Part II: Putting Together Information Security and Privacy Plans that Matter
In this series, Rebecca Herold and Nathan Gibson help explore the role and value of whole organization information security and privacy plans in the health care and senior living industries.
Enabling Better Health Care & Senior Care Outcomes with Technology
This series focuses on how the health care and senior care industries are enabling more autonomous living opportunities for all ages while improving and expanding care in the face of the exponential growth of the senior population. These industries face labor shortages and a strain on existing systems that must evolve and scale while meeting information security and privacy requirements.
In the previous episode, we focused on purchasing and securing IoT monitoring devices, implementing platforms and securing the data associated with them. This time, Rebecca Herold and Nathan Gibson join us as we explore the role and value of whole organization information security and privacy plans. Do you have them? Should you have them? And what do they look like?
- Creating an Information Security Plan that achieves compliance and ensures the data is protected in the manner the organization needs.
- Putting a framework in place that addresses the full lifecycle of data and ensures human behaviors follow the plan with regular checks, tests, communication, and training to confirm everyone in the organization is aware and following the plan.
- How senior leaders must stay aware of how well the organization is implementing and evolving the plan.
- Successful security and privacy programs are the ones that coordinate closely and often report to the same person in the organization.
About Our Guests
Rebecca Herold has over 25 years of IT, info sec, and privacy experience. She is the owner and CEO of The Privacy Professor, founded in 2004, and Privacy Security Brainiacs, founded in 2020. Rebecca hosts the radio/podcast show, “Data Security & Privacy with the Privacy Professor.” She is an expert witness, entrepreneur and author who has received numerous awards and recognitions for her work throughout the course of her career. Rebecca has written 20 books to date, chapters in many books and hundreds of articles.
Nathan Gibson is the Chief Security Architect and Director of Enterprise Security Architecture at Allstate. Nathan’s information security journey spans multiple industries including our nation’s Air Force, healthcare, fintech, residential and commercial security, with a heavy focus on cloud engineering security.
Read the Transcript
00:56 Matthew D Edwards: Welcome to The Long Way Around the Barn. This is the second episode in our series, discussing remote monitoring, management, security and privacy in the senior living industry. Last week, we focused on purchasing and securing IoT monitoring devices, implementing platforms and securing the data associated with them. This week, we dive into the role and value of whole-organization Information Security and Privacy plans. Do you have them? Should you have them? And what do they look like?
01:28 Matthew D Edwards: We have two exceptional experts for today’s discussion. Rebecca Herold has over 25 years of IT, info sec and privacy experience. She is the owner and CEO of the Privacy Professor, and most recently, Privacy Security Brainiacs. Rebecca hosts the radio podcast show Data Security and Privacy with the Privacy Professor. She’s an expert witness, entrepreneur and author, who has received numerous awards and recognitions for her work throughout the course of her career. Rebecca has written 20 books to date, chapters in many books and hundreds of articles. And Nathan Gibson. Nathan is the chief security architect and director of enterprise security architecture at Allstate. Nathan’s information security journey spans multiple industries, including our nation’s Air Force, the healthcare industry, Fintech, residential and commercial security, with a heavy focus on cloud adoption, engineering and security.
02:29 Matthew D Edwards: Thank you for joining us today. Question one, whole organizational information security plans, and basically senior living organizations, as they become more and more technology-savvy and dependent, the number of moving parts and exposures to risks and liabilities is only going to increase. Do you guys recommend the organizations formally create and implement whole organizational information security plans, for example, if they don’t have them already, should they? And if they are going to put them in place, what should they look like? How do they know when they’re done? What is a good model? What is an information security plan and why should the C-Suites and leaders and senior living communities have them? Nathan, would you like to lead us off, sir?
03:20 Nathan Gibson: Sure, I think that the short answer for that is yes, but there’s a long conversation surrounding that. There’s a right way and I think a wrong way for implementing information security plans. And if you go out to NIST or different federal guidance, NIST is National Institute of Standards and Technology, they’re gonna have sample templates for an information security plan. And if you’re implementing them for the right reason, which would be you’re truly looking to protect your customers or protect those people that you’re caring for and the data, then you’re actually gonna look at it and understand what it is. If you’re simply trying to check a box from a compliance perspective, then it’s very easy to take those and copy paste and label that, Hey, I have an information security plan, and you’re checking a box.
