It’s Time to Re-Examine Risk Management

March 30, 2015

Attacks Against Anthem, Others Are a Call to Action

By Bob Chaput, March 27, 2015

Bob Chaput

Just as 9/11 shattered our assumptions about the impregnability of U.S. defense systems, the recent Anthem Inc., Premera Blue Cross and Community Health Systems mega-breaches show that we need a top-to-bottom re-examination of what information risk management really requires.

To be fair, most healthcare boards of directors and C-suite executives have had their hands full just dealing with the Affordable Care Act and the momentous shift from the fee-for-service model to value-based care. That may be the reason why so many healthcare boards and C-suites are either ill-informed or disengaged from information risk management.

“We must move from the technical/tactical/spot-welding approach to a business architectural solution that’s strategic.”

In the wake of the highly publicized Community Health Systems, Anthem and now Premera hacking incidents, most organizations are scrambling to play catch-up – often trying to “checklist” their way to security. By default, and in the absence of board and C-suite direction, this approach is often too technical, too tactical and involves too much spot-welding.

Here are some reasons why it’s not a matter of if, but when, the next Anthem-style disaster strikes:

Most organizations don’t truly understand the scope of the problem. Although the Anthem hacking incident, which affected 78.8 million individuals, made headlines worldwide, hackers only account for about 8 percent of major health data breaches since September 2009, according to the Department of Health and Human Services. The other 92 percent are mainly due to preventable mistakes made by an organization’s own employees and business associates – losing a laptop containing unencrypted PHI, improperly disposing of paper records, “snooping” into and disclosing confidential data, etc. A health system might pat itself on the back for avoiding an Anthem-type breach, then get stung by a smaller scale breach that can still tarnish its reputation and cost millions to remedy.

The value and vulnerability of patient data are increasing dramatically. The anticipated growth of the national eHealth Exchange means that the likelihood of breaches will continue to rise. The exchange is predicted to soon connect hundreds of hospitals and thousands of medical groups. Hackers will no doubt be encouraged by what the Anthem thieves got their hands on: dates of birth, physical and e-mail addresses, and Social Security numbers of nearly 80 million individuals. That’s the equivalent of the entire populations of California, New York, Illinois and Maryland.

Too few organizations have a formal process for benchmarking the maturity of their IRM programs. The healthcare field is way behind other industries in this regard. The FBI said as much in its April 2014 Privacy Industry Notice and its August 2014 Alert. Many manufacturers and retailers routinely use maturity models to test the efficacy of their supply chain management and business intelligence. Healthcare needs to make it a priority to benchmark its IRM programs.

The term “data security expert” doesn’t equate with “risk management expert.” Too many healthcare organizations rely on their IT staff to ward off hackers, forgetting that breaches also come in a variety of low-tech (or no-tech) varieties. Plus the Anthem breach begs the question: What were the “experts” really doing?

Although the hackers did penetrate several layers of Anthem security, they may have gained access to the huge database by using a stolen password. And numerous media reports suggest that Anthem hadn’t bothered to encrypt the database. At the very least, we shouldn’t be making it easier for hackers to do their job. Whether the Anthem hackers were part of an international cyber-espionage team – or just brainy teenagers – doesn’t really matter. Several news organizations are reporting that the insurer will soon exhaust its $100 million cyber-insurance coverage to meet the staggering cost of identity theft repair and credit monitoring.

The healthcare field has “HIPAA compliance” myopia. The Anthem breach proves once and for all that information risk management is much more than a HIPAA compliance issue. IRM has a direct impact on patient safety and quality of care. But even more than that, it’s a discipline that’s essential to the health of a company’s brand and bottom line.

The Anthem breach demonstrates that there’s still a glaring need for better board and C-suite education about what constitutes comprehensive IRM. We must move from the technical/tactical/spot-welding approach to a business architectural solution that’s strategic. To do so, healthcare organizations need to use new benchmarking tools to help them assess the maturity of their IRM initiatives.

