Security in a Post-9/11 WorldDisaster Recovery Planning Still Lacking, Security Expert Laments
Organizations need to improve incident detection, or "the ability to actually detect when they are being attacked or when something is going on that shouldn't be going on within their environment," says McMillan in an interview with HealthcareInfoSecurity's Howard Anderson (transcript below).
Over the past 10 years, it's become evident that information held within organizations in many industries has more value to criminals, McMillan says. "Social Security numbers or medical identification numbers or credit card numbers ... all these things have street value," he notes.
In the interview, McMillan also:
- Notes that the 9/11 attacks called attention to the need for backup data centers as well as improved security training for all staff members.
- Contends that "the biggest area of weakness" is a continuing focus on disaster recovery as it relates to core systems "and not to the network as a whole."
- Advocates the creation of a "legitimate information security standard" in healthcare, either through a federal mandate or an industry-led voluntary effort. "We still have 50 percent of hospitals who are lacking a full-time security person," he notes. "We still have a lot of hospitals that are not conducting regular risk assessments." That won't change, he argues, "until we have a credible standard with specific requirements that a network has to meet."
McMillan is co-founder and CEO of CynergisTek Inc. an Austin, Texas-based firm specializing in information security and regulatory compliance in healthcare, financial services and other industries. He has more than 30 years of security and risk management experience, including 20 years at the Department of Defense, most recently at the Defense Threat Reduction Agency.
Security CatalystHOWARD ANDERSON: Looking back, do you think the 9/11 attacks were a catalyst for ramping up information security in all business sectors?
MAC MCMILLAN: I think they were a catalyst for ramping up security in a lot of different areas, and probably one of the main areas that they helped ramp up was in the area of disaster recovery and business continuity. Clearly, a lot of organizations found themselves cut off from their systems and their data [because of] the events that occurred. ... It basically brought home the need to make sure that we had a good disaster recovery plan and business continuity plan and that we had back-up data centers that weren't located near the primary facility but they were far enough away that they actually provided and afforded the right level of protection and assurance that we would be able to reconstitute those capabilities. I think it also brought home the real need for better diligence in training our workforce and our staff with respect to being more aware of what was going on around them. ...
... We learned from not only the 9/11 attacks but other events that happened ... that we ... rely on so many systems ... that any interruption is going to affect the business or is going to affect our ability to carry out the mission. It really does require a different level of due diligence than we had given it before.
Lessons LearnedANDERSON: What are the greatest information security lessons we've learned in the past 10 years in all sectors, and especially in healthcare?
MCMILLAN: I think one of the things we've learned is just how vulnerable our systems can be. I think we've also learned just how important it is to really pay attention to the folks that have access to our systems. In healthcare, in particular, our biggest concern and our biggest threat is still the authorized user inside who takes advantage of their privileges or inappropriately uses their access to look at things that they're not supposed to or do things that they shouldn't.
I think we've also learned that our data really has value, unfortunately, to folks that would like to use it for ill-got gain. It doesn't really matter what industry you're in today. If you are collecting things like Social Security numbers or medical identification numbers or credit card numbers, etc., all these things have street value. And if people can get hold of them they will, and it can actually hurt individuals when they do.
Areas for ImprovementANDERSON: In what security areas do we still have a lot of work left to do?
MCMILLAN: I think probably there are two really big areas. The first one is what I call incident detection, the ability of organizations to actually detect when they are being attacked or when something is going on that shouldn't be going on within their environment. There are a couple of pieces that play into that. One is the level of sophistication of the network itself with respect to security technologies ... being able to detect when a rogue device is trying to connect to your network, being able to detect when somebody is doing something that they shouldn't with respect to their privileges, etc.
Then the other one is harnessing the information or the intelligence that the network and the applications are capable of producing for us to really know what is going on in real-time in our environment and be able to be proactive in avoiding some of the incidents that unfortunately happen to organizations.
Business Continuity & Disaster RecoveryANDERSON: When it comes to disaster recovery planning and business continuity, what have been the biggest improvements in the past decade, and what are the biggest remaining weaknesses?
MCMILLAN: The biggest area of weakness that I see is, in most organizations, we are still focused on disaster recovery as it relates to our core systems and not to our network as a whole. There are a lot of auxiliary systems and ancillary systems that actually feed those core systems that are, in some cases, just as important or even, in many cases, can be single points of failure if something happens to them. They don't get the same level of attention as our core clinical system does. And that's not to say that those core systems should not get that level of attention, because they should. It's just that we need to go beyond those core systems now and really address the entire environment to the best of our ability in terms of being able to reconstitute or the capability to deliver the mission.
Security Standard NeededANDERSON: Finally, what is the single most important information security change you'd like to see implemented in the years ahead?
MCMILLAN: What I would like to see is a real legitimate information security standard adopted for the [healthcare] industry, one that [would enable] qualified individuals to ... build programs and manage them effectively and have the tools and the framework to work within. We are still not there. We still have 50 percent of our hospitals that are lacking a full-time security person. We still have a lot of hospitals that are not conducting regular risk assessments and don't have this detection capability that I spoke of earlier, or don't have anywhere near a proactive capability to monitor what goes on in their environment. Those are the kinds of things that I don't think are going to happen until we have a credible standard that actually provides that level of specificity with respect to requirements that our networks have to meet.
ANDERSON: So you are talking about a federal mandate of a certain level of security that all healthcare organizations would have to provide?
MCMILLAN: It doesn't have to be a federal mandate. It could actually even be an industry-initiated change, just like, if you look at the credit card industry, the Payment Card Industry standard and the Payment Card Industry Council are something that that industry proactively developed to respond to the issues they were having around credit card fraud and credit card abuse. They didn't wait for the federal government to weigh in and say, "You need to have a standard out there that adequately protects these systems." It could be even something that the industry through the ONC [Office of the National Coordinator for Health IT] or HIMSS [Healthcare Information and Management Systems Society] or some other organization picks up the banner and says, "You know what? We need to do this. This is important. These systems are important; our hospitals run on these systems. We have a tremendous amount of patient information that is critical not only to the care of individuals but to their privacy and personal well-being."
We really need to step up and have a better framework and a better standard that we build systems and manage systems by.