BreachExchange mailing list archives
Three steps to help manage security alert overload
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 25 Jan 2016 17:12:00 -0700
http://www.beckershospitalreview.com/healthcare-information-technology/three-steps-to-help-manage-security-alert-overload.html

How many security alerts does your healthcare organization generate every day? One hundred? One thousand? More? These numbers are not unusual. It's also not unusual for healthcare organizations to have a single investigator responsible for patient privacy violations – one who is likely overworked and overwhelmed.

Take the lower end of the spectrum: say you have 100 security alerts per day. Then, assume you have one investigator, who can handle an average of fifty security alerts per day. That leaves 50 security alerts unaddressed every day. Is it any wonder that cyber crimes cost healthcare organizations an average of $2.1M a year? [1] There are simply too many alerts to handle!

The two biggest culprits driving security alert volume for healthcare organizations are web-based attacks and malicious insiders. [1] But since most hospitals cannot hire dozens of investigators to examine each and every one of these alerts, what can be done?

Where Are All the Alerts Coming From?

When it comes to unauthorized data access, there are three main tools that generate alerts:

1. Rules pinpoint known patterns of suspicious behavior with speed and efficiency. Rules are static in nature and can work with limited data points.
2. Profiling identifies abnormal behavior for an employee based on their past behavior or the behavior of those in similar roles.
3. Advanced Analytics (e.g., predictive models, scoring) extrapolate questionable behavior from multiple data points and trending information. Advanced analytics are adaptive in nature and require a large volume of data points.

Reduce Alert Volume

The first step to reducing the ever-increasing volume of security alerts is to focus on patient risk. When you strip everything else away, that is what alerts are all about: they represent potential risk to your organization but, more importantly, to your patients.
A patient risk mindset takes into consideration such factors as:

• The amount of trust lost from your patients
• The negative impact on your organization's reputation
• Compliance and legal ramifications
• The effect on your organization's competitive position

Having adopted a patient risk mindset, you need to put in place a filter to determine the risk category for each alert. This is done via a scoring system that evaluates the potential likelihood of a privacy data breach for a given event (e.g., does it represent a 5% or a 90% chance of a privacy violation?) and the potential magnitude of a breach for a given event.

Magnitude relates to the fact that not all alerts are created equal. An alert that signifies a potential theft of 100 patient records is more important than one that indicates a potential theft of 5. An unauthorized perusal of a celebrity's account – where the information might be leaked to news-hungry media agents – carries more weight than an employee conniving a look at a friend's patient record.

A filter and scoring system, therefore, helps narrow down the number of alerts generated, and prioritizes high-risk transactions that have a significant likelihood of actually being a privacy violation. It is critical to understand, however, that the accuracy of such a scoring system, and its efficacy in reducing the number of false-positive alerts, is increased by connecting the dots across applications, systems, networks, and log files and correlating across multiple channels to reveal risky patterns. Patient security is like a puzzle: many pieces fit together to form a single picture. For that reason, if a risk score is assigned based solely on the information from one application interaction or data set, it may not reflect the true risk involved. In detecting patient privacy violations, a combination of data points is much more than the sum of its parts.
Segment Alerts to Prioritize Actions

Suppose you have determined that your investigator can handle 50 alerts a day. How do you decide which 50 get reviewed? There is one more necessary step: segmenting alerts by category.

Without segmentation, you might simply take the "top 10" alerts based on their risk score. The problem is that some alerts which deserve your attention may not make your "top 10" list. For instance, what if an alert signifying unauthorized access to a patient record is buried farther down the list?

Segmenting allows you to prioritize certain types of alerts over others (e.g., VIP Snooping alerts over Working After Hours alerts) to appropriately address patient risk. You may want your investigator to review every alert from one category but only the top 10% from another. By evaluating the patient risk associated with each segment and combining that information with the risk scores for the alerts themselves, you can determine which alerts should claim priority processing each day.

Viewing alerts in this way helps investigators move away from asking, "How fast can I process this mountain of alerts?" to inquire instead, "Where is my time best spent to protect the interests of the patient and the organization?"

Get More from Your Investigators

Scoring and prioritization help investigators focus on the most important alerts – but is it possible to actually increase the number of alerts investigators can handle in a given day? After all, if an investigator can review 200 alerts instead of 50, your organization's risk profile is enhanced. With the right tools and processes, the answer is "Yes."

For instance, consider the skill, complexity, and time involved in a typical patient privacy data breach investigation. An investigator needs to understand what different data points mean, identify the important pieces of data for a given alert, cross-check other systems for confirmation, establish connections between various data points, etc.
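The scoring and segmentation steps described above, worked through as an added Python example that is not part of the original article or of any product it refers to. The category names, the per-segment review fractions, the way per-channel likelihoods are correlated (probability that at least one channel is right) and the sample alerts are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from math import ceil, prod

# Constructed policy (assumption): share of each segment reviewed every day.
# 1.0 = review every alert in that category, 0.1 = only the top 10% by score.
REVIEW_FRACTION = {"vip_snooping": 1.0, "unauthorized_access": 0.5,
                   "working_after_hours": 0.1}


@dataclass
class Alert:
    alert_id: str
    category: str
    evidence: tuple       # per-channel likelihood estimates (EHR log, badge, VPN...)
    records_at_risk: int  # magnitude: how many patient records the event touches

    def likelihood(self) -> float:
        """Correlate channels: probability that at least one signal is genuine."""
        return 1.0 - prod(1.0 - p for p in self.evidence)

    def risk_score(self) -> float:
        """Likelihood x magnitude, the two factors the article's filter weighs."""
        return self.likelihood() * self.records_at_risk

def triage(alerts, capacity):
    """Ids an investigator with `capacity` reviews today: each segment's mandated
    share first (riskiest first), then the riskiest leftovers from any segment."""
    by_cat = {}
    for a in alerts:
        by_cat.setdefault(a.category, []).append(a)
    mandated, leftover = [], []
    for cat, group in by_cat.items():
        group.sort(key=Alert.risk_score, reverse=True)
        n = ceil(REVIEW_FRACTION.get(cat, 0.0) * len(group))
        mandated += group[:n]
        leftover += group[n:]
    mandated.sort(key=Alert.risk_score, reverse=True)
    chosen = mandated[:capacity]  # if mandates alone exceed capacity, keep the riskiest
    leftover.sort(key=Alert.risk_score, reverse=True)
    chosen += leftover[:capacity - len(chosen)]
    return [a.alert_id for a in chosen]

def sample_day():
    """Constructed alerts for one day (illustrative, not real data)."""
    return [
        Alert("a1", "vip_snooping", (0.3, 0.4), 1),
        Alert("a2", "unauthorized_access", (0.9,), 100),
        Alert("a3", "unauthorized_access", (0.2, 0.2, 0.2), 5),
        Alert("a4", "working_after_hours", (0.05,), 1),
        Alert("a5", "working_after_hours", (0.6,), 3),
    ]
```

With a capacity of 3, a plain top-3 by score would pick a2, a3 and a5 and bury the VIP snooping alert a1; the segmented triage picks a2, a5 and a1 because its category mandates full review.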
But what if you could give your investigator a tool that would consolidate information (alleviating the need to maneuver between multiple systems) and contextualize information (giving meaning to bare data points)? By placing all the information an investigator requires at their fingertips, they would have a complete picture of the situation – significantly increasing the speed and accuracy of investigations.

The right tool can also speed alert handling by managing workflow. An investigation may need to follow a compliance process or have input across multiple departments – from Human Resources, Legal, or Finance, for example. But when the investigator transfers the file to the next person, it can be effectively "lost in transit." A good workflow tool will track each case from initiation to conclusion, sending reminders when necessary to keep the file moving, and providing management with complete visibility into the caseload.

Search capabilities are another critical tool for investigators. For instance, an investigator may know that a privacy violation has been perpetrated on a certain patient record, but not know how or by whom. A solution that has a Google-like search will help them quickly find what they are looking for, while screen-by-screen replay will then give them visibility into every activity that has taken place for that patient record, along with who performed the activity, step by step. They can then determine if a single employee was involved in the violation, or if two or more people were acting in collusion.

Lower Your Organization's Risk Profile & Increase Patient Privacy

Managing security alerts effectively is critical as you seek to protect your patients' privacy and your organization's reputation and compliance position.
By translating security alerts into patient risk and appropriately scoring, categorizing, and segmenting them, you can identify the top priorities for your investigation team, focusing their attention and concentrating their efforts where it will have the greatest impact on your company's risk profile. This, coupled with tools that can shorten case cycle time and improve the quality of investigations, will enable you to manage security alerts about your patients' data efficiently and with confidence.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)
Need access to data breach details or alerts when new breaches happen? Risk Based Security's Cyber Risk Analytics portal, fueled by the RBS breach research team, provides detailed information on how data breaches occur and which vendors to trust. Contact us today for a demo.