Risk Management

07/19/2021

The management of organizational risk is a critical element in any organization's information security program, particularly those like Department of Defense (DoD) contractors that process highly sensitive, critical data.
With this in mind, the National Institute of Standards and Technology (NIST) has developed the Risk Management Framework (RMF), a set of processes for federal bodies to integrate information security and risk management into their systems development life cycles.
In other words, Risk Management Framework (RMF) is a set of criteria that defines how United States government IT systems must be architected, secured, and monitored. Originally developed by the Department of Defense (DoD), the RMF was adopted by the rest of the US federal information systems in 2010.
Today, the RMF is maintained by the National Institute of Standards and Technology (NIST), and provides a solid foundation for any data security strategy.
The goals of RMF are:

  • To improve information security
  • To strengthen risk management processes
  • To encourage reciprocity among federal agencies

TDC Healthcare cloud-based EHR System

As part of TDC Healthcare's business strategy, we have deployed a cloud-centric EHR system. With the software installed in the cloud, the cloud provider upgrades the software for TDC Healthcare without disrupting our practice. The cloud infrastructure is built on redundancy, meaning that the system is always available, even if there is an outage on our end. The services are designed so that outages are transparent to users and all services remain available.

It's Scalable. Over time the EHR system will grow, largely due to the increasing amount of patient data and to improvements in the application software that may require more computing power, so it will need additional computing resources to keep performing efficiently. On the cloud we can add more servers with the push of a button, and the change is transparent to you. This eliminates the need to buy additional costly hardware and to perform the ground-up configuration and disruption that an in-office solution would require to keep the system running.

It's Secure. With the increasing threat from hackers, both foreign and domestic, patient information is becoming more of a target and harder to secure. A local installation (in our office) requires extra attention to detail to keep secure: when you install the system in your office, you take on the responsibility of making sure the environment is safe from unauthorized access. By using our cloud-based solution, you benefit from infrastructure that is already in place to provide security controls such as private IP network isolation, encryption, server load balancing and automated backups.

The following diagram describes the high-level architecture of the TDC Healthcare EHR System.

When breaches of health information occur, they can have serious consequences for organizations like TDC Healthcare, including reputational and financial harm, or harm to our patients. Poor privacy and security practices heighten the vulnerability of patient information in the health information system, increasing the risk of a successful cyber-attack. To help cultivate patients' trust, TDC Healthcare should:

  • Maintain accurate information in patients' records using the above system
  • Make sure patients have a way to request electronic access to their medical record and know how to do so.
  • Carefully handle patients' health information to protect their privacy
  • Ensure patients' health information is accessible to authorized representatives when needed

The Health Insurance Portability and Accountability Act (HIPAA)
Whether patient health information is on a computer, in an Electronic Health Record (EHR), on paper, or in other media, providers are responsible for safeguarding the information by meeting the requirements of the HIPAA Privacy and Security Rules. An understanding of the HIPAA privacy and security requirements is critical for all executives of TDC Healthcare.

EHR and IT Developers
When working with TDC Healthcare's EHR and health information technology (health IT) developers, security consultants must ask the following questions to understand the privacy and security practices they have put in place. When my health IT developer installs its software for my practice, does its implementation process address the security features listed below for my practice environment?
  1. ePHI encryption
  2. Auditing functions
  3. Backup and recovery routines
  4. Unique user IDs and strong passwords
  5. Role- or user-based access controls
  6. Auto time-out
  7. Emergency access
  8. Amendments and accounting of disclosures
  • Will the health IT developer train my staff on the above features so my team can update and configure these features as needed?
  • How much of my health IT developer's training covers privacy and security awareness, requirements, and functions?
  • How does my backup and recovery system work?
  • Where is the documentation?
  • Where are the backups stored?
  • How often do I test this recovery system?
  • When my staff is trying to communicate with the health IT developer's staff, how will each party authenticate its identity? For example, how will my staff know that an individual who contacts them is the health IT developer representative and not a hacker trying to pose as such?
  • How much remote access will the health IT developer have to my system to provide support and other services? How will this remote access be secured?
  • If I want to securely email with my patients, will this system enable me to do that as required by the Security Rule?

Risk Management Framework for EHR System

TDC Healthcare will adapt and apply the RMF developed by the National Institute of Standards and Technology (NIST) for US federal bodies. The Risk Management Framework (RMF), illustrated in the figure below, provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle.
  1. Categorize the Information System
Categorize the information system, and the information processed, stored, and transmitted by that system, based on an impact analysis:
  • TDC Healthcare EHR System
A healthcare organization's EHR system holds extremely sensitive patient information: the potential impact from a loss of confidentiality is high, the potential impact from a loss of integrity is moderate, and the potential impact from a loss of availability is moderate. The resulting security category, SC, of this information type is expressed as: SC patient healthcare information = {(confidentiality, HIGH), (integrity, MODERATE), (availability, MODERATE)}.
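The categorization above is one information type. A real EHR system handles several, and FIPS 199 derives the system-level category by taking, for each objective, the highest impact across all information types (the "high water mark"); FIPS 200 then takes the highest of the three objectives as the overall impact level that selects the SP 800-53 baseline. The following Python script, added here as a worked example and not part of the original page, carries the page's patient healthcare information triple through that process. The second information type (practice billing records) and its ratings are constructed for illustration only.

```python
"""FIPS 199 security categorization carried through to baseline selection.

Added example. The page gives one information type:
  SC patient healthcare information = {(C, HIGH), (I, MODERATE), (A, MODERATE)}
This script generalizes to a whole system: each information type gets its own
triple, the system category is the per-objective high water mark across all
types (FIPS 199, Section 3), and the overall impact level used to pick an
SP 800-53 baseline (FIPS 200) is the highest of the three objectives.
"""
from enum import IntEnum
from typing import Dict, Iterable


class Impact(IntEnum):
    NOT_APPLICABLE = 0   # FIPS 199 permits N/A for confidentiality only
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

SecurityCategory = Dict[str, Impact]


def categorize(confidentiality: Impact, integrity: Impact, availability: Impact) -> SecurityCategory:
    """Build the SC triple for one information type, enforcing FIPS 199's rules."""
    if integrity is Impact.NOT_APPLICABLE or availability is Impact.NOT_APPLICABLE:
        raise ValueError("only confidentiality may be rated not applicable")
    return {"confidentiality": confidentiality,
            "integrity": integrity,
            "availability": availability}


def system_category(info_types: Iterable[SecurityCategory]) -> SecurityCategory:
    """High water mark: per objective, the maximum impact across all information types."""
    types = list(info_types)
    if not types:
        raise ValueError("a system must handle at least one information type")
    sc: SecurityCategory = {obj: max(t[obj] for t in types) for obj in OBJECTIVES}
    # FIPS 199: N/A is never allowed at system level; the floor for a system is LOW
    if sc["confidentiality"] is Impact.NOT_APPLICABLE:
        sc["confidentiality"] = Impact.LOW
    return sc


def overall_impact(sc: SecurityCategory) -> Impact:
    """FIPS 200: the system impact level is the highest of the three objectives."""
    return max(sc.values())


def baseline_for(sc: SecurityCategory) -> str:
    """Name of the SP 800-53 control baseline selected from the overall impact level."""
    return f"{overall_impact(sc).name} baseline"


def format_sc(name: str, sc: SecurityCategory) -> str:
    """Render a category in the notation FIPS 199 (and the text above) uses."""
    inner = ", ".join(f"({obj}, {sc[obj].name})" for obj in OBJECTIVES)
    return f"SC {name} = {{{inner}}}"


# Information type stated on the page
PATIENT_HEALTH_INFO = categorize(Impact.HIGH, Impact.MODERATE, Impact.MODERATE)
# Constructed second information type, chosen so the high water mark is visible
BILLING_RECORDS = categorize(Impact.MODERATE, Impact.HIGH, Impact.LOW)

EHR_SYSTEM = system_category([PATIENT_HEALTH_INFO, BILLING_RECORDS])

if __name__ == "__main__":
    print(format_sc("patient healthcare information", PATIENT_HEALTH_INFO))
    print(format_sc("TDC Healthcare EHR system", EHR_SYSTEM))
    print("overall impact level:", overall_impact(EHR_SYSTEM).name)
    print("selected control baseline:", baseline_for(EHR_SYSTEM))
```

Because the high water mark is taken per objective, adding the constructed billing type raises the system's integrity rating to HIGH even though patient information alone rates integrity MODERATE; the overall level, and therefore the baseline chosen in the Select step, is driven by the single highest objective.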
2. Select Security Controls
Select an initial set of baseline security controls for the information system based on the security categorization, tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.
The organization allocates security controls to an information system consistent with the organization's enterprise architecture and information security architecture. With that in mind, here are some of the critical security safeguards that every top-notch healthcare cloud-based EMR system absolutely must have in place (TDC Healthcare will implement these):
HIPAA and HITECH compliance as a baseline.
HIPAA and HITECH provide a regulatory roadmap for securing protected information, and while they serve as a great baseline standard for data security, TDC Healthcare will need security controls that are tailored to its specific needs.
  • Audit and Accountability (AU)
  • Incident Response Control (IR)
  • Identity Management and Authentication (IA)

3. Implement Security Controls

Implement the security controls and describe how the controls are employed within the information system and its environment of operation.
Security Control ID: AC-1
Security Control Name: Access Control Policy and Procedures (Logical/Technical Control)
Implementation: Implementing a comprehensive access control policy is critical. Once it is implemented, any violation of the access control policy should be reported immediately, with the necessary remediation action taken. The procedures should be followed on a regular basis. It is more of a systems approach.
Similarly, the incident response, audit and accountability, and identity and authentication controls were implemented: IR-1, IR-2, IR-3, IR-4 and IR-5; AU-1 and AU-2; IA-1 and IA-2.
4. Assess Security Controls
For TDC Healthcare EHR system, a well-executed assessment helps to:
  • determine the validity of the controls contained in the organization's security plans and privacy plans and subsequently employed in organizational information systems and environments of operation; and
  • facilitate a cost-effective approach to correcting weaknesses or deficiencies in systems in an orderly and disciplined manner consistent with organizational mission/business needs.
Plan of Actions & Milestones
During the assessment, the assessor noted one non-compliant security control within Access Control: AC-1(b)(2)[1]. AC-1(b)(2)[1] is critical because the required frequency for reviewing and updating the current access control procedures was set very high, which is not practical for a large organization like TDC Healthcare.
Remediations
As the assessor, my recommendation is to first address the AC-1(b)(2)[1] security control failure immediately, as the integrity of data is of the utmost importance.
5. Authorize Information System
(NIST SP 800-37) The purpose of the Authorize step is to provide organizational accountability by requiring a senior management official to determine whether the security and privacy risk (including supply chain risk) to organizational operations and assets, individuals, other organizations, or the Nation, based on the operation of a system or the use of common controls, is acceptable. At a high level, these are some of the tasks involved in the Authorize step of the Risk Management Framework. In the case of the TDC Healthcare EHR (Electronic Health Record) system, since the risk for the EHR system was assessed as low to medium, the executives granted an Authorization to Operate (ATO).

6. Monitor Security Controls
The security controls monitored in this step are those assessed in step 4 (Assess) of the TDC Healthcare EHR Risk Management Framework security implementation; one of those controls was assessed as non-compliant and is tracked in the Plan of Actions & Milestones above.
Establish Process To Continuously Monitor EHR Data Quality
Improving data quality is a continuous process that can be central to TDC Healthcare EHR operations rather than a one-time or time-limited activity. Practice leadership may set the expectation with staff that ongoing data quality monitoring will be institutionalized in the practice's way of doing business. This section discusses considerations for ongoing data quality maintenance:
  1. Establish ongoing data quality monitoring processes.
  2. Determine feedback mechanisms to practices.
  3. Document and implement ongoing processes and procedures to address data quality issues.
Over time, TDC Healthcare goals may change and new measures selected to monitor progress in meeting new or revised goals, underscoring the need for ongoing data quality monitoring and improvement. After practices establish ongoing data quality monitoring processes, they can create protocols to identify and resolve future issues based on what worked best during initial data quality improvement activities. This can include identifying specific individuals within the practice who will be accountable for the ongoing monitoring activity. Community-driven approaches can monitor data quality through a centralized function to support practices throughout the community.
References
FIPS PUB 199 (2004, February). Standards for Security Categorization of Federal Information and Information Systems. Retrieved from US Department of Commerce website: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf
Lang, Casey (2019, May 17). Understanding the NIST Risk Management Framework (RMF). Retrieved from CyberSheath website: https://cybersheath.com/understanding-the-nist-risk-management-framework-rmf/
Joint Task Force (2014, December). NIST Special Publication 800-53A Revision 4. Retrieved from NIST website: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf
Joint Task Force (2017, August). Draft NIST Special Publication 800-53 Revision 5. Retrieved from NIST website: https://csrc.nist.gov/CSRC/media//Publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf
Joint Task Force (2018, December). NIST Special Publication 800-37 Revision 2. Retrieved from NIST website: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf
Stine, K., Kissel, R., Barker, W., Lee, A., & Fahlsing, J. (2008, August). Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories. Retrieved from NIST website: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v2r1.pdf
The Office of the National Coordinator for Health IT. Capturing High Quality Electronic Health Records Data to Support Performance Improvement. Retrieved from HealthIT.gov website: https://www.healthit.gov/sites/default/files/onc-beacon-lg3-ehr-data-quality-and-perform-impvt.pdf

Reflection

The final project for CSOL 530 provides in-depth information on all six steps within the RMF. Industries with critical or highly sensitive data needs are increasingly adopting the RMF in an effort to cope with growing risk and to comply with their strict legislation: healthcare (HIPAA) and retail/payment (PCI). Hence I picked the healthcare industry to investigate how a healthcare organization can implement the RMF. It's my professional opinion that every organization (e.g. in healthcare) that handles sensitive data can benefit from adopting the RMF. The RMF functions as a very effective security planning tool that gives you a comprehensive picture of your organizational risk. The RMF is not specific to any one agency or body, which gives it the flexibility to be adopted and applied by organizations of all shapes, sizes, and industries.
The RMF is seen as the gold standard on which many risk management approaches are modeled. For that reason, it wouldn't be surprising to see it mandated in some form in the near future, particularly for high-risk industries, but possibly across the board. This happened recently with the EU's General Data Protection Regulation (GDPR), which mandated that any and every company handling sensitive data comply with the regulations, regardless of industry.
The RMF can also help in establishing a strong culture of ethics and integrity, because risk management is linked with ethical considerations.
Ranjan Kunwar - Capstone
All rights reserved 2021