Breach Prevention: Using the NIST Framework
How One Healthcare System Is Applying the Guidance
In movie screenwriting, an "inciting incident" is the conflict that precipitates the plot. It's something that happens to the hero or heroes, usually not of their choosing, and is often a crisis.
Recently, data breaches have become the inciting incident for a dramatic refocusing of thinking and behavior in the information security industry and in the organizations it protects (see: China Hackers Suspected in Health Breach). Daily headlines report compromises of confidential information at brand-name corporations and Web service providers, each one exposing ever larger numbers of hapless accountholders. The trend is accelerating. What's the crescendo of this plot? How big is this crisis?
Security-centric news is rife with theories, dire predictions, and staggering statistics. For instance, 93 percent of large organizations experienced a security breach in 2013, and two-thirds weren't discovered for at least a month, according to the PricewaterhouseCoopers 2013 Information Security Breaches Survey.
Even with dramatic increases in information security spending, thousands of "cyber" articles - and almost as many webinars - tell us it's a losing battle. The asymmetric advantage of the innovative cybercriminals has the makings of a tragic plot.
If big organizations - with impressive security budgets, technologies and consultants - can't keep the villains at bay, what are the chances for the rest of us?
To start with, we should have a cybersecurity strategy. Not a complex program, just a Phase 1, first-things-first, outline of how we do the basics:
- Identify what's at risk and worth protecting;
- Protect our valuables with the capabilities we have;
- Detect threats and incidents as they are happening;
- Respond as quickly as possible, because every hour of delay increases the cost dramatically; and
- Recover services in order of priority - and learn from experience, hopefully the experiences of others.
Here, at the end of a depressing Act I, enters our "ally," the National Institute of Standards and Technology, with the U.S. Cybersecurity Framework, published in February 2014 - and it's free. It's also well-formed, agile, process- and risk-centric, voluntary, aligned with multiple standards bodies, and supported by industries and the passionate white-hat security communities.
The framework is cybersecurity focused, but it easily aligns with a business-view, risk-centric, service-aligned security model. It provides a simplified context for the rest of us who can't afford the staff and resources to adopt an ISO-27000 program or a "controls" framework approach. Many of us need to adopt small-scale block-and-tackle type programs that our internal information security teams can implement and sustain - and our leadership can understand and sponsor.
That's the end of Act I. But the show is not over.
At PeaceHealth, a healthcare system in the Pacific Northwest, we've adopted the NIST framework and expanded it to meet our needs. Here's our adaptation:
- Align the five core functions of Identify, Protect, Detect, Respond, and Recover - the "profiles" (categories) - with our COBIT Information Security Service Catalog (the value proposition);
- Identify and map our risk priorities - with three year funding request roadmap - to each applicable profile (subcategory requirements, controls and objectives);
- Map our organizational maturity to each category (current state, gap, target state), with an integrated heat map for strengths, weaknesses, opportunities and threats;
- Create a three-year Action Plan and Remediation Roadmap - quarter by quarter, with achievable projects "chunked" to the skills and capabilities of our resources.
That's it - on one page. Granted, it's a ledger-sized spreadsheet, but it fits and speaks to leadership. It's all there: The risk-aligned framework, the service catalog, priorities, funding, maturity map (even though the NIST framework isn't intended to be a maturity model), and remediation project roadmap.
The elegance of this simple layout is that any number of columns can be hidden to focus attention for each audience, without maintaining different reports or data sources.
As the NIST framework's executive summary states, it will help an organization "align its cybersecurity activities with its business requirements, risk tolerances and resources."
The beauty of the NIST framework is that it comes with crosswalks to other major frameworks and references: ISO/IEC, ISA, COBIT 5, and NIST SP 800-53.
In healthcare we have a number of regulatory compliance requirements: HIPAA/HITECH, Payment Card Industry, state level privacy and health statutes and more. PeaceHealth is tracking over 700 "controls" that we are accountable to address. It's no wonder healthcare is stressed to mature our information security and privacy programs.
Healthcare is not immune to the cybersecurity drama. Many research reports and surveys have called attention to the high value of medical record information and the challenges in preventing breaches. Ominously for healthcare, we are trending at the bottom in our ability to respond in a timely manner to sophisticated and subtle cyberthreats.
We have entered the climax of the story. The prospects are pretty grim for our heroes in information security.
There is no dénouement, no closure to our story. Information security is a never-ending and ever-evolving process. Old ways of defending against threats will, out of necessity, evolve. The security perimeter is now information itself. Encryption of data at rest, in motion and in use is required. Detection and response capabilities need to show up before the credits roll, and all actors - and audience members - need to awaken to our collective roles and responsibilities in shaping the outcome of this climactic stage.
The NIST Cybersecurity Framework provides an elegant, simple and easy to adapt resource for establishing baseline security for any organization. It's agile, extensible and evolving.
Paidhrin is the security administration manager in the information security technology division of PeaceHealth, a healthcare delivery system in the Pacific Northwest, where he has worked for 12 years. Earlier, he worked in higher education, as well as in private sector and entrepreneurial ventures, where he held a number of director-level positions.