Top security needs philosophical shift
August 30, 2014 in Medical Technology
If you knew that assailants or robbers had continuous access to your house, how would that change the way you manage home security? And if the door and window locks, fences, even the big-ticket alarm systems were not enough?
One option: You might assume every time you walk inside that someone is lying in wait.
That’s a core tenet of the Assumption of Breach methodology that Seattle Children’s Hospital Chief Information Security Officer Cris Ewell intends to delve into at the HIMSS Media and Healthcare IT News Privacy and Security Forum in Boston Sept. 8-9.
Here, Ewell speaks about the methodology, what he considers the three types of adversaries to guard against, and the need for balancing both risk and federal regulations.
Q: The title of your session is The New Security Reality: Assume the Breach and Reduce Your Risk, wherein you are slated to discuss the Assumption of Breach concept. What is AOB all about?
A: In today’s world, security controls just are not enough to protect an organization against the cyber threats that are out there, both internal and external, and if you solely rely on the very prescriptive controls, whether you believe in NIST, ISO, HIPAA or any of those things, it’s the wrong philosophy to take from a very strategic point. And so AOB is ‘forget about protecting the perimeter’ because that philosophy is gone. You can’t put up larger walls, you can’t post more guards, you can’t do those things to keep the people out, therefore change your philosophy to ‘they’re already inside.’ Now what would you do to protect that information?
[Learn more: Privacy and Security Forum]
Q: What sparked the need for AOB at Seattle Children’s?
A: I’ve been doing this kind of philosophy for the last 15 years. It was actually part of my master’s thesis and my doctorate in this particular area looking at how we can change the practices we have because prescriptive controls just don’t work — and we’re seeing that with more and more breaches.
We know there have been firmware breaches, for instance. You can put all the controls you want on a laptop, a computer, a host server, but if the adversary controls the firmware, it doesn’t matter. And we need other philosophies to determine what kind of risk you have in the organization.
Q: You mentioned NIST, ISO and of course HIPPA. There is a perception that HIPAA is actually giving healthcare entities a false feeling of security in that many believe if they comply they’re secure, but the reality is that’s far from true. Are there major problems with these standards or why do you think they’re not enough?
A: I am not a fan of prescriptive controls. The caveat is that you must have someone really strong in risk methodology, how to use risk in an organization and how to determine when it’s appropriate to have that risk. So you can’t just say ‘no prescriptive controls.’ And the difficulty is we don’t have enough trained information security professionals in risk to really understand what it means and have that strategic discussion at a board level.
But I think there are some good things out of HIPAA, PCI, NIST or ISO or HITRUST or any of the other ones that are out there. They give good guidelines, but if all your controls are based on compliance, you aren’t doing enough. You may be doing too much in some areas — you can way overspend on security and not have any benefit from that.
[See also: CIO talks stepping it up with security.]
Q: So, who do you consider to be those adversaries? Are we talking about state actors, organized crime, your competitors? You mentioned, for instance, trusted partners …
A: I group them in three areas. When I look at the threat actors out there, I have external threats, and those are people that should have no trust, no privilege on your system. Those include state-sponsored events, cybercriminals, former employees, hackers, activists, maybe even terrorist groups. Look at Boston with Anonymous on there. That’s a real scenario that hospitals need to worry about.
Outside of external, then we have those partners. Suppliers, hosting providers, business partners. And then there are the internal. If you look at healthcare in general, I think the largest threats are internal. We still have people losing stuff and if you look at Health and Human Services’ list of breaches with more than 500 records, it’s still stolen computers, lost machines, missing laptops and devices. And then you have the unauthorized access, the snooping. Those are still high events. Those are internal, and we should be able to solve those.
Q: Now for the nearly mandatory question in security discussions: What keeps you up at night?
A: The things that are very difficult to detect. State-sponsored and organized crime. These are the really smart people who are after data. They’re not after one or two medical records, they don’t care about some VIP. The pediatric group is a great area for identity theft because a lot of times parents don’t review the credit-worthiness of their children until they go to college or apply for their first loan. So that’s a treasure trove of a long period of time where you could commit identity theft on those individuals. So that’s what organized crime is looking at: Data for financial gain. Credit card fraud. Pharmaceutical threats, and that’s where we get into prescription fraud and those sorts of crimes. That’s why identity theft is a multi-billion business in the United States.
Q: Your second on the list of adversaries was business partners …
A: It’s just a big unknown. That implied trust that they will do the right things with your data, that’s not good enough for me. I look at the risk and ask ‘okay, you have maybe 500,000 or even 1 million of our records, how are you protecting that information?’ If they answer ‘trust us, we’re protecting it,’ well, that’s just not good enough. And of course HIPAA doesn’t require any type of audit. We have to look at our obligation as a covered entity to ensure those partners are actively protecting our information. This is a really difficult area. And then you have other organizations that say ‘what’s HIPAA?’ The full gamut is a huge risk area for us, so I spend a good amount of my time in contract negotiations. I work very closely with legal to review all those and try to determine what our risk is, how much data they have, how sophisticated they are as an organization, and what influence we can have.
[Learn more: Privacy and Security Forum]