Cause for alarm

What keeps IT security officers up at night
By Erin McCann
11:04 AM

It's not just the thought of having a data security breach that scares Kaiser Permanente's Jim Doggett. It's the far-reaching damage such an event could wreak that really keeps him up at night.

Doggett, the chief security officer and chief technology risk officer at the 38-hospital Kaiser Permanente, who kicked off the HIMSS Media and Healthcare IT News Privacy and Security Forum in San Diego this June, said that these days, if an organization reports a data breach, they're going to see serious repercussions.

"What scares me more is the impact of these," he said.

"If you go back three or four years, if one of these companies had had a similar breach, what would have happened? Would you have seen their CEO resign? Would you have seen them testifying before Congress? Would you have seen their stock price plummet?" asked Doggett, referring to the massive Target breach affecting 40 million consumers that resulted in a 46 percent plunge in fourth quarter profits.

Sure, an organization might have received bad press for a period of time and had to fork over credit monitoring to affected consumers. But Doggett argued that the effects back then would not have been as severe as they are now.

Michael Allred, information security consultant and identity and access team manager at Intermountain, who also spoke at the forum Monday, agreed. 

Allred recalled a conversation he had with his chief information officer, who very seriously told him: "If we have a data security breach, someone's going to lose their job." That's just the nature of the game nowadays. 

This reality, Doggett said, can be partially attributed to the changing nature of the chief security officer's role. He recounted his earlier years in financial sector IT. Back then, the role of security officer was akin to that of a "security cop." Now, in a world dominated by a consumer-driven model, bottom lines and fiscal growth goals, it's about being a "business enablement person," he said.

In other words, folks in health IT security need to be concerned about the business side of things and the needs of that business. 

Thus, if a patient – the consumer – neither trusts your organization nor is satisfied with how their data is being handled, they'll go elsewhere. That's not good for bottom lines. 

At the same time, the rapidly growing cybercrime market means big-time bad news for this business piece of the puzzle.

"Cybercrime is an industry," Doggett said. "It's well funded; it's well organized. They're patient, and they make money."

The other thing about healthcare security, he noted, is that it's built around compliance. HIPAA has requirements; meaningful use has security mandates; even the FDA and FTC have policies now applicable to healthcare organizations. 

Sure, an organization may be HIPAA and HITECH compliant, but what about the security piece?

"I think we can be completely HIPAA compliant and not even be close to being secure," said Doggett. "Compliance does not equal security … at best, compliance, rules and regulations that are done are probably 10 years old, so they're really solving yesterday's problems."

So, how to address this? There's no straight and simple answer, said Doggett, who himself is still grappling with these issues.  

Adaptation is king. Whether or not security folks like it, the job isn't just about being a technician anymore. "We still have to be the best technicians on earth," he said, but "we need them to be business executives who understand the business we focus on."