Tony and I were discussing why banks seem to be an order of magnitude more militant than most industries in tracking and fixing IT security issues. It’s not that other businesses don’t have as much to lose; look at the medical, government and financial sectors. All of them maintain vast repositories of sensitive client data, medical and financial records, but our experience shows that few are willing to commit to scheduled IT audits, or even consistent vulnerability tests or intrusion detection. Banks, on the other hand, even small ones, almost always have a coordinated IT security plan in place.
On the surface, the answer is obvious. All of the above industries are regulated, but only banks are examined! Whether it’s the state, the FDIC, the FFIEC or all of them, even the smallest banks are visited by an examiner regularly. If they fail an exam, they can lose their charter. So, they MUST stay on top of Infosec. No choice. Even if the bank were to have a security problem, it can prove that it used industry standard best practices. Even though the bank would have to adhere to some rigorous reporting guidelines, it would be harder to sue the bank because it took prudent steps.
Now, take the other industries, specifically medical. Banks are guided by the Gramm-Leach-Bliley Act (GLBA), which mandates that all sensitive client data must be held securely. The medical field is likewise regulated, only by the Health Insurance Portability and Accountability Act (HIPAA), which requires that all sensitive personal medical records be secured. Basically, both industries are governed by the same type of regulation, with similar penalties for violations. Yet almost every bank, and almost NO medical organization, maintains formal, third-party oversight. Like I said before, banks are examined. GLBA has teeth, HIPAA does not. So, the vast majority of medical organizations may or may not be secure. The medical records (social security numbers, credit card numbers, very personal medical histories) of countless tens of thousands may or may not be secure. Who knows?
I’ll tell you this…when the lawyers get done with tobacco, breast implants, class actions, hot fast food coffee and whatever is currently the most lucrative way to use the legal system to extort large sums of money, the fact that much of the medical industry has not adhered to industry standard best practices in Infosec will be a fat target for them. If a doctor, clinic or hospital can be found to have coughed up some private medical records to a hacker, it’ll be open season: negligence, violation of federal statutes, nonfeasance, malfeasance, 65 in a 45, parking over the red line, you name it, the lawyers will be on it. The experts will be able to document the security breakdown forensically, the breach will be obvious, and the fact that no procedures were in place, no monitoring, no scanning, nothing except an obsolete firewall standing between the patients’ secrets and the bad guys, will be translated into lots and lots of $,000,000,000s.
Maybe, eventually, the medical industry (and public companies, governed by the Sarbanes-Oxley Act controlling sensitive company information) will wise up and begin to formulate “best practices” for Infosec in their industry, with independent, third-party audits and monitoring of traffic, assets and policies. Maybe the feds will begin to examine medical establishments for adherence to Infosec best practices.
Until then, I’d beef up the liability insurance.