NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Health IT Standards Committee Meeting Security Risk Management For Health IT Systems and Networks.

Slides:



Advertisements
Similar presentations
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Advertisements

SAFE Blueprint and the Security Ecosystem. 2 Chapter Topics  SAFE Blueprint Overview  Achieving the Balance  Defining Customer Expectations  Design.
KDP-1: Integrate supply chain knowledge into secure solutions concepts Evaluate supply chain threats with respect to the set of possible solutions under.
Near Real Time Risk Management Transforming the Certification and Accreditation Process ISSA-Baltimore Chapter Meeting May 28, 2008 Dr. Ron Ross.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
Security Controls – What Works
Managing Risks from Information Systems Building Effective Information Security Programs Data Management Association-National Capital Region January.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Critical Infrastructure Protection (and Policy) H. Scott Matthews March 25, 2004.
Federal Information Security Management Act Applying NIST Information Security Standards and Guidelines Presented to the State of California April.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Risk Assessment Frameworks
Risk Management Framework
NIST SP , Revision 1 Applying Risk Management to Information Systems (Transforming the Certification and Accreditation Process) A Tutorial February.
IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.
Dr. Ron Ross Computer Security Division
Systems Engineering Approach to MPS Risk Management Kelly Mahoney Presented at the Workshop for Machine Protection in Linear Accelerators.
Security Assessments FITSP-M Module 5. Security control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass.
Privileged and Confidential Strategic Approach to Asset Management Presented to October Urban Water Council Regional Seminar.
Introduction to Network Defense
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 FISMA Next Generation Managing Risk in an Environment of Advanced Persistent Cyber Threats NASA IT Summit.
Complying With The Federal Information Security Act (FISMA)
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Resiliency Rules: 7 Steps for Critical Infrastructure Protection.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Dr. Ron Ross Computer Security Division Information Technology Laboratory Defending the United States.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
Panel: Moderator: Michele Iversen Guest Experts: Dr. Ron Ross, Rod Beckstrom, Bob Wandell.
NHTSA Cyber Security Best Practices Study Tim Weisenberger December 7, 2011.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Dr. Ron Ross Computer Security Division Information Technology Laboratory Evolving Cybersecurity Strategies.
SEC835 Database and Web application security Information Security Architecture.
Don Von Dollen Senior Program Manager, Data Integration & Communications Grid Interop December 4, 2012 A Utility Standards and Technology Adoption Framework.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information Security Standards Promoting Trust, Transparency, and Due Diligence E-Gov Washington Workshop.
1 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Federal Government Perspectives on Secure Information Sharing Technology Leadership Series August 14,
Security Assessments FITSP-A Module 5
Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 DRAFT.
N-Wave Shareholders Meeting May 23, 2012 N-Wave Security Update Lisa
TEL2813/IS2820 Security Management
1 Information System Security Assurance Architecture A Proposed IEEE Standard for Managing Enterprise Risk February 7, 2005 Dr. Ron Ross Computer Security.
NIST Special Publication Revision 1
1 Process Engineering A Systems Approach to Process Improvement Jeffrey L. Dutton Jacobs Sverdrup Advanced Systems Group Engineering Performance Improvement.
Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Integrated Enterprise-wide Risk Management Protecting Critical Information Assets and Records FIRM Forum.
National Institute of Standards and Technology 1 The Federal Information Security Management Act Reinforcing the Requirements for Security Awareness Training.
1 Smart Grid Cyber Security Annabelle Lee Senior Cyber Security Strategist Computer Security Division National Institute of Standards and Technology June.
Disaster Recover Planning & Federal Information Systems Management Act Requirements December 2007 Central Maryland ISACA Chapter.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Managing Risk in New Computing Paradigms Applying FISMA Standards and Guidelines to Cloud Computing Workshop.
1 © Material United States Department of the Interior Federal Information Security Management Act (FISMA) April 2008 Larry Ruffin & Joe Seger.
Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:
Catawba County Board of Commissioners Retreat June 11, 2007 It is a great time to be an innovator 2007 Technology Strategic Plan *
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Integrated Enterprise-wide Risk Management Organization, Mission, and Information Systems View 2009 Workshop.
Cyber Insecurity Under Attack Cyber Security Past, present and future Patricia Titus Chief Information Security Officer Unisys Corporation.
Enterprise Cybersecurity Strategy
The NIST Special Publications for Security Management By: Waylon Coulter.
Protection of Transportation Infrastructure from Cyber Attacks EXECUTIVE BRIEFING.
CS457 Introduction to Information Security Systems
Computer Security Division Information Technology Laboratory
Cybersecurity - What’s Next? June 2017
BIL 424 NETWORK ARCHITECTURE AND SERVICE PROVIDING.
Cyber Security Enterprise Risk Management: Key to an Organization’s Resilience Richard A. Spires CEO, Learning Tree International Former CIO, IRS and.
Special Publication Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations Dr. Ron Ross Computer Security.
BUILDING A PRIVACY AND SECURITY PROGRAM FOR YOUR NON-PROFIT
ATD session 2: compliancy versus mission assurance
Threat Systems Management Office (TSMO)
An Urgent National Imperative
What are the Resilience Mechanisms? Hugo Pereira Evoleo Technologies
Cybersecurity ATD technical
Cybersecurity Threat Assessment
MAZARS’ CONSULTING PRACTICE
Presentation transcript:

