BreachExchange mailing list archives

Want to beat auditors and adversaries? Think like an attacker


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 21 Nov 2014 18:48:50 -0700

http://www.govhealthit.com/news/want-beat-auditors-and-adversaries-think-attacker

Security is always a top concern, but the stakes are particularly high in
the healthcare industry. The Department of Health and Human Services Office
for Civil Rights (OCR) is conducting a tough new round of “desk” audits to
measure HIPAA compliance, and their enforcement action against Concentra
Health Services earlier this year is proof they’re not messing around.

Their investigation of Concentra discovered that assessments conducted by
the company had identified risks (specifically a lack of encryption on
laptops) that they failed to address prior to a laptop being stolen from
one of its facilities. Concentra was also found to have insufficient
security management processes in place to protect personal health
information. They were fined $1.7 million.

And if the OCR doesn’t catch you slacking on the security front, hackers
still might. Community Health Systems, which operates 206 hospitals across
the United States, recently revealed that hackers broke into its computers
and stole data on 4.5 million patients. This includes names, Social
Security numbers, physical addresses, birthdays and telephone numbers. In
addition to dealing with fines, Community Health will feel the impact of
this breach in its patient numbers. Would you go back to a hospital that
put you at risk of identity fraud? I didn’t think so.

Unless you’re ready to accept millions of dollars in fines or a massive
data breach as regular costs of doing business, it’s time to get serious
about risk assessments and risk management. They’re the keys to surviving
and thriving in this new environment.

Your organization has probably made substantial investments in security
technology. In addition to network firewalls and endpoint protection
products, you’ve likely deployed data encryption technology, intrusion
detection and prevention systems, vulnerability scanners and log management
software, to name a few solutions.

Those tools are important, but are the IT security dollars you are spending
today significantly reducing your exposure to risk? Will your current
security controls convince auditors that your IT environment and EHR system
have been adequately secured against inadvertent data loss and deliberate
intrusions? Simply running periodic vulnerability scans, monitoring
security events and tuning device configurations is not enough. In fact,
the result is a mountain of data that takes time and valuable resources to
process, and in most cases your teams are already strapped for time. You
need a way to narrow your focus to the most vulnerable points of your
network and applications.

You can (and should) take your security program a step further with attack
intelligence. This requires looking at your organization through the eyes
of an attacker. Understanding how real adversaries will behave in your
environment is critical to understanding which vulnerabilities pose the
greatest threat to your organization, so you can plan your defense strategy
accordingly.

Think of it this way: if a vulnerability somewhere within your organization
could lead an attacker only as far as this week’s lunch menu, is it a
priority? Is it an area where you should be focusing your limited
resources? Of course not. But if a vulnerability could lead an attacker all
the way to the medical record application servers or the backend databases
that hold ePHI, it must be addressed immediately. Attack intelligence
enables you to cut through the noise and focus on protecting the crown
jewels.

If you can predict where the hackers will strike and build your defenses
accordingly, you will find the major security gaps before the “bad guys”
(or the “good guys” looking out for patients’ right to privacy) beat you to
it.
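The prioritisation the article argues for can be made concrete by modelling
the network as an attack graph and ranking each finding by how many paths to
the crown jewels it sits on, rather than by its severity score alone. The
following is an added example written for this archive page, not code from
the article or from its author: the hosts, trust edges, finding identifiers
and CVSS values are all constructed sample data, and the scoring rule (paths
to ePHI first, CVSS only as a tie-break) is an assumption chosen to illustrate
the point.

```python
"""Attack-path prioritisation over a constructed network model (added example)."""

# Constructed sample network: host -> hosts it has a network/trust edge to.
# "internet" is the attacker's starting position.
NETWORK = {
    "internet": ["web-portal", "vpn"],
    "web-portal": ["cafeteria-menu", "app-ehr"],
    "vpn": ["workstation-07"],
    "workstation-07": ["app-ehr"],
    "app-ehr": ["db-ephi"],
    "cafeteria-menu": [],
    "db-ephi": [],
}

# Constructed findings: (finding id, host, CVSS base score). All values are made up.
FINDINGS = [
    ("F-1", "cafeteria-menu", 9.8),  # highest score, but the host is a dead end
    ("F-2", "web-portal", 7.5),
    ("F-3", "vpn", 6.1),
    ("F-4", "workstation-07", 5.3),
    ("F-5", "app-ehr", 6.5),          # lower score, but the only route to ePHI
]

# Assumed crown jewel: the backend store holding ePHI.
CROWN_JEWELS = {"db-ephi"}


def attack_paths(network, findings, jewels, start="internet"):
    """Enumerate simple paths from `start` to any crown jewel.

    Assumption: an attacker can pivot onto a host only if it carries an open
    finding, and arriving at a crown jewel ends the path (a compromised app
    server with a trust edge into the database is counted as reaching ePHI).
    """
    exploitable = {host for _, host, _ in findings}
    paths = []

    def dfs(host, path):
        for nxt in network.get(host, []):
            if nxt in path:          # keep paths simple, no cycles
                continue
            if nxt in jewels:
                paths.append(path + [nxt])
            elif nxt in exploitable:
                dfs(nxt, path + [nxt])

    dfs(start, [start])
    return paths


def prioritise(network, findings, jewels):
    """Rank findings: most crown-jewel paths first, CVSS breaks ties, off-path last.

    Returns a list of (finding id, host, cvss, number of paths the host is on).
    """
    paths = attack_paths(network, findings, jewels)
    ranked = [
        (fid, host, cvss, sum(1 for p in paths if host in p))
        for fid, host, cvss in findings
    ]
    ranked.sort(key=lambda r: (-r[3], -r[2]))
    return ranked


def remediation_plan(network, findings, jewels):
    """Greedy plan: fix the top-ranked finding, recompute, stop when no path remains."""
    open_findings = list(findings)
    plan = []
    while attack_paths(network, open_findings, jewels):
        top = prioritise(network, open_findings, jewels)[0]
        plan.append(top[0])
        open_findings = [f for f in open_findings if f[0] != top[0]]
    return plan


if __name__ == "__main__":
    print("CVSS-only order:", [f[0] for f in sorted(FINDINGS, key=lambda f: -f[2])])
    print("Attack-path order:", [r[0] for r in prioritise(NETWORK, FINDINGS, CROWN_JEWELS)])
    print("Minimal plan to close all paths to ePHI:", remediation_plan(NETWORK, FINDINGS, CROWN_JEWELS))
```

On this sample the CVSS-only queue would start with F-1, the 9.8 on the
cafeteria menu server, which leads nowhere. The attack-path ranking instead
puts F-5 first because the EHR application server is the chokepoint on both
routes to the ePHI database, and the greedy plan shows that fixing that one
finding closes every modelled path. Real environments need the graph built
from actual segmentation, credentials and trust relationships, but the
prioritisation logic is the same.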

This strategy will help your program meet crucial industry regulations,
make your security team more efficient, and most importantly, protect
patients. So take a hard look at your security program through the eyes of
an attacker.

Do you like what you see?
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
