Workstream Name: Risk Management Process
Initiative Number: 1.1
Workstream Lead:Mark Olson, CISO
Sponsor:John Halamka, MD, CIO
Problem Statement: Part 164.308 (a)(1) of Title 45 of the Code of Federal Regulations (CFR) requires each HIPAA Covered Entity to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
Part 17.00 of Chapter 201 of the Code of Massachusetts Regulations (CMR) requires all Service Providers that receive, store, maintain, process, or otherwise permit access to Personal Information related to a Massachusetts resident to identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing Personal Information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks.
An information systems security program review by D&T conducted in December 2012 recommended improving the formality with which BIDMC conducts risk assessments.
Objectives: Develop and implement a standard risk management framework and methodology (including
risk appetite / thresholds, acceptance criteria, treatment process). Conduct periodic risk assessments and remediate the gaps / risks. Implement security incident handling procedures to manage all security incidents from reporting, logging, investigation to remediation.
Relationship to D&T Assessment: This was one of the fourteen workstreams identified by D&T. The initiatives they recommendedinclude:
S1.1 Define a standard risk assessment framework and methodology and conduct periodic risk assessments. The risk assessment framework / methodology should:
a) Incorporate applicable legal, regulatory, industry and organization security requirements
b) Define risk thresholds
c) Define likelihood, impact and risk ratings
d) Define process for conducting risk assessment
FY13 / FY14 / FY15 / FY16Q3 / Q4 / Q1 / Q2 / Q3 / Q4 / Q1 / Q2 / Q3 / Q4 / Q1 / Q2 / Q3 / Q4
S1.2 Establish a formal process to manage (i.e., identify, review, approve) exceptions to established policies and procedures for relevance and validity.
T1.4 Implement an Enterprise Governance Risk and Compliance solution (eGRC) to adequately manage risks, demonstrate compliance, and automate risk management activities.
FY13 / FY14 / FY15 / FY16Q3 / Q4 / Q1 / Q2 / Q3 / Q4 / Q1 / Q2 / Q3 / Q4 / Q1 / Q2 / Q3 / Q4
T1.5 Establish additional security metrics to ensure a comprehensive mechanism for quantifying information on the effectiveness and performance of information security activities across all critical security domains.
FY13 / FY14 / FY15 / FY16Q3 / Q4 / Q1 / Q2 / Q3 / Q4 / Q1 / Q2 / Q3 / Q4 / Q1 / Q2 / Q3 / Q4
S1.6 Develop a process to ensure that security incident handling activities are performed in a consistent manner or all security incidents. In addition, develop a mechanism to ensure that security incidents are logged and routed to the appropriate team for tracking, investigation and remediation.
FY13 / FY14 / FY15 / FY16Q3 / Q4 / Q1 / Q2 / Q3 / Q4 / Q1 / Q2 / Q3 / Q4 / Q1 / Q2 / Q3 / Q4
Resource Requirements:
Type Expense / FY13 / FY14 / FY15 / FY16 / FY17Recurring Operating
Purc. Svcs, – Annual Pen Testing / $0 / $45,000 / $45,000 / $45,000 / $45,000
Purc. Svcs, – Biannual full/Annual update / $0 / $250,000 / $250000 / $250,000 / $250,000
Purc. Svcs. – far-end WAN site reviews / $0 / $40,000 / $40,000 / $40,000 / $40,000
Software maint. – GRC Software / $0 / $0 / $50,000 / $50,000 / $50,000
Travel and Training / $0 / $50,000
Supplies and Material
Total Recurring / 0 / $385,000 / $385,000 / $385,000 / $385,000
Capital – Specialized tools and GRC s/w / $0 / $200,000 / $0 / $0 / $0
Note: D&T estimate was $600-$800k and 3 FTE for 15 months for initial work. Ongoing cost estimate was $400-$600k and 1 FTE over 5 years.
A new position, Risk Assessment Coordinator, will be created within the Information Systems Security division. The Coordinator will report to the Chief Information Security Officer (CISO). The person will be responsible for managing a biannual full risk assessment based on the NIST 800 security framework and an update on the off-years.
A multi-disciplinary Committee, to be chaired by the Chief Information Security Officer and staffed by the Risk Unit Coordinator, will be established to provide advice and assistance for the effort.
