Protecting data assets should be part of a comprehensive security and compliance program for any company that creates, maintains and stores sensitive information. Cathie Brown has deep experience in this space. She currently is the Vice President of Professional Services at Clearwater Compliance, Inc., the leading provider of cyber risk management and HIPAA compliance solutions for healthcare providers and their partners. Prior to that, Cathie held a number of senior leadership roles, including serving as the Deputy CISO for the Commonwealth of Virginia and as the CISO/VP of Governance, Risk and Compliance at Impact Makers, Inc.
Chris Pillay, CEO of Semele Data, recently interviewed Cathie about the industry trends she is seeing, with a particular emphasis on data privacy and what companies should be doing to protect their data assets.
Chris: Seems like data breaches are becoming a fairly regular occurrence. With the news of the recent Equifax settlement, it seems the financial impacts are not a trivial matter. Are firms out there still challenged to close vulnerabilities?
Cathie: Absolutely! Securing and protecting data has to be a top priority today. The Equifax settlement you reference takes it up a notch in terms of accountability by the company to provide remediation options for consumers at a cost of over $450 million. Closing vulnerabilities is only one step of an overall risk management program. It’s important and it is challenging, but it becomes more manageable once you’ve established processes and policies around data protection.
Chris: The data footprint of firms is growing exponentially. How is this growth affecting enterprises from a risk perspective?
Cathie: In some ways we have a perfect storm. We have the data footprint exploding because we’ve been collecting data for many years and now we’re able to use incredible tools and, with analytics, do some amazing things. Many organizations also have an exploding attack surface as more and more devices are connected to the internet and company networks. Obviously, this creates a risk level that must be taken seriously. I still encounter companies that believe this is an IT issue, and it is not. I can’t stress enough that information risk management must be on the BOD agenda.
Chris: In an industry such as healthcare where HIPAA compliance and Business Associate Agreements are in play, this must be even more acute?
Cathie: In almost all industries, we are dealing with some aspect of customer or consumer livelihoods, whether it be identity theft or scams that steal money. In healthcare, we are dealing with the health and outcomes of patients. We are all patients or have family members who are patients at some point in time, so healthcare is very personal. Healthcare records bring a premium on the black market because they contain so much information and because there is such emphasis on the need for the information to be correct. We also can’t ‘cancel’ a medical record and get a new one, like we can a credit card. There is also a lot of innovation going on in healthcare that relies on data. Fortunately, the Office for Civil Rights (OCR), which enforces HIPAA, and NIST (National Institute of Standards and Technology) work together to provide guidance, tools, and enforcement for managing risk in the healthcare industry. It can be overwhelming because healthcare is a complex ecosystem.
Chris: Obviously, the focus has been on protecting networks and educating employees about avoiding phishing and social engineering scams, but what about insider threats? What are you seeing and what are people doing about them?
Cathie: Network security has been a focus for a long time and I think that aspect of risk management is more mature. You are right that the current focus is on phishing and social engineering because these are the most prevalent attack vectors right now, or how hackers get access to systems. ‘Ransomware’ has been in the news a lot and many of these cases have originated through phishing. Protecting from the outside is important, but insider threats pose the greatest risks. Some of the items I see are the lack of Information Risk Management at the program level, or risk assessments performed annually and then put on a shelf, and not knowing where all the sensitive data is and not having an accurate inventory of assets. Another area that poses a considerable risk is when production data is used in development, test and training environments.
Chris: Glad you mentioned “testing with production data” as an insider threat. We assume that firms’ lower environments and systems are protected in the same manner as their production systems and environments, so what is the real vulnerability there?
Cathie: Production data is paramount to the business, regardless of the industry. This is what we’re all working to protect. We all know production systems get the focus and funding. Even if the same technical controls exist in test environments, the same amount of rigor usually doesn’t. There is more opportunity for exposure of data to staff who do not have the ‘need to know’, and it is harder to maintain the ‘minimum necessary’ standard. There is also more opportunity for data loss without detection, such as downloading the data to a thumb drive or hiding it in outbound emails. Using production data in a test or non-production environment is a breach waiting to happen.
Chris: In your new role at Clearwater, you help firms ensure they are in compliance and are addressing vulnerabilities. How would the implementation of a test data management solution be viewed through the compliance lens?
Cathie: One of the solutions we provide is Information Risk Management through the use of professional services and a platform called IRM|Analysis with modules for Security and Privacy. The use of production data in a test environment would be considered a risk with a high impact. This would be captured in a risk register for remediation as a priority. In the situation where an organization has implemented a test data management solution, the risk level would drop significantly due to mitigation and compliance would be higher.
Chris: Do you have specific recommendations for reducing data related risks?
Cathie: Yes! First and most important is to know where all of the sensitive data is. There are tools that can help with discovery. Put policies and procedures in place to govern how that data is accessed, processed, stored and transmitted. Perform a thorough risk assessment to identify likelihood and impact of the risks associated with the data. Remediate the risks, such as obfuscating test data and then perform monitoring and regular audits to ensure that production records don’t leak back into those test databases.
Chris: Thanks Cathie! If an organization was interested in learning more about Clearwater’s services and how you can help them reduce risk, how can they learn more?
Cathie: I can be contacted via email at: firstname.lastname@example.org.
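Cathie’s recommendations above boil down to a procedure: obfuscate the data that goes into test environments, then monitor and audit so that production records don’t leak back in. The following Python script is an added example from the editor, not code from the interview or from either company’s products, showing one way to do both steps. It uses constructed, fictional patient records and two hypothetical keys: a masking key that stays with the masking job, and a separate audit key so the audit can recognize production identifiers from keyed fingerprints without ever holding the raw values. SSN formatting is normalized before fingerprinting so a copy with the dashes stripped is still caught.

```python
"""Added example: mask production identifiers for a test environment, then
audit the test database for production records that leaked back in."""
import hashlib
import hmac
import re
import sqlite3

# Constructed sample "production" records (fictional people and values).
PRODUCTION_RECORDS = [
    {"id": 1, "name": "Alice Example", "ssn": "123-45-6789", "dx": "J45.909"},
    {"id": 2, "name": "Bob Sample", "ssn": "456-78-9012", "dx": "E11.9"},
]

# Hypothetical keys. MASK_KEY lives only with the masking job; AUDIT_KEY is the
# only secret the audit needs, so the audit never handles raw production values.
MASK_KEY = b"masking-key-kept-in-a-secret-store"
AUDIT_KEY = b"audit-key-kept-in-a-secret-store"


def canonical_ssn(ssn: str) -> str:
    """Strip everything but digits so '123-45-6789' and '123456789' match."""
    return re.sub(r"\D", "", ssn)


def keyed_token(value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256). Same input and key give the
    same token, so joins across masked tables still work; without the key the
    token cannot be reversed or cheaply brute-forced over the SSN space."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def mask_record(rec: dict) -> dict:
    """Replace direct identifiers with synthetic values; keep the clinical code
    so the test data stays realistic."""
    tok = keyed_token(canonical_ssn(rec["ssn"]), MASK_KEY)
    digits = f"{int(tok, 16) % 10**8:08d}"
    return {
        "id": rec["id"],
        "name": f"Patient {tok[:8]}",
        # Area numbers 900-999 are never issued by the SSA, so a synthetic
        # 9xx-xx-xxxx value cannot collide with a real SSN.
        "ssn": f"9{digits[0:2]}-{digits[2:4]}-{digits[4:8]}",
        "dx": rec["dx"],
    }


def production_fingerprints(records) -> set:
    """Fingerprints of real identifiers, computed where production data is allowed
    to live. Only this set is handed to the audit job."""
    return {keyed_token(canonical_ssn(r["ssn"]), AUDIT_KEY) for r in records}


def load_test_db(rows) -> sqlite3.Connection:
    """In-memory stand-in for a test database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE patients (id INTEGER, name TEXT, ssn TEXT, dx TEXT)")
    con.executemany("INSERT INTO patients VALUES (:id, :name, :ssn, :dx)", rows)
    return con


def audit_test_db(con: sqlite3.Connection, fingerprints: set) -> list:
    """Return ids of test rows whose SSN fingerprint matches a production record."""
    leaked = []
    for row_id, ssn in con.execute("SELECT id, ssn FROM patients ORDER BY id"):
        if keyed_token(canonical_ssn(ssn), AUDIT_KEY) in fingerprints:
            leaked.append(row_id)
    return leaked


def demo() -> list:
    """Mask the sample set, then simulate one raw production row copied into test."""
    fps = production_fingerprints(PRODUCTION_RECORDS)
    masked = [mask_record(r) for r in PRODUCTION_RECORDS]
    assert audit_test_db(load_test_db(masked), fps) == []  # clean refresh passes
    leaked_rows = masked + [PRODUCTION_RECORDS[1]]          # developer copies a real row
    return audit_test_db(load_test_db(leaked_rows), fps)


if __name__ == "__main__":
    print("leaked row ids:", demo())
```

In practice the fingerprint set would be regenerated on each production refresh and the audit scheduled against every lower environment, with a non-empty result raised into the risk register Cathie describes rather than just logged.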
About Semele: Semele Data is focused 100% on the test data management space. We understand the importance of being able to quickly and safely provision great test data. It’s all we do, and we do it well. We are a team of former consultants with deep expertise in IT and large, complex financial/banking systems. Our founder and management team have extensive experience in creating new companies and products and in successfully implementing these products within leading national organizations. Learn more at www.semeledata.com.
About Clearwater: Founded in 2009, Clearwater’s original mission was to help healthcare organizations become and remain compliant with HIPAA’s Privacy, Breach Notification, and Security rules. Today Clearwater is the leading provider of cyber risk management and HIPAA compliance solutions for healthcare providers and their partners, having delivered privacy and security solutions to more than 400 customers since its founding. Clearwater has been voted Best in KLAS for Cybersecurity Advisory Services by its customers and has received a top rating for Compliance and Risk Management Solutions in Black Book for the past 3 years. Learn more at www.clearwatercompliance.com.
About the Author.
Christopher B. Pillay is the President & CEO of Semele, formerly the product division of Meridian Technologies, an award-winning IT consulting, staffing, and technology company that Chris co-founded in 1998. With over 25 years in the technology industry, Pillay helps clients, including some of the largest banks and healthcare companies in the US, solve complex data management issues. Pillay believes in taking a collaborative approach with his clients to get to the heart of the business challenge and develop innovative solutions for long-term success.
You can follow Chris at: https://www.linkedin.com/in/chris-pillay-7839b41/