04:18 Nathan Gibson: And there’s a difference between being compliant and being secure or actually protecting the data the way you should and the way you want to. And each organization, I think depending on the technology they offer, is gonna have a different set of standards and a different set of policies because their technologies are different. So if they look at it from, “Hey, we’re gonna bring in this capability and spend the time to document a particular policy for when that can be used and how it must be used, and technical guidance,” that collection of documents over time, that becomes your information security standard.
04:57 Nathan Gibson: Those are the types of things I think organizations should strive for. A lot of times, the technology they’re using is gonna be based off a vendor. So it’s also equally important for them to understand the vendor and understand that vendor’s privacy policies and practices and procedures, and maybe even that vendor can help them institute their own standards based off other customers that are using their product. So even though they may not have those skills in-house, they can ask that question, ask for that service when they’re purchasing that particular product or capability from a vendor: can you help me implement internal policies and standards to appropriately operationalize this product or this service?
05:43 Matthew D Edwards: Okay, Alright, Rebecca, what are your thoughts on this?
05:47 Rebecca Herold: Yeah, absolutely, and I agree with what Nathan said, and I would add to that too. A lot of folks who are listening, if they’re from senior living organizations or they have loved ones who are there, I think also add to just that need that Nathan talked about. Just think about all of the information that is within senior living organizations. And it’s not just technical, in fact, there is so much information within these organizations that is written down on paper, that is written on whiteboards, that is written on bulletin boards, that are on chalkboards, that are on the outside of people’s doors when you go to visit a resident.
06:39 Rebecca Herold: So it’s so, so important to make sure that all of that information is protected. And the best way to make sure that you’re protecting not just your residents and your visitors, but also just think about the actual organization itself, you have a reputation, each senior living organization wants to be trusted. If you don’t have a strong and consistently followed security program with some applicable rules that are specific to your organization and your risk environment, then you’re going to have bad things happen. It could be accidental, maybe somebody wrote their password down and left it on the registration desk, and somebody saw that when they came in to see someone, or maybe a sales person saw that when they came in.
07:43 Rebecca Herold: All of a sudden now someone else knows what perhaps your ID and password is to get into the Senior Living Organization website. Or if they see files of your residents, do you know how lucrative it is to have the personal information of senior citizens and use that to perform identity fraud and other bad things? So, there are so many reasons, as Nathan said, beyond compliance. Certainly compliance is there to set up really the minimum necessary to make sure you have basic security controls in place, but you also must always go beyond those basic minimums to identify where are these additional problems that you might not have in a checklist, but still are problems.
08:44 Rebecca Herold: Somebody brings in an Alexa because they know that the residents are going to enjoy that. Well, you know what, Alexas are really cool. I’ve been experimenting with one since last December, and they are fun, you can play some really cool music, I love Ella Fitzgerald so much. I play music by her, I know the Senior Living Organization folks would love to hear all their old favorites, right. But if you have that going and it’s not 100% perfect, it’s also taking information based upon keywords and storing it in the cloud. And that information has been compromised before, has been misused before, it has been shared with third parties before. So you need to just make sure you know what your environment is like and where all the risks are. You might have these digital spies and other types of spies on feet coming in and out of your organization that you don’t know about, so… Yeah, you need to… Every organization needs to have an information security and privacy program in place. No organization can be without one today and still be safe from bad things happening.
10:16 Matthew D Edwards: That’s a really good call out that I’d like to amplify, if you don’t mind, which is, Rebecca, you mentioned that information security plans don’t only cover technical things, but they cover all types of information and that behavioral… It’s behavioral information, it’s experiential information, as well as the technological considerations. And so a lot of people that we’ve run into through time have assumed that common sense was common and that passwords shouldn’t be stored on post-it notes, or passwords shouldn’t be stored out in plain sight for everyone else to use, or that entire staff shouldn’t be using the same login credentials for one application, those types of things. I think that those are the types of things that you’re referring to also, which is to have a plan that talks about the behavioral, the experiential, the technological, all of the aspects of data, not just I bought a device, I plugged it in, and now I have a plan. Am I getting that correctly?
