As usual, one article triggered a series of thoughts connecting various news pieces that have been building up in my head over the past week. Let's start with the most recent first. Reading this article on what security concerns the leadership in healthcare the most got me thinking. Particularly this quote from the article: “The goal in healthcare generally is treating those patients, not privacy and security. You don’t see the same focus on security in healthcare that you do in the financial sector.” Yeah, that sounds about right. Makes sense from what I've seen and experienced. I'm sure we've all seen the signs in hospitals and other health care places that say 'No Smoking, Oxygen In Use' or some such thing. These rules make sense to all of us. We all get it. Problem is, there is no such rule about not hacking hospitals. 'Our pricing model doesn't let us afford ample security staff, so please don't hack us' just doesn't carry the same weight as 'don't smoke or you'll blow us all up.' Patients' health is their primary focus, thankfully, and the data is just a way to describe the current condition and progress so that you can achieve a good health outcome for your client. Essentially, it is a model that hasn't evolved in light of the data revolution of the computer age. This brings me to my next thought...government security clearances.
Old thinking meets new technology
I heard an NPR story where whoever they were quoting said that the government security clearance process hadn't evolved since the '50s. The process dictates that an investigator go out to the applicant's neighborhood and question his or her neighbors to see if anyone who might look like a 'commie' had been going in or out of the applicant's house. I happen to agree with the final point, that being that this process really needs to be updated, and, sadly, I can't even remember my neighbors' names. It certainly isn't Ward and June Cleaver.
So how many other industries are out there laboring under outmoded thinking, thinking that doesn't take into account the connected nature of our information society and the raw monetary value of nearly every bit and byte of information? When I was sub-contracting for the Navy, we had an admiral tour our facility and tell us how important it was that we were doing the security jobs that we were doing. To highlight his point, he told us of his own personal realization of how things had changed when he asked the helmsman on an aircraft carrier how the wheel was connected to the rudder. The sailor described the general networking nature of the system and the admiral immediately realized that the helm was in some far-removed way connected to the internet. He became a believer in that instant.
Health care and many other industries comply with security rules because they are forced to do so. It is not part of their business model to protect data. The data is simply too far removed from the direct money line. You could argue that if my identity gets stolen and I have to declare bankruptcy and can't pay my hospital bill, that money is certainly involved. Of course, you'll never win using that argument in a budget battle over whether to buy that new radiology gizmo or a two-factor authentication system for the one or two nutters in IT that whine about security.
Security doesn't make money...except in banking
One of the few industries that really gets what data security is about is the financial sector, because of the specific linkage of data directly equating to money. That information in their database that says I have $50 in my checking account...yeah, that IS money. Not much in my case, but money nonetheless. If tomorrow, by some mysterious happenstance, it were to say that I have $5000 in my account, they would believe it if there were no other checks or balances to say otherwise. Data is money.
There are plenty of industries that labor under the least-compliance model. This basically dictates that I will do the minimum necessary to comply with the rules. Doing either more than the minimum or less than the minimum is seen as equally bad. Now, for those that are unfamiliar with this thinking and work somewhere that does what is right, let me explain this to you, because it is an easy thing to miss. In a least-compliance place, people that are too far out in front of the pack are perceived as just as likely to draw regulatory scrutiny as those that are below the minimums. As a result, everyone in the industry tries to do what the other guys are doing, regardless of whether or not it makes good security sense. To their way of thinking, doing something different and too far away from everyone else means that the regulator will surely give you the once-over and you could be declared wrong in your strategy. The alternative, that you could be declared right and exceeding expectations, is so far outside of their thinking that it is immediately dismissed as a remote possibility not worthy of consideration. Data is money here too, just not in a form that is easily recognizable by the business.
Security standards never go down, only up
The problem with minimum compliance is that when the bad guys up their game, and they always do, you are left outside of the safe zone and have to do something to catch up. While you are left outside of the safe zone, the bad guys can have at you with impunity while you try to figure out what to do next. Any soldier can tell you that trying to make a completely new plan under direct fire is no treat. It's always better to have a contingency plan beforehand and use it when needed, and better still if you are safely back at base and can put the new plan into effect on tomorrow's patrol.
We are so focused on the next, best, new thing that we never stop to think about the wisdom and responsibility of having and using that new thing. Mobile tablets in health care...what a great way to put a wealth of information at the fingertips of our healthcare professionals. Mobile devices are cropping up everywhere, and very few business models have the basic understanding necessary to protect the information that their new-found toys are enabling. Standing on the shoulders of giants.... Bah, it's an old concept and it makes me feel old for voicing it.
I guess my point is that as a security professional, you really need to be on your toes when you operate in any business that just doesn't see the direct link between data and money. Being forced to comply with regulations without having a supporting business model that truly values the reasons for compliance isn't a recipe for success in security. Waste not, want not...the bad guys certainly don't. The very mobility and power of tablets makes them even more valuable to the bad guys. Hey, that private information may only be worth a few pennies in the dark corners of the internet, but over a few hundred million times it adds up. I think there may be a movie plot in there...nah, I'm sure it's been done before.