Friday, November 9, 2018

A Risk Assessment Exercise in Several Parts

Guidelines of impact relevance for IHE profiles
from the IHE Security Cookbook

One of the challenges for anyone involved in Healthcare IT standards development is being able to share the documents, presentations, training and other materials used in developing the standards.  Like many in this field, I have access not just to the materials I need to share, but also to a lot of other things that shouldn't be shared and which need to be protected.

I've been in settings where I'm creating or revising a document or presentation, and the fastest way to get it to somebody somewhere is via a USB memory device.  But if access to external storage is locked out, then I cannot share information, or accept information from devices that may be shared with me.  In some cases, it's been nearly the only way (ever try to get to wireless or Wi-Fi at a very busy, yet under-provisioned conference setting ... sometimes it's just not possible).  I've been in presentation settings where the presenter system is owned by the organization and, for related reasons, is the only thing that can be used for presenting, so the only way to get content onto it may well be a USB stick.  These situations are infrequent, yet USB is still often the fastest way.

Yet USB sticks (and other devices) are a two-way infection vector, and also a way to transfer huge amounts of information that sometimes shouldn't be shared.  Even in cases where it should be shared, the information may need its own set of protections (e.g., encryption and authentication for use) to prevent it from falling into the wrong hands.

So, I need a risk assessment and mitigation strategy if I'm to justify any sort of exception to a complete lock-down.  This post is the first of several that walk through a risk assessment process.  We'll start in this post with the assets to protect, move on next to threats, and then to assessment and mitigation.

Here's a partial list of assets that need protection.
  • My Company Issued Laptop
  • My Data
    I have pictures on my laptop that are mine, which I might want to save, my company laptop has access to many web sites I use for both personal and professional reasons.  I may have personal data related to my work (e.g., Payroll, taxes, benefits, health insurance). I want to protect that content.
  • Infrastructure
    Anything my laptop (where the USB device would be used) can access, can subsequently be attacked by my laptop were it to be infected.
    • Corporate Infrastructure
    • Customer Infrastructure
  • Intellectual Property
    Anything I have access to via that laptop could potentially be a target, including:
    • Company IP
    • Partner IP
    • Customer IP
    • SDO IP
      Examples include presentations, training material, and draft content of specifications that I may be working on.  This is material I often need to share with others.
  • Individually Identifiable Data
    Various regulations require additional safeguards around certain classes of data that might be available via my laptop, including:
    • Patient Data (PHI)
    • Data about other Individuals (PII)

Consequent to the threats to any of these assets are threats to my reputation and to those of my employer, its partners and customers, and to the financial status of those organizations.  One need only look at what happened last year with the NotPetya attacks to see how much damage can be done.

I invite your comments and feedback below!