11:33 Rebecca Herold: Yes, and I would add to that, it must consider the full life cycle of information as well because there are some significant risks when you’re collecting information. When you have new residents come into your senior living organization, think about it, they fill out how many forms? And I know because as we talked about before the show, my mother was in a facility because of early onset Alzheimer’s, and then my father was in a facility because of cancer. And when filling out so many forms and so many times you’re filling out 20 forms and they’re asking you the same thing on 10 of those pages, where are those pages going physical, that’s physical information. And they say, “Well, don’t worry about it. We’re going to input this into the system, so then it’s… All that going to be safe in our computer.” Well, where are you putting the physical paper when you’ve got it input into the computer. Will you throw it away?
12:47 Rebecca Herold: There it comes to the end of the life cycle, right. You’ve input it, and now how are you throwing that away? Can I find my information that I just put down for my parents back behind your facility in the alleyway dumpster? A lot of people find information there, so even that physical information, you need to make sure that you deal with that, too.
13:14 Nathan Gibson: And I would add on to what Professor Herold was saying. In between there, likely what’s happening is they’re collecting that information on paper, and then what’s that data input process? What’s that look like? If they get so many forms, and this isn’t just the initial… This is if they have Medicaid claims or Medicare claims potentially. Is that sitting next to a scanner, just a pile of paper sitting there waiting for the night crew to come in and scan those and input into those systems, while they’re sitting there, who has access to that data?
13:48 Nathan Gibson: I think you mentioned spies with feet, right, who’s coming in and out of your facility. How you’re locking those up, and that’s where your information security program can be as simple as setting some operational processes, document, saying, Hey, when we collect this document from the patient or a patient’s relative, this is the place that it goes and have a discussion around, how are we securing that, how long does it sit there? Who’s authorized to get access to that and then what’s the next step. And just documenting that process right there, that simple thing is not a complex thing, but that’s part of your information security program and your plan and becomes an operational standard at that point.
14:37 Rebecca Herold: Well, and I wanna just quickly emphasize, I love that you brought that up, Nathan, because having it documented is so important because the people in your organization will not consistently follow these practices if it is not written down. If you have just one person who’s not doing something, that one person could cause a huge problem, a huge breach or a huge outage because they didn’t consistently follow what everyone else was doing, it needs to be written in policies and procedures.
15:18 Matthew D Edwards: One of the things I wonder then, and you guys could both expound on this, one of the things I wonder then is when you’re talking about the data, all of the different forms of the data, you’re also talking about the types… If you’re talking about the types, but you’re also talking about locations. And so as part of an information security plan, then do you recommend or what do you recommend as it relates to in order to have a policy or a procedure or to have an opinion, you need to know what you have, you need to know where it is, and you need to understand who’s accessing it, how it’s being used, all of those types of things, is understanding that if it’s an asset inventory or it’s an inventory of all data in the organization, do you consider that to be a critical component of the information security plan itself?
16:09 Nathan Gibson: Absolutely. First off, I would assume, and professor can probably speak more to this based off her experience, but there are some standard forms that are usually filled out when somebody is being admitted into a facility or transient through a facility, and understanding what data you’re collecting on those forms and classifying that data, and then from that point, setting rules around that data classification, knowing that, Hey, this particular form does have sensitive data, so we’re only going to allow it to be stored in these locations, so once you collect it, we’re only allowing it to go in this location, and understanding that and putting that in policy and then enforcing that. What I would also add is, it actually helps the organization, take security out of it, helps them be more streamlined. If you have a new employee that comes in, what better way to quickly get them up to speed, than having an exact operational standard that they can read on how they collect data and where it must go to maintain a consistent, predictable, repeatable operation for the business and onboarding new employees quickly.
17:19 Nathan Gibson: So I think, yes, it does become more difficult when you’re dealing with paper documents, that has to probably change quite a bit. But yes, knowing where that data’s at, and what data you’re collecting is something that should be in your standard and your organization’s way of classifying it. We consider this extremely sensitive data, so therefore only these roles or titles within the organization can have access to it underneath these circumstances, that’s super critical to have in your plan.
