
Page 1: Physical Security In A Privacy World

Physical Security In A Privacy World

David Nelson - CHCR, CISSP, CIPP/G
Privacy Officer
County of San Diego
[email protected]
619-515-4243

San Diego County
- Health and Human Services Agency
- 5000 Employees, 16000 in County
- 4th Largest Co
- $1.2 B budget
- $400 MM in Contracts
- Over 200 Contractors
- Psychiatric Hospital 109 beds
- Skilled Nursing Facility 192 beds
- Dozens of Clinics
- 50 to 60 Research Contracts
- Six Health Plans

Page 2

Disclaimer
- Cannot advise on legal matters
- Not an attorney
- County of San Diego is not advising you
- Only my opinion as a Privacy Officer
- How to get things done
- Can tell you industry standards
- What's Happening
- Can advise you on the difference between wines from Bordeaux and Burgundy

Content
- Identify areas where physical security gaps can occur
- Laws & Regs: why identifying the gap is important
- Provide a policy check list for physical security
- Suggestions for assigning responsibilities
- Non-technical physical security audit tool
- Well, mostly non-technical

Page 3

The Shape of the World

85% of all breaches are caused by employee actions

Desks

Paper

Page 4

Portable Devices

Doors

Page 5

Shoulder Surfing

Social Engineering

What Me Worry?

- HIPAA Rules = SAFEGUARDS
- Physical: focus later
- 42 CFR Part 2
- FTC Red Flag Rules (6-1-2010)
- Identity Theft Precautions
- FERPA (Federal Educational Rights and Privacy Act)

Page 6

- State Civil Codes
- State Health & Welfare Codes
- State Evidence Code
- Physical and IT Chain of Trust for Evidence
- Penal Code
- Public Guardian
- Lab Results
- HIV & HIV Test Results
- Mental Health
- Genetic Testing & Results
- Persons With Disabilities

Penalties
- HIPAA
  - Civil and Criminal: $100 to $50K per violation, up to $1.5MM annual
  - AG can file suit (Health Net of Connecticut)
  - CMS HIPAA Compliance Site Visits
  - Must report over 500 to Secretary
  - http://transparency.cit.nih.gov/breach/index.cfm
- FTC
  - $3.5K per violation; statutory $16K for GLB, 1974 Privacy or Red Flag

Page 7

HOMEWORK (10:20)
- List Programs or Data Sets
- List Applicable Fed Laws/Regs
- List State Laws/Regs
- List Penalty Range
- Framework for Identifying Gaps (next)
- QUESTIONS?

164.310 Physical Safeguards (Paper to Electronic, back to Paper)
- (a)(1) Standard: Facility access controls.
  - (2) Implementation specifications:
    - (i) Contingency operations (Addressable).
    - (ii) Facility security plan (A).
    - (iii) Access control and validation procedures (A).
    - (iv) Maintenance records (A).
- (b) Standard: Workstation use.
- (c) Standard: Workstation security.
- (d)(1) Standard: Device and media controls.
  - (2) Implementation specifications:
    - (i) Disposal (Required).
    - (ii) Media re-use (R).
    - (iii) Accountability (A).
    - (iv) Data backup and storage (A).

BS

Page 8

Gaps
1. Locks (doors, desks, cabinets...)
2. Desktops (paper, stickies, monitors...)
3. Portable Equipment (laptops, USB, CDs...): not just about the data!
4. Employment (background checks, debarment, Social Networking Sites...): not Physical Security
5. Dumb Moves: mailing, fax, stuff in cars, significant others...
6. Access Audit (not network; think UCLA/Kaiser): what were/are they looking at???

OTHERS?

Policies and/or Procedures (1)
- Physical Access
  - Building: Key Card
  - Work Spaces: Door/Cabinets
  - Responsible: Site and Program Manager
- Information Handling: Desk Top
  - Mailing: procedures for sensitive info
  - Printing/Faxing: guidelines for sensitive info
  - In Transit (Site to Site or In the Field)
  - Storage
  - Responsible: Site and Program Manager
- Portable Equipment
  - Issuance/Tracking/Disposal/Reuse
  - Responsible: HIPAA Security Officer or CIO

Page 9

Policies and/or Procedures (2)
- Contingency
  - Business Continuity
  - Disaster Recovery
  - Responsible: Program Manager
- Employment
  - Background
  - Social Networking????
  - Cell Phone Cameras
  - Responsible: Central HR
- Access Audit
  - Who is looking at what, and should they be looking? The peril of authorized users!!!!
  - Responsible: Program Manager

HOMEWORK (10:40)
- In SMALL group
- List Current Policies and/or Procedures
- Identify Gaps in P&P
- Compare to First Homework Penalties
- Exercise in next section
- Share with Program/Data Owner
- Questions

Page 10

Questions???

Review: We have a Policy Check List and Identified Security Gaps

New South Wales, Australia

Journey to the Dark Side

Page 11

Risk Analysis Outline
1. List Data Groups & Value
2. List Risks (Threats)
3. List Safeguards
   1. Existing
   2. Missing (Vulnerability Gap)
4. Threat Likelihood
5. Threat Impact

1. Data Groups
- Hospital Client Data Base
  - $1M billing
- Immunization Registry
  - $55K billing
- Medicaid Program Participants
  - Internal Cross Reference

Page 12

2. Risks/Threats* (Bring in help)
- Hacking
  - Cross Site Scripting
  - Stealth Attacks*
  - Social Engineering*
- Theft/Loss
  - Portable Devices*
  - Site Access*
  - Paper*
  - Peeking*

3.1 Existing Safeguards
- Firewall: protects network
- Network Access Audit Trail: logs users
- Training
  - Privacy
  - Code of Ethics

Page 13

3.2 Missing Safeguards
- Portable Device Policy
- Security Awareness Training
  - Social Engineering/Stealth Attacks
  - Shoulder Surfing
- On-site Key Master Policy
- Authorized Users Access Audit
- Document Handling Policies (retention)
  - Internal at desktop
  - External Transportation

HINT: Calculate what it costs to do the policy piece

4. Threat Likelihood (0 = Least Likely, 4 = Most Likely)

Threat                   H   IR   M
Hacking
  Cross Site Scripting   1    1   0
  Social Engineering     3    2   1
  Stealth Attacks        2    0   0
Theft/Loss
  Portable Devices       4    4   4
  Paper (Key Master)     4    4   4
  Peeking                3    2   1

The 0-4 scale is arbitrary; it could be 1-3 or 0-10.

Page 14

5. Threat Impacts
- Hospital Client data base (150K+10K)
  - $1MM billing (black eye: 10-15% business loss)
  - State Penalty $10K
- Immunization Registry (10K)
  - $55K billing
  - State Penalty $10K
- Medicaid Program Participants (85K+10K)
  - Internal Cross Reference
  - $85K in Forced Administrative Mitigation
  - State Penalty $10K

The Money: Data Groups; Threats; Safeguards; Likelihood; Impact

Likelihood scores per threat (0-4) are summed out of 24; $$ Impact is the one-time cost; Loss Expectancy = $$ Impact x % Likelihood.

                 Hack               Theft/Loss
Data    XSS   SE   SA    Device  Paper  Peeking   #/24   % Likelihood   $$ Impact   Loss Expectancy
Hosp     1     2    3       4      4       3       17       70.8%        160,000         113,333
IZ       1     2    0       4      4       1       12       50.0%         10,000           5,000
Cross    0     1    0       4      1       0        6       25.0%         95,000          23,750
Total                                                                                  $142,083

QUESTIONS?

Page 15

How to Sell the Solution: 142,803 vs. 57,803
- Loss Expectancy 142,803
- Cost of Policy Mitigation 85,000
- Residual Risk 57,803
- Two Arguments:
  - Making the case for DOING it
  - Making the case to FUND it
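The five-step outline (data groups, threats, safeguards, likelihood, impact) and the "How to Sell" arithmetic carried through in code, as an added worked example; it is mine, not a tool from the deck or from the County. The scores and dollar figures are transcribed from the deck's money table (which totals $142,083, while the selling slide quotes 142,803; the residual-risk step below takes the selling slide's figures as given), and the threat abbreviations are the table's column labels. Beyond the slides, it validates that every score is on the 0-4 scale and ranks the data groups by loss expectancy so the policy money goes to the biggest exposure first.

```python
"""Risk-analysis worked example (added; not from the original slides).

Steps: data groups and value, threats, likelihood (0-4 per threat, six
threats, so a maximum total of 24), impact in dollars, and then
    Loss Expectancy = Impact x (likelihood total / 24).
Residual Risk = total Loss Expectancy - cost of policy mitigation.
"""

# Six threats from the deck's risk table: three "Hack", three "Theft/Loss".
THREATS = ("XSS", "SE", "SA", "Device", "Paper", "Peeking")
MAX_SCORE = 4                          # 0 = least likely, 4 = most likely (arbitrary scale)
MAX_TOTAL = MAX_SCORE * len(THREATS)   # 24, the table's "#/24" column

# Likelihood scores (in THREATS order) and one-time $$ impact per data group,
# transcribed from the deck's "The Money" table.
DATA_GROUPS = {
    "Hosp":  {"scores": (1, 2, 3, 4, 4, 3), "impact": 160_000},
    "IZ":    {"scores": (1, 2, 0, 4, 4, 1), "impact": 10_000},
    "Cross": {"scores": (0, 1, 0, 4, 1, 0), "impact": 95_000},
}


def likelihood(scores):
    """Fraction of the maximum score; rejects scores outside the 0..MAX_SCORE scale."""
    if len(scores) != len(THREATS):
        raise ValueError(f"expected {len(THREATS)} scores, got {len(scores)}")
    for name, s in zip(THREATS, scores):
        if not 0 <= s <= MAX_SCORE:
            raise ValueError(f"{name}: score {s} is outside 0..{MAX_SCORE}")
    return sum(scores) / MAX_TOTAL


def loss_expectancy(scores, impact):
    """Dollar loss expectancy for one data group."""
    return impact * likelihood(scores)


def analyze(groups=DATA_GROUPS):
    """Return (rows sorted by loss expectancy, highest first; total loss expectancy)."""
    rows = []
    for name, g in groups.items():
        rows.append({
            "data": name,
            "scores": tuple(g["scores"]),
            "score": sum(g["scores"]),
            "likelihood": likelihood(g["scores"]),
            "impact": g["impact"],
            "loss_expectancy": loss_expectancy(g["scores"], g["impact"]),
        })
    rows.sort(key=lambda r: r["loss_expectancy"], reverse=True)
    return rows, sum(r["loss_expectancy"] for r in rows)


def residual_risk(total_loss_expectancy, mitigation_cost):
    """The 'How to Sell' step: exposure left after paying for the policy mitigation."""
    return total_loss_expectancy - mitigation_cost


def format_table(rows, total):
    """Plain-text rendering of the money table, one row per data group plus a total."""
    lines = [f"{'Data':<6}" + "".join(f"{t:>8}" for t in THREATS)
             + f"{'#/24':>6}{'Like%':>8}{'Impact':>10}{'LossExp':>10}"]
    for r in rows:
        lines.append(f"{r['data']:<6}" + "".join(f"{s:>8}" for s in r["scores"])
                     + f"{r['score']:>6}{r['likelihood']:>8.1%}"
                     + f"{r['impact']:>10,}{r['loss_expectancy']:>10,.0f}")
    lines.append(f"{'Total':<6}{'':>{8 * len(THREATS) + 24}}{total:>10,.0f}")
    return "\n".join(lines)


if __name__ == "__main__":
    rows, total = analyze()
    print(format_table(rows, total))
    # Selling-slide figures as the deck states them.
    print(f"Residual risk: {residual_risk(142_803, 85_000):,}")
```

Summing the six scores weights every threat equally; if one threat deserves more weight for a given data group, adjust the score on that row rather than the formula, so the arithmetic stays auditable when the figures go in front of the people funding the policy work.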


Contents Review
- Identify areas where physical security gaps can occur
- Provide a policy check list for physical security
- Non-technical physical security audit tool

Change

Overturn Old Conditions