Understanding Insurance Security

Sean Murphy, VP & CISO, Premera Blue Cross

Sean Murphy, VP & CISO, Premera Blue Cross

Traditionally, the healthcare industry has been reluctant to embrace the cloud. In many cases, for good reason. There were unclear supplier obligations under HIPAA along with sketchy access and data control provisions that really slowed adoption. Over the last few years, these concerns have begun to be addressed, especially in terms of large cloud service providers, I think healthcare organizations have started to embrace the benefits of cloud computing. From a security perspective, cloud actually improves security in some ways over on-premise environments. I find that large cloud computing suppliers can provide more cost-efficient robust physical security controls, better access to highly-qualified security personnel, and best-in-class security assets. Additionally, I can expect better vulnerability management as critical updates are done with improved consistency. Another benefit is in the area of asset, data availability and recovery. In “as a service” (XaaS) models, the cost benefit for business resiliency and disaster recovery are very attractive.

The first challenge is in determining real value. Security requirements are most often cited as meeting with resistance from business and even IT decision makers. But candidly, my experience is that many challenges are self-inflicted wounds coming from security technology that promises more than it can deliver. The business remembers these false starts and develops a reluctance to fund every new, shiny security technology without demonstrated value. Therefore, implementation of new security technology must better address the “people, process, technology” triad. Solutions implemented without personnel trained to use them will run inefficiently or sit idle. Security and business processes cannot operate independent of each other. Security must be built into business and IT initiatives. At the same time, security must be savvy about business processes and IT production service levels to facilitate availability and uptime.

And last, new security technology and security requirements are a reality of the insurance business, especially healthcare insurance. So, we have to make sure we optimize what we already have. From there, we always need to make sure additions are complementary and measurably reduce risk by maturing our security capabilities.

Quick Tips for Security

It starts with understanding the business. From there, I would say understand the risk. So, the first step is to know which risks are most important to the insurance sector and address them explicitly. The second step is to innovate around integration of devices or singular “point” solutions.

One device that can protect, detect, and recover up and down the entire Open Systems Interconnection (OSI) model is innovation I am interested in seeing. Ultimately, I need to have one view and machine-level learning of the threat intelligence provided by internal and external monitoring and alerting systems. Negotiating APIs with various vendors with niche solutions is a non-starter.

Where is Insurance Security Heading?

Keeping with the theme of integration, optimization, and cloud adoption, I would expect to see in the near future, better technology around extending and preserving corporate security policies in cloud environments, especially around Cloud Access Security Brokers (CASB) and Identity and Access Management (IAM) technology. This is because of the hybrid nature of on-premise environments being interconnected to multiple large cloud providers and increasingly more connected IoT. We have to look for the best options to maintain and enforce efficient policies in all the environments in a seamless and transparent way.

Over the course of my career, I have learned three lessons. First, healthcare information security is different. To effectively apply enterprise information security to a healthcare organization, you really have to understand healthcare, particularly the physician workflow and patient safety impact of security changes.

Second, training and awareness efforts remain highly important and effective. Credentialed users (or the valid credentials of users) are the start of a majority of data breaches. Rather than approaching end users as the root cause of the problem, you need to enlist their help as the first line of defense and first responders. It really comes down to an organizational culture of security being everyone’s responsibility, not just the niche of Information Security or even the IT department.

The third lesson has to do with the evolution of the CISO’s role within an organization. With the advancement of the role to the C-suite comes newer responsibilities of decision-making. The business acknowledges the value in integrating good security up front and top down rather than as an afterthought in business partner relationships, vendor management, system development, and technology procurement.

Integration is Key to Cost-efficiency

The best way technology can be used to mitigate rising security solution costs is to integrate multiple solutions into one and reduce the human interface requirement. Combine into one system the capabilities to protect network resources, monitor, and alert on network traffic, and then remediate and recover network assets to minimize downtime. However, the complexity of that single system should not demand an inordinate increase in personnel to run the solution. as it just substitutes one cost with another.

Additionally, security solutions can automate manual tasks and learning to more quickly assimilate and take action on threat intelligence streams against data that is gathered within the environment. Big data and Artificial Intelligence (AI) represent exciting opportunities for creating force multipliers versus each new solution requiring a manpower tradeoff or increased personnel to operate, refine, and orchestrate.

I think you need to answer two questions every day―So what? And, what else? When we do a periodic assessment of our security tools inventory, one of the key components is looking at the data the devices give us. They all generate gobs of data in reports. Does any of that data actually measure added security or reduced risk? The tough task is determining “so what?” At every level of analysis (tactical,

operational, strategic) you have to know the answer. The “what else?” question measures the value we are getting now and forecasts additional capabilities we can gain from our tools.

Recently, we embarked on a tools rationalization view of our environment against the Center for Internet Security (CIS) Controls for Effective Cyber Defense to help us address where we have adequate assets and where we have gaps. The gaps are being addressed via a security roadmap as well as addressing “what else” our current tools can do to realize additional capabilities or integrate into other tools to improve the overall coverage. In these ways, we drive more value out of our security solutions and, by extension, our security solution suppliers.