Q&A: Andy Weeks Discusses the Challenges of Reconciling Security and Compliance
Dennis Fisher: Okay, welcome to the Digital Underground podcast. This is the third in our CSO series of podcasts with high level information security professionals and I’m very happy to have on the line today my guest Andy Weeks who is the manager of risk and compliance for enterprise information security at Humana, Inc. It’s a long title but it’s a big organization that has a lot of security and compliance concerns. So we’re gonna talk to Andy about all of that and hopefully shed a little light on how difficult it is to run that kind of program in such a big Fortune 100 organization. So, Andy thanks for joining the podcast today.
Andy Weeks: No problem, glad to be here.
Dennis Fisher: Alright, so let’s start out sort of very basic. I think a lot of people know the name of Humana but they’re not necessarily sure what Humana does. So give us a little background on what Humana does and what kind of organization it is.
Andy Weeks: Absolutely. Humana is, sort of the short answer, a health benefits company. We are in the business of ensuring that people are able to get the healthcare that they need, primarily through commercial and government sponsored health insurance. Most folks may be more familiar with Humana from our previous business, where we were focused as a hospital company, but we have been focused for the last decade or so on the health benefits industry and have a real focus on bending the trend, helping our customers be better prepared to make good decisions around their healthcare, reducing the cost of service while also reducing the cost of benefits to our primary customers, and are perceived as a real leader in that marketplace. So the key element for us is to find ways to provide better healthcare at lower cost. My part in that is in helping make certain that all of our stakeholders’ information is adequately secured. As you can imagine, in the healthcare industry privacy is a major concern. The safety of our corporate information is a major concern. So those are the things that we really focus on.
Dennis Fisher: Okay so your customers are both individual health insurance holders like me or anybody else along with healthcare organizations themselves?
Andy Weeks: Generally speaking, our government business focuses on Medicare and military healthcare. We have individual insureds who may purchase health insurance from us, and then we have large group customers, which would be your traditional corporate health insurance buyers, so a large company who would come to us looking to insure all of their employees.
Dennis Fisher: Okay and so you said you’ve been there for about a little more than six years now and Humana has been going through a really rapid growth phase for most of that time it looks like. What was the information security program like when you got there six years ago?
Andy Weeks: That’s a great question. When I got here we were just in the midst of building up our HIPAA compliance and so there was a lot of focus on the regulatory requirements and the privacy requirements associated with HIPAA. We were a fairly immature organization. Not long after I got there we started implementing an annual security program maturity assessment. We used the Carnegie Mellon CMM security maturity model to begin measuring the maturity of our program against ISO and we have seen a very steady increase in maturity of our security program during that time. But I would say we were probably between a 1½ and a 2 on the capability and maturity model when we first implemented our enterprise information security program.
Dennis Fisher: Okay and was that immaturity just the result of it not being a top priority at the time?
Andy Weeks: I think it was a variety of things. I don’t think we were unusual among companies of our size in terms of our maturity. At that point in time I can even remember that the common quote was build the crunchy exterior and the soft interior. Let’s really focus on perimeter security. So there’s a lot of emphasis being placed on putting firewalls on the outside, getting workstation level controls like antivirus in place, and I think that a lot of companies felt like if they had those key elements in place that was really the extent of their security program. So it was a very operationally focused view of security rather than looking at it in a more broad holistic way.
Dennis Fisher: Yeah, that’s exactly right. That focus on network security and perimeter security was I think to the detriment of a lot of things in the early part of this decade. It had people very focused on things that were easily sort of improbable but didn’t make huge differences in what the overall security posture of the organization might have been.
Andy Weeks: No question.
Dennis Fisher: So what were the challenges for you in the security organization dealing with Humana’s really rapid growth over the last few years?
Andy Weeks: Well several fold, one was to recognize that we are in a highly regulated industry, a lot of emphasis being placed on the security of the organization through regulatory requirements and yet as we were going through growth we did not necessarily see a commensurate growth in spending on security. As a matter of fact one of the key things that we’re focused on even today as an organization is continuing to leverage the scale of the organization while keeping our costs in line so that ultimately our administrative costs or our overhead is decreasing relative to the revenue and so that puts a lot of pressure on building a solid security program when the requirements for security continue to increase.
Dennis Fisher: So how are you dealing with that sort of budget crunch there? That’s a pretty difficult challenge in an organization your size, I’d imagine.
