Privacy & Security

Penn Medicine CISO: 3 Strategies every security team should have

After all the cybersecurity threats and events in the last 12 months, infosec teams should focus on these priorities as they craft strategies into the future.
By Dan Costantino
February 19, 2018
09:08 AM

The information security industry had no shortage of moments that kept us all on our toes in 2017. Among the top headlines, we saw new variations of ransomware, such as WannaCry using cryptoworms to infect an estimated 300,000-plus computer systems in just four days. One of the largest credit agencies in the U.S. suffered a breach that affected over 100 million consumers and researchers uncovered a hardware-level vulnerability in processors, affecting nearly every computer released since the mid-90s. 

For those who are unaware of the cyber-threats present all around us, many believe 2017 was a year that served as another wakeup call for what the digital world is up against. Others, who are already highly-aware of the threats we face, understand that while some of these attacks and discoveries proved to be highly sophisticated, cyber-criminals will continue to do what they do best – go after the path of least resistance. 

Information Security leaders need to use this new level of awareness as an opportunity to implement some of the fundamental security controls that are no-brainers to an outsider, but require an extraordinary amount of coordination, support, and understanding from the business. 

Patch management. It’s been one of the number one recommended security controls for as long as we can remember, but getting patch management right continues to be a thorn in the side of many security programs around the world. This can be due to decentralized IT, fear of breaking applications and systems, or the worst-case scenario – you still have systems in your environment that are no longer supported. Getting this fundamental process in place will save organizations an incredible amount of time and pain, as seen from attacks such as WannaCry and Not Petya in 2017. When you break out basic cyber hygiene, patch management should always be part of the conversation.

Cloud Security. If you don’t think your business is already operating in the cloud some way or another, you’re probably wrong. That said, if a strategic data-center cloud model is in place or in the works, security teams should be inserting themselves into that planning or build-out as early as possible. Moving to the cloud without a security strategy incorporated can be a disaster waiting to happen. Your cloud environment should truly be an extension of your data-center, and for many security teams, it’s a fresh opportunity to get it right from the start. 

Email Protection. The old adage “if it’s not broken, don’t fix it” rings true for cyber-criminals as well. The fact is, sophisticated breaches may make it to the top of the news headlines, but criminals will continue asking employees for their credentials and information as long as they keep handing them out. Implementing a strong email security program, including DMARC, layered with stronger identity protection, such as two-factor authentication, will put organizations in a much safer place. Don’t forget about security awareness. Achieving a level of awareness that turns your workforce into security advocates (not professionals) should be the goal.

These are just three of the many strategies information security teams should have on their roadmap for 2018. Key initiatives, such as medical device security, increased network segmentation, vulnerability management, and user behavioral analytics are a few others that many programs remain zeroed in on as we move into the future. 

Dan Costantino is the Chief Information Security Officer at Penn Medicine. 

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Cybersecurity experts John Riggi and Richard Staynings speak at the HIMSS Healthcare Cybersecurity Forum.
Majority of cyberattacks are through third-party vendors

Most Read

How AI is transforming cybersecurity, on defense and offense
Generative AI is this CISO's 'really eager intern'
HIMSSCast: Toward safer and more secure use of AI
Q&A: How redundancy enabled resilience after Crowdstrike outage
What providers need to know about migrating their EHR to the cloud
The Light Collective amplifies its call for patient data rights

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

More Stories

Doctor looks at a desktop computer screen in a medical office
Vendor AI Roundup: Enhanced EHR offerings designed to give practices a leg up
Dennis Chornenky at UC Davis Health_PART 1_AI in healthcare concept art Photo by Just_Super/E+/Getty Images
UC Davis Health's inaugural AI chief discusses the responsibilities of the role
Greg Garcia of HSCC at the HIMSS Healthcare Cybersecurity Forum
Work like 'a beehive, an ant colony' to protect against cyber intruders
Hands use a Medtronic device on a patient's hand to aid in testing pulse oximetry quality
Medtronic dismissed from pulse oximeter lawsuit, FDA still working on guidance
Elena Branche of Druid AI on AI
Cutting through the AI hype to ensure investments have impacts
Dr. Don Rucker at 1upHealth_Physician at laptop with medical data Photo by Tippapatt/iStock/Getty Images Plus
Looking under the hood of Medicare Advantage star ratings
Clinician reviews medical notes on a tablet
OpenAI's general purpose speech recognition model is flawed, researchers say
Oracle booth at HIMSS
New Oracle EHR promises AI-enabled reinvention