Enterprise Resilience - Healthcare edition (Part 2: Risk Classification)

In the previous post in this series I introduced the healthcare dilemma from the CISO perspective, then attacked the Build vs. Buy issue in a 2-part series, so today we get into the serious topic of risk classifications... or, as the quote from The Princess Bride goes, "...when death is on the line."



Importance of Risk Classifications


Before you tell me that risk classifications are important, and water is wet, the sun is hot, and ice is cold... I'd like to remind you how many large, small, and everything-in-between enterprises still do it poorly.  I almost wish it were as simple as the data telling you whether it's critical or not, but let's face it, the game is very rarely that simple.


When I managed an IT organization at a financial start-up a number of years ago, "everything" was critical.  Our customer database, their financial and personal information, our feeds, people's payroll information, and everything in between.  No one was willing to say "this data over here isn't that important"... heck, even the call center manager classified his data stores as "Tier 1" (meaning: company critical).


Now fast-forward to working as a consultant with several medical and healthcare organizations over the past decade.  As I go through my notebooks from those years, looking at network diagrams and designs, hacking and recovery exercises, and data protection initiatives, I realize that it's still difficult to classify anything as non-critical... but if you're a healthcare provider like a hospital or medicinal dispensary or similar, there's critical and then there's critical.  The former will get you fined or in trouble with the FDA or worse... the latter will potentially kill someone if you screw it up.  The difference is huge.



[Figure: Concentric circles]

Defining Critical


When we're defining data classification levels for healthcare providers, we have to think about the absolute worst-case scenario: loss of life.  My recommendation is that when you're doing risk assessments you do this for yourself... draw a small circle in the middle of a page and call it "Human Life", then draw several concentric rings radiating out from the center.  In the innermost ring, the one that immediately surrounds the "Human Life" circle, put the systems and data that are directly responsible for life support and life maintenance: things like the heart monitor that lives on the network and provides real-time feedback to the central nurses' station, and the application that manages case records and medicinal formulations/dispensations.  In the next ring out, write in all the things that are one step removed from these life-critical systems, such as the application infrastructure that allows doctors to seek a second opinion on an x-ray from a doctor in another hemisphere.  Keep drawing and filling rings outward until you've placed every system, application, and data asset in your organization.  Now you've got your risk classifications... based on the thing you care about most: human life.


Once you've gone through this exercise within IT, it's time to run the same exercise with the heads of the different departments in your organization, and basically everyone in the management chain outside IT.  Nothing against IT people, but we're really not necessarily the best judges of what a doctor may need to restart someone's heart... but over time, and with enough of these exercises, we'll get much better at the task!



Learning from the Circles


One thing that quickly becomes apparent is that you have a lot of critical systems, and you're going to need to pare them down further in order to get a starting point.  In most healthcare organizations the sprawl of 'critical systems' is swift and difficult to contain.  There are always new technologies that pop up to give doctors an edge when it comes to saving lives and improving people's healthcare - which means that we need to keep track of those systems ever-more carefully lest we lose track of what really matters.


For me, the point where I learned the most was not the first iteration of the concentric circle exercise within IT, but when I sat down with the various department heads.  At a hospital I sat down with the head of radiology, the head nurse, the head of the ER and various others, and each of them had a slightly different perspective on things.  To the head of nursing, the dispensary and support systems were the most crucial, as her team needed to manage multiple patients at the same time across a floor, or "pod"... but for the head of the Emergency Room it was all the devices and information systems his staff required to get that edge over someone's critical ailment.  While they rarely had exactly the same things in the 'critical' ring, what I realized is that the things that multiple department heads (and my IT team) all placed in the critical ring were super-duper critical, and I based my overall analysis on how often the same system showed up in a given ring of criticality across the different assessors.
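The consolidation step described above (weighting a system by how many assessors placed it in the innermost ring) and the "one step removed" rule from the Defining Critical section, written out as an added worked example; this is not code from the original post or from any tool the author used. The stakeholders, asset names, ring numbers and dependency edges are constructed sample data, and the propagate_support() rule (an asset that keeps a ring-N asset running sits in ring N+1 at the latest) is my own formalization of "one step removed", not something the post specifies.

```python
"""Consolidate 'concentric ring' criticality assessments from several stakeholders.

Ring 0 is the ring that touches "Human Life" (life-critical); higher rings are
further removed. All data below is constructed for illustration.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample: each stakeholder places the assets they know about in a ring.
ASSESSMENTS = {
    "IT": {
        "network heart monitors": 0,
        "case records / dispensing app": 0,
        "tele-radiology portal": 1,
        "core switching fabric": 2,
        "payroll": 3,
    },
    "Head of Nursing": {
        "case records / dispensing app": 0,
        "nurse-station alarm display": 0,
        "network heart monitors": 1,
        "tele-radiology portal": 2,
    },
    "Head of ER": {
        "network heart monitors": 0,
        "nurse-station alarm display": 0,
        "case records / dispensing app": 1,
        "tele-radiology portal": 1,
    },
    "Head of Radiology": {
        "tele-radiology portal": 0,
        "PACS image archive": 0,
        "case records / dispensing app": 1,
    },
}

# Constructed dependency edges: supporting asset -> assets it keeps running.
SUPPORTS = {
    "core switching fabric": ["network heart monitors", "nurse-station alarm display",
                              "PACS image archive"],
    "identity directory": ["case records / dispensing app", "tele-radiology portal"],
}


def consolidate(assessments, critical_ring=0):
    """Merge per-stakeholder ring placements into one record per asset."""
    rings = defaultdict(list)
    for owner, placement in assessments.items():
        for asset, ring in placement.items():
            rings[asset].append((owner, ring))
    merged = {}
    for asset, votes in rings.items():
        values = [r for _, r in votes]
        merged[asset] = {
            "critical_votes": sum(1 for r in values if r == critical_ring),
            "min_ring": min(values),               # innermost ring anyone gave it
            "mean_ring": round(mean(values), 2),   # how far out it sits on average
            "assessors": sorted(o for o, _ in votes),
        }
    return merged


def propagate_support(merged, supports):
    """An asset that keeps a ring-N asset running belongs in ring N+1 at the latest.

    Hypothetical rule encoding 'one step removed'; updates merged in place and
    returns it. Assets nobody assessed are placed purely by what they support.
    """
    changed = True
    while changed:                      # repeat so chains of dependencies settle
        changed = False
        for supporter, supported in supports.items():
            known = [merged[a]["min_ring"] for a in supported if a in merged]
            if not known:
                continue
            inherited = min(known) + 1
            entry = merged.get(supporter)
            if entry is None:
                merged[supporter] = {"critical_votes": 0, "min_ring": inherited,
                                     "mean_ring": float(inherited),
                                     "assessors": ["(inherited from dependents)"]}
                changed = True
            elif inherited < entry["min_ring"]:
                entry["min_ring"] = inherited      # pull it inward, never outward
                changed = True
    return merged


def rank(merged):
    """Most agreement on 'life-critical' first, then innermost ring, then mean ring."""
    return sorted(merged, key=lambda a: (-merged[a]["critical_votes"],
                                         merged[a]["min_ring"],
                                         merged[a]["mean_ring"], a))


if __name__ == "__main__":
    table = propagate_support(consolidate(ASSESSMENTS), SUPPORTS)
    for asset in rank(table):
        e = table[asset]
        print(f"{asset:32} votes={e['critical_votes']} min={e['min_ring']} "
              f"mean={e['mean_ring']} by={', '.join(e['assessors'])}")
```

Running it puts the nurse-station alarm display, heart monitors and the case records application at the top (two assessors each placed them in ring 0), pulls the switching fabric from IT's ring 2 into ring 1 because it carries ring-0 devices, and leaves payroll on the outside. The point of the ordering key is that disagreement is visible: a system one department calls life-critical and another puts two rings out is exactly the conversation the author says to have with the department heads.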


There was a good bit of science to the exercise, but if you've done one of these yourself, or are thinking about it, remember that it is not an exact one.  Each facility, each organization, and each person thinks differently and depends on different components to be effective.  It will depend on your facility and how you provide care.





As a final analysis, identifying critical systems is absolutely ...well ...critical, as is classifying them in the real rings of criticality so that you can understand how things are inter-connected and what makes your organization tick and operate effectively.


I'd love to hear from someone that's led either this type of exercise, or something similar... just to get your experiences and ideas that perhaps others can work with.


If you're leaving a comment below, please leave your Twitter handle, and don't forget to tell us that you've left a comment on this topic to the #SecBiz Twitter hashtag.  Healthcare is a very interesting, and often slightly unique, animal when it comes to risk, critical systems and getting a grasp on securing these things... thanks for sharing your experiences!

marcin marcin (anon) | 10-28-2012 12:48 AM

Infrastructure supporting the critical systems becomes critical when there is a tight coupling between their components. I have no idea if this is actually true in healthcare, but industrial systems can be hell to segment and secure when vendors or integrators take shortcuts, or do not know any better.

Marcel C (anon) | 10-28-2012 09:34 PM

Wh1t3Rabbit wrote:

... draw a small circle in the middle of a page and call it "Human Life" and then draw several concentric rings radiating out from the center... in the immediate circle that contains the "Human Life" circle you should have systems and data that are directly responsible for life support, maintenance.  Things like that heart monitor that lives on the network...

Interesting read. I've done this type of assessment at a hospital. Based on my experience, I believe that things like that heart monitor likely will not be supported/maintained by IT. In fact, IT may not know anything about it even though it may somehow interface or provide data to the hospital's EHR. It's a sticky situation. Who's on the hook for classifying (or risk assessing) medical devices? IT? Clinical staff? These classification exercises are usually done by IT. Are you proposing that IT should manage the classification of critical network-connected medical devices in addition to the traditional stuff? I don't disagree with that idea. But you know how it goes... this month IT leads a classification exercise, a few months later they'll be asked to support the devices they classified. Based on medical device vulns reported over the past year, I think IT departments will eventually end up providing some level of support to those critical devices that vendors dump on clinical staff and then run away from. What a can of worms that'll be. IT folks already are under-appreciated and often downright abused by clinical staff. What'll happen when IT is put on the hook for providing 1st or 2nd level support for medical devices?



Alfredp (anon) | 10-29-2012 01:52 AM

I work at a bank and every speck of data is classified; it's one of the things we actually do well. It's very important that you indicate to the data owners what the consequences are of certain classifications. In the beginning of our classification effort, some managers thought having critical data was good for their image. When we applied corporate security policies to that data and they figured out protection measures cost money, a huge drive to lower classifications ensued. This did kick off the correct assessment of business criticality, rather than just having subjective opinions of what was important.