Look in the mirror. You may have a robust, compliant security infrastructure in place, but all it takes is one employee to click on a phishing email to compromise your network and your data.
Healthcare organizations struggle to stay secure and compliant with HIPAA and PCI in an environment of constant, changing threats. We interviewed Brook Chelmo, Senior Marketing Manager at SonicWALL, about the steep challenges these organizations face. His overarching message? Those that rely on check-box compliance for security do so at their peril.
Here’s what Mr. Chelmo said about how regulated organizations can stay safe.
CHECKMARK COMPLIANCE DOES NOT MAKE A ROBUST SECURITY SOLUTION
Vendors like to beat customers over the head with compliance because it leads to more sales. But if an organization focuses too heavily on compliance, it can achieve “checkmark security” while leaving itself wide open to attack. Let’s unpack this a little.
Are you encrypting data in transit and at rest? Are you protecting your data in a way that makes sense to your environment? Have you considered the physician who brings his or her work laptop or mobile device home?
How is your content filtering solution configured? What is it capable of? Are employees checking Facebook on breaks? Are they googling Black Friday deals and ending up on sites that inject malware or steal payment data? Many of these concerns are not likely to be covered by compliance checkboxes.
AT THE END OF THE DAY, SECURITY IS ABOUT EMPLOYEE TRAINING
I don’t think there are compliance checkboxes for running employee phishing tests every three months. Those are the best practices that really help you stay secure.
The truth is that most IT managers look at compliance as a sword of Damocles, not a comfort.
If you’re responsible for personal data, you risk steep compliance fines. Personally, I feel that a hospital should not be fined unless it’s clear that its intention was not to comply. Instead, they should be allowed to invest that money back into the organization’s security.
USE A NETWORK SANDBOX SOLUTION TO DETONATE THREATS
Hackers create new malware variants every day. In the past year, we’ve detected 64 million pieces of unique malware and blocked 2.2 trillion IPS attacks. That’s why we developed a network sandbox solution called Capture ATP. If the firewall detects suspicious code, Capture ATP takes it to an isolated and protected environment in the cloud and runs the code to see exactly what it does.
Capture ATP uses a multi-engine strategy that detects malware-related actions at the application, operating system and hardware levels. Since the launch of the service on August 1, 2016, we have uncovered over 1400 brand-new variants of malware. Our customers have an extra layer of protection that offers good performance, reporting and automation so they don’t have to monitor their traffic all of the time.
IN MOST ORGANIZATIONS, PEOPLE ARE THE WEAKEST SECURITY LINK
Email addresses, even the CIO’s, are always available and easy to exploit. For example, a hacker could spoof a marketing director’s email with a message that says, “I have an interview coming up and attached is a list of questions.” All it takes is one person to open the attachment and now you have ransomware or a Trojan behind the firewall. That’s why employee training and phishing tests are so important.
Also important: get a good next-generation firewall, ensure you have ways to detect attacks when they happen and ways to stop the exfiltration of data, and make sure your solutions can protect from malware hidden in encrypted traffic.
You need a good mobile endpoint protection strategy that stops malware from infecting mobile devices when they’re outside the network. You also need multi-factor authentication so hackers can’t access your network after they start hacking connections through public Wi-Fi.
WHEN IT COMES TO DETERMINING YOUR SECURITY BUDGET, CONSIDER THE BLACK MARKET VALUE OF YOUR DATA
If I were to hack your hospital network, what would the data be worth on the market? Is your security budget in line with this number? Even so, security is always a balance between fortification, access and inspection. You can’t put in so many security solutions and policies that it’s difficult for employees to get to the network or customers to the website.
TO ASSESS RISK, GO HACK YOURSELF
Two words: penetration testing. Penetration testers help you find vulnerabilities and figure out how to protect yourself. Hire an outside organization to attempt to hack into your network and see how vulnerable you are. If your organization is spending $3 million securing medical records, spend $100,000 to make sure you’re secure in all areas, not just the one or two that are most obvious.
Capture ATP data shows us that the average company gets hit by eight-to-ten new forms of malware or ransomware every year. All it takes is one attack to bring your organization to its knees.