Compliance Mindset Can Lead to Epic Security Fail

There have been abundant warnings that compliance with government regulations alone would not be adequate to protect companies from the kinds of cyberthreats the world faces today. However, Premera learned that lesson the hard way. Auditors with the U.S. Office of Personal Management in January 2014 recommended that Premera address two areas of system administration: more timely installation of software patches and upgrades; and creation of configuration baselines so it could effectively audit its server and database security settings. However, those weren't very serious deficiencies in the minds of the auditors, who wrote in their final report released in November, that "nothing came to our attention that caused us to believe that Premera is not in compliance with the HIPAA security, privacy, and national provider identifier regulations." The company was breached in May 2014. Although that was six months before the feds released their final audit report, Premera didn't discover the breach until January 2015. Common Problems Granted, the OPM's audit was a general one -- one designed to audit information systems related only to the claims processing applications used at Premera -- and not as rigorous as those conducted for compliance with HIPAA security and privacy regulations by the U.S. Office of Civil Rights. "The scope and depth of the OPM audit was likely just a subset of what would have been covered by a true HIPAA audit conducted by OCR," said Ulf Mattsson, CTO of Protegrity. "Based on the information provided in the audit report, there's no way to know for sure how Premera would have performed if it had been audited by OCR," he told TechNewsWorld. "The problems cited by the audit are probably pretty common to all organizations. While fixing those problems can improve an organization's security posture slightly, by no means were they likely the cause of the massive data breach at Premera," Mattsson said. "The storing of sensitive data without being encrypted is the more likely culprit," he added. Checkbox Security It's unlikely that even a rigorous audit would have deterred Premera's data thieves. "Since HIPAA does not require companies to encrypt their data at rest, even passing a true HIPAA audit by OCR may not have prevented the Premera breach," Mattsson said. Although compliance rules are supposed to set minimum standards for protecting data, many companies treat them as maximum benchmarks. "Cases like Premera and thousands of others are proof that if you follow compliance -- the checkbox approach to security -- it doesn't mean you're more secure," said Torsten George, vice president for marketing at Agiliance. "You can schedule an audit, but you can't schedule a cyberattack," he told TechNewsWorld. "You have to change your way of thinking. You have get away from these three-to-six-month sprints to get to compliance and then forget about it," George said. "Security needs to be part of your day-to-day operations," he added, "not just something you do to get through an audit review." Antiquated Thinking Healthcare security audits have some fundamental problems. "HIPAA is focused on prevention of threats," said Mike Davis, CTO of CounterTack. "As we all know, prevention doesn't always work. Hackers still get in," he told TechNewsWorld. "There's very little in HIPAA that requires healthcare institutions to detect threats," Davis added. For example, HIPAA requires access to patient records be restricted, but it doesn't require that access to the records be monitored. "You lock down the users, so only Bob can access patient information, but if an attacker takes over Bob's account, he has access to the patient information and you'd never know," he explained. The standards used by HIPAA are outdated, maintained Tom Kellermann, chief cybersecurity officer for Trend Micro. "They're based on perimeter defense, and they're over reliant on encryption of data," he told TechNewsWorld. "They focus on threats relevant 10 years ago," Kellermann continued. "The threats today are a thousand times more sophisticated."