Healthcare Needs Cyber Security Leadership & Governance - InformationWeek

Healthcare // Security & Privacy
Commentary
9/23/2014
09:06 AM
Mansur Hasib

Healthcare Needs Cyber Security Leadership & Governance

Cyber security breaches point to a bigger problem than inadequate security technology or processes. They point to failed leadership and governance strategies.


Recent news that a bot infected a test server for the Healthcare.gov website points to a failure of governance. Details of the Target, Community Health Systems, and Home Depot breaches also point to governance failures. On the surface each may appear to be a technical vulnerability. The underlying problem, however, is that too many healthcare and other organizations implement cyber security at the end of the development cycle, not at the beginning; they do not bake cyber security into all their business and development processes. They also tend to view the cost of cyber security as an unnecessary evil instead of a vital component of their business strategy. It is a failure of corporate leadership and governance -- not technology.

The telltale sign: This was a test server and was never supposed to be connected to the Internet -- apparently an adequate justification for many people. My question: Why does the test server not have the same security features as the production server that is connected to the Internet? The excuse I typically hear is that developers build these servers at will and, in the interest of expediency, do not install all appropriate security patches and features. A specialized team applies patches, fixes, and system hardening techniques much later. That is a failure of governance and leadership.

There are a few major problems with this patch-later approach:

  1. There is hardly enough time to do an adequate job of security testing the system, and this testing invariably conflicts with the production schedule, so senior (non-IT) executives make many compromises in the interest of launching on the advertised target date.
  2. Once IT applies fixes this late, they tend to break existing functionality, introduce new bugs, or produce unexpected results.
  3. There is a high degree of friction between the developer team and the security team, both of which tend to forget they are on the same team.
  4. Training environments become completely unrelated to reality.

Every server must adhere to a defined set of standards, and anyone configuring a server has to adhere to those standards, whether the server is for testing or production. This is standard operating procedure. It is imperative that healthcare organizations bake cyber security into the process at the beginning and not at the end. The advantages of this approach include:

  1. Cyber security becomes everyone’s responsibility, not just the "security team’s" job.
  2. The developer team and the security team establish a symbiotic relationship from the start.
  3. The organization establishes an ingrained culture of appropriate cyber security and risk management.
  4. Nobody needs to fear even "accidental" connections of test servers to the Internet.
  5. The risk of future functionality problems or the danger of introducing new bugs is reduced.
  6. Training can occur on systems that are more realistic.
  7. Target deadlines for production do not compete with system security.

This is not an issue that can be fixed technically -- and organizations or politicians should not look for answers there. What we need is an organization's senior level business leaders to accept that cyber security is a risk management business process. For that, they must understand cyber security leadership at a business level. Business leaders need to implement a governance framework that makes cyber security a culture within the organization.


Dr. Mansur Hasib is the only cybersecurity professional in the world with 12 years' experience as CIO; a Doctor of Science (DSc) in Cybersecurity; CISSP (cybersecurity), PMP (project management), and CPHIMS (healthcare) certifications; who has written two books on the ...

Comments

securityaffairs,
User Rank: Strategist
9/23/2014 | 6:04:54 PM
Re: Security is everyone's responsibility
Diana, I totally agree. The security community and the healthcare industry must work closely together to avoid serious repercussions for end users and for the entire sector.

Security must be perceived as an opportunity, a necessity and not an expense to cut.

Alison_Diana,
User Rank: Author
9/23/2014 | 5:10:01 PM
Re: Security is everyone's responsibility
And those statistics come at a time when 100% of physician practices and hospitals are not on EHRs, the main focus of their digitization efforts for the past few years. As more images get placed on integrated platforms, as providers move to secure text messaging and adopt more telehealth solutions, then the target will get even bigger.

securityaffairs,
User Rank: Strategist
9/23/2014 | 3:12:01 PM
Re: Security is everyone's responsibility
In 2013, the number of major data breaches of medical records, also called protected health information (PHI), was 804, affecting over 29.2 million patient records.

This is not a casualty. Health care systems are not designed with security in mind. The massive introduction of technology in the industry obliges medical staff, health care managers, vendors and developers to consider cyber security a must.

The consequence could be dramatic if security is not considered as a crucial ring of the supply chain for any medical service.

Stratustician,
User Rank: Ninja
9/23/2014 | 2:02:28 PM
Security is everyone's responsibility
Great point that there needs to be a symbiotic relationship between developers and the security team. Often this comes only from ensuring both parties are involved in all stages of the development and implementation lifecycle, not by simply applying security as an afterthought.