How much security is enough? Business decision-makers juggle countless variables and make risk decisions using “due care” and “reasonableness.” Understand how to apply duty of care to your specific organization.
HALOCK senior partner, Terry Kurzynski, and Jennifer L. Rathburn, partner from Foley & Lardner LLP present the challenging topic of balancing compliance, security, and business objectives in the healthcare arena.
- How to balance the protection of your entity’s interests with public interest in accordance with regulatory standards.
- Establish definitions for “due care” to evaluate whether safeguards are reasonable and appropriate, either before or after a breach occurs.
- How entities evaluate the risk-appropriateness of their safeguards after a breach occurs.
- A practical method of how to define “appropriate” or “reasonable” risk.
TRANSCRIPT
Today’s program is titled Thought Leader Adopting Duty of Care Risk Analysis (DoCRA) to Drive GRC.
Special thank you goes out to HALOCK for sponsoring today’s webinar.
Before we get started with today’s presentation, I would like to draw your attention to the links box located to the left of the slide. There, you will see a link labeled Course Material Website. And when selected, you’ll be directed back to the learning platform where you can access the presentation slides and complete the webinar evaluation.
Now it is my pleasure to turn it over to today’s speakers.
Thank you, Eric. Well, first, we’re gonna do some quick introductions.
My name is Jen Rathburn. I am a partner at Foley and Lardner, and I practice in the area of data privacy and security.
Essentially, I do everything from data protection programs to preparing clients for data breaches to incident response to monetization of data. And I also focus on U.S. and global laws.
I am really excited today to talk about this. I’ve been doing this for almost twenty years, and I really feel that our discussion today is going to be very helpful and practical, both to lawyers and to InfoSec personnel, and really getting to the meat of what do you need to do with your HIPAA risk analysis.
We’re going to do some backgrounds and ground individuals on the call about what is required under HIPAA, why are these requirements important, some recent enforcement actions and penalties.
But what we’re really going to focus on is what we believe is the correct evolution of how to do a risk assessment, and essentially that’s DoCRA.
Think in your minds risk assessment 2.0. Really, we’re bringing infosec and legal together to really speak the same language, and we’ll get into more of that later on.
So starting out, we’re not gonna belabor the point, but many of you obviously on the call know that the health care industry has the highest breach cost, and it’s been that way for some time. Obviously, the financial industry is also up there. But the reason why health care industry is under attack is because health care providers and health plans are rich with sensitive data.
Hackers know it, and also due to the regulatory scheme and potential litigation that results, the costs are very high.
So I wanted to provide you all just a little bit of information about a recent notice of enforcement discretion that came out from HHS.
We’ve all seen these potential HIPAA penalties for some years now. There’s been controversy over what penalties an organization can be penalized with on a yearly basis, total penalties, etcetera. And there was a recent clarification that came out this April. Last year, in two thousand and eight, it was an all-time record enforcement year.
What we do think from these new updated penalties, or in other words the way in which HHS is going to enforce them, is it will likely result in lower penalties and settlement agreements, but we don’t know for sure yet. We’re going to have to see how this plays out. There are huge incentives, however, for our covered entities and business associates to demonstrate good faith compliance efforts. And what I mean by that is that even if you do something with willful neglect, which you can see on the left-hand column, really the penalties go by culpability, you know, how negligent or how willful the neglect was.
But even in the willful neglect scenario, if it’s corrected within thirty days, there’s a huge benefit because the repeat violations go from $250,000 to $1.5 million. So I just wanted you all to be aware of this. You can see the citation below if you wanna take a look at what was published, but there has been some promising guidance in this aspect.
So I want to talk about a recent OCR enforcement action that happened just this May.
Essentially, 3.5 million records were accessed by a hacker from a medical record service company. They had access to, you know, demographic data, Social Security numbers, clinical and health information. And they were fined $100,000. What’s important here, and we’ve seen this before, but it continues, is that the OCR said that really the failure to identify potential risks and vulnerabilities to ePHI opens the door to breaches and violates HIPAA. And we’ve seen this now for the past couple of years, but the OCR understands it’s really about preparation.
Is your organization a good actor? Are you conducting risk analyses? Are you having an ongoing risk management plan to address that? And specifically in the corrective action plan, the organization has to conduct a risk analysis and develop and implement a risk management plan. And, essentially, what does that mean? I mean, they put in the corrective action that, really, the organization has to evaluate whether existing security measures are sufficient.
And what we’re gonna talk about today is really exciting because it’s a way in which your organization can not only do a HIPAA risk analysis to prepare itself for an attack, to prepare to turn it over to the OCR to defend itself, but it’s also a type of risk analysis that judges understand, and we’ll get into that in just a moment.
So what is cybersecurity under HIPAA? But before we go into this advanced framework we’re talking about today, and advanced just means actually really good and practical, let’s go back and ground ourselves in what is meant by cybersecurity under HIPAA. We all know these administrative, technical, and physical safeguards that are required by HIPAA came out a very long time ago, and they don’t prescribe, you know, specific standards.
So we all know that HIPAA compliance is required, but it’s not gonna ensure protection from cyberattacks. Just like other frameworks such as PCI DSS, and others, it’s simply a security framework that you have to follow, but it does not guarantee that you will not experience a cyberattack. So where do these requirements come from? They come from HIPAA security rule, and the first one is under the risk management process standard.
And what does that say? Essentially, you have to implement policies and procedures to prevent, detect, contain, and correct security violations. This is a required standard for the legal people out there. If you wanna know the standard, it’s 45 CFR 164.308(a)(1), but this is right out of the HIPAA security rule.
