Information Security is More than Information Technology
By Nick Coussoule, SVP & CIO, BlueCross BlueShield of Tennessee
Training. Education. Role play. More training. These are the key ingredients of a secure organization, because at its core, information security is about people. Generally they are the weakest link in the security chain, yet they are also the first line of defense and the greatest asset to protect private information.
A significant number of breaches, including very public ones, began with an individual doing something they should not, such as opening a malicious attachment or clicking on a phishing email.
As a result, we recognize that security and risk management is not confined to the IT department. It takes an enterprise-wide effort of vigilance and awareness to ensure that data remains secure.
The healthcare industry, as well as others, has been the recent target of cyber-attacks that has resulted in millions of people having their personal information stolen. We conduct business in a dangerous time, when the number of bad actors is at an all-time high, and their methods of treachery are more sophisticated than ever.
"It boils down to having technical safeguards in place, while shoring up holes in the defenses with constant education, training and testing"
From personal medical data, social security numbers and financial data, BlueCross BlueShield of Tennessee is entrusted with an immense amount of private information. The BlueCross mission is to provide our members with peace of mind through better health, yet we also want them to have peace of mind that their private information is protected.
Not only is that our moral obligation, but HIPAA regulations and federal law require it. But it takes much more than just being compliant. The threat landscape is always changing, and it requires the ability to react quickly to security threats while constantly improving existing security measures. Maintaining confidence of the members who trust us with their personal information and protecting the data that we use daily to conduct business requires flexibility and fluidity.
There is never a time when we feel we are secure, that our safeguards are adequate and our information is protected. Information security, risk management practices mean continuous anticipation of potential threats, while remaining agile enough to identify and respond to new threats as they arise.
Historically, security was thought of as a technology organization with a focus on technology solutions and named as IT Security. Protection mechanisms were layered throughout technology and known as Defense in Depth. Companies built defined perimeters in order to protect their internal systems from external threats–a so-called military style DMZ was put in place and controlled all internal and external communications and transfers of data.
Today, those perimeters are disappearing. Companies are sourcing to external business partners, and they are working to create a balance between business needs and security. Focus remains on being compliant and meeting legal requirements, but security is not something that can be “achieved” through compliance only means. The threat landscape and risks are always changing; thereby, requiring a continuous improvement and response to protecting information. Recognizing this, healthcare companies are utilizing risk management-driven security programs to meet the changing landscape of technology and evolving threats, all while meeting the demands of business.
The Good Practices of Risk-Driven Security
They embed security practices within the operational process. They monitor and measure results. They hire, develop, and train a capable security staff and begin to run security teams as its own business within the enterprise.
Companies established security programs with administrative, physical and technical safeguards. They adopted an industry standard security framework and best practices for information security risk programs.
Identifying the major information risks facing the organization is a top priority and constantly monitoring for threats and changes to the regulatory landscape are now the new world order.
These best practices include assessing risks, measuring, recording, and prioritizing based on the risk assessment findings. It is imperative to establish a training regimen and implement it to communicate threats and responses throughout the enterprise.
As guardian of information, Information Security departments must take ownership of their risk decisions and communicate security decisions and responses throughout the organization.
Training for the entire organization on how to recognize and respond to threats is now a vital part of daily operations. It is no longer adequate to conduct training with employees and expect them to be aware and responsive to security threats. Training should be an ongoing process to keep employees engaged and aware of new threats to security.
We are continuously testing our system and continuously adapting to changing security threats, first educating our workforce to recognize threats and take the appropriate response, then testing to reinforce their training and to keep them alert and on-guard.
It boils down to having technical safeguards in place, while shoring up holes in the defenses with constant education, training and testing. There is no system that is 100 percent foolproof, but the closest thing is a workforce on constant watch.