Tuesday, March 24, 2015

Healthcare GRC and Social Engineering

There is some debate over whether or not the CHS, Anthem and Premera data breaches were the result of "sophisticated" attacks. The jury is still out, but cautious journalists are using quotation marks to indicate that this explanation is not universally accepted. Regardless of the sophistication of these attacks, attacks they certainly are, and healthcare organizations should be prepared for the onslaught to continue, because healthcare data breaches are so lucrative. They have to assume they are being targeted by criminal hackers for fun and profit.

Maybe former Intel CEO Andrew S. Grove's book title got it right: only the paranoid survive. Perhaps healthcare organizations could learn from their corporate antitheses, the tobacco companies, who have many enemies, but are protected by a culture of hardened security.

There is certainly room for technological solutions to help manage risk, but we must recognize that the most frequent cause of data breaches is human behavior. (According to a Verizon data breach report, about 76% of network intrusions exploited weak or stolen credentials -- bad or compromised passwords.) The biggest risk to the security of your data is your people. No amount of monitoring using sophisticated technology can protect your data from bad decisions by people on your network.

Let's not forget the subtitle of Grove's book: How to Exploit the Crisis Points that Challenge Every Company and Career. The threat to data is also an opportunity to establish a culture of data governance. In such a culture, the value of data is recognized, and human behavior is shaped by this recognition.

Human behavior is a critical factor, because social engineering is how malware, and the vulnerabilities attackers introduce through it, find their way into your network. It is essential that your systems have malware protection, but it is equally important that your people know what not to click.

A strong governance, risk management and compliance (GRC) culture fights social engineering with social engineering.

If healthcare organizations can learn to fend off the cyber attackers, they will be in a better position to fend off the lawyers bearing class action lawsuits.
