Issue link: https://securitytechnologyexecutive.epubxp.com/i/282968
23 SECURITY TECHNOLOGY EXECUTIVE • February/March 2014 www.SecurityInfoWatch.com department may discover the situation, investigate and han- dle it and move on to the next task. But without visibility into this type of data, how would the compliance department learn about a possible data leakage and take the necessary steps to investigate and report? On the flip side, the compliance department is the only group authorized to see private and sensitive patient data so there are very strong access controls to protect that informa- tion. But the compliance department doesn't have the training or tools to spot unusual system activity. While the IT security department should not have access to privacy data, certain data can be summarized and presented to IT security with- out disclosing any sensitive information. Specifically, system data, such as total number of accesses by hosts or by role on a machine, won't disclose patient records or clinical data but could indicate a potential breach and initiate an investigation. It cuts both ways. For either side of the organization, lim- ited data visibility and collaboration hampers the ability to identify a breach and, in turn, limit losses. Technology and compliance leaders at healthcare organi- zations need to take a holistic approach to security risk man- agement to allow for true visibility and full spectrum threat remediation. However, with limited budgets and priorities often, and rightfully, placed on patient care, many healthcare organizations lack the resources to take the necessary steps. Despite these constraints, with the right technology and best practices in place healthcare organizations can position themselves for success. The same Ponemon report finds that the top three factors that decrease the cost of a breach include: having a CISO with overall responsibility for enterprise data protection, a strong security posture and an incident response plan. Below are a few recommendations to help healthcare organizations make inroads on these fronts. A CISO with overall responsibility for enterprise data pro- tection. Successfully bridging the gap between IT security and privacy/compliance is predicated on having support from the highest levels within the organization. An innovative C-level IT security executive who understands the challenges and appreci- ates the value that comes from an enterprise-wide approach to protecting data must be at the helm. The most effective CISOs are able to collaborate across the organization, aligning technol- ogy with business objectives to ensure risk tolerances are met while supporting business imperatives. They also understand the necessary action to take should a breach occur, including involving the appropriate parties to protect the organization and patients. And they know how to leverage technology to optimize resources while accomplishing the mission. A strong security posture. With limited resources, healthcare organizations need to be savvy about technology investments. They need solutions that satisfy requirements now but can also carry them into the future. IT security teams should ask tech- nology vendors the following questions: W hat types of data can you integrate with? Healthcare companies needs to collect data from a large variety of sources including off-the-shelf and custom appli- cations, including patient systems, infrastructure devices (switches, routers, firewalls, VPN concentrators, proxy serv- ers, etc.), servers and desktops, application access logs and physical security data (badge access records). They also need to be able to add more sources easily over time. How much data can you store and for how long? In the healthcare industry, regulations can require storing data for up to 10 years. Organizations need storage infrastructure that can support collection and analysis of increasingly large data sets over long timeframes. Traditional relational data- base technologies can be a poor match for storing and que- rying massive volumes of unstructured or semi-structured time series event data. How can we access that data for audits and investiga- tions? Stitching together a scenario for investigation takes time, money and is subject to error. Access to data in a single place with appropriate access controls by user is essential for an enterprise-wide approach. The ability to automatically analyze relevant data from patient systems and IT systems in order to identify anomalous patterns that could indicate potential malicious activity increases effectiveness. An incident response plan. The Verizon 2013 Data Breach Investigations Report found that in 22 percent of the inci- dents investigated, it took months to contain the breach. Security events happen, yet many organizations don't have an incident response plan in place with a designated team and documented processes and policies so that the right people are notified at the right time. With fines that mount as breaches progress, technology solutions that have an alerting mecha- nism that ties into the incident response process will help expedite investigation and action and minimize risk. Healthcare organizations are facing cyber threats daily and the need to protect highly sensitive patient data is critical. Government fines are skyrocketing and for many healthcare organizations, paying the fines and enduring the collateral damage is a cost they can ill-afford. With a better understanding of the key ways to lower the costs of a breach, healthcare organizations can bridge the gap between the privacy office and the enterprise security department for a faster, more accurate and cost-effective approach to data protection. ❚ Kim Lennan ser ves as Director of Healthcare Markets for Hexis Cyber Solutions, a subsidiary of The KEYW Holding Corporation based in Hanover, Maryland, which provides complete cybersecurity solutions for commercial companies, government agencies and the intelligence community. "Technology and compliance leaders at healthcare organizations need to take a holistic approach to security risk management to allow for true visibility and full spectrum threat remediation." STE_22-23_0314 Lennan Healthcare.indd 23 3/14/14 11:12 AM