Recommendations for Implementing an Information Security Framework for Life Science Organizations
Introduction
- Doug Shaw, CISA, CRISC
- Director of CSV & IT Compliance, Azzur Consulting

Agenda
- Why is information security generally less mature in Health and Life Science organizations than in other industries?
- What can be done to promote a more holistic approach?
- What types of controls can be implemented to improve confidentiality, integrity and availability of critical systems/data?
Cyber Health Study Findings Reveal:
- Study in 2014 by BitSight Technologies examined the cyber health of S&P 500 companies
- 82% of companies experienced security breaches
- Healthcare and Life Science companies ranked last
- HLS take > 5 days to resolve
- Spend only what is required to be compliant
- Compliance with regulations does not equate to full security!
Patient (ePHI) Data Breaches
- Chart: 2015 breach categories, with counts of 51, 39, 43 and 2 spread across Unauthorized Access, Hacking/IT Incident, Improper Disposal and Laptop Loss/Theft (the chart's pairing of counts to categories did not survive extraction)
- Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Audit Findings Support Study Findings
Personal experiences:
- Initial focus is on computer validation, Part 11
- Individual systems validated but no holistic plan for information security
- Disconnect between system owners and IT
- Gaps between SOPs; overarching policies lacking
- Doing just enough to get through inspections

Information Security: Definition
- COBIT: Ensures that within the enterprise, information is protected against disclosure to unauthorized users, improper modification, and non-access when required.
- ISO 27001: Preservation of confidentiality, integrity and availability of information (CIA)
- NIST 800-53: Protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability
- MHRA: Extent to which all data are complete, consistent and accurate throughout the data lifecycle.
CIA is Referenced Throughout Regulations!
- 21 CFR Part 11: employ procedures and controls designed to ensure authenticity, integrity and, as appropriate, confidentiality of electronic records
- 21 CFR Part 211 Subpart J: readily available for inspection
- 21 CFR Part 211 Subpart D: appropriate control
- Both Part 211 subparts mention availability of records for inspection
- Part 11 Scope and Application: security still in scope
- MHRA Data Integrity Guidance: overarching data governance, data integrity controls
Additional Examples:
- 21 CFR Part 820: records reasonably accessible; prevent loss; records shall be backed up
- General Principles of Software Validation: calls for security requirements, design and test
- Computerized Systems Used in Clinical Trials: availability to reconstruct the trial, prevent unauthorized access, data integrity
- 42 CFR Part 493 (CLIA): data is accurate and reliable
InfoSec has Benefits Beyond Compliance
Corrective actions can be costly and divert key resources:
- Patient safety issues
- Lawsuits
- Fines
- Facility closings
- Reduced production
- Financial (recall, negative PR, stock price decline)

Regulator Focus is Increasing
- Warning letter, 21 CFR 211.68(b) (1/2015): failed to exercise appropriate controls over computer systems
- Warning letter, API (2/2015): no backup, audit trail turned off, raw data not secure
- 483, 21 CFR 211.68(b) (7/2014): lack of control on lab instruments to assure data integrity
- 483, 21 CFR 211.68(b) (5/2014): general login allows data to be deleted or modified
Security Framework Implementation Process
- Identify and classify data
- Identify applicable regulations
- General principles for information security: security objectives
- Perform risk assessment / existing control review / identify gaps
- Implement controls
- Monitor
- Scale framework to complexity of operations and risk
Framework Consists of Controlled Documents
Document hierarchy, with an availability example at each level:
- Core Objectives: Availability
- Policies: Business Continuity
- SOPs: Backup/Restore
- Work Instructions: Tape Rotation
- Forms/Checklists: Backup Log Review
Supporting processes: Document Control, Training, Review, Internal Auditing

Core Objectives Have Multiple Inputs
- Manage Risk
- Monitoring and Improvement
- User Needs
- Data Classification / Regulations
- Manage Costs
Data Can Be Classified Using a Checklist Approach
- Identify applicable regulations
- Inventory systems (regulated v. not)
- Develop checklist based on regulations
- Simple questions: Does the system contain adverse event data?
- Have system owners complete and approve
- Assemble information into a living table
General Risk Assessment Approach
- Identify: risk scenarios
- Analyze: effectiveness of current controls
- Evaluate: severity, probability, detectability
- Treat/Control: additional controls
- Breach categories are an excellent starting point for Identify phase discussions
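The four phases above can be run as a small scored risk register. The following is an added example, not a tool from the presentation or from Azzur Consulting. It assumes a 5-point scale for severity, probability and detectability, an FMEA-style score of severity multiplied by residual probability and residual detectability after current controls are credited, and a treatment threshold of 40; the scenarios and their ratings are constructed from the deck's typical-scenario list.

```python
"""Added example: scoring a risk register through Identify / Analyze / Evaluate / Treat.

Assumptions (not from the slides): a 5-point scale for each factor, an FMEA-style
score of severity x residual probability x residual detectability, and a treatment
threshold of 40. Scenario values are constructed for illustration.
"""
from dataclasses import dataclass, field

SCALE = range(1, 6)        # assumed 1..5 scale, 5 = worst
TREAT_THRESHOLD = 40       # assumed: scores above this need additional controls


@dataclass
class Control:
    name: str
    prob_reduction: int = 0    # scale points the control lowers probability by
    detect_reduction: int = 0  # scale points the control improves detectability by


@dataclass
class Scenario:
    name: str
    severity: int            # consequence for patients / data integrity
    probability: int         # likelihood with no controls in place
    detectability: int       # 5 = would go unnoticed, 1 = caught immediately
    controls: list = field(default_factory=list)


def residual(s: Scenario) -> tuple:
    """Analyze: credit current controls, never dropping below the scale minimum."""
    for v in (s.severity, s.probability, s.detectability):
        if v not in SCALE:
            raise ValueError(f"{s.name}: factor {v} outside scale {list(SCALE)}")
    p = max(min(SCALE), s.probability - sum(c.prob_reduction for c in s.controls))
    d = max(min(SCALE), s.detectability - sum(c.detect_reduction for c in s.controls))
    return p, d


def score(s: Scenario) -> int:
    """Evaluate: severity x residual probability x residual detectability."""
    p, d = residual(s)
    return s.severity * p * d


def rank(scenarios: list, threshold: int = TREAT_THRESHOLD) -> list:
    """Treat/Control: rank scenarios and mark those needing additional controls."""
    rows = []
    for s in scenarios:
        sc = score(s)
        action = "treat: add controls" if sc > threshold else "accept / monitor"
        rows.append((s.name, sc, action))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed scenarios drawn from the slide's typical-scenario list
REGISTER = [
    Scenario("Employee leaves but still has access", 4, 4, 4, [
        Control("Termination checklist in access control SOP", prob_reduction=2),
        Control("Quarterly user account review", detect_reduction=2),
    ]),
    Scenario("Malware on laboratory PC", 5, 4, 3, [
        Control("Anti-virus software", 1, 1),
        Control("OS patching process", prob_reduction=1),
    ]),
    Scenario("Backup tape failure", 5, 3, 5, [
        Control("Backup log review", detect_reduction=2),   # no restore testing yet
    ]),
    Scenario("Prolonged power outage", 4, 2, 1, [
        Control("Diesel generator and battery backup", prob_reduction=1),
    ]),
]

if __name__ == "__main__":
    for name, sc, action in rank(REGISTER):
        print(f"{sc:3d}  {name:40s} {action}")
```

The tape-failure scenario ranks first because detectability stays poor when the only control is reading the backup log; adding restore testing as a detection control is the kind of "additional control" the Treat phase would record.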
Controls are Important for Each Phase of Data Lifecycle
Lifecycle phases: Create, Store, Retrieve/Modify, Archive, Destroy
Controls placed across those phases on the slide:
- Application Security, Training, User SOP, Access Forms
- Encryption at rest, Encryption in transit, VPN, Checksum
- Physical Security, Logical Security, Environmental Controls
- Anti-Virus SW, OS patching, Patching, Intrusion Prevention System, Firewall, Network Security
- Disaster Recovery, Backup/Restore, Restore Testing, Audit Trails
- Data Migration Plan, Hardware Maintenance, Outsourced destruction, Change Management
Think CIA: Confidentiality, Integrity and Availability
and as Data Flows Through Hardware and Networks
- Individual programs validated but gaps remain throughout the data flow
- Data typically flows through more than one system
- Chain of custody lacking
- Map data flow as part of risk assessment
- Assign data owner
- CSV policy, templates, education, accountability

Gaps Can Be More Easily Identified When Mapping Flow
- Example data flow: Laboratory Instrument -> Excel -> Emailed -> SAS -> Cloud
- Infrastructure the data passes through: Local Hard Drive, Network Drive, Mail Server, Personal Computer, Third Party
- Controls should be considered and implemented as warranted throughout the flow
Types of Controls
- Administrative: risk assessment, access forms, maintenance checklists
- Technical: application security, network monitoring, firewall, encryption
- Physical: tiered security, physical locks, badge readers, biometric scanner

Use Typical Scenarios to Initiate Risk Assessment Process
- Natural disaster: earthquake, fire, flood, hurricane
- Denial of Service, malware, virus
- Data loss / corruption / hardware / tape failure
- Malicious employee
- Lost card key
- Lost device / backup tapes
- Password sharing
- Employee leaves company but still has access

Specific Scenarios Help Identify Many Controls
- Scenario 1: Prolonged power outage. Controls: diesel generator, battery backup, periodic testing of generator/batteries, checklists, environmental monitoring
- Scenario 2: Unauthorized access. Controls: network monitoring, intrusion prevention, firewall, security patching process, third party penetration testing, incident reporting procedure, anti-virus software, access controls procedure, user training
Related Controls Should be Grouped Into Procedures
- Start with a generic SOP list; no need to reinvent the wheel
- COBIT, ISO 27001, NIST 800-53 & FedRAMP are excellent references
- Tie SOPs back to a policy
- Scale and merge content according to risk and data criticality
- Example SOPs: Vendor Mgmt., Logical Security, Incident Handling, Change Control, Physical Security, Visitor Policy

Control Rigor Does Not Decrease With Outsourcing
- Requirement for strong controls does not go away
- Vendor audit program
- Service Level Agreement (SLA)
- SOP coverage
- Change management
- Incident reporting
- Patching (SaaS)
- Validation

Risk Management / Control Monitoring
- Periodic internal / supplier auditing
- Review change requests
- Review risk assessment
- Help desk tickets
- User accounts
- Maintenance records
- Regulation changes
- SOPs
- Review data classification / criticality
- Vendor updates, patches etc.
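The user-account item in the monitoring list is where two findings raised earlier in the deck surface: the employee who has left but still has access, and the general login that can delete or modify records. The following added example (not from the presentation) is a periodic account review that cross-checks a constructed application user export against a constructed HR roster and reports enabled accounts of non-active employees, generic logins, and accounts with no login in more than an assumed 90 days.

```python
"""Added example: a periodic user account review, one of the monitoring
activities on the slide.

The HR roster, account export, review date and dormancy threshold are all
constructed; the rules encode three situations the deck raises: an employee
who left but still has access, a general login that can modify or delete
records, and dormant accounts.
"""
from datetime import date

DORMANT_DAYS = 90                  # assumed review threshold
REVIEW_DATE = date(2015, 10, 15)   # constructed "as of" date for the review

# Constructed HR roster: user id -> employment status
HR_ROSTER = {
    "jsmith": "active",
    "mlee": "terminated",
    "rjones": "active",
}

# Constructed export from a regulated application's user table
ACCOUNTS = [
    {"user": "jsmith", "enabled": True, "last_login": date(2015, 9, 28),
     "can_modify_records": False, "generic": False},
    {"user": "mlee", "enabled": True, "last_login": date(2015, 9, 30),
     "can_modify_records": True, "generic": False},
    {"user": "rjones", "enabled": True, "last_login": date(2015, 4, 2),
     "can_modify_records": False, "generic": False},
    {"user": "labuser", "enabled": True, "last_login": date(2015, 10, 1),
     "can_modify_records": True, "generic": True},
    {"user": "oldadmin", "enabled": False, "last_login": date(2014, 1, 5),
     "can_modify_records": True, "generic": False},
]


def review_accounts(accounts, roster, as_of, dormant_days=DORMANT_DAYS):
    """Return (user, finding) pairs for enabled accounts that need action."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue   # already disabled: out of scope for this review
        user = a["user"]
        if a["generic"]:
            # A shared login cannot be tied to a person in the audit trail
            if a["can_modify_records"]:
                findings.append((user, "general login can modify/delete records"))
            else:
                findings.append((user, "general login: actions not attributable"))
            continue
        if roster.get(user) != "active":
            findings.append((user, "not an active employee but account enabled"))
        if (as_of - a["last_login"]).days > dormant_days:
            findings.append((user, f"no login in more than {dormant_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNTS, HR_ROSTER, REVIEW_DATE):
        print(f"{user:10s} {finding}")
```

Each finding maps to a procedure the deck already names: the terminated user to the access controls procedure, the generic login to the 483 observation about general logins, and the dormant account to the quarterly review record that an inspector will ask for.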
Summary
- Utilize a top-down approach. Start with the organization's security objectives and risks
- No need to start with a blank piece of paper. Plenty of information is available to get the RA started
- Classify data based on criticality
- Translate controls into actionable SOPs
- Monitoring is key to maintaining compliance AND improving efficiency
- Complying with regulations does not necessarily close all gaps

Agenda: review
- Why is information security generally less mature in Health and Life Science organizations than in other industries?
- What can be done to promote a more holistic approach?
- What types of controls can be implemented to improve confidentiality, integrity and availability of critical systems/data?
- Jason will elaborate on technical controls

Thank You!
Contact Information:
- Doug Shaw, CISA, CRISC
- doug.shaw@azzur.com
- 610.741.5631