Privacy & security: ‘theater’ vs. reality
July 2, 2015 in Medical Technology
At the Healthcare IT News Privacy Security Forum in Chicago on Wednesday, Jim Goddard, executive director of Kaiser Permanente’s Cyber Risk Defense Center, made the case that healthcare organizations too often depend on security protections that aren’t much more than “theater.”
As awareness – if not panic – about the true scale and complexity of the risk has grown in recent years, many hospitals and health systems have upped their security budgets and spent freely on technologies they hope will protect them from the shadowy hackers taking aim at their IT systems.
But Goddard suggested a more nuanced approach is needed – a “delicate balancing act” that makes smart use of technology while also capitalizing on a people-based approach to protecting patient privacy.
“Breaches are more frequent and more destructive than they’ve ever been,” said Goddard, and the problem is “doing nothing but getting worse.”
Even so, many health organizations are operating under the “illusion that we can take 20 years of accelerating complexity, 20 years of risk being added to our environment,” and simply “come in with one tool and eliminate it,” said Goddard.
It’s only human nature to think that way, he reasons: “Humans love simplicity.”
The idea that bulking up security technology – firewalls, other intrusion prevention tools – will put up impenetrable walls around hospitals’ troves of invaluable data is appealing, of course.
It’s also incorrect. Worse, it “skews the way we invest,” said Goddard. “We invest less in people because we want cool new shiny tools.”
Tools, he said, that “give us false comfort.”
Too many corners of the industry suffer from a “myopic focus on prevention,” said Goddard. “We build walls, and when walls fail we build another wall.”
Hackers “only have to find one hole,” he said. And “once someone gets past the wall, they can hang around for months or years,” undetected.
Rather than prevention, the focus should be more on detection and response, said Goddard. That requires smart staffing, much more than technology.
“We need human intelligence – people who have had experiences,” he said. “It goes way beyond organizational knowledge.”
By combining that human insight with “innovative” technology and what Goddard calls process fusion – a strategy that “ties the people with the tools” – Kaiser has been able to make some serious strides in risk reduction, he said.
The focus shouldn’t just be on technology: it should be on “how does technology enable our intelligence,” he said. “Security is collaborative business.”
As if to prove Goddard’s point, in the next session at the Privacy Security Forum, Kevin Johnson, an ethical hacker whose exploits have been highlighted many times on this site, spent an hour showing the audience just how vulnerable that pocket-sized computer in your hand really is – and why it’s ultimately up to the user, not any real or imaginary technology safeguards, to keep its data secure.
With mobile devices and their myriad apps now here to stay, Johnson led the audience in a workshop that demonstrated tools and techniques for doing penetration testing of smartphones and apps, offering attendees the knowledge to help uncover the security risks inherent in so many mobile devices.
“If you can’t test it, you probably shouldn’t use it,” said Johnson, who showed how smartphones’ increased computing power means increased data – and increased risk – a reality about which many organizations embracing BYOD policies sometimes seem only vaguely aware.
Johnson knows whence he speaks – he once hacked into a Fitbit so it would show him walking 8,700 miles in a single day – and he sought to give the audience the insight necessary to make the right decisions about the storage and transmission of sensitive smartphone data.
In detail, he showed how apps are oftentimes wide open to potential misuse – unencrypted and communicating freely with untold numbers of unknown third parties.
“Mobile devices are making privacy difficult,” he said. “Consumers, developers and organizations need to evaluate what they are doing.”
That can only come from one place, said Johnson: “Privacy is about protecting your information … the responsibility is yours.”