FBI advice: Respect info security fundamentals … or else
Malcolm Palmore, assistant special agent in the cyber division of the FBI's San Francisco field office, has seen his share of cybersecurity failures and successes. He said two of the biggest lessons learned from past FBI breach investigations center on information sharing and the fundamentals.
“Information sharing is one of the key mitigation strategies that any information security practice can employ to enhance their security posture,” Palmore said. “There are a number of groups out there that provide intelligence on the cyberthreat landscape as it relates to malware, botnets and more, and the more entities that avail themselves of the information, the better the overall posture will be.”
But Palmore also said a lack of respect for the fundamentals of information security can spell disaster.
“No matter how complex the impact, oftentimes what we find at the end in a post-mortem is information security fundamentals are not being adhered to,” he said. “Log management, auditing, identity access management, training personnel on awareness and social engineering and spear-phishing, and inoculating employees to these vectors so they are more aware – these all are key.”
Healthcare organizations can draw on the FBI's considerable resources to help head off breaches.
“One of the things we do at a high level is most FBI field offices have an aggressive cyber-outreach composed of the management personnel in that field office responsible for cyber matters,” he said. “In San Francisco, myself and six other supervisors are responsible for engaging with private sector security partners. We talk to them about what we see on the cyberthreat landscape and maybe bring to their attention some things we are seeing that they may not have seen. The last thing we want is for entities to get themselves involved in a situation like ransomware and not know who to call in their local FBI office.”
As for identifying a critical weakness in cybersecurity today, Palmore does not hesitate in his answer.
“The biggest weak spot is the lack of standardization among the entire private sector landscape as it relates to the security frameworks and the implementation of those frameworks,” he said. “Healthcare has sets of rules mostly governed by HIPAA that require them to put into place security levels of protection and to advise when those levels of protection have been violated. But outside of healthcare and the payment card industry, most companies are left to their own devices to figure this landscape out.”
Many security frameworks are available and the government publishes recommendations, Palmore added, but there are no required standards.
“I think we will get to the point in the not too distant future where there will be a requirement in that vein to get certain types of cyber insurance or to have certain things in order to do business with the government,” he said. “That is where we are headed.”
Palmore will deliver a keynote address on cybersecurity issues at the HIMSS and Healthcare IT News Privacy & Security Forum, May 11-12, 2017, in San Francisco, during a session entitled “Know Your Enemies: Cyber Trends and Emerging Threats.”