Marene Allison is chief information security officer at Johnson & Johnson. At the (ISC)2 Congress in Atlanta, Eleanor Dallaway sat down to talk healthcare information security risks, the perils of electronic data storage, and why physical and information security have never quite married…
“Healthcare information security threats are the same as all threats, but how they are keyed is slightly different”, said Allison. Credit card data is a consideration, although Allison adds that there are better places for cyber-criminals to go on the hunt for credit card data. “Ecommerce is their bread and butter”, she said.
Cyber-criminals are, she added, looking for identity information to set up false credit card accounts, and commit healthcare insurance fraud. “Nobody actually cares about what drugs we take. Michael Jackson’s health records? Now, that’s valuable. But celebrity healthcare information is the only data that anyone’s interested in.”
Proprietary information is one of the main concerns. “Drug manufacturers and medical device manufacturers have intellectual property that is of high-value. You have to consider that foreign governments will want this intellectual property, and also think about industrial espionage.” Allison recalled a personal story from a past role in the telecommunications industry, when due to an office fire, the organization discovered high-speed cables which had been installed secretly by the Chinese to conduct espionage.
You have to consider that foreign governments will want this intellectual property, and also think about industrial espionage
“As a Fortune 42 company, we are an automatic target because we’re so profitable”, she said. In sponsoring the World Cup, Johnson & Johnson became a target for Anonymous. “Their main attack vector is to deface the website, and to be honest, the general population are pretty immune to that now”, she said. “Hacktivists are yet to deploy hard-core military grade APTs or hacks.”
In addition to hacktivists, Allison listed insider threats, criminal groups, nation states and large-scale vulnerabilities as Johnson & Johnson’s biggest challenges. “Take Heartbleed or Shellshock for example”, she said, “we’re constantly dealing with threats, patching, threats, patching.” In one week, Johnson & Johnson scanned and detected 1400 attempts to exploit bash.
Of all of these aforementioned challenges, Allison considers those that impair reputation as those with the potential for causing the most damage. “You have to weigh your industry against what is most important and what could cause the most harm. In healthcare, intellectual property, money, reputation and propriety information are king.”
Classify Your Data, and Your Devices
Laptops, declared Allison, “are bad news to security.” Her recommendation? Have two systems, unconnected. “Classify your data and segregate it onto two different devices.”
Electronic data storage, in addition to being more open to compromise, is also more complex. “On paper, you know where things are. Electronically, you forget what is stored where and data gets lost.”
Introducing personal responsibility and accountability for data protection is absolutely essential, Allison said. “My privacy officer tells me I have to encrypt all sorts of data, and I say ‘but what about the phone book?’. Sometimes I think we’ve gone kind of crazy about this”.
As a CISO who has worked in various organizations, Allison has spent much time considering the relationship between physical and information security. “A lot of physical security people see IT security as a different domain, but IT security typically sees physical security as a part of the same domain.”
In reality, though, the two tend to be two separate disciplines, she admits. “In most companies, there is no overlap. The exception is the government, where they pay $50 for a smart card.” Security, she considered, should be like an onion. “Just layer it, layer it, layer it.”