This morning I came across this article over at TechTarget (SearchHealthIT). It’s about a healthcare shop in California and their approach to security. It’s an interesting read and the gist is that this particular shop, by virtue of their conclusion that “traditional cybersecurity technologies aren’t effective”, is embracing “next gen” tools instead. What are these next gen tools? They say they include microsegmentation and endpoint protection (via Cylance).
So, the thing I want to point out about this is something that I think is probably obvious to most folks that have been in the field for a while, but that might be a trap for those that haven’t. Specifically, that “new methods” is great – and absolutely, I agree with the conclusion that some legacy methods (e.g. perimeter defense, network monitoring, etc.) are less effective nowadays than they used to be. That said, getting on the bandwagon of the “new hotness” isn’t an excuse to not do the fundamentals.
The reason I’m calling this out specifically is that, as anybody who has had anything to do with security at an institutional healthcare provider knows, the track record for security in healthcare is… well, let’s call it “suboptimal.” So here’s the thing: it’s all good to get on board with new methods. I totally support that. But not if it’s coming as an excuse to not do the bare minimum blocking and tackling required to keep the shop humming. In other words, the position to eschew the past and go full bore on new models is one that I respect, and I think is awesome. However, it’s not an excuse to underinvest in controls that you might have failed to implement in years past… Note that I’m not implying that’s what this shop is doing. Just pointing out that there’s a danger. And it’s tempting to cover up sins of the past with a story of “we’re not doing that anyway.”
The trap comes about if you’re not keeping to a reasonable bar, there’s plenty of opportunity for armchair quarterbacking down the road. So don’t do that, k?