January 28 marked Data Privacy Day, and a number of organizations across the United States and Europe hosted film screenings, town hall meetings, webinars and other events over the following week in order to share information and resources related to data privacy. Among those events was a panel discussion hosted by Peak 10, which brought together a number of experts to discuss threats to data privacy, best practice defenses and a number of other topics.
It was the first in a series of expert roundtable panel chats that Peak 10 will host throughout this year. (The next takes place March 5. Details to follow.)
Panelists for the data privacy discussion included:
- Kyle Duke, Vice President, IT & CSIO, Cigna HealthSpring
- Andrew Jaquity, CTO and Senior Vice President of Cloud Strategy, SilverSky;
- Manny Ladis, Senior Vice President of Sales & Marketing, Dizzion; and
- David Kidd, Director of Quality Assurance and Compliance, Peak 10.
If you missed the event, highlights of the discussion are provided below.
Most common online attacks?
Andrew: Email is the leading method for launching attacks, followed by denial of service (DoS). Phishing schemers attempt to compromise data and get their hands on social security or credit card information and secrets. DoS attacks are often used as a cover for other malicious activity. Financial services are subject to frequent attacks, but healthcare is increasingly a target. Medical fraud can be very lucrative, and protections are less mature in the healthcare industry, which makes it an easier target.
Who’s more vulnerable, small business or big enterprises?
Andrew: Smaller companies are attacked more frequently; there are more of them, and they are softer targets. Email accounts for about 80% of those attacks. Big companies spend more on security in actual dollars, making them tougher targets. So, they will attract more sophisticated and more complex attacks like we saw with Target and Neiman Marcus.
How does the flood of regulations affect best practices?
David: HIPAA is a good example. Rather than get very technically specific, the regulations set up a framework for compliance, what needs to be accomplished and with a shared vocabulary. Solution design to comply with that framework was left to the technicians, who could share methods and learn from one another. From there, best practices evolved. Protecting patient data reinforced the importance of data encryption, which has actually carried over well beyond healthcare and produced better products.
Are there different levels of compliance depending on company revenue; are the attacks different?
David: Regardless of size, a common security and compliance framework should be followed. From that point of view, size has no bearing on compliance. It comes down to where the weakest link is. As the Target example showed, however, the greater the reward, the more sophisticated you can expect the attack and the attackers to be.
Do HIPAA compliance requirements extend internationally?
David: Yes, and international issues regarding the handling of data are a hot topic. Data governed by HIPAA must remain within the U.S. jurisdiction; it cannot go out of country. Foreign healthcare-related companies with U.S. operations must follow the same rules and honor all requirements.
What BYOD issues are you seeing?
Manny: Organizations need to start with what they want to do and the regulations they want to put in place, and then create the standards. They can then roll them out and enforce them. Many companies are simply reacting without a real plan, which is causing problems and vulnerabilities.
We don’t want data on devices. It should be stored and accessed from one location. There are issues that need to be addressed; keeping personal and corporate data separate is a big one.
Andrew: Mobile device management (MDM) can help put a structure around BYOD. There are three parts to it. First, you have to understand the legal and compliance issues related to that data. As we’ve discussed, the EU and US are different. Then, as Manny said, you create the policies. Technology alignment follows. Define the user agreement up front with policies to match.
Describe the role of CSIO.
Kyle: CSIO is a relatively new role, and it’s changing quickly. I started a CSIO roundtable group in my area five years ago; we need a much larger table today than we did then. My role was very operational at first. Since then, we’ve created enough value in the position so that now it’s part of the leadership team and far more strategic. It’s extending more into risk management.
How do you engage employees in being stewards of security?
Kyle: The message must be constant and consistent. It must be in front of employees all the time, not just a once-a-year refresher. Programs are only as good as how employees behave. We don’t want to be viewed as the security police necessarily. When we do have issues, we take the stance of being a partner to help dissect the issue. It may be workflow-related, or there’s a technical hurdle. We need to help solve the problem and not alienate the employee.
How do you assess risk?
Kyle: We started with a framework; ISO was a good one. We applied that as a measuring stick and did a gap analysis to see how we stacked up. Then I put on my risk assessment hat and built out a three-year risk assessment strategy, making the needed adjustments along the way. Every year, we have a plan laid out that gets us better program support and funding.
David: I tell customers to make themselves a small target. Hold on to as little data as possible for the shortest period of time allowable, and keep access limited to as few people as possible.
Andrew: If you don’t need it, get rid of it. People can’t steal data you don’t have.
Please talk about what’s happening with the Safe Harbor guidelines.
David: It’s been in the news a lot. I believe most of the problem is political posturing. The EU has very strict privacy guidelines, which some Europeans believe are hampering business development. Still, the EU is asserting its authority, insisting that the U.S. comply with its rules – and we should. We may be the international commerce powerhouse, but the U.S. is being too casual in following Safe Harbor guidelines. Our Department of Commerce needs to take this more seriously; it is a sovereignty issue for the EU. Perhaps self-certification by U.S. companies is too weak. Perhaps something more prescriptive than what is laid out in Safe Harbor is needed. Whatever it takes, I believe a compromise will be struck.
The next Peak 10 expert roundtable panel chat, entitled “Expert Roundtable Video Panel Chat on Compliance”, takes place March 5 at 1 p.m. Join us for another insightful, informative session by registering here.