New regulatory guidance for health insurers

June 2, 2015

The National Association of Insurance Commissioners recently released “guidance” on cybersecurity. Here's what healthcare executives should know.

The National Association of Insurance Commissioners has followed on the heels of the U.S. Securities and Exchange Commission and in April issued “guidance” on cybersecurity.

The "Principles for Effective Cybersecurity: Insurance Regulatory Guidance" looks to state insurance regulators “to ensure that personally identifiable consumer information held by insurers, producers and other regulated entities is protected from cybersecurity risks.”

The guidance encourages insurers, agencies and producers to secure data and maintain security with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework. The NIST framework provides guidance on managing and reducing cybersecurity risk for organizations of all sizes, putting them in a much better position to identify and detect attacks, as well as to respond to them, minimizing damage and impact.


The NIST Framework is organized around five functions, each divided into categories and subcategories that map to standards, guidelines and best practices. The framework helps organizations manage the personnel, devices and systems that enable the organization to conduct business while managing risk.

The NIST framework draws on the work of other security organizations, such as the SANS Institute and ISACA.

A cybersecurity framework can be divided into three parts:
• The framework core
• The current and target risk profiles
• The implementation tiers

The framework core consists of five functions: identify, protect, detect, respond, and recover.  Each of those functions has categories and subcategories.

Once you have identified your assets that need to be secured, you can implement access controls to protect them. However, no protection is failsafe. So you must be able to detect anomalous activities that could signify the presence of an attacker in your network.

That’s why monitoring networks and endpoints is of the utmost importance. The quicker you get attackers out, the less information they can obtain and the cheaper it is to clean up the mess they left behind.

To respond effectively, you need to already have an incident response plan in place. To recover quickly from an incident, you need to have disaster recovery, business continuity, and incident response plans maintained and regularly tested to ensure they will be effective in the event of an actual incident.

Current and target risk profiles enable organizations to align and improve cybersecurity practices based on their individual business needs, tolerance for risk, and available resources. A risk profile evaluates the level of risk a business is willing to take, similar to an investment risk profile.

A healthcare facility needs to look at all the business activities it currently does and would like to do and rank the riskiness of each action. For example, a healthcare facility may want to provide Internet access to its patients and customers. However, if those people were to connect through the corporate network, they might be able to reach internal systems, which could be highly risky, probably about a Level 5 risk on a risk scale of 1 to 5. If the facility does not offer that Internet access to patients, they might go to another facility that does offer Internet access so they can conduct work while waiting to see a doctor. A healthcare company needs to gauge how important it is to the business to allow certain activities to be conducted and how risky those activities are.

These things are best discussed with a cybersecurity consultant who understands a healthcare company’s needs and risks. The consultant could advise the company on the best ways to continue to allow activities that are needed for the business. For example, there is a way to offer Internet service to patients and guests without that service connecting to the corporate network.

Another example of looking at the risks involved in each business activity would be looking at the ways physicians are accessing the network on their mobile devices. There is a big risk associated with that because if the device is lost or stolen, patient information could be found on the device. However, since physicians may need access to that information even when they are outside of their offices to treat patients in emergencies, most facilities allow a connection to the healthcare facility’s network.

Once healthcare facilities are aware of the risks involved in conducting daily business activities, management can decide how necessary it is to take precautions to lessen the risk. This risk profile helps management address cybersecurity risk in a cost-effective way.

The implementation tiers are the part of the framework that provides the context organizations need to understand how their current cybersecurity risk-management capabilities stack up against the characteristics described by the NIST Framework. This is the stage in which a healthcare organization lists its current risk-management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.

For example, a healthcare organization should understand the threats that are most relevant to it, which would include attackers that use malware and other tactics to obtain protected health information (PHI) and personally identifiable information (PII). The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor and sophistication in cybersecurity risk-management practices.

Tier 1 is the level at which an organization has limited awareness of cybersecurity risk and manages it in an ad hoc fashion. At Tier 2, cybersecurity activities have been approved by management but they aren’t implemented company-wide. At Tier 3, risk management practices are formally approved and expressed as policy, and personnel have the skills to perform their roles. At Tier 4, organizations are constantly adapting their cybersecurity practices, continuously improving their cybersecurity technologies and practices.

While the NIST Framework language is easy to understand, assessing the network and making sure everything is being done is not easy. A cybersecurity consultant can assess the work your organization has begun and guide it on areas that need additional security.

Dell SecureWorks, a global information services security company, helps organizations of all sizes reduce risk, improve regulatory compliance and lower their IT security costs. Dan Bonnet is the director of small and medium business, North America, at Dell SecureWorks. He has held several roles in technology consulting and business process optimization. He holds a Bachelor of Science degree from Georgia Tech University and an MBA from Georgia State University.