October 2, 2019
To celebrate National Cybersecurity Awareness Month (NCSAM), we sat down with Steve Gantz, Chief Security and Privacy Officer at Cognosante, to discuss industry trends and what’s on the horizon.
Q. Steve, what would you consider the driver for Cognosante’s commitment to Cybersecurity?
Cybersecurity is all about managing risk. From an organizational standpoint, so much of our work for customers involves handling data that belongs to various populations across the country. From states and Federal agencies to individual citizens, data impacts the benefits they receive from the government, doubling its importance—if data concerning health insurance, healthcare, and public assistance is lost or damaged there can be severe consequences. We consider ourselves custodians of data—we safeguard it as best we can with the tools we have available.
Q. Why are rigorous security programs beneficial?
If you have internet access, you need a security program. Security programs pose a valid, yet sometimes uncomfortable question—what is your risk tolerance? We as a company have a reputation for being pretty risk-averse, instilling a higher confidence in people that their data, information assets, and systems are protected because of additional security measures that have been put in place. This helps alleviate organizational concerns that would ultimately hinder program delivery or business operations. Because of our work in the healthcare and public sector space, we are also subject to various Federal regulations that require us to maintain a strong security posture.
Q. NCSAM has carved out the following theme for 2019 Cybersecurity Awareness Month—Own IT. Secure IT. Protect IT. Let’s take a deeper dive:
Own IT—what are some of Cognosante’s best practices for device and application security?
Many security people like to say users are the weakest link—you can put strong controls in place but can’t always control what users are doing. From an Own IT perspective, it is a partnership—our IT and security programs take the lead in making sure we have the right tools, people, processes, and technologies in place, but rely on employees to understand their responsibilities and be cyber aware.
Application security is a perfect example. The systems people log into every day to record their time, check their benefits, or access customer-specific content should only be accessible to the people who require access. We manage login controls and password rules to mitigate the likelihood of personal data getting exposed, but employees are ultimately responsible for creating passwords that don’t include 1234, for example.
Employees enjoy using laptops and mobile devices, but with that comes increased risk. To mitigate this, we install technology with login controls that allows us to delete company information if a device gets lost—minus personal photos or videos, of course! We also have visibility into employee behavior on company-issued devices (not to be Big Brother!). Monitoring tools help us identify if someone tries to install ransomware or participates in other harmful behavior—we can quickly lock computers and servers at risk, protecting the company at large.
Secure IT—why is multi-factor authentication important?
Multi-factor authentication is a balancing act. You can always add more security, but not at the expense of productivity. Nowadays, we’re almost seeing an end to passwords; Apple now has Face ID for most apps. People have dozens of passwords, and managing these is now part of the debate. We require every employee to update their passwords on a regular basis, but should these be compromised, we consider multi-factor authentication an extra layer of security that takes very little extra time.
Protect IT—Information security in the healthcare space is critical. How does Cognosante protect customer data and keep information safe?
How do you protect health data? You encrypt it! That way, if it gets lost, no one can do anything with it—we do this universally. Whether data is at rest or in transit, we run everything in the cloud and put practices in place that prevent people from taking screenshots, for example. We also host clean facilities, making it very difficult for bad actors to take sensitive data and misuse it. Individuals who work in these environments are not allowed paper, pencils, or cell phone access. We must protect against possible insider threats, so we put physical controls in place—providing yet another example of how we keep the best interests of our customers top of mind.
Q. How does cybersecurity show up in our everyday lives?
Aspects of cybersecurity show up everywhere, whether people realize it or not. The idea of Prevent. Detect. Respond. dates back 40-50 years—since security became a discipline. The emphasis on these, however, is what’s paramount. Everyone used to focus on prevention—think stronger locks on doors or setting up a burglar alarm. In the last five or six years, however, data breaches have become so bad that it’s no longer a question of if, it’s a matter of when an attack will happen—shifting focus to detection.
People don’t necessarily take the time to fully understand how companies use data. Smart TVs, for example, report what is being watched as often as once per minute. This enables a more targeted approach to advertising, and while some of the population may appreciate this, others find it creepy. Security is pervasive. Enabling two-step authentication or secondary approvals on Facebook, Twitter, or Amazon accounts, for example, would prevent account hijacking, but people resist due to convenience. The funny thing is, since the ’90s we’ve all carried around a two-step authenticator—ATM PINs. And while we seemed okay with this once upon a time, we are seeing another shift in customer convenience and security—some banks now authorize money withdrawals without PINs, provided you can verify it’s you!
Q. What are your theories on cybersecurity trends in 2020?
Password managers: I think we will see a lot of emphasis placed on how people manage their own information and security. While we can suggest training and provide password guidance, people are ultimately responsible for maintaining this information. I think we will see an uptick in the number of people using password managers.
Data privacy: People are more aware of data privacy and protection; just look at the Facebook-Cambridge Analytica scandal. The right to be forgotten (to regulate the processing of personal data) in Europe has had a trickle-down effect in the U.S., but we still haven’t seen implementation of consistent privacy legislation. States are implementing their own privacy controls, resulting in inconsistencies in how personal data is protected and what happens when it is compromised. Privacy drives security—you can’t provide privacy protection without security controls in place.
Behavioral analytics: It’s amazing to see how long systems are compromised before anyone realizes—lasting months, or even years! Organizations should know and monitor how systems are accessed and when. Are authorized users logging in late at night for no good reason? Behavior like this is worth monitoring.
Internet of things: The healthcare space has lots of medical devices connected to the internet, but they don’t have proper security controls in place. Where does the data go? Who is looking at it? What happens if someone introduces erroneous data into health data and changes a prescription from micrograms to milligrams? You could kill someone! I think there will be more government regulation and approvals put in place around the release of new medical devices and how they come to market, ultimately impacting our work in the healthcare space.