Healthcare Security Strategies: Balancing Compliance and Risk
In an exclusive interview, Dean Ocampo of SafeNet Inc. discusses:
- Top data protection challenges for healthcare organizations;
- Strategies for tackling cloud computing and health information exchanges;
- How to get started now in improving data protection.
Ocampo has more than 13 years of networking and information security experience. Prior to joining SafeNet he held various product marketing, product management and consulting roles at high tech and Internet security companies including Imperva, Check Point Software, Digital Persona, ADC Telecommunications, and BearingPoint Consulting. Ocampo holds a BS in Mechanical Engineering and a BMus in Music Performance from Northwestern University. He is a certified CISSP, CCNA, CCSA, CCSE.
TOM FIELD: What's the latest in healthcare data protection? Hi, this is Tom Field, Editorial Director with Information Security Media Group, and I'm talking today with Dean Ocampo, Solutions Strategies Director with SafeNet, Inc. Dean, what do you see as being the top data protection challenges for healthcare organizations today, and I guess I'd specifically ask about regulatory compliance and the threat landscape.
DEAN OCAMPO: Just in general, there have been the challenges and the sobering reality that compliance doesn't necessarily mean security. So, I think organizations are trying to figure out, 'Even if I'm down the road of compliance, how come I'm still running across breaches?' Right? So, if you look at how folks are trying to translate what meaningful use is, and trying to get some funds for exchanging electronic patient information - it is taking a bit of the focus off of how they overall secure the data. So, those are a couple of challenges that I see. You know, I did a quick look this morning, just to see what some of the latest news is on the healthcare front, and I see, just this week, we're seeing Rite Aid has settled some fees for exposing some patient information via how they put some information in the trash, etc. I see another university hospital has lost some information for a flash drive. So organizations continue to run across security breaches, despite the fact that they believe that they are well on the way towards compliance. And I think you asked the question about threat landscape, as well?
A couple of things there, kind of along those trends, I think that one of the big things that I hear from customers is the whole insider threat. I think a lot of times when we wrote the regulations, we thought about privileged users and maybe the admins, but I think we might have neglected the malicious insider. And we're seeing in breaches in general that insiders are one of the biggest, biggest threats. But that may also be the result of, I think, this general economic landscape. We've been seeing more cases where people are being laid off, or the employees are becoming embittered, and they're taking off the IT staff, and they walk away either leaving bombs in the system, or taking information with them. So, insiders are a big one, top of mind, for customers. The big one that makes headlines, I just mentioned this earlier, we had one on a flash drive that was earlier this week. We're seeing a lot of portable loss that continues to make news, also exposing the fact that most organizations haven't figured out their portable drive and media strategy when it comes to information. And, kind of my big thing, and this applies across the board in an aggressive and regulatory field, is the fact that we focused a lot on security on our solutions. I think we've hit the maturation phase where organizations are starting to think more holistically, and I think these breaches that we are seeing are causing them to think more about it. But I can't think about those discrete elements. I really have to think about how my information flows through my system from a life cycle approach. And if I go and look for my life cycle approach, I can do a couple of things. One is I can start having better controls, to make sure that I avoid breaches, because I've thought about how information is passed on between different systems. 
But, it also means that I can get higher operational efficiency because I can realize and spot redundancies and other things, to where I can reduce costs from a life cycle perspective.
FIELD: You talked about portable media and laptops, and certainly, we see a lot of breaches. In your experience, with your customers, where do you see healthcare organizations struggling the most to protect critical data?
OCAMPO: Well, I think you're right; it's on the portable media side. I would have said a few years ago that it would be on the authentication side. But I think that most organizations have some strategy in place to figure out, you know, 'What are the ways that I can control how people act with this information?' What they're slow with is, 'Okay, now what do I do with information that moves from a portable perspective?' So, just to get into the bits and bytes, more on the cryptography side: Cryptography is a great solution for, I like to call it, the command and control layer for security inside healthcare organizations, because it can really put that wrapper of confidentiality around it, around data that can follow it through the organization. And that's what I talked about before, where you need to start thinking outside of silos of encryption and privacy. If we think more holistically about encrypting our data through a life cycle, we can start avoiding issues where information at some point in the life cycle ends up at a portable media drive. So, I think that organizations are trying to figure out how to extend their cryptography and encryption solutions to a larger part of the organization, specifically things like media drives. I think we've got a bit of a handle on how they are doing it from a laptop perspective. It becomes more of an issue of operationally, how far are they on the rollout? I am seeing a weaker deployment on the media side. That's where I think a lot of organizations need to do some work.
FIELD: So, Dean, certainly, you have a lot of opportunity to see healthcare organizations. How are some of your customers responding to these challenges that we have discussed?
OCAMPO: Well, again, as I said before, they are looking at more of a 'How do I leverage my infrastructure?' And that happens a couple of different ways. One is to look at the authentication side. So as I mentioned, companies have come up with some authentication strategy; what they are looking to do is mature the solutions, and how do I leverage that to other things? Now, if you look at multi-factor authentication, they fall into two camps. There are one-time passwords, which might be your token ID with a number on it, or there might be PKI-based solutions; there might be a USB stick. You know, a lot of organizations may have gone with authentication for VPN access because it's a quick one. But it doesn't leverage itself very well. So, I am seeing organizations on the authentication side mature their solutions to more PKI-based. And the reason why they're doing that is to leverage that investment so that they can take that authentication and not just get into things like VPNs or their applications, but then, to do other things, like digital signing certificates and doing some other value-added things with the same investment.