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Health IT Standards Committee Meeting Security Risk Management For Health IT Systems and Networks

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 2 Setting the stage.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 3 The sanctity of the patient’s privacy (data confidentiality) and safety (data integrity and service availability). The growing use of advanced information technologies… Key Challenge Exercising security and privacy due diligence and managing risk.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 4  We are vulnerable because our information technology is fragile and susceptible to a wide range of threats including:  cyber attacks. (including insider threat)  natural disasters.  structural failures.  errors and misuse.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 5 Advanced Persistent Threat An adversary that —  Possesses significant levels of expertise / resources.  Creates opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, deception).  Establishes footholds within IT infrastructure of targeted organizations:  To exfiltrate information;  To undermine / impede critical aspects of a mission, program, or organization; and  To position itself to carry out these objectives in the future.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 6 Classes of Vulnerabilities A 2013 Defense Science Board Report described—  Tier 1: Known vulnerabilities.  Tier 2: Unknown vulnerabilities (zero-day exploits).  Tier 3: Adversary-created vulnerabilities (APT). A significant number of these vulnerabilities are “off the radar” of most organizations…

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 7 Good cyber hygiene is necessary… But not sufficient. You can’t count, configure, or patch your way out of this problem space. Difficult decisions ahead. Which Road to Follow?

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 8 Today, in cybersecurity, we are doing a lot of things right… But we are not doing enough.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 9 The hard cybersecurity problems are buried below the water line… In the hardware, software, and firmware.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 10 The argument for building stronger, more resilient information systems… Software assurance. Systems security engineering. Supply chain risk management.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 11 Getting the attention of the C-Suite.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 12  T hreat  A ssets  C omplexity  I ntegration  T rustworthiness TACIT Security MERRIAM - WEBSTER DICTIONARY tac. it adjective : expressed or understood without being directly stated