And underneath that, there’s various different implementation specifications. And the one we’re gonna focus on mostly today is the HIPAA risk analysis requirement.
This is a required implementation specification.
As you all know, covered entities and business associates both must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to not only the confidentiality of data, meaning you’re not worried just about data being disclosed.
You’re also worrying about the integrity of data. Are your datasets accurate, complete?
And you’re worried about the availability of ePHI. Think ransomware. The OCR issued some guidance a few years back on how they approach ransomware. But I just want you to be clear, it’s not just about the disclosure of information, it’s also about the integrity and availability.
The HIPAA risk analysis, it really should be ongoing, which we’re going to talk about, but at a minimum, it should be updated annually in our opinion and definitely when new technologies or business operations are implemented.
And we’ll talk a little bit about that in a moment.
So the good news is we have seen some guidance from the Office for Civil Rights, and we thank you, OCR, for this. They have been very proactive in the last couple of years, and I just want to point to a couple of pieces of guidance for background information for you. If you go to the OCR website and under the HIPAA security rule, there’s actually a guidance document there to review about how to conduct a risk assessment.
There are also various OCR privacy and security listserv newsletters that are very helpful. And one of them that I want to talk about today came out last April. And essentially, it was a paper discussing what is a risk analysis versus a gap analysis and what is the difference. So I’ll tell you a little bit about what they said. First of all, the security rule does not require a specific methodology to assess the risk to ePHI, nor does it require risk analysis documentation to be in a specific format. So in other words, you have discretion.
However, what they did note is that a risk assessment is essentially different than a gap analysis. Why?
A risk assessment doesn’t just evaluate the controls that are in place, rather it addresses enterprise risk. And if you see from these guidance tips above, these are the steps that you have to go through. So simply just looking at, do we have all these administrative, technical, and physical safeguards in place and where are gaps, that’s not gonna get you over the finish line. The OCR wants you to address risk appropriately. So, essentially, what you need to do is you need to figure out how ePHI flows in and out of your organization, whether that’s a data map, you know, newer term coined by GDPR, CCPA, but essentially figuring out where ePHI lives in your systems and how it flows in and out. You do have to address current security measures, but where it differs here with a risk analysis is you really need to identify and document potential threats and vulnerabilities.
You gotta determine the likelihood of a particular threat occurrence. You need to determine the potential impact of that threat occurrence, and you need to determine the level of risk. Obviously, this needs to be documented as well. I will tell you if you experience a breach of over five hundred, the OCR generally always asks for the most recent copy of your risk analysis or back six years.
They also will ask you about your risk management plan as well. So this is a very important document. It essentially is the foundation and the floor to build all of your policies. Because if you don’t understand where your risk lies, then you don’t know how to implement the right controls.
And, obviously, in a moment, we’re gonna get into the devil and the details on that. But I just wanna point out, this is the foundation, and the OCR does ask you about it, and it must be done.
So in addition to your HIPAA risk analysis, we wanna just to simply mention that there are requirements about ongoing plans. And I note here the other implementation specifications about risk management and evaluation.
In sum, it just means that these are processes that are ongoing and dynamic that change as your environment or operation changes. And I will tell you, the OCR understands that once you do your risk analysis, that’s a date and time, and that you need to take those risks and gaps, and you need to develop a plan to address them, and it needs to be updated ongoing. They request this information and ask for copies of it. So it’s not just a one and done.
We also wanted to point out: what are your board of directors being trained on? This slide here comes from guidance from the National Association of Corporate Directors (NACD), and this is what your directors are being trained about. Corporate directors wanna know, what am I supposed to be doing?
I have an oversight function. What am I supposed to be doing as a board member to ensure that I meet my fiduciary duties to the organization?
And so I just want you to be aware of these, that they’re being taught about these principles, and here they go. First one, cybersecurity is an enterprise-wide risk management issue. It’s not just an IT issue. For those of us who’ve been in the cyberspace for some time, this has been a clear point, but now boards of directors are getting that. They can’t outsource it just to the CISO, CIO.
This is an enterprise wide risk issue.
Also, the board needs to understand the legal implications of cyber risk as they relate specifically to the company’s circumstances.
What we talk about today, doing the DoCRA type of risk analysis, this will really help your organization communicate up to the C-suite and board about what your particular risk is.
Also, the board needs to have adequate access to cybersecurity expertise and give cyber risk management regular and adequate time on board meeting agendas. The board needs to hear about cyber risk. Just like anything else in healthcare, there’s lots of risks that come through healthcare organizations. A lot of that is reported up through benchmarking reporting. Cyber needs to be another one of them.
Also, board members need to understand that management must establish an enterprise wide risk management framework. What frameworks are you adopting? What types of controls are you adopting? And there needs to be adequate staffing and budget. Again, determining the type of risk to your organization will help you make all those decisions.
And then lastly, this one really is about allocation of risk, but it’s about management needs to discuss what types of risks are we gonna avoid, what are we gonna accept, and what are we gonna mitigate or transfer through insurance. So there needs to be a discussion of allocation of risk.
So this is why this presentation is one of the most interesting things that we’ve done in a very long time. I have seen this communication gap between infosec and legal go on for many, many years. Legal may not understand what infosec is saying. Infosec is talking security controls, where legal is talking vulnerabilities.
And really, what this type of risk analysis does is bring these together. And, you know, really what it is is most attorneys, and I am one myself, so I recognize this, are missing the linkage the government has provided that connects the logic of regulations with the logic of information security. As a result, attorneys see technology, business, and law as opposing forces rather than a unified set of interests called reasonable. We all want to be reasonable at the end of the day.
