
Recently, I had the opportunity to read "Eye of the Storm – Key findings from the 2012 Global State of Information Security Survey," published by PwC (PricewaterhouseCoopers). While the study is vendor, technology, industry and geography neutral, it really crystallized the angst that most of our healthcare clients are experiencing. Consider some of the Key Findings detailed in their survey and their applicability to healthcare:

- Client requirements and compliance are the greatest drivers of information security change/investment: Between HIPAA/HITECH, EMR meaningful use, and the rise of the Business Associate Agreement, the need to prove security/compliance to key stakeholders (customers, management, and auditors) is escalating rapidly, all at the same time.
- Companies now have greater insight than they've ever had into cybercrimes and other incidents: While I (non-strongly) agree with this statement in general, I definitely don't see this in healthcare. I think my clients in healthcare feel the same way, which leads to that awful feeling of "I know what I don't know." I would argue that most organizations lack effective incident detection mechanisms (especially for Advanced Persistent Threats), and even those that do often have insufficient Incident Response capacity. We have seen a notable increase in the number of forensic investigations we have performed in the healthcare vertical over the last 9-month period.
- One of the most dangerous cyber threats is an Advanced Persistent Threat attack: Generally speaking, more mature Information Security Management Systems are required to prevent and/or detect these attacks. The lack of funding/attention paid to HIPAA after its initial release, coupled with the significant and rapid rise in attention, investment, new technology, and the associated risk (e.g., healthcare identity theft), has resulted in rapidly evolving (and hence immature) Information Security Management Systems in many healthcare organizations. Once EMR and mobility initiatives are fully deployed and stabilized, I am hoping that we will see a move to the managerial, operational and supporting technical controls (e.g., NAC, SEM, IDM, Security Awareness Training, ISO 27001) necessary to address these types of attacks.
- Managing the security-related risks associated with partners, vendors and suppliers has always been an issue. It's getting worse: While this is an issue everywhere, HITECH moved it front and center in the healthcare space. In the complex processes that support patient care and the ensuing payments for it, virtually every healthcare organization relies on a myriad of third-party vendors for key services. Unfortunately, most lack sufficiently sophisticated Vendor Risk Management programs to identify which vendors require due diligence, determine the extent/rigor of the validation, deliver (or review) the assessments, and govern/monitor the process to manage security incidents and address deviations from contracted security levels. As I've noted before, one area that gets "sticky" is "sixth party risk" (managing the risk associated with your vendors' vendors).
- The percentage of CXOs confident in the effectiveness of their information security activities has fallen from 84% to 72% over the last 7 years: My strong suspicion is that the dip in healthcare confidence exceeds that in most industries, with the possible exception of Energy.
- Mobile devices and social media represent a significant new line of risk – and defense: The healthcare industry has perhaps the greatest demand for mobility, and hence the greatest challenge. Interestingly, only 37% of respondents reported having a security strategy for mobile devices. We have noted that some of our clients that do have a security strategy for mobile devices have not extended it to address employee use of personal devices.
While the findings regarding "the eye of the storm" were cross-industry, it's clear that many of the most notable findings are current, and significant, pain points for healthcare information security.
As PwC also points out, at the 10,000-foot level the "answer" is easy:
- Leadership
- Strategy
- Alignment with the business
- Customer-centric approach
The challenge is executing at ground level.
About the Author:
John Verry (CISA, 27001 Certified Lead Auditor, CCSE, CRISC) is Pivot Point's resident "Security Sherpa". He is lucky enough to spend most of his day helping clients develop a road map to address security, compliance, and attestation requirements.