing but time," said Herrin. "And it eliminates tons of vulnerabilities. There's no FBI agent on the cyber squad, anywhere in the country, that would disagree with that statement. I've asked them myself."
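The re-vetting control described above is easy to state and, as Herrin's HIMSS18 show of hands suggests, rarely enforced. The following is an added example, not code from the article or from Herrin, of what enforcing it looks like in an access-provisioning system: a grant is approved automatically only when the entitlement already falls within the requester's job-description baseline; anything beyond that baseline is refused unless a recorded re-vetting approval exists for that exact user and entitlement, signed by someone other than the requester. It also includes the periodic review that this gate makes possible, listing accounts holding more than their role allows. The role names, entitlements, users and approvals are constructed sample data, and the role-to-entitlement table is a hypothetical stand-in for a real job-description mapping.

```python
"""Added example: an access-change gate that enforces re-vetting before
any entitlement beyond the requester's job role is granted, plus an
entitlement-drift review. All roles, users and approvals below are
constructed sample data, not a real hospital's policy."""
from dataclasses import dataclass, field


# Hypothetical job-description baselines: the entitlements each role
# is allowed to hold without any further review.
ROLE_ENTITLEMENTS = {
    "er_nurse": {"ehr:read", "ehr:write_vitals"},
    "billing_clerk": {"billing:read", "billing:write"},
    "pharmacist": {"ehr:read", "pharmacy:dispense"},
}


@dataclass
class Account:
    user: str
    role: str
    entitlements: set = field(default_factory=set)


@dataclass
class Approval:
    """Record of an in-person re-vetting for one user and one entitlement.
    The approver is the IT or security manager who sat down with the
    requester; an email saying 'give so-and-so access' is not an approval."""
    user: str
    entitlement: str
    approver: str
    justification: str


class AccessDenied(Exception):
    pass


def grant(account, entitlement, approvals, log):
    """Attempt to add `entitlement` to `account`.

    Returns True if the grant was made, False if it was already held.
    Raises AccessDenied if the entitlement exceeds the role baseline and
    no valid re-vetting approval exists. Every decision is appended to
    `log` so the access path can be audited later."""
    if account.role not in ROLE_ENTITLEMENTS:
        raise AccessDenied(f"{account.user}: unknown role {account.role!r}")
    baseline = ROLE_ENTITLEMENTS[account.role]

    if entitlement in account.entitlements:
        return False

    if entitlement in baseline:
        # Within the job description: no re-vetting needed.
        account.entitlements.add(entitlement)
        log.append(("grant", account.user, entitlement, "within role baseline"))
        return True

    # Beyond the job description: require a recorded re-vetting approval for
    # this user and this exact entitlement, signed by someone other than the
    # requester (separation of duties).
    matched = [
        a for a in approvals
        if a.user == account.user
        and a.entitlement == entitlement
        and a.approver != account.user
    ]
    if not matched:
        log.append(("deny", account.user, entitlement,
                    "exceeds role baseline; no re-vetting approval on file"))
        raise AccessDenied(
            f"{account.user} ({account.role}) may not receive {entitlement} "
            "without a re-vetting approval")

    approval = matched[0]
    account.entitlements.add(entitlement)
    log.append(("grant", account.user, entitlement,
                f"re-vetted by {approval.approver}: {approval.justification}"))
    return True


def excess_entitlements(accounts):
    """Periodic review: map each user to the entitlements they hold beyond
    their role baseline. Empty dict means nobody has drifted past their
    job description."""
    report = {}
    for acct in accounts:
        extra = acct.entitlements - ROLE_ENTITLEMENTS.get(acct.role, set())
        if extra:
            report[acct.user] = extra
    return report


if __name__ == "__main__":
    audit = []
    nurse = Account("j.doe", "er_nurse")
    grant(nurse, "ehr:read", [], audit)                 # fine: in role
    try:
        grant(nurse, "billing:read", [], audit)         # refused: no re-vetting
    except AccessDenied as e:
        print("denied:", e)
    ok = Approval("j.doe", "billing:read", "sec.manager",
                  "covering billing desk during audit week")
    grant(nurse, "billing:read", [ok], audit)           # allowed: re-vetted
    print(excess_entitlements([nurse]))
```

The point of the `log` argument is that every grant beyond the baseline carries the name of the person who re-vetted the requester and why; the `excess_entitlements` review then gives the evidence that a regulator examining whether access is limited and audited would expect to see. Note that an approval for one entitlement does not carry over to another: the next expansion triggers the same sit-down.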
So what about expanding on the access control guidance of the cyber risk framework, and applying it to other circumstances in other parts of the enterprise?
"Who gets access to the premises? How do we do badging? How do we verify identity? What's our policy on looking to see whether people have badges? That's all part of access control. You have to scope people's access based on their job description, and in healthcare that's absolutely mission critical."
But telescoping HIPAA's Minimum Necessary Requirement out to other parts of the enterprise is just one aspect where a more creative reading of the cybersecurity framework could lead to more robust processes and protections, said Herrin.
"There are tons of things you can do easily that someone has already given you guidance for if you just open the box up and look and see what's inside," he said. "But you have to reorient your thinking about the cybersecurity risk management framework. It cannot be about buying toys and tools. It has to be about implementing controls."
For many organizations, however, the fact that it's "not about buying something, it's about doing something" is exactly the reason that creative thinking doesn't take hold more often. Technology is easy; people and process are harder.
To that, Herrin has a simple answer: "HIPAA is out there as the hammer," he said. "You need to pay attention to this stuff. What we know, based on what OCR is doing, is that they're looking at whether you audit people's access to systems where you've not configured limitations on control. They're spending their time right in that wheelhouse.
"If you're interested in not paying a fine with two commas in it, you should at least look in the mirror and say, 'What can I do to limit access to this data set,'" he said. "You have to stop looking at technology as the sole solution to system security problems. It's going to require cultural change."