Guest post by Jay Schulman, managing principal, Cigital.
Throughout the past two years, if you’re like me, you’ve had your credit card number stolen a number of times. I’m up to six. In one case, someone purchased a $500 TV with my stolen card information. Yet, I sit here today having lost nothing. Every bank and institution has made me whole. The money that was taken was quickly replaced. While I can complain about the inconvenience, I haven’t lost anything.
The financial industry has the luxury of replacing what was taken. The healthcare industry does not.
Once your medical record is stolen, there is no way for the institution to take that information back. If an electronic medical record (EMR) or MRI system is breached, the information and images are out in the open. While the credit card companies can trace fraud back to a common source, it’s very hard for healthcare companies to figure out who has been breached. That’s why the security of healthcare information is so important.
While many healthcare organizations are HIPAA compliant, that only reflects their ability to properly control personal health information. It doesn’t necessarily mean the organization is secure.
As a healthcare organization, you need to take a holistic approach to secure your environment. This includes:
- Understanding your portfolio – what applications and systems are in your environment? Understanding the applications, their development languages, what data they store and access, and other pertinent data points are key to understanding your portfolio. Understanding what needs to be secured is a critical and often missed first step.
- Assessing the risk of the portfolio and making priorities. It’s easy to say “anything with personal health information (PHI) needs to be secured.” But, do you understand where PHI is stored or what areas of the network or systems can access systems with PHI? The retail breaches of the past two years have taught us that attackers aren’t always going directly to the critical systems but instead to weak links in the environment. Those weak links can give an attacker access to your data.
- Performing a threat model to properly understand those weaknesses. A threat model looks at an environment, who the actors are that can breach your system, and what actions they could perform (steal data or cause a denial of service for example). Given the results of the threat model, you can develop a new ranking of the portfolio.
- Determining the best ways to improve the security of the environment. If your organization outsources most of its software development or primarily buys commercial software, assessing the vendors’ risk is important. Otherwise, how can you be sure that they know how to write secure software? With medical devices, being able to assess the risk and impact of the device to your environment before you put it on your network is essential. Two years ago, many hospitals would assume the device was secure. Today many are starting to assume it is not.
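To make the “weak link” point in the steps above concrete, here is an added example (not code from the original post or from Cigital) that models a small hospital portfolio and ranks the systems that hold no PHI themselves but can reach PHI-holding systems over the network. The inventory, the system names, the network links and the three-level exposure scale are all constructed for illustration.

```python
"""Added example: rank non-PHI systems by how many PHI-holding systems they
can reach over the network, weighted by how exposed they are.
Everything in INVENTORY is constructed; nothing here describes a real site."""
from collections import deque

# Constructed inventory. 'phi' marks systems that store or serve PHI.
# 'exposure' is an assumed scale: 1 = internal only, 2 = vendor remote
# access, 3 = public or internet facing. 'links' lists the systems this one
# can open network connections to (the output of the portfolio inventory).
INVENTORY = {
    "emr":     {"phi": True,  "exposure": 1, "links": ["mri", "backup"]},
    "mri":     {"phi": True,  "exposure": 2, "links": []},
    "backup":  {"phi": True,  "exposure": 1, "links": []},
    "hvac":    {"phi": False, "exposure": 2, "links": ["emr"]},
    "kiosk":   {"phi": False, "exposure": 3, "links": ["hvac"]},
    "website": {"phi": False, "exposure": 3, "links": []},
}


def reachable_phi(inventory, start):
    """Breadth-first walk over network links from `start`; returns the set of
    PHI-holding systems reachable from it (the start itself is excluded)."""
    seen = {start}
    queue = deque([start])
    phi_hits = set()
    while queue:
        node = queue.popleft()
        for nxt in inventory[node]["links"]:
            if nxt in seen:
                continue
            seen.add(nxt)
            if inventory[nxt]["phi"]:
                phi_hits.add(nxt)
            queue.append(nxt)
    return phi_hits


def rank_weak_links(inventory):
    """Score each non-PHI system as exposure * (number of PHI systems it can
    reach) and return (name, score, reachable PHI systems) sorted highest
    risk first. A system that reaches no PHI system scores 0."""
    ranked = []
    for name, attrs in inventory.items():
        if attrs["phi"]:
            continue
        hits = reachable_phi(inventory, name)
        ranked.append((name, attrs["exposure"] * len(hits), sorted(hits)))
    ranked.sort(key=lambda row: (-row[1], row[0]))
    return ranked


if __name__ == "__main__":
    for name, score, hits in rank_weak_links(INVENTORY):
        print(f"{name:8} score={score:2}  reaches PHI on: {hits or 'nothing'}")
```

In the constructed data the public kiosk ranks first even though it holds no PHI, because it can reach the building-management system, which in turn can reach the EMR and everything the EMR talks to. That is the ranking the threat model in the next step should refine with the actors and actions that apply to each path.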
If you write your own applications, an assessment and roadmap to improve the security of your own software is the beginning of building out a Software Security Group (SSG). An SSG can sustainably manage and improve the security of your software.
We are at a crossroads in healthcare today. As an industry, we have treated financial data as having to be more secure than healthcare data. I believe that tide is turning. Through its 510k assessment process, the FDA is making sure medical device companies are evaluating information security risks. We are starting to see hospitals hire CISOs and build information security teams to secure their environments.
Taking a holistic approach may be the difference in creating an effective security program.