NetWitness’ Edward Schwartz on healthcare security

We recently interviewed Edward Schwartz, chief security officer for IT security firm NetWitness (recently acquired by RSA) to get his thoughts on the move to electronic medical records and the impact on the security and privacy of those records. During his extensive career, Schwartz has served in various executive positions for a number of security vendors including CTO of ManTech Security Technologies Corp, SVP of operations of Guardent Inc. and EVP of operations for Predictive Systems. Schwartz also worked as CISO at Nationwide Insurance. CSOonline: How complex are the security challenges facing the health care industry today?

Schwartz: When you think about it, health care is a much more complex process than payments. There are different entities involved in the process: the payers, the providers, labs, administrators, and consumers. Some of the providers are very, very large entities and they could potentially get the attention of the regulators. There are certainly opportunities for consumers to file breach complaints. They could take private action and have some recourse. But what do you do about the mid-tier and smaller providers? They have very little incentive to do security from a regulatory perspective, at least in most places today. And, frankly, where they are adding security to any degree that is useful is going to introduce additional expense to a model that’s already ridden with so much expense as it is. I don’t see an easy fix to this. And, for consumers, unfortunately the nature of the breach is different. Once your personal health information is made public, you may not be able to get your privacy back.

When it comes to specific security expertise, do you think it makes sense in the healthcare industry for them to outsource traditional security services?

Schwartz: I think what organizations need to do is take a close look at what they’re good at and what they’re not. If you sit down and say, “Listen, we’re a mid-size organization. We’re good at providing healthcare. We’re good at paying the bills for people who submit claims. We’ve got one security person, and we really can’t afford a real security team and real technology.” Then I think it’s time to start thinking about outsourcing.

Where do you think the biggest gaps are between where many health care providers should be and where they actually are?

Schwartz: When you look at it today, you see that even with the best efforts by mature industry sectors with mature approaches to information security still have significant breaches.

The most critical data thefts are still evading legacy technologies and legacy defense and depth types of defenses. If organizations that can today afford to buy the technologies and have the right staff are not successful at stopping some of these data breaches, what hope is there for organizations that are just starting out and don’t have the same level of resources as some of the larger companies? I think it’s a problem.

Part of the problem is there’s a sense that the security practices that have worked for years — database protection, network security, web application security are sufficient. We know that the top attacks include techniques such as SQL injection, cross-site scripting, zero-day malware, all of which require additional efforts to secure. The question becomes whether healthcare organizations are ready and willing to both invest on the technology and the manpower to deal with those problems? If not, then they have to look at alternative models for securing that information.

To fill immediate gaps, health care companies need to start with their data. Look at the data. Look at what they’re making available. Then ask: “Do we have the ability to protect this in today’s environment?” Whether it’s within the internal network, presenting itself on a Website for somebody, or whether it’s a consumer, provider, or payer or a hospital that’s just changing records. They need to understand how they we dealing with the security of this data? If they can’t even do that assessment, that’s a bad sign too. They need to get help with that.

Do you expect to see a market for medical identity theft and patient records?

Schwartz: Yes, but there’s more to it. Think of the deluge of data out there that is available to cyber criminals, nation-states, and others. Then put yourself in the shoes of an intelligence organization or a criminal group that’s looking to break in somewhere. The more information you have about someone and the more you know about their vulnerabilities or other factors about these individuals, the better the picture you have of potential avenues of attack. So beyond the obviously deeply personal information contained in electronic medical records, there’s also intelligence value for nation states. There is value to cyber criminals, relative to finding weaknesses within organizations. There may be human weaknesses that they could exploit or they can offer financial incentives to individuals to cooperate with them.

What do you think the long term answer to keeping medical records secure will be?

Schwartz: I think we are going to see a services model become more pervasive in health care. That is the only way this move to electronic medical records are going to work. We are going to need big service providers to step in and provide traditional and cloud based services along every aspect of the delivery chain. There is a huge opportunity for service providers to not only provide secure medical record services, but traditional services such as business continuity, resilience, and of course security and privacy related services. Certainly at the low end and the mid-tier, these organizations, even if they can afford to invest in these things on their own, without the help of service providers, they’re just going to end up doing a bad job of it. Nothing personal there, but that’s just the way it is.