Risk Assessment: Key to a Successful Information Security Program
Sharon Welna, Information Security Officer
October 23, 2008
Agenda
• Environment
  • Legal entities
  • Network
  • Regulatory
• Information Security organizational structure
• What is a mobile device?
• How are mobile devices used in healthcare?
• Risk Assessment
• Risk Mitigation
Nebraska’s Pride is 500-miles wide
Sharon Welna, Information Security Officer
Education: BA from UNL (Major: Political Science); MBA from UNO
Employers: ConAgra; Central Telephone; Creighton University Medical Hospital
Roles: CIO; Director, Medical Records; Controller; Director, IT
Partners in Healthcare
The Nebraska Medical Center
UNMC
Patient Care
Education
Research
Outreach
Diversity
UNMC Physicians
Partnership Vision
The partnership of UNMC and the Nebraska Health System will be a world-renowned health sciences center that:
• Delivers state-of-the-art health care;
• Prepares the best-educated health professionals and scientists;
• Ranks among the leading research centers;
• Advances our historic commitment to community health;
• Embraces the richness of diversity to build unity.
Environment: Legal Entities
UNMC
• College of Nursing, College of Medicine, College of Pharmacy, College of Dentistry, College of Public Health, Eppley Cancer Institute, Munroe Meyer Institute
• 3,000+ Students; 4,000+ Faculty / Staff; $90+ Million Research
Environment: Legal Entities
The Nebraska Medical Center
• 1997 Partnership; 735 Licensed beds; 900+ Medical Staff; 4,400+ Employees
• UNMC’s Primary Teaching Hospital
Environment: Legal Entities
UNMC Physicians (Physician Practice Group)
• 500 physicians serving in over 50 specialist & sub-specialist areas, from family medicine to transplantation
• 300+ non-physician employees
Environment: Physical
• Omaha MidTown: 100 acres; 43 buildings; 3.9 million square feet
• 30+ clinics
• College of Nursing: Lincoln, Kearney, Scottsbluff, Norfolk (under development)
• College of Dentistry: Lincoln
Buildings, Moves and More…
• Weigel Williamson Center for Visual Rehabilitation: 38th & Jones (April 08)
• Sorrell Center For Health Science Education (August 08)
• Durham Research Center II (Winter 08)
• Patient Financial Services / TNMC Executive Offices: relocation to Mutual of Omaha, 3333 Farnam Street
• Village Point: NMC Cancer Center (late 08 / early 09)
• Bellevue Medical Center: Highway 370 and 25th Street, Bellevue, Nebraska (2010)
Environment: Information Security
• Entities contractually agreed to follow the same policies and procedures
• Information Security Officer: policies, procedures, incident management, legal
• Network Technical Services Team: technical security implementation
Environment: Wireless
• 800+ access points
• 1 million+ square ft
• Cisco unified wireless network infrastructure
Mobile Device Usage
• Electronic Medical Record viewing
• Point of Care devices
• Traditional administrative functions
Summary
• 12,000 members of the workforce
• Want to access data from anywhere, anytime, with any device, securely
Risk Analysis: Approach #1
• Identify risk
• Determine risk mitigation alternatives and cost
• Compare risk mitigation cost to Annual Loss Expectancy
• Implement / do not implement decision
Definitions:
• Annualized Rate of Occurrence (ARO)
• Single Loss Expectancy (SLE)
• Annual Loss Expectancy (ALE)
Risk Formula:
ARO * SLE = ALE
Single Loss Expectancy
Costs include:
• Notification (creating letter, postage, etc.)
• 800 number set-up and staffing
• Staff time…
Gartner estimate as of August 2007: $300/account
Annual Loss Expectancy
Category | Assumption
Annualized Rate of Occurrence (ARO) | 2
Single Loss Expectancy (SLE) | $300/account * 1,000 accounts = $300,000
Annual Loss Expectancy (ALE) | $600,000
NIST 800-30 Guide Purpose
• Provide a foundation for risk management program development
• Provide information on cost-effective security controls
Definitions
Risk - “…a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.”
Risk management - process of identifying, assessing and reducing risk
Threat - “The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.”
Threat-Source - “Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.”
Vulnerability - A hardware, firmware, or software flaw that leaves an AIS open for potential exploitation. A weakness in automated system security procedures, administrative controls, physical layout or internal controls that could be exploited by a threat to gain unauthorized access to information or disrupt critical processing.
Risk Assessment Methodology
Step 1: System Characterization
• Collect system-related information, including which mobile devices are in use and how they are being used
Step 2: Threat Identification
• Identify potential threat-sources that could cause harm to the IT system and its environment
• Can be natural, human or environmental
Step 3: Vulnerability Identification
• Develop a list of system vulnerabilities (flaws or weaknesses) that could be exploited
• Develop a Security Requirements Checklist
Step 4: Control Analysis
• Control methods - may be technical or non-technical
• Control categories - preventative or detective
• Control analysis technique - use of the security requirements checklist
Step 5: Likelihood Determination
• Governing factors: threat-source motivation & capability; nature of the vulnerability; existence & effectiveness of current controls
• Levels - High, Medium or Low
Step 6: Impact Analysis
• Prerequisite information: system mission; system and data criticality; system and data sensitivity
• Adverse impact described in terms of loss or degradation of integrity, confidentiality, availability
• Quantitative vs. qualitative assessment
Step 7: Risk Determination
• Develop Risk-Level Matrix: Risk Level = Threat Likelihood x Threat Impact
• Develop Risk Scale: risk levels with associated descriptions and necessary actions
NIST Likelihood
Likelihood | Definition | Weight
High | Threat is sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective | 1.0
Medium | Threat is sufficiently capable, and controls are in place that MAY impede successful exercise of the vulnerability | 0.5
Low | Threat lacks capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised | 0.1
NIST Impact
Impact | Exercise of the vulnerability | Weight
High | 1. May result in highly costly loss of major tangible assets or resources; 2. May significantly violate, harm or impede the organization's mission, reputation or interest; or 3. May result in human death or serious injury | 100
Medium | 1. May result in costly loss of major tangible assets or resources; 2. May violate, harm or impede the organization's mission, reputation or interest; or 3. May result in human injury | 50
Low | 1. May result in loss of some tangible assets or resources; 2. May noticeably affect an organization's mission, reputation or interest | 10
NIST Risk Level Matrix
Threat Likelihood | Impact Low (10) | Impact Medium (50) | Impact High (100)
High (1.0) | 10 x 1.0 = 10 | 50 x 1.0 = 50 | 100 x 1.0 = 100
Medium (0.5) | 10 x 0.5 = 5 | 50 x 0.5 = 25 | 100 x 0.5 = 50
Low (0.1) | 10 x 0.1 = 1 | 50 x 0.1 = 5 | 100 x 0.1 = 10
NIST Risk Matrix Example
Category: Mobile Devices
Vulnerability: Device is lost
Threat: Confidential data is stored on device
Mitigation Strategies Implemented: Encryption
Likelihood: High
Likelihood Rating: 1.0
Impact: Low
Impact Rating: 10
Risk Rating: 10 (1.0 x 10)
Action Plan (if needed):
NIST Risk Level
High (50-100): Strong need for corrective measures as soon as possible
Medium (10-49): Plan must be developed and implemented within a reasonable period of time
Low (1-9): Determine if corrective action is needed or if the risk can be accepted
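As an added example that is not part of the original presentation, the following Python turns the slide’s Step 7 scales (likelihood weights 1.0 / 0.5 / 0.1, impact weights 100 / 50 / 10, the High 50-100, Medium 10-49, Low 1-9 bands and their actions) and the Approach #1 formula ARO * SLE = ALE into a small risk register that rates entries, orders them by rating and attaches the required action. The register rows, the ALE inputs and the control-cost figure are constructed sample data; the first row reproduces the lost-device example above, and the code shows that its rating of 10 lands at the bottom of the Medium band under the slide’s own scale.

```python
"""Risk register helper using the NIST SP 800-30 scales from the slides.

Added example, not part of the original presentation. Likelihood weights
(1.0 / 0.5 / 0.1), impact weights (100 / 50 / 10), the risk bands
(High 50-100, Medium 10-49, Low 1-9) and the formulas
Risk Level = Likelihood x Impact and ALE = ARO * SLE are taken from the
slides. Register entries and cost figures below are constructed sample
data (the first entry reproduces the slide's worked example).
"""
from __future__ import annotations

from dataclasses import dataclass

LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}

# (lowest rating in band, band name, action the slides attach to the band)
RISK_BANDS = (
    (50, "High", "Strong need for corrective measures as soon as possible"),
    (10, "Medium", "Plan must be developed and implemented within a reasonable period of time"),
    (1, "Low", "Determine if corrective action is needed or the risk can be accepted"),
)


@dataclass
class RegisterEntry:
    """One row of the risk register, mirroring the fields on the example slide."""
    category: str
    vulnerability: str
    threat: str
    controls_implemented: str
    likelihood: str  # High / Medium / Low
    impact: str      # High / Medium / Low


def risk_rating(likelihood: str, impact: str) -> float:
    """Step 7: Risk Level = Threat Likelihood x Threat Impact (1.0 x 10 = 10 on the slide)."""
    return LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]


def risk_band(rating: float) -> tuple[str, str]:
    """Map a numeric rating onto the High/Medium/Low action bands (a rating of 10 is Medium)."""
    for floor, level, action in RISK_BANDS:
        if rating >= floor:
            return level, action
    raise ValueError(f"rating {rating} is below the lowest band")


def assess(entry: RegisterEntry) -> dict:
    """Rate one register entry and attach its band and required action."""
    rating = risk_rating(entry.likelihood, entry.impact)
    level, action = risk_band(rating)
    return {"category": entry.category, "vulnerability": entry.vulnerability,
            "controls": entry.controls_implemented, "rating": rating,
            "level": level, "action": action}


def prioritize(register: list[RegisterEntry]) -> list[dict]:
    """Assess every entry and order the register highest risk first."""
    return sorted((assess(e) for e in register), key=lambda r: r["rating"], reverse=True)


def annual_loss_expectancy(aro: float, sle: float) -> float:
    """Approach #1: ALE = ARO * SLE (2 * $300,000 = $600,000 on the slide)."""
    return aro * sle


def implement_control(ale: float, annual_control_cost: float) -> bool:
    """Approach #1 decision: implement when the control costs less per year than the expected loss."""
    return annual_control_cost < ale


# Constructed sample register (only the first entry comes from the slides).
SAMPLE_REGISTER = [
    RegisterEntry("Mobile Devices", "Device is lost", "Confidential data is stored on device",
                  "Encryption", "High", "Low"),
    RegisterEntry("Mobile Devices", "Device is lost", "Confidential data is stored on device",
                  "None", "High", "High"),
    RegisterEntry("Laptops", "Shared login", "Unauthorized access to EMR", "Password protection",
                  "Medium", "Medium"),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_REGISTER):
        print(f"{row['level']:<6} {row['rating']:>5} {row['category']}: {row['vulnerability']} "
              f"(controls: {row['controls']}) -> {row['action']}")
    # Slide figures: ARO 2, SLE $300/account x 1,000 accounts; the $100,000 control cost is constructed.
    ale = annual_loss_expectancy(aro=2, sle=300 * 1_000)
    print(f"ALE = ${ale:,.0f}; implement $100,000/yr control: {implement_control(ale, 100_000)}")
```

Because the likelihood weights are 1.0, 0.5 and 0.1 and the impact weights 100, 50 and 10, only six distinct ratings are possible (1, 5, 10, 25, 50, 100), so the band boundaries in the slide fall exactly between them; the same entry without encryption moves from a rating of 10 to 100 once the impact of a lost device is judged High, which is the comparison the register is meant to make visible.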
Risk Assessment Methodology
Step 8: Control Recommendations
• Factors to consider: effectiveness of recommended option; legislation and regulation; organizational policy; operational impact; safety and reliability
Step 9: Results Documentation
• Risk Assessment Report, presented to senior management and mission owners
• Describes threats & vulnerabilities, measures risk and provides recommendations on controls to implement
Risk Mitigation Strategies
Specific to the device
Laptops:
• Password protection
• Encryption
Blackberries:
• Vendor recommendation
• Policy/procedure to follow if device is lost
• Device “wiped” from the server