PHI Breach detection in county government
The Office of Civil Rights (OCR) maintains a list of HIPAA breach investigations which currently lists over 400 open breach investigations.
One interesting case is Adams County, Wisconsin, which leaked information undetected for over five years starting in 2013; it highlights the lack of controls counties have in place for detecting security anomalies.
It’s pretty easy to determine whether or not counties have appropriate controls in place. The first question to ask is whether they have a risk assessment. If your local government organization doesn’t conduct ongoing periodic risk assessments, you aren’t compliant with the HIPAA Security Rule. So, if you don’t have a risk assessment, get one so you can identify potential problems.
There are roughly 40 policy requirements in the HIPAA Security Rule, and HIPAA sets a low bar in comparison to ISO/IEC 27001 and the NIST CSF. If your county security policy doesn’t have these 40 policies in place, with corresponding processes and procedures, you aren’t compliant with HIPAA.
We offer a low-cost 90 minute HIPAA workshop to help you assess your level of HIPAA compliance. The worst time to find out that you aren’t compliant is after a breach!
© Copyright Jeffrey Morgan, 2018
HIPAA’s not just for hospitals
Most counties and behavioral health organizations aren’t compliant with the HIPAA Security Rule, but don’t take my word for it. Download the HIPAA Security Rule directly from HHS and read it over the weekend. If you want to talk about it, grab a 30-minute slot in my calendar and we’ll discuss your security policies and procedures at no charge.
Read more about our HIPAA services for counties and behavioral health organizations.
For more background, read Jeff’s articles on HIPAA:
- Risk assessments for local governments and SMBs. CIO.com, May 2017.
- HIPAA as an umbrella for county/municipal cybersecurity. CIO.com, April 2017.
- County and municipal cybersecurity – Part 2. CIO.com, April 2017.
- County and municipal cybersecurity – Part 1. CIO.com, March 2017.
- May I see your comprehensive security policy please? CIO.com, October 2016.
- The ACA and the death of medical privacy. CIO.com, August 2016.
- Why should county commissioners and executives care about HIPAA? Careers in Government, February 2018.
© Copyright Jeffrey Morgan, 2018
The rich green scent of dairy cows wafted off the pasture and blew the bitter blue diesel smoke away from my face as I drove our tractor to dig a grave for Cooper. Sweat poured out and soaked my shirt with a toxic cocktail of shock, grief, anger, and guilt. Only a few hours had passed since Cooper was brutally murdered by my neighbor.
What if I had reacted more quickly? What if I hadn’t been so busy watching the new puppy? Had any aspect of the day gone just a little differently, Cooper would still be with us. Five days later, the guilty self-recriminations still loop relentlessly as my mind continues to replay the last few seconds of this beautiful dog’s life.
Cooper was the sweetest, most innocent guy I’ve ever known and he joyously greeted every visitor to our house. When people came to fish in the pond, he always accompanied them and made sure they were doing it right. He even went ice fishing in the middle of winter. He was a Corgi mixed with some sort of hunting dog – maybe a Basset Hound or Beagle. Whenever the tenant farmer came to drop off or pick up his cows, Cooper always helped load and unload the trailer. He was shaped like a fat sausage with short, stubby legs and his head was a little too big for his body. We often called him names like dork and shrimp but it didn’t seem to hurt his self-esteem a bit.
My wife always said that Cooper should wear a cape. He flew around the yard like Super Dog with a huge smile on his face and it was hard to believe those little legs could propel his chubby body so quickly and with such precision. When we gave him and Riley beef bones, they would go to separate sides of the yard to chew. Cooper would soon be slinking off with his signature Elmer Fudd swagger to bury his bone and then return to steal Riley’s.
When he slept in our bedroom, Cooper would throw the same little tantrum every night. He would get on his Sealy Posturepedic dog bed, roll around, and whine about having to sleep on the floor like a dog. Once we were sound asleep, he would quietly climb on our bed. If my stepdaughter was here, Coop would almost always sleep with her. She provided him with a pillow and blanket right next to her and I dreaded breaking the news to her most of all because of the deep bond that had developed between them.
Last year on Memorial Day weekend, only a few weeks after the passing of my English Shepherd, Birdie, some hunters we know stopped at our house with Coop in the front of their truck. They had found him wandering the woods on Armenia Mountain and brought him to their cabin for the night so he wouldn’t be devoured by the local coyotes. They said they were looking for the Animal Shelter, but that was total bullshit. They knew I would give him a home. My wife was in the shower so I took him upstairs on a leash to get her approval.
Who knew then what trouble he would be? We live on a two-mile dirt road with only four households on it. There is little traffic most of the year and we have over 1000 feet of fence surrounding our yard which we began shoring up immediately. The larger dogs can’t escape, but the system wasn’t designed for dwarves. We succeeded in securing the roadside fence but there were still places he could fit through on the pasture side.
Cooper never respected the fence and he was constantly escaping and running down the road. When I called for him to stop, he would turn around, look at me, and then make a mad dash for it. It was a game. As a jolly trickster, he loved all games. I would dutifully hop in the car to retrieve him and sometimes he would run a mile or more before he was out of breath. Then he would just hop in the back seat and ride home content that he had outsmarted me yet again. Over the last year, he had gotten better about the running but never gave it up entirely. Recently he had taken up woodchuck hunting and I was there for his first confirmed kill.
We tried a shock collar starting last fall, but he didn’t seem to care. Once he was running after something there was nothing that could make him stop. One night last winter, I chased him across a field of deep snow as he ripped across the frozen pond to see what the coyotes were making such a fuss about.
Cooper was a tire biter. He didn’t just chase cars; he went to the front and would try to herd the vehicle. On the few occasions when this happened, I was usually already out in the road trying to stop him. Invariably, the people would laugh, stop their cars, and wait for me to catch him. Sometimes they would even open their doors to hop out and pet him as he innately trusted all people. Our road isn’t really on the way to anywhere and people generally aren’t in a big hurry to get nowhere. Like almost all dogs, most people are decent.
Last Wednesday, Cooper had snuck out to hunt woodchucks and finally came back to one of the gates. I called him in but he wouldn’t come. I had our new Great Dane puppy on a leash and I had to take her and Riley inside and lock them in my office. I didn’t need three dogs out in the road. When I got back outside, Cooper had already dashed off to the field across the street. I walked down to get him and he wouldn’t come so I went back to the house to get truck keys as he almost always comes to me if I am in a vehicle. I glanced out the window and saw my neighbor driving down the road very slowly and Cooper appeared from nowhere nipping at the SUV’s front tires. The vehicle was moving so slowly that all the nasty old curmudgeon had to do was stop. At that point I was already in motion and heading out the door. I was only out of sight of the incident for a few seconds.
Once I got out of the gate though, I could see Cooper lying in the road and panic set in. He was rolling his head around as I called out to him and the old bastard’s vehicle was long gone. Coop’s eyes said it all to me. “Jeff, I really fucked up this time, but why didn’t you keep me safe?” The old shit had slowly run him over, dragged his body 25 feet down the road, and sped off. Cooper’s lovely life force blew away with the wind as I held him.
There is not the slightest doubt in my mind that this was malicious intent. He killed Cooper on purpose.
My neighbor is the sort of mean junkyard dog who only bites when your back is turned. He is always snooping in everyone’s business like a malevolent Gladys Kravitz and he is the type who drops a dime if he sees you doing some work on your property without a permit. A malicious gossip, I have never heard him say a kind word about anyone over the 35 years I have known him. We have done him and his family a number of favors related to their property but I can’t think of a single time they have ever reciprocated. A poisonous, greasy trail of bad karma lingers wherever he has been.
My experience with dogs is that they will always come and apologize for some bad deed, but my neighbor hasn’t been dog enough to knock at my door and explain himself. The difference between dogs and humans is that badly behaved dogs can generally be fixed — they almost always want to be good regardless of the abuse and maltreatment they may have suffered previously. While humans have the choice and the capacity, they rarely choose to become better people. This is why relationships with dogs are generally more rewarding than those with humans.
In his late 80’s, my neighbor will be meeting his maker before long and I suspect he will have a great deal to explain when that time comes. I hope an accounting for what he did to Cooper is at the top of the list. While my neighbor qualifies for several of the circles of hell, there surely must be a tenth circle for cruelty to animals.
Digging Cooper’s grave allowed me to take my mind off of the horrific chain of events for a little while. I am not the best front end loader operator and digging in the rocky Pennsylvania soil is always a challenge. I decided to bury him next to Lucy, our Great Dane who passed away in 2016. Cooper never knew Lucy, but he loved all dogs and people, and he even tolerated cats. He is now part of the DNA of this land forever.
The laughter, joy, and happiness Cooper brought to our lives will be with us for the remainder of our days, but we are all still devastated. I can’t help but feel that my wife and stepdaughter both hold me responsible, and I can’t blame them if they do. It was my job to keep Cooper safe and I failed when he needed me most. It’s a painful addition to a long list of lifetime failures – the things I have gotten wrong — the failure to recognize what was important in real time rather than in retrospect.
While the guilt will fade over time, it will come back periodically and stab me in the heart with its cruel, razor sharp blades.
Rest in Peace, Cooper. I’ll try to do better.
© Copyright Jeffrey Morgan, 2018
Stoners at the donut shop
It’s maddening. I pull up to my local branch of a national coffee and donut chain and here’s how the conversation goes.
“I’d like an extra large extra extra and a large extra cream please.”
“Uh . . . What was that again? A large cream and sugar and a large cream and extra sugar?”
For Christ’s sake! They take coffee orders for a living and can’t even get a two-item order right.
Blame it on weed
I blame it on Pot, Reefer, Ganja. How much marijuana do you have to smoke to make your brain function that poorly? All over the country, though, legalized marijuana is being pushed hard by pandering politicians. How will legalization affect society, commerce and the workforce, though?
In my view, no one should ever spend a single day in jail or prison for possessing or using any substance whatsoever. Certainly, no one should have a felony conviction because of this behavior. If you are committing other crimes to feed your habit, though, they can lock you up and throw away the key. Substance use, abuse, and addiction are not excuses for criminal behaviors like property crime and violence.
Just because I don’t believe in incarceration of drug users doesn’t mean that I think using drugs is a good idea. On the contrary, it’s a horrible idea. My wife is a behavioral health executive and former substance abuse therapist and she finds current trends like marijuana legalization and “safe” injection sites to be alarming. She sees the human cost of substance abuse every day and has a difficult time seeing the issue from the libertarian point of view. She has some good points and we both agree that prevention and treatment are better solutions than arrest, incarceration, and permanent criminal records that marginalize people’s lives forever.
Drug-related vehicle accidents now kill more people than alcohol-related accidents and the problem is continuing to get worse. Currently, there are no national standards for measuring drug impaired driving.
Cost of the drug war
However you look at it, the drug war has been an unmitigated disaster. The DEA’s budget alone is around $2.9 billion a year and they employ nearly 10,000 people. I don’t know what the hell they are doing with all that money, but I am pretty sure it would take me about 15 minutes to figure out where to go buy drugs if I wanted them. With the cost of incarceration and all the other federal, state, and local agencies involved, the drug war costs about $80 billion a year and well over $1 trillion has been spent on it since the 1970s. We seem to have little to show for it except for a lot of people in jail and prison for victimless crimes.
There are currently 79,036 people incarcerated in the federal prison system and nearly 200,000 in state prisons for drug crimes. About 44,000 are in state prisons solely for possession. In 2016, there were nearly 1.6 million arrests for drug law violations in the US, roughly 85% of which were for possession. This doesn’t seem like a wise use of scarce resources.
The drug war has created an all-you-can-eat feeding trough for the entire Government Drug Industrial Complex that includes law enforcement, correctional officers, judges, social workers, probation officers, case workers, therapists and other well-paid public sector employees. Additionally, attorneys, private prisons, pharmaceutical companies, drug testing companies, and a host of other private organizations are also sucking at the public teat but doing little to actually win the war. There is simply no incentive to do so. Politicians and lobbyists for the $80 billion industry are no doubt keen to keep the feeding frenzy going.
Sleazy politicians across the entire political spectrum all love the drug war. From the tough on crime, “Let’s hang ‘em all” district attorneys and judges to the “free tuition, legal pot, and Medicare for everyone” socialists, it’s a win-win from the point of view of getting elected. States like California, while requiring drug-free workplace certifications from vendors, have legalized marijuana. While smoking pot may be legal, you won’t be able to get a job with a company that does business with the state. How much sense does that make?
International drug trade
The drug war in the US is small potatoes compared to the international illegal drug trade which is estimated to have a value of more than $500 billion annually. How much of that money makes its way to politicians to maintain the status quo? It’s enough money to buy entire third world governments with plenty left over to influence policy in the western world.
Many people think that corporate leaders are akin to the worst criminals in the history of mankind. However, I know of no incidents of corporate executives cutting off heads, cutting out hearts, and chopping rivals into little pieces. I would much prefer a transparent, corporate drug trade to the system now in place. Again, there is no incentive to change this. $500 billion can buy you a lot of politicians. Open, legal drug trade would change the production and distribution landscape entirely and those profiting from the illegal drug trade, whoever they are, won’t give up their golden geese so easily.
The drug war has cost us all our freedom
In addition to the human casualties of the drug war, we’ve all lost our freedom. Civil asset forfeiture, DWI checkpoints, and stop and frisk policies should be anathema to every American citizen. That we are not all joining hands to end these affronts to freedom is the inevitable result of a poorly educated population that believes rights come from the government. Few Americans have even a basic understanding of Constitutional rights and far fewer understand the concept of natural rights.
Drug addiction is yet another form of imprisonment and politicians at the state and federal levels love to imprison their subjects – every one of us. Like 30-year mortgages, seven-year car loans, welfare, and six-figure student loans for worthless degrees, legal drugs will be yet another form of control the government can exercise over you. A stoned population is a complacent one and your new drug dealer will be the State. Like everything else run by the government, your legal drugs will cost a great deal more than the private sector version.
How drugs affect business and work
In many states, a felony drug conviction can limit your ability to get professional licensure as a barber or hair stylist. Do you really care if your hair stylist smokes pot?
I’m ok with baristas, hair stylists, musicians, screen writers and the like smoking pot or using any other substances they wish. If they are too dysfunctional, I will simply patronize another business. Like excessive, visible tattoos and piercings however, drug use, even if legal, can and should limit your career options and this isn’t an example of the white patriarchy at work; it is common sense.
Who wants to be a passenger in a jet operated by a pilot who goes flying on Alaskan Thunder Fuck after work every night? I don’t want potheads operating heavy equipment, driving trucks, doing surgery, or performing any other activities where they may endanger other people and those employed in these professions should continue to be regularly tested for drugs that impair cognitive and motor ability. I don’t even want stoners doing data entry. Stoned, drunk, and hungover employees are bad for business.
Just because you can legally use, doesn’t mean employers have to hire you and tolerate your scrambled brains. At least not yet, but I’m sure some such legislation will be forthcoming. Employers already can’t inquire about criminal history in some states. What’s coming next and how will legalized drugs affect how work gets done in your business? Will you soon be forced to hire criminals and drug users and give them “equal” pay?
Legal drugs and a welfare state don’t mix
Another policy issue with liberal drug laws is the question of the welfare state. Do we really want to pay people to sit on their asses, smoke pot, and watch The View all day? Personal responsibility and accountability have to be components of liberal drug policy. Marijuana was legal until 1937 and opium was legal and freely available until 1909. Back in those days, if you didn’t work, you didn’t eat and for most people, work meant hard physical labor. Drug use and abuse resulted in serious personal consequences. It still does, but our social safety net allows for people to make bad decisions and choose marginal lives at the expense of their fellow citizens. If you want drugs, you damn sure better pay for them yourself. But, that’s not the way things work in our society now. Promising free stuff is a good bet at election time.
It strikes me that the logical next step after legalization will be to add marijuana to the list of entitlements and include it as part of the SNAP allowance. You can go to the grocery store, get your “free” munchies and pick up your “free” weed before you head back to your “free” apartment to Netflix and chill on your “free” Internet connection.
Enlightened drug havens?
Many people point to Amsterdam as a paradise of enlightened policy. Have you ever been there? It’s a seedy place. Most Americans, even “social liberals” tend to be a puritanical and prudish group of people. The outrageous debauchery, open drug use, and overt sex trade in Amsterdam would offend the sensibilities of many, if not most Americans regardless of whether they consider themselves to be liberals or conservatives. Hamburg, Berlin, Bangkok, and a host of other cities share similar traits. If you haven’t experienced the “night life” in these cities, it is something everyone should experience at least once. Most of us wouldn’t want this sort of behavior happening in our neighborhoods.
I have been an ardent proponent of total drug legalization for the last 40 years, but I know that it’s not all unicorns and balloons. Drug abuse is a serious problem, but the drug war, at least the way it has been conducted, isn’t the solution. Drug use isn’t a moral issue; it’s an issue of liberty and natural rights.
© Copyright Jeffrey Morgan, 2018
Is there anything more exasperating than dealing with a service organization that has failed to implement even the most basic process and quality control tools? Not in my book. Those pesky critters who ate my broccoli and Brussels sprouts this summer are a distant second to IT service providers that fail to deliver uniformly high-quality services for a reasonable price.
The 1980s-style MIS (management information systems) is still with us, and no makeover will make it more attractive. What can you do?
Reengineer and reinvent, of course. But you don’t need to do it all by yourself. One of the simplest ways to reinvent your IT service organization is to use ISO 20000 as a foundation.
What is ISO?
Until recently, I used to think of ISO (International Organization for Standardization) as a producer of standards for large, multinational corporations, but I now see it in a different light. ISO/IEC 20000-1:2011, Information Technology – Service Management – Part 1: Service management system requirements, is the international standard for IT service management, and it scales well even in the smallest organizations. At 26 pages, Part 1 is straightforward and manageable. If you work in a small organization with a limited budget, adoption of service management standards makes even more sense because it enables your organization to provide proven, cost-effective services in the context of your unique business model.
I recently spoke with Dr. Suzanne Van Hove, WG2 Convenor, Maintenance and Development of ISO/IEC 20000 – Information Technology – Service Management, within SC 40 (IT Service Management and IT Governance) under Joint Task Committee 1 (JTC1) and Chair of GIT1 (Governance of IT), the U.S. mirror group for SC 40. Suzanne took the role of WG2 Convenor at the beginning of June 2017, and as chair of GIT1, one of her responsibilities is to ensure that the United States participates across all four ISO workgroups. SC 40 currently has seven standards under revision or development across all four WGs.
Standards groups typically meet face to face twice a year to work on the standards with their global colleagues. The next meeting for SC 40 is in November of 2017, and for WG2 four standards are currently under revision: Part 1 (Requirements); Part 2 (Guidance); Part 3 (Scoping); and Part 10 (Concepts and Terminology). These meetings are critical, as global consensus is the goal for all standards.
Suzanne received the itSMF USA Lifetime Achievement Award in 2013 and she is also co-author of Pragmatic Application of Service Management with Mark Thomas. Suzanne and Mark both have excellent courses available on Lynda.com.
About ISO standards in general
According to Suzanne, standards are generally written and revised on a five-year cycle, and ISO/IEC 20000-1:2011 is slightly overdue but is currently under revision and moving forward to a status of DIS (Draft International Standard). It will be reviewed at the next plenary meeting in 2018, and the forthcoming version will conform to Annex SL, “to provide a universal high-level structure, identical core text, and common terms and definitions for all management system standards (MSS),” so the new document will appear to be a radical change from the current version. Now all MSS, ISO/IEC 20000 included (along with ISO 9001 Quality Management, ISO/IEC 27001 Information Security Management, ISO 14001 Environmental Management, ISO 50001 Energy Management, among others), have the same structure, making it easier for organizations to comply with multiple MSSs if their business model demands it.
Mapping to other frameworks
ISO/IEC 20000 first appeared in 2005 and the current version was published in 2011. It presently contains 12 parts and additional parts are under development. 20000-1 is the standard itself, while 20000-2 provides practical guidance on application. One exciting component under development is 20000-13, which will contain guidance on the relationship between the standard and COBIT5®, and is anticipated to be published late in 2019. Part 11 maps the standard to ITIL® and Part 12 maps the standard to CMMI-SVC®.
Applicable to organizations of all sizes
Suzanne and I didn’t confine our chat solely to the ISO, and we had the opportunity to talk about a few general industry challenges, as well.
The commoditization of IT
“Once IT becomes a commodity, we lose the idea of a service . . . If IT goes down that commodity route we’ve really lost the capability to exploit technology for the benefit of business achievements. Technology is the differentiator. If leadership doesn’t recognize it and let go of the traditional view of IT, they find their organizations not staying at the top of the food chain and losing ground.”
In this area, I think Suzanne is more optimistic than I about the future, because I believe we are already far down the road to commoditization. While I run across many amazing, high-quality service providers, the market for cheap, low-quality work seems to be pervasive.
“I have taught hundreds of foundation classes in my career, and I can count on two hands the number of people who came from the business side rather than IT. The service management principle doesn’t just rest in IT. It has to be pervasive across the organization.”
Silos and frameworks
Suzanne cleverly refers to organizational silos as cylinders of vertical excellence. Another related topic is the dependence on only one methodology or framework. “I think service management is slowly coming around to the understanding that the best use of any of these bodies of knowledge is to know more than one and be able to combine them.”
I hope to talk to Suzanne again in the future, as she is a fountain of wisdom about all things IT service management and I learned a great deal in a short time. One completely new framework I learned about was from the SFIA Foundation, but we’ll save that for another day.
© Copyright Jeffrey Morgan, 2017
Failure of boards and managers to address information security is expensive. The preventable, poorly handled Equifax breach may end up costing the company as much as $1.5 billion in direct costs by the time it all plays out (SeekingAlpha, 9/29/17). This lack of management attention was clearly demonstrated when Equifax acting CEO Paulino do Rego Barros, Jr. told a congressional hearing that “he wasn’t sure whether the company was encrypting consumer data.”
This problem is systemic and pervasive across the business landscape. In a January 10th article, the Wall Street Journal reported that “Board committees dedicated to information technology risks and strategy are still rare. Just four Fortune 100 companies operate one.” Moreover, only 37% of corporate directors “feel confident the company they serve is properly secured against a cyberattack.” In the broader arena of SMBs and local governments, board and management oversight of information security is even rarer, and 37% seems grossly optimistic.
An even more disturbing revelation from that WSJ article was that some boards have “devised a response plan, including creating of a bitcoin account from which to pay ransoms.” I suppose there is a justifiable and quantifiable business case for this position from the board’s perspective, but it really sticks in my ex-military craw that any organization would negotiate with and reward criminals. Prevention and resilience are better policies.
What’s the role of the board and management?
There is no mystery about what boards and executives should be doing to ensure their organizations are paying attention to information security. Section 5 of ISO/IEC 27001 describes 18 requirements for “top management” with respect to developing an organizational information security management system (ISMS). These requirements include policy development, resource allocation, continual improvement, documentation, reporting, and a great deal more.
NACD (National Association of Corporate Directors) offers a 16-hour cyber-risk certificate course for directors. Upon completion of the course and an exam, participants receive a certificate from Carnegie Mellon University. NACD also publishes a free, informative, 44-page Cyber-Risk Oversight Handbook that describes “five principles for effective cyber-risk oversight,” along with a wealth of other information that includes an appendix with 48 questions boards should be asking management about cybersecurity.
For local governments, ICMA publishes Local Government Cyber Security: Getting Started as well as other information. This guide has some useful information, but it doesn’t begin to approach the depth and quality of the NACD handbook. I would recommend that school board members, county commissioners, and city council members download and read the NACD handbook as well as the Growing Impact of Cybercrime in Local Government. The public sector doesn’t take cybersecurity seriously, and local governments are in possession of huge deposits of PII and PHI.
My problem with the discussions of “the cyber” from both of these organizations is that they fail to address the broader discipline of “information security.” This isn’t simply a matter of semantics and cyber-risk has to be understood in the broader context of an overarching information security (InfoSec) program to be truly effective.
To put it simply, if senior leadership isn’t an integral part of your information security program, you don’t really have a program. Boards and executives should routinely devote CPU cycles to the issue, just as they would to any other critical business issue.
Making the case
The argument for comprehensive information security programs for even very small enterprises is simple, powerful, and backed by a constantly growing body of evidence. Failure to secure information costs money – and lots of it. The Anthem breach, in which the company was found to be neither negligent nor liable, cost them roughly $414 million and the Target breach cost $230 million (SeekingAlpha).
While the fiscal argument may make the best case for a security program, it sometimes takes a while to get traction because executives in smaller organizations may not immediately see how these gigantic breaches relate to their business. Consequently, one of my preferred techniques for making the case is to get the corporation counsel or municipal attorney involved from the start.
Bring lawyers and money
Lawyers begin making the connections faster than the rest of the team, especially if regulatory compliance issues are involved. They quickly connect the dots between stupid mistakes, negligence, breach, forensic and regulatory investigations, fines, public embarrassment and the inevitable litigation. In most organizations, the lawyers tend to be highly regarded and they can see the whole movie playing in their head. They instinctively know that they won’t be playing the part of the hero unless they get the show going so they do a pretty good job of rallying the troops.
In one organization for which I developed a comprehensive policy, the process took several months of collaborative work with a large committee of stakeholders that included board members, management, HR, attorneys and staff. The discussions sometimes became contentious, but the team approach was worth the effort because everyone was invested in the final product. It took the organization two years to fully implement the policy, and when the first periodic risk assessment came due, one of the directors said, “You mean to tell me that this is going to cost money?”
Yeah, it costs money; but it costs a hell of a lot less money than a breach.
You might appreciate my video on the Equifax breach:
© Copyright Jeffrey Morgan, 2018
NIST Cybersecurity Framework
Version 1.0 of the NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) celebrated its fourth birthday in February. The CSF is a “risk-based approach to managing cybersecurity risk… designed to complement existing business and cybersecurity operations.” I recently spoke with Matthew Barrett, NIST program manager for the CSF, and he provided me with a great deal of insight into using the framework.
NIST (National Institute of Standards and Technology) is a division of the U.S. Department of Commerce, and they have been involved in information security since the 1970s. On May 11, 2017, President Trump signed Executive Order 13800 requiring all federal agencies to use the CSF, so if you conduct business with these entities, you are likely to hear a great deal more about it in the near future.
Current State of Cybersecurity
To begin the conversation, I asked Matthew what he thought about the current state of cybersecurity in business and government.
“I think there is a bit of an awakening going on to the true importance of just how foundational cybersecurity is,” he says. “It used to be that businesses were based on trust, and it is still the case. Increasingly, we’ve built out our technological infrastructure and more and more important over time is digital trust. I’m not sure whether all parties understood when they were implementing those technologies just how much that pendulum was going to swing from traditional trust models to the digital representations of those trust models. It’s not an overnight thing. There’s a cascade. I see a ripple that has started that hasn’t completed its way across the pond.”
The CSF in a Nutshell
If you have worked with other security standards or frameworks based on best practices or compliance approaches, the CSF provides a different viewpoint. It is not intended to be used as a standalone framework for developing an information security program. Rather, the CSF is designed to be paired with other frameworks or standards such as ISO/IEC 27000, COBIT 5, ANSI/ISA 62443, and NIST SP 800-53. It is also meant to be customized rather than being used as a process or activity checklist. The CSF has three components – the core, tiers and profiles.
The core of the framework has five functions – identify, protect, detect, respond and recover. These functions can be thought of as outcomes, and aligned with them are 22 categories, 98 subcategories, 125 outcomes and 287 informative references. The informative references are not controls in themselves; each one points to the specific control or clause in another standard (ISO/IEC 27001, COBIT 5, NIST SP 800-53 and so on) that satisfies a subcategory. The core, with all the informative references, is also available in Excel format, which makes a handy template to add to your cybersecurity policy and control toolkit. According to Matthew, becoming comfortable with these five functions and the associated concepts at the leadership level tends to be the first stage of the adoption curve.
Determining the organization’s tier is often the second step in adoption. The tiers are a useful tool and they “provide context on how an organization views cybersecurity risk and the processes in place to manage that risk.” There are four tiers: partial, risk-informed, repeatable and adaptive. Although the tiers don’t officially function as a maturity model, it is difficult for me not to see them as such.
However, Matthew explained the CSF’s position on maturity models: “We take exception to the way maturity models are applied where everyone has to get the highest mark on the maturity scale. That’s a great ambition. Rooted in the real world of things, we know that people have budgets, and those budgets are finite. More so than the way people tend to implement maturity models, we’re trying to highlight that you can pick and choose.”
“In my mind’s eye,” Matthew continued, “I picture a tier that isn’t even on the map. A tier zero. There’s a group of people who have managed to short-list high-impact items, and that’s about all they do relative to cybersecurity. For most people, that’s a temporary stopping point. Some people stop there and never get to dynamic, iterative cybersecurity risk management.”
Based on my own personal observations in the field, most SMBs, local governments and even many larger entities probably fall into Tier 1, and the only way to realistically get to Tier 2 is for management to become risk informed. However, getting executives and boards interested in information and cybersecurity is a formidable hurdle.
If an organization is truly a part of national critical infrastructure, remaining at Tier 2 would be troubling. Tier 3 is the first tier that defines organization-wide policy as a requirement, and I would personally see Tier 3 as the minimally acceptable target for most organizations, but this is my opinion rather than NIST’s or Matthew’s.
The tiers do provide a solid tool for organizational management to realistically evaluate their cybersecurity program and make rational, pragmatic, informed business decisions for program improvements going forward. Taking the leap from Tier 1 to Tier 2 is probably the most difficult step for most organizations. Once an organization gets to Tier 2, management has accountability and consequently more motivation to move forward.
NIST recommends that the framework be “customized in a way that maximizes business value,” and that customization is referred to as a “Profile.”
Matthew believes that all cybersecurity programs have three things to do and three things only:
- Support mission/business objectives;
- Fulfill cybersecurity requirements; and
- Manage the vulnerability and threat associated with the technical environment.
The CSF provides a seven-step process for creating or improving a cybersecurity program using a continuous improvement loop:
- Prioritize and scope
- Orient
- Create a current profile
- Conduct a risk assessment
- Create a target profile
- Determine, analyze, and prioritize gaps
- Implement action plan
Profiles can be used as a tool to provide a basis for prioritization, budgeting and gap analysis.
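As an added worked example (this is illustrative code written for this page, not NIST tooling and not part of the original article), the “determine, analyze and prioritize gaps” step of that loop: a current profile and a target profile are each expressed as an implementation level per CSF subcategory, the business assigns a priority to the subcategories it cares most about, and the script returns the gaps ranked by priority-weighted size and totalled by function. The subcategory identifiers (ID.AM-1, PR.AC-1, DE.CM-1 and so on) are real CSF core IDs; the levels and priorities are constructed sample data, and the 0–4 level scale is an assumption of the example, not something the CSF prescribes.

```python
"""Added example: a minimal NIST CSF profile gap analysis.

Not NIST's or the article author's code. Subcategory IDs are real CSF
core identifiers; the implementation levels and business priorities
below are constructed sample data. The 0..4 level scale is an assumption
of this example (0 = not implemented, 4 = adaptive), chosen so the gap
between profiles can be expressed as a number.
"""
from dataclasses import dataclass

LEVELS = {0: "not implemented", 1: "partial", 2: "risk informed",
          3: "repeatable", 4: "adaptive"}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str      # CSF function prefix: ID, PR, DE, RS or RC
    current: int
    target: int
    priority: int      # 1 (low) .. 5 (high), set by the business

    @property
    def size(self) -> int:
        return self.target - self.current

    @property
    def score(self) -> int:
        # Weighted gap: a large gap in a high-priority outcome ranks first.
        return self.size * self.priority


def function_of(subcategory: str) -> str:
    """'PR.AC-1' -> 'PR' (the function the subcategory belongs to)."""
    return subcategory.split(".", 1)[0]


def gap_analysis(current: dict, target: dict, priority: dict) -> list:
    """Return gaps sorted by priority-weighted size, largest first.

    current/target map subcategory -> level (0..4); priority maps
    subcategory -> 1..5 and defaults to 3. A subcategory present in the
    target profile but absent from the current profile counts as level 0.
    Subcategories already at or above target are not gaps and are omitted.
    """
    gaps = []
    for sub, tgt in target.items():
        cur = current.get(sub, 0)
        if not (0 <= cur <= 4 and 0 <= tgt <= 4):
            raise ValueError(f"{sub}: levels must be in 0..4")
        if cur >= tgt:
            continue
        gaps.append(Gap(sub, function_of(sub), cur, tgt, priority.get(sub, 3)))
    return sorted(gaps, key=lambda g: (-g.score, g.subcategory))


def summarize_by_function(gaps: list) -> dict:
    """Total weighted gap per CSF function, for the budget conversation."""
    totals = {}
    for g in gaps:
        totals[g.function] = totals.get(g.function, 0) + g.score
    return totals


# Constructed sample profiles (not a real organization's data).
CURRENT_PROFILE = {"ID.AM-1": 1, "ID.RA-1": 0, "PR.AC-1": 2, "PR.DS-1": 1,
                   "DE.CM-1": 0, "RS.RP-1": 0, "RC.RP-1": 1}
TARGET_PROFILE = {"ID.AM-1": 3, "ID.RA-1": 3, "PR.AC-1": 3, "PR.DS-1": 3,
                  "DE.CM-1": 3, "DE.AE-1": 2, "RS.RP-1": 3, "RC.RP-1": 3}
PRIORITY = {"ID.RA-1": 5, "DE.CM-1": 5, "RS.RP-1": 4, "PR.AC-1": 4}


if __name__ == "__main__":
    ranked = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, PRIORITY)
    for g in ranked:
        print(f"{g.subcategory:8} {g.function} {LEVELS[g.current]:>16} -> "
              f"{LEVELS[g.target]:<12} priority {g.priority} score {g.score}")
    print(summarize_by_function(ranked))
```

With the sample data the two highest-scoring gaps are DE.CM-1 (network monitoring) and ID.RA-1 (vulnerability identification), which is the shape of result the Adams County story at the top of this page would lead you to expect: detection and risk assessment are where a county that has never had a program is furthest from a Tier 3 target.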
One of my personal rants is on the disinterest so many executives show toward information security. I am always irritated when I see IT and security managers unilaterally commit an organization to cyber risk without obtaining informed consent from senior management. Often, these staff members make decisions that are far outside the scope of their roles and authority, and I think some executives prefer their own blissful state of ignorance. This leaves too much room for managers to claim “I never knew. Mistakes were made.” Like both ISO 27001 and COBIT 5, the CSF clearly defines management’s role in information security processes, so the CSF can be used as a powerful tool to engage boards and managers and hold them accountable for risk and budgeting decisions.
Matthew’s response to my rant was diplomatic. “I wonder whether the very nature of cybersecurity professionals makes us hold on to risk decisions rather than distribute them portfolio style. Smaller, less impactful risk decisions that are distributed. Distribute decisions, empower folks, and there is accountability around that empowerment, as well.” The CSF provides tools to distribute this risk.
Adoption and Implementation Trends
Results from a 2015 Gartner poll claim that about 30% of organizations have adopted the CSF and by 2020, 50% of organizations will have adopted it. I am skeptical of this assessment. Based on personal observation of the SMB and local government sectors, I would be astonished to find that even 25% of them have formal information security programs based on any framework or standard, let alone the CSF.
However, CSF has been used and customized by a diverse group of organizations such as the Italian government, the American Water Works Association, Intel, the Texas Department of Information Resources, and many others. Case studies can be found on the NIST CSF website.
It’s always good to look at information security programs from multiple viewpoints and the NIST CSF provides many excellent tools to do just that. NIST provides many additional materials on using the framework and they can be found on the CSF Homepage. The site also has an excellent 30-minute video presentation of Matthew providing an overview of the framework.
This article first appeared in Security Magazine.
© Copyright Jeffrey Morgan, 2018
Health care providers are 12,000 times more dangerous than school shooters
Every well-run business relies on some form of risk assessment as part of its decision making process. Threats are assessed and prioritized according to their relative impact and probability and the business takes appropriate action based on that information. Or so one hopes.
In public policy, this isn’t the way it works. Two perfect examples of public policy overreach not based on credible risk and threat data are school shootings and climate change.
School shootings are horrific events that should never happen, and I can’t even imagine the pain this causes for the families of the victims. However, school shootings are low-probability, high-impact events. In the big picture, the probability that someone will be killed in a school shooting is about the same as getting struck by lightning or being killed by a cow. I used 2015 data, where available, to build the chart above.
School shootings vs. medical malpractice
In 2015, 21 people were killed in school shootings while medical malpractice killed an estimated 251,000 according to a Johns Hopkins University study. Other studies put the number as high as 330,000. In 2015, you were 11,952.38 times more likely to be killed in a hospital than in a school shooting.
Medical error is the third leading cause of death in the United States and it kills nearly 700 people every single day or about 29 people every hour. More people die from medical malpractice every hour than are killed by school shootings in a year. Today, more Americans will be killed by medical malpractice than have died in all the school shootings in the entire history of the United States.
Where are all the posturing politicians on medical errors? Why aren’t news trucks lined up outside of hospitals profiling the doctors and nurses who may have just killed a patient? Why aren’t policy makers proposing trillions of dollars in spending and draconian regulations to address this travesty?
You are about 4 times more likely to be killed by an insect than you are to be killed in a school shooting. Yet, school shootings bring out calls for billions of dollars in spending, new regulations, and limitations on constitutional rights. There is no evidence that any of these proposals will prevent another school shooting. There is a great deal of evidence, though, that political cronies will become wealthy from policies that won’t work. Why won’t these work?
A cascade failure
The Marjory Stoneman Douglas High School tragedy was clearly a systemic cascade failure where those entrusted with the safety of students failed to do their jobs at every level. The school board, school administration, FBI, SROs, deputies, and many more all failed to fulfill their responsibilities over a long period of time. Nikolas Cruz was a known threat actor and no one did anything about him.
In the private sector, Robert Runcie, the incompetent superintendent, would already be ancient history as would Broward County sheriff, Scott Israel. They would both have been handed walking papers immediately and they should be facing criminal charges and civil litigation for their negligence. This event wasn’t caused by lack of laws or resources; it was caused by incompetent management and governance.
We don’t need to throw fantastic sums of federal money and new federal laws at the issue of school safety. What we do need are public sector employees who will actually do their jobs. Moreover, these issues should be addressed at local levels where citizens can make their own risk assessments based on unique requirements, cultural factors, and risk appetite. Heavy-handed, one-size-fits-all solutions from distant Washington bureaucrats aren’t the answer.
Risk and climate change
Climate change is another issue where proposals for risk mitigation are completely out of proportion to the actual risk. If meteorologists could accurately predict tomorrow’s weather, I might find dire predictions of the climate 100 years from now to be more credible. If a single climate model actually accounted for the climate over the last 20 years, I might be inclined to take it seriously.
Predicting the future is risky business – just ask any investor or financial manager. For some reason though, policy makers take apocalyptic, Nostradamus-like predictions of our future weather seriously. And, why not? Billions of dollars for ineffective school security programs are small change compared to the sums of money involved in “fixing” the climate. Fixing the planet could make someone his or her first trillion and all of their political cronies will be richly rewarded.
Bureaucrats at the United Nations, the most incompetent and expensive bureaucracy the world has ever known, actually believe they can fix the climate. Or maybe they just know they can become wealthy and powerful on a journey to nowhere. No one today will actually be around to see whether or not the predictions are right, so what difference does it make?
Emotional reactions never create good policy and we really need politicians at all levels of government who are capable of cool-headed, objective risk assessment.
© Copyright Jeffrey Morgan, 2018
What are the 4 characteristics of great IT services and how can you get there? I provide three ways to improve your IT services. Watch my 7-minute video on improving your IT services. This video is for county and municipal executives and managers, public sector board members, and small and medium business owners and managers.
© Copyright Jeffrey Morgan, 2018
Are you asking the right questions?
So, you are looking for new enterprise or departmental software or some other type of major system. Maybe you are looking for a new ERP system, an EHR, a 311 system, or an EDMS? Maybe you need a major hardware upgrade as a solo project or as part of a new system project?
You might have already had discussions with vendors, or possibly you even know which product you want to purchase. Perhaps you are planning to purchase the ERP from TBQ International for manufacturing because that is what everyone in your industry uses and it seems like a safe bet. Or all of your neighboring Counties use O’Riley Technologies, so you think it will work for you. Maybe you called Bill, the Public Health Director from your neighboring County and he says Navajo Software makes a great EHR product and that is a good enough recommendation for you. You just want to get the project done.
The big problem with word-of-mouth recommendations is that YOU will be the one responsible for the success or failure of the project – the people who casually advised you will have amnesia about their recommendations if the project fails.
Regardless of where you are in the process, let’s step back and start over from the beginning.
60% of Projects Fail
According to the Project Management Institute, 60% of projects fail. Based on my own observations, the success rate for municipal software projects is probably lower than 40%. Government agencies rarely publicly or even privately admit that a project failed. Spectacular, expensive failures occur in the private sector as well, and the corporate landscape is littered with the carcasses of dead software projects where managers and executives have been forced into early retirement because of outrageous multi-million dollar cost overruns or outright failures.
Projects don’t succeed or fail by accident and you want to be overseeing one of the minority of projects that actually succeed. Whatever decision you make, your organization will be bearing the fruit of or suffering the consequences of your decision for the next 15 – 20 years, or longer. Large systems become a generational legacy, especially in the public sector. Regardless of the type of system you are seeking, the approach to purchasing the system should be the same. You need a rigorous methodology that incorporates staff buy-in and proven techniques for getting the features you need to make better business decisions. That system and the vendor’s culture must mesh successfully with your organizational culture. The vendor will be your business partner for the life of the product and thirty year old systems are not unusual in the public sector.
Why Projects Fail
Here are some common reasons why large software projects fail:
• Top Down management, planning and execution.
• Failure to identify and enumerate specific business goals and objectives.
• Failure to understand current, “as is” business processes.
• Failure to comprehend and plan for the entire scope of the project.
• Weak communication and stakeholder management.
• Failure to establish end-user buy-in.
• Failure to account for organizational culture.
• RFP doesn’t match your requirements for software and services.
• Underestimating the services required to configure the product.
• Underestimating or omitting training.
• Failure to plan for implementation.
• Insufficient or poor project and stakeholder management.
• Lack of Experience.
I recently read a report written for a manufacturing organization written by a Big 4 consulting firm. The report was extolling the virtues of a top-down management approach to the company’s ERP project. The project was already over budget by $15 Million and the meter was still ticking. I suppose the consulting firm was scrambling for excuses for their disastrous management of a project that will eventually come in 300% – 500% over budget.
I couldn’t disagree more with the Big 4 firm when it comes to top-down management of large projects.
You can’t build airplanes in the air and you don’t build a pyramid starting from the top. Large software procurement and implementation projects must be built from the ground up with a strong foundation that results from giving the stakeholders who will actually be using the system a prominent seat at the table. Yes, you need strong executive support for a major software/business reengineering project, but executives may never use the system. If you don’t build a robust foundation provided by the people who actually understand the granular level of all the organizational business processes, the project will be difficult, seriously over budget, or may fail completely. Succeeding at these types of projects requires top-down, bottom-up, and inside-out management. You must examine every aspect from every angle.
Lack of Experience
Lack of experience is another major reason why large system projects fail. Large system procurement and implementation projects are events that occur only once or twice in the career of many employees in the public sector. If you are an executive in a very large public sector organization, you may have full-time professionals who specialize in software procurement and implementation projects. However, there are 3033 County governments in the United States, over 19,000 municipal governments, and nearly 14,000 independent school districts. The vast majority of these organizations cannot afford to employ experienced full-time system procurement and project specialists. If you are an executive in this real world of municipal government, what do you do?
The Role of Organizational Culture
Even when expert, internal resources are available, there may be cultural issues in organizations that can make projects involving significant change impossible. I once worked on a project for a Fortune 100 company that employed a large staff of professionals who could theoretically have performed the large migration project they were undertaking. However, their institutional culture made it impossible for them to complete the project. The ultra-stratified management structure and extreme risk aversion made the execution of such a project impossible for them to implement internally and they had to contract a small army of risk-tolerant consultants to do the work.
RFPs From the Internet
Unfortunately, many organizations begin the process of software procurement with an RFP. Even worse, they sometimes use an RFP that was downloaded from the Internet and written for another organization with different requirements, different business processes and an entirely different organizational culture. The truth is, the same piece of software that works for your neighboring county, school or city may not work for you. There are hundreds of commercially available ERP products for municipal governments. When you factor in Utility Systems, Public Safety Systems, Records Management Systems, Tax Collections Systems, Traffic Management Systems, Public Health Systems, Code Enforcement Systems, and the like, there are thousands of products from which to choose. How do you navigate such a massive set of choices?
Following a rigorous and disciplined methodology for the procurement process will vastly increase the probability of a successful outcome. Maybe you already have a system that works well. Below is a summary outline of the system I have used and honed since my first large software procurement in 1996. If you are experienced at software procurement and implementation projects, this information may seem to be self-evident. However, considering the number of failed municipal software projects I have seen, the message hasn’t really gotten out yet. Notice that the RFP finally comes up in Step 8.
- Draft a Project Charter
- Establish a Procurement Committee & Appoint a Project Manager
- Conduct a Business Process Review
- Identify and Document Goals, Objectives and a Preliminary Budget
- Conduct a Needs Assessment
- Analyze and document your Information Technology Infrastructure
- Document Environmental Factors and Organizational Culture
- Draft and release an RFP (Request for Proposal) or RFB (Request for Bid)
- Review Proposals and Prepare a Short List for Demonstrations
- Site Visits – Customer and Vendor HQ
- Hold Software Demonstrations & Select a Solution
- Negotiate and execute the Contract
I cover the entire process here. Please feel free to e-mail me if you have comments or want to discuss software procurement in your organization. If you take a sensible and cautious approach using all due diligence, your project will be far more likely to succeed.
If you want to talk about your project, send me an e-mail at email@example.com.
Copyright © Jeffrey Morgan 2015, 2018