Every day another breach/hack report makes the news. Cyber threat mitigation, forensics, protection protocols and practices are broadly improving. These services are necessary investments for any responsible use of internet-enabled technology, which today means all technology. Increasingly, criminal cyber activity is well funded, disciplined, targeted and determined. Defense in Depth strategies are necessary and increasingly effective, but a determined, patient attacker has only to find one weakness, or exploit one distracted authorized user, to gain credentials and access to enterprise data assets.
Too often, we have made valuable data conveniently available. Management craves metrics. Metrics require consolidated data stores. Consolidated data store flexibility and integrity are often maximized by aggregating all available digitized data from operational systems and processes. Perhaps little thought was given to enterprise risk management in database design and content definitions. We may have created conveniently consolidated data warehouses for analytic use that make cyber theft much easier once security has been defeated.
A review of analytic utilization of enterprise consolidated data is likely to reveal that any personal identification and credit information contained in these stores is unnecessary to serving the functional needs of the enterprise. It can be a simple move to “de-identify” enterprise data stores by overlaying these fields at capture with null characters. A cyber thief can then defeat your defenses and still come away empty-handed, or face the new challenge of sweeping the enterprise for those operating data stores that must contain sensitive information. However, these “working” data stores used for service delivery, billing and collections and other business operations processes are often physically and logically distributed and segmented, making recognition and extraction much more difficult and more easily detected. In summary:
- Invest in “defense in depth” cyber threat mitigation strategies, practices and technologies.
- Review all enterprise data stores for patient identity and personal consumer information, and evaluate the necessity of these elements to analytics.
- Mask all incoming, high-risk data elements with null characters to preserve application investment while eliminating an unnecessary source of enterprise risk.
- Adopt policy and controls to periodically “sweep” the enterprise for new sources of data risk, and avoid creating enterprise-wide operating data stores which must contain such data.
- Protect “operating level data” with field level encryption at rest and in motion.
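The masking and sweep steps above can be sketched as follows. This is an added example, not code from the original article; the column names, the detection patterns and the sample feed are assumptions made for illustration.

```python
import csv
import io
import re

# Assumption: column names the data-store review classed as high risk.
HIGH_RISK_FIELDS = {"patient_name", "ssn", "card_number"}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits):
    """True when a digit string passes the Luhn check used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_record(record):
    """Overlay high-risk values with NULs of equal length; columns and widths stay intact."""
    return {k: "\x00" * len(v) if k in HIGH_RISK_FIELDS else v
            for k, v in record.items()}

def capture(feed_text):
    """Mask each row as it is read from the operational feed, before it is stored."""
    return [mask_record(row) for row in csv.DictReader(io.StringIO(feed_text))]

def sweep(rows):
    """Report (row, field, kind) wherever identifying data still appears in the store."""
    findings = []
    for i, row in enumerate(rows):
        for field, value in row.items():
            if SSN_RE.search(value):
                findings.append((i, field, "ssn"))
            for m in CARD_RE.finditer(value):
                if luhn_ok(re.sub(r"\D", "", m.group())):
                    findings.append((i, field, "card"))
    return findings

# Constructed sample feed using test-only values; no real person's data.
SAMPLE_FEED = (
    "patient_name,ssn,card_number,visit_cost,notes\n"
    "Jane Roe,078-05-1120,4111111111111111,120.50,follow-up in 2 weeks\n"
    "John Doe,219-09-9999,5500005555555559,80.00,pt gave SSN 219-09-9999 by phone\n"
)

if __name__ == "__main__":
    print(sweep(capture(SAMPLE_FEED)))
```

The sweep still flags the SSN typed into the free-text notes column, which masking by column name alone does not catch. Some databases reject NUL bytes in text columns (PostgreSQL does), so confirm the target store accepts the overlay character.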
When is a health care data breach a non-reportable and private event? When the stolen data does not contain anything of regulatory value. Minimize enterprise risk: do not create data pools that needlessly contain valuable, legally protected personal data.
Cyber threat/security programs should be reviewed on a regular basis. Boards may benefit from engagement of an outside, experienced adviser. Contact BrightWork Advisory, LLC today to discuss your specific engagement needs.