Legal Information Security Case Study
He’s the CIO of an NLJ 250 firm… already worried about increasingly vigilant client security requirements/questionnaires.
Now the partner who runs Medical Device & Health Care Litigation wants to discuss the HIPAA Omnibus Rule and how Protected Health Information (PHI) needs to be segregated within the firm’s Document Management System.
The action items from last month’s meeting with the FBI regarding the “China Threat” still need attention.
Henryk needed somewhere to turn for guidance and support.
Information Security Concern
Henryk and his security team developed a list of three critical issues needing to be resolved quickly:
✔ Demonstrating security/compliance with a number of different standards (e.g., ISO 27002, HIPAA) to satisfy client security requirements.
✔ Understanding the requirements of the HIPAA Omnibus Rule and putting the necessary “least privilege” protections in place to mitigate the possibility of “breach notification.”
✔ Understanding rapidly evolving information security risks in the legal industry (e.g., the Operation Aurora cyber attacks and other advanced persistent threats originating in China and elsewhere) and putting the required controls in place.
Information Security Approach
Pivot Point Security worked with Henryk and his team to analyze various options, and helped them come up with the right combination of activities to meet their specific requirements.
Henryk and his team decided to:
✔ Conduct a comprehensive External Vulnerability Assessment/Penetration Test (against both the network and applications) to ensure that there were no significant gaps that an ill-intentioned party could leverage. They supplemented that with a Credentialed Internal Vulnerability Assessment to confirm that vulnerability/configuration management practices were operating as intended, reducing the risk associated with drive-by downloads and poisoned document attacks. They also conducted a Phishing Attack to determine whether their security awareness training program was effective. Together these activities provided assurance that the environment was “appropriately” secure.
✔ Augment the Credentialed Internal Vulnerability Assessment with a malware assessment focused on detecting evidence of malware on internal machines. When potential evidence of APT1 was found on several litigation support systems, additional monitoring of firewall logs was used to determine whether those systems were communicating outbound to known “bad” hosts (e.g., command & control servers). These activities provided assurance that internal systems were secure and were not exfiltrating sensitive client information.
✔ Work towards ISO 27001 certification. With several recent contracts/RFPs citing ISO 27001 certification as a preference, and a need for a comprehensive approach to managing information security risks, this decision was relatively easy. Moving ISO 27001 forward also allowed that effort to replace the planned HIPAA Gap Assessment. A 12-month project schedule was laid out to minimize the effort’s impact on business as usual. ISO 27001 will allow Henryk to demonstrate to partners and clients alike that the firm’s information security risks are being managed via internationally recognized best practices.
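The firewall-log check described in the malware assessment above (which internal systems reached known “bad” hosts, and whether the firewall allowed the connection) can be automated. The script below is an added example written for this page; it is not Pivot Point Security’s tooling or the firm’s actual logs. The log line format, the internal address range, the indicator list and every IP address are constructed assumptions (RFC 5737 documentation ranges), not real APT1 indicators.

```python
"""Flag internal hosts whose outbound firewall connections hit known-bad destinations.

Added example, not tooling from the case study. The log format, the indicator
list and all IP addresses are constructed (RFC 5737 documentation ranges).
"""
import ipaddress
import re
from collections import defaultdict

# Constructed indicator list: destinations the assessment team treats as
# "bad" hosts (e.g. command & control servers). A real list would come from
# threat intelligence; these are documentation addresses only.
KNOWN_BAD_HOSTS = {
    "203.0.113.7": "c2-server-alpha",
    "203.0.113.45": "c2-server-beta",
}

# Assumed internal address space of the hypothetical firm.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed firewall log lines in a simplified syslog-like format (assumed):
#   timestamp action proto src_ip:src_port -> dst_ip:dst_port
SAMPLE_LOG = """\
2013-04-02T09:14:03 ALLOW TCP 10.20.5.17:49211 -> 198.51.100.10:443
2013-04-02T09:14:09 ALLOW TCP 10.20.5.17:49215 -> 203.0.113.7:443
2013-04-02T09:15:41 DENY  TCP 10.20.5.31:51002 -> 203.0.113.45:8080
2013-04-02T09:16:02 ALLOW UDP 10.20.5.31:53011 -> 10.20.1.2:53
2013-04-02T09:17:55 ALLOW TCP 10.20.7.88:50120 -> 203.0.113.7:443
2013-04-02T09:18:10 ALLOW TCP 192.0.2.9:40000 -> 10.20.5.17:445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def is_internal(ip):
    """True if the address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_c2_contacts(log_text):
    """Map each internal source IP to its contacts with known-bad hosts.

    Only outbound traffic (internal src, external dst) is considered. DENY
    entries are kept on purpose: a blocked attempt still shows that the host
    is trying to beacon, which is what the malware assessment wants to know.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than aborting the sweep
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # not outbound from the internal network
        label = KNOWN_BAD_HOSTS.get(rec["dst"])
        if label:
            hits[rec["src"]].append((rec["ts"], rec["dst"], label, rec["action"]))
    return dict(hits)


def hosts_with_allowed_contact(hits):
    """Hosts whose connection to a bad host was ALLOWED: the exfiltration candidates."""
    return {src for src, rows in hits.items() if any(r[3] == "ALLOW" for r in rows)}


if __name__ == "__main__":
    contacts = find_c2_contacts(SAMPLE_LOG)
    for src, rows in sorted(contacts.items()):
        for ts, dst, label, action in rows:
            print(f"{src} -> {dst} ({label}) {action} at {ts}")
    print("priority for forensic review:", sorted(hosts_with_allowed_contact(contacts)))
```

Hosts that appear in `hosts_with_allowed_contact` are the ones where outbound traffic actually reached a command & control address, so those are the first candidates for disk and memory forensics; hosts that only show DENY entries are still infected-until-proven-otherwise, but the firewall has at least cut off the channel.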
With ISO 27001, the risks and compliance requirements associated with the HIPAA Omnibus Rule are “inputs” during the risk assessment phase. During the risk treatment phase, access control, logging, risk assessment, and segregation controls for the firm’s Document Management System were developed and put into operation. These controls gave the concerned partner assurance that access to PHI was restricted to those with a need to know.
Pivot Point Security continues to work collaboratively with Henryk and his team, executing on the ISO 27001 project plan and remediation roadmap that is in place.
You could say that Henryk’s affirmative information security actions should result in a positive judgment by clients and partners alike!