Part 2 of the interview/podcast with Alan Brill, Senior Managing Director at Kroll Inc., discussing the importance of log management and analysis for security in healthcare organizations.
Highlights of part 2 of this interview include:
- Identifying critical areas for potential security breaches
- Kroll Inc.’s methodology and approach to security
- Healthcare Security vs. Other Industry Security Issues
- Ensuring Security is a priority at your healthcare organization
HIT Consultant: What other critical areas can serve as a guide for healthcare organizations as it relates to potential security breaches?
Alan Brill: That really involves understanding how particular healthcare organizations are using technology. For each application, for each kind of processing that you’re doing, you have to look and see what logs are available and what logs are turned on. Because it’s not just network-level logs like a server log or a proxy log or a firewall log that you have to consider; many applications offer, in some cases, extremely efficient and effective log creation. The question, though, is: do you have it turned on? Do you have it tuned right? How long are you maintaining those logs? How are you maintaining those logs? So, I think everybody has to look at their networks and their systems to see what they can do in house.
Second, we talked a few minutes ago about the evolution of healthcare security from a purely internal question to a broader question, as healthcare organizations turn to sources like the cloud and remote computing. And one of the things I think that every healthcare organization should do is to look across its suite of applications for those they are not hosting, that are not running on a remote server, that are running in the cloud if you will. They should be asking the questions: what logs are there, what security features are there, what record keeping is turned on, how much does it give me the granularity that I really need to understand what’s going on and who is involved in it? So again, if you spend some time doing that before an incident occurs, then if an event occurs, you are going to be in much better shape to understand what happened, when it happened and what your response is going to have to be.
HIT Consultant: So, I know you initially touched on this before, but can you break down what Kroll’s methodology is for log management and analysis?
Alan Brill: Well, it’s really not so much our methodology for managing logs; that’s really something our clients do. What we are involved in is working with our clients before they have an incident, to look at their entire issue of log management and figure out exactly what is and is not being logged, how those logs are being maintained, whether there are tools that provide for log consolidation, and whether there are tools available that can do some version of log analysis. Some of those tools can be simple, as we said before; others are going to be beyond the means of all but the largest organizations. It is really a matter of getting the right amount of logging, the right length of storage of the logs, and the ability to keep them in a secure fashion and to use them appropriately.
Our methodology really is very simple: when we are informed of a potential incident, we work with our clients to secure and safeguard those logs. We want to make sure nothing happens to them. You have to remember that in a malware incident, you cannot assume that the bad guys are not going to notice that you know what’s going on. They might not come in and start erasing logs. For that reason, one of the things we do very quickly is to capture those logs and copy them so that they are not online, they are not subject to loss or theft, and they cannot be manipulated by the bad guys. Once that happens, we then can take the time to figure out how those logs may or may not be able to help us at various points in our investigation, and then to use them to gather the data that we need to understand, with our clients, what happened, what records were involved, who the perpetrators may have been, and what their reporting requirements are, in conjunction with their counsel.
HIT Consultant: How does the healthcare industry fare in comparison to other industries when it comes to security breaches?
Alan Brill: The problem that the healthcare industry faces is that the identity data that is typical in healthcare institutions is something that has value to the bad guys. Getting into systems of healthcare providers can lead to opportunities for all sorts of fraud. Financial fraud: you may have credit card numbers that you keep, you may have other information about people’s finances and the ability to pay. You have information that somebody can use to commit healthcare fraud, that is, they have enough information so that they can appear to be somebody else who is entitled to healthcare and cause that person’s record to suddenly get data from another individual and make life very difficult for everyone involved. Like financial services institutions, healthcare has requirements for security; whether they come primarily, as in the financial services area, from laws like Gramm-Leach-Bliley, or from HIPAA/HITECH, you have rules you have to follow. And that gives the healthcare industry a leg up on most other industries, because there is a standard that they have to meet, one that organizations in other fields don’t necessarily have to meet. So, on the plus side, following the rules and having those rules gives the healthcare industry a real motivation to try to do the right thing. The downside is, even with those rules in place, not everybody is doing the right thing. People aren’t doing something as simple as taking an annual look at their logging to see whether they are doing it, whether they are doing it enough, whether they are maintaining it long enough. You know, as we go in after something terrible happens, we find that we don’t have the logs that we need, because, for example, in some cases they may be only kept for 24 or 48 hours, and as you know, it can take a lot longer than that to have an indication that something bad happened, and so effectively there are no logs.
And when you go back and you say, well, if you analyze your systems you’ll probably have half a gigabyte a day’s worth of logs, and you suddenly realize that very large hard drives, thousand-gigabyte hard drives, are probably under a hundred dollars today, it starts to become a question of: isn’t it cost-effective to do the right thing? If doing the right thing, which is going to give you a tremendous leg up on understanding what happened if there was an incident, starts to become very inexpensive, under $100, how can you not do it? So, I think the evolution is that the healthcare industry has the motivation of the security laws relating to healthcare, HIPAA/HITECH and so forth, and equivalent laws in other countries. Just because those laws are there doesn’t mean that people haven’t done the right thing yet, and doing the right thing is what this is all about. And it is not the right thing simply because the law says it is; it is the right thing because it protects your organization in the event something happens. It means that rather than playing the guessing game of what happened, what did they see, what did they export, where do we stand, where do we have to report to third parties? You turn that into actionable knowledge; you turn that into being able to say we know they got to these records, they did not get to those records, here’s what happened, and now we can make intelligent decisions about what we are going to do about it, how we are going to remediate it and what we have to report.