17:55 Rebecca Herold: To add to that, just think about it, how can you protect data and make sure it’s used appropriately, unless you know exactly what information you have and in what form it is, and where it’s located. I mean my gosh, just imagine, what if every one of us had 20 credit cards, but yeah, we didn’t keep track of where those credit cards were. Now, maybe there might be a credit card in your home safe and you have it locked up, that one’s probably pretty secure. But what if you have five of those credit cards out in your… Maybe in your automobile and you go to a restaurant to do it and leave it in there… Somebody gets your credit card. Are you gonna even know that if you didn’t know your credit card was there to begin with? So keeping track of all of your information is kind of like keeping track of your own personal values, because if you don’t know where things are that you value, and if you don’t know how to protect them, then things are going to happen to those valuables and you’re going to really be sad and mad at yourself for not securing them and keeping track of them to begin with, that’s the same way with any business.
19:15 Rebecca Herold: A business has to consider information as being valuable and they need to know what information they have so that they can then determine how they need to protect it in all the locations where it’s located. Because kind of like Nathan was talking about with the classification and so on, if you have certain high value information and it’s located some place that might be a high-risk area, like out in a public area, that will need much more security around it than if you had it some place perhaps within many walls, within the center of a building that all have locks on them and very tight access controls.
19:58 Matthew D Edwards: Alright, alright, that’s good. So let me summarize these things, if you don’t mind. So far, basically what I believe you both have well-communicated is, hey, an information security plan is non-negotiable, it must exist if you’re a business and you have employees and clients, you’re likely collecting information, and that’s not just technical things. So while we’re talking about the senior living community, and we’re talking about the adoption of Internet of Things devices and technology and networks, where there’s a whole lot of data and privacy and planning that required there, it also includes everything leading up to and around it, and afterwards as well, which could be paper-based, it could be experiential, it could be relational, communicative, Post-It notes, the doors. So what data do you collect? Where is it located? Who has access to it? And then what’s your plan, what’s the plan to collect it, what’s your plan to store, what’s your plan to share and engage with it. So it has to be done on purpose, and while we all want to trust, we need to have a plan and then trust that we’re all using the plan as opposed to just trusting the merits of good character and great people and sometimes hairy days and, it’s a tough day.
21:20 Rebecca Herold: Exactly, and I might add, make sure you know if people are using their personally owned devices and include those devices in your program, because you absolutely have to protect data everywhere, even if it’s not on your organization’s own computer systems within your own facility walls. And I know in a lot of organizations, people are now, especially with work from home, people are using their own personally-owned laptops and… Oh my gosh, I’m looking right here at a USB drive that has 64 gigabytes of storage on it, and I know a lot of workers who use these handy-dandy tools to take home and do work at home. Or they probably already have them there, and it’s easy to collect because this one only costs $9 and so I could have probably a dozen of those, make sure all of your program covers those personally owned devices and storage devices and that you have training so that the people using them, know how to secure them.
22:37 Nathan Gibson: And what the professor just said on training, that’s the most key part. Having an information security plan and doing regular training on that and testing the effectiveness of your training is important. You can document everything, but if you’re not training your employees, you run into situations where somebody may be just trying to do their job in just situational… I see it all the time. Somebody calls in to make a payment and your computer is down. Okay, I’m gonna pull out a sticky note here, what’s your credit card number, and write that down on the sticky note, what’s your CVV, the security code on the back. And the expiration date and everything, and they stick that on their desk, and then later that day when the computer comes back up, I’m gonna go process that payment now. What happened to that sticky note that has that payment card data on it, or what happened to that sticky note that had that person’s social security number on it?
23:42 Matthew D Edwards: And your training on your information security plan isn’t about this is our policy, you must read it, take a test and follow it. It’s more about, Hey, this is what we are charged with, this is why we’re trying to protect data, here are the threats to that here, the people who are trying to gather that, to bring that threat awareness or the vulnerability awareness to the employees, so they can do their part in those situations where the policy may not cover it exactly. It helps bring them that situational awareness so they can do their part to continually protect the data, so that training is a key part.
