A metaphor I like to use with clients compares security vulnerabilities with seismic fault lines. As long as the earth doesn’t move – you’re safe, but once things start moving sideways – you can drop into a big hole. Most security vulnerabilities reside in the cracks of systems and organizational integration and during an M&A, those cracks fault lines can turn your local security potholes into the Grand Canyon.
Here are 5 practical things I would recommend to any healthcare organization CIO:
1. Do not rely on fixed controls
Any information security professional will tell you that security countermeasures are comprised of people, processes and technology. The only problem is that good security depends on stable people, processes and technology. A stable organization undergoing rapid and violent change is an oxymoron. Visualize your company has ISO 27001 certification but the stock drops by 90% because of an options back-dating scandal at the top, the company fires 900 employees and all of a sudden, the fixed controls are not as effective as you thought they were. Think about the Maginot Line in WWII.
2. Use common sense when it comes to people
People countermeasures should be a mix of common-sense, background checks (at a depth proportional to job exposure to sensitive assets), and deterrence. Andy Grove once said
“Despite modern management theory regarding openness – a little fear in the workplace is not a bad thing”.
When a lot of employees are RIF‘d – there is a lot of anger and people who don’t identify with their employer; the security awareness training vaporizes and fear and revenge take over. Some of the security people will be the first to go, replaced by contractors who may not care one way or the other or worse – be tempted by opportunities offered by the chaos. In a large complex healthcare organization, large scale security awareness training is probably a hopeless waste of resources considering the increasing number of options that people have (Facebook, smartphones..) to do stuff that causes damage to the business.Security awareness will lose every time it comes up against an iPad or Facebook.
Why is common sense a good alternative to awareness training?
Common sense is easy to understand and enforce if you keep it down to 4 or 5 rules: maintain strong passwords, don’t visit porn sites, don’t blog about the business, don’t insert a disk on key from anyone and maintain your notebook computer like you guard your cash.
3. Spend some money on securing your software applications instead of on security theater
It’s a given that business processes need to be implemented in a way that ensures confidentiality, integrity and availability of customer data. A simplistic example is a process that allows a customer service representative to read off a full credit card number to a customer. That’s a vulnerability that can be exploited by an attacker. But – that’s a trivial example – while you’re busy managing processes and using security theater code words – the attackers are attacking your software and stealing your data.
4. Question your defenses
Technology countermeasures are not a panacea – and periodically you have to step back and take a look at your security portfolio both from a cost and effectiveness perspective. You probably reply on a defense in depth strategy but end up with multiple, sometimes competing and often ineffective tools at different layers – workstation, servers and network perimeter.
Although defense-depth is a sound strategy – here are some of the fault lines that may develop over time:
- One – most defense in depth information security is focussed on external threats while in an organization undergoing rapid change – the problem is internal vulnerabilities.
- Second – defense-in-depth means increased complexity which can result in more bugs, more configuration faults and … less security instead of more security.
- Three – when the security and executive staff is cut, security monitoring and surveillance is suffers – since there are less (or no) eyeballs to look at the logs and security incident monitoring systems. With less eyeballs looking at events – you may have a data breach and only know about it 3 months later – are you still sure defense in depth was protecting you?
5. Invest in smart people instead (instead of investing in business alignment)
Business alignment is one of those soft skill activities that keep people in meetings instead of mitigating healthcare vulnerabilities – which requires hard professional skills and high levels of professional security competence. It’s a fact of life that problem solvers hate meetings and rightly so – you should invest in smart people and go light on the business alignment since it will never stop the next data breach of your patients’ data.
Claudiu Popa, president and chief security officer of data security vendor Informatica Corp. told Robert Westervelt in an interview on searchsecurity.com that:
…once an organization reaches the right level of maturity, security measures will not only save time and money, but also contribute to improved credibility and efficiency.
This is nonsense – security is a cost and it rarely contributes to efficiency of a business (unless the business can leverage information security as part of it’s marketing messages) and as for an organization firing 30% of it’s workforce over night – words like maturity, credibility and efficiency go out the door with the employees.
At that point – highly competent and experienced security professionals who are thinking clearly and calmly are your best security countermeasure.