BreachExchange mailing list archives

What scares security officers the most


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 18 Jun 2014 19:17:51 -0600

http://www.healthcareitnews.com/news/what-scares-health-security-officers-the-most

It's not just the thought of having a data security breach that scares
Kaiser Permanente's Jim Doggett. It's the far-reaching damage such an event
could wreak that really keeps him up at night.

Doggett, the chief security officer and chief technology risk officer at
the 38-hospital Kaiser Permanente, who kicked off the HIMSS
Media/Healthcare IT News Privacy and Security Forum in San Diego this week,
said that these days, if an organization reports a data breach, they're
going to see serious repercussions.

"What scares me more is the impact of these," he said.

"If you go back three or four years, if one of these companies had had a
similar breach, what would have happened? Would you have seen their CEO
resign? Would you have seen them testifying before Congress? Would you have
seen their stock price plummet?" asked Doggett, referring to the massive
Target breach affecting 40 million consumers that resulted in a 46 percent
plunge in fourth quarter profits.

Sure, an organization might have received bad press for a period of time
and had to have forked over credit monitoring to affected consumers. But
Doggett argued that the effects would not have been as severe as they are
now.

Michael Allred, information security consultant and identity and access
team manager at Intermountain, who also spoke at the forum Monday, agreed.

Allred recalled a conversation he had with his chief information officer,
who very seriously told him: "If we have a data security breach, someone's
going to lose their job." That's just the nature of the game nowadays.

This reality, Doggett said, can be partially attributed to the changing
nature of the chief security officer's role. He recounted his earlier years
in financial-sector IT. Back then, the role of security officer was akin to
that of a "security cop." Now, in a world dominated by a consumer-driven
model, bottom lines and fiscal growth goals, it's about being a "business
enablement person," he said.

In other words, folks in health IT security need to be concerned about the
business side of things and the needs of that business.

Thus, if a patient -- the consumer -- neither trusts your organization nor
is satisfied with how their data is being handled, they'll go elsewhere.
That’s not good for bottom lines.

Subsequently, the rapidly growing market of cybercrime means big-time bad
news for this business piece of the puzzle.

"Cybercriminal is an industry," Doggett said. "It's well funded; it's well
organized. They're patient, and they make money."

The other thing about healthcare security, he noted, is that it's built
around compliance. HIPAA has requirements; meaningful use has security
mandates; even the FDA and FTC have policies now applicable to healthcare
organizations.

Sure, an organization may be HIPAA and HITECH compliant, but what about the
security piece?

"I think we can be completely HIPAA compliant and not even be close to
being secure," said Doggett. "Compliance does not equal security … at best,
compliance, rules and regulations that are done are probably 10 years old,
so they're really solving yesterday's problems."

So, how to address this? There’s no straight and simple answer, said
Doggett, who himself is still grappling with these issues.

Adaptation is king. Whether or not security folks like it, the job is no
longer just about being a technician. "We still have to be the best
technicians on earth," he said, but "we need them to be business executives
who understand the business we focus on."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/