Active Cyber Defenses for Third Party Risk Management
By John Keenan, Director, IS e-Security, Memorial Hospital at Gulfport
Actions that disrupt business or governmental operations in the cyber domain have often been referred to as cyber warfare, and more recently, as cybercrime. As a result, the program that we’ve implemented has evolved by combining deep healthcare information security tactics, techniques, and procedures with an executive vision that relies heavily on the military decision-making process and the tools that the military teaches all of its operational planners to use when building adaptive plans. A continuous effort to understand how critical assets in the cyber domain are woven into the fabric of the business forms the foundation of our entire information security program. We then apply concepts like self-evaluation of defensive positions (KOCOA), evaluation of enemy capabilities (SALUTE reports), and potential actions (EMPCOA) to understand our risk whenever an attack happens, an exploit is found in the wild, a new vulnerability is announced, or a new element, such as an information exchange with a new vendor, changes our information ecosystem. One area that requires constant attention but often gets little funding is third-party risk management. Risk management, especially third-party risk management, involves a constant assessment and re-assessment process to understand what each vendor brings to the business and what risks they potentially introduce. In our information security program, we employ the principles of NIST SP 800-53 to take on third-party risk aggressively.
Our data and our supply chains are our “center[s] of gravity”; not in the astrophysics definition of the term, but in the Carl von Clausewitz (Prussian military theorist during the Napoleonic Wars) usage of the term: “The center of gravity of an armed force refers to those sources of strength or balance. It is that characteristic, capability, or locality from which the force derives its freedom of action, physical strength, or will to fight.” In connected medicine, a center of gravity is the free exchange of information and the information itself. In healthcare delivery, a center of gravity is the supply chain. We identify the defensive measures needed to protect data and our supply chain. We analyze potential criminal activity and assess our connectivity with those who share our data for potential weaknesses.
We prepare and implement our defensive actions and “battlements” based on common military tactics. We evaluate KOCOA: Key Terrain, Observation and fields of fire, Cover and Concealment, Obstacles, and Avenues of Approach. People, endpoints, and infrastructure represent the key terrain that surrounds the data and the supply chain. As we analyze observation and fields of fire, we review what we know about where the data goes when it leaves our facility and what controls we implement to protect it. If gaps exist in our visibility, we look for ways to address them or add them to the risk register. Some gaps may be mitigated by existing controls. We recognize those existing controls (which may or may not be technical) as cover and concealment. We also recognize a well-segmented network as intentional obstacles placed to redirect or stall criminal activity. We continuously assess these controls with a variety of tests. The final step in our defensive preparation is analyzing the avenues of approach.
A center of gravity, in its inverse, can often represent a critical vulnerability. That is to say that data and supply chains not well-protected can become the source of an attacker’s strength rather than the defender’s stronghold. Each new connection with our centers of gravity could become the next avenue of approach, if not properly protected. As such, we look at all avenues of approach with an “assumed breach” mentality so that we can then rank all potential avenues of approach to arrive at what we perceive as the “enemy’s most probable course of action”. This requires a well-developed process of threat intelligence evaluation. We look at all threats to our ecosystem and the healthcare industry and assess what’s going on by estimating size, activity, location, unit, time, and equipment (SALUTE report). This includes thorough analysis of each vendor’s proposed architecture as it interacts with our environment, and detailed Socratic questioning of the vendor through dialog, questionnaires, annual re-assessments, and re-assessments whenever there’s a major architectural change. We assess every third party’s publicly available information using a “real-time” third party risk management tool. Of course, vendors can attest to security measures in questionnaires or by submitting evidence of audits. Still, if the attestations don’t match the publicly available data, that generates additional questions. In that case, we start to dig into the details with the vendors to get them to document the exceptions to their policies that we have assessed as risks to our information-sharing agreements.
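As an added example, not part of the original article or the hospital's own tooling, the following Python check reconciles a vendor's questionnaire attestations against externally observed data and produces the follow-up questions that the mismatches generate. The attestation keys, the observation fields, and both sample data sets are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed sample: what the vendor attested on its questionnaire.
# Keys and values are assumptions for this example, not a real questionnaire.
VENDOR_ATTESTATIONS = {
    "tls_min_version": "1.2",      # "we only offer TLS 1.2 or newer"
    "mfa_on_admin_portal": True,   # "the admin portal requires MFA"
    "patch_sla_days": 30,          # "critical patches applied within 30 days"
    "ports_exposed": ["443"],      # "only HTTPS is internet-facing"
}

# Constructed sample: what a public-facing scan of the vendor's edge reported.
# In practice this comes from the real-time third-party risk monitoring tool.
OBSERVED_PUBLIC_DATA = {
    "tls_versions_offered": ["1.0", "1.2", "1.3"],
    "admin_portal_mfa_detected": False,
    "days_since_last_patch": 45,
    "ports_open": ["443", "3389"],
}

@dataclass(frozen=True)
class Finding:
    control: str
    attested: str
    observed: str
    question: str  # the follow-up we put back to the vendor

def _ver(s):
    """Parse 'major.minor' so TLS versions compare numerically, not as strings."""
    return tuple(int(p) for p in s.split("."))

def reconcile(attested, observed):
    """Return one Finding per attestation that the public evidence contradicts."""
    findings = []
    weak = [v for v in observed["tls_versions_offered"] if _ver(v) < _ver(attested["tls_min_version"])]
    if weak:
        findings.append(Finding("tls_min_version", attested["tls_min_version"], ",".join(weak),
                                "Which hosts still offer TLS %s, and when will they be retired?" % ",".join(weak)))
    if attested["mfa_on_admin_portal"] and not observed["admin_portal_mfa_detected"]:
        findings.append(Finding("mfa_on_admin_portal", "True", "not detected",
                                "Provide evidence that the admin portal enforces MFA for every role."))
    if observed["days_since_last_patch"] > attested["patch_sla_days"]:
        findings.append(Finding("patch_sla_days", str(attested["patch_sla_days"]),
                                str(observed["days_since_last_patch"]),
                                "Document the exception to the patch SLA and its compensating controls."))
    extra = sorted(set(observed["ports_open"]) - set(attested["ports_exposed"]))
    if extra:
        findings.append(Finding("ports_exposed", ",".join(attested["ports_exposed"]), ",".join(extra),
                                "Why are ports %s internet-facing, and who approved the exposure?" % ",".join(extra)))
    return findings

def followup_questions(attested, observed):
    """Questions for the next vendor dialog; an empty list means the attestations held up."""
    return [f.question for f in reconcile(attested, observed)]
```

Findings that the vendor cannot resolve become documented policy exceptions and risk-register entries, which is the outcome the reconciliation is meant to drive.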
Connected medicine benefits significantly from so many different “software as a service” subscriptions. As business units enlist cloud services to enhance the speed of delivery of connected medicine, the third-party risk management program must evolve to address OWASP Top 10 and OWASP Mobile App Top 10. Cloud security, shared as a responsibility between a cloud provider and cloud consumer, clearly cannot be assumed. Headlines prove that even companies with proven track records in traditional app sec have failed when migrating to the cloud. To properly guard critical assets, we constantly assess emerging capabilities in healthcare; how the products and services might create new avenues of approach that impact a previously secure sector of our technological ecosystem; and how to engage in meaningful dialog with innovators on how to bake security into their product in ways that redistribute the risk equitably rather than starkly in favor of the vendor.
No third-party risk program, no matter how well funded, will eliminate risk. Risk management and security are processes, not products. Once a device is connected, it is inherently insecure and must undergo constant evaluation for how that connectedness can impact the overall security posture. Only through constant interaction with business associates and equipment providers can we harden our ecosystems with technical, administrative, and compensating controls that provide solid security foundations that limit damage and risk in the event of a compromise.