Cybercrime takes many forms, yet the news is fond of showcasing data theft stories that involve large, national retail brands that we all do business with. And while the loss of credit card data is important, has financial implications for the affected retailer, and is inconvenient to customers who now have to close down credit cards, getting a new card issued pales in comparison to the potentially damaging effects of compromised healthcare data.
Arguably, one of the most damaging types of breaches to individuals is the theft, leak or mishandling of healthcare data. When medical records are stolen, the amount of accompanying data often contained in these records enables criminals to potentially impact that individual not just for a credit card billing cycle, but rather for life. There is no changing much of the detail in those files; it’s inherently tied to the individual person, representing the details of their health history, unlike a credit card number that can be easily rotated and refreshed. The integrity and the privacy surrounding these records are paramount.
Robert Wood, who runs the trust and security teams at Nuna, a healthcare analytics company based out of San Francisco, CA, takes information security very seriously. In this role, Robert oversees security, privacy, and governance, risk and compliance (GRC) at Nuna. While he initially became involved with security because he loves working on things that protect and help other people, being able to apply that passion to the healthcare industry was icing on the cake for Robert.
“Nuna takes the responsibility of protecting its customer information very seriously and I was drawn to them because of the impact my work can have,” said Wood.
Nuna works with various stakeholders in the healthcare industry, dealing with claims and benefits information to build data warehouses and analytics tools to give stakeholders insight into how they can deliver more accessible, more affordable healthcare. So, as one can imagine, almost all the customer data they deal with is sensitive.
Given his respect and appreciation for the risk his organization must deal with, Robert has a very holistic view on his security responsibilities. And while Robert can’t afford to neglect any security area, it’s not lost on him that application security tends to be one of the most tangible to his customers.
“The applications are what our customers see and touch,” said Wood. “This is why we partnered with Cobalt Labs; we are using their agile pen test service to ensure Nuna has the best possible application security posture possible.”
During the conversation with ITSPmagazine, Robert shared a number of lessons he’s learned over the years:
The big picture is key. As a security executive, you have to focus on what's important to the business. If you can't, that's a potential leadership issue and will lead to blind spots.
Apply a diversity of backgrounds, skills, experiences, and perspectives. This makes for the most effective security team. For example, if I hired a Cobalt pen tester as a full-time Nuna employee, they would eventually succumb to a level of internal group-think because they would constantly be thinking about Nuna’s infrastructure, apps, and processes. Being on the outside as part of Cobalt, however, they are constantly being exposed to a myriad of different clients, threats, techniques, and patterns that make them extraordinarily effective.
Try to address security issues by theme. As an example, when evaluating the results of a pen test, it’s tempting to fix the issues one at a time as they come in or as they pop to the top of the stack; or perhaps quickly dealing with the low-hanging fruit. However, if you look across the data set and approach the fixes strategically, you can, and likely will, have more of an impact. As an example, if an application continues to have cross-site scripting issues identified, this is suggestive of possible design changes, application-wide configurations that could be implemented, process changes around code review, or other enhancements. Case in point, it’s very effective to look for commonalities between issues and tech stacks, or issues and teams. What themes emerge? Is there a way to design away the issues such that the theme is broadly dealt with?
Automate as much as you can. For example, let’s say we find a number of SQL injection issues. That’s almost certainly because we’re incorrectly using SQL constructs in the framework. Why can’t we write, as part of our normal build and integration testing process, a simple check for the use of those SQL constructs that match the root cause of the issue and tell people when it is spotted? In this way, you’d quickly eliminate the use of an insecure mechanism.
Don’t settle for PDF reports (or any other static format). Make sure that the data you are using to make decisions is accessible and usable in a live, up-to-the-second form if you want, or need, to be able to respond in kind. Cobalt’s findings roll right into the development process, providing real-time access and interactive communication with the engineers responsible for resolving the vulnerabilities and other security issues identified.
Strive for a multi-disciplined skill set. People tend to hyper-focus on a particular aspect of security when they are getting started. Even experienced folks often get mired in detail. As a security professional, the best thing to do is to study as much stuff as you possibly can to expand your perspective. This applies to studies beyond the field of security entirely. How do successful law enforcement agencies operate, how about social psychology, politics, or economics? How do other fields measure and deal with risk in a business context? Being able to think about your challenges in other terms serves the team well across the entire range of experiences.
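The "automate as much as you can" lesson above describes a build-time check for the SQL constructs behind a run of injection findings. The following is an added illustration of such a check, not code from Nuna or Cobalt; it assumes a Python code base using DB-API style cursor.execute()/executemany() calls, and the sample source it scans is constructed for the example.

```python
"""CI lint: flag SQL queries assembled with string formatting.

Added example (not Nuna's or Cobalt's code). Heuristic: any call named
execute()/executemany() whose first argument is built at runtime
(f-string, concatenation, %-formatting, str.format) is reported so the
team is told about the insecure construct instead of the next injection.
"""
import ast
import sys
from pathlib import Path
from typing import List, Optional, Tuple

EXEC_NAMES = {"execute", "executemany"}


def dynamic_string_reason(node: ast.AST) -> Optional[str]:
    """Return why the node builds a string at runtime, or None if it does not."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "string concatenation"  # heuristic: any '+' in a query argument
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "%-formatting"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format()"
    return None


def find_dynamic_sql(source: str, filename: str = "<string>") -> List[Tuple[int, str]]:
    """Return (line, reason) for each execute()/executemany() call whose query
    is assembled at runtime rather than a constant with bound parameters."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
        if name in EXEC_NAMES:
            reason = dynamic_string_reason(node.args[0])
            if reason:
                findings.append((node.lineno, reason))
    return findings


# Constructed sample: two unsafe patterns followed by a parameterised query.
SAMPLE = '''
cur.execute("SELECT * FROM claims WHERE member_id = '%s'" % member_id)
cur.execute(f"DELETE FROM benefits WHERE id = {bid}")
cur.execute("SELECT * FROM claims WHERE member_id = %s", (member_id,))
'''

if __name__ == "__main__":  # usage: python sql_lint.py file1.py file2.py ...
    hits = [(p, f) for p in map(Path, sys.argv[1:]) for f in find_dynamic_sql(p.read_text(), str(p))]
    for path, (line, reason) in hits:
        print(f"{path}:{line}: SQL built with {reason}; use a parameterised query")
    sys.exit(1 if hits else 0)
```

Wired into the integration test stage, a non-zero exit fails the build and points the engineer at the exact line, so the theme (dynamic SQL) is eliminated rather than the individual finding.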
About Robert Wood
Robert Wood runs the trust team at Nuna, which is responsible for security, privacy and compliance; our core directive is to protect one of the nation's largest collective healthcare data sets.