CASC Regulated Data Working Group Meeting: HIPAA Round Table Ralph Zottola, PhD CTO – Strategy, Research and Communications University of Massachusetts President’s Office October 14, 2015

Context I am not an information security officer… AND I don’t usually pretend to be one, especially at conferences… BUT

I am told that I am well past the tin-foil hat stage of awareness…. …and thus need help so I am fortunate that some of my best friends are information security officers!

Today, Two Short Stories How we managed to build a clinical data warehouse when we were not the HIPAA covered entity Building a cybersecurity program at the University of Massachusetts President’s Office

UMassMed CDW Context UMass Medical School and UMass Memorial Health Care are separate legal entities Began as a Medical school initiative driven by our CTSA planning UMassMed is not a HIPAA covered entity Today, this is a shared strategic priority of UMassMed and UMMHC

UMassMed CDW Sell a Big Vision Know your audience Align with partner priorities Be flexible

TIDE Architecture aka Fort Knox Critical component to secure data access agreement and BAA with UMMHC The Trusted Independent Data Environment is the repository for all identified data Medical School functions as an “Honest Broker” Highly secure Dedicated firewalls, IDS, two factor authentication Limited number of users No “internet access” – all transfers via VPN secure FTP Human Subjects training (CITI) and background checks for all IT staff that have access Regular audits of traffic and system usage SOPs for data management Another secure zone created for transactional regulated data (i.e. REDCap, IRB authorized marts…)

Keys to Success & Lessons Learned 20% Technology -- 80% Policy & Procedure relationships Since the school is not the HIPAA covered entity, it took a year of review by legal, privacy and compliance, risk management, etc Do NOT dismiss any issue/concern NEED Executive Sponsorship Establish shared governance Expect to repeatedly address “resolved” issues Incremental builds to establish culture of success

UMPO Cybersecurity Program Led by Lawrence Wilson, CISO, UMPO A special acknowledgement for sharing slides UMass A federation of five campuses and the President’s Office Five Chancellors and a President Six CIOs, six CISOs Focus here on UMPO which manages the ERP, WAN, IdM services across the system

CISO’s View Of The Problem: Unmanaged Assets Our Managed Assets ARE protected Our managed assets  We need to understand why security breaches occur  And the steps to take to prevent them  And build a program to protect our organization’s assets Our unmanaged assets  There are undetected problems – not seen, not reported  Our unmanaged assets become easy targets  And lead to a breach from missing or ineffective controls Our Unmanaged Assets ARE NOT protected Design and build a security program to protect IT resources and information assets

So Many Standards Control Objectives for Information and Related Technology (COBIT) Council on CyberSecurity (CCS) Top 20 Critical Security Controls (CSC) ANSI/ISA ( )-2009, Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program: ANSI/ISA ( )-2013, Security for Industrial Automation and Control Systems: System Security Requirements and Security Levels: ISO/IEC 27001, Information technology --Security techniques -- Information security management systems --Requirements: NIST SP Rev. 4: NIST Special Publication Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013 (including updates as of January 15, 2014). We found that ISO is more process oriented—good for management and operations but difficult for IT people to understand. CCS is more technical— better suite for IT staff

The CISO Solution: Managed Assets Build layers of controls to protect your organization’s assets MGT – Management Controls TEC – Technical Controls OPS – Operational Controls Identify Protect Detect Respond Recover The NIST C Framework 3

The CISO Model: Controls Factory Technology Design Controls Framework Controls Standards Technology Architecture Design Office Technology Center Operations Center Controls Design Technology Build or Buy Security Administration Security Operations Program Management Incident Response Input Output The Current Profile (Before the Factory) The Target Profile (After the Factory) Program Delivery Program Planning Program Roadmap Testing Center Technology Testing Controls Testing Operations Testing Vulnerabilities & Defects Threats & Threat Actors Attack Chain Threat Office Unmanaged Assets Program Risk Management Factory Governance Program Compliance Management Factory Management Engineering Area Operations AreaBusiness Area Managed Assets

The Deliverables: Cybersecurity Programs Crown Jewels Program (Deliverables: Managed Critical Assets) Identity Governance Program (Deliverables: Managed People, Accounts, Entitlements) Data Governance Program (Deliverables: Managed Information) Application Security Program (Deliverables: Managed Applications) Engineerin g Office Technology Center Operations Center Testing Center Program Manageme nt Infrastructure Security Program (Deliverables: Managed Endpoints, Networks, Servers, Databases) Threat Office Input Unmanaged Assets Output Managed Assets Factory Manageme nt Controls Design Technology Build Operations Run Controls Test Program Deliverables Attack Models Factory Deliverables

The Approach: Factory in a Box From academic to early adopter to regulated environments Implementation Blueprint Research, Lab Environments (Academic, Cybersecurity Organizations) Dev, Test, Prod Environments (Early Adopters) Cloud, MSSP, Enterprise Environments (Regulated Entities) Feedback Loop Implementation Blueprint Feedback Loop Implementation Blueprint Feedback Loop 1 2 3

Thank you