24:20 Matthew D Edwards: That makes sense. So training needs to be a part of this on purpose. So let me transition this conversation to privacy. Do you believe that privacy is a component of the larger information security plan, or is a privacy plan its own entity? What’s your perspective on that, and then what composes a good privacy plan in an organization that’s collecting not only paper-based data, but they’re also collecting data based… Device-based data all over the place, what are your thoughts on privacy and what does that look like for folks?
25:02 Rebecca Herold: Well, privacy definitely has a lot of overlaps with information security. I mean, you have to protect the information, certainly. I think a very common misconception is that privacy means that you only protect data by encrypting it or it’s just about confidentiality. It goes so much more beyond that. Privacy means that you are giving the individuals about how their private and personal information applies, you are giving them some control over that information, you’re letting them know, Hey, here’s the information we’re collecting from you, and by the way, here’s how we’re using it, and here’s who we’re sharing it with, and here’s how long.
25:56 Rebecca Herold: We’re going to keep it and retain it, and here’s how you can get access to it, because we wanna make sure that it’s accurate because if this information is not accurate, it can have impact on your personal life when that inaccurate data gets out there and is being used to make decisions about your life. So yes, I’ve been doing privacy and information security management since around 1993, when I wanted to address privacy. I was responsible for creating the security requirements for what that was going to be… And I think it ended up being the first online Internet Bank in 1994. And I was establishing the security requirements and I was doing research and I found the OECD privacy principles. I thought, these make a lot of sense because this is a bank, and a bank has a lot of personal data. I happened to know the CEO and I thought… I’ll mention to him that it’s important for the legal counsel to address privacy.
27:20 Rebecca Herold: Well, at that point in time, just think about it, ’93-’94, there were no laws or regulations, so the General Counsel said “Sounds like a good idea, but it’s not my problem because there’s no legal requirement”. So the CEO told me, “Hey, Rebecca why don’t you go ahead and take care of privacy while you’re doing security,” and that’s where I learned throughout the years that it’s so important for security and privacy areas to work together. I think we need… You asked before about, should that be part of the program? Should it be separate entities? I say that it should be… Maybe possibly two areas, but they have to be integrated. And in fact, I see the most successful security and privacy programs are the ones that really coordinate closely and often report to the same person in the organization.
28:18 Rebecca Herold: They don’t have the privacy officer reporting to the General Counsel and the security person reporting to the CIO, they actually have a Chief Information Assurance Officer who is responsible for all information and that comes down and covers privacy and security equally. And they’re kind of outside of the CIO and the General Counsel area. Because I’ve learned from just experience, if you start getting put into the IT area, or into the legal area, oftentimes needs and risks do not get addressed appropriately because you don’t have enough authority in that organization to say “We need to do this. It’s important.” Sometimes you get overruled in these organizations. When you’re talking about senior living organizations, those might have a little bit different setup with regard to executives and their org charts, but still they need to understand that you need to address security and privacy, the different issues between them. But at the same time, they can’t be done in isolation of each other, they have to work cooperatively in order to be successful.
29:43 Matthew D Edwards: Well stated.
29:46 Nathan Gibson: Yeah, I would echo what Professor Herold said. I work closely with my counterparts on the privacy side, the chief privacy officer, and very passionate group of privacy, I guess, I would call them engineers, architects, but more often advocates is the best way I can describe it. Now to answer your question about how I see privacy and information security, and it may take a little bit different view on this, the privacy folks also have kind of an ethical watchdog component to it. It’s not just about what data you’re collecting, everything Professor Herold said absolutely… But they’re also there to make sure that the organization is doing the ethical thing. We are collecting this data specifically and solely for this purpose, and when another group or department comes by and has great innovative ideas, that’s absolutely fantastic. That privacy plan and those privacy professionals are there to say, “Hold on a second, I’m gonna be the voice of the customer. Have we communicated with the customer that we’re gonna do this? We need to give them the option to choose whether or not they want to do this.” It’s going beyond typical, this is what exactly the law says I can and can’t do with this data from a privacy perspective.