What I see is lawyers negotiate down contract language to reduce the burden of their clients’ security requirements, which makes sense, but also lawyers accept technical statements from the security team and or vendor suppliers on face value that respond to inquiries about security capabilities because lawyers don’t dig deep down. The consequence is that organizations are not cognizant of their actual security risk, either in terms of their preparedness for an incident or their ability to defend their actions after the incident.
The attorney’s traditional role of negotiating down safeguards is leaving organizations less secure.
Accepting technical explanations without understanding the risk makes organizations very vulnerable to negligence suits after a breach.
And why has this occurred for all of these years? Well, it’s very difficult to quantify risk in an organization.
It takes a lot of thought process to do that, and people communicate in different ways, which is why this type of risk analysis really will help you. So let’s talk about how do you prepare for a data breach.
The day you’re sued for a data breach, you’ll be asked a series of questions, you know, whether that’s from regulators or in court.
Essentially, the judge is trying to figure out, are you negligent?
And many states use something called a multifactor balancing test to get to this.
What is that?
So a multifactor balancing test essentially asks, was there a duty of care obligation?
Was due care performed adequately?
Again, the courts are trying to figure out was this organization negligent?
Did they meet their duty of care?
We’re not gonna read through all of these, but we wanted to give you some examples of multifactor balancing tests throughout the country. And many, if not most, of the jurisdictions use multifactor balancing tests. We also look at was the risk foreseeable, what type of risk is there. But you can go through all of these different examples, but essentially the multifactor balancing tests have many things in common. All of these different tests get to certain issues.
The first one we talk about is social utility and benefits for each party. What this means is, what is the mission and purpose of the organization?
Is it saving lives? Is it arbitrage trading for their own personal benefit? What is the mission of the organization?
Was the risk foreseeable?
Could this type of threat be anticipated?
Has it happened before to your peers?
Has it happened to your organization before? In other words, have you been put on notice?
What is the potential impact or injury?
How great is the impact?
This could be in terms of dollars, but it could also be measured in any harm to another party, such as loss of privacy, reputation, sickness, death, growth, business failure.
And then what is the burden of the safeguard?
How expensive is the risk treatment compared to the weighted impact?
Terry, in a moment, is gonna get into this in more detail, but really what is the burden? You’re doing a balancing test here. And then what is the relationship between the parties? How direct or indirect is the relationship?
If you’re an insurance company and collect private data from your customers, you have a direct relationship and a direct duty of care to protect that data. Similarly, if you’re a health care organization with your pay patients, you have a direct duty to that patient.
However, if you’re a restaurant and someone gets sick, and that someone happens to be a surgeon who was needed to perform emergency surgery but was not able to do so because of food poisoning and the patient dies, the restaurant is likely not liable to the dead patient’s relatives. So these are the types of questions that courts are asking. And so our traditional risk analysis framework really has not been up to this point. But the good news today for you is we’re gonna talk about how to get you there. And now I’m gonna turn it over to my co-presenter, Terry, to get into the weeds.
Jen, that was a fantastic introduction. I really appreciate it.
I am Terry Kurzynski. I’m a working security professional, so I’m not an attorney.
I’m a founder of HALOCK Security Labs, and I have all the security certs behind it. But one of the key ones here is I’m also one of the contributing authors and founders of the Duty of Care Risk Analysis Council. So the DoCRA Council is something I’m a board member of.
And Jen and I also share a board with the Midwest Cyber Security Alliance. So getting into it, the first one we have here is a poll question. So I’m gonna give everyone a second here to respond. But does your organization perform risk assessments?
We just wanna take a real quick poll on this and, you know, we got a, b, or c. A, does not exist? Or b, ad hoc, occasionally, or c, on a regular basis? Let’s see where everyone is.
Looks like most people are doing it either ad hoc or on a regular basis, so we’ll move on.
So what we’ve learned so far: Jen did a great job building up and showing that the HIPAA security rule is based on and requires risk analysis.
And then second, that judges determine negligence based on a multifactor balancing test. What we’re gonna also show going forward here is that information security frameworks almost universally require risk assessments.
So what does this really, you know, what does this mean, and how do we, how are we gonna play forward with this? So let’s take a look.
So the message today is all about your risk assessment. So your best defense is a properly framed risk management program that will allow you to meet compliance requirements, limit your liability, and prioritize information security activities for the infosec folks and IT folks. Right? So all of this can actually come from the same risk management program. So we don’t have to have fiefdoms doing their own programs and prioritizing their own activities. We can have one centralized risk management program that the entire organization can work from that meets everyone’s needs.
So we’ll see how that happens here in a second.
So a couple examples. So what I’ve seen over the last few years, in several cases where large health care organizations are breached, and I had actually three of these exact same ones in the last two years. OCR’s investigation reveals the lack of risk management.
So then HALOCK gets the call from the health care provider’s privacy attorney, you know, and they need an emergency risk assessment. So HALOCK performs a Duty of Care Risk Analysis, and we’ll talk about what that means in a little bit. So we perform a Duty of Care Risk Analysis (DoCRA), and the related risk treatment plan gets accepted by OCR, and in fact gets included in the corrective action plans. So net, the health care organization can take control of its post-breach remediation efforts based on actual perceived risks versus a wish list from a regulator, which is what we’ve seen in the way past, is that you just see the kitchen sink thrown into the junk to release.
So from the auditor perspective, so another example. So, you know, HALOCK has a client who does work for Health and Human Services.
