Senior Advisor, Center for Digital Government
Sept 1, 2016
I’ve seen a lot of security trends through the years, but this one caught my eye as quite significant. According to IBM’s 2016 Cyber Security Intelligence Index, 2015 was “the year of the healthcare breach.” That was the year the healthcare vertical surpassed the financial services, manufacturing and government sectors in suffering the most damaging attacks. It’s certainly nothing to brag about. And in 2014, healthcare wasn’t even among the top six sectors suffering breaches of this magnitude.
Five of the eight largest healthcare breaches since the beginning of 2010 – those with over one million records compromised – took place in the first six months of 2015. This struck me as a clearly distressing trend for healthcare. The healthcare industry has been caught in something of a perfect storm. First, whether for insurance providers, hospital systems or doctors’ offices, the common challenge for healthcare companies large and small is to access PII (personally identifiable information) securely. That’s a simple enough goal, but there are numerous complexities beneath the surface that have affected the healthcare industry more than others. One is the government mandate for healthcare to rapidly adopt electronic health records (adoption jumped from 9.4% in 2008 to 96.9% in 2014), which left security teams unprepared for a broad new attack surface. The contributing factors continue from there: add the growing number of mergers and consolidations that are part of the healthcare landscape. These evolving enterprises must often bring together disparate business technologies that run the overall business. That’s a lot of sleepless nights for the IT and SOC teams as they try to get everything right. But the devil is always in the details – that is where the gaps in security arise. Hackers love those details.
Consider as well that a number of healthcare enterprises buy much of the software that runs the business from different software providers. But wait, there’s more. Many organizations have on-premises environments but are also moving to solutions in the cloud. In many cases, even when they run their own on-premises solutions, they use external organizations and software to help them reconcile their figures against industry averages. Yet every time an enterprise uses such a service, the software company providing it may or may not have strong security practices.
With all this complexity and vulnerability, what’s a CISO supposed to do? This much is certain: all these factors represent a broad range of challenges that organizations both large and small must contend with to assure security, and they bring the queasy realization that these organizations can no longer protect the perimeter with existing security strategies. That’s a lot of heartburn and more sleepless nights. But it’s not all bad news. To achieve reliable security assurance, it all begins with the basics: knowing who’s in your network.
So in the face of these fast-evolving technologies, and the staggering amount of digital exhaust originating from a host of sources, it’s time for CISOs to put on their thinking caps. They need a new way of closing the gap between what access is granted and how users actually use that access. Traditional Identity and Access Management (IAM) solutions that lack discovery of access use are just not flexible enough to do the job anymore. To close this gap, it is necessary to supplement IAM with a risk-based identity analytics (IdA) solution that employs advanced machine learning on big data and is often integrated with user and entity behavior analytics (UEBA). This kind of solution can manage, orchestrate and effectively monitor all identities with a risk-based approach across all systems of an enterprise’s hybrid environment. The net result is risk-based certifications, detection of access outliers, cleanup of excess access and of dormant and orphan accounts, plus newly defined roles derived by machine learning to replace legacy roles that are often over-privileged. Then you know what access is provided to which users, and what those users are doing with it. Only then can the basic goal of security assurance be achieved. But always keep that basic starting point in mind: you must know who’s in your network, and you can only do that if you have the right up-to-date tools for the job.
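As an added illustration of the basic checks an identity analytics solution automates (example code written for this page, not any vendor's product): it flags orphan accounts against an HR roster, dormant accounts by last login, and access outliers by comparing each account's entitlements with its department peers. The roster, accounts, dates and thresholds are all constructed and hypothetical.

```python
# Added example (not from the article): three basic identity-analytics checks
# over a constructed entitlement snapshot. Names, dates, thresholds are hypothetical.
from datetime import date

AS_OF = date(2016, 9, 1)                      # constructed "today" for the review
HR_ROSTER = {"alice", "bob", "carol", "dave", "erin"}   # authoritative active staff

# Constructed account snapshot: department, last interactive login, entitlements held.
ACCOUNTS = {
    "alice": {"dept": "billing", "last_login": date(2016, 8, 20),
              "entitlements": {"claims_read", "claims_write"}},
    "bob": {"dept": "billing", "last_login": date(2016, 8, 28),
            "entitlements": {"claims_read", "claims_write"}},
    "carol": {"dept": "billing", "last_login": date(2016, 8, 30),
              "entitlements": {"claims_read", "claims_write", "db_admin"}},
    "dave": {"dept": "billing", "last_login": date(2016, 3, 1),
             "entitlements": {"claims_read"}},
    "erin": {"dept": "clinical", "last_login": date(2016, 8, 29),
             "entitlements": {"ehr_read", "ehr_write"}},
    # service account left behind by a migration; nobody in HR owns it
    "svc_legacy": {"dept": "billing", "last_login": date(2015, 11, 2),
                   "entitlements": {"claims_read", "db_admin"}},
}

def orphan_accounts(accounts, roster):
    """Accounts with no matching person in the HR roster."""
    return sorted(a for a in accounts if a not in roster)

def dormant_accounts(accounts, as_of, max_idle_days=90):
    """Accounts whose last login is older than max_idle_days."""
    return sorted(a for a, rec in accounts.items()
                  if (as_of - rec["last_login"]).days > max_idle_days)

def access_outliers(accounts, roster, min_peer_share=0.5):
    """Entitlements held by fewer than min_peer_share of the holder's department
    peers. Only roster members define the peer norm, so an orphan account cannot
    make an unusual entitlement look normal."""
    outliers = {}
    for user, rec in accounts.items():
        peers = [p for p, r in accounts.items()
                 if p != user and p in roster and r["dept"] == rec["dept"]]
        if not peers:                          # no peer group: nothing to compare against
            continue
        for ent in rec["entitlements"]:
            share = sum(ent in accounts[p]["entitlements"] for p in peers) / len(peers)
            if share < min_peer_share:
                outliers.setdefault(user, []).append(ent)
    return {u: sorted(e) for u, e in outliers.items()}
```

Calling the three functions on this snapshot returns `svc_legacy` as an orphan, `dave` and `svc_legacy` as dormant, and `db_admin` as an outlier for both `carol` and `svc_legacy`, which is the review queue a risk-based certification would start from.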