Quality health plans & benefits Healthier living Financial well-being Intelligent solutions
Jim Routh September, 2014
Climate Change: It's about Managing Risk, Not Just Compliance
Aetna Inc.
Objectives
2
1. Present a model for risk-driven information security
2. Suggest an alternative approach to managing risk in your security technology portfolio
3. Encourage you to consider changes in your approach to information security
The Evolving Role of the CISO
A Chief Information Security Officer (CISO) is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy and program to ensure information assets and technologies are adequately protected. The CISO directs staff in identifying, developing, implementing and maintaining processes across the organization to reduce information and information technology (IT) risks.
The Opportunity Awaits Us
• Medical/health fraud is $80 billion annually (Institute of Medicine report, The Healthcare Imperative)
• An example of fraud is medical identity theft, which is growing at close to 20% annually (500k cases) (Ponemon)
• The number of devices connected to the Internet in 2020 will be 50 billion (Cisco)
Chart: FULZ (insurance card, bank account, SSN, email address): $500, $25; SSN, Aug. 1st vs. Aug. 8th: $1.00, $.48
Compliance-Driven Info Sec
Diagram: Event → Awareness → Committee → Legislative → Law → Rules → Enforcement → Regulatory
HIPAA and the HiTech Act
Diagram: Event → Awareness → Committee → Legislative → Law → Rules → Enforcement → Regulatory, illustrated with the HIPAA timeline (years since the bill in parentheses):
• 1993-94: Kennedy-Kassebaum Bill
• 1996: HIPAA (+3)
• 1999: HIPAA Privacy Rule (+6)
• 2002: HIPAA Privacy Rule - Final (+9)
• 2003: Final Rule on security standards (+10)
• 2003: Privacy compliance date (+10)
• 2005: Security compliance date (+12)
• 2006: Final Rule on HIPAA Enforcement (+13)
• 2009: HiTech Act (+16)
• 2010: HiTech Act Rule (+17)
Risk-Driven Information Security
Diagram: Event → Awareness → Committee → Legislative → Law → Rules → Enforcement → Regulatory, with Threat added to the cycle
Separate Privacy Program from Information Security Program
Diagram, two columns:
• Privacy: Federal, State, Local
• Info Sec: External Threat, Internal Threat, Vulnerability Assessment
Consume Cyber Security Intelligence
• 3rd Party
• Information Sharing
• Public Domain
• National Cyber Security and Communications Center
The Threat Landscape
• Organized cyber criminals
• Mobile Devices
• Geo Political
New Information Classification Model
Confidential Information:
• Protected Health Information (PHI): Medical Records, Diagnosis & Procedure Codes, Lab Results, Claim Data, etc.
• Personally Identifiable Information (PII): Name, Address (Street, City, State, Zip Code), Member ID, DOB, Telephone & Fax Numbers, Email Addresses, etc.
• Company Financial Data
• Merger & Acquisition Data
• Controls: Meet all HIPAA & other regulatory requirements - nothing changes
Restricted Data:
• Credit Card Data
• SSN
• Credentials (User IDs & Passwords)
• New Controls: Encryption or Tokenization; 2 Factor Authentication; Increased Auditing & Monitoring
Changing Business Practices
Diagram: Consumer, Provider, Payer; SSN
A Security Technology Portfolio
• Legacy Technology: mature, meets basic requirements
• Legacy to Replace: needs replacement, no longer mitigates risk
• New Technology Solutions: emerging technology controls
Chart: portfolio split shown as 65%, 10% and 25% across these three categories
Apply Portfolio Management Theory
Chart: Market Share vs. Price across funding stages (Angel/Early Stage, VC Backed Round 1, Round 2, Round 3, Private Equity, IPO) of a Product/Service, annotated "Buy Here"
• Product/Service market value increases with maturity
• Price follows market value
• More investors means higher pricing; more market share means higher pricing
• Select technology early and apply rigorous testing while sharing feedback
Let’s Talk SMAC!
SMAC: Social, Mobile, Analytics, Cloud
Cloud Consumption (Healthcare)
• Total # Cloud Services Identified: 1,180
• Average # Cloud Services Used: 2,365
Majority of the 2,365 Services Used Lack Basic Security Features
Controls (Cloud Usage benchmark data):
• Provide Multi-Factor Authentication: 16%
• Encrypt Data at Rest: 11%
• Are ISO 27001 Certified: 4%
Security Ranking of File Sharing Services
Chart: security ranking (1-10) of the Top 10 File Sharing Services (A-J) out of 178 total file sharing services; Risk Distribution shown as High Risk vs. Medium Risk
Mobile Ecosystem Controls?
Developer for Aetna Insurance++
The Mobile App Uses Permissions…
22 of the apps are requesting the GET_ACCOUNTS permission.
GET_ACCOUNTS lets you see the various accounts on a phone via the account manager, including Google, Facebook, Twitter, etc.
In this app, it is used by an ad library called "com.edealya", seemingly for ad tracking and targeting; quote: “eDealya enables marketers to respond to social intent with an in-context, on-time, and relevant mobile advertisement.”
eDealya
Reference: eDealya Website - https://www.e-dealya.com/wp-content/uploads/2013/07/eDealya-One-Pager-v4.3.1.pdf
New Authentication Models Are Needed
Decision Data Input for RISK SCORING (Measurements - See Key Below; Read/Transmit)

| Data Input | Measurements | Read/Transmit |
|---|---|---|
| Build Data: Accelerometer Data | H,MF,P,S | R,T |
| Build Data: Apt Folder data | H,N | R |
| Build Data: Battery Usage | H | R,T |
| Build Data: Blacklist Device ID | H | R,T |
| Build Data: Bluetooth settings | H,T | R,T |
| Build Data: Call Settings | H | R,T |
| Build Data: Customer ID | H | R,T |
| Build Data: Device ID | H | R,T |
| Build Data: Fonts installed | H,MF,N | R,T |
| Build Data: Last Power up | F,H,N,T,TB,TD | R,T |
| Build Data: Manufacture build data | H | R,T |
| Build Data: Network | F,H,MF,N,T,TD | R,T |
| Build Data: Preference settings | H | R,T |
| Build Data: Processing Power | H | R,T |
| Build Data: Random number [inauth] | H | R,T |
| Build Data: Security | H,MF,N,S,V | R,T |
| Build Data: Sound | H | R,T |
| Build Data: Storage/memory | H | R,T |
| Build Data: Su Library data | H | R |
| Build Data: Super User data | H | R |
| Build Data: Test-Release data | H | R |
| Build Data: Time Zone Setting | F,H,MF,N,TB | R,T |
| Build Data: Transmission settings | H | R,T |
| Build Data: Unique ID | H | R,T |
| Build Data: Wi-Fi settings | F,H,N,S,T,TB,TD,V | R,T |
| Call Data: Call Country Codes | F,H,MF,N,S,T,TB,TD,V | R,T |
| Call Data: Call Data | H | R,T |
| Call Data: Call Duration | H,MF,T | R,T |
Using Technical Innovation to Improve Controls
• Overlapping controls enable Aetna to invest in emerging technologies with game-changing capabilities
Chart: Market Share vs. Price for Micro-virtualization, Host-based intrusion detection 1, White listing processes and Host-based intrusion detection 2, annotated "Aetna Purchased here"
Trusted Email Lifecycle Summary
Benefit Summary
On July 14, 2014, the #1 targeted domain for malicious email, AmericanHealthholding.com, supported DMARC enforcement:
Total malicious email removed from delivery (7/14 - 8/30): 10,276,150