It’s moving from the unknown to the known that is really the focus of everything we talked about today. Doing that becomes less and less costly and more and more realistic for more healthcare institutions ranging from major medical centers down to single physician offices.
HIT Consultant: What actions can healthcare organizations take to ensure that security and maintenance are a priority in their budget?
Alan Brill: I think the first thing you have to do is you have to have a commitment to follow the rules not just to the letter, but to their spirit, and ask the question: what should we be doing? What are the alternatives to what we are doing now that would give us a higher level of security, that would give us a higher level of sustainability and reliability, that would help us if we had a disaster of some sort and had to recover from it? And then look at those organizations with whom you work, your business associates, and see what they’re doing. Because it’s your data and your patients’ data, and even though you may send it to somebody else for processing or storage, it is still your responsibility. You’re the one that they are going to call if something goes wrong. So, I think in terms of budget the thing to do is start out by understanding what you are spending now and what you are getting for that money. And then take a look and say, well, given the changes in technology, how much would it cost us to do more, and in fact is that worth it to us, or should we just do things differently than we are doing them now? Or maybe we get more effective use of our funds? We use better tools, we use more efficient tools.
The real key probably to all of this is taking the time to ask the question and to get a good answer. Time and time again when we work with our clients, we find that is the key: that taking that time to say what are we doing, what should we be doing, what could we be doing and what is the financial impact of that leads to cases where we see organizations that are getting significant increases in the security over sensitive information with little or no increase in cost. Just because you want to do things a little differently doesn’t mean it is going to be more expensive. Just because you need security over a wide range of systems, and systems that are now in the cloud, doesn’t necessarily mean that you are going to have to make a big expenditure. It may mean working with your vendors; it may mean looking at alternative tools.
But the bottom line is, what choice do we have? The reality of today’s information security situation is this: YOU WILL BE ATTACKED. It is not a matter of whether you will be attacked; it is a matter of when, the form the attack will take, and the value of your information, which leads to a decision on the part of the bad guys as to how persistent and how hard they are going to hit you. It is estimated that a new site coming up online on the internet will get its first scan by bad guys within minutes. You’re no different. You’re probably being scanned all the time by people looking for vulnerabilities. The key is don’t have easy vulnerabilities. It is very difficult for us to go into a client and tell them that the major breach they just suffered was one that had been reported two years ago, and that a patch to their software that would have stopped it dead had been out there for two years, but nobody ever implemented it. Do the simple things, keep things up to date. Make sure you are doing reasonable maintenance, make sure you are using current versions of software, make sure you are logging the things that ought to be logged and that you are keeping the logs for long enough periods. That combination removes a lot of low-hanging fruit. It doesn’t make you invulnerable; there is no such thing as 100% security, but it absolutely makes it harder for them to hit you and get away with it. You need to know when something happens: if you can’t prevent it, you need to notice it and react to it. And the things we have been talking about today largely go to that. How do you know that your preventive systems have been breached and that something has happened? Then, in that case, you can answer the question: exactly what happened? Maybe who was involved, but at the very least getting the knowledge of what happened in a more objective way than you otherwise might be able to.
HIT Consultant: Closing Comments/Thoughts?
Alan Brill: One thing you can guarantee is that technology is evolving, and it’s evolving faster and faster. We now look at things that happened in our offices, in our hospitals, in our pharmacies, in our clinics. But as you move more into telemedicine, where data is originating in patients’ homes and is being uploaded on a regular basis, as we move toward portability of electronic medical records, as we move toward new and evolving systems of payment, you can be certain that the risk factors are going to change; some will go up and some risks will go down. The fact will remain that you are a target and that you are probably being attacked at least on a low level on a regular basis. So, I think the key is continual vigilance; you can never get to the point of saying it’s good enough. Because the best you can do is say it is good enough right now, today, under the circumstances in which we find ourselves. But standing still is not an option. We run into case after case after case at Kroll where an organization just stopped maintaining a system that was still operational, and that system, even though they did nothing to it, became highly vulnerable because new kinds of attacks were developed. They didn’t patch to prevent them, and they got hit, and thousands and thousands of records went out the door. The price of security is vigilance, and making sure that it is something that is not just seen as a technical issue, but is recognized as a legal issue and an operational issue, and is one that is regularly looked at by the senior officials of the organization with an eye toward acting in a more efficient and effective manner, to make sure that you are compliant with the rules, regulations and laws, and that you are providing your organization with a commercially reasonable level of control and security.
About Kroll: Kroll, the world’s leading risk consulting company, provides a broad range of investigative, intelligence, financial, security, technology and supplier management services to help clients reduce risks, solve problems and capitalize on opportunities. Headquartered in New York with offices in 52 cities and 29 countries, Kroll has a multidisciplinary team of approximately 2,800 employees and serves a global clientele of law firms, financial institutions, corporations, non-profit institutions, government agencies and individuals.