The Need for Speed Part 2

Throughout 2017, the SecureWorks Incident Response Group conducted 950 incident response engagements. The average time the threat had remained undetected in the client’s network was 380 days. Clearly, organizations must improve how rapidly they detect an adversary’s presence in their environment.

The need for rapid detection of an adversary’s presence is but one aspect of an organization’s cybersecurity defense model in need of an increase in tempo. If an organization is to be successful in mitigating the risk to critical digital assets and the increasing risk to patient safety, the tempo of decision making related to the execution of the strategy for each objective in the information security program must be increased.

In the context of compliance with the HIPAA Security Rule, the oversight method for achieving compliance with the individual requirements of the rule is known as “Due Diligence”. It is a point-in-time snapshot of the state of the compliance effort. There is no urgency attached to it other than, perhaps, a date on the organization’s calendar for completion of the compliance checklist. In most instances, the decision making that follows from this oversight lacks urgency as well.

The difference between compliance and security is that security is a steady-state effort in which oversight is accomplished through “Continuous Monitoring” of the operational environment for vulnerabilities and for threats to those vulnerabilities. For the steady state to be maintained, speed in decision making is, most often, the deciding factor. Without a decision-making tempo that matches the cybercriminal’s, the steady state is most often interrupted, with the consequences of the required breach notification to the Office for Civil Rights following. Additionally, as the investigation of the breach continues, there will almost certainly be intermittent interruptions of the steady state.

In any conflict, there is a series of moves and countermoves. Much like conventional warfare, cybersecurity warfare is a resource-based conflict affected by the human factor: the ability of people to deal with the ambiguity and uncertainty of circumstances as they change. All too often, in healthcare today, the changes are perceived through the lens of the preexisting cultural view of compliance and what “should be”.

The closed environment of compliance is unable to account for the changes occurring in the healthcare security environment and, in some instances, is creating a mental “entropy” (i.e. disorder) as the majority of the industry continues to look inward and tries to make old methods work for challenges they were never meant to solve. It is much like the old adage, “When the only tool you have is a hammer, everything is a nail.”

The OODA Loop is a learning system, a method for dealing with uncertainty, and a strategy for winning against the new challenges a healthcare provider faces as it grapples with the changing circumstances of interoperability, the explosion of technology, ever-changing attack surfaces, the vulnerabilities being introduced, and the risks related to the growing number of vulnerabilities.

In Part 3, we will look at the first step, “Observe”, of the OODA Loop.
