Author: Chris Cronin, ISO 27001 Auditor
Most InfoSec professionals don’t want to think about becoming the next victim of a major data breach that makes the headlines. And yet each new major data breach is a moment when Executive Management and security teams reflect on their own insecurities. The latest breach is being reported as the largest data breach of health information, or protected health information (PHI), in U.S. history, with 80 million records stolen. The high-profile breaches of Sony, Target and Home Depot have branded themselves in consumers’ minds as Americans deal with the direct and indirect effects. And now we have a large healthcare insurance provider running its incident response cycle.
Medical identity theft (MIT) is a different type of fraud and is big business for hackers. Medical identities command hefty price tags: as much as $50 per record or more. Insurance companies and medical facilities are prime targets. They will get breached; it’s just a matter of time. Even organizations as invested in security as the big banks get hit by hackers (think JP Morgan Chase). What this breach is showing us is that your ability to respond correctly to the breach is paramount: it can keep ongoing liabilities in check and brand perception positive.
So what can insurance companies do to help mitigate the risk of a data breach and demonstrate duty of care?
- Risk Management – Conduct a baseline risk assessment. Start by understanding the risks in your organization and their potential impacts to the business. This allows you to prioritize your security strategy in a way that regulators understand and the C-level respects. Perform ongoing risk management maintenance (at least quarterly) to stay current on risk priorities and treatment plans.
- Pen Testing – Have your networks tested for vulnerabilities by humans (not just vulnerability scans). Understanding where you’re vulnerable is half the battle. Discover where you are likely to get hacked before the hackers do. But focus on the highest risk vectors and assets first. These high-risk vectors may not be obvious, so work with penetration testers, also known as ethical hackers, who also have on-the-ground experience with incident response.
- Malware Threat Assessment – Find out if malware is already in your networks, or if you are a target of APTs, zero-days or other malicious attacks. Many tools now exist to determine if you have a systemic issue with malware.
- Incident Response Planning – Ready the organization for an incident. This helps you respond to security incidents in compliance with regulations, and in a manner in which your customers, clients and members feel respected. This may include a review and update of the incident response plan, first responder training, crisis management training, a review of the technology in place to aid investigations, and a Service Level Agreement (SLA) with an incident response firm. See HALOCK’s Incident Response Plan Checklist for tips.
As Winston Churchill once said “Never let a good crisis go to waste.” In the same spirit, don’t let this data breach go by the wayside without acting. Strike while the iron is still hot and approach Executive Management now regarding the security needs of your organization. If you’ve had security projects stalled, now is the time to re-approach the topic with senior management. This is an opportunity to improve security and reduce your organization’s liability. Bad things are going to happen; it’s how we plan and respond that matters.