Data security, or cyber security, has been on everyone’s mind for some time now. The breaches just keep coming even as organizations step up their efforts to keep data protected. In healthcare especially, personal health records must be kept protected and out of the “bad guys’” hands.
You may think you have taken the steps needed to protect your company’s data. Let’s ask some questions and let your answers guide you to your own conclusion. How does your data security currently stack up?
1) Do you think your annual SAS 70/SOC1 is the best tool to audit data protection compliance? No, that standard is too low.
SOC stands for Service Organization Controls (the AICPA attestation framework that replaced the earlier SAS 70; it has since been renamed System and Organization Controls), and a SOC1 attests primarily to controls over workflows that affect financial reporting. While some data protection controls are touched on in a SOC1, they are woefully insufficient to assure your board, your management or your clients that your data protection practice has been objectively reviewed. The International Organization for Standardization (ISO) 27001 certification is the gold standard for international-caliber data protection: it requires a managed information security program with risk assessment, a defined set of controls and independent certification audits. SOC2 and SOC3 attestations, which cover the Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy), are a step in the right direction, but ISO 27001 is more mature and more widely accepted internationally.
Does your firm certify to the ISO 27001:2013 standard? Do your vendors?
2) Do you think antivirus software is the best protection against malware? No, that standard is too low.
Today’s malicious software differs radically from the viruses of just a few years ago. Traditional antivirus software is signature-based: it can only block what it has previously seen, and new malware is specifically built to mutate (polymorphic and packed variants, a fresh build per victim) so that no stored signature matches it. Application whitelisting software inverts the model: instead of blocking known-bad programs, it allows only explicitly approved ones to run and denies everything else by default, so a never-before-seen binary is stopped no matter how it is disguised. It is quickly replacing antivirus as the primary endpoint control on workstations and servers of the best data protection organizations.
Does your firm use application whitelisting software on every workstation? Do your vendors?
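To make the difference between the two models concrete, here is an added Python illustration (not code from the original post or from any antivirus or whitelisting product). The three “executables” are constructed byte strings standing in for real binaries, and the signatures and allowlist are assumptions for the demonstration: a signature-based check is compared with a hash-based allowlist against a known sample, a mutated build of the same malware, and an approved business application.

```python
import hashlib

# Constructed sample "executables" for the demonstration (plain byte strings
# standing in for real binaries; assumed, not taken from the article): a
# known malware sample, a mutated (polymorphic) build of the same malware,
# and an approved line-of-business application.
KNOWN_MALWARE = b"MZ\x90\x00EVIL-PAYLOAD-v1\x00connect(c2.example)\x00"
MUTATED_MALWARE = b"MZ\x90\x00EVlL-PAYL0AD-v2\x00c0nnect(c2.example)\x00"
APPROVED_APP = b"MZ\x90\x00CLAIMS-PROCESSOR 4.1\x00"

# Signature-based antivirus model: byte patterns extracted from samples the
# vendor has already seen. Anything that does not match is allowed to run.
AV_SIGNATURES = [b"EVIL-PAYLOAD-v1", b"connect(c2.example)"]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def av_allows(binary: bytes) -> bool:
    """Blocklist (default allow): run unless a known-bad signature matches."""
    return not any(sig in binary for sig in AV_SIGNATURES)


# Application whitelisting model: an inventory of approved binaries, keyed by
# cryptographic hash. Anything absent from the inventory is denied, whether or
# not anyone has ever seen it before.
ALLOWLIST = {sha256(APPROVED_APP)}


def whitelist_allows(binary: bytes) -> bool:
    """Allowlist (default deny): run only if the exact binary was approved."""
    return sha256(binary) in ALLOWLIST


def evaluate(samples: dict) -> dict:
    """Map each sample name to (antivirus verdict, whitelist verdict)."""
    return {name: (av_allows(b), whitelist_allows(b)) for name, b in samples.items()}


if __name__ == "__main__":
    verdicts = evaluate({
        "known malware": KNOWN_MALWARE,
        "mutated malware": MUTATED_MALWARE,
        "approved app": APPROVED_APP,
    })
    for name, (av, wl) in verdicts.items():
        print(f"{name:16} antivirus={'allow' if av else 'block'}  "
              f"whitelist={'allow' if wl else 'block'}")
```

The mutated build slips past the signature check (a few changed bytes are enough) yet is denied by the allowlist, because it was never approved. Real products such as Windows AppLocker or WDAC also support allow rules by publisher certificate or path, so that routine patching does not break every hash rule; the caveat is that a rule that is too broad (for example an entire directory that users can write to) quietly reintroduces the default-allow behaviour the control was meant to remove.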
3) Do you think your security policies will protect you? No, that standard is too low.
Security policies are administrative controls: statements of what your employees are supposed to do, which they may or may not actually be doing. Technical controls (i.e. computer-enforced controls such as access restrictions, encryption and logging) are critical to make what you intend to happen actually happen. Policies should drive your technical controls, but on their own they are not sufficient and offer little real protection.
Does your compliance and security team emphasize technical controls over administrative controls and policies? Do your vendors?
4) Do you think penetration testing is the best way to double check your internet-facing software so it can't be hacked? No, that standard is too low.
Your software – any software – has errors and flaws deep within its code just waiting to eat you alive. Many of these flaws never show up in standard testing, penetration testing included, because a test can only exercise the code paths it happens to reach; a flaw in an error handler, an admin-only feature or a rarely used option stays hidden. Static analysis tools, which examine source code or compiled binaries, analyze the logic and look for vulnerabilities in ALL of the code, not just the code that happens to run while regular testing is under way.
Does your company use static analysis (source or binary code review) software? Do your vendors?
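As an added illustration of why static review finds what dynamic testing cannot (this is example code written for this page, not code from the original post or from any commercial analyzer), the following Python script is a toy source-code scanner. It parses a constructed sample application (assumed for the demonstration) and flags command- and code-injection sinks in every function, then reports which of those sit in functions a penetration test never drove execution into.

```python
import ast

# Constructed sample application source (assumed for illustration, not code
# from the article). The normal request path is safe; an admin-only export
# path and a dead helper both contain command/code injection sinks.
SAMPLE_SOURCE = '''
import os
import subprocess

def handle_request(patient_id):
    # Path exercised by every functional test and every pen test.
    return lookup(patient_id)

def export_report(fmt, path):
    # Admin-only feature; a routine pen test never reaches the "legacy" branch.
    if fmt == "legacy":
        os.system("legacyexport --out " + path)
    return subprocess.run(["exporter", "--out", path], shell=False)

def rebuild_index(expr):
    # No longer called from anywhere since the last refactor, but still shipped.
    return eval(expr)
'''

# Sinks worth flagging wherever they appear.
DANGEROUS_CALLS = {"eval", "exec", "os.system", "os.popen"}
# subprocess functions are dangerous only when shell=True is passed.
SHELL_SINKS = {"subprocess.run", "subprocess.call", "subprocess.Popen",
               "subprocess.check_output", "subprocess.check_call"}


def _call_name(node: ast.Call) -> str:
    """Render the called name as 'name' or 'module.attr'; '' if more complex."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def _shell_true(node: ast.Call) -> bool:
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in node.keywords)


def find_dangerous_sinks(source: str) -> list:
    """Return [(function, line, sink)] for every dangerous call in every
    top-level function, reachable or not: static analysis reads the whole
    program rather than waiting for a test to drive execution into it."""
    tree = ast.parse(source)
    findings = []
    for func in tree.body:
        if not isinstance(func, ast.FunctionDef):
            continue
        for node in ast.walk(func):
            if not isinstance(node, ast.Call):
                continue
            name = _call_name(node)
            if name in DANGEROUS_CALLS or (name in SHELL_SINKS and _shell_true(node)):
                findings.append((func.name, node.lineno, name))
    return sorted(findings, key=lambda f: f[1])


def missed_by_dynamic_testing(source: str, exercised: set) -> list:
    """Findings in functions that a test run never entered, i.e. what a pen
    test against the running application could not have observed."""
    return [f for f in find_dangerous_sinks(source) if f[0] not in exercised]


if __name__ == "__main__":
    # A pen test of the web front end only ever drives handle_request.
    for func, line, sink in missed_by_dynamic_testing(SAMPLE_SOURCE, {"handle_request"}):
        print(f"line {line}: {sink} in {func}() (never exercised by dynamic testing)")
```

Both findings (the `os.system` call behind the admin-only “legacy” branch and the `eval` in dead code) are invisible to a tester who can only reach `handle_request`, but a scanner that reads the program finds them in seconds. Production static analyzers do far more (data-flow tracking from inputs to sinks, binary analysis when source is unavailable, fewer false positives), but the principle is the same: coverage of the code, not coverage of the test.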
5) And last but not least, do you think HIPAA is the data protection standard to meet? I think you know the answer! No, that standard is too low.
HIPAA requirements tend to pick and choose what to protect and often require only relatively loose technical protections; many of the Security Rule’s technical safeguards are “addressable” rather than required, so a control such as encryption of data at rest can be passed over with a documented risk justification. Healthcare data security should behave more like that of large financial institutions, which create multiple layers of security around everything and follow rigorous frameworks (PCI DSS for cardholder data, for example) designed to protect both transactions and data at rest. Shoot for data protection compliance comparable to big banks in your systems; you’ll not only meet HIPAA requirements, you’ll dramatically reduce your risk of a data breach.
Does your company align to the financial industry’s standards for data storage, transmission and destruction? Do your vendors?
Do you get the idea by now? Say it with me…if you think your standard protections are enough, no, that standard is too low! I may sound like a broken record, but in all seriousness (and this is a very serious issue) you must be vigilant: when you think you have done all you can do, dig deeper and find out how you can do more to protect your data and your employees’ or clients’ data.
I would be interested to hear your thoughts, concerns or suggestions on other ways companies can work to protect their data. Let’s start a dialogue; share your perspective in the comments.
Robert Jackson, SVP, Information Security Officer