All too often I hear the phrase, “compliance does not equal security”. While this statement is absolutely true, the statement in itself does not provide sufficient context. Compliance does not equal security, it more closely aligns with baseline governance for a subset of data. Security is merely a piece of the overall governance puzzle. Many business executives still see compliance as hindrance to success as opposed to a means to mitigate risk. Compliance is the beginning of the governance process, not the end. Concepts for the subset of data required to be protected by Federal mandate or Industry regulation can be applied across systems for an overall mitigation strategy, maturing your holistic security program.
Let’s use the recent Community Health Systems (CHS) data breach as an example. CHS, operating 206 Hospitals in 29 states, announced a data breach on Monday. Some reports suggest that Chinese hackers compromised CHS’s systems seeking Intellectual Property (IP). Successful exfiltration of IP was uncertain, but hackers successfully obtained 4.5 million patient records. Names, Social Security Numbers, addresses and telephone numbers were among the stated attributes stolen. Allegedly, no “medical data” was compromised. It was also reported that malware had already been removed from CHS devices and remediation efforts completed.
The Elephant in the Room ![breaches: the elephant in the room]()
This issue is not an Information Security issue, it’s a business issue. The breach comes a mere 19 days after CHS announced a second quarter profit increase of 27.2 percent, with the period ending June 30, 2014. Reports regarding the breach stated that it occurred between April and June 2014; also the second quarter of this year. Had CHS had invested a portion of those profits in an overall governance model including security initiatives, would the breach have occurred? Ample allocation of monetary and staffing resources by management is a major pain point that I hear from my clients. The previous attributes speak volumes regarding CHS assessment of risk and implementation of an overall security governance strategy. While CHS is required to comply with HIPAA; CHS’s management fails to see the risk in related to “out of scope” systems and the linkages to “in-scope” systems.
Putting the Pieces Together![putting the pieces together]( "risk: putting the pieces together")
Taking into consideration second quarter gains by CHS, time frame of the breach, and potential ramifications for both CHS and patients affected, one could conclude that operations is in the driver’s seat, willing to accept or ignore the risks of a weak or incomplete governance model. If the pieces of the puzzle are already in place for a subset of data, then why not apply the same principle to all systems? While this may seem like an unnecessary step, considering recent breaches, such as CHS or Target Corp.; what does your organization risk losing if they are not properly assessing risk or applying a governance model to all systems?
Blinded by the Light
Many times risks have been accepted because the solutions have not been evident from a business perspective. No one individual can have all the answers. I would recommend an honest discussion regarding overall risks and governance strategy with an objective third party, such as SecureState, to ensure your organization is on the right path.