And so HHS is our client’s client. Alright? So HHS audits our client, and they actually send out NIST auditors to do that. So the auditors use a strict interpretation of a control set, and they wanted our client to spend money on an expensive control that would have been burdensome without any reduction in risk.
So our client auditor then conceded and moved on. So they were able to show that listen. The whole idea of these regulations is that they’re risk based. So if you can’t show that you’re actually reducing risk or the harm to the public, it’s a burden, and it’s not a reasonable control.
So in our case, our client was able to do that. So understanding and managing your risk, you can better manage interested third parties.
Another example on the litigation side. So we had a state’s attorney general who was peppered with complaints about a breach of personal data from a particular health provider. It was a national provider.
When reviewing the discovery, including the risk assessment, the attorney general concluded that the organization was assessing not only the harm to itself, but the harm to others outside the organization and that the organization was performing its duty.
So the AG does not pursue the complaint, concluding that bad things happen to good companies and the case was a loser for the state. Didn’t wanna take it up. So message received here, a proper risk assessment can reduce liability and lawsuits even when the breach happens.
So risk assessments are universally required. Almost all information security statutes, regulations, and frameworks are telling us we have to use risk analysis to determine the reasonableness of controls. You know, ISO 27001 is on top, for example. So, you know, one of the first things you do, and I’m not gonna go through all of these, just as an example, but one of the first things you do is establish the security organization and the scope and boundaries for ISO 27001, and then you perform a risk assessment.
You then leverage the Annex A controls to reduce the risk to an acceptable level as defined by the organization. You know, all the other frameworks have kind of a similar process. You know, you do a risk assessment, you grab controls, you reduce the risk to an appropriate level, an acceptable level. And I keep throwing out acceptable because we’re gonna get into a problem with the definition of acceptable in a little bit as well.
So, you know, there’s this question always. Why is risk so difficult? You know, if all these organizations are breached and OCR does the investigation, they don’t have a proper risk assessment, what’s going on? Why is this so difficult for people to do? It’s the first thing on, you know, 45 CFR 164, as Jen pointed out. Why are organizations not performing it?
So the threat vulnerability landscape is in constant motion. Our threat actors are constantly changing their methods.
They’re evolving and changing. We got lots of interested parties with different expectations. So you have the IT folks, you have the legal folks, you have compliance, you have risk, you have outside interested parties or vendors, you’ve got the regulators, so you have all these interested parties, maybe even board members.
It’s difficult to measure the probability of any given threat vulnerability pairing.
So the impact scoring gets a little tough, and it’s tough to appease the business and also pass the balancing test with the courts, the multifactor balancing test that Jen was alluding to.
Prioritizing risk is a challenge.
It’s time consuming, and the other thing is it appears to be out of date the minute we publish the risk register. There’s this other concept that performing risk assessments can be risky business, and that’s partly because the organization hasn’t properly defined what the risk appetite is.
The risk assessment process doesn’t include key personnel. They say, well, just let the compliance people take care of it. But executive management doesn’t get involved. The business doesn’t get involved. We don’t know all the business processes, the people, process, and technology that might be contributing to risk.
It only considers the company’s risk, not the public’s. So what’s the harm to me? A lot of risk assessments we see are about me. Me, me, me, and they don’t consider the harm outside the organization.
This is a big one. We see the quantification of risk only in terms of dollar limits. And I’ve used this example before, but in negligence cases, some of those attorneys on the phone might remember the Ford case back in the seventies where the Ford Pinto was exploding and everyone inside would just burn to death. So when the class action lawsuits started coming, Ford’s defense was that they did their cost benefit analysis based on the Hand rule.
And they basically laid out the fact that their actuaries had identified the fact that there was a risk of these cars burning, but they put a dollar amount of $200,000 on each death, and they had some dollar amount on the cars. And they said it was gonna cost about $49 million in death benefits and lost cars, but it’s gonna cost over $135 million for us to change the design of the gas tank, which would have cost about $12 a piece; they would have to change that gas tank of a $2,000 vehicle. It would now be a $2,012 vehicle, and the actuary says, you know, our cost benefit analysis to us says that we need to go with the lower cost.
They said they used the Hand rule in court. That was their defense, but they didn’t actually apply the Hand rule correctly. They did not consider the gravity of the injury to the other parties. They only considered the harm.
In fact, they only considered the dollar amount in cost benefit analysis to themselves. So they had the punitive damages because of that.
Jen alluded to this one too. General counsel likes to constrain the process with concerns over, you know, risk documentation.
I’ve seen this a few times with our clients where I can’t even write anything down. I can only have a phone call with certain parties and whisper what the vulnerabilities are. And I think that’s a real challenge because if that organization needs to prove their duty of care, they’ve got no proper documentation. They can show that they’ve made no efforts to assess the foreseeable harm, gravity of injuries to themselves or others, that they’ve taken steps to remediate. They don’t have any of that published. They just eliminated it all, saying that if it never existed, we didn’t have an obligation to actually do anything about it, and I think this is a big mistake.
A lot of the risk assessments I see lack, or at least the board perceives as lacking, insights. And one of the big reasons for that is what they’re calling a risk assessment is not a risk assessment. Jen alluded to this concept of a gap assessment. I’ll also say that maturity assessments, maturity model assessments, fall in the same gap.
So when you see something like HITRUST and it says, am I one, two, three, four, or five on maturity? The problem with that, I don’t know if I need to be at a three and go to a five in this domain or that domain. Only risk analysis can tell us that. So maturity models lack a real, a level of insight on what do I need to do.