On the encryption side, I see a bit of maturation in how folks look holistically at encryption. So, we go from a couple of years ago, where you would have a conversation with one app group on how they approach cryptography, and you have another discussion with another group that approaches how to do data base encryption, you have another group that might try to figure out what the strategies were in file share. You've seen organizations trying to figure out, 'Okay, I've got all this going on. How do I manage it from a larger perspective, and making sure that I have consistency from a policy perspective? And then, also, how do I try to then leverage that investment so that I make sure that I have my policy being delivered across my different encryption points, but I don't have to do a lot of manual systems on top of that?'
I think the last thing I mentioned, kind of along the lines of authentication, is I'm seeing more use of digital signing as we move into our organizations being federated. Maybe with these health exchanges, or with other partners, there is a need to do more attestation from a digital perspective, and I'm seeing more digital signing happening in the world.
FIELD: Well, I'm glad you mentioned the health information exchanges. There are actually a couple of emerging technologies or disciplines that I wanted to get your insights on. One is health information exchanges, and the other is cloud computing. What do healthcare organizations need to be thinking about in these arenas?
OCAMPO: Actually I see the two as quite related. But, on the health information exchanges, first of all, it's an absolutely fantastic idea, that as a healthcare consumer, I'm glad to see the initiatives. As I mentioned before, my concern is: When I look at the conversations going on with healthcare exchanges, it's still really more in the early cycle, where people are figuring out 'How do I do these? What are the technologies that I use?' And especially right now, 'What is the definition of meaningful use? How do I get these federal dollars?'
Just to step back again, when I look at how the market is looking at these things, I see the level of security conversation is still lower than I'd like it to be. Health information exchanges are just trying to figure the bits and bytes of how they enable exchanging information between different elements and how they handle federation, which is really trying to get into the nuts and bolts of security. So, I still think we are early there in the market.
You asked a question about cloud security, and I think it's related because when you start looking at technologies, cloud computing is an absolutely fantastic way of exchanging information for these health exchange systems, because they are a great way to get two different unrelated systems, maybe geographic related. And so cloud computing is a big one in healthcare. Actually, in all markets in general. So, a couple of things that I see there is the overall question of 'How do I apply security to cloud computing?' I know cloud computing is also a very early market, and one of the issues is that the regulations that we have, the structure and framework of how we look at security, was really meant for an iron data center model. So, they are not necessarily applicable to the cloud computing world. So, you're seeing a lot of struggle there, of 'What security controls do I put in place?' A couple of other things include the whole issue of federations. If you're building a health information exchange, just about by definition, you're doing some type of federation between different trust elements, different hospitals, health organizations in a region. So, trying to handle federation, simply from an authentication perspective, 'How do I make sure that I authenticate users when I have different federated entities who are accessing at ...' Another difficult problem, I think, to solve is, without trying to spend too much time on it is, when you look at software service and cloud=based computing, by definition they are a multi-tenancy model. So, these healthcare exchanges are dumping patient information into, essentially, one big data pool, and that's necessary for a common use of scales and how the architectures work. But it also has real privacy concerns. So, creating a policy so that one person has one condition, say HIV-positive, and wants that to go to certain healthcare providers, but not others. 
It becomes a real question about, 'How do I make sure that's done properly when it goes into the cloud-based infrastructures? How do I make sure I have the right controls to make sure that is enforced as it moves inside and outside the cloud-based models, and how do I map my authentication authorization and attestation to that solution?' So, there are a lot of things still to work out from a cloud-based perspective, and I think it's a great, enabling technology, but there is still some homework to be done.
FIELD: Dean, let's talk about the SafeNet product suite. What do you have in the suite that is helping healthcare organizations get a handle on all of these challenges we have discussed?
OCAMPO: Well, I think first of all is our information life cycle approach to security. And the reason why I say that is it is our way of looking at the world, but it helps to really foster a conversation, rather than getting right into individual technologies. We can have more of a consultative approach with the customers. You know, we have a large portfolio. To be able to work with, 'Okay, let's talk about how your information passes through different parts of your system. How do you handle attestation? How do you handle authentication and authorization? How do you handle privacy'" And, then we can map a suite of solutions to address a larger issue of making sure that we have protection to follow through the life cycle. From a product perspective, that passes down into some product lines. We have products around identity. We can do things like multi-factor authentication, digital signatures, things that help out with transactions, and make sure that we do validation and verification through our hardware security modules, helping out with digital signing and key management, as well, making sure that the data within applications and databases can be encrypted in transactions. We then have solutions that can help you when data sits or moves in different parts of your system. This would be encryption for file shares, for file folders, for folder encryption, etc., even network attached storage. And then, finally, you know LAN-based encryption, when you're passing information between your data centers, or even out to different cloud providers. So, you know, for those folks who are looking to secure information for their organization, I think that we have a great suite of solutions to help them with the overall life cycle of protecting their data.
FIELD: Dean, just a final question for you. Based on your experience, where is the best place a healthcare organization can start now to improve their healthcare data protection?
OCAMPO: Well, there are usually two things I bring up in the conversation first. One is: Typically. most organizations have some type of authentication in place. Let's talk about leveraging your authentication into larger uses. Most organizations that have authentication probably have some type of PKI digital signing in place. So, look to move things like PKI-based authentication, to do your digital signing. That's a quick hit for a lot of customers. And I also think encryption is huge. Again, the penetration of encryption on the media side ... is still lower than we would like it to be. So, look at your overall solution set for encrypting data, and its life cycle at the desktop and file shares, and as it moves out to other parts of the organization. So, those are really a couple of quick hits that will solve some of the big news items that healthcare folks are finding.