ASSESSING THE BUSINESS
The purpose of the business assessment is to determine the relative importance of each component of the healthcare organization. Determining when a specific activity must be available is a key product of the business assessment. Ensuring the availability of a given activity has a cost: the more immediate the requirement to recover an activity, the higher the price. Thus, it is important to tailor solutions to a healthcare organization's needs. Most healthcare organizations prioritize their business processes and recovery timeframes to ramp up operations following a complete disruption to a facility or campus. The ability to stage a recovery is derived from the information obtained in the business assessment phase of planning. There are two components to a Business Assessment:
Risk Assessment, and
Business Impact Analysis (BIA)
The Risk Assessment is designed to evaluate existing exposures in the healthcare organization's environment, and the Business Impact Analysis assesses the potential business loss that could result from any event that interrupts major operational processes.
Risk assessment
A critical step in designing a comprehensive, viable, and valid disaster recovery plan is to conduct a risk assessment. The purpose is to identify threats and vulnerabilities, and to determine whether existing precautions and countermeasures are adequate to protect the healthcare organization's mission-critical data and assets as well as protected health information (PHI). The Risk Assessment is an evaluation of the exposures present in a healthcare organization's external and internal environment. Traditionally, the focus of a Risk Assessment has been physical threats, such as susceptibility to floods, hurricanes, tornadoes, power failure, etc. The risk assessment documents what mitigating steps have been taken to address these threats. Particularly in the healthcare environment, the issues are likely to be logical or information-driven as well as physical, including the threats of viruses, denial of service attacks and simple program bugs. This is not to minimize the importance of physical issues but to expand the scope of the analysis to include current and prevalent threats. The assessment must consider the current physical and technological security environment in order to determine areas of risk that threaten the ability to operate. Data and information exchange, internally and externally, among the healthcare organization's employees and business associates can present considerable privacy and data security issues. HIPAA compliance requirements underscore the need to identify and mitigate areas of vulnerability that have been either assumed or overlooked by management in the past. Risk mitigation strategies must be implemented to reduce the probability that vulnerabilities are exploited. A properly completed risk analysis should provide a complete overview of the healthcare organization's current security posture. For each threat that is relevant, there should be an identification of the preventive measures that are in place.
The issue then is to determine whether all foreseeable, realistic risks have been adequately addressed. Determining the degree to which risks are foreseeable is often a subjective decision. Fires are rare, but happen often enough that they must be considered foreseeable in all circumstances. Logical threats caused by hackers, misuse and error are so omnipresent that they must be considered no matter how strong the preventive measures. The following matrix can be used to step the analyst through potential exposures and the mitigating measures that could reduce the risk associated with each threat. While this matrix is the result of fifteen years of noting what various companies employ to mitigate risk, it should be used as a starting point to develop a matrix for the reader's organization.
Information Protection
Increasingly, healthcare organizations rely on their networks and systems. Viral outbreaks pose a threat to the business continuity of these healthcare organizations. Many of these healthcare organizations' firewalls are probed for vulnerabilities on a daily basis, which makes it likely that they will be victimized by a serious security incident at some time. To mitigate these risks, healthcare organizations need a comprehensive strategy comprising the following four components:
Protection in the form of focused IT security teams that are armed with the appropriate tools, rules of project (e.g., firewall policies), and management support.
Detection capabilities such as intrusion detection (IDS), tripwires, viral scanning, and net-mapping, which can be inserted into the infrastructure to detect malicious or unusual events.
Assessment capabilities that allow the IT security team to correlate incident information and assess whether or not they are significant incidents.
Response capabilities that limit the damage that can be caused by significant incidents.
Protection
Protection comes from knowing the vulnerabilities of the healthcare organization, knowing the applicable countermeasures to these threats, and implementing the appropriate controls. The members of the IT security team should be aware of the changing security environment. The IT security team must carry out environmental scanning of new threats and vulnerabilities. The team must remain aware of available countermeasure products, tools or software patches by reviewing paper media, internet news feeds, and peer networking. Continuous vulnerability analysis should be conducted on the healthcare organization's critical resources in order to maintain an effective security posture. The vulnerability analysis is designed to identify network vulnerabilities that result from the configuration of the operating system and network protocols.
Detection
Unusual or questionable events that are detected on the healthcare organization's networks, computers or information must be investigated. It is often difficult to determine whether a questionable event is symptomatic of an incident, because the evidence of a security incident can also be the evidence of a problem with system configuration, an untested application program, a hardware failure, or user error. Some of the indications of security incidents are as follows:
Unexplained new files or unfamiliar file names.
Unexplained modification or deletion of data.
Alarms set off by an intrusion detection tool.
Accounting discrepancies.
A large number of unsuccessful login attempts.
Attempts to gain unauthorized access to a system or its data.
Unexplained new user accounts.
Suspicious entries in system or network accounting.
Modifications to file lengths / dates.
Unexplained attempts to write to systems files or changes in system files.
Unusual time of usage.
The unauthorized use of a system for the processing or storage of data.
Denial of service or inability of one or more users to login to their account.
System crashes.
Programs being compiled under the account of a user who does not have any programming responsibility.
Poor system performance.
Unauthorized operation of a program or sniffer device to monitor network traffic.
Detection of the use of attack scanners.
Remote requests for information about systems and/or users.
Changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent.
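Several of the indicators above (a large number of unsuccessful login attempts, unexplained new user accounts, unusual time of usage) can be checked mechanically against authentication logs. The following is an added example, not code from the original text: it scans constructed Linux auth.log-style lines for those three indicators. The log lines, the hostname, the user names, the 5-failures-in-10-minutes threshold and the 07:00 to 19:00 business-hours window are all constructed assumptions, and the approved-account list stands in for whatever change record the organization actually keeps.

```python
"""Added example (not from the original text): flag three incident indicators
in constructed auth log lines. Sample lines, thresholds and names are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in Linux auth.log style (syslog omits the year).
SAMPLE_LOG = """\
Mar  3 02:14:01 hisweb sshd[2201]: Failed password for invalid user admin from 10.9.8.7 port 51122 ssh2
Mar  3 02:14:03 hisweb sshd[2201]: Failed password for invalid user admin from 10.9.8.7 port 51124 ssh2
Mar  3 02:14:05 hisweb sshd[2201]: Failed password for root from 10.9.8.7 port 51126 ssh2
Mar  3 02:14:06 hisweb sshd[2201]: Failed password for root from 10.9.8.7 port 51128 ssh2
Mar  3 02:14:08 hisweb sshd[2201]: Failed password for root from 10.9.8.7 port 51130 ssh2
Mar  3 02:14:09 hisweb sshd[2201]: Failed password for root from 10.9.8.7 port 51131 ssh2
Mar  3 02:15:30 hisweb sshd[2230]: Accepted password for jsmith from 192.168.4.20 port 40010 ssh2
Mar  3 02:16:02 hisweb useradd[2244]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup, shell=/bin/bash
Mar  3 09:00:11 hisweb sshd[2301]: Failed password for jsmith from 192.168.4.20 port 40100 ssh2
Mar  3 09:00:20 hisweb sshd[2301]: Accepted password for jsmith from 192.168.4.20 port 40102 ssh2
"""

TS = r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
FAILED_RE = re.compile(TS + r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(TS + r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")
NEWUSER_RE = re.compile(TS + r"useradd\[\d+\]: new user: name=([^,]+)")


def _ts(stamp, year=2024):
    """Parse a syslog timestamp; the year is assumed because syslog omits it."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def failed_login_bursts(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: peak_count} for sources whose failed logins inside
    any sliding window reach the threshold (the 'many unsuccessful login
    attempts' indicator)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events[m.group(3)].append(_ts(m.group(1)))
    alerts = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


def unexpected_accounts(log_text, approved):
    """Return accounts created by useradd that are absent from the approved
    change list (the 'unexplained new user accounts' indicator)."""
    return [m.group(2) for m in map(NEWUSER_RE.match, log_text.splitlines())
            if m and m.group(2) not in approved]


def off_hours_logins(log_text, start_hour=7, end_hour=19):
    """Return (user, ip, hour) for successful logins outside business hours
    (the 'unusual time of usage' indicator). Hours are assumed values."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            hour = _ts(m.group(1)).hour
            if hour < start_hour or hour >= end_hour:
                hits.append((m.group(2), m.group(3), hour))
    return hits


if __name__ == "__main__":
    print("failed-login bursts:", failed_login_bursts(SAMPLE_LOG))
    print("unexpected accounts:", unexpected_accounts(SAMPLE_LOG, {"jsmith"}))
    print("off-hours logins:", off_hours_logins(SAMPLE_LOG))
```

Each hit is only an indication, as the text says: the burst from 10.9.8.7 may be a misconfigured monitoring host, and the 02:15 login may be an on-call administrator. The point of encoding the indicators is that every such event is surfaced for investigation rather than left in a log nobody reads.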
Response
Procedures need to be developed that respond to incidents as they occur. The procedure may involve working with the affected business unit to determine the cause of the incident and help them become secure again, or it may involve finding a solution to a vulnerability that is actively being exploited. Reactive response involves three stages: containment, eradication and recovery, followed by a post-incident analysis. There are a number of strategies that can be employed to limit the effects of unwanted intrusions:
In order to detect intrusions, Intrusion Detection Systems (IDS) can be deployed at strategic points throughout the healthcare organization's IT architecture. The IDS looks for known patterns of misuse or suspected attacks then automatically notifies the designated staff member(s) via email, pager or cell phone.
Decoys or "honey pots" can be deployed to distract any potential attackers until their activities can be detected and dealt with. Such a decoy should lure attackers away from more sensitive hosts. These are heavily instrumented hosts so they provide many alarms and logs of activities that touch them.
File integrity can be established by applying calculations to file contents and deriving coded values that are stored separately. If it is suspected that someone has altered critical system files, these stored check values can be compared to newly calculated values for the files.
Viral scanning software is essential for any IT system. Possible variations of viral attacks make it a challenge to minimize the window of exposure between the release of a new variant and the installation of the latest detective database.
The task of assessing incidents is made less difficult when there is a current map of the networks and their peripheral devices. Without this it is hard to determine where an attack may have come from and what systems may be impacted.
Desktop technologies have been developed to deal with the downloading of active, malicious code. Trojan code embedded within an application can access and pass information about you or your system back to some collection site. These technologies, or "sandboxes", try to impose restrictive controls on suspect code by sensing and stopping improper activities.
Containment
The IT security team needs to limit the scope and magnitude of an incident. They must first decide what to do with critical information and/or computer resources. They must then decide whether to shut down the system entirely, disconnect from the network, or allow the system to continue to run so that additional suspect activity can be monitored.
Eradication
Eradicating the cause of the incident is accomplished using established procedures and the appropriate tools. For a viral infection, eradication is accomplished by using virus-scanning software that will remove the virus from the information storage media. Vulnerable ports of entry should be closed, indications of changed system files, hidden files or new ID files need to be recorded, and backups of log files prior to removal of malicious modifications or reloads to the operating system need to be made.
Recovery
Recovery involves restoring the system to its normal operational status. The length of the recovery process may be short, as in the case of a virus, or lengthy as in the case of an intruder that may have modified data or software files.
Post Incident
After the incident is over, there needs to be a follow-up process to determine how the virus entered the enterprise or the entry point used by an intruder to gain unauthorized access. A follow-up report should be used to update policies and procedures used by the healthcare organization.