It’s a report card on where I’m at, but it doesn’t tell me where I need to make my investments, where my risks are, and how to actually shore those up. So it puts the board in a very, very difficult situation on where to make investments. They now have to trust the gut of the IT or compliance folks and where they wanna make the investments versus having concrete risk in front of them that they can say we need to treat that risk.
In the event of a breach, how do you feel your risk assessment method affects your liability? A, do you think your risk assessment method process, once discovered, will increase your liability?
Do you think it’ll decrease it, or you just don’t know?
Alright. We’ve got everyone answered. So everyone believes that it’ll decrease. So everyone feels they’re in good shape. So in the information security age, we really need a risk assessment, and not just any risk assessment. We really need a duty of care risk assessment.
So everyone, if you can hear me okay, I’m gonna just turn up my volume just a little bit. Okay?
Let’s move forward here.
So what is Duty of Care? Alright.
So if you were breached and you’re in front of a regulator, judge, or interested party, as Jen had mentioned, there’s always a control that you could have had in place that could have prevented the breach. The question will come up, why did you not have this control in place? Or why was it not correctly configured? Or why was it not protecting that asset in addition to other assets? So the real question being asked is, did you do your due care where you had a duty of care? So if you had a breach, you know, there’s a determination of whether or not you had a duty of care to yourself or another party.
So once it is understood that you had a duty of care obligation, the next determination is whether you performed your due care. Did you apply the controls and bring down the risk to a reasonable level?
Was that risk appropriate to the parties for which you had a duty of care?
Okay.
This concept of reasonable person, and we see this concept of reasonable being used a lot. We see it in the HIPAA security rule. And just to quote Oliver Wendell Holmes Jr.: “for society to function, a certain average of conduct, a sacrifice of individual peculiarities going beyond a certain point, is necessary to the general welfare.”
So the reasonable person takes into consideration the harm they may pose to themselves and others based on their actions or intended actions, and then the reasonable person is gonna consider alternatives to their actions that would pose less risk or harm and still accomplish the mission.
This is called due care.
So and, you know, Jen might comment on this one too. I’ll kind of walk through this case of where the FTC failed to define reasonable. So some of you may know about the LabMD case, where the FTC files a complaint against LabMD for failing to protect the security of consumers’ personal data. So the FTC alleges that LabMD failed to provide reasonable and appropriate security for personal information.
At about the same time, the House committee was having hearings because the FTC doesn’t have a comprehensive information security program to refer to. This is sort of happening in parallel with the LabMD case.
And, LabMD then files a petition for review with the court saying that they don’t agree with FTC.
In twenty eighteen, so this is last June, the federal appeals court sided with LabMD, saying the FTC did not have a proper definition of reasonable security. And so they put that case aside.
So, you know, net here is that the FTC failed to define what a reasonable and appropriate security program looks like or a specific standard that could be referenced as a framework for organizations to follow.
And I have a couple comments there, Terry. I mean, I would say, I mean, LabMD is interesting because it’s been going on for many years, really before, you know, reasonable security measures were in the forefront.
And so I don’t think that there was something like DoCRA or other types of security frameworks were really in the mind to say that was the duty of care. You should be following that. And I think that’s the underlying factor here is that, you know, the FTC was trying to hold LabMD to a standard without being specific about what they were.
And just specifically for the legal eagles on the phone, this really comes under Section five of the FTC Act. They were trying to say this was an unfair act or practice that caused or likely caused substantial injury to consumers and that’s where it was brought. But that’s why this discussion today is so important is what are reasonable security measures? I mean, this is what clients ask me all the time.
Just tell me what I need to do. I wanna be at a safe harbor. There are certain states that say if you meet a particular framework, then you have some shield of liability. But that’s really what the industry has been grappling with, in particular over the last, I would say, five to seven years.
What are the specific reasonable security measures you want me to do so that I’m protected on the back end? And, unfortunately, that really depends upon your organization’s particular risk.
Thanks, Jen, for the clarification on that.
So the transition here so what do the courts mean by reasonable safeguard? So if the courts are saying, hey. The FTC, you didn’t define reasonable well. What are the courts defining as a reasonable safeguard?
And what we’re seeing here is we have to really go back to the calculus of negligence. So the multifactor balancing test that forty three states follow, and the other six or seven just say was the risk foreseeable, all has its roots back in the calculus of negligence. So Judge Learned Hand, nineteen forty seven case, US versus Carroll Towing. Judge Learned Hand comes up with this great idea of negligence, that’s the calculus of negligence.
This is how he determines whether an organization is negligent. So was the harm foreseeable? What was the gravity of the injuries? And what was the burden to you to have reduced it, and the cost of the safeguards to reduce that risk to a reasonable and appropriate level?
That was really the nut of the calculus of negligence.
So that’s what the courts are saying. That’s how they’re doing the negligence cases, and that’s how the multifactor balancing test is working today. And if we really break down the language, this is what came across us about six years ago when we discovered how to develop the Duty of Care Risk Analysis. We saw that the calculus of negligence is on top, so that the burden of the organization, you know, of the safeguards, they’re not expected to hurt or break yourself in order to help others, or the weighted impact to others.
So that probability times the liability piece, there’s a calculus there. It says, like, listen, if that weighted impact is really small and the cost and burden to you is really high, that’s not reasonable. However, if the weighted impact, the probability of something happening and the harm to others, is really high, and the cost to you or burden to you is relatively low in comparison to this weighted impact, you’re expected to implement those safeguards, or that burden to you, to actually reduce that harm to others. And when you look at the bottom scoring, so those that are involved in risk assessments, you know that the standard calculation for risk looks like this.
