Former FBI cyber section chief on using data mapping to mitigate breach risk
The healthcare industry is one of the most complex in terms of data. Patient information of all types is being transmitted both within organizations and among third parties. Keeping that data safe is a huge undertaking.
Most often, healthcare organizations rely on many vendors to handle data, whether for testing, security services or other functions. Data mapping is one technique designed to help organizations understand all of the involved risks and determine the location of the data at any given time.
That's according to John Riggi, head of the Cybersecurity and Financial Crimes Unit for BDO Consulting and former chief of the FBI's Cyber Division Outreach Section.
"The most fundamental premise is that cyber risk can't be eliminated – it can only be mitigated," Riggi said. "Healthcare organizations need to understand what criminals want to steal and how to protect it."
Quite literally, data mapping means determining the assets held within an organization, understanding networks within the enterprise and how the data moves within it. It's a lot like plumbing in a house: You have to know where the pipes go and how the water flows, said Judy Selby, managing director, technology advisory service for BDO Consulting.
According to Selby, healthcare leaders can accomplish this in three steps:
- First, perform a third-party assessment to determine where your organization stands and its most prevalent risks. For some, this may also mean finding out if your organization has already been breached.
- The second step is an 'incident response and practice plan,' which will help leaders respond better when an event occurs and mitigate the impact of the breach.
- Third, leaders must institute a strong training program for employees.
"Leaders need to take an inventory of the IT assets, through a process of interviewing within the enterprise to determine the data being used, the programs using the data and how it moves through the organization," Selby said. This inventory covers both hardware and software, and, again, how the data moves within the organization.
Mobile devices are another area often overlooked in terms of security, Riggi explained. Many employees use their devices for both personal and business use. Hospitals need to take an inventory of every device on the network – and the network needs to be password protected.
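As an added illustration (not from the article, BDO or its speakers), here is a small Python model of the data map described above: assets and the patient-data flows between them, with queries for where PHI can end up and for the things a mapping and device-inventory exercise is meant to surface. The system names, vendors, devices and flows are constructed sample data.

```python
from collections import defaultdict

# Constructed sample inventory: hypothetical systems, vendors and devices.
ASSETS = {
    "ehr":              {"type": "internal",    "owner": "Clinical IT"},
    "billing":          {"type": "internal",    "owner": "Finance"},
    "claims-vendor":    {"type": "third_party", "owner": "Vendor Mgmt"},
    "analytics-vendor": {"type": "third_party", "owner": None},
    "nurse-tablet-17":  {"type": "mobile",      "owner": "Nursing"},
}
# Each flow: (source, destination, data class, encrypted in transit?)
FLOWS = [
    ("ehr", "billing", "PHI", True),
    ("billing", "claims-vendor", "PHI", True),
    ("ehr", "analytics-vendor", "PHI", False),
    ("ehr", "nurse-tablet-17", "PHI", True),
    ("nurse-tablet-17", "byod-phone-3", "PHI", True),  # device never inventoried
    ("billing", "claims-vendor", "billing-codes", True),
]

def build_graph(flows):
    """Adjacency list: source -> [(destination, data class, encrypted)]."""
    graph = defaultdict(list)
    for src, dst, data_class, encrypted in flows:
        graph[src].append((dst, data_class, encrypted))
    return graph

def reachable(graph, start, data_class="PHI"):
    """Every asset that data of this class can reach from `start`: where the pipes go."""
    seen, stack = set(), [start]
    while stack:
        for dst, cls, _ in graph.get(stack.pop(), []):
            if cls == data_class and dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return seen

def find_risks(assets, flows):
    """Findings a mapping exercise should surface, as a sorted list of strings."""
    findings = set()
    for src, dst, data_class, encrypted in flows:
        if dst not in assets:
            findings.add(f"unknown asset receives {data_class}: {dst}")
        elif data_class == "PHI" and assets[dst]["type"] == "third_party" and not encrypted:
            findings.add(f"unencrypted PHI to third party: {src}->{dst}")
    for name, asset in assets.items():
        if asset["owner"] is None:
            findings.add(f"asset without an owner: {name}")
    return sorted(findings)
```

`reachable(build_graph(FLOWS), "ehr")` answers where PHI leaving the EHR can end up, including the phone nobody inventoried; `find_risks(ASSETS, FLOWS)` lists the vendor with no owner, the unencrypted vendor feed and that uninventoried device.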
"There needs to be a culture of information security in an organization," Riggi said. "The best protection is when the C-suite understands this risk and it's emphasized within the organization."
"When you think about it," Selby added, "top-down prioritization is the most effective way to approach this issue. In every instance (within an organization) it's the leaders that set the priorities and control the purse strings. They are the ones who can really set the tone for others to follow."