In today's digital environment, no industry is immune to cyber threats. Due to the steep black market price tag attached to healthcare records and the immense amount of information contained in hospital networks and databases, the healthcare industry has more at stake than most others.
At a recent business technology leadership forum hosted by The Executives' Club of Chicago called "Safeguarding Your Business: The Impact of Growing Cyber Threats," panelists addressed cross-industry issues in cybersecurity.
Panelists were Paul Bivian, CISO with the City of Chicago; Tom Corn, senior vice president of security products at VMware; Kevin Novak, CISO of Northern Trust; and Richard Rushing, CISO of Motorola Mobility.
"The threats are real. The actors are real," Mr. Novak said. "The fact of the matter is it's organized criminals, it's state-based actors, it's script kiddies, it's all sorts of actors. And they are all attacking all sorts of audiences. It's not just data against data anymore."
Here are 10 key takeaways from the panel discussion.
1. Breaches are less binary and more gray. Data breaches are inevitable, but determining the extent of a breach is rarely simple. A single compromised desktop can look minor at first and, on closer inspection, turn out to be part of a much larger problem. "It's a constant shade of gray of how we respond rather than kind of, 'Were we breached,' and you start having escalation points based on what you find out as you go," Mr. Novak said. He says an institution's playbook and processes have to adapt as more is discovered, and the right people must be involved.
2. Go massively public. Once a data breach occurs and an institution is aware of an infiltration, there's only one thing to do, according to Mr. Corn. "You go massively public," he said. "You tell everyone in the world that this infrastructure can't be trusted and you have to switch to something else." He noted that when he was at RSA, a company that experienced a high-profile attack, they immediately went public with the breach. He said that this choice to opt for transparency prevented further breaches in other systems.
3. Security is not just the responsibility of security. A data breach requires the involvement of every part of the institution, along with law enforcement and attorneys. "It becomes a bit of a madhouse," Mr. Corn said. "It's not the time you technically want to start figuring out what kind of things can you shut down without shutting down critical systems." Rather, he says, it's a time when institutions must figure out what information they will communicate publicly, and how that will be done. "You have to have a plan because you do not want to be making this up in the middle of that mayhem," Mr. Corn added.
4. Define response plans by category. Institutions need to have an incident response plan in place before a data breach happens. But it's not enough to just have a plan; the institution must practice the plan, according to Mr. Bivian. Institutions also need a core team that can triage events, because that team will determine the category of the incident, what action the institution should take and who needs to be alerted, among other things. He recommends providing checklists based on category to give the incident handler an idea of the steps they need to take. "You need to get your incident response plan, practice it and know who to engage," Mr. Bivian said.
5. Treat all environments as hostile. Attacks are deliberate and deliberately timed. Attackers often know how to exploit an institution's weaknesses, including launching attacks on holidays or at other times when they can expect the organization to be understaffed and caught off guard. Institutions must therefore treat all of their environments as hostile, and have monitoring in place before they need it. "Make sure you ... have the right systems helping you sort the needles from the haystacks. That's kind of the predecessor to having a response plan," Mr. Novak said.
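One concrete form of "sorting the needles from the haystacks" along the lines of this point is a detector that treats privileged activity at the times attackers prefer (holidays, weekends, the middle of the night) as suspicious, and that pairs it with a burst of failed logins followed by a success. The following is an added example written for this page, not code from the panel, the article, or any of the panelists' organizations. The log format, the business-hours window, the holiday list and the sample log lines are all constructed assumptions for the example.

```python
"""Added example: flag privileged logins at attacker-friendly times.

Assumed (constructed) log line format, one event per line:
    <ISO-8601 timestamp> <success|failure> user=<name> src=<ip> role=<role>
"""
from collections import defaultdict
from datetime import date, datetime, time

# Constructed sample log lines for this example (not real data).
SAMPLE_LOG = """\
2024-07-03T14:12:05 success user=alice src=10.0.5.21 role=user
2024-07-04T02:41:10 failure user=svc-backup src=203.0.113.9 role=admin
2024-07-04T02:41:13 failure user=svc-backup src=203.0.113.9 role=admin
2024-07-04T02:41:15 failure user=svc-backup src=203.0.113.9 role=admin
2024-07-04T02:41:18 failure user=svc-backup src=203.0.113.9 role=admin
2024-07-04T02:41:22 success user=svc-backup src=203.0.113.9 role=admin
2024-07-05T09:30:00 success user=bob src=10.0.5.40 role=admin
2024-07-06T23:05:44 success user=carol src=10.0.7.3 role=user
"""

# Assumptions for the example: business hours are 08:00-18:00 local time,
# Monday to Friday, and the organization observes one holiday in the sample.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
HOLIDAYS = {date(2024, 7, 4)}
BRUTE_FORCE_THRESHOLD = 3   # failures within the window before a success
WINDOW_SECONDS = 300        # how far back to count those failures


def parse_line(line):
    """Parse one log line into a dict with a datetime under 'ts'."""
    ts_str, result, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {"ts": datetime.fromisoformat(ts_str), "result": result, **fields}


def is_off_hours(ts):
    """True on holidays, weekends, or outside the business-hours window."""
    day = ts.date()
    if day in HOLIDAYS or day.weekday() >= 5:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def find_alerts(log_text):
    """Return a list of (timestamp, reason, user) tuples worth escalating."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["result"] == "failure":
            failures[key].append(ev["ts"])
            continue
        # A success: count the failures from this user/source in the window.
        recent = [t for t in failures[key]
                  if (ev["ts"] - t).total_seconds() <= WINDOW_SECONDS]
        if len(recent) >= BRUTE_FORCE_THRESHOLD:
            alerts.append((ev["ts"], "success after %d failures" % len(recent), ev["user"]))
        failures[key].clear()
        # Privileged access when nobody is expected to be watching.
        if ev["role"] == "admin" and is_off_hours(ev["ts"]):
            alerts.append((ev["ts"], "privileged login outside business hours", ev["user"]))
    return alerts


if __name__ == "__main__":
    for ts, reason, user in find_alerts(SAMPLE_LOG):
        print(ts.isoformat(), user, reason)
```

On the constructed sample the only hits are the two alerts for `svc-backup`: a success preceded by four failures, and an admin login at 02:41 on a holiday. Bob's admin login on a Friday morning and Carol's unprivileged Saturday login pass quietly, which is the point: the rule does not flag off-hours work in general, only privileged off-hours access and credential-guessing that succeeded.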
6. The engineers who built the Internet couldn't foresee today's challenges. "The problems that we're seeing today in terms of keeping cyber systems secure in some ways stem from how we built the Internet," Mr. Novak said. The infrastructure of the Internet was never intended for the uses being asked of it today, and healthcare is seeing the ramifications of that as CISOs and engineers struggle to design systems and code that can stand up to hackers and cyberattacks. "Fixing this problem will involve restructuring and redesigning Internet infrastructure in a global sense," Mr. Novak said.
7. Cyberthreats will increase by orders of magnitude in the coming years. "Ten or 15 years ago we only had to worry about 3,000 core hackers performing cyberattacks on a regular basis," Mr. Rushing said. "If you look forward about 10 years to now, it's about three million. Ten years in the future it's going to be 300 million." This is the magnitude organizations will have to deal with. Within 10 years there are going to be large-scale cyberattacks that will affect medical centers, businesses and power grids. "It's not a really pretty picture, unfortunately," Mr. Rushing said. "Organizations will have to adopt the mindset that it's them against the world, which is a hard reality." That is not to say that collaboration won't exist, he says, but institutions will have to adopt a security posture in which they can't trust the third parties they work with, whose systems may be vulnerable, and can't trust their own employees, who may bring infected devices into the network from home. It's going to require a different sort of framework that isn't yet set up today.
8. The paradigm will shift from trying to prevent breaches to learning how to offer trusted services in a compromised environment. "Almost every organization today has a compromised system somewhere," Mr. Corn said. "It doesn't mean there's an active campaign to attack your system, but so long as people are writing the software that makes up security systems, there will be vulnerabilities and bugs." Organizations can expect to have security lapses in every environment, and the new challenge is going to be how to run services that customers and clients can trust even though those services run on infrastructure that can't be trusted. This will involve a very big change in how services are compartmentalized and how infrastructure is aligned with services. A lot of technologies are coming out to help organizations make headway on this, Mr. Corn said. Many of them are actually not security technologies but architectural technologies that will help in this regard.
9. Most IoT devices start from a baseline of compromised security. "There are a couple of caveats that make the Internet of Things really difficult to measure in terms of security," Mr. Rushing said. The devices are generally designed to be low-powered, so they skimp on encryption, which consumes power. Often the emphasis is on getting data sent wirelessly, with little consideration of who can see that data in transit; most of this over-the-air traffic is unencrypted. This isn't necessarily a problem yet, as right now many of these devices perform limited, largely one-way tasks. "But when we begin to approach the 'IoT 2.0', there is bidirectional communication to be concerned about because the devices will be capable of making changes to the overall system," he said.
10. You can't secure the cloud. Without rethinking entirely how networks function, there's no way to make sure every aspect of a cloud is secure. "Before we were working with the cloud, there were two places to position security: end points and networks," Mr. Corn said. "Both have lots of flaws, neither is ubiquitous throughout an organization's infrastructure and there are lots of different pieces of technology in both places." However, the cloud offers a tremendous opportunity: it's a kind of ubiquitous software layer that acts as a translation between applications and physical infrastructure. "It opens up an interesting opportunity," Mr. Corn said. Beyond simply having a presence everywhere, the cloud enables the creation of virtual data centers. Engineers can use these to fix problems on the front end, rather than having wide-open networks where problems are dealt with after the fact.