CynergisTek : Security Validation and Why Should it be the New Mindset in 2021

Security Validation and Why Should it be the New Mindset in 2021

February 1, 2021David Finn

• Share this Article
• Facebook
• Twitter
• Email
• LinkedIn

While the concept of security validation has been around for some time, at CynergisTek it is part of our methodology - - our lifestyle - - that we apply to everything we do. There are products such as our partner Mandiant's Security Validation tool in the market to test security controls and the need to do this has never been greater, and it is our recommendation that security validation become the ethos of all organizations to truly and systematically thwart off cyber-attacks and strengthen one's cyber hygiene.

Continuous Change

We learned many lessons from COIVID-19 and were forced to make many changes, basically re-thinking security. One of the things we learned is that making changes creates, often unanticipated changes in how things work. We put in tools, set the parameters, created the alerts, or blocks and we think that everything we set up will work forever - - no matter what changes we make in people, process, or technology. Change is happening every day and the mind shift for 2021 is to assure that the controls you have implemented are actually "controlling" the people, processes, and technologies in the ways they were intended and working in the planned manner.

Why Security Validation is Important.

Our environment exploded across all sectors with Work-from-Home, expansion of the attack surface and in healthcare, the look and shape of networks changed massively, nearly overnight. The launching of testing and even direct patient care in parking lots, gift shops, civic centers and tents not only created new changes and demands at these sites, but they also changed how things now had to work within and across the organization and who came into your network and systems, your organization's healthcare resources and how. Examples include:

• Visiting clinician using a guest account but with no training
• Long-time employee using his/her corporate email from a personal device at home that is shared with a spouse and children
• Employees coming in over unsecured Wi-Fi networks
• And then there was telehealth

With a very different care delivery model, the healthcare industry is faced with a new delivery model of information and information technology at the same time. This included the people, the processes and the technology and includes the security and privacy issues around all these things. What worked pre-COVID might still work. But then again, it might not. Or it might work but not in the same way with new devices, new connectivity, shared devices, and maybe very different work flows and processes for the people and technology. Security validation provides these answers.

New Tools. Not a New Approach.

Testing technical controls can be tedious, particularly across multiple tools all at play in the same environment however it is a new requirement in a post-COVID-19 world: on-going or even on-demand testing of security controls. Your computer environment, network, applications, and move to the cloud are going too fast not to make sure on a regular basis that those controls are in place. Are working. Are doing what you want and need. And that the people and processes are also responding to controls and alerts appropriately.

It's More than a Tool. It's in our DNA.

A fool with a tool can still be a fool. That is where CynergisTek comes in. Validating security controls - - people, process and technology is what we do. We were born from it, starting out as an assessment firm using NIST CSF and moved to using NIST as a standard assessment tool before most other organizations adopted this framework (along with the HIPAA Security Rule). In 2021, the Federal Government, through an amendment to the HITECH Act, has recognized NIST and the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015 as "recognized security practices" and the Secretary shall consider whether the covered entity or business associate has demonstrated that it has recognized security practices in place. These considerations may include: 1) mitigation of fines; 2) early, favorable termination of audit, and 3) mitigation of remedies that would otherwise be agreed to in any agreement with respect to resolving potential violations of the HIPAA Security Rule.

Tools are, however, only the beginning of the story. At CynergisTek it is not only a lifestyle but a lifecycle. Security is a process, you build, assess, remediate and then you must validate - - else your building, assessing and remediation are for naught. Ultimately, security comes down to processes and people.

As a company who performs hundreds of assessments per year, we ask if procedures are in place and take it a step further by asking to see them. Our assessors want to see if they have been implemented and are in place, that people are trained on them. When were those policies or procedures last reviewed? You have a great inventory of PCs and Servers but is anyone looking after the IoT devices or medical devices on your network? Clinical Engineering says it is IT, IT says it is Security. The methodology or the last step in the security lifecycle is to validate that this is the case or not.

How CynergisTek Validates Security.

We validate your technical security controls and it's a step we perform in all of our services, from Security Risk Assessments to Vendor Security Management, to Compromise Assessment to Privacy Monitoring and even pen testing. We do not stop validating controls at the technology. We look at the people and the processes. We think of it as our job to help you assure that all those things are working together, working to reduce your risk.

About the Author

David Finn is the Executive Vice President of Strategic Innovations at CynergisTek. David has been involved in leading the planning, management, and control of enterprise-wide, mission-critical information technology and business processes for more than 30 years. His unique experience in risk management and control objectives of technology (including audit, security, and privacy) allows him a distinctive perspective in the design and implementation of business applications and the processes that the technology must support. David is focused on using technology as an enabler of operating efficiency and deriving business value through the optimization and control of technology. He is known for creatively engaging all types of audiences, conveying messages that even change-resistant users listen to and remember. David is a member of the Health Management Technology Editorial Advisory Board.

Follow on Twitter Follow on Linkedin Visit Website