October being the 15th National Cybersecurity Month, we at HIMSS Media marked the occasion by focusing on infosec every day.
Along the way, we encountered some new ideas, contrarian perspectives and not-widely-discussed tactics for improving your security posture.
Here are five of those.
1. Identity theft can be “synthetic” – and that includes the medical variety. When breaches happen like the ones at Facebook and Uber, among others, cybercriminals can take that data, or hold on to it, and piece together forged identities to commit all manner of fraud, medical identity theft among them. There are steps health organizations can take to fight back, beginning with inventorying data to find protected health information and understand where it lives, then prioritizing different data, applying safeguards and reviewing them continually. Read the full article here.
2. CIOs and CISOs, as well as IT and infosec shops, can implement – and benefit from – a cybersecurity dashboard. But what does one look like? Security dashboards should include a number of metrics on your current threat level and a record of events and incidents that have already happened (such as scans, probes, unauthorized access and authentication errors). Dashboards should help security decision-makers pinpoint brute force attacks, malware and phishing campaigns in progress, policy violations, and non-compliant medical devices or apps attached to the network. Read the full article here.
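As an added illustration of the dashboard metrics described above (example code written for this roundup, not from the article or from any vendor's product), the following turns a handful of log events into the counts a dashboard would display and flags brute force sources; the sample events, event-type names and thresholds are constructed assumptions:

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): (timestamp, event type, source, detail)
SAMPLE_EVENTS = [
    ("2018-10-01T08:00:01", "auth_failure", "10.0.0.5", "user=jdoe"),
    ("2018-10-01T08:00:03", "auth_failure", "10.0.0.5", "user=jdoe"),
    ("2018-10-01T08:00:04", "auth_failure", "10.0.0.5", "user=admin"),
    ("2018-10-01T08:00:06", "auth_failure", "10.0.0.5", "user=root"),
    ("2018-10-01T08:00:09", "auth_failure", "10.0.0.5", "user=nurse1"),
    ("2018-10-01T08:15:00", "auth_failure", "10.0.0.7", "user=mlee"),
    ("2018-10-01T08:20:00", "port_scan", "203.0.113.9", "ports=22,80,443"),
    ("2018-10-01T09:00:00", "unauthorized_access", "10.0.0.12", "path=/ehr/export"),
    ("2018-10-01T09:30:00", "device_check", "10.0.0.40", "device=infusion-pump status=noncompliant"),
    ("2018-10-01T09:31:00", "device_check", "10.0.0.41", "device=workstation status=compliant"),
]

BRUTE_FORCE_THRESHOLD = 5                  # assumed: this many failed logins from one source...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)  # ...inside this window counts as brute force

def brute_force_sources(events, threshold=BRUTE_FORCE_THRESHOLD, window=BRUTE_FORCE_WINDOW):
    """Return the set of sources with >= threshold auth failures inside any sliding window."""
    failures = defaultdict(list)
    for ts, kind, src, _ in events:
        if kind == "auth_failure":
            failures[src].append(datetime.fromisoformat(ts))
    flagged = set()
    for src, times in failures.items():
        times.sort()
        # Slide a window of `threshold` consecutive failures; flag if they fit in `window`
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(src)
                break
    return flagged

def dashboard_metrics(events):
    """Summarise events into the categories the article says a dashboard should show."""
    counts = Counter(kind for _, kind, _, _ in events)
    noncompliant = sorted(src for _, kind, src, detail in events
                          if kind == "device_check" and "status=noncompliant" in detail)
    return {
        "auth_failures": counts["auth_failure"],
        "scans_and_probes": counts["port_scan"],
        "unauthorized_access": counts["unauthorized_access"],
        "brute_force_sources": sorted(brute_force_sources(events)),
        "noncompliant_devices": noncompliant,
    }

if __name__ == "__main__":
    for name, value in dashboard_metrics(SAMPLE_EVENTS).items():
        print(f"{name}: {value}")
```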
3. Consumerism is forcing hospitals to tear down those network perimeters they worked so hard to build. No, that’s not as crazy as it sounds. “We’re taking down the perimeter,” Intermountain CISO Karl West said at the HIMSS Healthcare Security Forum this month. “The future environment we’re striving for is consumer-centric.” Intermountain is not alone, either. Sentara Healthcare, for instance, is putting mobile apps and its patient portal on a public cloud to become more customer-centric, too. Read the full article here.
4. Not all white hat hackers are the same. That goes for companies that run penetration testing in particular. As Sentara CISO Dan Bowden said: “If I get a clean pen test I fire the vendor and say, ‘Don’t come back.’” That’s because that ethical hacker is not trying hard enough to uncover vulnerabilities. Here is a rundown of what to look for in a pen tester, including advice about what makes the good ones succeed, budgetary and contractual considerations, and a checklist for picking a pen tester. Read the full article here.
5. Humans might not be the weakest link, after all, but security still has to be designed with them in mind. The idea that people will always be susceptible to phishing, whaling and other attacks is, of course, a long-held belief and one that is hard to refute. But at the same Healthcare Security Forum, former White House CIO Theresa Payton said that the notion is true of technology as well. She pointed to the fact that the infosec industry has been chanting the mantra that “people are the weakest link” for 15 years as evidence that the strategy just doesn’t work. Yes, human error will persist in the form of recycled passwords and clicking on malicious links, but technology will continue to fail as well. “Humans are not the weakest link,” said Payton. “Technology is open to be hacked and data can never be 100 percent secure. We have to design for the human.” Read the full article.