It is difficult (as in damn near useless) to write an article about reducing the "dwell time" for an industry such as healthcare that, seemingly on a daily basis, continues to let "laptops with ePHI" walk out the door completely unencrypted. I am convinced that it is perfect storm of ignorance, arrogance, chutzpa, and a lack of resources that has kept healthcare in the dark ages with respect to privacy and security. You often hear, "we save lives around here" and we don't have C-Suite time to focus on the agenda of "tree huggers," HIPAA consultants and lawyers, until of course there's a major breach, at which time bandwidth and money materialize out of thin air.
To be fair, healthcare is currently undergoing 150 years of change in five. The entire industry is being turned upside down and the mantra of "innovate or die" is not just consultant speak. The healthcare industry is under siege AND it is not all Obamacare. Rather, it is the rude awakening that we now live in the 21st century and healthcare is not immune from disruption. In fact, healthcare is primed for disruption given the amount of money flowing into healthcare startups. So the C-Suite has a lot on its mind and the more innovative of the lot will include privacy and security on the agenda. This is precisely the right time to re-engineer (and in many case engineer for the first time) a "built to last" privacy and security platform.
The Perimeter is Kaput
Finito. Over. It is not that you should stop protecting it, rather you need to change your worldview regarding it. Your perimeter defenses are incapable of keeping the bad guys out. There are far too many threat vectors for this to have ever been a realistic strategy. It certainly has gone the way of the typewriter. With "dwell time" measured, on average, in the
hundreds of days, the probability is high that someone is already poking around your house trying to find where the family jewels are hidden. What exactly is "dwell time?" A lay person's definition would be "the amount of time that an intruder has penetrated your network and has gone undetected." Obviously the longer the time the more likelihood that they have pulled the trigger in "the kill zone" and are just wandering around to see what else might be available. Notice how quickly we can go from the language of "lefties" to the language of war...the latter being clearly more apropos.
Get your House in Order First
It would be tempting to jump
right to where the war is being won or lost but nothing is as it appears when it comes to cybersecurity. If you don't have the
necessary scaffolding (i.e. policies, processes, training, etc.) in place, and the necessary compliance culture to underpin it, you will be hopelessly wandering around the desert in search of the bad guys when all you really need to do is look in the mirror. Most breaches occur because organizations are not "blocking and tackling" (e.g. lost or stolen laptops with unencrypted PHI stored on them) rather than because of sophisticated "hacks." It's not that we should ignore the latter, they are happening at an increasingly alarming rate, rather we should make sure we have the equivalent of high school degree, before attempting to get a PHD in cyber forensics.