This post responds to a Healthcare IT News article titled “As data Vulnerabilities Escalate, Healthcare organizations need to supercharge security efforts”, which addresses the vulnerability of data in many of today’s hospitals and how they have come under increased focus from malicious actors seeking to do harm. The bad guys know that “…It literally becomes a life or death situation”, so ransomware proliferates and (some) people are shocked when it happens.

The article goes on to talk about forms of back-ups (as you’ve seen me mention previously), knowing where the data is (that sounds familiar) and taking a holistic approach (seeing the forest for the trees). In the end, though, if hospital administrators find it easier and cheaper to stock up on Bitcoin to pay the inevitable attack ransom than to take the much more difficult and resource-consuming, but longer-lasting, approach, then little will change. That approach would generally look something like this: work with data owners to identify your organizational and customer critical data, meta tag it, prioritize it, organize it into as few secured applications/systems/networks as necessary, then put access and use controls around it that are as strong as possible while still allowing effective business operations using the technologies people have come to expect in this day and age.

An important consideration when carrying out such a program is that the security controls and practices must not only align with regulatory guidance but also support effective business operations. A secure company that goes out of business due to cumbersome customer interactions isn’t what Information Security is all about.

It’s a vendor-sponsored article to be sure, but that doesn’t diminish the message that security leaders need to be proactive in their approach and be prepared. Support good business and happy customers at the same time and you’ve got something that other professionals should emulate.
