Cyber risk management in healthcare

Page 2 of 2

ISACA and KPMG have weighed in on this and it’s clearly an issue. ISACA states: “Information security is not only a technical issue, but a business and governance challenge that involves adequate risk management, reporting and accountability. Effective security requires the active involvement of executives to assess emerging threats and the organization’s response to them.” “To achieve effectiveness and sustainability in today’s complex, interconnected world, information security must be addressed at the highest levels of the organization, not regarded as a technical specialty relegated to the IT department.” (Information Security Governance, 2nd edition)

Number 2: organizations are simply not aware of compliance, or are just not doing it.

The 2014 Verizon PCI DSS report stated that only 11 percent of companies passed all 12 PCI DSS requirements. This report was for PCI, not HIPAA, but the trend is the same wherever we look, excluding the financial sector. The financial sector is highly regulated, and this seems to make a big difference: it’s the most attacked because it’s where the money is, and it’s the best in compliance. But as I have stated before, compliance is the minimum! So it’s unfortunate we can’t even get everyone on board here; no wonder cyber criminals enjoy such easy access to so many organizations.

Let’s define compliance vs. security. As I recently stated in a quote in the Nov. 17 issue of Fortune, “How Frank Blake kept his legacy from being hacked”: “Compliance is backward-looking and static, and security is forward-looking, dynamic, and intelligent.” Compliance is the foundation for security; it’s the minimum.

Number 3: just where are organizations failing on compliance? Policies are not in place. I’m talking about a cyber-security policy, an acceptable use policy, a remote access policy, a wireless access policy, and a BYOD policy, to name a few. Policy sets the stage; it tells everyone the CEO gets it and that all users play a critical role in properly managing risk within the organization. This includes your vendors. Remember, Target had a vendor issue.

We see very little pen testing. Shore Break Security's Mark Wolfgang advocates continuous pen testing. He says if you are hacked quarterly, then scan quarterly. Otherwise, if you are like most organizations, which are hacked daily, pen test and scan daily. This is a game changer and companies need to look closely at it; it’s a sure win for our side!

We also see too many administrator accounts, or too many users with rights above and beyond what they need to do their jobs, which violates the principle of least privilege. We see poor passwords and little or no user security awareness training. Humans are usually the weakest link, and cyber criminals constantly exploit this by sending a phishing email to an unsuspecting user who is willing to click on that malicious attachment or link.

Number 4: technology. Remember that, as a minimum, you need a firewall that is actively managed, an intrusion prevention/detection system, anti-virus on all devices, a web filtering appliance, an email filtering appliance, and a sandbox device such as FireEye or Fortinet type technology. This sandbox technology is now needed to combat zero-day exploits; it catches Advanced Persistent Threats that firewalls and anti-virus can’t detect or block. We constantly see outdated or unmanaged firewalls, or no one looking at any device logs. Stay away from any product that claims to be a magic bullet; they will say, “this will solve all your security and compliance issues.” It’s never that simple.

Number 5: risk assessments. When they are mandated by law they are often done, but not always in a manner that actually reduces risk. Sometimes organizations self-assess. This is a great first step, but when checking your own work you will always miss what an independent audit can find. Make sure you are looking at the actual risk to the data you plan on protecting. If you don’t know where the data is, how can you assure it’s protected? You can’t!

Number 6: this is cyber security at its best. If you are doing one through five, then you are likely compliant. Now it's time to concentrate on that dynamic and forward-looking area called security. Reach out to information sharing organizations like US-CERT or the FBI InfraGard program; they allow you to get out of the silo and plug into what’s happening in other organizations. They allow you to share attack intelligence and methods of protection. It’s like a neighborhood watch for your cyber business operations. Look at Splunk and similar technologies that employ data analytics to detect Indicators of Compromise that could slip through everything else you have in place.

Besides the fact that the Internet was not designed to be secure, we moved everything we had to it and did not consider the risk. To make matters worse, we don’t always get a communication path to the CEO; all too often we try to push enterprise risk management from the bottom up, especially if the IT department is in charge of a part of it like cyber security. IT security is about managing IT devices within the IT department; on its own, it does not cover managing and securing all corporate data. It’s corporate governance and data governance that enable a chief risk officer to manage risk across the enterprise by working with all departments, including the IT department, but not reporting to them. It must start with the CEO!

Finally, the 2014 SANS State of Cyber Security in Healthcare report highlights the challenges ahead.

“This past year (2014) brought heightened recognition that health care information and health care identity are worth money—and that the bad guys can and will launch cyber-attacks against vulnerable health care networks. According to an article in United States Cybersecurity Magazine, the health care industry has seen more targets being discussed in 2014 than any other year.”

The report also stated that trends in mobile and cloud computing are game changers, as they require more specialized skills and knowledge to assure compliance and security are in place. Healthcare faces the same new and evolving threat vectors that all organizations face, but healthcare has its own unique challenges: regulators, a stretched healthcare system, and doing more with less, while somehow still needing to get everyone on board in managing risk to all this health data that is being demanded by patients and the industry within the current healthcare ecosystem. All of our healthcare records are at risk. This is really getting very personal, so let’s fix this problem now!

George Grachis, CISA, CISSP, is a senior consultant with Maxis360, located in Orlando. He can be reached at or

Copyright © 2015 IDG Communications, Inc.
