Each year hundreds of millions of dollars are spent on technology to ward off hackers, viruses, worms, trojan horses and other "barbarians at the gate." Yet as CISO for one of the nation's leading employee benefits organizations, I find it is not the threat of outside intruders that keeps me awake at night. Today, many of the biggest risks are internal — employees who, through mistakes, mischief or malfeasance, can cause serious damage to the security of our systems and to sensitive data. This includes well-intentioned employees who are trying to do their job but who, by not following key policies, invite significant risk.
During the past several years we've all witnessed the risk of internal breaches growing exponentially — everything from the seemingly innocuous act of an employee leaving a laptop in the back seat of a car "for just a minute," to the well-publicized case of the Veterans Administration, where a computer was stolen out of an employee's home.
Add to that the potentially malevolent use of removable devices, such as USB thumb drives, to steal data from the worksite.
A recent article in The New York Times described how insiders at a New York hospital attempted to access former President Bill Clinton's medical records, a high-profile example of the security and privacy concerns raised by the electronic storage of sensitive medical information.
This is especially problematic because, as a health care company, maintaining the privacy of our consumers' health information is a critical business and legal issue that is regulated by HIPAA (the Health Insurance Portability and Accountability Act). All of this means we have to redouble our efforts. While you may have security without privacy, you can't have privacy without security.
Fortunately, there appears to be a growing awareness among security officers and vendors that we must broaden our focus to bring our energy, talents and resources to bear on the emerging challenges of internal threats.
At CIGNA, internal information protection begins with securing the data accessed by our 26,500 employees — whether they are at work, at home or on the road. Much of our emphasis is on employee awareness. About 50 percent of our IP policy is based on human behavior — people doing the right things — and cannot be enforced via technology.
This process begins by requiring employees to use CIGNA-issued hardware only, and instituting a stringent software compliance policy that ensures that employees use only software and applications that are developed, licensed and fully vetted by CIGNA.
To protect information stored on desktops and laptops, we've rolled out an encrypting file system. To address the increased use of removable media we use a compression tool for CD encryption and, in 2007, we will deploy technology that encrypts data sent to removable devices. We also have been using email encryption for several years to protect sensitive data sent to designated constituents. The user determines which emails to designate as secure in accordance with our company policies.
Unfortunately, we do not yet have technology that performs encryption and decryption automatically in system hardware — an area of obvious need that we're hoping an enterprising vendor will address in the future.
In addition to these broadly used safeguards, we also have specific technology and processes we deploy with "trusted users" — individuals who, because of the nature of their positions, are credentialed to have higher levels of access to data.
To ensure these people are using their heightened access appropriately, we maintain an audit path that tracks their activity. We use newly available technology to selectively monitor the use of certain applications and storage devices, network communications, clipboard cutting and pasting, and printing. The system alerts administrators about how devices are being used and can block usage.
Significantly, this technology takes the risk out of adding security features to legacy and other applications and gives us the ability to centrally monitor and protect the use of sensitive data governed by rules and regulatory requirements such as HIPAA. At the same time, because it can be applied to legacy systems, it has helped save on application development and re-programming costs and reduces the risk of bugs being introduced to the application.
Looking ahead, we are actively pursuing a data loss prevention solution, which integrates content, context and location awareness along with encryption and data level access controls to reduce the risk of information loss or misuse. This tool also promises to help control and protect corporate data inside and outside of an organization.
In short, we are increasing our focus on a critical 21st century security and privacy threat that's so close-up we could overlook it, if we're not especially vigilant: the "barbarian" inside our gates.
- Craig Shumard is CISO of Philadelphia-based CIGNA.
HIPAA is intended to simplify and standardize the administrative functions of health care. It requires the adoption and implementation of standards for the security, privacy and management of electronic health care transactions. It applies to all health care organizations that choose to exchange data electronically. It further requires that such organizations as providers, insurers, billing agencies, clearinghouses, vendors and employees comply with the act by the year 2003. Compliance involves addressing the following four key areas specified by the Department of Health and Human Services (DHHS):
Administrative procedures — Procedures for establishing and enforcing security policies.
Physical safeguards — Safeguards that protect physical computer and network facilities.
Technical security services — Services that protect, control and monitor access to healthcare information.
Technical security mechanisms — Mechanisms for protecting information and restricting access to data transmitted over networks.
— Jon Gossels, president and CEO, SystemExperts