Health systems tout Security CIS Controls in fight against cybercriminals
In the hectic, sometimes crazed world of healthcare cybersecurity, a little guidance can be a welcome thing for CIOs and CISOs. That’s why the Center for Internet Security pieced together its CIS Controls, a framework of 20 controls with the aim of leading healthcare organizations to better, more locked down systems and data security. And some healthcare organizations are using these controls to great effect.
“The CIS Controls framework is very approachable; it’s organized in a prioritized manner, and even the top-level controls are presented in such a way that as technologists we can communicate them intelligently in a conversation to internal stakeholders who are concerned about risk,” said Roger Lutz, interim chief information officer at Butler Health System. “And we can discuss things at that level, obfuscating the deeper sub-controls, of which there are many, getting interested stakeholders to understand how we are addressing cybersecurity risk.”
Healthcare organizations need to select a cybersecurity framework to work from, otherwise, they will simply be reactionary to the latest threats and whatever is in the news, Lutz said.
“While your own judgement may be excellent, you may be missing something,” he said. “To have that framework and work toward a common set of technology controls of which a great number of very intelligent people have come to unified agreement, it helps us to make a lot of real progress over time and record that progress that shows advancement in information security and keeps us on track.”
At 20, the number of controls is small enough to manage easily, and further, it’s easy for both technology staff and management executives to understand all of the controls, said an auditor at a large health system in Tennessee, who wished to remain anonymous due to the sensitive nature of security issues.
“There are other frameworks, such as the NIST framework and the ISO 27002,” he said, “but the Center for Internet Security CIS Controls are just a lot easier to understand.”
Lutz points to control No. 5 as an example: “Controlled Use of Administrative Privileges.”
“We identified the need some time ago to control our administrative credentials among the various staff on the information systems team,” he said. “We implemented a system that does centralized privileges access control. It creates a vault, our users log into the vault to pull the privileged access credentials for other systems so we can automate long, complex passwords for all of our administrators and so forth. This control was one we nailed down pretty well.”
Lutz said it is interesting and helpful the way the Center for Internet Security has constructed the controls, where one measures four different categories for each sub-control of a control. Control No. 5 has nine sub-controls, from using multi-factor authentication to logging accesses to using a dedicated machine for administrative tasks. Each of those sub-controls are then measured by policy defined, control implemented, control automated, and control reported to the business.
“This is an area that really allows you to demonstrate maturity in your information security programs,” Lutz said. “Not only are you buying a product or implementing a technology change that provides information security to an organization, you are defining how you are going to do it through policy so you have consistency and so from a governance standpoint you paid attention to the other things and implemented it properly.”
And “control reported to the business” is an important and valuable measurement, Lutz added.
“This is about having a way to demonstrate things up the chain of command, to show them what you are doing in a way that doesn’t boggle them with technology but instead shows them a measurement they can understand, which over time is important,” he said.
The large health system in Tennessee has seen many positive results after working with the CIS Controls.
“From our audit perspective, by determining which controls are more critical, based on the audits we can give real-time feedback, here are our findings, here is what needs to be improved, here is what we are doing well,” the auditor said. “That gets management attention; the auditor report goes to the board of directors. There is awareness brought to the cybersecurity program both to the technical folks and management. This is a slow process, we are not able to do 20 in a year, we are trying to get through all 20 every three years.”
The results of using the CIS Controls at Butler Health System include bringing focus to the IT and security teams, bringing measurement to processes and therefore the ability to reflect progress to interested stakeholders within the organization, and bringing prioritization to security projects – all of which has led to information security maturity, Lutz said.
“If you think of any good process, there’s focus, measurement, accountability and prioritization in the face of limited resources,” he said. “With unlimited resources you can do everything all at once and it’s less of a constraint. But with constrained resources, being able to focus over the months and years and demonstrate progress in a prioritized manner is excellent. And it’s great working with controls predesigned by an organization that has excellent technical engineering resources at their disposal.”