Fixing Broken Data Governance Programs
Experts Say Mega Breaches Indicate Governance Gone Wrong
The breach at Community Health Systems raises "some of the common issues we've seen at clients, whether they're in healthcare or otherwise," says attorney Ron Raether, partner at the law firm Faruki Ireland & Cox, P.L.L. in an interview with Information Security Media Group.
Those issues include, for example, establishing procedures and practices for quickly addressing software vulnerabilities when they are discovered, says security expert Andrea Hoy, CEO of the consulting firm A. Hoy & Associates, who also took part in the interview.
In the case of Community Health Systems, some security experts believe Chinese hackers gained initial access to the hospital chain's systems, compromising data of 4.5 million patients, by taking advantage of the OpenSSL vulnerability known as Heartbleed.
A software patch to address the Heartbleed flaw was available within three days of the OpenSSL vulnerability being disclosed, Hoy notes. However, the patch apparently wasn't applied by Community Health Systems, she says. "I think vulnerability management was inadequate."
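The point Hoy makes is a vulnerability-management one: a fix existed, and the gap was in tracking which systems still ran the vulnerable build past an acceptable window. The following is an added example, not code from the article or from either firm, of the kind of check such a program would run: it parses OpenSSL version strings, flags builds in the Heartbleed-affected range (1.0.1 through 1.0.1f, fixed in 1.0.1g), and reports hosts still exposed beyond a patch SLA. The inventory, the SLA length, the "today" date, and the patch-availability date (the article's three-day figure applied to the 7 April 2014 disclosure) are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Heartbleed affected OpenSSL 1.0.1 through 1.0.1f; 1.0.1g carried the fix.
FIXED_VERSION = "1.0.1g"


def parse_openssl_version(version: str) -> tuple:
    """Turn an OpenSSL version such as '1.0.1f' into a comparable tuple.

    The trailing letter is the patch level ('' -> 0, 'a' -> 1, 'f' -> 6),
    so '1.0.1' < '1.0.1f' < '1.0.1g' < '1.0.2' compare correctly.
    """
    head, suffix = version, ""
    if head and head[-1].isalpha():
        head, suffix = head[:-1], head[-1]
    numbers = tuple(int(part) for part in head.split("."))
    patch = (ord(suffix.lower()) - ord("a") + 1) if suffix else 0
    return numbers + (patch,)


def is_heartbleed_vulnerable(version: str) -> bool:
    """True for any 1.0.1 build older than the fixed release."""
    parsed = parse_openssl_version(version)
    return (1, 0, 1, 0) <= parsed < parse_openssl_version(FIXED_VERSION)


@dataclass
class Host:
    name: str
    openssl_version: str  # as reported by the asset inventory


def overdue_hosts(inventory, patch_available: date, today: date, sla_days: int):
    """Return (host name, days past deadline) for hosts still on a
    vulnerable build once the patch SLA has elapsed."""
    deadline = patch_available + timedelta(days=sla_days)
    overdue = []
    for host in inventory:
        if is_heartbleed_vulnerable(host.openssl_version) and today > deadline:
            overdue.append((host.name, (today - deadline).days))
    return overdue


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = [
    Host("web-01", "1.0.1e"),   # vulnerable, never patched
    Host("web-02", "1.0.1g"),   # patched to the fixed release
    Host("db-01", "1.0.0"),     # older branch, not affected by Heartbleed
    Host("vpn-01", "1.0.1f"),   # vulnerable, never patched
]

DISCLOSED = date(2014, 4, 7)                      # public disclosure date
PATCH_AVAILABLE = DISCLOSED + timedelta(days=3)   # the article's three-day figure
PATCH_SLA_DAYS = 14                               # assumed policy window
REPORT_DATE = date(2014, 6, 1)                    # constructed "today"


def heartbleed_sla_report():
    """Run the check over the sample inventory; returns [("web-01", 38), ("vpn-01", 38)]."""
    return overdue_hosts(SAMPLE_INVENTORY, PATCH_AVAILABLE, REPORT_DATE, PATCH_SLA_DAYS)


if __name__ == "__main__":
    for name, days in heartbleed_sla_report():
        print(f"{name}: still on a vulnerable OpenSSL build, {days} days past SLA")
```

The useful part for a governance program is not the version comparison itself but the deadline: a report that says "38 days past SLA" gives leadership something to hold an owner accountable for, which is the accountability Raether describes below.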
When building a data governance program, however, healthcare organizations face some unique challenges, Raether says. "In a normal business, you're trying to balance information technology with business requirements," he says. But in healthcare, there are additional complexities, including the workflow needs of physicians and nurses, and, especially, ensuring the safety of patients.
"Trying to find that balance of accountability and empowerment, especially in a healthcare environment, can be particularly tricky," he says. "Information security takes up a much higher calling in these institutions because keeping [patient] healthcare information ... private and secure is of great importance, especially given the negative consequences if a bad guy gets ahold of [patients'] medical file or insurance information," he says.
In the interview, Raether and Hoy also discuss:
- Common mistakes that healthcare entities make in their governance programs;
- Why having a CISO or other information security leader "integrated" into the senior leadership team is critical;
- How the Internet of Things, including wearable health technologies, affects governance programs.
Raether is partner at Faruki Ireland & Cox in Dayton, Ohio. His experience with technology-related issues spans an array of legal areas, including patent; antitrust; licensing and contracts; employment; trademark; domain name disputes; and federal and state privacy statutes.
Hoy is CEO of A. Hoy & Associates, which provides "virtual CISO" services as well as other information security consulting and training services, including helping to establish policies and procedures to comply with the NIST Cybersecurity Framework. Hoy is serving her second term as the elected vice president of the Information Systems Security Association.