
CYBER SECURITY

Why, you ask? “Because that’s where the money is,” as succinctly stated by famed bank robber Willie Sutton. That money attracts sophisticated attackers, who have been hacking away at banks for over two decades. As a result, banks (mostly) have their security act together.

A typical follow-up question, though, gets me on my soapbox fast — and that question is, “As a security guy, what industries scare you the most?” I get that question more frequently than you might imagine and my answer is many times the healthcare industry. Here’s why:

In healthcare, the stakes are high — the well-being of my family — which is critically important to me. If a credit card company loses my data, I get a new card with free credit monitoring. If a healthcare provider loses my electronic patient information, I can’t get new information. That’s my stuff!

The reason the security of our healthcare industry scares me is not just the impact, but how consistently ill-prepared the industry is to defend against sophisticated attacks. I say this as a 20-year security consultant who has worked in four different companies and delivered hundreds of security assessments, penetration tests, and other projects.

In muted tones, many security veterans believe that sooner or later Eastern European organized-crime hacker consortia or nation states will direct their attention to healthcare targets. But what scares me the most are four significant mismatches between the sophisticated attackers and defenders in the healthcare industry:

No. 1 Closed systems

In healthcare, there are efforts to push patient information into Health Information Exchanges. These meta-databases in the cloud provide better and more responsive healthcare. Patients who need care away from home will have access to their private health information remotely. Regrettably, availability is trumping security on many rollouts and these sites are not built to the same security standards as those in the financial industry. Healthcare.gov is more the standard and not the exception.

No. 2 A false sense of security

Healthcare views many cybersecurity threats in the abstract. There are no Targets or Home Depots in the industry, and arguably (at least as far as we know), sophisticated attackers are not attacking them as frequently as banks. They’ve not had the number of near-death experiences as other industries, and because of the abstract nature of cybersecurity threats, leadership does not worry about attacks, and security budgets suffer. No daily threat of stolen money equals a false sense of security.

No. 3 Unfamiliar adversaries

Governmental organizations are used to getting attacked by nation states. Financial services companies are battling organized crime hacking syndicates who are both savvy and sophisticated. In the healthcare sector, the likely adversaries will be nation states as part of a larger international crisis, or Eastern European hackers, when they find out how to monetize either target. This lack of day-to-day understanding of the threats lessens the sense of urgency in certain healthcare organizations.

No. 4 Too much vendor trust

The healthcare industry has a highly trusted relationship with large systems and product vendors. But because they have worked so closely for a long time, they rarely question whether these partners conducted adequate security testing of their products or networks beyond simple vendor checklists (compared to other industries). In financial services companies, by comparison, security leaders ALWAYS question vendor claims. In contrast, certain medical products provide vendor lock-in and a client mismatch of power. Witness the many medical devices that ran on Windows XP well after that operating system was declared “end of life” by Microsoft. This mismatch means that many healthcare organizations had little option but to accept that certain medical systems ran on outdated software well after they should have.

The healthcare industry shares many of the same security issues as other industries in our country. But it also has a unique role in society to protect our most sensitive healthcare information. Given the stakes, let’s hope that some of the factors outlined above change soon.

John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. in San Antonio. He has nearly 20 years hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. He is currently the Chairman of the San Antonio Chamber of Commerce Cyber Security Committee where economic development, workforce and advocacy issues involving San Antonio’s growing cyber security industry are coordinated.

visit us at www.bcms.org