Beyond Compliance: Forrester's 5 Key Principles
Khalid Kark, vice president at Forrester Research, recently wrote an in-depth report on healthcare information security in which he described five key principles.
In an interview, Kark discusses each principle, including:
Kark focuses on information security issues for clients of Forrester Research, a Cambridge, Mass.-based firm that offers consulting as well as research reports.
HOWARD ANDERSON: This is Howard Anderson, Managing Editor at Information Security Media Group. Today we are talking with Khalid Kark, vice president at Forrester Research, a Cambridge, Massachusetts-based research company. Mr. Kark recently produced an in-depth report on healthcare information security. Thanks so much for joining us today, Khalid. In your recent report, you talked about how healthcare should apply five proven principles for information security, so we are going to go over each of those one at a time here today. The first cardinal rule you listed is "take a risk-based approach and look beyond regulatory compliance." Please elaborate on that a little.
KHALID KARK: Over the years, a lot of organizations, when they got hit with new regulations...went after complying with those regulations. So...here are the specific check boxes that I need to check, in order to comply, and I'm going to just focus in on that. And what that led to was, people did one regulation another year later. And they went through that same exercise, and then another regulation came along, and so on and so forth. A lot of people recently have started to take a step back from all that, and say, "This is not really a good way of doing it over and over again, where you are repeating a lot of the stuff in terms of understanding and addressing security controls." So what you need to do is create a broader risk framework. And the risk framework shouldn't necessarily be based on all the regulations that you need to comply with, but should take into account some of the specific corporate requirements that you may have... So, the risk framework, in our view, needs to be spread across the organization, and yes, compliance to regulations should be a great side benefit of it. Compliance to regulations shouldn't really drive your security program...You have to think broader than that...You create a broader framework, you map multiple regulations to that framework, and then have the compliance to those regulations as a great side benefit of doing it effectively and from a risk perspective.
ANDERSON: The second rule you mentioned was "Follow the data through its entire life cycle." Tell us briefly what that means.
KARK: In the past, security has been traditionally focused on infrastructure security. So, you put in a firewall, you ensure that your network is secure, and you've got the IPS, the Intrusion Prevention System, the IDS, the Intrusion Detection System, and so on. And a lot of the focus is on, well, the pipe that carries my data needs to be secured. Now what is happening is you don't have a perimeter anymore in your environment. I mean, you've got people who access your environment from different parts of the globe. There are different business partners that you share information with, and there are other third parties and outsourcers that you share sensitive information with. Now if one of those avenues is able to disclose some of that information, that's basically it. So a lot of times you may not really have control over the infrastructure.
Let's say if you've got a third party that processes your billing information. Billing information may contain a lot of sensitive information. Now, what happens is you don't have control over the infrastructure of the billing company. All you can do is put a contractual requirement and say, "Yeah, you've got to secure that information." But, more importantly, we need to put the security on the data, not necessarily on the infrastructure.
Infrastructure security is necessary and useful. But, to me, it is much more important to ensure and figure out the data-level security, because that is where your crown jewels are. You may be able to protect the network and the perimeter, but there are a lot of avenues outside of those two domains where your sensitive information may be residing outside your organization, and you need to be able to control and protect that information. So, you need to set parameters and rules around what kind of information goes out from your organization, and how protected is it. I mean, you can have the best security that you can get, but then, when...information leaves your organization, you have no control over it...There is no absolute solution here. But, there are things that you can do to actually add elements of security to the data, and put the requirements on protecting the actual data, as opposed to just relying on infrastructure to protect it.
ANDERSON: The third rule you mentioned is "Equip yourself with the ability to monitor and respond to security incidents." What specific steps should healthcare organizations take?
KARK: Healthcare companies aren't really equipped to handle security breaches. But healthcare companies actually have a lot more at stake...because healthcare information, once it gets disclosed, cannot be replaced. You can always replace a credit card, you can always replace your bank accounts, and so on. I see a lot of healthcare organizations struggling with this, because they haven't really considered this to be an important area--to be able to respond to incidents appropriately...But a lot of the impact of a particular security incident can be reduced if you've got a robust incident management program in place.
So a lot of organizations have suffered because they had a breach and they had no clue what to do with it, and they spent twice or thrice or sometimes four times as much, in terms of responding to a breach because they didn't have anything pre-planned. Also, there may be PR disasters if you don't have the right people involved in coordinating a lot of these efforts. So, investing in incident management is essential, especially with some of the new healthcare requirements that are coming along, to be able to respond and react to security breaches.
I was reading a report somewhere where it said that the amount of healthcare breaches has doubled in the last year. So, I think that more and more people are realizing that that is important information that they could go after, and there aren't any significant defenses there yet. But, I think it is going to be hugely important for healthcare companies to be able to build that capability in-house. I know a lot of times they struggle with making their case, because you are basically creating a capability and you don't know when you are going to have a breach, but when you do, it saves you a lot of time, effort, money and hassle...to be able to have that capability in place.
ANDERSON: The fourth principal you mentioned is "focus on third parties and business associates." This is particularly important in light of the HITECH Act's breach notification provisions, isn't that correct?
KARK: Yes, absolutely...Third-party security is something that many, many companies, even in more mature industries, such as financial services, struggle with. In healthcare, this is one of the fundamental issues that you need to address in order to be anywhere close to where you want to be in terms of security.
I was talking to a health care provider that managed several hundred hospitals across the U.S. And the chief security officer there was saying that for each one of the hospitals, they've got about 200 third parties that they share some sensitive information with...In the past, a lot of (healthcare organizations assumed that because the third party) is a service provider of some sort they should have adequate security...You cannot rely on that anymore....You have to do your due diligence, and it becomes a very, very complicated issue for healthcare companies. There are tools and technologies out there that aggregate a lot of the data from your third parties and analyze it, and you can find out the critical areas that you need to focus in on. But it is a huge undertaking.
ANDERSON: Your final principle was "Be prepared to respond to the changing technology and threat landscape." What's the best way to stay well-prepared?
KARK: Obviously we have been responding to changes in technology for a long time, and technology doesn't stay still....But there is also a fundamental shift in user behavior that we need to be aware of. I was talking to a health care company recently, and what they were struggling with was a lot of people in their environment wanted to access social media web sites--Facebook and LinkedIn, and so on and so forth. And those could be really beneficial tools in certain contexts. But the CISO or the security people there were in general very hesitant to allow that, because obviously, that introduces a whole new level of risks, and we have seen, definitely, an increase in social media attacks.
And so, it becomes really hard to figure out what are you going to allow and what are you not going to allow. What is the risk appetite? What is a useful technology to have in certain contexts and what is not? I would recommend really thinking through it and creating a policy that enables the business, but also manages the risk simultaneously. A few years from now, we will be in a situation where we will be forced to deal with these things in our environment, but right now we are not. But, I think we still need to somehow give the business flexibility. A lot of times, the marketing departments, for example, need access to social media web sites to do their job. Others may need it for other kinds of collaboration or networking. So, we need to be really careful in allowing what the business needs, but also managing the risks around it.
And I think you could start off with a high-level policy and awareness around these things, and then gradually add the controls necessary and build the architectural security, the architectures necessary to be able to protect against those threats.
Another (change) that many of us tend not to think too much about is the...specificity of the attacks has increased tremendously. I was talking to a health care company that actually had to double their staff that was just looking at external threats. So, they had to increase their staff to four people, just monitoring and managing the external threat paradigm.
ANDERSON: Thank you very much. We've been talking today with Khalid Kark of Forrester Research. This is Howard Anderson of the Information Security Media Group.