Attempting to Manage Millions of Vectors is Madness
If you peruse IBM's X-Force Exchange and realize the number of Threat Vectors that exist in the wild, you would soon despair of ever producing a rigorous Risk Assessment. However, there is no need to despair, because these millions of vectors can be organized into Threat Categories that effectively rationalize the space. This does not mean that IBM's research is not necessary; quite the opposite: sooner or later you will need enough detail on a particular vector to implement a Control that "plugs it."
However, at the time of producing a Risk Assessment knowing the Threat Category is more than sufficient. For example, one of our Threat Categories is "Social Engineering or Intrusion." When you are performing a Risk Assessment you don't need to know the million and one ways that the "bad guys" can penetrate your network; what you need to know is how much exposure you have. For example, if the bad guys penetrated and deleted your data could you recover it promptly, or at all?
If the bad guys used a Phishing Scheme to penetrate your network, it is important to educate your workforce on this particular scheme, or on Phishing in general (i.e. so that your workforce can recognize the patterns).
Below we list definitions of the Threat Categories that we use for HIPAA, and now for GDPR and other compliance regimes as well. This is not a definitive/exhaustive set. That's the whole point. We have rationalized the space to make it easier for our customers to manage.
Threat Categories Rationalized!

1. Power outage:
Describes the potential for loss of electricity to exploit one or more vulnerabilities (usually more). However, as with almost all the Threat categories described herein, your thinking needs to be broader than the loss of electricity at your main facility. The loss of electricity at the principal locations of key partners will almost certainly have a negative impact on your operational environment.
2. Denial of service:
A denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. The intent is to cripple the targeted computing system.
3. Workforce Exfiltration:
Workforce Exfiltration is similar to data exfiltration but broader; data exfiltration, also called data extrusion, is the unauthorized transfer of data from a computer within an organization to one outside of it. However, data exfiltration is too narrowly defined to cover all potential use cases. Many times data walks out the door with a human being as the transfer agent. Such a transfer may be manual and carried out by someone with physical access to a computer, or it may be automated and carried out through malicious programming over a network. Exfiltration may be acute at a certain time, such as when an employee leaves their current employment - voluntarily or involuntarily. This is especially true if the employee left on bad terms. However, one of the worst exfiltrations in the history of the CIA was carried out by Aldrich Ames, who was an employee in good standing right up to the time he was caught.
4. Fire:
Describes the potential for a Fire at your Facility (or other assets) that may (probably will) exploit one or more vulnerabilities within your operational environment. However, Fire could impact you in many more ways that are not readily apparent on their face. For example, a Fire at your cloud storage provider is likely to have a significant impact on your operational environment. The same holds true for Fires at the facilities of other key partners.
5. Media:
Media is physical storage of data that should be encrypted and securely stored. Impairments to Media (e.g. hard drives) are generally the primary cause of failure in essential computing equipment (e.g. servers).
6. Personnel:
Consider how Personnel may exploit lack of regulatory compliance. Generally, exploitations by Personnel come in two forms: (1) intentional; and (2) negligent. It is nearly impossible to prevent intentional bad conduct by trusted Personnel. However, the impact of said conduct can be reduced dramatically by following best practices as dictated by the Security Rule. Further, negligent conduct is susceptible to being virtually eliminated with the proper training and organizational commitment.
7. Weather or Natural Disaster:
Consider how weather or natural disaster may exploit lack of regulatory compliance. Weather is notorious for finding vulnerabilities to exploit. At its worst, Weather is capable of eliminating all redundancies and leaving us at its mercy. However, with the advent of cloud computing, most of the egregious negative impacts that Weather may have on an organization's operational environment may be minimized, if not eliminated. Consider how easy it is to mirror cloud-based data on two remote locations, unlikely to experience weather events at the same time. If all your apps and data live on the Cloud, then you need to get key Personnel out of harm's way and into locations where their access devices will function (e.g. phones, laptops, pads, etc.).
8. Theft or Lost Device:
Consider how theft or a lost device may exploit lack of regulatory compliance. Devices are lost or stolen all the time. Human proclivities for losing and misplacing things have caused a significant number of non-trivial breaches. The amount of data that a thumb drive can now hold provides insight into the magnitude of potential breaches of PHI that can occur using portable devices. Mobile devices should be limited to access-only tools, and by exception, when used to store PHI, the latter should be encrypted. Portable devices should NEVER be used as permanent storage devices for PHI. On an exception basis and for temporary use (e.g. data analytics), they should be deployed carefully and then "wiped" once the temporary use is no longer required.
