CASC Regulated Data Working Group Meeting: HIPAA Round Table Ralph Zottola, PhD CTO – Strategy, Research and Communications University of Massachusetts President’s Office October 14, 2015


Page 1

CASC Regulated Data Working Group Meeting:

HIPAA Round Table

Ralph Zottola, PhD
CTO – Strategy, Research and Communications
University of Massachusetts President’s Office

October 14, 2015

Page 2

Context

I am not an information security officer…

AND

I don’t usually pretend to be one, especially at conferences…

BUT

Page 3

I am told that I am well past the tin-foil hat stage of awareness…

…and thus need help, so I am fortunate that some of my best friends are information security officers!

Page 4

Today, Two Short Stories

• How we managed to build a clinical data warehouse when we were not the HIPAA covered entity

• Building a cybersecurity program at the University of Massachusetts President’s Office

Page 5

UMassMed CDW Context

• UMass Medical School and UMass Memorial Health Care are separate legal entities
• Began as a Medical School initiative driven by our CTSA planning
• UMassMed is not a HIPAA covered entity

• Today, this is a shared strategic priority of UMassMed and UMMHC

Page 6

UMassMed CDW

Sell a Big Vision

Know your audience

Align with partner priorities

Be flexible

Page 7

TIDE Architecture aka Fort Knox

• Critical component to secure data access agreement and BAA with UMMHC

• The Trusted Independent Data Environment is the repository for all identified data

• Medical School functions as an “Honest Broker”
• Highly secure
  • Dedicated firewalls, IDS, two-factor authentication
  • Limited number of users
  • No “internet access” – all transfers via VPN secure FTP
  • Human Subjects training (CITI) and background checks for all IT staff that have access
  • Regular audits of traffic and system usage
• SOPs for data management
• Another secure zone created for transactional regulated data (e.g. REDCap, IRB-authorized marts…)
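As an added example (not code from the presentation, from UMass, or from the TIDE environment), the script below turns the enclave rules on this slide, no general internet access, all transfers over VPN and secure FTP, and a small fixed user list, into checks run over flow-log lines, one concrete form of the “regular audits of traffic and system usage” the slide calls for. The subnets, the VPN gateway and SFTP host addresses, the user names, the log format and the log lines are all constructed assumptions for the example.

```python
"""Flow-log audit for a restricted clinical-data enclave.

Added example, not from the presentation or from UMass. It models the
TIDE-style rules on the slide (no general internet access, all transfers
over VPN + secure FTP, a small fixed user list) as checks that run over
flow-log lines. Every subnet, host, user name and log line is constructed.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional

# Hypothetical network layout; assumed, not the real TIDE addressing.
ENCLAVE_NET = ip_network("10.50.0.0/24")       # hosts inside the enclave
INTERNAL_NET = ip_network("10.0.0.0/8")        # the wider campus network
VPN_GATEWAY = ip_address("10.50.255.1")        # the only sanctioned way out
SFTP_DROPS = {ip_address("10.60.1.10")}        # approved secure-FTP endpoint(s)
SFTP_PORT = 22
APPROVED_USERS = {"broker01", "rz_analyst"}    # the "limited number of users"

# Constructed flow-log line format: timestamp followed by key=value fields.
LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) user=(?P<user>\S+) action=(?P<action>\w+)$"
)


@dataclass
class Flow:
    ts: str
    src: IPv4Address
    dst: IPv4Address
    dport: int
    user: str
    action: str


@dataclass
class Finding:
    ts: str
    user: str
    reason: str


def parse_flow(line: str) -> Optional[Flow]:
    """Return a Flow for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], ip_address(m["src"]), ip_address(m["dst"]),
                int(m["dport"]), m["user"], m["action"])


def check_flow(f: Flow) -> List[Finding]:
    """Apply the enclave policy to one flow; return every violation found."""
    out: List[Finding] = []
    if f.src not in ENCLAVE_NET:
        return out                      # only enclave-originated traffic is in scope
    if f.user not in APPROVED_USERS:
        out.append(Finding(f.ts, f.user, "user not on the approved enclave list"))
    if f.action != "allow":
        return out                      # a blocked flow means the firewall did its job
    if f.dst in ENCLAVE_NET or f.dst == VPN_GATEWAY:
        return out                      # internal traffic or the sanctioned VPN path
    if f.dst in SFTP_DROPS:
        if f.dport != SFTP_PORT:        # e.g. plain FTP to the transfer host
            out.append(Finding(f.ts, f.user,
                               f"non-SFTP port {f.dport} to transfer host {f.dst}"))
        return out
    where = "internal host" if f.dst in INTERNAL_NET else "internet"
    out.append(Finding(f.ts, f.user,
                       f"egress to {where} {f.dst}:{f.dport} outside the VPN/SFTP path"))
    return out


def audit(lines) -> List[Finding]:
    """Run every policy check over an iterable of log lines."""
    findings: List[Finding] = []
    for line in lines:
        flow = parse_flow(line)
        if flow is not None:
            findings.extend(check_flow(flow))
    return findings


# Constructed sample log; these are not real flows.
SAMPLE_LOG = [
    "2015-10-14T09:01:02Z src=10.50.0.12 dst=10.60.1.10 dport=22 user=broker01 action=allow",
    "2015-10-14T09:05:41Z src=10.50.0.12 dst=203.0.113.7 dport=443 user=broker01 action=allow",
    "2015-10-14T09:07:10Z src=10.50.0.15 dst=10.60.1.10 dport=21 user=rz_analyst action=allow",
    "2015-10-14T09:09:55Z src=10.50.0.20 dst=10.50.255.1 dport=1194 user=contractor action=allow",
    "2015-10-14T09:12:00Z src=10.50.0.12 dst=10.50.0.13 dport=5432 user=broker01 action=allow",
    "2015-10-14T09:13:30Z src=10.50.0.12 dst=203.0.113.9 dport=80 user=broker01 action=deny",
    "2015-10-14T09:14:00Z src=192.168.7.4 dst=203.0.113.7 dport=443 user=visitor action=allow",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for fi in audit(SAMPLE_LOG):
        print(f"{fi.ts} {fi.user}: {fi.reason}")
```

On the constructed sample the audit reports three findings: an allowed connection from the enclave straight to the internet, plain FTP (port 21) to the transfer host instead of SFTP, and a VPN session by an account that is not on the approved list. Denied flows produce no finding because the firewall enforced the policy; a real audit would read exported firewall or flow records instead of the inline list and would reconcile the approved-user set against the CITI training and background-check records the slide mentions.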

Page 8

Keys to Success & Lessons Learned

• 20% Technology -- 80% Policy & Procedure
• Relationships
• Since the school is not the HIPAA covered entity, it took a year of review by legal, privacy and compliance, risk management, etc.
• Do NOT dismiss any issue/concern
• NEED Executive Sponsorship
• Establish shared governance
• Expect to repeatedly address “resolved” issues
• Incremental builds to establish a culture of success

Page 9

UMPO Cybersecurity Program
• Led by Lawrence Wilson, CISO, UMPO
• A special acknowledgement for sharing slides

• UMass
  • A federation of five campuses and the President’s Office
  • Five Chancellors and a President
  • Six CIOs, six CISOs

• Focus here on UMPO, which manages the ERP, WAN, IdM services across the system

Page 10

CISO’s View Of The Problem: Unmanaged Assets

Our Managed Assets ARE protected
• We need to understand why security breaches occur
• And the steps to take to prevent them
• And build a program to protect our organization’s assets

Our Unmanaged Assets ARE NOT protected
• There are undetected problems – not seen, not reported
• Our unmanaged assets become easy targets
• And lead to a breach from missing or ineffective controls

Design and build a security program to protect IT resources and information assets

Page 11

So Many Standards
• Control Objectives for Information and Related Technology (COBIT)
• Council on CyberSecurity (CCS) Top 20 Critical Security Controls (CSC)
• ANSI/ISA-62443-2-1 (99.02.01)-2009, Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program
• ANSI/ISA-62443-3-3 (99.03.03)-2013, Security for Industrial Automation and Control Systems: System Security Requirements and Security Levels
• ISO/IEC 27001, Information technology -- Security techniques -- Information security management systems -- Requirements
• NIST SP 800-53 Rev. 4: NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013 (including updates as of January 15, 2014)

We found that ISO is more process oriented: good for management and operations, but difficult for IT people to understand. CCS is more technical: better suited for IT staff.

Page 12

The CISO Solution: Managed Assets

[Diagram: a grid of control identifiers arranged in layers around “Managed Assets”: management controls MGT-01 through MGT-16, technical controls TEC-01 through TEC-20, and operational controls OPS-01 through OPS-20.]

Build layers of controls to protect your organization’s assets

MGT – Management Controls
TEC – Technical Controls
OPS – Operational Controls

The NIST Cybersecurity Framework (CSF) functions: Identify, Protect, Detect, Respond, Recover

Page 13

The CISO Model: Controls Factory

[Diagram: a “factory” flow from Input (Unmanaged Assets; The Current Profile, before the Factory) to Output (Managed Assets; The Target Profile, after the Factory), in seven numbered stages across an Engineering Area, an Operations Area and a Business Area. The labeled boxes are:]

• Design Office: Controls Framework, Controls Standards, Controls Design, Technology Design, Technology Architecture
• Technology Center: Technology Build or Buy
• Operations Center: Security Administration, Security Operations, Incident Response
• Testing Center: Technology Testing, Controls Testing, Operations Testing
• Threat Office: Vulnerabilities & Defects, Threats & Threat Actors, Attack Chain
• Program Management: Program Planning, Program Roadmap, Program Delivery
• Factory Management: Program Risk Management, Factory Governance, Program Compliance Management

Page 14

The Deliverables: Cybersecurity Programs

[Diagram: the same factory flow, Input (Unmanaged Assets) to Output (Managed Assets), with seven numbered stages: Engineering Office, Technology Center, Operations Center, Testing Center, Threat Office, Program Management, Factory Management. Stage labels: Controls Design, Technology Build, Operations Run, Controls Test, Attack Models, Program Deliverables, Factory Deliverables.]

Programs and their deliverables:
• Crown Jewels Program (Deliverables: Managed Critical Assets)
• Identity Governance Program (Deliverables: Managed People, Accounts, Entitlements)
• Data Governance Program (Deliverables: Managed Information)
• Application Security Program (Deliverables: Managed Applications)
• Infrastructure Security Program (Deliverables: Managed Endpoints, Networks, Servers, Databases)

Page 15

The Approach: Factory in a Box

From academic to early adopter to regulated environments

[Diagram: three stages, each with its own Implementation Blueprint and Feedback Loop:]
1. Research, Lab Environments (Academic, Cybersecurity Organizations)
2. Dev, Test, Prod Environments (Early Adopters)
3. Cloud, MSSP, Enterprise Environments (Regulated Entities)

Page 16

Thank you