Former NSA agent shares insights for simplifying health data security
The fog of war is an old expression for the chaos of battle and the frequent inability to understand what actually happened during combat. Tony Sager, senior vice president of the Center for Internet Security, referred to the data security realm today as the fog of more.
“The challenge today is where the fog comes in: There are too many security resources and organizations are left sorting out these ‘magic beans’ and marketplace claims and conflicting consulting opinions,” Sager explained. “For most defenders, it is just overwhelming. Where do I begin, what do I convince the boss we need to pay attention to? If you think of this as a fog problem, then everything comes down to priority. Defenders have limited budgets, limited time and limited attention from the boss, so everything you do in defense needs prioritization. What is the problem I am really trying to solve?”
So how can healthcare organizations simplify the challenge of data security today? Sager has some suggestions for finding one’s way out of the fog.
Learn more at the Privacy & Security Forum in Boston, Dec. 5-7, 2016.
“There is a phrase I use, the defender’s dilemma, which involves three parts,” he said. “First, figure out what to do in this noisy environment; second, actually do it, which means get a budget, convince your boss, scour the marketplace and buy things; and third, explain what you have done to other parties over and over again, to regulators, auditors, supply chain partners and so on.”
A good place to start is with what organizations in different industries have in common, rather than with what makes an industry unique, Sager suggested.
“We need a uniform way to talk about the security problem and help us all globally prioritize,” he said. “Everyone is unique, but not at the 80-90 percent level as enterprises trying to survive in cyberspace. We have much more in common than we do that is different. If you start with what is different, then the job of figuring out threats is just overwhelming. If you treat this more like an 80/20 rule, we are on the Internet and there is a soup of bad stuff we all have to deal with, then the issue becomes how do we quickly identify this list of things we have to attack that we all have to do.”
That is the thrust of the Center for Internet Security’s Critical Security Controls: guidelines that help organizations, including those in healthcare, secure their information assets at a foundational level.
“Rather than expect every enterprise to figure this out on their own, let’s put our heads together,” Sager explained. “I organize volunteers from across industries to absorb all of the information one can get; very few enterprises have the time to absorb all of this. And the key word for me is whenever you see the verb ‘share,’ think ‘translate.’ The point of the sharing is to translate millions of data points into actions. A defender does not have time to deal with millions of data points a day, a week, a month. What they really need to know is how can I translate all of that in order to deal with it?”
The Center for Internet Security pulls together large communities that bring their security knowledge from across industries, then translates that knowledge into controls.
“The history of security has been about really smart people daydreaming a thousand different ways to be hacked,” he said. “But we are focused on what is really happening now and translating that into positive steps, and we publish that and give it away.”