31:17 Nathan Gibson: And it’s more about, “Hey, are we doing the right thing by our customers? Do our corporate policies, do our corporate standards and procedures reflect our ethics and our values as it pertains to protecting our customers’ data, only using the data in the way we stated we would use it, not trying to blur between the lines or trying to figure out how to make an extra buck or whatever.” They are that advocate, they’re speaking on behalf of the customer. And the security plan is a component of privacy in a sense, because part of security is, okay, when it’s on technical solutions, how do we make sure it’s encrypted or how do we make sure that it’s secure in transit or it’s only being stored where we allow it. That’s one small component of a larger privacy plan, which is more around communicating and being ethical and truthful on what data we’re collecting, what we’re using it for, and giving people the opportunity, a choice, to update that data or ask us to get rid of that data, if needed. That’s really a privacy plan in the privacy program and the professionals that operate them.
32:33 Matthew D Edwards: So if I could summarize, based on what I’ve heard so far, before we move on to another interesting question, it sounds to me like the idea of an information security plan must exist, the idea of privacy on purpose must exist, and whether they are one idea or two ideas, they’re basically so interwoven that they must both exist.
33:00 Rebecca Herold: Well, I was just gonna say, when you’re talking about that interweaving, definitely, I wanna give kind of a real world example, too. And I’ll use HIPAA because I know that senior living organizations are covered entities, most of them are anyway, under the Health Insurance Portability and Accountability Act or HIPAA. We have the privacy rule and the security rule. And I know that a lot of organizations deal with each of those requirements separately in the organization. However, real world, the privacy rule requires that you give your patients, your residents, access to their personal information. So oftentimes that information is given to them via online portals. Now the privacy office is going to say, “Okay, well, we’re going to make a policy that we must give all of our patients, all of our residents, access to their health records,” and that meets that privacy rule requirement.
34:07 Rebecca Herold: Well, who’s going to have to implement the actual access to that information within the system? It’s going to have to be the IT area, and the information security area has to be involved because in order to meet the privacy rule requirements, which also include a very wide requirement to follow the security rule, have safeguards in place, they are going to have to be able to implement security over the way in which patients are given access to that patient information. They have to work together because the security officer, they need to understand if what they’re giving access to is everything that is necessary to meet the privacy rule requirements and then to log, for the accounting of disclosures requirement, that access not only by the patient, but by other people who need to get access to it as well.
35:09 Rebecca Herold: So those of your listeners who might have responsibilities for these might recognize that, yes, accounting of disclosures and access to information in all forms, not just digital, but also physical, you have to coordinate how that is done securely with the security officer as well. So I think that’s a very important real world scenario that every type of organization has to deal with.
36:32 Matthew D Edwards: For organizations, whether they have experience with it or not, after they have these in place, they have an information security plan, they have a privacy plan, all is right with the world, and they believe that things are great. How do senior leaders in these organizations stay aware of how well their organization is actually doing implementing these ideas? In other words, just because we have it doesn’t mean we do it, but if we are implementing and doing these things, how do I know on a regular basis as a leader, if I’m not involved in it day-to-day, how do I know that we’re doing it well? Or doing it at all for that matter, how do they know? Nathan?
37:20 Nathan Gibson: Yeah, so, essentially, what we do in our role is called effectiveness testing. How effective are our administrative controls, our operational controls and our technical controls? And part of a healthy information security program is to have appropriate effectiveness testing. And effectiveness testing can be anything from audits like we are probably mostly familiar with. Somebody comes in and actually takes a look at your policies, your standards and your procedures that make up your information security plan, and then they observe day-to-day operations and historical artifacts and actions to see if people are actually adhering to those policies and standards that you have in place.
38:11 Nathan Gibson: So having an effective testing program, both internal and external, whether you contract occasionally with an external third party to come and evaluate or have somebody dedicated internally whose job is to go through and just randomly spot check these standards and the processes and procedures as they are in action. The other thing is to have a healthy reporting mechanism for employees so that when they do see something that violates standards or procedures, everyone’s comfortable with elevating that so that organizations can understand. Employees won’t have fear of reprisal necessarily because they violated a particular standard, like violating the HIPAA privacy rule.
