Wheel of Fortune Moment - Security
by Timothy Hoffman
I’ve been blessed to work with some of the most outstanding doctors in the world at a premier academic research medical center that is considered to be one of the top ten in the USA. The organization has several hospitals and hundreds of clinics, covering an incredible number of specialties. The doctors and health professionals work tirelessly to provide solutions to some of the most complicated transplant problems, do research, and teach others how to overcome some of the world’s most challenging illnesses. Each of these doctors took their responsibilities seriously, and many, if not most, went overboard in helping other humans. The relationships at the organization went beyond the surface.
Although I have worked a significant number of years within the cybersecurity bubble for a broad variety of other organizations (DoD space and ground systems, missile systems, insurance, banking, IoT, and automotive), my time at the University of California San Francisco (UCSF) was spent inside a complex medical world where the terms were specific to healthcare and the focus was totally on the needs of the patient. The compliance aspects of cybersecurity were handled by people who worked seamlessly with the doctors, nurses and other staff to keep things going smoothly for the patients.
It is with this backdrop in mind that I offer the following: medical professionals running smaller offices and specialty clinics, urgent care centers, and other such facilities must focus almost entirely on patient care. This means that compliance is often left to a catch-as-catch-can approach, so some of the following terms may be more complex than necessary for those in that category, but please bear with me. This note is for you.
While discussing cardiothoracic surgery, have you ever run across Thoracic Aortic Dissection Repair? Yeah, well, it is one of those really tricky surgeries that is not only complicated for doctors to do but hard to read and pronounce if you are not in the medical field. I get it. Cybersecurity also has terms and pronunciations that seem to be saying: blah blah blah. If that sounds silly, read on.
Splunk is a software platform to search, analyze and visualize the machine-generated data gathered from the websites, applications, sensors, devices etc. which make up your IT infrastructure and business. (Wikipedia) Wait, what? Why would medical professionals care about Splunk?
In April 2019 Splunk announced expanded artificial intelligence (AI) and machine learning (ML) capabilities embedded in its premium solutions (Splunk ITSI and Splunk UBA) for specific IT and security use cases. Splunk has a Machine Learning Tool Kit (MLTK), and Splunk also integrates with the Internet of Medical Things (IoMT) in a way that helps enterprise healthcare organizations. For those who have never heard of Splunk, it can be compared to ELK and Sumo Logic, tools that help with collecting and searching logs. If you are lost, please don't worry; it will become clear.
Oh, and let’s also not forget licensing of the product: Splunk is free to download and use if your daily indexing volume is less than 500MB, and the Enterprise license starts at $6,000 for a 500MB per day perpetual license or $2,000 per year for a term license. The Splunk tool is considered a tiered license: the larger the volume of daily indexing, the cheaper it gets.
What did we learn out of all of that?
For those who have not passed out just reading the amount of technical detail in the above few paragraphs, I have a suggestion. You will not multiply your level of security by buying a bunch of acronyms. NOTE: I am not saying do not buy Splunk for your enterprise. I am saying that if you run a smaller-than-enterprise office, this is not your WHEEL OF FORTUNE moment. You have a requirement to protect information, not to buy technical acronyms. Having more tools and more acronyms won't get you the understanding of security you want and need. Find a reliable professional to support your office and ensure you have clarity on expectations.
Consider this: Security Risk Assessment is a specific term with tremendous meaning, in that it accurately measures the risks of the organization. However, it is lengthy and costly, and its terms are esoteric and confusing. A Security Risk Assessment requires a security professional to work through the selection of controls based on the type of business and the types of sensitive information, and then to perform an analysis of the outcome of the Risk Assessment. Yes, an analysis is required; see 45 CFR 164.308.
A Security Risk Review, by contrast, takes the top-line items and determines where to start your compliance program, measuring in a way that is easier to understand, less expensive, and less invasive, and without the huge overhead of having to deal with vendors who are selling acronym products and services that you don’t need. A short risk review can quickly determine whether a full risk assessment is required and provide you with guidance on how to move forward.
If this sounds easier, contact us. Oh, Splunk? It's a great product, but you will find that it is more effectively used in large offices.
About the Author
Mr. Timothy Hoffman is a Healthcare Cybersecurity Executive with a US Navy cryptologic background, a serial entrepreneur, and Founder of Tim Hoffman & Associates, LLC. His professional credentials include a Master of Science from Central Michigan University and security industry certifications including CISSP, Expert Rating PM, Cloud Security Alliance Certificate of Cloud Security Knowledge, CompTIA Security+ (CE), Network+ (CE), and Certified Technical Trainer+, ITIL, ISO 27001 and many others. His strengths lie in aligning technology solutions to business needs so as to support the business through risk management. His ability to translate technical speak into everyday language has won him praise, as has his skill in security program creation, risk assessment, policy and procedure writing, cloud system design, and network architecture. Notable career accomplishments include 5 books, 5 years as a radio talk show host in Italy, 3 years as a radio talk show host in the United States, multiple-language facility with fluency in Italian, and his work as a platform trainer on IT and IT security topics for nearly 30 years.
This article was originally published at: https://www.linkedin.com/pulse/wheel-fortune-moment-security-timothy-hoffman-ms-cissp/