Last week, Target was under the spotlight yet again when the retailer's chief financial officer John Mulligan testified at a Senate hearing on ways to protect consumer data.
At the hearing, the company came under fire from senators for ignoring several warning signs that could have prevented the massive breach that resulted in the theft of more than 100 million customers' personal information. There's no doubt that organizations that collect Americans' data have to step up their game when it comes to data security.
One industry that's also grappling with security issues and the best way to protect consumer data is the one most vulnerable to data breaches -- the health-care sector.
Verizon Enterprise Solutions, a company that provides technology management services for businesses, is part of the investigation into several data breaches that occurred last year. The company's managing director of healthcare cloud and security, Maureen Kaplan, discussed some of the problems still facing most organizations when it comes to data protection, and offered lessons for retailers from the health-care sector.
An edited version of our conversation follows, with added notes:
Amrita Jayakumar: Generally speaking, what can organizations do to improve data security?
Maureen Kaplan: Organizations need to look at their entire security practice in a holistic sense, from data protection to identity protection to disaster recovery. They need to have a comprehensive plan. Being compliant [with industry standards] does not mean being secure. [Note: Target was deemed compliant with Payment Card Industry standards two months before the breach.]
AJ: What are some of the specific areas that need improvement?
MK: First, making sure that critical information -- like patient records in health care -- is segmented away from the general network, and that controls are put in place and evaluated on a regular basis.
Second, looking at user permissions: which individuals are on the network, do they have access [only] to the necessary systems for their job? Make sure that access governance to critical information is stringently applied. A strong identity management program will let you track and review [who has access to what] regularly.
Third, organizations need a governance model that incorporates threats that exist outside an organization’s network. Technology alone isn't enough. You have to have the ability to recognize when something is going wrong and how to react to it.
AJ: What's the health-care industry doing that's different when it comes to data security?
MK: For health-care organizations in particular, it’s a struggle [because] they’re running up against a different business model than they were five years ago.
AJ: Can you elaborate on that?
MK: Traditional medicine was delivered to address the patient's condition. The new business model is tied to wellness. Now it's more like -- “What are you doing to maintain the health of a population as well as improving their care on a disease front?”
The coding standards for health care are changing. Instead of a single way of categorizing an incident, there are potentially 20 ways. From a security standpoint, it's making [health-care organizations'] environments more complicated. They have to really roll up their sleeves and think differently about the way they protect data in the organization.
[Read this Wonkblog explainer for more information on changes to the health-care coding model].
AJ: What can other sectors learn from health care?
MK: Health care comes with an underlying scrutiny of compliance. But for other sectors that don't face regulation, it's like once the horse has left the barn, companies say, 'Oh, I should have done that!' In health care, they lead the pace in that area. [Note: By law, health-care providers have to adhere to data privacy requirements. In addition, a 2013 federal regulation requires companies to publicly report breaches affecting 500 or more people.]
AJ: What makes an organization successful at protecting data?
MK: What's frustrating for software professionals is that it takes minutes to exfiltrate data from a network but it takes a company weeks and months to respond.
Successful organizations recognize where they have their strengths. If their primary business is not delivering security, they should recognize that giving those controls to another organization is essential, rather than say ‘you know what, a minimal standard is good enough.’ There's no such thing as perfect security, but it’s becoming a business imperative that organizations move beyond minimal protections.
AJ: So what's holding back good security practices? Should there be new guidelines for data security?
MK: Many organizations look at their security practices by a maturity model. There are a number of industry standard organizations that make recommendations. But it’s one thing to have a framework, it’s another to have the funding. There are a lot of really smart ideas, it's just getting the organization and leadership behind it and the know-how.
If you get executives that stand behind [good security practice], you’re far more likely to be successful.