Physical Security In A Privacy World
David Nelson - CHCR, CISSP, CIPP/G
Privacy Officer
County of San Diego
[email protected]
619-515-4243

San Diego County
- Health and Human Services Agency
- 5000 employees, 16000 in County
- 4th largest county
- $1.2 B budget
- $400 MM in contracts
- Over 200 contractors
- Psychiatric hospital, 109 beds
- Skilled nursing facility, 192 beds
- Dozens of clinics
- 50 to 60 research contracts
- Six health plans
Disclaimer
- Cannot advise on legal matters
- Not an attorney
- County of San Diego is not advising you
- Only my opinion as a Privacy Officer
  - How to get things done
- Can tell you industry standards
  - What's happening
- Can advise you on the difference between wines from Bordeaux and Burgundy

Content
- Identify areas where physical security gaps can occur
  - Laws & regs: why identifying the gap is important
- Provide a policy checklist for physical security
  - Suggestions for assigning responsibilities
- Non-technical physical security audit tool
  - Well, mostly non-technical
The Shape of the World
85% of all breaches are caused by employee actions
- Desks
- Paper
- Portable devices
- Doors
- Shoulder surfing
- Social engineering
What, Me Worry?
- HIPAA Rules = SAFEGUARDS
  - Physical: focus later
- 42 CFR Part 2
- FTC Red Flag Rules (6-1-2010)
  - Identity theft precautions
- FERPA (Family Educational Rights and Privacy Act)
- State Civil Codes
- State Health & Welfare Codes
- State Evidence Code
  - Physical and IT chain of trust for evidence
- Penal Code
- Public Guardian
- Lab results
- HIV & HIV test results
- Mental health
- Genetic testing & results
- Persons with disabilities
Penalties
- HIPAA
  - Civil and criminal: $100 to $50K per violation, up to $1.5MM annual
  - AG can file suit (Health Net of Connecticut)
  - CMS HIPAA compliance site visits
  - Breaches affecting 500 or more individuals must be reported to the Secretary
  - http://transparency.cit.nih.gov/breach/index.cfm
- FTC
  - $3.5K per violation; statutory $16K for GLB, 1974 Privacy Act or Red Flag
HOMEWORK (10:20)
- List programs or data sets
- List applicable federal laws/regs
- List state laws/regs
- List penalty range
- Framework for identifying gaps (next)
- Questions?
164.310 Physical Safeguards: paper to electronic, back to paper
- (a)(1) Standard: Facility access controls.
  - (2) Implementation specifications:
    - (i) Contingency operations (Addressable).
    - (ii) Facility security plan (A).
    - (iii) Access control and validation procedures (A).
    - (iv) Maintenance records (A).
- (b) Standard: Workstation use.
- (c) Standard: Workstation security.
- (d)(1) Standard: Device and media controls.
  - (2) Implementation specifications:
    - (i) Disposal (Required).
    - (ii) Media re-use (R).
    - (iii) Accountability (A).
    - (iv) Data backup and storage (A).
Gaps
1. Locks (doors, desks, cabinets...)
2. Desktops (paper, stickies, monitors...)
3. Portable equipment (laptops, USB, CDs...): not just about the data!
4. Employment (background checks, debarment, social networking sites...): not physical security
5. Dumb moves: mailing, fax, stuff in cars, significant others...
6. Access audit (not network; think UCLA/Kaiser): what were/are they looking at?
Others?
Policies and/or Procedures (1)
- Physical access
  - Building: key card
  - Work spaces: doors/cabinets
  - Responsible: Site and Program Manager
- Information handling
  - Desktop
  - Mailing: procedures for sensitive info
  - Printing/faxing: guidelines for sensitive info
  - In transit (site to site or in the field)
  - Storage
  - Responsible: Site and Program Manager
- Portable equipment
  - Issuance/tracking/disposal/reuse
  - Responsible: HIPAA Security Officer or CIO
Policies and/or Procedures (2)
- Contingency
  - Business continuity
  - Disaster recovery
  - Responsible: Program Manager
- Employment
  - Background
  - Social networking????
  - Cell phone cameras
  - Responsible: Central HR
- Access audit
  - Who is looking at what, and should they be looking? The peril of authorized users!
  - Responsible: Program Manager
HOMEWORK (10:40)
- In SMALL groups
- List current policies and/or procedures
- Identify gaps in P&P
- Compare to first homework penalties
  - Exercise in next section
- Share with program/data owner
- Questions

Questions???

Review: We have a policy checklist and identified security gaps
New South Wales, Australia
Journey to the Dark Side
Risk Analysis Outline
1. List data groups & value
2. List risks (threats)
3. List safeguards
   a. Existing
   b. Missing (vulnerability gap)
4. Threat likelihood
5. Threat impact

1. Data Groups
- Hospital client database
  - $1M billing
- Immunization Registry
  - $55K billing
- Medicaid program participants
  - Internal cross reference
2. Risks/Threats (* = bring in help)
- Hacking
  - Cross site scripting
  - Stealth attacks*
  - Social engineering*
- Theft/Loss
  - Portable devices*
  - Site access*
  - Paper*
  - Peeking*

3.1 Existing Safeguards
- Firewall: protects network
- Network access audit trail: logs users
- Training: privacy, code of ethics
3.2 Missing Safeguards
- Portable device policy
- Security awareness training
  - Social engineering/stealth attacks
  - Shoulder surfing
- On-site key master policy
- Authorized users access audit
- Document handling policies (retention)
  - Internal at desktop
  - External transportation
HINT: Calculate what it costs to do the policy piece
4. Threat Likelihood (0 = least likely, 4 = most likely)
Columns: H = Hospital client database, IR = Immunization Registry, M = Medicaid program participants

Threat                      H   IR   M
Hacking
  Cross site scripting      1    1   0
  Social engineering        3    2   1
  Stealth attacks           2    0   0
Theft/Loss
  Portable devices          4    4   4
  Paper (key master)        4    4   4
  Peeking                   3    2   1

0 - 4 is arbitrary; could be 1 - 3 or 0 - 10
5. Threat Impacts
- Hospital client database ($150K + $10K)
  - $1MM billing (black eye: 10-15% business loss)
  - State penalty $10K
- Immunization Registry ($10K)
  - $55K billing
  - State penalty $10K
- Medicaid program participants ($85K + $10K)
  - Internal cross reference
  - $85K in forced administrative mitigation
  - State penalty $10K
The Money: Data Groups; Threats; Safeguards; Likelihood; Impact

Threat likelihood scores (0-4). Hack = XSS / SE / SA; Theft/Loss = Device / Paper / Peeking.
Hosp = Hospital client database, IZ = Immunization Registry, Cross = Medicaid internal cross reference.

Data    XSS  SE  SA  Device  Paper  Peeking  #/24  % Likelihood  $$ Impact  Loss Expectancy
Hosp     1    2   3     4      4       3      17      70.8%       160,000       113,333
IZ       1    2   0     4      4       1      12      50.0%        10,000         5,000
Cross    0    1   0     4      1       0       6      25.0%        95,000        23,750
Total                                                                          $142,083

% Likelihood = #/24 (six threats, maximum score 4 each). $$ Impact = one-time costs from the Threat Impacts slide. Loss Expectancy = $$ Impact x % Likelihood. The per-threat scores for IZ and Cross in this table differ from the Threat Likelihood slide; the percentages and dollar figures follow this table.

QUESTIONS?
How to Sell the Solution: 142,083 vs. 57,083
- Loss expectancy: 142,083
- Cost of policy mitigation: 85,000
- Residual risk: 57,083
- Two arguments:
  - Making the case for DOING it
  - Making the case to FUND it
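The arithmetic behind The Money and How to Sell the Solution slides, written out as an added Python example (this is not code from the deck or from the County of San Diego). It scores each data group against the six threats on a 0-4 scale, turns the summed score into a percent likelihood (score / 24), multiplies by the one-time dollar impact to get a loss expectancy, and subtracts the cost of the policy mitigation to get residual risk. The impacts and scores are the deck's figures, with the per-threat scores taken from The Money table (they sum to that table's #/24 column). The DataGroup class, the function names and the what-if call that lowers one threat score after a safeguard are this example's own assumptions.

```python
"""Risk-scoring model from the deck: per data group, six 0-4 threat likelihood
scores are summed, divided by the maximum possible (6 threats x 4 = 24) to get a
percent likelihood, and multiplied by the one-time dollar impact to get a loss
expectancy. Residual risk is total loss expectancy minus the mitigation cost."""
from dataclasses import dataclass, replace as dc_replace

# Threat columns, in the order used on "The Money" slide.
THREATS = (
    "Cross Site Scripting",
    "Social Engineering",
    "Stealth Attacks",
    "Portable Devices",
    "Paper",
    "Peeking",
)
MAX_SCORE = 4  # 0 = least likely, 4 = most likely (the scale is arbitrary)


@dataclass(frozen=True)
class DataGroup:            # hypothetical container, not from the deck
    name: str
    impact_usd: int         # one-time dollar impact if breached
    scores: tuple           # one 0..MAX_SCORE likelihood score per THREATS entry


def likelihood(scores, max_score=MAX_SCORE):
    """Fraction of the maximum possible score: sum(scores) / (max_score * number of threats)."""
    if len(scores) != len(THREATS):
        raise ValueError(f"expected {len(THREATS)} scores, got {len(scores)}")
    if any(not 0 <= s <= max_score for s in scores):
        raise ValueError(f"scores must be in 0..{max_score}")
    return sum(scores) / (max_score * len(scores))


def loss_expectancy(group):
    """Expected one-time loss in dollars for one data group: impact x likelihood."""
    return group.impact_usd * likelihood(group.scores)


def total_loss_expectancy(groups):
    """Sum of loss expectancies over the portfolio (the deck's 'Loss Expectancy' total)."""
    return sum(loss_expectancy(g) for g in groups)


def residual_risk(groups, mitigation_cost):
    """What remains after spending mitigation_cost: the deck's 'Residual Risk' line."""
    return total_loss_expectancy(groups) - mitigation_cost


def with_score(group, threat, new_score):
    """Copy of group with one threat's score changed, to model the effect of a new safeguard."""
    idx = THREATS.index(threat)
    scores = list(group.scores)
    scores[idx] = new_score
    return dc_replace(group, scores=tuple(scores))


# Figures from the deck's "The Money" slide (impacts are one-time costs).
PORTFOLIO = (
    DataGroup("Hospital Client Database", 160_000, (1, 2, 3, 4, 4, 3)),
    DataGroup("Immunization Registry", 10_000, (1, 2, 0, 4, 4, 1)),
    DataGroup("Medicaid Cross Reference", 95_000, (0, 1, 0, 4, 1, 0)),
)
POLICY_MITIGATION_COST = 85_000  # "Cost of Policy Mitigation" on the How to Sell slide


def report(groups=PORTFOLIO, mitigation_cost=POLICY_MITIGATION_COST):
    """Print the table and return (total loss expectancy, residual risk)."""
    print(f"{'Data group':<28}{'#/24':>6}{'Likelihood':>12}{'Impact':>10}{'Loss Exp.':>12}")
    for g in groups:
        print(f"{g.name:<28}{sum(g.scores):>6}{likelihood(g.scores):>11.1%}"
              f"{g.impact_usd:>10,}{loss_expectancy(g):>12,.0f}")
    total = total_loss_expectancy(groups)
    residual = residual_risk(groups, mitigation_cost)
    print(f"{'Total loss expectancy':<28}{'':>28}{total:>12,.0f}")
    print(f"{'Policy mitigation cost':<28}{'':>28}{mitigation_cost:>12,}")
    print(f"{'Residual risk':<28}{'':>28}{residual:>12,.0f}")
    return total, residual


if __name__ == "__main__":
    report()
    # Hypothetical what-if (not on the deck): a portable device policy drops the
    # hospital's "Portable Devices" score from 4 to 1.
    mitigated = with_score(PORTFOLIO[0], "Portable Devices", 1)
    print(f"\nHospital loss expectancy after device policy: {loss_expectancy(mitigated):,.0f}")
```

Run as a script it reproduces the slide's rows (113,333 / 5,000 / 23,750, total 142,083, residual 57,083); the what-if at the end shows how the same model prices a single missing safeguard, which is the "calculate what it costs to do the policy piece" hint from the Missing Safeguards slide.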
Contents Review
- Identify areas where physical security gaps can occur
- Provide a policy checklist for physical security
- Non-technical physical security audit tool

Change: Overturn Old Conditions