Are you looking to fortify your healthcare organization’s information security practices, but aren’t sure where to start? Maybe you’ve heard a rule-of-thumb about how much budget you should allocate towards these services, but aren’t sure if that’s realistic for your company? Or, just how safe is it to move your data to the cloud?
These are just some of the questions we covered in Forcura’s recent webinar, “Fortify Your Organization’s Cyber Security With Proactive Strategies.” Forcura Chief Information Security Officer Eric VanTassel and guest panelists Ian Bush, President of Quadrant Information Security, and Justin Bain, IT and Cyber Security Officer for Visiting Nurse Service of New York, gave real-world advice to our audience of healthcare providers just like you. Five of them are recapped below for your convenience.
Q: Where do you start in developing a Risk Assessment?
A: Eric: Start by inventorying the assets in your organization that are at risk to a cyber security attack. This could include patient data, hardware like laptops and servers, and applications. Once you have a list of what is vulnerable, then you can evaluate the inherent risk to each, the mitigating controls to those risks that are in place and that will give you the residual risk. This gives you the blueprint for where you have the most risk and that can help in prioritizing where you need additional mitigating controls.
Justin: I've worked for both large and small businesses, and the smaller businesses would really benefit by going to the HealthIT.gov website to get the security risk assessment tool that they've developed. It's great for small business because it will walk you through the HIPAA risk assessment. It's not the full cyber security that I would recommend, but it's a starting place and at least you'll have gone through that one time, before you go out and get a third party to do it for you next time.
Q: What other actions can we take to improve our understanding of risk?
A: Eric: Engaging with a third party to review your policies and procedures, the risk assessment and your overall information security program is a good start. Some of the third parties can do much more to help you understand your risk including conducting vulnerability scans and penetration tests, which can often identify critical holes in your security posture that need to be addressed quickly.
Q: Would you say the cost of reputable, web-based software vendors should be part of the 5 to 15% allocation experts suggest should come out of the budget for security costs?
A: Ian: It really depends on how that software is being leveraged, but when you think of security-related technologies and the people responsible for managing those as well as vendors, that doesn't necessarily mean it can't be included. You should think about what's your budget for third-party consulting, what's your budget for your technology surrounding SIM and endpoint, and managing incident response.
Eric: Things like penetration testing and vulnerability assessments are definitely part of that equation. You could spend 100% of your budget just trying to secure your infrastructure, and that's probably not enough. Really, you're trying to put the money in the right places to get the biggest bang for your buck. And that's how you're going to sell it to the executives.
Q: How much extra security could an organization achieve by eliminating all locally-stored data and putting everything in the hands of a secure cloud solution?
A: Justin: I've been a big proponent in my organization for moving to cloud services for document storage. The benefit is that it has a lot of the tools and security properties built into it, so that all you have to do is turn them on. Now you do have to turn them on, which means usually finding someone who knows how to do that, and that does have a cost associated with it, but you flip the switch and it just kind of hums along in the background. If you have to retrofit your on-premise servers to do that same work, it takes a lot longer and has a lot bigger lift, whereas if you can move it to a cloud service, those security use cases, whatever they may be, are being taken care of. Things like data loss prevention, revoking access to a file after it has been shared, encrypting – all of those things are easier to do in the cloud than it is necessarily to do with an on-premise environment.
Ian: I’m a big fan of cloud; we deal with it quite a bit since our solutions exist in the cloud. We have customers that have a blended approach, but just keep in mind, the attackers are getting more and more sophisticated too. You're dealing with organized criminal-type hacking organizations, even state- and nation-sponsored perpetrators. My point is they know where that data is going, but for the most part, I agree. I think there's still going to be some limitations, so there's no easy answer here. There's no one-stop shopping.
Eric: The term “secure cloud solution” is a little bit of a misnomer. There's a shared responsibility to the security for any cloud implementation. If you are not doing your portion of that shared responsibility model, then you're not secure and that cloud is not secure. There are plenty of instances where someone left an S3 bucket publicly exposed, or an RDS database publicly exposed or something like that. It's not Amazon or Azure or Google cloud's fault when that exists, that is on the company. So just because you're in the cloud does not remove your responsibility for securing that infrastructure.
Q: Do you believe the problems facing companies today will ever go away, or will we at least see a decline in threats effecting organizations?
A: Ian: I've been in this space now almost 20 years, and I can tell you it's gotten a lot worse than where it was 15 years ago. It's a constant game of cat-and-mouse. They're getting more and more sophisticated and it's our job as the good guys to stay in lockstep and be just as sharp. Companies are trying to operate more efficiently. They're trying to be more paperless. They're trying to put information on the internet. They're trying to make things quicker and more available to their their customers. That means data is going online and there's risk associated with that. So unfortunately, I don't think it's going away. If you are a security practitioner, it's job security for you. Just stay on top of it. It's going to get worse, and I don't mean to scare anyone, but it is what it is.
Want to hear more from these IT security practitioners? Check out the webinar on-demand for more information about:
- How to build and maintain your cyber security on a budget,
- How to gain buy-in from executives to optimize a program,
- How you might compare a boutique security vendor to a larger one, and
- How you can best prepare your colleagues and leaders for a security breach.
