Evidence-based security: Using data and analytics to protect health information

Penn Medicine CISO Dan Costantino outlines the steps to gathering information so you can plan strategically and educate the business about threats.
By Dan Costantino
09:42 AM
Share
Dan Constantino speaking to HIMSS TV

Dan Costantino, CISO at Penn Medicine, will be speaking at the upcoming HIMSS Healthcare Security Forum in Boston, Oct. 15-16.

Choosing an approach to information security for many programs is rarely as straightforward as it may seem.

So-called best practices, compliance, and frameworks appear around every corner, all of which have a slightly unique take on a similar grouping of foundational security control areas. This increasing amount of information, regulated or not, can be your best friend or worst enemy.

Infosec teams can easily get sucked into the business of hammering home controls based on what a best practice suggested, rather than what the business actually needs.

Let’s discuss how all of this information can aid a program, and where an evidence-based approach comes into play in order to take the organization’s posture to a more thoughtful and heightened level.

Comply with rules and regulations

Compliance is a no-brainer. It’s not just a good idea to follow regulated compliance, it’s the law. For this purpose alone, security programs must understand and follow regulated compliance by implementing the core controls necessary to do so.

Often times this is a very non-prescriptive approach, but one that can aid a program in identifying many of the foundational security controls and risk management necessary to protect information assets. Business stakeholders tend to be very interested in regulated compliance and supportive of maintaining it.

Security leaders must use this opportunity to implement controls that not only comply with law, but align with business operations.

Take a risk-based approach

Assuming the organization is compliant with regulated law, this is the time where security programs can really shine by taking a risk-based approach.

Aside from industry-recognized frameworks, such as the NIST Cybersecurity Framework and HITRUST, many of the controls and planning necessary to increase the level of security posture are buried in the data.
Business leaders and boards often ask the question; how much security is enough? The answer should always be “just enough.”

If your program is compliant and aligned with a selected framework, implementing security controls that aren’t aligned to a business mission or a significant risk will put the program in jeopardy of losing organizational trust.

Security programs need to be business enablers, and in order to do so they must look at the data and show supporting evidence for why new controls are a good idea.

Gather two key types of data

There are two types of data that security teams can draw from, both of which will prove invaluable to planning and influence within the business.

First, data published by many industry-leading organizations needs to be gathered and studied by security programs. What is the industry seeing as a top threat? Where are attacks most often coming from? What are some of the key challenges other programs like yours face in accomplishing their mission? These are all questions every security program should be asking themselves, and many of the answers are publically available in the data being published on a quarterly or annual basis by several trusted sources. If the top attack vector is phishing, security programs need to gather data to support this and begin to plan internally for how to protect their business from these types of attacks. Security awareness training, two-factor authentication, email filtering and advanced threat protection mechanisms should be on the roadmap and aligned to this threat and evidence.

The second type of data security programs need to be gathering is internal to their business. Aggregating industry data from trusted sources is a great start, but your mission needs to be supporting and enabling your business. What does the evidence within your business show you? Are employees mishandling data on a regular basis? Perhaps your data classification policies and data handling guidelines need to be updated. It could be that structured data repositories are missing in key areas, or employees simply lack the education or technology necessary to make good decisions with sensitive information. This is the kind of research that will enable thoughtful recommendations and propel your security program to a heightened level within the business.

Put the evidence to work

Finally, use the data and evidence gathered by trusted sources and within your business to shape your strategic planning. For example, no framework will prescriptively point your program to the evidence that the increasing interconnection of devices will lead to new types of risk that must be addressed.

Lean on the data to support planning for the protection of IoT and medical devices. If industry research is telling you a new threat is emerging and your business is heading down a path that will expose them to it, you should be planning and educating the business through the use of this data and supporting evidence — regardless of what a framework may be telling you.

Focus on Cybersecurity

In October, we take a deep dive into security strategy and pressing threats.