Security Technology Executive

MAY-JUN 2016

Issue link: https://securitytechnologyexecutive.epubxp.com/i/690996

Page 35 of 91

SECURITY TECHNOLOGY EXECUTIVE • May/June 2016 • www.SecurityInfoWatch.com • CYBERSECURITY

…users who require it.

Organizations are seeking an approach flexible enough to enable critical access without making themselves an easy target for bad actors, but this requires a culture change and adherence to best practices from those working in the industry.

Along with an increase in ransomware incidents, 2016 brings the second phase of HIPAA auditing (with a maximum penalty of $1.5 million per year for violations), a benchmark that should prompt practitioners of PHI security to treat security as part of a bigger picture about privacy and regulation, loyalty and reputation. The audit's reach extends to "business associates" in financial services and other verticals already well versed in data regulation and protection, and "covered entities" can benefit greatly from their ecosystem's skills and experience with technology and security, and from the best practices that have evolved as a result.

HIPAA encourages the use of encryption for data protection, and some organizations go further, using tokenization or other de-identification technologies to keep data safe in use and at rest. These approaches, however, offer little defense where ransomware is concerned: ransomware attacks availability rather than confidentiality, and a file full of ciphertext or tokens is just as unusable once the attacker has encrypted it a second time. Only good security hygiene and training for all employees that highlights the security hazards most associated with their roles (such as legacy passwords or unsolicited macro-enabled email attachments) will help avoid the devastation of such attacks. Privileged users such as DBAs and system administrators should be prevented from unnecessarily accessing data by enforcing least-privilege rules; giving employees and patients maximum threat awareness together with only the information their role requires minimizes both the risk and the scope of the threat.

Similarly, making full and frequent off-site system backups, and verifying that online applications are secure and free of the most common and dangerous attack vectors (malware often exploits known bugs), is crucial to avoiding compromise and its impact. Monitoring "normal" network activity allows organizations to identify anomalous behavior, and whitelisting permissible applications while blocking everything else can work for some organizations, although many may find the administration and practical limitations too onerous.

Calm after the Storm

Other steps security professionals in the healthcare industry can take are more general and help to avoid the reputational and financial damage that a data breach can cause. Ransom demands vary, but Hollywood Presbyterian Medical Center was recently reported to have paid $17,000 after negotiations during which nearly 1,000 patients had to be relocated to other hospitals.

As data flows throughout an organization in support of business processes and functions, identifying where sensitive data is located, where it is going and who in the organization is ultimately accountable for its security is a must-have exercise. By preventing the gaps that a traditional, silo-based approach can overlook, end users can be more effective with data and adopt innovations that enhance business processes and functions.

The job of protecting private information, medical records and other sensitive PHI is difficult and complex at best. Whether the threat is a rogue employee or the latest ransomware, healthcare data security practitioners in data-driven organizations need to proactively support and encourage a culture of data awareness, securing data at rest and understanding users in order to enable them within context, with the right data, in the right place and at the right time.

Holding data hostage is just as profitable for criminals as trading it on the dark web, and these latest threats should serve as a warning beacon to medical facilities to evaluate the systems, equipment and processes they employ to protect sensitive information against the data security threats we face today. The vulnerabilities and threat vectors faced by hospitals and other medical facilities are growing fast, and everybody should be aware of the value of data and the need to protect it. Without the proactive support of everybody touching the data, no security practice can be consistently successful; centrally defined enterprise-wide policies, consistently enforced, keep data protected wherever it is stored, sent or used. ■

About the Author: Suni Munshani joined Protegrity as CEO in May of 2011 to accelerate growth and execute strategies to extend Protegrity's leadership position in the enterprise data security market. He brings more than 25 years of broad and diverse global business experience to Protegrity. Prior to joining Protegrity, Suni was the CEO of Novitaz, a customized data provider for the retail and hospitality sectors. Prior to Novitaz, he served as a managing partner at Persephone Investments, a venture capital firm focused on early-stage investments. While at Persephone, Suni led the firm's investment in Synetics, Inc. and eventually assumed the role of CEO and led Synetics' acquisition by Affiliated Computer Services, a NASDAQ-listed company that was later acquired by Lockheed Martin.
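The article's points about tokenization keeping PHI safe in use and at rest, and about keeping DBAs and other privileged users away from data they do not need, can be shown together in a small vault-based tokenizer with role-gated detokenization. This is an added example written for this page; it is not Protegrity's product or any code from the author. The role names, the `TokenVault` class, the sample patient rows and the idea of keeping the last four digits of the SSN visible are all assumptions made for illustration. It also makes the author's ransomware caveat concrete: the table a DBA (or a piece of malware) can read holds only tokens, which protects confidentiality, but nothing here stops those tokens from being encrypted and held hostage, which is why backups are treated separately.

```python
import secrets

# Constructed sample rows for the example (no real patients).
SAMPLE_PATIENTS = [
    {"mrn": "MRN-1001", "name": "A. Example", "ssn": "123-45-6789"},
    {"mrn": "MRN-1002", "name": "B. Example", "ssn": "987-65-4321"},
]

# Hypothetical least-privilege role model: the DBA and the analyst can run
# queries against every table, but only the billing service, which must file
# claims under the real SSN, holds the right to reverse a token.
ROLE_PERMISSIONS = {
    "dba": {"select"},
    "analyst": {"select"},
    "billing_service": {"select", "detokenize"},
}


class TokenVault:
    """Vault-based tokenization (assumed design, in memory for the example).

    A token is random digits with no mathematical relation to the SSN, so it
    cannot be reversed without a vault lookup; that lookup is gated by role
    and every attempt is recorded. In production the vault would live in a
    separately administered store, not beside the application tables.
    """

    def __init__(self):
        self._by_token = {}   # token  -> 9 SSN digits
        self._by_value = {}   # digits -> token (same SSN always gets the same token)
        self.audit = []       # (role, token) for every detokenize attempt

    def tokenize(self, ssn):
        digits = ssn.replace("-", "")
        if digits in self._by_value:
            return self._by_value[digits]   # stable token keeps joins and counts working
        while True:
            # Keep the last four digits so staff can confirm identity with a
            # patient ("ending in 6789") without ever handling the full number;
            # the leading five are random, not derived from the SSN.
            token = "".join(secrets.choice("0123456789") for _ in range(5)) + digits[-4:]
            if token not in self._by_token and token != digits:
                break
        self._by_token[token] = digits
        self._by_value[digits] = token
        return token

    def detokenize(self, token, role):
        self.audit.append((role, token))    # audited whether or not it succeeds
        if "detokenize" not in ROLE_PERMISSIONS.get(role, set()):
            raise PermissionError(f"role {role!r} may not detokenize")
        d = self._by_token[token]
        return f"{d[:3]}-{d[3:5]}-{d[5:]}"


def load_records(vault, patients=SAMPLE_PATIENTS):
    """What actually reaches the database: tokens only, never the SSN column."""
    return [
        {"mrn": p["mrn"], "name": p["name"], "ssn_token": vault.tokenize(p["ssn"])}
        for p in patients
    ]


def query_as(role, records):
    """A 'SELECT *' by any role that may select returns the tokenized rows as stored."""
    if "select" not in ROLE_PERMISSIONS.get(role, set()):
        raise PermissionError(f"role {role!r} may not select")
    return records


if __name__ == "__main__":
    vault = TokenVault()
    rows = load_records(vault)
    print("what the DBA sees:", query_as("dba", rows))
    token = rows[0]["ssn_token"]
    print("billing service detokenizes:", vault.detokenize(token, "billing_service"))
    try:
        vault.detokenize(token, "dba")
    except PermissionError as exc:
        print("DBA blocked:", exc)
    print("audit trail:", vault.audit)
```

The choice to make tokenization deterministic per value (one SSN, one token) is what lets analysts and DBAs keep doing their jobs on the tokenized column; the trade-off is that frequency analysis across records becomes possible, so the vault's mapping, not the token format, carries all of the protection.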
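The paragraph on monitoring "normal" network activity to spot anomalous behavior describes a baseline-and-deviation detection, which is easiest to understand on a concrete signal. The example below, added for this page and not taken from the article or from any vendor, learns each workstation's usual daily fan-out of SMB (TCP/445) connections and flags a host that suddenly reaches far more peers, the pattern a ransomware strain spreading across file shares produces. The log line format, the hosts, the seven-day learning window and the `3σ` plus absolute-floor threshold are all assumptions; the flow lines are constructed, not captured from any real network.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Assumed firewall/NetFlow-style line format for the example.
FLOW_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_flows(lines):
    """Yield (day, src, dst, dport) tuples, silently skipping malformed lines."""
    for line in lines:
        m = FLOW_RE.match(line)
        if m:
            yield m["day"], m["src"], m["dst"], int(m["dport"])


def daily_fanout(flows, port=445):
    """src -> day -> set of distinct destinations contacted on `port`."""
    fan = defaultdict(lambda: defaultdict(set))
    for day, src, dst, dport in flows:
        if dport == port:
            fan[src][day].add(dst)
    return fan


def find_anomalies(fan, eval_day, min_history=5, sigmas=3.0, floor=2):
    """Score each host's fan-out on eval_day against its own history.

    A host is flagged when today's distinct-destination count exceeds both
    mean + sigmas*stddev and mean + floor. The absolute floor stops a very
    flat baseline (stddev near zero) from flagging a one-host increase, which
    would otherwise bury analysts in noise.
    """
    findings = {}
    for src, per_day in fan.items():
        history = [len(d) for day, d in per_day.items() if day < eval_day]  # ISO dates sort as strings
        today = len(per_day.get(eval_day, set()))
        if len(history) < min_history:
            continue  # not enough baseline yet; do not score a brand-new host
        mu, sigma = mean(history), pstdev(history)
        threshold = max(mu + sigmas * sigma, mu + floor)
        if today > threshold:
            findings[src] = {
                "today": today,
                "baseline_mean": round(mu, 2),
                "threshold": round(threshold, 2),
            }
    return findings


def constructed_flow_lines():
    """Build sample log lines (constructed for the example). Days 1-7 are the
    learning window; day 8 is the day under evaluation. 10.0.2.x are file
    servers, 10.0.1.1xx are peer workstations a spreading infection would hit."""
    plan = {
        "10.0.1.15": [2, 3, 2, 3, 2, 3, 2, 40],  # day 8: worm-like SMB fan-out
        "10.0.1.20": [1, 1, 1, 1, 1, 1, 1, 1],   # flat baseline, unchanged
        "10.0.1.30": [1, 1, 2, 1, 1, 2, 1, 3],   # one above its best day: under the floor
    }
    lines = []
    for src, counts in plan.items():
        for i, n in enumerate(counts, start=1):
            day = f"2016-05-{i:02d}"
            for k in range(n):
                dst = f"10.0.2.{k + 1}" if k < 5 else f"10.0.1.{100 + k}"
                lines.append(f"{day} 09:{k % 60:02d}:00 src={src} dst={dst} dport=445 proto=tcp")
    lines.append("malformed line that the parser must ignore")
    return lines


def run_example(eval_day="2016-05-08"):
    fan = daily_fanout(parse_flows(constructed_flow_lines()))
    return find_anomalies(fan, eval_day)


if __name__ == "__main__":
    for host, info in run_example().items():
        print(f"ANOMALY {host}: {info['today']} SMB peers today, "
              f"baseline {info['baseline_mean']}, threshold {info['threshold']}")
```

Per-host baselines are the point: a file server legitimately talks to hundreds of clients, so a single network-wide threshold would either miss the workstation at 40 peers or page on the server every day. The same structure works for other ransomware-relevant signals, such as the rate of file renames on a share or DNS queries to never-seen domains, by swapping what `daily_fanout` counts.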
