A Multi-Tiered Approach to Risk Monitoring Strategy (2024)

The HIPAA Security Rule, like NIST and other standards, requires that risk analysis and risk management be ongoing processes rather than a one-and-done exercise. The HHS Office for Civil Rights “Guidance on Risk Analysis Requirements Under the HIPAA Security Rule” draws on NIST SP 800-30, Guide for Conducting Risk Assessments, and further emphasizes the requirement for continuous, ongoing cyber risk management.

With healthcare data, systems, and connected devices proliferating across the care delivery network and cyberattacks growing in number and sophistication, healthcare organizations need to make assessing and managing cyber risk an ongoing process. Monitoring organizational information systems and their environments of operation helps verify compliance, determine the effectiveness of risk response measures, and identify risk-impacting changes.

In this blog, I will briefly review the concept of a multi-tiered approach to your risk monitoring strategy. For a deeper dive on the subject, I invite you to access the Clearwater on-demand webinar Assess, Manage, Monitor: 3 Key Elements to Cyber Risk Management.

NIST Risk Monitoring Key Elements

Under NIST, there are five key elements of risk monitoring that every organization should build into its strategy. The first is verifying compliance with policies and procedures. Policies and procedures are the baseline to which controls and monitoring activities are tied; technical monitoring tools are valuable, but without that context there is nothing to measure their output against.

The second is determining the ongoing effectiveness of risk response measures. Are the controls you have implemented actually reducing risk? Not just whether they are in place, but whether they are doing the job.

The third, and the one most often forgotten, is identifying risk-impacting changes to organizational systems and environments of operation. At its most basic: is there a new information system in my organization? Have I included it in my monitoring? And am I checking for newly added systems on an ongoing basis rather than waiting for the next annual assessment?

The fourth is treating monitoring as part of the system development life cycle, so that control implementation is verified within those processes rather than after the fact. The fifth is determining the efficiency of risk response measures: not only whether a control reduces risk, but whether it does so at a cost proportionate to the risk it addresses.

Tiers to Drive an Integrated Risk Management Process

Building from those key elements, NIST recommends a three-tiered approach to integrating the risk management process throughout the organization:

  • Tier 1: Organization level
  • Tier 2: Mission/business process level
  • Tier 3: Information systems level

There’s a tendency to think of monitoring as just happening at the information systems level, but that shouldn’t be the case.

At the Tier 1 level, governance, risk management goals, and organizational risk tolerance drive the monitoring strategy. Organizational risk tolerance established by senior executives/leaders as part of the risk executive function influences monitoring policy, procedures, and implementation activities across all tiers.

Within this tier, the criteria for monitoring are defined by the organization’s risk management strategy, including how the organization plans to assess, respond to, and monitor risk, and the oversight required to ensure that the risk management strategy is effective.

Security controls, security status, and other metrics defined and monitored by officials at this tier are designed to deliver information necessary to make risk management decisions in support of governance.

The Tier 2 criteria for continuous monitoring of information security are defined by how core mission/business processes are prioritized with respect to the overall goals and objectives of the organization, the types of information needed to successfully execute the stated mission/business processes, and the organization-wide information security program strategy.

Controls in the Program Management family are an example of Tier 2 security controls. These controls address the establishment and management of the organization’s information security program.

Tier 2 controls are deployed organization-wide and support all information systems. They may be tracked at Tier 2 or Tier 1.

The frequencies with which Tier 2 security controls are assessed and security status and other metrics are monitored are determined in part by the objectives and priorities of the mission or business process and measurement capabilities inherent in the infrastructure. Security-related information may come from common, hybrid, and system-specific controls.

Metrics and dashboards can be useful at Tiers 1 and 2 in assessing, normalizing, communicating, and correlating monitoring activities below the mission/business process tier in a meaningful manner.

Monitoring activities at Tier 3 address risk management from an information systems perspective. These activities include ensuring that all system-level security controls (technical, operational, and management controls) are implemented correctly, operate as intended, produce the desired outcome with respect to meeting the security requirements for the system, and continue to be effective over time.

Monitoring activities at Tier 3 also include assessing and monitoring hybrid and common controls implemented at the system level. Security status reporting at this tier often includes, but is not limited to, security alerts, security incidents, and identified threat activities.

The monitoring strategy for Tier 3 ensures that security-related information supports the monitoring requirements of other organizational tiers.

Data feeds/assessment results from system-level controls (system-specific, hybrid, or common), along with associated security status reporting, support risk-based decisions at the organization and mission/business processes tiers. Information is tailored for each tier and delivered in ways that inform risk-based decision making at all tiers. Those resulting decisions impact the monitoring strategy applied at the information systems tier.

Monitoring metrics originating at the information systems tier can be used to assess, respond to, and monitor risk across the organization.
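The two ideas above that most often go unimplemented are the Tier 3 check for risk-impacting changes (is there a system in my environment that my inventory and monitoring do not know about?) and the roll-up of system-level results into a Tier 2 process metric and a Tier 1 go/no-go against risk tolerance. The following Python is an added example written for this post, not Clearwater's or NIST's code. The inventory, hostnames, process names and the `min_coverage` tolerance are constructed sample data; the field names are assumptions for the example, not a NIST or HIPAA schema.

```python
"""Reconcile an authorized-system inventory against discovered hosts (Tier 3),
roll monitoring coverage up by mission/business process (Tier 2), and produce a
single status against organizational risk tolerance (Tier 1).

All data below is constructed for the example. Field names (system_id, host,
process, monitored) are assumptions, not a standard schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InventoryEntry:
    system_id: str
    host: str
    process: str      # Tier 2 mission/business process the system supports
    monitored: bool   # does the system feed the continuous-monitoring tooling?


# Constructed inventory: what the organization believes it operates.
INVENTORY = [
    InventoryEntry("SYS-001", "ehr-app-01", "Patient Care", True),
    InventoryEntry("SYS-002", "ehr-db-01", "Patient Care", True),
    InventoryEntry("SYS-003", "billing-01", "Revenue Cycle", False),
    InventoryEntry("SYS-004", "hr-portal", "Workforce", True),
]

# Constructed discovery results, as a network scan or CMDB sync might return.
# "imaging-gw-02" is new and unknown to the inventory; "hr-portal" was expected
# but not seen (decommissioned or a scan blind spot; either is a change to track).
DISCOVERED = {"ehr-app-01", "ehr-db-01", "billing-01", "imaging-gw-02"}


def reconcile(inventory, discovered):
    """Tier 3: the three findings a risk-impacting-change check produces."""
    inv_by_host = {e.host: e for e in inventory}
    unknown = sorted(h for h in discovered if h not in inv_by_host)
    missing = sorted(h for h in inv_by_host if h not in discovered)
    unmonitored = sorted(e.system_id for e in inventory if not e.monitored)
    return {"unknown_hosts": unknown, "missing_hosts": missing,
            "unmonitored_systems": unmonitored}


def coverage_by_process(inventory):
    """Tier 2 metric: fraction of each process's systems under monitoring."""
    totals, covered = {}, {}
    for e in inventory:
        totals[e.process] = totals.get(e.process, 0) + 1
        covered[e.process] = covered.get(e.process, 0) + (1 if e.monitored else 0)
    return {p: covered[p] / totals[p] for p in totals}


def tier1_status(inventory, discovered, min_coverage=1.0):
    """Tier 1 roll-up: one go/no-go against the organization's risk tolerance.

    min_coverage stands in for the tolerance set by the risk executive function;
    1.0 (every system monitored) is an assumption for the example.
    """
    findings = reconcile(inventory, discovered)
    coverage = coverage_by_process(inventory)
    below = sorted(p for p, c in coverage.items() if c < min_coverage)
    ok = not findings["unknown_hosts"] and not below
    return {"ok": ok, "processes_below_tolerance": below, **findings}


if __name__ == "__main__":
    import json
    print(json.dumps(tier1_status(INVENTORY, DISCOVERED), indent=2))
```

Run against the sample data, the check reports the unknown host, the host that went missing, the one unmonitored system, and flags Revenue Cycle as the process below tolerance. The point of keeping the three functions separate is that each tier consumes a different slice: operations acts on the host lists, the process owner on the coverage ratio, and leadership on the single status flag, which is how Tier 3 data supports decisions at the tiers above without handing executives a scan report.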

In Summary

Implementing continuous monitoring is a critical step in any successful risk management strategy. Beyond verifying compliance, continuous monitoring can alert on individual malicious events and on broader sequences of events that only stand out in aggregate, shortening remediation and helping mitigate risk.

Monitor is one of the steps of the Risk Management Framework in NIST Special Publication 800-37 (six steps in Revision 1; Revision 2, current since December 2018, added Prepare as a seventh), and continuous monitoring is a major component of validating the controls catalogued in NIST Special Publication 800-53, originally Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, and now Revision 5, Security and Privacy Controls for Information Systems and Organizations.

Continuous monitoring combines process and technology, detecting and alerting on operational and security issues related to a wide range of compliance and risk concerns.

If you have questions or would like to learn more about how to develop the optimal risk monitoring strategy for your organization, contact the Clearwater team at [email protected].
