Q&A with Alan Kessler

April 22, 2015
by Lauren Dubinsky, Senior Reporter
The majority — 92 percent — of health information technology decision makers believe that their organizations are somewhat or more vulnerable to insider threats and 49 percent feel extremely vulnerable, according to the 2015 Vormetric Insider Threat Report.

Furthermore, 62 percent of the decision makers rated privileged users (people who have access to all resources on the systems they manage) as the most dangerous insider threat, with partners with internal access and contractors as the second and third most dangerous.

DOTmed News had the opportunity to speak with Alan Kessler, CEO of Vormetric, about why these decision makers feel so vulnerable and what they can do to prevent insider threats at their organizations.

DOTmed News: Why is health care data so valuable?

Alan Kessler: Health care data has become one of the most desirable commodities for sale on “black” Internet sites because it typically contains enough detail to not only apply for credit cards or loans, but can also be used to generate large sums from fraudulent medical charges, or even to compromise patients’ existing financial accounts. As a result, stolen health care records command a large premium versus more mundane stolen information, such as credit card data.

DOTmed News: Why do the majority of HIT decision makers feel vulnerable to insider threats?

AK: The health care environment has grown more complex as the amount of data being exchanged has increased and the market itself broadened. Now included in the wider insider threat problem set are privileged users who manage IT infrastructure and have full access to the data on the systems that they manage.

[Those include] employees such as doctors, nurses, billing departments, administrators and other skilled health professionals, service providers and contractors with access to enterprise networks, such as IT, HVAC and SaaS providers and health care-specific organizations, such as postsecondary care facilities and insurance companies. Other threats are criminals who compromise any of these accounts.

Just as important a contributor to this sentiment is the high rate of data breaches and compliance audit failures being reported. According to our report, 48 percent of U.S. health care organizations reported either encountering a data breach or failing a compliance audit in the last year.

Additionally, decision makers are also well aware that compromised health care data can lead to longer-term problems for individuals later on down the line. Identity theft can destroy credit results, and the exposure of private information can be very damaging to an individual’s reputation. Understanding the gravity of potential damage can further fuel fear.

DOTmed News: What can they do to try to prevent an insider threat from occurring at their organization?

AK: There are a number of ways to protect against an insider threat breach. We recommend organizations that are serious about implementing a data-first security strategy do the following:

1) Integrate new encryption technology that minimizes operational impact and works with strong access controls for all important data sources.

2) Implement integrated data monitoring and technologies such as security information and event management (SIEM) systems to identify data usage and unusual or malicious access patterns; this is critical to maximizing security.

3) Concentrate on protecting data at the source. For most organizations, this will involve protecting a mix of on-premises databases and servers, and remote cloud and big data applications.

4) Develop an integrated data security strategy that includes monitoring, relevant access control and levels of data protection.

With network and endpoint security solutions failing to stop or even detect attacks by employee insiders, and advanced attacks using employee credentials, a layered defense combining traditional as well as advanced data protection techniques is the path forward.
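The monitoring in point 2 above is the part of this list that can be shown in working code. The following is an added example, not Vormetric's code and not anything from the interview: it parses a constructed application audit log (the key=value line format, the role names and the sample lines are all assumptions made for the demo) and raises two kinds of alert that map onto the insider threats named earlier in the interview: a privileged account (DBA, sysadmin) reading clinical records at all, and a regular user whose count of distinct patient records touched is far above the median for their role. The thresholds are illustrative and would be tuned against real baselines before being fed to a SIEM.

```python
"""Flag unusual patient-record access in an application audit log.

Added example, not Vormetric's code. The log format, role names and
thresholds are assumptions; the sample lines are constructed for the demo.
"""
import re
import statistics
from collections import defaultdict

# Assumed audit line shape: "<timestamp> user=<u> role=<r> action=<a> record=<id>"
LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+)"
)

# Constructed sample: three nurses with ordinary shift activity, one nurse
# pulling a dozen charts late at night, and a DBA reading a clinical record.
_NORMAL = [
    "2015-04-20T09:01:12Z user=nurse01 role=nurse action=read record=P1001",
    "2015-04-20T09:02:40Z user=nurse01 role=nurse action=read record=P1002",
    "2015-04-20T09:05:03Z user=nurse02 role=nurse action=read record=P1001",
    "2015-04-20T09:06:11Z user=nurse02 role=nurse action=read record=P1003",
    "2015-04-20T09:07:55Z user=nurse02 role=nurse action=update record=P1003",
    "2015-04-20T09:10:00Z user=nurse03 role=nurse action=read record=P1004",
    "2015-04-20T09:11:22Z user=nurse03 role=nurse action=read record=P1005",
    "2015-04-20T09:12:48Z user=nurse03 role=nurse action=read record=P1006",
]
_BURST = [
    f"2015-04-20T22:{15 + i:02d}:01Z user=nurse04 role=nurse "
    f"action=read record=P{2000 + i}"
    for i in range(12)
]
_PRIV = ["2015-04-20T23:00:09Z user=dba01 role=dba action=read record=P1001"]
SAMPLE_LOG = "\n".join(_NORMAL + _BURST + _PRIV)


def parse_log(text):
    """Parse key=value audit lines into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def records_per_user(events):
    """Map user -> (role, set of distinct record IDs the user touched)."""
    per_user = {}
    for e in events:
        _, recs = per_user.setdefault(e["user"], (e["role"], set()))
        recs.add(e["record"])
    return per_user


def detect_anomalies(events, min_ratio=3.0, min_records=5,
                     privileged_roles=("dba", "sysadmin")):
    """Return alerts, sorted by user, for:
      - any account in a privileged role touching clinical records at all;
      - any other user whose distinct-record count is >= min_records and
        >= min_ratio times the median count for users in the same role.
    """
    per_user = records_per_user(events)
    counts_by_role = defaultdict(list)
    for role, recs in per_user.values():
        counts_by_role[role].append(len(recs))
    medians = {r: statistics.median(c) for r, c in counts_by_role.items()}

    alerts = []
    for user, (role, recs) in sorted(per_user.items()):
        n = len(recs)
        if role in privileged_roles:
            alerts.append({"user": user, "role": role, "records": n,
                           "reason": "privileged"})
        elif n >= min_records and n >= min_ratio * medians[role]:
            alerts.append({"user": user, "role": role, "records": n,
                           "reason": "volume"})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, the per-role median for nurses is 2.5 distinct records, so nurse04's 12 trips the volume rule while nurse03's 3 does not; dba01 is flagged on the first record read, regardless of volume, because a database administrator has no clinical need for patient data. In a real deployment the same two rules would run as SIEM correlation searches over the application's audit table rather than over a text file.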

DOTmed News: Is it enough just to meet compliance requirements?

AK: It is not enough for organizations to just meet compliance requirements. As we mentioned, 48 percent of U.S. health care respondents reported that their organization had failed a compliance audit or encountered a data breach in the last year. This indicates organizations are failing even basic data protection and/or not even making it to the low bar that is the compliance level.

The problem with compliance regimes is that they typically evolve over time, with years passing between standards revisions, and even longer periods for legislation. It is important that health care organizations take to heart the fact that this results in compliance requirements becoming a baseline for data protection, not a best practice. Threats can rapidly grow and change, leaving slow-moving compliance requirements behind as new threats emerge.

DOTmed News: Do you think health care organizations will be successful at securing health care data in the next five years or will it take longer than that?

AK: There’s no shortage of news, reports or anecdotes about insider threats and successful cyberattacks. Yet, certain companies still either have an “it won’t happen to me, so I don’t need to worry about it” attitude or the issue has not risen to the board level (thereby driving the board and senior executives to make data security a priority).

But, there is a silver lining — our 2015 report shows data protection as the number one priority for IT security spending within health care organizations, with compliance at number two. When we issued this report in 2013, compliance was king of the hill. This suggests health care organizations are starting to “get it”, but they are still behind where they need to be.

Reports we received about health care breaches also indicate that the data stolen was not encrypted. It’s necessary to not only encrypt appropriately, but to do so both when it’s in motion (secure communications) and when it is at rest (on storage devices), so that you don’t have an Edward Snowden-type event, or have an attacker compromise a technical administrative account to get to health care data.

Using the right encryption techniques for data-at-rest (encryption with access controls) might have stopped the vast majority of recent breaches, or made them much less extensive. We are seeing more and more organizations coming to us with a need for just these capabilities. Companies want to be able to reassure customers that they have encrypted the most sensitive/critical data at their disposal.

In a nutshell, we’re seeing proactive organizations do the following:

a) Evolve from protecting the minimal/least amount of data they are required to protect (based on compliance) to an “encrypt everything” approach.

b) Evolve from delivering the least amount of control mandated by compliance to implementing aggressive access controls.

c) Prioritize platforms and products that can support multiple use cases in multiple environments. This favorably influences not only the cost of the data security solution but also the ability to attract, train and retain professionals capable of deploying and managing the solution.

d) Heavily weigh the operational impact of the data security solutions they choose. This is because the operational impact of an enterprise-wide deployment can be costly if done without the right architecture and data security platform solution.

Change is happening, albeit slowly. With this in mind, we think the next five years is a bit ambitious. It will likely take closer to a decade.