"What's going to be different as the years go on is that there's going to be more of these types of devices, and there's going to be a demand by employees to use them," says Newton, a veteran IT security leader who is currently CISO at Virginia's Carilion Clinic.
In an interview with Information Security Media Group [transcript below], Newton speaks to the threats that are top-of-mind for CISOs outlined in a new report from Wisegate, a private association of senior IT leaders.
And while proponents of bring-your-own-device see greater productivity and cost efficiencies, Newton says the risks still outweigh the benefits.
"My biggest concern over this is trying to maintain these devices from a variety of manufacturers, models and operating systems," he says. "And we read so much about them being lost with confidential information on these devices."
By allowing corporate data on the devices, organizations are tasked with several challenges. "How do you separate corporate data from personal data," Newton asks. "If the device is lost, how can you remotely clean a device off without destroying maybe what's on the personal side of it?"
In an interview about this new study, Newton discusses:
- Top IT security threats worrying CISOs;
- How to approach security awareness;
- Advice on how to mitigate top threats.
Newton is corporate information security officer for Carilion Clinic and its affiliates. He works within the technology services group and in conjunction with Carilion's privacy officer, legal counsel, internal audit, compliance and other relevant departments to ensure that the information security program is addressed and maintained. He has more than 40 years experience in IT, from programming to project management and other various levels of management. Twenty-nine of those years have been in information/data security - 13 years in the financial arena and 16 years in healthcare. Newton writes security policies and procedures, develops security awareness programs and is the HIPAA/HITECH coordinator for Carilion.
TOM FIELD: To start out, why don't you tell us a little bit about yourself and about the clinic, please?
TOM NEWTON: I was hired by Carilion about 16 years ago as their information security officer and business recovery planner. Over the past several years, I've kind of migrated away from the technical side of both security and planning, concentrating more on the business side of those two issues. I work very closely with compliance, with legal, and I review and sign off on business associate agreements for the organization and coordinate the internal and external audits. I work very closely with our privacy officer and have for the last 12 years, and we have an extremely good relationship, and she has helped me tremendously with unauthorized access and resolving privacy issues.
I work closely with risk management and with the technical services group to maintain and upgrade our security capabilities throughout the year. My background is primarily financial. I was the CISO and business recovery planner for 13 years for Dominion Bankshares before coming to Carilion.
Carilion Clinic is the largest healthcare provider in Southwest Virginia. We have eight hospitals, 100 and some-odd clinics and 12,000 employees, give or take a few. We're a teaching hospital. We have partnered with Virginia Tech to create the Virginia Tech Carilion School of Medicine and also are associated with the Jefferson College of Health Sciences. Also, we're the only trauma 1 hospital in the area.
Top IT Security Threats
FIELD: Wisegate is out with its new report, Preparing for the Top IT Security Threats of 2013. What do you see as some of the top threats that have emerged, and why do they pose a unique threat this year, do you believe?
NEWTON: We still have the same threats we've always had with the various viruses and malware, denial-of-services and that type of stuff. We have to keep an eye on that. But from now on, I think we've got some issues that are unique that we haven't seen in the past, and the first one I think is the enormous expansion in the amount of data that's being collected and trying to protect this data that's being shared - in our instance, in our in-house environment, an alarming rate is shared and resides on virtual devices, on registries. Business associates have this information, a lot of our information. Sometimes it's in the cloud, and these provide a tremendous amount of control issues that we have to address.
Secondly, individuals coming out of high school and college have a more technical background than employees in the past, and they're finding workarounds to make their job easier, which is good. But in doing so, they will put our data in a compromising position, such as putting it out on Dropbox. I've always had a fear of waking up one morning and finding our data on Facebook and Twitter, and I think that every organization needs a very strong social media policy and one that's enforceable.
Next is just trying to educate and inform the employees of the importance to them and our organization in protecting data, of the risks that they're taking in storing confidential data on mobile devices. If an organization cannot show that they can protect their data, they will lose the trust of their clients and lose value. When you lose value, you start losing jobs.
FIELD: Let's dive into a few of these specific threats. The first one that jumps to mind is the bring-your-own-device trend. This has been an issue for organizations probably for about two years now. How has threat evolved for organizations in 2013? What are the challenges they face?
NEWTON: What's going to be different as the years go on is that there's going to be more of these types of devices and there's going to be a demand by employees to use them. There's some advantages maybe of that; the employees could be more productive if he or she is using a device that they're familiar with. There's been some talk about being more cost-efficient if the employee provides their own devices versus the organization, but I haven't seen any real proof of that.
