The topic is especially sensitive for two of the industries most targeted by attackers: financial services and health care. As multiple news sources have noted, no one wants to paint a bull’s-eye on his or her organization’s IT infrastructure, so people are reluctant to discuss their organization’s specific strategies.
But there are general practices in those industries that other businesses can learn from and use. As the data breaches that hit Target and Home Depot demonstrated, nearly any kind of business can be victimized. And they don’t have to be major retailers.
Jim Nelms, chief information security officer for the Mayo Clinic, says that the health care “user community” has become more aware of providers and insurers that have had precious customer data stolen. Those customers know that they “have a choice of hospitals,” he says. And that truth extends to other types of businesses, so that the consumer is likely to think, “If a company can’t take care of my information, I’m probably not going to use its services or buy its products.”
As many types of businesses use cloud services, Internet-based updates for scanners and copiers, mobile communication devices for employees, and other technologies, they’re creating more opportunities for digital thieves. A breach can cost any business, regardless of size, money and customers. So one of the lessons that financial services and health care industries can teach other businesses is this: Cybersecurity can no longer be an afterthought—it needs to be a crucial part of day-to-day operations.
U.S. banks generally have been more diligent than other industry sectors about protecting their businesses from data breaches, though they remain vulnerable, as last year’s JPMorgan Chase breaches demonstrated. But as the Mayo Clinic’s Nelms says, while health care technology is leading-edge, health care information technology “not so much.”
Health care facilities are “very easy prey” for hackers, he notes, because they’ve traditionally put most of their money and time into patient care and new treatment technologies. (Health insurers also have been attacked: Indianapolis-based Anthem Inc. announced early this year that hackers had made off with personal information of nearly 80 million people.)
What’s more, he says, in medicine, information is often shared: Physicians share patient information with colleagues and nurses; electronic medical records traverse many parts of the health care system. “We’re not going to change the way we practice medicine to fit into an existing information security program,” Nelms says. “We have to develop new programs.”
Though not at liberty to say what specific programs Mayo has developed, he does observe that “the Internet has brought a different approach to practicing security in all businesses. The volume of data we generate is increasing exponentially. So many of the techniques we used 10 years ago to protect our homes and institutions, like network firewalls, don’t work as well.” A firewall, he adds, “operates like a tollbooth. Every piece of data that comes through has to be analyzed” to determine whether it’s safe.
With information so widely distributed over the Internet and on mobile devices, health care employees—like those at any business—can accidentally leave digital doors unlocked for cyber-thieves to enter. Sometimes it’s carelessly leaving devices where they can be pilfered. In other cases, it’s “phishing” attacks, where people receive fake emails, seemingly from colleagues, vendors and others, containing dangerous links that, once clicked, give hackers a “hole” through which they can break into a company’s network.
To help its employees learn the crucial importance of their role in cybersecurity, Mayo Clinic has put in place an extensive program in behavior management communications that’s part of its information security program. The goal, he adds, is to make Mayo staff aware of habits that might put the health system’s valuable information at risk, such as opening improper emails, and leaving laptops and smartphones unattended.
Part of that is simply making people understand that there is a threat, which often comes as a surprise to employees, even at Mayo. As Nelms says, “there’s the belief for most people that ‘I don’t have anything of interest to anyone, so why would they [target] me?’ Well, they do, because you’re part of the company.”
Looking ahead, Nelms says that Mayo is working on ways to identify people rather than devices. That way, the information you need to have access to is available “through whatever device.” Second, Mayo is moving to protect data, “not the systems that the data is housed in.” The information can be situated in numerous places across the IT system, and needs to be protected no matter where it is.
Mayo Clinic has had a focus on cybersecurity for many years. According to Greg Vetter, New York City-based health care consulting director for accounting and consulting firm McGladrey, one of the reasons other health care providers are quickly catching up is the Health Insurance Portability and Accountability Act (HIPAA), passed by Congress in 1996. One of HIPAA’s key provisions is the privacy of patient medical records. In the past few years, thanks in large part to the Affordable Care Act, regulators have used HIPAA privacy provisions to levy “really significant fines” on providers that have experienced data breaches, Vetter says.
To counter these threats, “one of the first requirements of the HIPAA security [protocol] is a detailed risk assessment,” he says. A risk assessment is a holistic approach to cybersecurity, Vetter says. An organization examines all of its “assets”—including servers, desktops, paper files, back-up tape and so on. They also include other devices that can retain information, including printers and copiers. What the assessment is looking for are “vulnerabilities.” What a business is evaluating are risks, not only of potential breaches, but also breakdowns of other processes, such as employees who aren’t regularly changing passwords or a lack of data encryption.
Health care systems have become more rigorous about formal risk assessments in the past two years, Vetter says. They also are increasingly using user-activity monitoring software such as FairWarning. These programs record who is accessing patient information and send out alerts when a pattern of access looks inappropriate.
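The kind of review such monitoring performs can be illustrated with a small audit-log checker. The following is an added example, not FairWarning’s product or any program Mayo or Vetter described; the log format, the care-team roster, the staff-to-own-record mapping and the thresholds are all assumptions constructed for the demonstration. It applies three common tests to constructed sample lines: a clinical user opening a chart of a patient not on his or her care team, a staff member opening his or her own record, and an unusually high number of distinct charts opened within a short window.

```python
"""Review of electronic-health-record access logs for inappropriate use.

Added illustration; not FairWarning's product or any health system's program.
Log format, roster, self-record mapping and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines: timestamp, user, role, patient_id, action.
SAMPLE_LOG = """\
2015-03-02T08:05:00,jdoe,nurse,P1001,view
2015-03-02T08:07:00,jdoe,nurse,P1002,view
2015-03-02T08:09:00,jdoe,nurse,P1003,view
2015-03-02T08:30:00,jdoe,nurse,P4042,view
2015-03-02T09:15:00,rsmith,physician,P2001,view
2015-03-02T09:20:00,rsmith,physician,P1001,view
2015-03-02T12:02:00,rsmith,physician,P9000,view
2015-03-02T23:40:00,tlee,billing,P3001,view
2015-03-02T23:41:00,tlee,billing,P3002,view
2015-03-02T23:42:00,tlee,billing,P3003,view
2015-03-02T23:43:00,tlee,billing,P3004,view
2015-03-02T23:44:00,tlee,billing,P3005,view
2015-03-02T23:45:00,tlee,billing,P3006,view
"""

# Assumed care-team roster: patients each clinical user is assigned to.
# Users absent from the roster (e.g. billing) are not subject to that rule.
CARE_ROSTER = {
    "jdoe": {"P1001", "P1002", "P1003"},
    "rsmith": {"P2001", "P1001"},
}
# Assumed mapping of staff members to their own patient record.
STAFF_OWN_RECORD = {"rsmith": "P9000"}
VOLUME_WINDOW = timedelta(minutes=10)
VOLUME_LIMIT = 5  # more than this many distinct charts per window -> alert


def parse_log(text):
    """Parse the constructed CSV-style audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def review_access(events):
    """Return a list of (timestamp, user, rule, detail) alerts."""
    alerts = []
    recent = defaultdict(deque)  # user -> deque of (ts, patient) in window
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user, patient = ev["ts"], ev["user"], ev["patient"]

        # Rule 1: clinical users should only open charts of assigned patients.
        if user in CARE_ROSTER and patient not in CARE_ROSTER[user]:
            alerts.append((ts, user, "not_on_care_team", patient))

        # Rule 2: a staff member opening his or her own record.
        if STAFF_OWN_RECORD.get(user) == patient:
            alerts.append((ts, user, "self_access", patient))

        # Rule 3: many distinct charts in a short window (snooping/bulk pull).
        window = recent[user]
        window.append((ts, patient))
        while window and ts - window[0][0] > VOLUME_WINDOW:
            window.popleft()
        distinct = {p for _, p in window}
        if len(distinct) > VOLUME_LIMIT:
            alerts.append((ts, user, "high_volume",
                           f"{len(distinct)} charts within {VOLUME_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for ts, user, rule, detail in review_access(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {user:8} {rule:18} {detail}")
```

In the sample, the nurse’s fourth chart and the physician’s own record trigger the roster and self-access rules, and the billing user’s sixth chart in five minutes trips the volume rule; the roster and self-record mappings are what a real deployment would have to pull from scheduling and HR systems, and tuning the volume threshold per role is what separates a useful alert from noise.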
Todd Carpenter, co-owner and chief engineer at Minneapolis-based IT consultancy Adventium Labs, says that if he had to pick one best practice, it would be “network segregation”—keeping different types of data separate from one another. Financial information, for instance, is kept on one network that has no connection to the Internet, while Internet access is provided on a separate network. “And the networks don’t cross,” he says.
So if a company executive clicks on a phishing email, a firewall probably won’t protect the network from breach. “But if that executive’s machine isn’t connected to the company’s financial system, or has no access to personnel or client data, the risk of that [phishing] exposing something [valuable] is very low,” Carpenter says. He notes that network segregation is expensive. “It takes time and IT staff to maintain,” so it’s more common in large organizations. But, Carpenter says, small companies can do it with less expensive methods, such as using wireless Internet routers.
Carpenter also advises companies to make sure that devices connected to the Internet are protected. “Internet of things” technologies that allow companies to monitor and regulate building operations remotely, including HVAC systems and LED lighting, can provide a great deal of convenience—and another opening for hackers. Printers and scanners “‘phone home’ regularly to get regular software updates,” Carpenter says. He recommends setting up internal networks so that the “things” plugged into the network can’t be hacked.
Another potential weak link, he notes, is employee Internet access. Many companies restrict their staff’s access to Facebook, YouTube and other time-suck sites—sometimes creating resentment among employees but better protecting their networks. Businesses that use social media communication as part of their marketing outreach can set up a separate network where people can log in to appropriate machines to get to the outside world. And again, that’s separate from where all the client data is stored.
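Carpenter’s point about the phished executive and the separate social-media network comes down to a reachability question: from a compromised machine, which assets can an attacker reach? The following added example, which is not Carpenter’s or Adventium’s code, models three constructed policies as segments plus directed allow rules and walks the allow rules transitively, because an attacker who lands in one segment can pivot from there. The segment names, hosts and rules are assumptions for the demonstration. The third policy shows the failure mode the “networks don’t cross” rule guards against: two individually reasonable exceptions that chain into a path to the financial system.

```python
"""Blast-radius check for a network segmentation policy.

Added example, not Adventium Labs' or Carpenter's code. Segment names, hosts
and allow rules are constructed assumptions for the demonstration.
"""
from collections import deque

# Assets the article says should be unreachable from everyday workstations.
CROWN_JEWELS = {"finance-db", "hr-files", "client-records"}

# Policy 1 (constructed): a flat office network, everything in one segment.
FLAT = {
    "segments": {"office": {"exec-laptop", "finance-db", "hr-files",
                            "client-records", "internet-gw"}},
    "allow": set(),  # nothing to allow; one segment already talks freely
}

# Policy 2 (constructed): separate networks that don't cross. Only the user
# LAN and the social-media network may initiate connections to the Internet.
SEGMENTED = {
    "segments": {
        "user-lan": {"exec-laptop"},
        "internet": {"internet-gw"},
        "finance": {"finance-db"},
        "hr": {"hr-files", "client-records"},
        "social-media": {"marketing-kiosk"},
    },
    "allow": {("user-lan", "internet"), ("social-media", "internet")},
}

# Policy 3 (constructed): segmented on paper, but two "temporary" exceptions
# (user LAN -> HR, HR -> finance) chain into a path to the finance network.
CHAINED = {
    "segments": SEGMENTED["segments"],
    "allow": SEGMENTED["allow"] | {("user-lan", "hr"), ("hr", "finance")},
}


def segment_of(policy, host):
    """Name of the segment that contains host."""
    for name, hosts in policy["segments"].items():
        if host in hosts:
            return name
    raise KeyError(f"unknown host {host!r}")


def reachable_hosts(policy, start_host):
    """Hosts an attacker on start_host can initiate connections to.

    Breadth-first search over segments: the attacker's own segment, then
    every segment reachable through the directed allow rules, transitively,
    since each compromised segment becomes a new starting point.
    """
    start = segment_of(policy, start_host)
    seen = {start}
    queue = deque([start])
    while queue:
        seg = queue.popleft()
        for src, dst in policy["allow"]:
            if src == seg and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    hosts = set()
    for seg in seen:
        hosts |= policy["segments"][seg]
    return hosts


def exposed_crown_jewels(policy, compromised_host):
    """Sorted list of sensitive assets reachable from compromised_host."""
    return sorted(reachable_hosts(policy, compromised_host) & CROWN_JEWELS)


if __name__ == "__main__":
    for name, policy in (("flat", FLAT), ("segmented", SEGMENTED),
                         ("chained", CHAINED)):
        print(f"{name:10} phished exec laptop exposes:",
              exposed_crown_jewels(policy, "exec-laptop") or "nothing")
```

The model is deliberately coarse: it treats an allow rule between segments as full access and ignores ports, credentials and physical media, so a clean result here is a necessary condition, not proof of isolation. Its value is in the third case, where each exception looked harmless on its own and the chained path only shows up when the rules are evaluated together.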
Scott Larson is a former FBI cyber-crime investigator and current CEO of North Oaks-based Larson Security, which performs consulting, risk assessments and other cyber-protection services for banks, law firms, retailers, tech firms and health care organizations. He says that banks have continuously had to address new types of security, such as mobile and online banking. They’ve become adept at keeping all types of information separate—customer data, financial data, anything that is regulatory-based that could cause risk exposure, intellectual property, mergers and acquisition information, and human resources information.
But while banks might frustrate cyber-crooks, there are other types of businesses they can rob. “Last year, we saw a lot of payroll-related hacking,” such as rerouting of direct deposits, Larson says. He adds that there’s been a huge increase in hacking of tax returns. Other thieves have made off with company funds via illicit online wire transfers.
Like Carpenter and other cybersecurity experts, Larson recommends network segregation for businesses, as well as automatic updates and anti-virus programs. But he also says that businesses shouldn’t rely solely on technological fixes. There are security-incident monitoring products that combine several anti-hacking methods and generate alerts, but Larson says these products are still imperfect. Actual human beings need to be involved, and know what to look for. Businesses need people who can handle the day-to-day operation of a network, he says, because IT people “know what’s normal and what’s not on a company’s network.”
“The Internet was never meant to secure information—it was designed to share information,” notes Daren Klum, founder and CEO of Brooklyn Center-based Secured2, which develops anti-hacking technologies. To protect digital data, the IT industry developed encryption, one of the key methods of “locking away” data. But while encryption works well, its protective capability is limited by the fact that data needs to be unencrypted to be read. And unencrypted data “is what the hackers target,” he says.
The technology that Secured2 has developed shrinks and “shreds” data into 10KB packets, distributing it to multiple locations on a hard drive, or to multiple cloud locations, such as Google and Amazon. The user can retrieve the information, which is restored into a “complete” configuration. Once the user has finished her task, the data is shredded and stored once again. “There’s never a physical file that sits ‘at rest.’ ” Secured2 also is developing a technology that causes a mobile device to, in effect, “self-destruct” if a thief tries to access the information it contains.
New technologies like Secured2’s will undoubtedly continue to be developed. “Security’s not an absolute, but you can definitely make it harder for attackers to get in,” Carpenter says. And one of the key ways to do that is to acknowledge that digital breaches are a serious threat. Cybersecurity, Larson says, “starts at the top.” He’s seeing companies with leaders focused on the issue, whether those are top executives or board of directors’ audit and risk committees.
“In the past 10 years, industries have learned that information security is part of the business process,” Mayo Clinic’s Nelms says. At Mayo, cyber-security becomes “part of the business decisions that support the strategic goals. It’s not a bolt-on.” TCB
Alan Abramson, senior vice president and chief information officer for Bloomington-based HealthPartners, offers this list of practices that his health system follows:
Implementing cybersecurity measures using a proprietary combination of tools from providers including Rapid7, Hewlett-Packard and Symantec.
Keeping out hackers, malware and other threats through network and web firewalls, anti-virus and malware protection on servers and workstations, and content filters to prevent access to inappropriate Internet sites, as well as those with a reputation for malicious software.
Preventing internal data from being exposed with methods that include full encryption on laptops and portable devices to protect data from loss or theft, remote tracking of portable devices that allows for locking and wiping of portable computers and smartphones, and vulnerability scans “to identify issues in our environment for mitigation.”
Creating security awareness among employees and having systems and processes in place in case of a cyber-breach. For example, says Abramson, “our security team will train teams within the company on how to avoid phishing scams by reporting suspicious emails. Roughly 10 days later, we will test team members by sending suspicious emails to test their responses.”
Gene Rebeck is a Duluth-based freelance journalist who writes monthly for Twin Cities Business.