9. Direct Access Attack:
A direct attack by hackers to access your network, computers or software. This is what the lay public usually refers to as "hacking." It may come as a surprise that "hacking" attacks are not your organization's largest source of Risk. Although it is becoming easier by the day to "hack" (i.e. with dozens of "rootkits" available on the Internet), you can look elsewhere for the low-hanging fruit that will help you achieve the most bang-for-the-buck. There is a consensus in the security community that the "perimeter is dead," which translates into: you have to assume that your perimeter defenses can be compromised, and rely on strategies such as minimizing "dwell time" to Reduce Risk.
10. Identity Theft:
Consider how identity theft may exploit lack of regulatory compliance. Identity theft has become a multibillion-dollar industry with the end (or flattening) of growth nowhere in sight. Widespread use of two-factor authentication is emerging as a viable option for curbing its growth. As the name implies, two-factor authentication requires at least two factors: (1) something you know (e.g. user id and password); and (2) something you have (e.g. a smartphone). Because smartphones are ubiquitous among computer users, they have become the de facto "something you have" factor. Although two-factor authentication is highly recommended (understatement), it, like any other control, is not foolproof. Two-factor authentication can be hacked, BUT it requires a very sophisticated hack, usually incorporating a social engineering phishing attack, to achieve its objective.
11. Social Engineering or Intrusion:
Social Engineering or Intrusion deals with inappropriate access to your network or computers through some form of psychological manipulation. Consider how social engineering or intrusion may exploit lack of regulatory compliance. Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme. The term "social engineering," as an act of psychological manipulation of a human, is also associated with the social sciences, but its usage has caught on among computer and information security professionals. We aggregate Social Engineering with Intrusion because both are means of exploiting vulnerabilities. It matters little how the "bad guys" were able to penetrate your perimeter. What really matters is that they "got in." There are literally millions of vectors for penetrating a perimeter, a number so large that it makes little sense to attempt to attack a wicked problem such as regulatory compliance by dealing with millions of variables.
CONCLUSION
The problem needs to be "rationalized" before it can be managed. There are no perfect solutions. Moreover, the law does not require perfection. Generally, doing what is "reasonable and appropriate" is sufficient. Unfortunately, too many in the healthcare industry have elected the "Ostrich Strategy" instead of making a good faith attempt at compliance. I will clue you in on a little secret: "Complaining to HHS about not having enough HIPAA education from them is NOT going to help a scintilla next time a Breach occurs in your organization."
HOW TO COMPLY WITH HIPAA?
At 3Lions Publishing, Inc. our mission is to provide clients with:
- Premium Compliance Products,
- Education,
- Free Monthly Webinars,
- Newsletter Articles on HIPAA and regulatory topics, as well as
- "High Touch" LIVE assistance with Products for Risk Assessment and Remediation.
We do NOT charge extra for compliance support like many of our competitors; the cost of your LIVE assistance is included in your Subscription purchase.

A full 360-degree circle of Risk Assessment and Remediation products is provided in 3Lions Publishing Inc.'s Subscription Plan. The Subscription Plan includes Expresso®, the Risk Assessment "SaaS" based software, over 30 compliance and remediation products, and training videos that help Covered Entities and Business Associates understand how to implement the necessary Controls to be in compliance with HIPAA regulations. Our LIVE "High Touch" Assistance helps you "get it done" fast! Our many Training products describe various aspects of the regulations as well as demonstrations of how to use Expresso and associated compliance tools. As part of the Subscription Plan we also provide certification for clients seeking designation as HIPAA Certified Professional ("HCP").
A "Crosswalk" between Expresso Risks and Remediation tools provides easy access to model policies, procedures and tracking mechanisms for compliance.
FREE Monthly newsletters and webinars provide education on topics of regulatory concern. Missed one? Webinars and articles are posted to the HIPAA Survival Guide Store Website for future reference.
Questions? Please call or write using the contact information below.
Email: [email protected]
Phone: (800) 516-7903
GDPR FOR 2018!
With the recent European Union (EU) enforcement of the General Data Protection Regulation ("GDPR") effective May 25, 2018, we now provide you with GDPR Personal Data Assessment within Expresso along with compliance tools. If you intend to conduct business with EU users, customers or businesses, you need to learn how to comply with these requirements.
View the GDPR Subscription and products on the HIPAA Survival Guide Store:
Get your GDPR products or Subscription Now!
EXPRESSO RELEASE 2.0 COMING SOON!!
We are complementing Expresso with access to:
1) A fully encrypted web-based Compliance Repository and
2) Direct Access to HIPAA Survival Guide Products for Subscription clients.
Your web-based repository will enable you to upload and save your final Visible Demonstrable Evidence of Compliance ("VDE") to secure and encrypted folders. Direct access to HIPAA Survival Guide Products makes it easy for Subscription Customers to get products and compliance information from a single site.
So, why are we sharing this information in our Newsletter? Education, Education, Education. Stay tuned not only for Product updates but also for new capabilities and value offered to our elite group of clients. Save time and money with our high quality, bargain Subscription Plan!