If the CHS breach was a wake-up call, the massive Anthem breach was a bugle blaring across healthcare boardrooms and C-suites nationwide. Let’s hope that it rouses leaders to action.

Bob Chaput, CISSP, HCISPP, CRISC, CIPP/US, is CEO of Clearwater Compliance, an information risk management advisory firm based in Nashville, Tenn., that offers an IRM benchmarking tool.

Go to original article…

Third-Party Breaches: Eyeing the Risks

March 27, 2015

BitSight’s Stephen Boyer on the Merits of Continuous Monitoring

By Information Security Media Group, February 17, 2015

Target is the high-profile example, but many organizations have been breached through third-party vulnerabilities. Where are the security gaps, and how can they be filled? BitSight’s Stephen Boyer offers insight.Boyer, CTO and co-founder of BitSight Technologies, sees the Target breach as transformational for the industry. It showed that a CEO could be fired as a direct result of a breach.

“Now what we’re seeing is boards of directors getting much more involved,” Boyer says. “They’re asking questions about cybersecurity performance.”

And they want to know specifically which of your third-party service providers leaves you most vulnerable to a breach.

As organizations examine these relationships, they also increasingly turn to continuous monitoring solutions. “[This movement] is a lot different than typically what has been done in the past, which is ‘how do I get continuous visibility into not just myself, but also my third parties, so I can better understand where the risks are and take action in a timely manner?'”

In an interview about data breaches and third-party risks, Boyer discusses:

  • How recent breaches have deeply impacted organizations;
  • Results of a new Forrester survey of third-party risks;
  • How continuous monitoring can help organizations reduce these risks.

Boyer is the CTO, co-founder, and board member of BitSight Technologies. Previously, he has worked at Saperix, Lincoln Lab and Caldera.

Third-Party Risks

TOM FIELD: In the past year, we’ve seen so many high-profile data breaches. I’m thinking about Target, but certainly that there were others, and they resulted because of third-party vulnerabilities. As I talk with security leaders, I certainly hear their frustration in trying to mitigate something that they can’t control and to prepare their organizations to respond to an incident that really doesn’t happen on their purview. Does that match what you’ve seen in the past year as well?

STEPHEN BOYER: Absolutely. I think you articulated it really well. It has been very transformational over the last year. I would say the Target breach, having the CEO let go from that, has really been a transformational event for the industry. Now what we see is that boards of directors are becoming much more involved. They’re asking questions around cybersecurity performance and also wondering how we are doing with respect to our supply chain and our third parties in trying to mitigate those risks. That’s moving up to the board level.

Additionally, what we’re also seeing is risk transfer options. Companies realize that even if they invest heavily in security and train their staff, there’s always some risk or some threat that they can’t account for that they want to be able to transfer into cyber-insurance. We’re seeing a growth there.

Then, also, we’re seeing legislators perk up and become much more interested and asking more questions than they previously had been, specifically with respect to third-party risk management.

Impact on Breached Organizations

FIELD: You make a good point. I traveled to a lot of places all over the world in the past year, places where you never will find a Target store, but everybody knows about the Target breach because it resulted in the CEO losing his job. When you look back on Target and some of the other high-profile breaches, what do you see as common threads in terms of the impacts on the organizations that were breached?

BOYER: It really kind of depends on the situation of the company and their industry. But what we’ve seen is that companies have moved to an outsourcing model. For all the variety of efficiencies that exist in terms of cost and capability, they have outsourcing open up their networks and provide data to someone else, and they’ve increased that trust relationship, which has been a very difficult thing to manage and mitigate. “I’m now moving the parameter of my company and I’m extending the enterprise out to a variety of different companies.” That could be somebody who’s providing heating and ventilation; that could be someone else who’s providing some sort of IT services. They all have access into data or into the networks, and those are points of vulnerability.

Survey Findings

FIELD: You just conducted a new survey with Forrester that’s on third-party risks. Can you share with me some of the key findings?

 

Read full article…