2009 Healthcare IT Security Priorities
In our last blog posting, we discussed three priorities all organizations should focus on in 2009: security, productivity and manageable IdM projects. Today we're looking more closely at enterprise security.
Businesses continue to grapple with economic realities, making hard decisions to stay competitive during the downturn. These decisions can have a negative impact on IT security - as IT staffs are re-organized, budgets slashed and security professionals tasked with doing more with less while addressing data security. Unfortunately, as this is happening, the number of vulnerabilities they're tasked with covering is growing. The latest news about the logic bomb at Fannie Mae just reinforces the need for additional vigilance as organizations down size.
The challenges can be overwhelming, but they're not insurmountable. So where do you start? The important thing is to have a plan - think through the challenges and anticipate possible problems. With that in mind, here are three areas you can address to make sure your company is secure:
Identify and deal with your greatest areas of risk
It may sound simple, but it represents a shift in philosophy and mindset, moving away from comprehensive, enterprise-wide projects that take years to fully implement with little to show for in return. Given the constraints in staffing and budgets, IT staffs need to focus on the immediate areas of security risk and make sure those gaps are closed. For example, if you're undergoing a company-wide reorganization, start by asking yourself: Can we immediately revoke access of former employees, and alter access to employees whose job functions have changed? Are we fully aware of all access points of dismissed consultants? If the answer is no to either of those questions, then you're at risk and have identified your first project. Assess what potential damage can be perpetrated if revocation is not immediate or all inclusive.
To understand the risk you face, just look at the case that came out last week about the former employee of Fannie Mae who was charged with implanting malware on the company's network that could have potentially caused millions of dollars in damages. While the case is still pending, the fact remains that this former employee, in the time between when he was informed of being laid off and when he left the building, was able to plant a logic bomb that could have wiped out data on 4000 servers . This remains one of the biggest security risk facing organizations - one that can be dealt with quickly and efficiently with the proper systems and processes in place.
Know who is getting on your system
Trust has never been a sound security strategy, especially when you consider the number of insider related security breaches over the last year. The nature of business dictates that you need to know what your employees are accessing, providing the ability to track users and audit usage. Having confidence in who is getting on your system means believing more than just who someone is as a username and password. It means relying on strong authentication and using a comprehensive model of device-based authentication to prove the user's identity. The dramatic reduction in the cost of fingerprint biometric scanners, card scanners and tokens allows for corporate wide deployment of new technology that is now mainstream. Think about this in the context of what happens if the wrong person is getting onto a computer, the network, an application or conducting a transaction within an application. It's become best practice in many businesses to require biometric authentication or building smart cards for enforcing user authentication and access whenever sensitive information or applications are at stake.
Have demonstratable ROI for your project
The general consensus of the CIOs I've spoken to recently is that they are being selective in the security projects they tackle in 2009 - undertaking only those projects that can yield immediate results either to improve business productivity or reduce security risk. We discussed this recently with some of our customers in a webinar roundtable discussion. If you weren't able to attend, I encourage you to download the webinar to see how they're addressing the security challenges in 2009.
So what challenges are you facing?
What steps are you taking to tackle security in 2009?
Feel free to email me if your organization is facing a different set of challenges in the coming year.