BreachExchange mailing list archives

Want to reduce security risks? Assess near misses


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 6 Nov 2014 19:56:24 -0700

http://www.govhealthit.com/news/want-reduce-security-risks-assess-breach-near-misses

Life is full of “near misses”: the rear-end collision that didn’t happen,
the chest pain that wasn’t a heart attack, the time your child stumbled but
didn’t fall. Healthcare organizations also experience their own near
misses; that is, they have hundreds, even thousands, of privacy or security
incidents involving PHI/PII that never become data breaches.

But there are lessons to be learned from these near misses — they are a
treasure trove of information that most CISOs or privacy officers may not
be mining to identify their future security vulnerabilities.

In an article in CIO Insight, “Security strategies must be integrated,” the
author notes that one of “security’s primary aims is to prevent negative
incidents” since it is “almost impossible for organizations to avoid such
events.” He says that without a proper analysis of negative incidents —
these near misses — that an organization may “not spend money where it’s
most needed to reduce the odds of a major data breach or other security
incident.” In other words, to reduce data breach risks, an organization
needs to look at the incidents that might have been data breaches.

Consistent incident assessment: secret weapon for reducing risk
Under the Breach Notification Final Rule, covered entities must perform an
incident risk assessment for every privacy or security incident involving
unsecured PHI based on the new compromise standard. Not only that, the
methodology used to do these assessments must be consistent from incident
to incident.

“Each incident’s risk assessment will be fact-specific, but the manner in
which you analyze the four [compromise] factors must be the same,” says
Sophia Collaros, chief privacy officer at the University of New Mexico
Health Sciences Center.

This consistent or “operational” process for incident assessments is a
powerful tool for reducing breach risk. Using a two-step process,
organizations can first identify risks, and second, use that information to
allocate resources for managing those risks.

1. Analyze trends and identify root causes. Every incident, breach or not,
is put through the incident assessment process, which allows CISOs or
privacy officers to view all incidents in a consistent way. They can
identify trends — a pattern of behavior, a specific threat actor, or
technology weakness — that can be the root cause of data incidents. For
example, they could discover how many incidents originated in a hospital in
Boise, or a cloud provider in Topeka, or how many were insider-caused, or
how many were malicious. This provides a more accurate view of probable
risk to their organizations.

“We ‘scrubbed’ last-year’s events that were escalated to discover root
causes,” one CISO said in a recent whitepaper co-developed with the CISO
Executive Network. “In addition, we are expanding our definition of
operational incidents beyond those that involve data to include business or
IT. We need to analyze these incidents from an operational perspective for
root causes.”

2. Make sound risk management investments. The compliance counsel for a
financial holding company said that “a true measure to [compliance] success
for us is mitigation and corrective action. We track reoccurring issues in
[our] software with customized fields of root causes that identify people,
process systems, and root-cause departments — in essence, how an incident
happened. We can see patterns of issues, and refresh our training and
education in these problem areas.”
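As an added illustration (not part of the article or any product it mentions), the two-step process can be modelled in a few lines of Python: one assessment function applied identically to every incident, built on the four compromise factors of the Breach Notification Rule (nature and extent of the PHI, the unauthorized recipient, whether the PHI was actually acquired or viewed, and the extent of mitigation), followed by a roll-up by root cause, site and actor type that ranks where to spend. The weights, the threshold, the sites, departments and sample incidents are all assumed or constructed here.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Incident:
    id: str
    site: str
    root_cause: str        # people / process / systems, as in the article's tagging
    department: str
    insider: bool
    malicious: bool
    phi_sensitivity: int   # factor 1: nature/extent of PHI, 0 (minimal) .. 3 (diagnoses, SSNs)
    recipient_bound: bool  # factor 2: recipient is itself under HIPAA obligations
    viewed: bool           # factor 3: PHI actually acquired or viewed
    mitigated: bool        # factor 4: risk mitigated, e.g. attested destruction

def assess(inc: Incident) -> str:
    """The same four-factor weighting for every incident (weights are assumed)."""
    score = inc.phi_sensitivity
    score += 0 if inc.recipient_bound else 2
    score += 2 if inc.viewed else 0
    score -= 2 if inc.mitigated else 0
    return "low" if score <= 2 else "breach-likely"  # "low" = low probability of compromise

def root_cause_trends(incidents):
    """Step 1: tally every incident, breach or not, along the same dimensions."""
    dims = {"root_cause": Counter(), "site": Counter(),
            "insider": Counter(), "malicious": Counter()}
    for inc in incidents:
        for dim, counter in dims.items():
            counter[getattr(inc, dim)] += 1
    return dims

def investment_priority(incidents):
    """Step 2: rank root causes by how often they produced a likely breach."""
    likely = Counter(inc.root_cause for inc in incidents
                     if assess(inc) == "breach-likely")
    return [cause for cause, _ in likely.most_common()]

# Constructed sample incidents (hypothetical sites, departments and facts).
INCIDENTS = [
    Incident("I-1", "Boise", "people", "ED", True, False, 3, True, False, True),      # fax to another provider, destroyed
    Incident("I-2", "Boise", "people", "Billing", True, False, 2, False, True, False), # statement mailed to wrong patient
    Incident("I-3", "Topeka", "systems", "IT", False, True, 3, False, True, False),   # cloud provider reported unauthorized access
    Incident("I-4", "Boise", "process", "HIM", True, False, 1, True, False, True),    # records sent to wrong clinic, returned
    Incident("I-5", "Boise", "people", "Nursing", True, True, 3, True, True, False),  # workforce member viewed a chart without need
]
```

Running `root_cause_trends(INCIDENTS)` and `investment_priority(INCIDENTS)` shows that four of the five incidents were insider-caused and that "people" root causes produced the most likely breaches, which is the kind of evidence the article says belongs in front of the board.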

We have a lot of evidence that preventative controls alone are not
sufficient to mitigate risks and that we must begin to allocate more
resources to incident response. This ability to analyze trends and
identify root causes enables CISOs to focus security efforts and
investments on high-risk areas or causes. They can accurately communicate
these risks and recommendations to the board and other top management in a
dollar-and-sense kind of way. It provides immutable, understandable
evidence for where to best allocate risk management dollars.

Reduce — not eliminate — risk
Despite our best efforts, car accidents happen, people suffer heart
attacks, and our children do fall. The same is true for privacy and
security incidents. Most incidents will not, thankfully, turn into data
breaches.

Consistent incident assessments can further reduce the likelihood of data
breaches, and the costly risks they pose to healthcare organizations and
their patients.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss