In this second installment of “A Seismic Shift in the Digital Health Landscape” we present six less common approaches to IT security that savvy developers should be learning about and applying as appropriate. Catch up on Part 1 here.
In the “good old days”, a strong firewall and decent encryption may have been protection enough. No longer. In light of the devastating malware now in unknown hands, developers need to know what can be done today to lock down data and systems for this challenging IT future.
Here are six important, but less-often considered suggestions for protecting data and systems:
1. Learn what hackers are up to
Hackers frequently telegraph their methods, tactics and strategies via events, forums and message boards of various sorts. Often, this is motivated by a desire to claim “bragging rights” to the discovery of a new vulnerability or the creation of a new exploit. You are less likely to be surprised by, and unprepared for, a new type of attack if you’ve already read about it online or heard about it at a hacker conference.
Be sure someone on your team keeps up with hacker news from websites such as Hacker News, 2600, Kaspersky’s ThreatPost, or similar sites. Blogs and news feeds from InfoSec experts like Bruce Schneier’s CRYPTO-GRAM and Brian Krebs’ Krebs on Security are excellent ways to stay current on malware and exploits. Follow the development of key hacker exploits from conferences such as BlackHat, DEFCON, ShmooCon, THOTCON, and others. Many key presentations are posted online shortly after each of these events, so costly travel and days away from work are not always necessary.
2. Reduce and Monitor Privileged Accounts (a Lot)
This is a frequently overlooked method to help lock down your digital ecosystem. The latest phishing techniques have made senior employee logins a far easier attack vector than software or network exploits. Attackers use privileged accounts to gain access to every system, application and end-user device in an organization. These accounts allow for fast, easy lateral movement through networks and companies. Privileged accounts also allow attackers to delete logs and other data that could provide evidence of hackers’ activities.
Most organizations don’t know how many privileged accounts they have or where those accounts are, and many do not continuously monitor activity on those accounts. Yet, between 80% and 100% of all serious security incidents involve privileged accounts. Cisco recently estimated that organizations in the cloud can remove privileges from 75 percent of Admin accounts with little to no business impact. (See this [pdf])
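As an added illustration (not code from the article), the following Python script shows the inventory-and-monitor idea in practice: it lists the privileged accounts in a constructed directory export, flags privileged accounts idle long enough to be candidates for privilege removal, and raises an alert when a privileged account clears an audit log. All account, group and event names are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed directory export (hypothetical account and group names).
ACCOUNTS = {
    "alice":   {"domain-admins", "staff"},
    "bob":     {"staff"},
    "carol":   {"cloud-owner", "staff"},
    "svc-bkp": {"domain-admins"},
    "dave":    {"staff", "db-admin"},
}
PRIVILEGED_GROUPS = {"domain-admins", "cloud-owner", "db-admin"}

# Constructed audit log lines: "<ISO timestamp> <account> <event>".
AUDIT_LOG = """\
2024-03-01T08:02:11Z alice login
2024-03-02T09:15:40Z bob login
2024-03-03T22:47:05Z svc-bkp login
2024-03-03T22:48:30Z svc-bkp clear-audit-log
2024-03-04T10:00:00Z dave login
"""

def privileged_accounts(accounts, priv_groups=PRIVILEGED_GROUPS):
    """Accounts belonging to at least one privileged group."""
    return {a for a, groups in accounts.items() if groups & priv_groups}

def parse_log(text):
    """Parse constructed audit lines into (timestamp, account, event)."""
    events = []
    for line in text.splitlines():
        ts, account, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, event))
    return events

def stale_privileged(accounts, events, now, max_idle_days=30):
    """Privileged accounts idle longer than max_idle_days: candidates for
    privilege removal (most can lose it with little impact, per the article)."""
    last_seen = {}
    for ts, account, _ in events:
        last_seen[account] = max(ts, last_seen.get(account, ts))
    cutoff = now - timedelta(days=max_idle_days)
    return {a for a in privileged_accounts(accounts)
            if last_seen.get(a, datetime.min) < cutoff}

def suspicious_events(accounts, events, watched=("clear-audit-log",)):
    """Privileged-account events to alert on, e.g. log clearing, which
    attackers use to erase evidence of their activity."""
    priv = privileged_accounts(accounts)
    return [(ts, a, e) for ts, a, e in events if a in priv and e in watched]
```

Run against a real directory export and SIEM feed, the same three functions give a count of privileged accounts, a removal candidate list, and an alert stream for the behaviour the article warns about.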
3. Consider New Technologies for Information Security
Explore the possibilities opened up by such technologies as Immutable Servers and Infrastructure (See this, and this), Deception Tech and Techniques (See here, here, and here), Zero-Trust Networks (See this and this), and Artificial Intelligence Platforms for InfoSec (See here [pdf] and here). These are but a few of the most important new approaches being created that developers and IT shops can begin learning and using today to resist the attacks of tomorrow.
If you are unfamiliar with any of these new approaches to information security, do your homework, interview vendors, test products and services, and deploy whatever you can to avoid damage from the seismic shift now underway in the digital landscape.
4. Find and Use a Reliable Bug Bounty Program
Bug bounty programs and hackathons have been implemented by Facebook, Yahoo!, Google, Reddit, Square, and Microsoft because they work. Find bugs in your code privately, before hackers find and exploit them publicly. Paying out a smaller reward early is better than paying much more to remediate a public hack later.
5. Find an IT Security Framework and Get Compliant
As a health app developer, HIPAA compliance is a must, but it’s far from being the only great InfoSec framework. Be sure you become familiar with the CIS Critical Security Controls, OWASP, ISO, NIST, and other relevant standards and frameworks. The comprehensive, curated approaches to data security these frameworks provide offer the strongest long-term preventive posture organizations can have. Never forget that the costs associated with preventing IT attacks are almost always far lower than the costs associated with recovering from attacks and mitigating the damage they cause.
6. Find the Most Secure Vendors and Partners
Carefully explore the information security of your partners and vendors, and migrate to more secure ones if you must. In olden times, common folk ran for the security of the local lord’s castle when invading armies approached. Today, among partners and vendors, find the strongest castles you can, and move your apps and systems inside their walls.
A seismic shift in the digital health landscape is happening today, all around us. You might not have felt it yet, but you will. It doesn’t have to shake your world apart though. Developers, keep your cool and keep improving. You can do this.