RSA 2015: In the healthcare industry, security must innovate with business
Security teams struggle with understanding how healthcare business works, Frank Kim said at RSA Conference 2015.
The cost per healthcare record stolen in a data breach in 2014 was $359, a figure that Frank Kim, CISO with the SANS Institute and former executive director of cyber security with Kaiser Permanente, said he found alarming.
Speaking during a session on healthcare security at RSA Conference 2015 in San Francisco, Kim said teams face many obstacles when it comes to security in the healthcare industry, including getting buy-in, justifying costs, spending effectively, being proactive instead of reactive, and lacking knowledge and understanding of how business works.
“We have to learn how to innovate with business,” Kim emphasized, explaining that legislation, mobility and personalization are forces driving healthcare innovation in the U.S.
Speaking on legislation, Kim pointed to Meaningful Use, which he said has created a need for securing electronic health records. With the introduction of the Affordable Care Act, teams must secure new ways of delivering healthcare, Kim explained, adding that - all the while - the trust of members must be maintained.
With regard to mobility, Kim said, “One of the key trends in healthcare delivery is meeting members where they are. There's definitely this shift from the facility to the home.”
Kim said remote care introduces the idea that the perimeter no longer exists or, as he put it in response to an audience member's question, that the perimeter is elastic and constantly changing. He said that network, endpoint and application security controls remain important, that regular assessments must be performed, and that additional systems must be implemented to monitor remote systems.
On the subject of personalization, Kim pointed to a cloud-synced medication management app for mobiles, as well as other devices that gather highly personalized and specific data on members. With more and more information being made available, Kim said security teams need to determine what data is pertinent, and must leverage mobile and cloud security protections.