Security ‘No. 1 Priority’ in VA IT Transformation
Mid-Year Report Spotlights Initiatives to Protect Vets’ Data
… “If any organization begins to lag in their security control investments, they will be challenged with establishing priorities and justifying ‘catch-up’ budgets,” says Mark Dill, principal consultant at consultancy tw-Security and former longtime CISO at the Cleveland Clinic. “Few can afford to fix all problems at once – so they spread their investments across multiple budget cycles. During this time, a fair amount of risk is often left unmitigated while the absolute emergencies are addressed.”
Other privacy and security experts note that many of the challenges being dealt with by the VA are similar to the struggles faced by other healthcare organizations, but on a different scale. The VA’s Veterans Health Administration is the largest integrated healthcare system in the U.S., with more than 1,700 sites of care, serving almost 9 million veterans each year.
“Every organization is doing its best to block malware,” notes Tom Walsh, CEO of consultancy tw-Security. However, “I believe that the VA would have a slightly different threat profile than most hospitals because the agency serves our veterans, and the motivations for attacks through malware may include political – including nation states that hate the U.S. – and religious groups.”
Efforts by the VA, as well as other healthcare entities, “to eliminate elevated user privileges, such as local admin rights and restricting ‘write’ access while allowing ‘read’ access, will go a long way to reduce the possible impacts if malware was able to penetrate the perimeter defenses,” Walsh notes.
“Most malware needs elevated privileges to do the most harm. This is the recommendation that we have been making to our healthcare customers for some time now.”