39:02 Nathan Gibson: It sounds like a pretty scary thing, but if a process or procedure is broken or training is ineffective… We talked about training earlier, the organization needs to know that. So it’s important for leaders not to necessarily have a heavy-handed approach to policy violations, but more to treat those as opportunities where you’re testing your program and you are making changes, whether that be enhanced training or whether that be a total change of procedure because you found out something you documented in the past may not be applicable today or may not be working today because new technology came in or new processes came into place. Employees are innovative all the time, they may find out ways to do things better and cheaper, but we may need to amend the policies and processes or tweak their innovative ideas to ensure that it’s still meeting the initial objectives of that information security program and plan.
40:04 Rebecca Herold: And I would add, too, all of this is so important to be part of a full risk management program, that’s a subset of your overall security program. What Nathan talked about, one of the things I love, and I think the different types of senior living organizations and other healthcare organizations can do as well. And I think Nathan mentioned this, but I wanna highlight it because I found it’s very, very useful. I used to call them work area walk-throughs. I do them after hours, but basically what I would do is I’d get my team together, and I do this for other clients too, and we would go through the areas and just see, in the areas where people have their workstations, are they still logged in? Are they logged in and actually on a screen where patient data is being shown? Do they have files laying on top of their desk? All the different things that you can actually see, and here’s one, oh, this is still common today, 25 years later, 30 years later, it’s still common today: sticky notes under your keyboards with your passwords written on them. Do the work area walk-throughs. This not only helps you to find where people need more training, and not just formal training, but also reminders.
41:36 Rebecca Herold: They’re fun things to do, different types of activities so people can see what they’re doing with regard to how they would handle security and privacy. Another thing I’ve done with some hospital systems is use case exercises. So I get different teams together within an organization, give them a scenario, it’s usually a breach or some other type of security incident, and see if they can follow the published security and privacy policies within the organization in order to appropriately address that situation. You have your policies and procedures written for your employees to follow. So do you know if they’re going to be able to follow them when they really need to, in disasters or business recovery, and certainly…
42:30 Rebecca Herold: In Iowa with the derecho, we had a lot of disaster recovery and business continuity being tested here in the past week. So doing those use case exercises is another way. You can say that it falls right under your training requirements for many different regulations beyond HIPAA, but it’s not a formal training where they’re sitting there looking at their screen. They’re actually doing things and it’s something that sticks in their mind for quite a while. And also doing other types of fun things. Have guest speakers, and I don’t know if any of you remember Clifford Stoll? Clifford Stoll wrote The Cuckoo’s Egg. He actually, in 1987, busted the first huge ring of Russian hackers into a university on the west coast because he noticed a two or three cent discrepancy within the system and he just wouldn’t let it go. And why wouldn’t he let it go? Because everybody told him that two cents was within their range of acceptability for errors, and he was like, no, this isn’t right. So anyway, read that book, The Cuckoo’s Egg, it’s still very good.
43:47 Rebecca Herold: I had him come in to be a guest speaker, and he was so good. He kind of reminded me of Einstein in the way his look and his hair especially was, but talk about engaging. And it got people interested and it made them think about security for many, many months after that. And how do I know? I know because I saw the number of hits on our internet website was so high for many months after he was there, and people were calling and actually giving me… Calling when they saw a concern: is this a problem? Should we be worried about this? And I love that because it meant that they had really taken in that message that information security is important and it’s important to recognize when something might be wrong. So all of this falls under risk management, because it is helping everyone in your organization to identify where risks may be, and also then take actions when they think there’s a risk and they need your help as security or privacy officer to let them know whether or not that is something they need to be concerned with.
45:12 Matthew D Edwards: Let me summarize some of the things I think we’ve talked about today, and then I’m interested in some final thoughts that you may have yet unspoken. Basically, what we’ve discussed is that information security and privacy plans must exist. And in order to do those things, you need to know what you have, where it is, who’s engaged with it, how it’s being utilized, and its full life cycle from birth to end of life cycle and what you’re gonna do at each stage along the way. And that includes everything from paper to marker boards, to Post-It Notes, although there should be no Post-It Notes, all the way out to the digital stuff, which includes the adoption of Internet of Things devices for remote monitoring in order to enable autonomy for our elders and eventually, maybe even us. So the privacy and security plans need to exist, it needs to be done on purpose, but then after it exists, you need to put in place a framework or a behavior that says, Hey, I’m going to regularly check, regularly test, regularly train to make sure that everyone is informed, everyone is practicing, everyone is heading in the same direction in the way that we need to.
