Security Control Gaps Are Not Risks

Randall “Fritz” Frietzsche is the Chief Information Security (CISO) and Privacy Officer for Denver Health. He has over 20 years of experience in IT, 15 years in Information Security, 10 years in Healthcare and is currently a Cyber Security Hub Advisory Board member.

Frietzsche holds a Master’s degree in Information Security and Assurance, as well as the Certified Information Systems Security Professional, Certified Ethical Hacker and Certified Hacking Forensics Investigator, along with 23 other IT and InfoSec certifications. He is a Distinguished Fellow with the Information Systems Security Association (ISSA) and was the President of the Louisville, Ky. ISSA chapter. Frietzsche also teaches Information Security, ethical hacking and digital forensics as an Adjunct Professor, and Cyber Security Risk Management, for Harvard. Frietzsche started his career as a Deputy Sheriff in Indiana and is a graduate of the FBI Citizen’s Academy.

See Related: “Member Spotlight: Randall Frietzsche, CISO, Denver Health”

Last week, Frietzsche penned a post in LinkedIn that gathered hundreds of likes and many in-depth comments. Based on the post results, it is worthy to note that many cyber security individuals are still expressing confusion when it comes to security risk analysis and GAP analysis.

In fact, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently addressed this question as part of its April 2018 OCR Cyber Security Newsletter: Risk Analyses vs. Gap Analyses – What is the difference? 

What is the difference between Risk Analysis and Gap Analysis?

It said that under HIPAA Privacy, Security and Breach Notification Rules, covered entities and their business associate are requited to safeguard electronic health information (ePHI) through reasonable and appropriate security measures. The first step in doing so is through a risk assessment. According to OCR, there are certain elements that should be incorporated into the risk analysis:

• The scope of the analysis should address all of an entity’s ePHI, regardless of the medium in which it is created, received, maintained, or transmitted, or the source of location of its ePHI.
• Identify locations of information systems and information systems where ePHI is created, received, maintained, or transmitted. Such an inventory should consider not only workstations and servers, but also applications, mobile devices, electronic media, communications equipment, and networks as well as physical locations.
• Identify technical as well as non-technical vulnerabilities.
• Assess current security measures such as encryption and anti-malware solutions.
• Determine the level of risk for threat and vulnerability combinations identified by the risk analysis.
• Documentation should demonstrate that a covered entity’s or business associate’s risk analysis was conducted in an accurate and thorough manner.
• Conducting a risk analysis is an ongoing process that should be reviewed and updated regularly.

See Related: “Incident Of The Week: UW Medicine Patient Data Exposed Online”

On the other hand, while a Gap Analysis may be a useful tool to help, it is not required by HIPAA rules. The Healthcare Compliance Pros identify Gap Analysis as a “narrowed examination of a covered entity or business associate’s enterprise to assess whether certain controls or safeguards required by the Security Rule are implemented. A gap analysis can also provide a high-level overview of the controls in place that protect ePHI, without engaging in the comprehensive evaluation required by a risk analysis.”

What Does This All Mean?

Here is where Frietzsche breaks it down into a more digestible format:

Security control gaps are not risks. If I leave my front door to my house unlocked, that is not a risk — it is a security control gap. It is a vulnerability. If a burglar or home invader uses that vulnerability to enter my home, and the loss event is the loss of property or loss of life — THAT is the risk. The risk is the RISK of the loss event occurring.

The control gap simply is a contributor to the ultimate risk. We have to understand what that means for our business.

If we have a breach — we might have legal, reputational, compliance, financial, etc. — issues. THAT's the risk – due to security control gaps, we’re at a higher likelihood of those risks becoming reality. One vendor's lacking around data loss prevention (DLP) may contribute to that overall business risk, but that vendor's shortcomings on DLP is not a risk.

So from this, we can actually track business risk — we identify those internal and vendor-related control gaps — we qualify or quantify those gaps in terms of how they contribute to the overall business risk. How does that unlocked door increase the risk of loss of life or property?

If we live in the middle of Nebraska — most people probably do not lock their front door. But, if we live on the south side of Chicago, the likelihood of a threat using a vulnerability/control gap to make that risk a reality is much more likely.

Use this when you are doing risk analysis. Risk is not control gaps. Consider this!

See Related: “Encryption & Controls: Reducing Insider Threats In Healthcare