Work products will be reviewed by the Information Systems and Privacy Committee and the IS Security Governance Committee that is to be formed. The latter will consist of the COO, CFO, CIO, SVP for Compliance, and CISO.
Assumptions and Constraints: Indications are that CMS will require HIPAA Covered Entities to complete risk assessments based on the NIST 800 Framework. Therefore, BIDMC will adopt the NIST 800 framework as its model.
Assessing risk is a dynamic process as laws, technologies, organizations, processes, threats and other variables are constantly changing. Therefore, our Risk Management Strategy should not be a one-time event, but a continuous process.
Annual penetration testing will not include every application, but a sample environment that, in the opinion of the CISO, presents highest risk.
Accomplishments will be dependent on our ability to recruit and retain planned resources.
Major Milestones and Timeline: Achieving the above objectives will require the following –
Description / 12 months / 24 months / 36 months / 48 + monthsEstablish organizational roles and responsibilities, governance process, and policies supportive of the program /
Competitively identify a firm for conducting the assessments /
Select security controls [1] /
Conduct assessment to determine compliance with selected controls [2] /
Identify functionality required to remediate non-compliant items [3] /
Identify remediation activities necessary to bring systems (s) into compliance with security controls /
Establish a process for monitoring progress toward achieving full compliance with security controls /
Implement a Governance, Risk Management, and Compliance (GRC) software application.[4] /
Establish a set of security metrics for quantifying and measuring the effectiveness of the IS security program across all critical domains / / /
Develop improved Security-related incident handling policies and procedures /
Out of Scope: These recommendations identified by D&T will be addressed in other Workstreams.
S1.3 ADM14 (Signature Authorization) policy which requires all requests for computer hardware and/or software to be reviewed and approved by the CIO or designee should be included as part of the annual trainings to all employees to ensure the requirement is understood and consistently adhered to across the organization.
S1.7 Continue with current laptop encryption initiative and conduct user awareness trainings to mitigate the risks posed by unauthorized access to laptops.
Expenses to remediate newly discovered risks not identified in the January 2013 D&T Risk Assessment report are not included in this budget.
Risk assessments will be applicable to BIDMC proper for centrally managed systems only. If, during the course of an assessment, risks are identified for other areas, they will be brought to their attention, but will not become the responsibility of the CISO.
The budget only covers the cost of risk assessment activities and not remediation of risks discovered.
Measures of Success:
- Resolve the two NIST 800-66 HIPAA control and one industry gaps identified above within three years.
- Establish a maturity Level 3, “Defined” by 2014 and level 4, “Managed” by year 2015.
- Achieve acceptable ratings through the risk assessment process for 60 percent of these NIST 800-53 Security and Privacy Controls by 2014, 80 percent by 2015 and 90 percent or better by 2016.
IR-1 Incident Response Policy and Procedures *
IR-2 Incident Response Training *
IR-3 Incident Response Testing *
IR-4 Incident Handling *
IR-5 Incident Monitoring *
IR-6 Incident Reporting *
IR-7 Incident Response Assistance *
IR-9 Incident Response Plan
PM-6 Information Security Measures of Performance
PM-9 Risk Management Strategy
RA-1 Risk Assessment Policy and Procedures *
RA-2 Security Categorization *
RA-3 Risk Assessment *
RA-5 Vulnerability Scanning *
* These items are cross-walked to HIPAA in NIST 800-66
Page 1 of 5 Version 4.2 5-23-2013
[1]Security controls require each information system to be rated according to the impact it would have on confidentiality, integrity, and availability should a breach in security occur. Risk levels are low, moderate, and high. Security controls (SP 800-53) are selected based on risk levels.
[2]Note: Existing information systems should be reviewed on a biannual basis or whenever a significant change occurs. New systems should be reviewed prior to go-live.
[3]Technology teams would be responsible for selecting and implementing the solution. Cost for remediation solutions is not included in the above budget. They are included in the overall budget if D&T identified the risk in their assessment.
[4]GRC applications provide a means for managing IS Security policies and exceptions, visualizing and communicating risks, managing, monitoring and tracking threats, and investigating and resolving cyber incidents.