46:27 Matthew D Edwards: So the things that you’ve communicated should be no surprise to people, which is, Hey yes, you need to have them. Yes, you need to do it on purpose. And by the way, you’re actually never done. So after these things come to exist, you haven’t said it, so I’m asserting it, but you’re never done. These exist, they have to continue to exist, you have to continue to train, continue to practice, continue to audit and test and verify and validate, you’re never done. So thank you for articulating these things because it’s not only Internet of Things, it’s everything inside the organization, but I wonder, do you have any parting thoughts for us that you haven’t mentioned yet, Nathan, Rebecca, any additional thoughts you’d like people to consider along the way?
47:25 Nathan Gibson: Yes, I would just say it may seem overwhelming at first, an information security program or plan, and if you don’t know what that is, you may have a tendency to go Google that. The good news, bad news is there’s gonna be a plethora of information out there and there’s a lot of guidance. One of the most common is the National Institute of Standards and Technology, specifically the Special Publication 800 series. It’s a great resource to go out to learn about what you should be thinking about in your information security plan, but don’t get overwhelmed by it. You can start simple by creating simple procedures about, Hey, when we have this form that needs to be filled out, here is our procedure on this form: the customer fills it out and we do A, B and C with it, all the way from when they finish it and hand it off to you to when you eventually put it in the shredder. Detailed descriptions, plans and all that is, is giving your employees and your staff directions on how to do your business, but you’re adding in the security components in there to make sure you understand every step of the way, so it can be that simple.
48:42 Nathan Gibson: And over time, as you create more and more simple documents like that, that becomes your information security plan. That is helping you ensure that you’re protecting your clients’ and your customers’ and consumers’ data at that point, and then you can use those references like NIST to help you understand, “What am I not thinking about? What else do I need help with?” And it can help guide you, so don’t let it overwhelm you.
49:14 Matthew D Edwards: Yeah, very good. So use NIST 800 series as an excellent starting point, but start small. Rebecca.
49:23 Rebecca Herold: Yes, and I would add, everyone needs to remember and think about the fact that these concepts that you use to secure what’s within your organization, these apply to your own life. Everyone basically now has their own computers, everyone has their own smart devices or own smart phones, WiFi networks, I mean, not everyone, but it’s getting there; one of these days it will be ubiquitous. It will be pretty much anywhere you go, you’re actually going to be, if not leaving a digital vapor trail around you, you’re going to be passing through other people’s digital vapor trails because everyone has computing devices. So when you think about developing these controls, think about the fact that you can use these same concepts and same controls within your own home. You can use them within your own WiFi network at home and so on. So you need to keep that in mind and just view this as an opportunity to use what you’re doing at work to also improve your own home life with regard to your digital assets and your paper assets and secure them better as far as that goes.
50:50 Matthew D Edwards: Well, this has been an outstanding conversation today. And I am confident that in just the short amount of time that we’ve been together, we haven’t even come close to communicating or amplifying all of the things that are occurring in both of your minds this entire conversation. So thank you for distilling a lot of your experience and your thoughts and your perspectives down into smaller bite-sized chunks for everybody to think through.
51:18 Matthew D Edwards: Today, we’ve talked about information security plans, we’ve talked about the value of privacy plans and doing both of those things on purpose, and a lot of the work that goes into getting there. But then we’ve also talked about, after it’s in place, how do you know you’re doing the right thing correctly and completely on a regular basis, well into the future? These aspects, these conversations help people get started, but there’s a whole lot of work after that, and they’re probably going to have to have one or more people who exist in the company to do these things on purpose on a regular basis. And both of you have experience leading and guiding and training those types of organizations and those teams and those implementations in companies large and small, so thank you for taking the time to teach us. Thank you for a wonderful conversation. And I look forward to talking with you both again in the future.
52:15 Nathan Gibson: Likewise. Thank you, Matthew.
52:15 Rebecca Herold: Oh, thank you very much. I enjoyed it.