Recently I’ve heard in various discussion venues the argument that information security controls are an impediment to technology use, and that instead we should look at demotivating the hackers. With specific regard to medical devices, one commenter stated that generally, the best “bet in defending medical devices (as well as financial systems) is making the information useless/pointless for the attackers.” This is a dangerous attitude, and minimizes the true value of data on the devices.
Considering that data on any type of computing device is treated as gold (hey, Facebook just bought WhatsApp for $19 Billion! What do they have that Facebook wants? A whole lotta data!!!), how could you make the data useless to attackers while at the same time keeping it usable and valuable for the purpose for which it was collected? Yes, encryption will make data unusable to attackers without the decryption key, but you still must implement security controls to keep those encryption keys out of malicious hands. And too often encryption is not correctly implemented (one study shows almost half of apps have encryption implemented incorrectly), making it essentially ineffective. And with regard to medical devices, you also have hackers with the intent to do harm to the patient.
But it is important to understand that information security and privacy controls are necessary for much more than simply defending against hackers.
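The encryption point above deserves a concrete illustration. The following Go program is an added example, not code from the original post, and it uses only the Go standard library (crypto/aes, crypto/cipher, crypto/rand). It shows one common "encryption implemented incorrectly" pattern, raw AES in ECB mode, leaking the structure of a constructed sample record, beside an AES-GCM implementation that hides that structure and rejects tampered ciphertext. The sample record, the function names and the in-memory key generation are all constructed for this demonstration; in a real device or application the key would be held in a KMS, HSM or OS keystore, which is exactly the "security controls to keep those encryption keys out of malicious hands" the post refers to.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed sample record: four identical 16-byte fields, standing in for
// a structured device log with recurring values.
var sampleRecord = bytes.Repeat([]byte("PATIENT-ID:00042"), 4)

// encryptECB applies the raw AES block function with no chaining and no
// authentication. This is the incorrect pattern: identical plaintext blocks
// produce identical ciphertext blocks, so structure leaks even without the key.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%block.BlockSize() != 0 {
		return nil, fmt.Errorf("plaintext must be a multiple of the block size")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += block.BlockSize() {
		block.Encrypt(out[i:i+block.BlockSize()], plaintext[i:i+block.BlockSize()])
	}
	return out, nil
}

// countRepeatedBlocks counts 16-byte ciphertext blocks that repeat an earlier block.
func countRepeatedBlocks(ct []byte) int {
	seen := map[string]bool{}
	repeats := 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			repeats++
		}
		seen[b] = true
	}
	return repeats
}

// encryptGCM uses AES-GCM with a fresh random nonce per message.
// Output layout: nonce || ciphertext || authentication tag.
func encryptGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptGCM verifies the tag before returning any plaintext, so a tampered
// message or a wrong key yields an error rather than garbage.
func decryptGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// newKey draws a 256-bit key from the OS CSPRNG. This stands in for a key
// fetched from a KMS/HSM or OS keystore; a key must never live in source code.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	key, _ := newKey()
	ecb, _ := encryptECB(key, sampleRecord)
	fmt.Println("ECB repeated ciphertext blocks:", countRepeatedBlocks(ecb)) // 3: the record's structure leaks
	sealed, _ := encryptGCM(key, sampleRecord)
	fmt.Println("GCM repeated ciphertext blocks:", countRepeatedBlocks(sealed))
	pt, err := decryptGCM(key, sealed)
	fmt.Println("GCM round trip ok:", bytes.Equal(pt, sampleRecord), err)
	sealed[len(sealed)-1] ^= 1 // flip one bit of the tag
	_, err = decryptGCM(key, sealed)
	fmt.Println("tampered message rejected:", err != nil)
}
```

The ECB output repeats three of its four blocks, which is what "useless to attackers" fails to be when encryption is misapplied; the GCM output repeats none and refuses to decrypt after a single flipped bit. Neither mode helps if the key itself is readable by an attacker, which is why key storage and access controls around it are still required.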
Why do security incidents and privacy breaches occur?
There are three basic categories within which security incidents and privacy breaches occur:
1) Malicious intent. This includes such activities as hacking as well as disgruntled insiders using their authorized capabilities to do bad things.
2) Mistakes. *EVERY* human being, no matter how educated and cautious, makes mistakes sooner or later. Some of these mistakes can have devastating consequences. These are not only mistakes with using technology, but also mistakes in building the technologies. (Case in point: the latest Apple iOS7 security flaw was a result of a *HORRIBLY BAD* programming mistake, or simple lack of programming education.)
3) Lack of knowledge. I’ve helped hundreds of organizations (the majority in the healthcare sector) with their information security and privacy initiatives, and audited hundreds of other companies’ information security and privacy programs. I’ve *NEVER* found an organization that gave too much training, or too much regular awareness communications. Organizations in general simply do not provide enough information security and privacy training, and do not send out enough reminders for how to mitigate security and privacy risks during normal work activities. When people don’t know how to work while preserving security and privacy, they will do things that result in security incidents and privacy breaches.
Three types of personalities to consider
When I first started my career, one of my very experienced co-workers was a long-time fraud investigator for the large multi-national insurance and financial organization where I worked. He indicated that, through both his own experience and various studies done by the fraud investigators' group he belonged to, people in general fall into three categories with regard to committing fraud, which also includes doing bad things such as hacking, stealing, etc.
- 10%: There will always be this portion of the population that will strive to follow the rules and never break them. Regardless of potential sanctions/punishment. The “goody two-shoes” population.
- 10%: There will always be this portion of the population that will strive to steal, commit fraud, hack, or do any other type of illegal activity. Regardless of potential sanctions/punishment. The “career criminals” and “bad seeds”.
- 80%: This large majority of the population will usually follow the rules, but *will* break them (to steal, hack, commit fraud, etc.) if they 1) think they can do so and get away with it without being caught (e.g., no oversight, lack of separation of duties, etc.); 2) justify in their mind why they should break the rules (e.g., they are underpaid, they should have gotten a promotion instead of Sue Doe, they were treated badly by a business, etc.); or 3) they become desperate (e.g., lose their job, lose their home, lose a loved one, etc.). Depending upon potential sanctions/punishment, their reasoning and opportunity will often lead to them taking action that is illegal.
Security and privacy controls are necessary beyond hacker defense
No matter how the incentives (both carrots and sticks) change for those who hack (those with malicious intent), we will still need strong security controls to mitigate the risks of those who make mistakes and who have not had enough training to know better.
No matter how the punishments change for those who hack, there will always be 10% who are going to do it anyway regardless of potential punishment, and 80% who, under the right circumstances, will do things they shouldn’t do.
In addition to incentives and sanctions we need to have multiple layers of information security and privacy controls built into technologies, including medical devices and other types of wearable computing devices, for all these reasons. Incentives and punishments alone are not enough to ensure appropriate levels of security.
When health risks to the patient (e.g., when medical devices are involved) are added on top of information security and privacy risks, it should be even more compelling and clear that strong security and privacy need to be implemented within medical devices, right from the time they are engineered.
Bottom line for all organizations of all sizes…
The need for more security and privacy controls is greater than ever, and not simply because of the hacking threat alone. And it is only going to increase as we increase our utilization of, and dependence upon, technologies. Just because you cannot have 100% security (this has never existed, by the way, except for technology that was decommissioned, locked up and not used) doesn’t mean you should implement fewer controls. As technology, and uses of it, become more complex, the need for more layers of security and privacy controls becomes much greater. These must be built in, so that they are transparent and have as little impact as possible on usability.
This post was written as part of the IBM for Midsize Business (http://Goo.gl/t3fgW) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.
Tags: audit, awareness, compliance, data protection, due diligence, hack, hacker, hacking, IBM, Information Security, information security policy, infosec, laws, medical device, midmarket, mobile device, non-compliance, outsourcing, penalties, personal information identifier, personal information item, policies, privacy, privacy policy, privacy professor, privacyprof, punishment, Rebecca Herold, risk assessment, risk management, sanctions, security, security procedure, training, vendor