Risk equals your likelihood times the impact. Right? So you have the risk scores based on this likelihood and impact.
And you see that looks very similar to our probability and liability. So we suddenly, it dawned on us that if we have a properly framed risk register, risk management framework, if it’s set up in a certain way, it can not only direct the organization’s activities, but can actually meet this negligence threshold and meet what compliance and regulators are looking for. So this is a really interesting find.
And I just wanna kinda transition now to say, well, okay. There’s other assessment frameworks out there. Why aren’t they doing this? Why are they not actually assessing risk the same way?
And the answer is you’re gonna see lots of things out there that people are calling a risk assessment, but they’re not risk assessments. Alright? So what I’m kind of throwing up here is you see these columns, the different evaluations for these different assessment methods. Those columns are what regulators, every regulator, and every litigator expects to see in an organization.
And so by meeting or doing these things, you’re showing that you’re meeting your duty of care. So we see maturity models on the bottom. A maturity model is simply stating how mature is this control on a scale of, you know, either one through three or one through five, and sometimes as simple as it’s implemented, partially implemented, not implemented. I’ve seen them that way too.
And so it doesn’t really tell us anything about risk or decisions we need to make unless we’re just gonna say we’re gonna implement all controls at a five. It doesn’t tell us anything. Gap assessments, as Jen alluded to, is another problem. It just tells you the gap to a compliance, to a control, but it doesn’t really tell us to what extent we need to implement that control or if it’s sufficient.
You know? So we may have implemented the control, but I don’t know whether it’s sufficient or not or whether it’s actually meeting our risk threshold.
The FAIR assessment that’s out there, its big issue is it’s quantifying risk in terms of dollars, and it’s only quantifying that in terms of impact to me. And it kinda makes the assumption that the impact to me is the same acceptable risk as impact others outside the organization.
So while Jack Jones has put together a very popular assessment for FAIR, it’s not gonna meet the mustard in front of a judge. So we gotta modify that. You gotta assess the risk and harm to others outside the organization.
You see the traditional IT risk assessments, like ISO twenty seven thousand five and NIST eight hundred dash thirty and Risk IT, they go a little bit further. They do estimate the harm to others in some cases, but they don’t define an acceptable level of risk or have a definition of reasonable, nor do they evaluate the safeguard risk. So the risk treatment sometimes creates more harm than the thing you’re originally treating. And it might be too costly. It might affect your mission. So all those things are not evaluated in all the other assessments.
So I’m just kinda summing up the response you would see from, like, say, a maturity model. You would see something like, the control is a three. We decided not to go to a four, and the judge or regulator is saying, well, I don’t know what that means. You know? So a gap assessment, the auditor said we were compliant. And the judge or regulator is saying compliance is not a measure of reasonableness.
ISO twenty seven thousand five and NIST and FAIR, you know, well, management accepted the risk to the asset. And the judge or regulator is saying, well, you didn’t consider the harm to the public. You accepted the risk on behalf of the public.
So and then we see that CIS RAM, Center for Internet Security, and we’ll get to that in a second, and Duty of Care Risk Analysis (DoCRA), the control provided a reasonable balance between foreseeable harm and the burden to sustain the control. And the judge or regulator’s response, that’s due care. Okay?
So first, this video that we’re about to see, so hopefully everyone’s audio is on and you can hear this.
I’m setting the stage here. So HealthCare.gov had just launched, you know, their website, and information security experts were saying that there’s vulnerabilities.
And so Darrell Issa had thirty one hearings about the security of HealthCare.gov and the head of HHS, CECO, and CMS, only to find out that they simply accepted the risk and launched the site. And so this is the video where he’s commenting on that.
Eric, you can launch the video.
Under current law, it is possible to launch a site by simply saying that an executive within the administration of the right level has the ability to accept the risk.
That current law allows an administration official to accept the risk or almost the assurance that American people’s personal identifiable information (PII) will be compromised.
There is no protection against a judgment call that the risk of billions of dollars, trillions of dollars, the entire economy can in fact be waived by an administration official. Meaning, there is no standard other than the acceptance of risk.
Looks like the video may have ended there prematurely. But Darrell’s saying basically that there’s no standard other than the acceptance of risk. And the reason why he’s saying that is because most of the government agencies for risk follow NIST eight hundred dash thirty. And so for any of those of you on the line familiar with NIST eight hundred dash thirty, it has the concept of a designated approving authority.
And that designated approving authority simply has the power to accept risk or not accept risk. There is no standard by which they’re accepting this risk. There’s no guidance provided by Dr. Ron Ross over at NIST for how you accept that risk. You simply have the power to accept that risk, and that’s where the thirty one Senate hearings came in from Darrell Issa, understanding, like, how did this come to be? And it’s because the standard actually fails to define an acceptable level of risk.
So the other issues that we have on some of the risk assessment standards there is the impact scoring. So what we’re gonna see is that the majority of the risk assessments I see focus on the impact to the asset itself.
That website has a SQL injection.
That network is not segmented and could lead to unauthorized access. And so all these terms, they talk about the confidentiality or availability impact to the asset. Occasionally, they’ll have a narrative written up that tries to communicate the risk to the organization, you know, but they usually fail at it. There’s no framework to interpret those impacts to the organization.
So we end up seeing it looking like this. So you have a typical kind of risk register scoring where we have a likelihood, but the impact is on the asset. And the narrative that you’re talking about the analysis, again, talks about the asset. So we talk about here, unsecured networks and systems can introduce vulnerabilities and attack vectors increasing the risk of compromise.