Andy Weeks: Yeah, the key element is to make certain you’re focusing in the right areas and I mentioned the capability and maturity model assessment. That was a real help to us. Because we did that based on the ISO 27002 standard we were able to really hone in on very specific domains where we were weak. So by picking out the two or three areas of weakness we were able to focus our efforts in those specific areas and apply the limited dollars we had to increase our maturity and so by measuring that on an annual basis and now we’re moving to a more continuous basis of measuring that, we’re able to really focus where the dollars are spent for real value.
Dennis Fisher: Okay, so trying to get the best value for your money as everybody is in this economy.
Andy Weeks: Absolutely. When you spend you want to make certain you’re spending on things that have real impact. I think the second thing that we did was change from a data security or a network security based view towards a more information security based view which says that at the end of the day no matter how well you protect the perimeter and no matter how well you protect the network and how well you protect the end points, if you’re not protecting the information, whether that’s at rest or in transit, you’ve really not done your job and so changing that focus was a real challenge for us but one that ultimately has paid great dividends.
Dennis Fisher: So what were those specific areas of weakness that you ended up focusing on, the two or three areas?
Andy Weeks: Well you can look at a number of different elements of the program that we really have focused spending time on. Operational security, as I mentioned earlier, is something that I think we actually did pretty well. But if you start looking at things like how we handled our incident management process, that’s an area where we’ve made tremendous progress and again, that’s fairly operationally focused. But then you start moving into things like how do we bring awareness to our associates so that they are starting to make good decisions about the information? What are we doing around data classification? Do we know exactly what is in the data that we’re protecting so that we know where we can start to focus our most intensive efforts from an information protection perspective? That’s another area where we’re really trying to make progress. So, moving away from that sort of operational focus, not because we’re not emphasizing it but because quite frankly we’ve got solid technologies in place there, towards more of an awareness based program is where I think we’ve seen the most benefit and most progress in the last couple of years.
Dennis Fisher: Okay. Yeah, you mentioned sort of employee awareness stuff. There’s a big push for that maybe in the last four or five years, getting employees involved in the whole security program and making them part of the solution to the problem and I kind of hear this cynical view in the industry that that’s never really worked and user education is just kind of a waste of money because they’ll never really get it. They’re still going to open malicious emails and download applications from the internet that are going to wreck their computers. So it sounds to me like you’ve had a little bit of success with that. How much of that security awareness and user education do you guys do?
Andy Weeks: Well I think the real key here is sort of a traditional awareness program is based on this concept of let’s put newsletters out there, let’s do email blasts, let’s put pages out on the intranet and of course we do all of that. But I think the real point of the spear from our perspective has been in getting to real time point of use education. So by using some of the end point security tools that we’ve got in place we’re able to actually give real time feedback to our associates that says what you’re getting ready to do is potentially risky, are you sure you want to do this, or in some cases even what you’re getting ready to do is so risky that we’re going to prevent you from doing it but let us tell you why we’re preventing it and then by giving them that real time education you’re not depending on uptake. You’re getting them at the point of behavior. Therefore it’s a much more realistic and real lesson to them.
Dennis Fisher: That’s an interesting point. I haven’t heard many people who have implemented that kind of thing because a lot of times you’ll see these tools that will just say no you can’t do that but the end user has no idea why they can’t do that or why they shouldn’t do that.
Andy Weeks: Exactly.
Dennis Fisher: So have you found that that’s made a difference with your employees?
Andy Weeks: Oh there’s no question. In those very specific areas where we have been giving point in time information and we are now measuring the behavior we’re seeing a down tick in those kinds of behaviors. A lot of companies, I think you’ll be familiar with this, those who have put in place for example web filtering technologies definitely see if they measure the sites that folks are going to they’ll see that when they implement active blocking that the number of attempts to go to those sites goes down because of that real time feedback. But to your point if you don’t tell them why you’re blocking it, it’s kind of a cynical behavior change if you will, like I know I can’t go there, you’re blocking me, but I don’t really know why and as a matter of fact I’m going to work hard to try to get around the controls that you’ve put in place.
Dennis Fisher: Right, that’s exactly right.
Andy Weeks: We’ve even had folks within the business who’ve said I’m going to send people home to be able to get to websites that are blocked and what we’d rather they do is say hey, let’s engage in real dialogue. Let’s try to talk about why someone is trying to go someplace that normally we would block and come up with reasonable and secure alternatives rather than trying to just get around the system.
Dennis Fisher: Yeah, it’s an excellent point. I think more organizations should do that. They’d find themselves with less annoyed and more successful employees I would imagine. So given that you guys are in the healthcare industry and compliance is such a huge part of what you do, do you even separate compliance versus information security these days in terms of what you’re focusing on and how much of your time is spent on one versus the other?
