iQuasar Cyber

Security Controls in Healthcare


On June 7, 2022, healthcareinfosecurity.com reported yet another data breach, the largest health data breach reported to federal regulators so far that year. The breach affected two million individuals; the company discovered that an "unknown actor" had had access for two weeks. Whether an intruder lurked for two weeks or far longer is usually hard to quantify and prove, because dwell time can only be bounded by the evidence that was actually logged and retained. Data breach stories have become the norm over the past decade.

In light of these incidents, security controls must be implemented to protect assets more than ever. With appropriate policies, standards, and frameworks, and a disciplined implementation of them, risk can be greatly reduced. A proactive cybersecurity strategy combined with robust security controls keeps malicious actors at bay, and meeting regulatory compliance becomes much more manageable. Healthcare data is sensitive by nature, is a prime target for attackers, and will remain one. Healthcare organizations are in the midst of upgrades, replacing old legacy systems with modern, efficient technology and streamlining business processes along the way. Upgrades such as replacing systems that accept a four-digit password (effectively a PIN) with strong passwords combined with multi-factor authentication and risk-based authentication are now common across almost every industry vertical.

Over the years, organizations have implemented security controls as part of the risk mitigation process. Security risk cannot be eliminated altogether, but a strong control standard and framework can be used to safeguard an organization's assets. For security controls to be effective, a comprehensive policy that mandates them is essential. And to implement strong controls consistently, a well-established security framework based on a recognized standard is needed.

With so many breaches caused by flawed access control policies and implementations, a control framework that emphasizes identity and access management may be the better choice for protecting an organization's assets. Should organizations give access control precedence over other security controls? Better still, access control should be an integral part of the business process itself, since it applies to every user and system from the first day of employment, or even earlier during onboarding. Yes, process monitoring, data leak prevention, and the like are important, but access control cuts across all other security controls and, more importantly, across business processes irrespective of industry.

Which Control Standard to Choose?

There are plenty of standardized frameworks one can take advantage of, depending on an organization's needs. Some of the popular ones are:

  • HITRUST CSF
  • ISO/IEC 27000 series (notably ISO/IEC 27001 and 27002)
  • NIST SP 800-53
  • NIST CSF (Cybersecurity Framework)
  • NIST SP 1800 series (practice guides)
  • CIS Controls
  • COBIT
  • GDPR (a regulation rather than a control framework, but one that drives control requirements)

The answer lies in the assets an organization wants to protect, so establish the risk posture first. What types of assets need protection, and what is the probability of a breach? When data is accessed only from within the network, a different methodology and control framework is required than when data is accessed from anywhere in the world. If "cloud first" or "cloud only" is the business strategy, should the organization simply adopt NIST's cloud security guidance? With any standards-based framework, the scope of the implementation is critical. For example, HITRUST is an extensive security framework that includes a risk management framework and fourteen control categories. Implementing every control is a considerable undertaking that companies may not have the appetite for, so an organization usually selects a subset of controls pertinent to its environment, and that selection should be driven by, and documented against, the risk assessment rather than by convenience.

Not choosing any standard is a bad choice!  

The choice will depend on your organization's needs, which means reviewing multiple factors such as regulatory compliance and industry-leading practices. Each of the listed frameworks has its pros and cons, but each can be leveraged to strengthen security posture and mitigate risk. Using a framework also demonstrates due diligence in safeguarding the organization's assets. Common examples are COBIT in publicly traded companies and HITRUST in healthcare organizations, while both private and publicly traded companies use ISO/IEC 27001.

Control Standards and Frameworks

With cybersecurity consultants in high demand and skilled staff scarce in the current market, it is more challenging than ever for organizations to retain full-time staff to manage cybersecurity processes and safeguard assets. iQuasar Cyber, Inc. can provide expert guidance on selecting a control framework and implementing a strategy to reduce cybersecurity risk.

Call iQuasar Cyber, Inc. for a free consulting hour to learn more about our services and how iQuasar Cyber can help you secure your assets. iQuasar Cyber consultants can discuss your security needs over the phone and put together a plan for combating breaches.