I recently painted a pretty bleak picture of healthcare security, describing the threat IT professionals face when they are responsible for data that is ripe for stealing and selling on the black market. I'm updating my LinkedIn profile to remove all data-related projects as we speak.
But the risk extends well beyond IT. From CIOs, CISOs, and IT VPs to researchers, the finance department, IT systems administrators, brokers, benefit administrators, physician credentialing experts, and HR background checkers -- any of these healthcare professionals could be at risk, too. We all have evolved in our jobs to have access to incredible amounts of valuable data to crunch and find process improvements. It's a tough economy, and data access is crucial to lean initiatives.
How to keep this data -- and the people who handle it -- safe? We need to look at things from a different perspective. Has our emphasis on anytime, anywhere access and distributed data analysis resulted in a physical security threat to our workforce? Are there business functions where the risks outweigh the benefits and we could roll back a bit?
[Does your business follow least-privilege practices? Read 2014: The Year of Privilege Vulnerabilities.]
National security industries have secrets to keep and, with a few notable exceptions, have done a pretty good job of making sure large-scale breaches of their data don't occur. These breaches mostly involve insiders, though -- a different discussion. These industries also don't provide remote access from the Internet to their secure networks. They require that data analysis and access activities occur onsite.
They classify and categorize data that can be shared on their public networks, and they do not allow certain classifications of data (i.e., secret or top secret) to be placed on that network. They maintain an air gap between the types of data that would cause some harm if breached and data that could cause great harm. They require two-person controls for many administrative functions, so that it takes collusion to compromise sensitive information.
Reading this might already be alarming some business leaders out there. Some clinicians might argue that better shielded data could hurt patients. But wait, hear me out. I'm not proposing a SIPRNet for healthcare. I'm suggesting that first we must assess whether the efficiency of anywhere, anytime access to data is worth the risk of harm to our organizations and even to us personally, should armed assailants target us. Curbing remote access to data that isn't needed remotely is a great first step.
Second, I'd like to call for new information delivery technologies capable of differentiating between internal and external access, and behaving accordingly so that large quantities of data can't be accessed from outside our protected networks.
It might mean CFOs have to wait until business hours to request a revenue summary from analysts. But let's still create tools that make a single x-ray at a time accessible to on-call radiologists, so they can diagnose from home a patient waiting in emergency.
Regardless of what future technology looks like, I challenge all of us to consider how much we really need anywhere, anytime data access. Before password mugging becomes a plague, let's agree it's important to invest some thought -- and maybe a formal business review -- of current remote data access policies that create opportunities for criminals.
Apply now for the 2015 InformationWeek Elite 100, which recognizes the most innovative users of technology to advance a company's business goals. Winners will be recognized at the InformationWeek Conference, April 27-28, 2015, at the Mandalay Bay in Las Vegas. Application period ends Jan. 16, 2015.