Andy Weeks: That’s a really good question. We kind of have a catchphrase that we use within the organization and that is compliance is not the objective, it’s the natural result, and what that really reflects is we are not out there trying to just achieve compliance at the expense of good security practices. We really operate from a perspective that says, you know, if we do the right things from a security standpoint we’re going to be compliant. Now, that doesn’t mean that we don’t have an obligation to understand what the regulatory requirements are and make certain that we’re meeting those. But if we do that in the context of a broad security program, that again is another tactic that we use to best leverage the limited dollars that we have for information protection. We’ve done that through the establishment of a common security framework, and that framework incorporates not only the regulatory requirements. It also incorporates best practices, and that starts with some of the published industry best practices out there. It’s organized, for example, around the ISO standard. It’s also incorporating HITRUST, which is the health industry approach. It would be very similar to PCI. Let’s take all of the health industry requirements. Let’s come up with a common set of standards, and if we could all find ourselves compliant with that HITRUST framework then we will have a common level of information protection across the entire healthcare industry, and so that’s another key element of that framework, and then obviously building in the contract compliance requirements that we have coming from our customers as well. Pulling all those together into a single framework really allows us to be much more cost effective and, more just overall, effective in how we deliver those information protection capabilities.
Dennis Fisher: Yeah, so for a business like yours in which the data that you hold is really essentially what your business is, the value and the integrity of that data is just a huge part of what you guys do, you see all these data breaches that happen. How much of a concern is that to you and how do you go about protecting those databases? That’s got to be huge. It’s got to be right at the top of your list of priorities I would imagine.
Andy Weeks: Oh absolutely, the thing that keeps me up at night is the concern that I’m gonna find out that the information that we’re trusted with, which if you think about it, this is very personal information. If you’ve got an insured member’s health information, that is some of the most sensitive information in anyone’s life. If that were to be disclosed, we’re talking about a real issue that is the core of what we’re trying to prevent, and so looking at where we have that information stored, making certain that we understand where our points of weakness are so that we can effectively address those, is one of the key pieces of our program. So as I look, for example, at our database environment, being able to assess where the information is contained is the first step there. Once we’ve established where the information is contained, understanding where we have vulnerabilities is the next piece of that, and then finally putting together a strategy for addressing those vulnerabilities. That’s almost a feedback loop, a continuous activity to be able to understand the information, understand the weaknesses, address the weaknesses, and then continue to measure that, and that’s the process that we follow on a day to day basis.
Dennis Fisher: Has the sort of explosion of the smart mobile devices like smart mobile phones and Blackberries and iPhones and those sort of things, how much more difficult has that made your job in terms of protecting the data at every point?
Andy Weeks: That’s something that we’re watching very closely. At this point there is just a little bit of push towards mobility in the health industry. The point of use of the information is at the point of use of the service. So for example most people don’t think about their health information unless they’re in their doctor’s office or they’re in the emergency room. What we’re now beginning to see is an increasing need for mobility around that. So as you walk into a health clinic for example the ability for someone to carry with them their electronic medical record is something that is very exciting from a healthcare perspective but also very challenging from an information protection perspective. So being able to have a handle on the information protection, where it lies as it’s moving and as it becomes more mobile is going to be a real challenge for us over the next couple of years.
Dennis Fisher: Okay, have you put in any sort of restrictions on the types of devices that you want to deploy in your organization?
Andy Weeks: Today we have a very limited number of mobility devices that we utilize that are very policy based. It allows us to control the movement of information and so that’s one way that we’ve approached that and I think long-term that’s probably not scalable. Long-term we’re probably going to need to look at how we can be more open about the devices that we support for example. Maybe from a corporate perspective we’re only talking about 30,000-40,000 people’s information that we need to protect when we look at it from an employee perspective. But when you scale that out and look across our entire subscriber base, you’re talking literally millions of people who have access to information that we need to control and so that’s where it’s going to be very interesting on a long-term basis in terms of how we manage that flow of information.
Dennis Fisher: Yeah, and especially since you guys are subject to so many government regulations. You’re going to have to take those into account when you look at those policies as well.
Andy Weeks: Absolutely, absolutely.
Dennis Fisher: Alright, well Andy listen, I really appreciate your time. Thank you so much for doing this. I think it was excellent. I think the listeners should get a lot of good information and good ideas from what you guys are doing at Humana.
Andy Weeks: Well I appreciate your time and enjoyed sharing at least a little bit of what we’re doing. I hope it’s helpful to those folks.
Dennis Fisher: Absolutely. Thanks again Andy, take care.
Andy Weeks: Alright, take care.
Dennis Fisher: Bye.
Andy Weeks: Bye-bye.