BreachExchange mailing list archives

Three steps to help manage security alert overload


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 25 Jan 2016 17:12:00 -0700

http://www.beckershospitalreview.com/healthcare-information-technology/three-steps-to-help-manage-security-alert-overload.html

How many security alerts does your healthcare organization generate every
day? One hundred? One thousand? More? These numbers are not unusual. It's
also not unusual for healthcare organizations to have a single investigator
responsible for patient privacy violations – one who is likely overworked
and overwhelmed.

Take the lower end of the spectrum: say you have 100 security alerts per
day and one investigator who can handle an average of 50 alerts per day.
That leaves 50 alerts unaddressed every day. Is it any wonder that cyber
crime costs healthcare organizations an average of $2.1M a year [1]? There
are simply too many alerts to handle.

The two biggest drivers of security alert volume for healthcare
organizations are web-based attacks and malicious insiders [1]. Since most
hospitals cannot hire dozens of investigators to examine every one of these
alerts, what can be done?

Where Are All the Alerts Coming From?
When it comes to unauthorized data access, there are three main tools that
generate alerts:

1. Rules pinpoint known patterns of suspicious behavior with speed and
efficiency. Rules are static in nature and can work with limited data
points.
2. Profiling identifies abnormal behavior for an employee based on their
past behavior or the behavior of those in similar roles.
3. Advanced Analytics (e.g., predictive models, scoring) extrapolate
questionable behavior from multiple data points and trending information.
Advanced analytics are adaptive in nature and require a large volume of
data points.
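The difference between the first two tiers is easiest to see on the same data. The following is an added example, not code from the article or from any product it alludes to: a static rule (a fixed daily threshold on record views) is run beside self-profiling (each user against their own history) and peer-profiling (each user against the pooled history of their role). The users, roles, 14-day histories, today's counts, the threshold of 50 and the z-score of 3 are all constructed assumptions; the advanced-analytics tier is not shown.

```python
"""Static rule vs. behavioral profiling over constructed EHR audit counts."""
import statistics
from collections import defaultdict

# Constructed history: role and the number of patient records each user
# viewed on each of the last 14 days.
HISTORY = {
    "nurse_kim": ("nurse",   [30, 32, 28, 35, 31, 29, 33, 30, 34, 31, 29, 32, 30, 33]),
    "nurse_lee": ("nurse",   [40, 38, 45, 42, 41, 39, 44, 43, 40, 42, 41, 39, 44, 40]),
    "nurse_raj": ("nurse",   [10, 12, 9, 11, 10, 12, 11, 9, 10, 11, 12, 10, 9, 11]),  # part-time
    "bill_sam":  ("billing", [8, 9, 7, 10, 8, 9, 8, 7, 9, 8, 10, 9, 8, 9]),
    "bill_zoe":  ("billing", [6, 7, 7, 8, 6, 7, 6, 8, 7, 7, 6, 8, 7, 7]),
}

# Constructed counts for the day under review.
TODAY = {"nurse_kim": 31, "nurse_lee": 70, "nurse_raj": 35, "bill_sam": 25, "bill_zoe": 7}

RULE_THRESHOLD = 50  # assumption: the static rule fires above 50 views/day


def rule_alerts(today, threshold=RULE_THRESHOLD):
    """Tier 1: one fixed threshold for everybody, no history needed."""
    return sorted(user for user, n in today.items() if n > threshold)


def _exceeds(value, sample, z):
    """True when value lies more than z population standard deviations above the sample mean."""
    mean = statistics.mean(sample)
    sd = statistics.pstdev(sample)
    return value > mean + z * sd


def self_profile_alerts(history, today, z=3.0):
    """Tier 2a: compare each user with their own past behavior."""
    return sorted(user for user, (_, counts) in history.items()
                  if _exceeds(today[user], counts, z))


def peer_profile_alerts(history, today, z=3.0):
    """Tier 2b: compare each user with the pooled history of everyone in the same role."""
    by_role = defaultdict(list)
    for _, (role, counts) in history.items():
        by_role[role].extend(counts)
    return sorted(user for user, (role, _) in history.items()
                  if _exceeds(today[user], by_role[role], z))


if __name__ == "__main__":
    print("rule        :", rule_alerts(TODAY))
    print("self-profile:", self_profile_alerts(HISTORY, TODAY))
    print("peer-profile:", peer_profile_alerts(HISTORY, TODAY))
```

On this data the static rule fires only for nurse_lee. Self-profiling also catches bill_sam, whose 25 views are far above a billing clerk's baseline but nowhere near the fixed threshold, and nurse_raj, whose 35 views are ordinary for a nurse but three times his own part-time average. Peer-profiling misses nurse_raj precisely because the "nurse" pool is heterogeneous, which is why the two baselines are usually used together rather than as alternatives.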

Reduce Alert Volume
The first step to reducing the ever-increasing volume of security alerts is
to focus on patient risk. When you strip everything else away, that is what
alerts are all about: they represent potential risk to your organization
but more importantly your patients.

A patient risk mindset takes into consideration such factors as:
• The amount of trust lost from your patients
• The negative impact on your organization's reputation
• Compliance and legal ramifications
• The effect on your organization's competitive position

Having adopted a patient risk mindset, you need to put in place a filter to
determine the risk category for each alert. This is done via a scoring
system that estimates, for each event, the likelihood of a privacy breach
(does it represent a 5% or a 90% chance of a privacy violation?) and the
potential magnitude of that breach. Magnitude matters because not all
alerts are created equal: an alert that signifies a potential theft of 100
patient records is more important than one that indicates a potential theft
of 5.

An unauthorized perusal of a celebrity's record, where the information
might be leaked to news-hungry media outlets, carries more weight than an
employee sneaking a look at a friend's patient record. A filter and scoring
system, therefore, narrows down the number of alerts that need attention
and prioritizes high-risk transactions that have a significant likelihood
of actually being a privacy violation.

It is critical to understand, however, that the accuracy of such a scoring
system, and its efficacy in reducing the number of false-positive alerts,
depends on connecting the dots across applications, systems, networks and
log files and correlating across multiple channels to reveal risky
patterns. Patient security is like a puzzle: many pieces fit together to
form a single picture. If a risk score is assigned based solely on the
information from one application interaction or data set, it may not
reflect the true risk involved. In detecting patient privacy violations, a
combination of data points is worth much more than the sum of its parts.

Segment Alerts to Prioritize Actions
Suppose you have determined that your investigator can handle 50 alerts a
day. How do you decide which 50 get reviewed? There is one more necessary
step: segmenting alerts by category.

Without segmentation, you might simply take the "top 10" alerts based on
their risk score. The problem is that some alerts which deserve your
attention may not make your "top 10" list. For instance, what if an alert
signifying unauthorized access to a patient record is buried farther down
the list? Segmenting allows you to prioritize certain types of alerts over
others (e.g., VIP Snooping alerts over Working After Hours alerts) to
appropriately address patient risk. You may want your investigator to
review every alert from one category but only the top 10% from another.

By evaluating the patient risk associated with each segment and combining
that information with the risk scores for the alerts themselves, you can
determine which alerts should claim priority processing each day. Viewing
alerts in this way helps investigators move away from asking, "How fast can
I process this mountain of alerts?" to inquire instead, "Where is my time
best spent to protect the interests of the patient and the organization?"
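The scoring and segmentation steps above can be carried through end to end. The following is an added example, not code from the article or from any product: each alert is scored as likelihood times magnitude (records exposed, with a heavier weight for a VIP patient), alerts are grouped by category, a per-category review policy decides how much of each segment is mandatory, and only the capacity left after those quotas is spent on the highest raw scores. The alert categories, the ten sample alerts, the VIP weight, the policy fractions and their priority order are all constructed assumptions.

```python
"""Risk-score, segment and prioritize patient-privacy alerts against a daily capacity."""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    id: str
    category: str
    likelihood: float  # estimated probability the alert is a real privacy violation
    records: int       # number of patient records the activity could expose
    vip: bool = False  # subject is a high-profile patient (leak to media is the worry)


VIP_WEIGHT = 10.0  # assumption: one VIP record counts like ten ordinary records

# Review policy in priority order (dict order is significant): the fraction of
# each category's score-ranked alerts that must be reviewed. 1.0 = every alert.
REVIEW_POLICY = {
    "vip_snooping": 1.0,
    "unauthorized_access": 1.0,
    "bulk_export": 0.5,
    "after_hours": 0.10,
}

# Constructed sample alerts for one day.
SAMPLE_ALERTS = [
    Alert("A1", "vip_snooping", 0.90, 1, vip=True),
    Alert("A2", "after_hours", 0.05, 1),
    Alert("A3", "after_hours", 0.10, 1),
    Alert("A4", "after_hours", 0.40, 3),
    Alert("A5", "after_hours", 0.02, 1),
    Alert("A6", "unauthorized_access", 0.60, 5),
    Alert("A7", "bulk_export", 0.30, 100),
    Alert("A8", "bulk_export", 0.10, 20),
    Alert("A9", "unauthorized_access", 0.50, 1),
    Alert("A10", "after_hours", 0.03, 1),
]


def risk_score(alert):
    """Expected harm: likelihood of a breach times its magnitude in weighted records."""
    magnitude = alert.records * (VIP_WEIGHT if alert.vip else 1.0)
    return alert.likelihood * magnitude


def segment(alerts):
    """Group alerts by category; each group is sorted highest risk first."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[alert.category].append(alert)
    return {cat: sorted(g, key=risk_score, reverse=True) for cat, g in groups.items()}


def top_n_by_score(alerts, n):
    """The naive cut: ignore categories and take the n highest scores."""
    return [a.id for a in sorted(alerts, key=risk_score, reverse=True)[:n]]


def select_for_review(alerts, capacity, policy=REVIEW_POLICY):
    """Segmented cut: satisfy each category's quota in policy order, then spend
    whatever capacity is left on the highest-scoring leftovers."""
    segments = segment(alerts)
    mandatory, leftovers = [], []
    for cat, fraction in policy.items():
        group = segments.pop(cat, [])
        quota = math.ceil(fraction * len(group))
        mandatory.extend(group[:quota])
        leftovers.extend(group[quota:])
    for group in segments.values():  # categories without a policy: best effort only
        leftovers.extend(group)
    leftovers.sort(key=risk_score, reverse=True)
    return [a.id for a in (mandatory + leftovers)[:capacity]]


if __name__ == "__main__":
    print("top 5 by score  :", top_n_by_score(SAMPLE_ALERTS, 5))
    print("segmented top 5 :", select_for_review(SAMPLE_ALERTS, 5))
```

With a capacity of five, the raw score cut takes A7, A1, A6, A8 and A4: the second bulk-export alert (low likelihood, 20 records) displaces A9, an unauthorized-access alert that the policy says must always be reviewed. The segmented cut takes A1, A6, A9, A7 and A4 instead. The policy order is itself a risk decision: with a capacity of three, the policy above would drop the highest-scoring alert of the day (A7, the 100-record export) to keep both unauthorized-access alerts, so a hospital that fears bulk exfiltration more than snooping would move bulk_export up the list.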

Get More from Your Investigators
Scoring and prioritization help investigators focus on the most important
alerts – but is it possible to actually increase the number of alerts
investigators can handle in a given day? After all, if an investigator can
review 200 alerts instead of 50, your organization's exposure drops
accordingly.

With the right tools and processes, the answer is "Yes." For instance,
consider the skill, complexity, and time involved in a typical patient
privacy data breach investigation. An investigator needs to understand what
different data points mean, identify the important pieces of data for a
given alert, cross-check other systems for confirmation, establish
connections between various data points, etc.

But what if you could give your investigator a tool that would consolidate
information (alleviating the need to maneuver between multiple systems) and
contextualize information (giving meaning to bare data points)? By placing
all the information an investigator requires at their fingertips, they
would have a complete picture of the situation – significantly increasing
the speed and accuracy of investigations.

The right tool can also speed alert handling by managing workflow. An
investigation may need to follow a compliance process or have input across
multiple departments – from Human Resources, Legal, or Finance, for
example. But when the investigator transfers the file to the next person,
it can be effectively "lost in transit." A good workflow tool will track
each case from initiation to conclusion, sending reminders when necessary
to keep the file moving, and providing management with complete visibility
into the caseload.

Search capabilities are another critical tool for investigators. For
instance, an investigator may know that a privacy violation has been
perpetrated on a certain patient record, but not know how or by whom. A
solution that has a Google-like search will help them quickly find what
they are looking for, while screen-by-screen replay will then give them
visibility into every activity that has taken place for that patient
record, along with who performed the activity, step by step. They can then
determine if a single employee was involved in the violation, or if two or
more people were acting in collusion.
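The two ideas in this section and in the earlier "connecting the dots" paragraph, a per-record timeline drawn from several systems and a risk estimate that changes once those systems are combined, fit in one small piece of code. The following is an added example, not code from the article or from any vendor's product: one EHR audit log is joined with the care-team roster (the kind of data a scheduling or HR system holds) and a VIP registry, so that for one patient record an investigator gets every access in order, the actors with no treatment relationship, any two such actors active within the same window, and a likelihood estimate computed with and without the cross-system context. The log lines, roster, VIP list, one-hour window and the additive likelihood weights are constructed assumptions, not a calibrated model.

```python
"""Correlate an EHR audit log with roster and VIP data for one patient record."""
from datetime import datetime, timedelta

# Constructed EHR audit events: (timestamp, user, patient_id, action)
AUDIT_LOG = [
    ("2016-01-20T09:10:00", "nurse_kim", "P100", "view_chart"),
    ("2016-01-20T22:40:00", "clerk_joe", "P100", "view_chart"),
    ("2016-01-20T22:43:00", "tech_ana",  "P100", "view_chart"),
    ("2016-01-20T22:50:00", "tech_ana",  "P100", "print"),
    ("2016-01-21T08:00:00", "dr_patel",  "P100", "view_chart"),
    ("2016-01-21T08:05:00", "clerk_joe", "P217", "view_chart"),
]

# Constructed roster from the scheduling/HR system: who is treating whom.
CARE_TEAM = {"P100": {"nurse_kim", "dr_patel"}, "P217": {"clerk_joe"}}
VIP_PATIENTS = {"P100"}                           # constructed VIP registry
EXPORT_ACTIONS = {"print", "export", "download"}  # actions that move data off-screen


def record_timeline(log, patient_id, care_team=CARE_TEAM):
    """Every event against one record, in time order, annotated with the roster check."""
    events = []
    for ts, user, pid, action in log:
        if pid != patient_id:
            continue
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "in_care_team": user in care_team.get(pid, set()),
        })
    return sorted(events, key=lambda e: e["ts"])


def out_of_relationship_users(timeline):
    """Actors who touched the record without a treatment relationship to the patient."""
    return sorted({e["user"] for e in timeline if not e["in_care_team"]})


def possible_collusion(timeline, window=timedelta(hours=1)):
    """Pairs of distinct out-of-relationship users active on the record within `window`.
    Relies on the timeline being time-ordered, which record_timeline guarantees."""
    suspects = [e for e in timeline if not e["in_care_team"]]
    pairs = set()
    for i, first in enumerate(suspects):
        for second in suspects[i + 1:]:
            if first["user"] != second["user"] and second["ts"] - first["ts"] <= window:
                pairs.add(tuple(sorted((first["user"], second["user"]))))
    return sorted(pairs)


def event_likelihood(event, patient_id, with_context=True):
    """Rough likelihood that one access is a privacy violation (weights are assumptions).
    with_context=False uses only what the EHR log itself shows (time of day, action);
    with_context=True adds the roster and VIP signals held in other systems."""
    p = 0.05
    if event["action"] in EXPORT_ACTIONS:
        p += 0.20
    if event["ts"].hour < 6 or event["ts"].hour >= 20:  # outside 06:00-20:00
        p += 0.20
    if with_context:
        if not event["in_care_team"]:
            p += 0.40
        if patient_id in VIP_PATIENTS:
            p += 0.20
    return min(p, 1.0)


if __name__ == "__main__":
    tl = record_timeline(AUDIT_LOG, "P100")
    for e in tl:
        print(e["ts"], e["user"], e["action"], "care-team" if e["in_care_team"] else "NO RELATIONSHIP",
              "p=%.2f (log only %.2f)" % (event_likelihood(e, "P100"), event_likelihood(e, "P100", False)))
    print("collusion candidates:", possible_collusion(tl))
```

Seen from the EHR log alone, clerk_joe's 22:40 chart view is a routine after-hours access; joined with the roster and VIP list it becomes an out-of-relationship access to a VIP record, and its neighbour three minutes later (tech_ana, who then prints) turns the same record into a collusion candidate. That is the practical meaning of "a combination of data points is worth more than the sum of its parts".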

Lower Your Organization's Risk Profile & Increase Patient Privacy
Managing security alerts effectively is critical as you seek to protect
your patients' privacy and your organization's reputation and compliance
position. By translating security alerts into patient risk and
appropriately scoring, categorizing, and segmenting them, you can identify
the top priorities for your investigation team, focusing their attention
and concentrating their efforts where they will have the greatest impact on
your organization's risk profile. This, coupled with tools that shorten
case cycle time and improve the quality of investigations, will enable you
to manage security alerts about your patients' data efficiently and with
confidence.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Need access to data breach details or alerts when new breaches happen? Risk Based Security's Cyber Risk Analytics 
portal, fueled by the RBS breach research team, provides detailed information on how data breaches occur and which 
vendors to trust. Contact us today for a demo.