This is an actual risk register that I took from a client. It was not performed based on Duty of Care or CIS RAM. And what we’re seeing there is, how can the business interpret that risk analysis? How can the business understand what that really means, impact-wise, to its mission, its objectives, its obligations, or the harm it can do to others?
It has to do a whole other set of risk analysis to understand what this even means to the organization. And so now they’re left not knowing really how to operate and where to budget dollars.
Don’t do it this way.
So if we could have the perfect standard, right, one that made sense to judges and regulators and security experts, what exactly would it include? So one, it would have a standard of care always there. Right? So one that professionals accept as a standard set of controls.
We would identify vulnerabilities. We would consider the threats or foreseeable harm that creates, the harm to self, the harm to others outside of the organization. Right? What was the likelihood estimates?
And it would have to define an acceptable level of risk. We saw the issue with NIST eight hundred dash thirty: it did not define an acceptable level of risk. Instead, it just had this DAA saying I accept the risk, which might be a CEO, might be the head of risk, might be the head of security. Not good.
Defines reasonable.
Right? So everyone’s out there. We have a problem defining reasonable. We’re being told by the FTC to implement reasonable controls.
What does that mean? I don’t have a definition with my organization for that. If we had a perfect risk framework that helped me define reasonable, I would follow it. And then we also would want one to evaluate safeguards.
Why? Because that is exactly what we’re being asked in negligence cases. We’re not expected to hurt ourselves in order to protect others. We’re expected to have a balance.
But if it’s not a big burden to me and the harm to others is great, I am expected to do it. So I need to be able to evaluate the safeguard risk right in this risk register, in the risk framework.
So the good news is this already exists. So under full disclosure, as I mentioned, I’m one of the authors of the Duty of Care Risk Analysis. The standard is a 501(c)(3) organization that was set up. The first published methodology, we published with the Center for Internet Security.
It’s called Risk Assessment version 1.0. It’s a complete step by step guide. Whether you’re tier one, two, or three, you will find the right methodology for yourself in the CIS RAM. It’s a free download. It has free worksheets and Excel spreadsheets to do your work papers in.
And one comment is, the CIS RAM, while it does focus on the CIS controls, you can harmonize it with whatever set of controls or regulations or legislation you want, including HIPAA.
So if you wanna harmonize the HIPAA security rule controls as well as NIST eight hundred dash fifty three controls, because the directives under the HIPAA security rule are a little bit vague and the controls under NIST eight hundred dash fifty three are more specific, you can harmonize them right in there and use these. These are free resources available to you right now.
So let’s talk about, so we know that regulators and judges will like duty of care risk. So how will this work with business management? Why is it business management friendly? It’s because risk management is really supposed to be about reciprocity.
You know, expect me to reduce the risk of harm to you, but don’t expect me to break myself in the process, because I would never expect you to break yourself in order to protect me. So it’s this equal kind of golden rule that we’re working under in risk management.
So if we think about duty of care risk and we think about traditional heat maps, we’re gonna have to redo them. So originally, if you look on the left here, it says likelihood; the horizontal is impact. We multiply the two together, and we get a risk score. So if it’s high, like a five times a five, twenty five is a really high risk.
Whereas a one times a one is considered negligible or almost zero risk. But if we look at what’s really being asked of us out there, we’re not asked to get to zero risk. Perfect security doesn’t exist.
I drove to work today. I didn’t expect zero risk of an issue this morning, but because there’s an economic benefit. So there’s this trade off of the mission and utility, and that has to be a part of the equation. We have to have and define this acceptable level of risk to the organization. So really, traditional heat maps go away and we look more like this, whereas getting to zero risk is actually risky. We don’t wanna over control the organization.
So we’re all about balance. Right? And I wanna get to, I need slide four, because I know we’re running out of time here. I didn’t realize that we’re getting towards the end.
So what we’re seeing here is a strict interpretation of a standard. So it’s a strict liability interpretation of a standard. In fact, regulations are relative to risk and need to be managed as such. So if we see here, if you did an audit under strict liability, the blue is where you’re compliant.
The yellow is where you would need to still implement controls, and this is under kind of a strict liability interpretation.
However, if you use risk the way it’s supposed to under this cost benefit analysis, you’ll see that the blue is what you have, and then yellow now is your burden to implement controls to get to a reasonable level. I’m now no longer over controlled nor under controlled, but appropriately controlled with reasonableness.
K?
Poll question number three.
Our organization uses risk assessments as a cost benefit analysis for prioritizing risk treatments.
I agree, somewhat agree, disagree, don’t know.
Okay.
We got somewhat agree, and disagree, and I don’t know. We’ll move on.
So how do we calculate the acceptable risk definition? We kinda went through this before, but, if I were to click through here. So we have an impact.
Right? So an intolerable impact times an expectation that it’s gonna happen at some point. So, an intolerable impact that’s expected. So I have this kind of three times three, that gives me my acceptable risk score. So anything less than that can be my acceptable risk. Anything that scores above that, in this case, a nine or above, I’m gonna treat, and usually in prioritized order or fashion. K?
So Duty of Care Risk scoring, how does it look? If I’m not looking at the impact on the asset, what am I doing? Well, I’m gonna look at the organization’s mission, the impact on the mission, its objectives, and its obligations. What does that look like?
So I’m gonna identify, you know, my mission. What do I do for the world? What’s my utility? What am I doing?
My objectives. I can have multiple objectives. I can have multiple obligations. But I wanna measure my impact scoring to these things, because this is what the business understands.