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 13 Threat  Develop a better understanding of the modern threat space, including the capability of adversaries to launch sophisticated, targeted cyber-attacks that exploit specific organizational vulnerabilities.  Obtain threat data from as many sources as possible.  Include external and insider threat analysis.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 14 Assets  Conduct a comprehensive criticality analysis of organizational assets including information and information systems.  Focus on mission/business impact.  Use triage concept to segregate assets by criticality.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 15 Complexity  Reduce the complexity of the information technology infrastructure including IT component products and information systems.  Employ enterprise architecture to consolidate, optimize, and standardize the IT infrastructure.  Adopt cloud computing architectures to reduce the number of IT assets through on-demand provisioning of services.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 16 Integration  Integrate information security requirements and the security expertise of individuals into organizational development and management processes.  Embed security personnel into enterprise architecture, systems engineering, SDLC, and acquisition processes.  Coordinate security requirements with mission/business owners; become key stakeholders.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 17 Trustworthiness  Invest in more trustworthy and resilient information systems supporting organizational missions and business functions.  Isolate critical assets into separate enclaves.  Implement solutions using modular design, layered defenses, component isolation.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 18 Summary  Understand the cyber threat space.  Conduct a thorough criticality analysis of health IT organizational assets.  Reduce complexity of health IT infrastructure.  Integrate health IT security requirements into organizational processes.  Invest in trustworthiness and resilience of health IT components and systems.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 19 The road ahead.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 20 Joint Task Force Federal Cyber Security Toolset  NIST Special Publication Managing Information Security Risk: Organization, Mission, and Information System View  NIST Special Publication Guide for Conducting Risk Assessments  NIST Special Publication Applying the Risk Management Framework to Federal Information Systems  NIST Special Publication Security and Privacy Controls for Federal Information Systems and Organizations  NIST Special Publication A Guide for Assessing the Security Controls in Federal Information Systems and Organizations

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 21 TIER 3 Information Systems and Medical Devices (Environment of Operation) TIER 2 Mission / Business Process (Information and Information Flows) TIER 1 Organization (Governance) Communicating and sharing risk-related information from the tactical to strategic level, that is from the operators to the executives. The Healthcare Organization Communicating and sharing risk-related information from the strategic to tactical level, that is from the executives to the operators.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 22 Risk Management Framework Security Life Cycle Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system). ASSESS Security Controls Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation. AUTHORIZE Information System Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business. Starting Point CATEGORIZE Information System Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment. SELECT Security Controls (a)(8) Evaluation (a)(1)(ii)(D) Information System Activity Review (a)(1)(ii)(B) Risk Management (a)(8) Evaluation (a)(1)(ii)(B) Risk Management Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings. IMPLEMENT Security Controls Continuously track changes to the information system that may affect security controls and reassess control effectiveness. MONITOR Security Controls (a)(1)(i) Security Management Process (a)(1)(i) Security Management Process (a)(1)(ii)(A) Risk Analysis (a)(1)(ii)(B) Risk Management (b)(1) Documentation (b)(2)(ii) Updates

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 23 Dual Protection Strategies Sometimes your information systems will be compromised even when you do everything right…  Boundary Protection Primary Consideration: Penetration resistance. Adversary Location: Outside defensive perimeter. Objective: Repel the attack.  Agile Defense Primary Consideration: Information system resilience. Adversary Location: Inside defensive perimeter. Objective: Operate during disruption, mitigate damage, recover quickly.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 24 NIST Special Publication Systems Security Engineering An Integrated Approach to Building Trustworthy Resilient Systems On the Horizon…

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 25  Stakeholder requirements definition.  Requirements analysis.  Architectural design.  Implementation.  Integration.  Verification.  Transition.  Validation.  Operation.  Maintenance.  Disposal. Building on International Standards

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 26 Some final thoughts.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 27 Security should be a by-product of good design and development practices. Security is critical to the success of any healthcare organization, and to the privacy, safety, and health of patients.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 28 Be proactive, not reactive when it comes to protecting your organizational assets.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 29 Cybersecurity is a team sport. Government Academia Industry

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 30 Necessary and Sufficient Security Solutions… Cyber Security Hygiene COUNTING, CONFIGURING, AND PATCHING IT ASSETS Strengthening the IT Infrastructure SYSTEM / SECURITY ENGINEERING, ARCHITECTURE, AND RESILIENCY Has your organization achieved the appropriate balance?

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 31

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 32 Contact Information 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA Project LeaderAdministrative Support Dr. Ron RossPeggy Himes (301) (301) LinkedIn Senior Information Security Researchers and Technical Support Pat Toth Kelley Dempsey (301) (301) Web: csrc.nist.govComments:

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.