[BreachExchange] Security basics for healthcare CIOs

Audrey McNeil audrey at riskbasedsecurity.com
Thu Aug 25 19:54:23 EDT 2016


http://healthstandards.com/blog/2016/08/25/cio-security-concerns/

The world has changed, and the environment we live in is threatened. IT
professionals and leaders ought to discover creative ways to leverage their
resources and better defend against cyber attacks. It is a tough call to
balance the cost of IT security operations against the risk of a security
breach. CISOs and CIOs are rarely appreciated when everything is going
well; instead, they face the wrath of the public when a security incident
happens, despite their best efforts with limited resources and budget.

The right balance between innovation and the need to control risk requires
a comprehensive security strategy that includes policy measures, processes,
and technology. Below are the basic security areas that CIOs should include
in their operation.

Password culture

Passwords are the currency of the digital era: people use them to log into
their email, bank and credit card accounts, online forums, and social
networking tools, among others. People need to know that poor or weak
passwords put them at risk. Password complexity is directly related to
password security.

Advanced attackers use programs that generate candidate passwords from
combinations of personal information and can make many login attempts.
Since we live in times when almost everyone has been an identity theft
victim, taking a clear-headed approach to password security and complexity
plays a big part in controlling cyber theft.

Protecting hardware

The majority of the information we have is stored in computer software or
programs. Physical threats are common, and it would be a mistake to assume
that digital threats are the only ones. CIOs can take some measures to
reduce physical threats:

Know your neighbors
Review how you protect entry points
Install surveillance gadgets
Protect network cables
Lock network devices like routers, servers, etc.
Secure your access points when using wireless networks

Information security empowerment

Businesses face many external and internal digital threats that can corrupt
hardware and compromise the security of data. Your intellectual property or
private data could be used in fraud or cyber crimes. Therefore, CIOs need
to educate employees on how to protect themselves from phishing, online
scams, and pharming.

Managing incidents and response

Sometimes, when two similar security incidents happen in two different
locations, you need security intelligence to link them so that patterns
that may indicate a potential threat do not go unnoticed. A company needs
cognitive analytics and automated response, which includes creating an
automated and unified system that lets the business monitor its operations
and respond fast.
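As an added illustration of the linking step described above (this is example code written for this post, not anything from the original article or its author), the script below correlates security events reported by several sites: any indicator (a phishing sender address, a file hash) that shows up at two or more sites within a time window is surfaced as one cross-site pattern instead of two isolated tickets. The sites, timestamps, sender addresses and hashes are constructed placeholders, not real data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three hypothetical sites. Sender addresses
# and hash values are placeholders, not real indicators of compromise.
EVENTS = [
    {"site": "clinic-east", "time": "2016-08-20T09:12:00",
     "type": "phish_sender", "value": "billing@invoice-portal.example"},
    {"site": "clinic-east", "time": "2016-08-20T09:15:00",
     "type": "file_hash", "value": "aaaa1111"},
    {"site": "clinic-west", "time": "2016-08-21T14:02:00",
     "type": "phish_sender", "value": "billing@invoice-portal.example"},
    {"site": "clinic-west", "time": "2016-08-21T14:05:00",
     "type": "file_hash", "value": "aaaa1111"},
    # Seen at one site only: should not be reported as a cross-site pattern.
    {"site": "clinic-north", "time": "2016-08-22T08:00:00",
     "type": "file_hash", "value": "bbbb2222"},
    # Same hash at two sites, but months apart: outside the default window.
    {"site": "clinic-east", "time": "2016-06-01T10:00:00",
     "type": "file_hash", "value": "cccc3333"},
    {"site": "clinic-west", "time": "2016-08-23T10:00:00",
     "type": "file_hash", "value": "cccc3333"},
]


def correlate_across_sites(events, window=timedelta(days=7)):
    """Return indicators observed at two or more distinct sites within `window`.

    Each result names the indicator and the sites where it appeared, so an
    analyst sees the pattern rather than separate, unrelated incidents.
    """
    by_indicator = defaultdict(list)
    for ev in events:
        by_indicator[(ev["type"], ev["value"])].append(ev)

    linked = []
    for (ind_type, value), group in by_indicator.items():
        group = sorted(group, key=lambda ev: ev["time"])
        stamps = [datetime.fromisoformat(ev["time"]) for ev in group]
        sites = set()
        # Pairwise check: two events at different sites, close enough in time.
        for i, first in enumerate(group):
            for j in range(i + 1, len(group)):
                if stamps[j] - stamps[i] > window:
                    break  # group is time-sorted, so later events are further apart
                second = group[j]
                if first["site"] != second["site"]:
                    sites.update((first["site"], second["site"]))
        if len(sites) >= 2:
            linked.append({"type": ind_type, "value": value,
                           "sites": sorted(sites)})
    return sorted(linked, key=lambda r: (r["type"], r["value"]))


if __name__ == "__main__":
    for hit in correlate_across_sites(EVENTS):
        print(f"{hit['type']} {hit['value']} seen at {', '.join(hit['sites'])}")
```

With the default seven-day window, the phishing sender and the hash `aaaa1111` are reported as linked between clinic-east and clinic-west; `bbbb2222` (one site) and `cccc3333` (two sites, but months apart) are not. Widening the window to 90 days also links `cccc3333`, which is the tuning decision an analyst makes when deciding how far apart two incidents can be and still count as one campaign.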

Building a risk-awareness culture

Anyone can be an infection point for a business, whether it’s from clicking
a suspicious attachment or plugging in the wrong USB stick. The effort to
create a secure business must be holistic. CIOs should build a
risk-awareness culture that involves defining the risks and goals, followed
by education.

Third-party management

The technical ecosystem of data usually includes third parties such as
vendors, intermediaries, and suppliers. Insecure practices in third-party
companies or networks connected with a business can create exploitable
security loopholes. The best starting point is listing all third parties
that a firm is transacting with and prioritizing this list based on the
level of information overlap and the critical nature of the information. By
doing so, the company can proceed to look at the security measures the
third party has in place and put the appropriate controls in place.

Fast response

It is important to respond quickly to a security incident and to detect and
prioritize security threats. Serious events require a quick response from
the senior security analysts. They must take remedial actions such as
quarantining files, blocking an IP address, or wiping a laptop. Effective
incident response needs security experts to be available on a 24-hour
basis, although the case could be different for institutions with a
dedicated CSIRT.

Controlled network access

Policing would be much easier if each vehicle in every city carried a
unique radio tag linked to a sensor. The same concept can be applied to
data security. Firms that channel registered data through monitored access
points can have a far easier time spotting and isolating malware.

Managing information assets

Information assets include all equipment that can be used to generate,
manipulate, or store information. Such assets include hardware, including
computers and flash disks, internal and external databases, and physical
vaults. Businesses must keep an inventory of all these assets and lay out a
clear plan for ensuring their safety. The plan has to be communicated to
all stakeholders that manage or handle these assets in their day-to-day
activities.