What's Biosurveillance Got to Do with Infosec?Thinking Strategically, Not Just Tactically
At first glance, a Government Accountability Office report issued this past week about creating a national biosurveillance strategy wouldn't be of interest to those charged with safeguarding IT, whether for governments, healthcare organizations or other types of businesses.
And, if you focus just on IT security, that assumption is right. After all, the report in the form of a letter to the heads of the Senate and House Homeland Security Committees begins:
" A catastrophic biological event, such as a terrorist attack with a weapon of mass destruction or a naturally occurring pandemic, could cause thousands of casualties or more, weaken the economy, damage public morale and confidence, and threaten national security."
Scary stuff, for sure, and one in which security plays a vital role. But IT security? No way. Neither the terms information security nor cybersecurity appear in the 101-page document.
Still, on reflection, it would be short sighted for managers and professionals involved in IT security, especially for those who support individuals and organizations responsible for health preparedness, to ignore the GAO report. Why? It comes down to information risk management.
Think of it this way: IT security involves the tools and processes needed to assure information and information systems remain secure; it's mostly tactical. Information risk management is strategic. To successfully protect IT systems, you need to understand the mission of the organization, in order to assess the risks, and then make smart decisions. Biosurveillance will be a mission that's tech-heavy, and those charged with protecting these technologies must understand why they're being used. The experts in biosurveillance queried by GAO for its report ranked information-sharing tools and analytical products as the fourth most important category in their field
One such network the respondents feel as vital is PulseNet, a federally run, early-warning system for outbreaks of food-borne diseases. The network has participants from public-health laboratories in all 50 states, federal regulatory agencies and some state agricultural laboratories and is coordinated by Centers for Disease Control. PulseNet contributes to the identification and investigation of outbreaks of food-borne and bacterial diseases through comparison of the molecular "fingerprints" of food-borne pathogens from patients and their food, water and animal sources.
To protect the likes of PulseNet, IT security practitioners should understand why the bits, bytes and network connections - the technologies - are important to their organization's goals. Ignorance of the mission, for IT security folks, isn't bliss.