Number 5: Risk assessments. When they are mandated by law they are usually done, but not always in a manner that actually reduces risk. Sometimes organizations self-assess; that is a good first step, but when you check your own work you will always miss what an independent audit can find. Make sure you are looking at the actual risk to the data you plan on protecting. If you don't know where the data is, how can you assure it's protected? You can't!
Number 6: This is cybersecurity at its best. If you are doing one through five, then you are likely compliant. Now it's time to concentrate on the dynamic and forward-looking area called security. Reach out to information-sharing organizations like US-CERT or the FBI InfraGard program; they let you get out of your silo and plug into what's happening in other organizations, and they let you share attack intelligence and methods of protection. It's like a neighborhood watch for your cyber business operations. Look at Splunk and similar technologies that apply data analytics to detect Indicators of Compromise that could slip through everything else you have in place.
Besides the fact that the Internet was not designed to be secure, we moved everything we had onto it and did not consider the risk. To make matters worse, we don't always get a communication path to the CEO; all too often we try to push enterprise risk management from the bottom up, especially when the IT department is in charge of a part of it, like cybersecurity. IT security is about managing IT devices in the IT department; on its own it does not cover managing and securing all corporate data. It's corporate governance and data governance that enable a chief risk officer to manage risk across the enterprise by working with all departments, including the IT department, without reporting to them. It must start with the CEO!
Finally, the 2014 SANS State of Cyber Security in Healthcare report highlights the challenges ahead.
"This past year (2014) brought heightened recognition that health care information and health care identity are worth money — and that the bad guys can and will launch cyberattacks against vulnerable health care networks. According to an article in United States Cybersecurity Magazine, the health care industry has seen more targets being discussed in 2014 than any other year."
They also stated that trends in mobile and cloud computing are game changers, as they require more specialized skills and knowledge to assure that compliance and security are in place. Healthcare faces the same new and evolving threat vectors that all organizations face, but it also has its own unique challenges: regulators, a stretched healthcare system, and doing more with less, while somehow still needing to get everyone on board in managing risk to all the health data that patients and the industry demand within the current healthcare ecosystem. All of our healthcare records are at risk. This is getting very personal, so let's fix this problem now!