Building an OSINT and Recon Program to address Healthcare Information Security issues

Abstract

 Building an OSINT and Recon Program to address Healthcare Information Security issues

 Healthcare has significant challenges with implementing effective information security programs. To start with, for as critical a resource as it is, it is continually underfunded or does not have the organizational reach that it needs to be effective. Combined with that is the uncertainty caused by the rapid introduction of new technologies into the environment, without consideration for the legacy technologies they replace, or in many cases the lack of education around said technologies. Many of them were brought in because some larger “model” health system successfully used them.

 Additionally, many large healthcare systems operate structurally very similar to large companies with multiple divisions. This means that effective communication is an aspirational goal.

 The Health Information Portability and Accountability Act, better known as HIPAA, has also caused significant fear with healthcare professionals. There have been a lot of charlatans in the industry who have recommended solutions for Healthcare Information Security and HIPAA compliance that are nothing more than security theater, providing in many cases worse solutions than having no security at all. Fear, Uncertainty, and Doubt as applied to the HIPAA Security Rule have done more to hurt the idea of healthcare information security than Ransomware.

 When it comes to assessing and addressing risk, numerous team members often refuse to give truthful answers due to fear for their jobs, and because many of them know that their concerns will not be addressed.

 This leads to an incomplete operating picture in many healthcare organizations that not even the senior executives completely understand or comprehend, which makes risk assessment, mitigation, and ongoing remediation a nearly impossible task.

 A major focus of what I have done over the past 11 years is to build Open Source Intelligence and Recon programs to understand the internal structures and makeups of healthcare organizations, and to be able to address risk and customer concerns through establishing relationships and building the real operational picture of the environment. Utilizing standard customer service skills, I have been able to build understandings of complex environments and their challenges and use that knowledge to develop risk management plans and large projects that address key issues.

 The structure of the talk, as I envision it, would be:

 I. Background on Healthcare Information Security – what makes it unique?

 II. How to catalog information about the environment and learn what unique devices and processes exist.

 III. How to work with customers to identify what they have and how its used – how to explain technology to those who do not understand.

 IV. Stopping Fear, Uncertainty, and Doubt with your fellow team members.

 V. Building continual communication and intelligence research into your daily work.

 VI. How to plan out who to speak with next as part of a plan.

 VII. How to deal with organizational politics and the reality of territorial managers.

 VIII. How to continually take information organized from sources and turn it into actionable intelligence.

 IX. Using actionable intelligence to reduce risk through minor changes in the environment.

 X. Continual Delivery and how that (or the lack thereof) impacts your credibility.

 XI. Serving the mission, allaying concerns, and being that ambassador of good practices based on OSINT and Recon.