Is Your Entity More Secure than HHS?
Experts: Gov Security Flaws Also Common in Private Sector
… For instance, issues relating to CIO-CISO hierarchy also are widespread, says Tom Walsh, founder of his own security consulting firm.
“We sometimes refer to this as, ‘the fox guarding the hen house,’” he says. “In some organizations, information security reports to other departments, such as compliance, legal, etc. There are pros and cons to both arrangements. Mainly depends on the personalities involved and whether the CISO has influence.”
Also, the information security reporting structure varies widely in healthcare, notes Keith Fricke, a principal consultant at tw-Security. “There are debates about whether information security should report to parts of the org chart other than IT. Some say there are conflicts of interest in having information security report up to the CIO. Others say that keeping information security within IT can foster collaborative relationships rather than adversarial ones.”
Another common problem at many private sector healthcare organizations is being “unable to provide accurate information about security incidents within their own networks,” Walsh says. That’s often due to a lack of documentation, he says. “IT people don’t like to document things. Many times they are just so busy trying to address the incident and return the organization back to normal operations, incidents go undocumented.”
One of the most critical flaws at HHS cited by the committee report is “breaches … resulted from misconfigurations,” Walsh says. “That’s more of a patch management/vulnerability management issue. Those are operational breakdowns and not necessarily the fault of the CISO,” he says. However, that issue “is the most serious” because it could potentially lead to a significant breach.
… Getting the top levels of leadership to understand an organization’s information security challenges also helps, Fricke says. “Board-level interest and visibility is helping information security programs gain the traction those programs need” at some entities, he notes.