I recently read a story about a man who won the lottery. Unlike most winners, he opted for an annuity rather than the lump sum, which resulted in a smaller yet substantial sum being paid annually over a twenty-year period. As time went on, the man lived extravagantly without regard for his own future or his family’s. A few close friends and family members strongly encouraged some restraint, but he ignored them. A couple of years before the annuity was to end, he was asked what his plan was once the money was gone. He shrugged and replied, “I’ll win again.”
Luck, obscurity, and the law of large numbers
Many in the information security field have a mindset similar to that of the man described above. Luck, obscurity, and the law of large numbers often hide serious structural and operational flaws. Too often we delude ourselves into believing our defenses have held when, in fact, they have not even begun to be tested. When faced with an advanced, persistent threat, no one is immune. Kevin Mitnick’s penetration testing firm boasts a 100% success rate when permitted to use social engineering techniques. Zero-day vulnerabilities are traded and sold to the highest bidder, awaiting their weaponization and deployment.
I don’t intend to be an alarmist or overly pessimistic, but the truth is that it’s nearly impossible to protect oneself even when doing everything correctly. What scares me most are those who do not even attempt to meet basic security practices. Perhaps a lack of intentionality is what best describes the organizations most at risk. The good news is that if you’re reading this, you’re not in that category.
Ensure an appropriate defensive posture is in place
It’s far too easy to downplay the severity and likelihood of such an incident affecting a given entity. Justifications are offered such as “we’re too small,” “they’re too busy going after those with real money,” “security is a luxury we can’t afford,” or my personal favorite, “it’s just not a priority of this organization at this time.” There will always be bigger fish to fry, larger problems to solve, and operational issues directly affecting patient care or the bottom line. These constants do not change the external threat landscape or the need to ensure that an appropriate defensive posture is in place.
If we look back on some of the bigger breaches that made headlines over the past few years, many of them were largely avoidable. Equifax could have patched the vulnerability in Apache Struts two months prior to its breach. The Office of Personnel Management could have implemented multi-factor authentication and hardened its policies, procedures, and staff against social engineering. Organizations around the globe could have easily prevented the WannaCry and Petya ransomware variants by simply enforcing Windows updates. Instead, the malware caused billions of dollars in damages at major organizations such as FedEx, the UK’s National Health Service, and Maersk, as well as numerous hospitals and healthcare providers across the world.
While the technical underpinnings of these incidents are interesting to people like me, the question of why they were allowed to occur in the first place is far more intriguing. Taking some liberties with William Law’s famous quote: “if we ask ourselves why …these breaches occur… your own heart will tell you that it is neither through ignorance nor inability, but purely because you never thoroughly intended it.”
Taking a step towards intentionality and ownership
Intentionality requires a measurable goal and a steadfast commitment to improvement. It means placing security as a variable early in the planning phase and aggressively adhering to the risk thresholds and security posture put in place. It means recognizing and actively resisting the tendency to let things slide, and being resolute in a mandate that may never seem to matter. It’s a natural human tendency to favor the short term over the long term and to let things become “someone else’s problem.”
It’s our job as auditors to provide an assessment representing your status at a particular moment in time. It’s a snapshot that can be used to gauge progress in your security plan and to suggest improvements. It’s a step towards intentionality and ownership. We can’t solve all of your security and privacy concerns – that’s an impossible task for an outsider to achieve. However, we can serve as a mile marker and a weathervane – aligning your intentionality with our technology and expertise. That’s a reasonable plan that isn’t reliant upon chance and happenstance. Give us a call and let us show you how the HIPAA One® software can help.