My biggest concern over this is trying to maintain these devices from a variety of manufacturers, models and operating systems, and of course we read so much about them being lost with confidential information on these devices. If you allow corporate data to go on these devices, how do you separate corporate data from personal data, and, if the device is lost, how can you remotely clean a device off without destroying maybe what's on the personal side of it? There are all kinds of issues along that line. Another one would be e-discovery issues. How do you retrieve data for legal reasons, should you get a subpoena for such?
FIELD: Awareness is one of the other top threats that's highlighted, and this strikes me as one that has always been a challenge for organizations. Why more so now? Why does it rise to the top of the threats?
NEWTON: I think because employees have a greater capability of moving data around and storing it in places that are not secure, like on their personal device, Dropbox, Google Docs and whatnot. We have to educate them on the risks they're accepting and the position they're putting their organization and themselves in when doing so. In healthcare, I think there are issues in personal lives that sometimes outweigh the consequences or the risk that they're taking when accessing data, and I'll give you an example of that.
We have had an employee who had a custody battle with their ex-husband over custody of their children, so she wanted to look in his medical record to see if there's anything there that she could use to discredit him, and she did that. We caught her in an audit, and the results of that and the consequences of that violation was that she not only lost custody of her children, but she also lost her job. We have to continue to help employees comprehend the consequences of unauthorized access to protected data. In Virginia, an employee can be sued by a patient if their privacy has been violated; and if you're a nurse, you could lose your license.
FIELD: Cloud security is one of the other threats that emerged at the top. What do you find to be the most serious and real concerns about cloud security? It's a topic that people have talked about for some time now.
NEWTON: The report points out that the concerns are around data compromise, data loss and unreliability. But it's also the loss of control which concerns me the most. Personally, I'm just not comfortable in the cloud. An example of that would be when I've been giving someone I hardly know my credit cards, bank and check books, Social Security numbers, all of my personal information you keep on me, and in return all I'm going to get back is a piece of paper with some type of guarantee to access my data and protect my information. How would I sleep at night? Until I have some level of comfort with cloud providers, I'm not inclined to place protected health information in that type of environment. And I realize that over time clouds may be the thing and the way to go, but for right now I'm not comfortable with that and I'm not ready to go there quite yet.
Need for Greater Awareness
FIELD: Let's talk now about some of the prescriptions the report makes to address some of these threats. One comes back to one of the threats that we talked about, and it's the need for greater awareness. Again, this is a topic that organizations have tackled for years, many unsuccessfully. What will be most effective? What's most effective for you when it comes to increasing awareness?
NEWTON: I wish I knew what was most effective, and I think that's a good question. I have written scripts for videos that have been published and shown in-house. I've traveled our facilities giving presentations for departments and groups. I've published flyers. I've written articles for departments and organizational newsletters. I've written policies, and I still have people that violate our policies and procedures. This is even after they've signed an access and confidentiality agreement saying that they wouldn't do that, they wouldn't look at patient information and that they didn't have a need to know. They do that anyway. It really bothers me sometimes to think of why they would do that, but I think they have to reach the point where we can convince the employee that protecting data within the organization is in their best interest. Personal issues or desires cannot outweigh the organizational issues when it comes to protecting data. Protecting data will help to ensure that they can keep their job and it will protect them from personal liability.
Mid-level and senior management must also take a role in this awareness. They have to practice good security intelligence for any hope of our employees doing the same thing.
Tech First Adopters: IT Departments
FIELD: One of the other prescriptions was that IT departments ought to be first adopters of technology. How is this going to help organizations to mitigate their threats?
NEWTON: I'm very much a proponent of this. I think it's an excellent idea. I can see how a product can come in and we can work with it and see how it works. We can look at how it might impact workflows, productivity, system performance, and get all that work done before we actually share it with the rest of the organization. But once that's done, I think it's very important to have the department or area identify that it's an ambassador for this new process. It always helps to have that person and that organization to go out front and be the one that sells a product, and not just IT, because a lot of times they just think it's something IT is trying to push down on them. But if they can show another department that's using it and using it well, it just works out so much better.
FIELD: Final question for you. There are a number of threats that are discussed in this report. You've got your own organization to tend to. What advice would you give to organizations, including your own, about how to mitigate the top security threats?
NEWTON: I think we have to never give up and we have to keep on pushing towards the mark. We have to never forget that it's not our responsibility alone to protect data; it's every employee's responsibility. Without them, we will lose. We're only a facilitator of good and appropriate data practices. At the end of the day, we know that we did the best job we could with the resources we have to create the tenet of data security within the organization.