Dave Newell founded information security services firm Loptr LLC in 2013 and has over two decades of experience working with large and small companies nationwide to improve their information security programs and lower their risk of online threats and cyber attacks. I interviewed him on the topic of privacy and information security in healthcare. This article contains an abridged version of the interview. You can listen to the full audio version of the interview below and download the full transcript.
Mattox: There is so much going on with security, Dave. What do you check regularly to keep up-to-date with security threats and other information on the security front?
Newell: Every morning I spend about half an hour reading through security news. And so what I’ve done is, along with the rest of my consulting team, we put together a reading list of sources of information security news. So those come into our tablets and computers every morning and I spend about a half an hour every day reading. And even then, it’s really hard to keep up because there’s so much going on. We share this list of reading sources [with our clients] and we encourage organizations to put together a set of sources that they [follow].
Mattox: So one of those things you’ve probably read a lot about is ransomware, which is probably the biggest threat this year and especially with healthcare organizations. They seem to be particularly vulnerable. What can hospitals and clinics, particularly small practices in our membership, do to mitigate this threat, and what are the most important steps to take to guard against this?
Newell: Yeah, that’s a good question. And the answer is really, when it comes to ransomware, that it’s a very challenging threat, and it can be very hard for organizations to defend against it. And the reason is that, unlike some of the security threats that we worry about, ransomware can come through a number of different paths. And so one of the things that can happen is bad guys, when they’re attacking your organization, can try to break into computer systems and install ransomware. Or you can be infected by ransomware just by visiting a website that has already been compromised. Or you can get ransomware in the way that I think most of us think about it arriving, which is it arrives in an email. Because ransomware can come from a lot of different paths, it’s really hard for folks to defend against.
So when we look at how we defend against ransomware, one of the things that happens is, you have to be able to secure the end-point. I’m talking about the computers or laptops that are where ransomware initially attacks. Making sure that our operating systems are patched and up-to-date, removing software that we don’t need and patching some of the riskiest software that’s out there like Flash and browsers and Adobe products and Java. [Run] anti-virus or anti-malware software. And then the other thing that you need to do is focus on training and make sure that people are on the front lines, that is these people that are receiving emails, understand what to do or what not to do to avoid ransomware. Make sure that people understand how ransomware can get into your organization and what you can do to stop it which really comes down to not doing things. Don’t click on things. Don’t open attachments.
Mattox: You also have done a number of risk assessments for healthcare providers. What are the most important things that smaller practices can do to help keep them safe?
Newell: Well, a few years ago, I was at a conference that NIST and the Office of Civil Rights [held]. At this conference, a person from OCR said that one of the things that they look at when they’re doing a HIPAA audit is your risk analysis. What they said was that there are no organizations that they have found that have done a good risk analysis that do not use encryption. The point here is that you can’t be doing a good job of securing healthcare data if you’re not using encryption on your desktops and laptops.
There’s a set of what I guess we would call table stakes for security programs. Organizations need to have policies and procedures in place. They need to have done some kind of risk analysis. They need to do training and awareness as well. If we go into an organization and don’t find those things in place, that can be a red flag in terms of HIPAA compliance. A last area that I’ll mention is logging. You need to review your logs and monitor for security incidents. You need to be able to capture information about what’s going on in your organization.
Mattox: Sort of contrary to that, are there things that you see being done in hospitals or other organizations that you think are misguided or are not a good use of resources for security?
Newell: One of the broad things that we see is that folks tend to confuse information security and compliance, or risk management and compliance. There tends to be a confusion that things that we do to comply with the HIPAA security rule are the same as being secure. There [are] a lot of things that you need to do to manage risk and not all of them are in the HIPAA security rule. A mistake that we see organizations make is that they focus on just hitting a checklist of: do I have this document, do I have this piece of software, do I have that piece of hardware? [People] focus on having things versus doing things. There’s a quote that I often refer to from Bruce Schneier, “Security is a process, not a product.” This big mistake that we see is that folks tend to think about security and say, “Oh, security is having a firewall or having antivirus software.” Where security is really about using those tools, monitoring your environment and making sure that everything that you have is actually working.
Mattox: What have you found to be the most effective way to articulate the business value of security and privacy to management?
Newell: We put together what we call “a 60-second assessment”. If you didn’t have a lot of time and money and you needed to get a quick understanding of [your] security, how would you do that? There’s one question that is my favorite. [When] I’m talking to the senior management in a healthcare organization, I say, “Go back and ask your IT people, ‘How many [network] connections did we have from Russia yesterday?’” The point of asking this question is to understand whether you can know. Because most of us in healthcare in the United States do not really need network connections from Russia. If you looked at that and said, “Well, you know what? I don’t actually provide healthcare to anybody in Russia. There shouldn’t be any Russian connections.”
What you’ll find in a lot of cases is that you actually can’t get a good answer. Even if you get a response like this, “Well, I can find out for you.” [If] it takes you a day or a week to find out who connected to your network, you still have a problem. If the answer is, “We do not know who’s connecting to our network,” then it’s pretty clear that you’re not getting enough value out of your information security.
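As an added example (not code from the interview, from Loptr LLC, or from the interviewer), here is the shape of a script that answers the "how many connections from Russia yesterday?" question from firewall logs, which is the kind of quick answer the 60-second assessment is looking for. The log line format, the sample lines and the prefix-to-country table are all constructed for illustration: the prefixes are documentation ranges, not real allocations, and a production version would consult a GeoIP database such as MaxMind GeoLite2 instead of the hard-coded table.

```python
"""Count inbound connections per source country for one day, from firewall logs.

Added example, not code from the interview or from Loptr LLC.  The syslog-like
line format, the sample lines and GEO_TABLE are constructed for illustration
(the prefixes are RFC 5737 documentation ranges, not real allocations); a real
deployment would use a GeoIP database such as MaxMind GeoLite2 for the lookup.
"""
import ipaddress
import re
from collections import Counter
from datetime import date, timedelta

# Constructed firewall log lines (hypothetical format).  One line per flow.
SAMPLE_LOG = """\
2024-03-11T23:58:01Z fw1 ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=443
2024-03-12T00:03:14Z fw1 ACCEPT src=198.51.100.23 dst=10.0.0.5 dport=443
2024-03-12T01:15:09Z fw1 ACCEPT src=203.0.113.7 dst=10.0.0.9 dport=22
2024-03-12T08:42:55Z fw1 DROP src=203.0.113.99 dst=10.0.0.5 dport=3389
2024-03-12T09:00:00Z fw1 ACCEPT src=192.0.2.44 dst=10.0.0.5 dport=443
2024-03-12T12:00:00Z fw1 ACCEPT src=100.64.0.1 dst=10.0.0.5 dport=443
2024-03-12T17:20:31Z fw1 ACCEPT src=198.51.100.200 dst=10.0.0.5 dport=443
2024-03-13T00:00:02Z fw1 ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=443
garbage line that should be ignored
"""

# Constructed prefix -> ISO country table (hypothetical mapping, NOT real GeoIP data).
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "RU"),
    (ipaddress.ip_network("203.0.113.64/26"), "DE"),   # more specific prefix wins
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
]

# Pull out the date, the firewall verdict and the source address of a line.
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+\s+\S+\s+(?P<action>ACCEPT|DROP)\s+src=(?P<src>\S+)"
)


def country_for(ip_text):
    """Longest-prefix match of an IP against GEO_TABLE; 'UNKNOWN' if nothing matches."""
    ip = ipaddress.ip_address(ip_text)
    best = None
    for net, cc in GEO_TABLE:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else "UNKNOWN"


def connections_by_country(log_text, day_iso, accepted_only=True):
    """Return a Counter of source country -> connections on day_iso ('YYYY-MM-DD').

    Lines that do not parse are skipped; DROPs are skipped unless accepted_only
    is False; addresses that fail to parse are counted as 'UNKNOWN'.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("day") != day_iso:
            continue
        if accepted_only and m.group("action") != "ACCEPT":
            continue
        try:
            counts[country_for(m.group("src"))] += 1
        except ValueError:  # malformed source address in the log line
            counts["UNKNOWN"] += 1
    return counts


def unexpected_countries(counts, expected=("US",)):
    """Countries seen that are outside the set the organization expects to serve."""
    return {cc: n for cc, n in counts.items() if cc not in expected}


def yesterday_iso():
    """Date string for yesterday; the sample run below uses a fixed date instead."""
    return (date.today() - timedelta(days=1)).isoformat()


if __name__ == "__main__":
    day = "2024-03-12"   # fixed to match the constructed sample; use yesterday_iso() on real logs
    counts = connections_by_country(SAMPLE_LOG, day)
    print(f"Connections on {day} by source country: {dict(counts)}")
    print(f"From RU: {counts['RU']}")
    print(f"Outside the expected set: {unexpected_countries(counts)}")
```

The point of the script is not the country table but the plumbing: the logs exist, they are parsed, and the answer comes back in seconds rather than in a day. If the only way to produce that count is to ask a vendor or export a week of logs by hand, the "we can find out for you" answer in the interview is the one you will get.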
Dave Newell founded information security services firm Loptr LLC in 2013. Newell has over two decades of experience working with large and small companies nationwide to improve their information security programs and lower their risk of online threats and cyber attacks. Dave started and led Denver-based Crave Technology in 1995 before joining Computer Task Group (CTG) in 2005, where he led a consulting team providing information security solutions to clients including healthcare providers, payers, and health information exchanges.
You can contact Dave at firstname.lastname@example.org or visit Loptr’s web site at www.loptrllc.com.