Security Technology Executive

NOV-DEC 2017


The HIPAA security rule covers only 19 of the elements contained in the CSF.

The myth of a "secured perimeter" is becoming outdated, as BYOD, IoT, and interdependencies between interconnected covered entities have blurred traditional boundaries. Adopting continuous improvement as a measurable performance goal helps insulate healthcare organizations from stagnation.

8 Develop a formal risk management process

Finally, executives should be fully engaged in the risk management process. Every incident that negatively impacts either confidentiality, integrity, or availability should have a root cause analysis performed. For the integrated delivery team's disaster referred to in the introduction, the root cause can be traced back to an under-scoped risk assessment, managers who misunderstood and even downplayed the impact of critical risks, and a lack of executive leadership that allowed risk management decisions to be made too low in the management hierarchy. Those same lower-level managers identified the risks, but their overconfidence in legacy technology led to poor design decisions. In the end, the "system" was ill-prepared to respond to a visible threat due to organizational inertia, even when the threat was identified before the attack.

Summary

The executives in this specific example never had an opportunity to learn that newer technologies, quicker communications, avoiding unnecessary risks, and better planning could all have saved them. Without warning and only weeks after launch, a small perimeter breach quickly escalated into a catastrophic event. The alerting system detected the threat before the initial breach, but the communications process was not able to alert executives to change course. A root cause analysis later proved that internal segmentation was not designed to adequately contain the breach once it occurred, so the internal damage control systems were overwhelmed. After the threat successfully breached the perimeter, calls for external assistance were unable to reach outside help because the regulations at the time were decades behind current technology. Thus no one was listening for a distress call in the middle of the night. When the executives recognized all that was lost, they also understood that their disaster recovery plan, e.g., the number of lifeboats, did not have the capacity to save all the passengers and crew. So, on that cold April night over 105 years ago, 2,224 users learned that a small hole in the perimeter, totaling just 1.1 square meters, was enough to sink the Titanic in two hours.

About the Author: Clyde Hewitt, CISSP, CHS, is vice president of security strategy at CynergisTek. He brings more than 30 years of executive leadership experience in cybersecurity to his position with CynergisTek, where his many responsibilities include being the senior security advisor and client executive, thought leader and developer of strategic direction for information and cybersecurity services, nationwide business development lead for security services, and contributor to CynergisTek's industry outreach and educational events.
