Recommendations for Implementing an Information Security Framework for Life Science Organizations


Introduction
Doug Shaw, CISA, CRISC
Director of CSV & IT Compliance, Azzur Consulting

Agenda
- Why is information security generally less mature in Health and Life Science organizations than in other industries?
- What can be done to promote a more holistic approach?
- What types of controls can be implemented to improve confidentiality, integrity and availability of critical systems/data?

Cyber Health Study Findings Reveal:
- A 2014 study by BitSight Technologies examined the cyber health of S&P 500 companies
- 82% of companies experienced security breaches
- Healthcare and Life Science (HLS) companies ranked last
- HLS companies take more than 5 days to resolve incidents
- HLS companies spend only what is required to be compliant
- Compliance with regulations does not equate to full security!

Patient (ePHI) Data Breaches
[Chart: 2015 breach categories: Unauthorized Access, Hacking/IT Incident, Improper Disposal, Laptop Loss/Theft; counts as extracted from the chart: 51, 39, 43, 2]
Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Audit Findings Support Study Findings
Personal experiences:
- Initial focus is on computer validation and Part 11
- Individual systems are validated, but there is no holistic plan for information security
- Disconnect between system owners and IT
- Gaps between SOPs; overarching policies lacking
- Doing just enough to get through inspections

Information Security: Definition
- COBIT: Ensures that within the enterprise, information is protected against disclosure to unauthorized users, improper modification, and non-access when required.
- ISO 27001: Preservation of confidentiality, integrity and availability of information (CIA).
- NIST 800-53: Protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
- MHRA (data integrity): Extent to which all data are complete, consistent and accurate throughout the data lifecycle.

CIA is Referenced Throughout Regulations!
- 21 CFR Part 11: "employ procedures and controls designed to ensure authenticity, integrity and, as appropriate, confidentiality of electronic records"
- 21 CFR Part 211 Subpart J: "readily available for inspection"
- 21 CFR Part 211 Subpart D: "appropriate control"
- Both Part 211 subparts mention availability of records for inspection
- Part 11 Scope and Application guidance: security is still in scope
- MHRA Data Integrity Guidance: overarching data governance, data integrity controls

Additional Examples:
- 21 CFR Part 820: records "reasonably accessible"; "prevent loss"; records shall be backed up
- General Principles of Software Validation: calls for security requirements, design and test
- Computerized Systems Used in Clinical Trials: availability (ability to reconstruct the trial), prevent unauthorized access, data integrity
- 42 CFR Part 493 (CLIA): data is accurate and reliable

InfoSec has Benefits Beyond Compliance
Corrective actions can be costly and divert key resources:
- Patient safety issues
- Lawsuits
- Fines
- Facility closings
- Reduced production
- Financial (recall, negative PR, stock price decline)

Regulator Focus is Increasing
- Warning letter, 21 CFR 211.68(b) (1/2015): failed to exercise appropriate controls over computer systems
- Warning letter, API manufacturer (2/2015): no backup, audit trail turned off, raw data not secure
- Form 483, 21 CFR 211.68(b) (7/2014): lack of control on lab instruments to assure data integrity
- Form 483, 21 CFR 211.68(b) (5/2014): general login allows data to be deleted or modified

Security Framework Implementation Process
1. Identify and classify data
2. Identify applicable regulations
3. Set general principles for information security (security objectives)
4. Perform risk assessment / existing control review / identify gaps
5. Implement controls
6. Monitor
Scale the framework to the complexity of operations and risk.

Framework Consists of Controlled Documents
Document hierarchy, with an availability example at each level:
- Core Objectives: Availability
- Policies: Business Continuity
- SOPs: Backup/Restore
- Work Instructions: Tape Rotation
- Forms/Checklists: Backup Log
Supporting processes: Review, Document Control, Training, Internal Auditing

Core Objectives Have Multiple Inputs
Inputs feeding the core objectives: Manage Risk, Monitoring and Improvement, User Needs, Data Classification/Regulations, Manage Costs.

Data Can Be Classified Using a Checklist Approach
- Identify applicable regulations
- Inventory systems (regulated vs. not)
- Develop a checklist based on the regulations, using simple questions (e.g. "Does the system contain adverse event data?")
- Have system owners complete and approve the checklist
- Assemble the information into a living table

General Risk Assessment Approach
- Identify: risk scenarios
- Analyze: effectiveness of current controls
- Evaluate: severity, probability, detectability
- Treat/Control: additional controls
Breach categories are an excellent starting point for Identify-phase discussions.

Controls are Important for Each Phase of Data Lifecycle
Lifecycle phases: Create, Store, Retrieve/Modify, Archive, Destroy
Example controls across the lifecycle: Application Security, Training, User SOP, Encryption at rest, Physical Security, Logical Security, Anti-Virus SW, Environmental Controls, OS patching, Intrusion Prevention System, Checksum, Firewall, Encryption in transit, VPN, Network Security, Access Forms, Disaster Recovery, Backup/Restore, Audit Trails, Data Migration Plan, Restore Testing, Hardware Maintenance, Patching, Outsourced destruction, Change Management
Think CIA: Confidentiality, Integrity and Availability.

...and as Data Flows Through Hardware and Networks
- Individual programs are validated, but gaps remain throughout the data flow
- Data typically flows through more than one system
- Chain of custody is lacking
- Map the data flow as part of the risk assessment
- Assign a data owner
- CSV policy, templates, education, accountability

Gaps Can Be More Easily Identified When Mapping Flow
Example flow: Laboratory Instrument -> Excel -> Emailed -> SAS -> Cloud
Infrastructure the data passes through: Local Hard Drive, Network Drive, Mail Server, Personal Computer, Third Party
Controls should be considered and implemented as warranted throughout the flow.
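The "chain of custody lacking" gap on the previous slide is easiest to see when each hop in the mapped flow records a checksum of what it received. The following is an added example, not code from the presentation or from Azzur Consulting: it keeps a small custody manifest for a file as it moves through the slide's example flow and reports the hop at which the content changed. The hop names, the owner roles, the sample result file and the manifest layout are all constructed for this example.

```python
"""Chain-of-custody integrity check across a multi-hop data flow.

Added example (not from the presentation): each hop that handles a
regulated file records a SHA-256 checksum, and a verifier replays the
manifest to find the hop at which the content changed. Hop names follow
the slide's example flow (instrument -> Excel -> e-mail -> SAS -> cloud);
the file contents and the manifest format are constructed for this example.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class CustodyRecord:
    hop: str          # system that handled the data (from the slide's flow map)
    owner: str        # accountable data owner / operator at that hop
    sha256: str       # checksum of the data as received at this hop
    recorded_at: str  # ISO-8601 UTC timestamp


def checksum(data: bytes) -> str:
    """Return the hex SHA-256 digest of the data content."""
    return hashlib.sha256(data).hexdigest()


def record_hop(manifest: list, hop: str, owner: str, data: bytes) -> CustodyRecord:
    """Append a custody record for the data as it arrives at a hop."""
    rec = CustodyRecord(hop, owner, checksum(data),
                        datetime.now(timezone.utc).isoformat())
    manifest.append(rec)
    return rec


def verify_chain(manifest: list) -> list:
    """Return (previous hop, current hop) pairs where the checksum changed.

    An empty list means the content was unchanged end to end. A non-empty
    list pinpoints where a review (or a deviation record) should start.
    """
    breaks = []
    for prev, cur in zip(manifest, manifest[1:]):
        if cur.sha256 != prev.sha256:
            breaks.append((prev.hop, cur.hop))
    return breaks


def demo() -> list:
    """Constructed walk-through of the slide's flow with one silent edit."""
    # Constructed sample result file; a real one would be an instrument export.
    raw = b"sample_id,assay,result\nS-001,HPLC,98.7\nS-002,HPLC,101.2\n"
    manifest: list = []
    record_hop(manifest, "laboratory_instrument", "lab_analyst", raw)
    record_hop(manifest, "excel_on_local_drive", "lab_analyst", raw)
    # Hop 3: the file is edited before it is e-mailed; the checksum changes.
    edited = raw.replace(b"98.7", b"99.7")
    record_hop(manifest, "mail_server", "lab_analyst", edited)
    record_hop(manifest, "sas_on_network_drive", "biostatistician", edited)
    record_hop(manifest, "cloud_third_party", "vendor", edited)
    return verify_chain(manifest)


if __name__ == "__main__":
    for src, dst in demo():
        print(f"integrity break between {src} and {dst}")
```

The manifest only tells you where the content changed, not whether the change was authorized; that is what the audit trail and the assigned data owner on the previous slide are for. Storing the manifest somewhere the hops themselves cannot rewrite (a separate controlled log) is what turns the checksum into an integrity control rather than a convenience.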

Types of Controls
- Administrative: risk assessment, access forms, maintenance checklists
- Technical: application security, network monitoring, firewall, encryption
- Physical: tiered security, physical locks, badge readers, biometric scanner

Use Typical Scenarios to Initiate Risk Assessment Process
- Natural disaster: earthquake, fire, flood, hurricane
- Denial of service, malware, virus
- Data loss/corruption, hardware/tape failure
- Malicious employee
- Lost card key
- Lost device/backup tapes
- Password sharing
- Employee leaves company but still has access

Specific Scenarios Help Identify Many Controls
Scenario 1: Prolonged power outage
Controls: diesel generator, battery backup, periodic testing of generator/batteries, checklists, environmental monitoring
Scenario 2: Unauthorized access
Controls: network monitoring, intrusion prevention, firewall, security patching process, third-party penetration testing, incident reporting procedure, anti-virus software, access controls procedure, user training
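The classification checklist, the Identify/Analyze/Evaluate/Treat sequence and the scenario slides above fit together as one small risk register. The block below is an added example, not the presenter's own tool: it derives a criticality from a system owner's checklist answers, scores each scenario as severity x probability x detectability (an FMEA-style priority number, which is an assumption about how the presenter scores), discounts it by the effectiveness of the controls already in place, and decides which scenarios need additional controls. The checklist questions, the scores, the control-effectiveness figures and the treatment threshold are all constructed for the example.

```python
"""Risk register that scores scenarios and decides which need treatment.

Added example, not the presentation's own tool. It implements the slide's
Identify -> Analyze -> Evaluate -> Treat/Control sequence with a severity x
probability x detectability score (an FMEA-style risk priority number,
an assumption about how the presenter would score). Data criticality comes
from the checklist classification of the affected system, and the
scenarios are the ones listed on the slides; all numbers are constructed.
"""
from dataclasses import dataclass, field

# Step 1 (classify data): checklist questions a system owner answers yes/no.
# The questions are constructed; real ones come from the applicable regulations.
CHECKLIST = ("adverse_event_data", "ephi", "gxp_batch_records")


def classify_system(answers: dict) -> int:
    """Return criticality 1 (low) to 3 (high) from checklist answers."""
    hits = sum(1 for q in CHECKLIST if answers.get(q, False))
    return 3 if hits >= 2 else 2 if hits == 1 else 1


@dataclass
class Scenario:
    name: str
    system: str
    severity: int        # 1-5 impact if the scenario occurs
    probability: int     # 1-5 likelihood
    detectability: int   # 1 = detected immediately, 5 = would go unnoticed
    current_controls: list = field(default_factory=list)
    control_effectiveness: float = 0.0  # 0 (none) to 1 (fully mitigates)


def residual_score(s: Scenario, criticality: int) -> float:
    """Analyze/Evaluate: inherent S*P*D weighted by data criticality,
    reduced by how effective the existing controls are."""
    inherent = s.severity * s.probability * s.detectability * criticality
    return inherent * (1.0 - s.control_effectiveness)


def treat(register: list, systems: dict, threshold: float) -> list:
    """Treat/Control: return (scenario, residual score, action), highest first."""
    rows = []
    for s in register:
        crit = classify_system(systems[s.system])
        score = residual_score(s, crit)
        action = "treat: add controls" if score > threshold else "accept: monitor"
        rows.append((s.name, round(score, 1), action))
    return sorted(rows, key=lambda r: r[1], reverse=True)


def demo() -> list:
    """Constructed inventory and scenarios drawn from the slides."""
    systems = {
        "LIMS": {"adverse_event_data": False, "ephi": False, "gxp_batch_records": True},
        "safety_db": {"adverse_event_data": True, "ephi": True, "gxp_batch_records": False},
    }
    register = [
        Scenario("Prolonged power outage", "LIMS", 4, 2, 1,
                 ["diesel generator", "battery backup", "periodic testing"], 0.8),
        Scenario("Unauthorized access", "safety_db", 5, 3, 4,
                 ["firewall", "anti-virus"], 0.3),
        Scenario("Employee leaves but still has access", "LIMS", 4, 3, 4, [], 0.0),
    ]
    return treat(register, systems, threshold=40.0)


if __name__ == "__main__":
    for name, score, action in demo():
        print(f"{score:6.1f}  {name}: {action}")
```

The ordering is the useful output: it tells the team which scenario to discuss first and which existing-control assumptions (the effectiveness figures) deserve an audit, since an optimistic effectiveness value is the easiest way for a real risk to drop below the threshold.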

Related Controls Should be Grouped Into Procedures
- Start with a generic SOP list; no need to reinvent the wheel
- COBIT, ISO 27001, NIST 800-53 and FedRAMP are excellent references
- Tie SOPs back to a policy
- Scale and merge content according to risk and data criticality
Example SOPs: Vendor Management, Logical Security, Incident Handling, Change Control, Physical Security, Visitor Policy

Control Rigor Does Not Decrease With Outsourcing
- The requirement for strong controls does not go away
- Vendor audit program
- Service Level Agreement (SLA)
- SOP coverage: change management, incident reporting, patching (SaaS), validation

Risk Management / Control Monitoring
- Periodic internal/supplier auditing
- Review change requests
- Review the risk assessment against: help desk tickets, user accounts, maintenance records, regulation changes, SOPs
- Review data classification/criticality
- Vendor updates, patches, etc.
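The "user accounts" item in this review is where two earlier scenarios get caught: the employee who left but still has access, and the general login that a Form 483 cited because it let data be deleted or modified without attribution. The following added example, not part of the presentation, reconciles an application's account export against the HR roster and flags leaver accounts, generic/shared logins and dormant accounts. The field names, the dormancy threshold, the list of generic usernames and every record are constructed for the example.

```python
"""Periodic user-account review for the control-monitoring step.

Added example (not from the presentation). It reconciles an application's
account export against the HR roster and flags three of the slide deck's
scenarios: employees who left but still have access, generic/shared
logins (the 483 finding on the earlier slide), and dormant accounts.
Field names and all records are constructed for the example.
"""
from datetime import date, timedelta

DORMANT_DAYS = 90                                        # assumed review threshold
GENERIC_NAMES = {"admin", "lab", "qc", "guest", "operator"}  # assumed patterns


def review_accounts(accounts: list, hr_roster: dict, today: date) -> list:
    """Return (username, finding) pairs that need action.

    accounts:  dicts with username, employee_id (None for non-personal
               logins), enabled (bool) and last_login (date or None).
    hr_roster: employee_id -> status ("active" or "terminated").
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: out of scope for this review
        user, emp = acct["username"], acct["employee_id"]
        # Generic logins cannot be tied to a person, so the audit trail
        # cannot say who changed the data.
        if emp is None or user.lower() in GENERIC_NAMES:
            findings.append((user, "generic/shared login: not attributable to a person"))
            continue
        status = hr_roster.get(emp)
        if status != "active":
            findings.append((user, f"owner {emp!r} is {status or 'unknown'} in HR: disable"))
            continue
        last = acct["last_login"]
        if last is None or (today - last).days > DORMANT_DAYS:
            findings.append((user, f"dormant: no login in {DORMANT_DAYS} days"))
    return findings


def demo() -> list:
    """Constructed account export and HR roster."""
    today = date(2018, 6, 1)  # constructed review date
    accounts = [
        {"username": "jsmith", "employee_id": "E100", "enabled": True,
         "last_login": today - timedelta(days=3)},
        {"username": "mjones", "employee_id": "E200", "enabled": True,
         "last_login": today - timedelta(days=40)},
        {"username": "lab", "employee_id": None, "enabled": True,
         "last_login": today},
        {"username": "kwong", "employee_id": "E300", "enabled": True,
         "last_login": today - timedelta(days=200)},
        {"username": "oldtmp", "employee_id": "E400", "enabled": False,
         "last_login": None},
    ]
    hr = {"E100": "active", "E200": "terminated", "E300": "active"}
    return review_accounts(accounts, hr, today)


if __name__ == "__main__":
    for user, finding in demo():
        print(f"{user}: {finding}")
```

An employee missing from the HR roster entirely is reported the same way as a terminated one, because an account with no identifiable owner is exactly the gap the review exists to close; the findings list is what the access-controls SOP should require to be actioned and signed off each cycle.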

Summary
- Utilize a top-down approach: start with the organization's security objectives and risks
- No need to start with a blank piece of paper; plenty of information is available to get the risk assessment started
- Classify data based on criticality
- Translate controls into actionable SOPs
- Monitoring is key to maintaining compliance AND improving efficiency
- Complying with regulations does not necessarily close all gaps

Agenda (review)
- Why is information security generally less mature in Health and Life Science organizations than in other industries?
- What can be done to promote a more holistic approach?
- What types of controls can be implemented to improve confidentiality, integrity and availability of critical systems/data?
Jason will elaborate on technical controls.

Thank You!
Contact Information: Doug Shaw, CISA, CRISC, doug.shaw@azzur.com, 610.741.5631