This is what the judges are gonna understand. This is what the regulators are gonna understand.
What does it look like? This is a simplified risk register. I’ll just do it as an example. So this is a hospital’s full risk assessment criteria.
So we see we have the mission, which is health outcomes. We have an objective here of a balanced budget, and then we have an obligation of patient privacy. Right? So I have negligible impact at one.
I have two, which is really an acceptable level of impact in plain English. And then the third one is the unacceptable level. Now I don’t have to have all three of these in unison in order to define a risk. I can have any one of these be a risk.
Right? So I can have an impact to my mission or an impact to my obligation that’s at a three, that’s unacceptable. And if it’s expected, I’m going to do risk treatments against it. I’m gonna remediate anything that is at that unacceptable level of impact that is expected.
In this case, I defined it as expected but rare. So this is a way for me now to organize the organization’s entire risk register based on mission, objectives, and obligations, the impact in the language the organization works in, the language of regulators, the language of judges. I now define an acceptable level of risk. And the acceptable level of risk has to be not only acceptable within the organization, but would be acceptable to interested parties outside the organization. So this will take some legal counsel on that one.
So and I’ll just run through an example because I know we’re running short on time.
So as an example of inappropriate risk. Right? So we had all routable devices as an asset.
The owner is IT, and there were sporadic asset scans that we performed. So the problem with that is the threat was undetected compromised systems might enter into the network. The risk scenario here is that irregular asset scans may not identify a compromised system that gets joined to the network, and then it becomes an attack vector for the organization. So we calculated the mission’s impact at a two, the objectives at a three, the obligations at a three, and then likelihood at a three.
So the scoring came in at a nine, right kind of on the line. Okay? So what can I do to reduce that a little bit? If I implement a NAC, a system assessment process for alerted devices. So it’s a moderate cost that would have minimal impact on the budget.
Installation of the tool is likely not disruptive. So now my mission goes down to a one. My objectives go down to a two. My obligations, impact goes down to a one.
Now, actually, my likelihood goes up, but my score goes down to eight, which is an acceptable level of risk.
Alright. So that’s just an example how we run through these. I know this is a very rudimentary example. I just wanna see how these run. So I’m gonna kinda skip these because we’re out of time and get to our summary.
Alright. So solving the communication gap that Jen had mentioned in the beginning, it’s now solved. So Duty of Care Risk Analysis is the universal translator between the information security community and the legal community. We speak the language of both. Alright? So what Duty of Care Risk provides is a method to evaluate the risk by calculating a potential impact or injury to the organization’s customers, its mission objectives, and external entities. It’s a method to define acceptable risk and helps you prioritize risk needing the treatment.
K?
So we kinda mentioned how the other assessments work in there, and I’ll just kinda give some more flavor to this. So how would a judge interpret a maturity model? The judge says, hey. The plaintiff claims that your data breach would have been stopped if you had used a DLP system.
Were you not using one? Can you explain why? And then you respond, well, when we evaluate our data leakage controls, we’re at a three, and we decided that we didn’t need to go to a four. Judge says why?
Was the burden of the control greater than the risk to the plaintiff? We just agreed not to go to a four. So maturity models just don’t work. And, again, I show how gap assessments don’t work here as well.
And then FAIR: nice job evaluating the threat. I see the dollar value of your potential loss, but I don’t think the control is appropriate for the risk. Well, you can see by this heat map over here that our probable loss is low. And the regulator’s like, your probable loss? What about the impact to others, or harm to the public?
K? Duty of care not only works for regulators and judges, but also works within the organization to align infosec, legal, and business management.
It’s the same language. So in summary, develop and mature your risk management program, update your risk assessment criteria to align with DoCRA so you can defend proactively against a breach, align the needs of the business, right, prioritize risk. Alright.
Let me go back here.
And prioritize risk. Sorry about that. I don’t know why it’s jumping forward on me.
Didn’t have an endpoint on there.
There we go. Sorry about that.
So and then resources available to you. So you can download the CIS RAM from cisecurity.org. That’s a free download. You can upgrade your current security assessment to meet duty of care.
Okay? So you can develop your criteria and acceptance criteria that’s gonna be based on DoCRA, and you can do threat modeling on the analysis. You can evaluate harm to others. Now you can evaluate the safeguards to determine if they were reasonable or if they were a burden to you, and you’ll actually have the calculus documentation to show it.
Alright? Or you can start fresh with a new DoCRA-based risk assessment. So you can either upgrade your current one or start fresh with a new DoCRA-based risk assessment.
And I think from there, we have our last polling question. I would like to receive Duty of Care Risk Analysis checklist and SANS security leadership poster.
You’ll be paired up with an answer from that. If you say you want one, we will send one to you.
And from there, I think we’re right at a minute of time. So, were there questions that we wanted to try to field?
You can also feel free to reach out to either one of us after the webinar is over.
Jen, any comments on anything that you think we needed to really drive home? I think the concept here is that regulations want risk. Judges interpret negligence based on if you evaluated risk and harm to others. The organization wants to manage its investments based on risk to the business as well as the harm to others. And the Duty of Care Risk, a risk assessment, can do that, but not just any risk assessment, a Duty of Care Risk Assessment, which evaluates the harm or impact to mission, objectives, and obligations. If there’s any message, I think that’s what we’re trying to drive home today.
One hundred percent.
I agree with that. It’s really a language that we can all speak together in harmony together.
Thank you for your time today. And, again, if you have any questions, please feel free to reach out to Terry or myself.
Thank you all.
Thank you all. And thank you to our speakers too for their excellent presentations and also you, the participants, for joining