Dennis Fisher: Okay, welcome back to the Digital Underground podcast. This is the second in the series of CSO podcasts that I’m doing and I’m really excited. I’ve got Larry Whiteside on the phone. He’s the chief information security officer at the Visiting Nurse Service of New York. So we’re going to talk a lot about what specific issues he faces in his day to day job, how they can apply to other CSOs in other industries, and what we can all learn. So Larry thanks a lot for being on the podcast.
Larry Whiteside: No problem at all.
Dennis Fisher: Alright, so let’s
start out kind of at the beginning of things.
How did you end up getting into the security game in the first place?
Larry Whiteside: It was actually really interesting. Years ago back when I was in college I wanted to be a programmer. So I took computer science courses and thought that programming was going to be life, and then what happened was I got an internship to do programming and actually to do code review, and after seeing how black the coffee cups were of the guys who were doing the programming and seeing the hours that they kept, I realized that programming was not for me. So I did that for two years, mind you. I realized that programming was not what I wanted to end up doing, and what I ended up doing, I joined the military, and when I joined the military I got my commission to become an Air Force officer. My first job was as the chief of the network control center. So I kind of started out in the networking and total IT space, and when I began to implement our security framework there I realized that was a much more interesting space than the general networking space was. So it was just kind of by happenstance.
Dennis Fisher: So you said
that you were doing a little bit of code review right after college or while
you were in college. That’s
interesting. Was it specifically
security code review or were you looking for general bugs?
Larry Whiteside: I was looking
for general bugs and they wanted me to really just break the code. So my job was to just review the code of
these projects that these developers were working on and then review the
code. So I had it really good. I had a laptop that I would take with me and
I was reviewing code on this brick looking back at laptops.
Dennis Fisher: Yeah.
Larry Whiteside: I was
reviewing code on this brick and I would try to break it and see what types of
things I could do with that code outside of what it was supposed to do and I
guess looking at it outside of the box now I guess that was sort of one of the
security spaces but I just didn’t look at it then. At the time I was just a junior guy trying to
break into the programming space because in high school when I began to learn
stuff about computers, the fact that I was able to write my own program in
Fortran I thought was the coolest thing in the world. So getting this internship to do this and
review COBOL code I also thought was the coolest thing in the world for about
the first month.
Dennis Fisher: Yeah I think
for any of our listeners who are under maybe 30 we’re going to have to explain
what COBOL is as well as Fortran.
Larry Whiteside: True.
Dennis Fisher: I might have
to point them to a Wikipedia page or something.
So the interesting thing to me about that is up until really recently
there was not a lot of focus in the security industry and the software industry
in general on doing code reviews, looking for security bugs, trying to break
the code. Now it’s a big, big space with
a lot of sort of well-established companies doing it and a lot of consultants
making a whole lot of money doing it. But
fifteen years ago I don’t think that was the case.
Larry Whiteside: Yeah and you
figure this was ’92 but when you think about what my level of experience was
stepping into that, the fact that they had an intern trying to do it, they
weren’t putting a whole lot behind it.
It was really here’s something to keep this guy busy so that we can
justify that we’re paying him and contributing to the whole welfare of the
school and the job program.
Dennis Fisher: Yeah, that’s
a good point. Yeah, if they have an 18
year old doing it it’s probably not a high priority. So when you got in the military what type of
security stuff did they throw you into?
Larry Whiteside: So it was
really initially all focused around network security and vulnerabilities, OS
vulnerabilities, particularly Microsoft.
So a lot of focus in my early days in the military was around perimeter
security. Firewalls in 1995 were the big
thing. Check Point came out and it was a
very big thing then Check Point came out and then the Air Force actually
created a defense in-depth strategy that they certified a specific firewall which
was Sidewinder owned by Secure Computing at the time as the Air Force firewall
of choice and so then they had a big program that they funded all the bases to
get this entire security suite which included a vulnerability scanner and just
a lot of different things. So that was
sort of my first break into the entire network security space. So it all dealt around perimeter security and
vulnerability and vulnerability scanning.
Dennis Fisher: And that was
kind of essentially what security was then, network security. There was not a lot of differentiation
between desktop security, network security, internet security. It was all kind of lumped into the same
bucket really.
Larry Whiteside: Absolutely,
absolutely, and what happened is back then with that being the case, everybody
was so worried about the external threat and in DOD it has been somewhat true
over the years that the largest external threat, the number I think they gave
back in the ‘90s was 80% external and 20% internal.
Dennis Fisher: Right.
Larry Whiteside: So that was
really where the main focus was and so when Check Point came out and all these
different firewall technologies began to hit the streets it was a very, very
strong push to get that done and be very smart in that aspect.
Dennis Fisher: So that’s
obviously changed a lot in the time you’ve been involved in security. Now we hear a lot about the internal threat,
the insider threat, data thefts, all of that kind of stuff. Have you seen the responses to the threats
change a lot since your first years in the industry?
Larry Whiteside: Absolutely, it
is a total 180 that has been done where initially I was talking about the
80/20. Now they say like 30% external
and 70% internal as far as the threats go and how your data is actually leaving
the door and the funny thing I look at is as I’ve been through different
businesses, I’ve been in DOD and federal and the private space and I’ve been a
consultant running a consulting practice, and all these different spaces,
financial services, as I’ve looked internally and looked at what people
consider to be data leaving the door, a lot of it out of that 70% has been
through just pure bad business practices.
Dennis Fisher: Right.
Larry Whiteside: It’s not
necessarily people doing things to harm the company. It’s just a lot of people want to get things
done and they don’t necessarily know the means to get them done.
Dennis Fisher: But the end
result usually ends up as the same thing no matter what your intention
was. Bad things happen to your company.
Larry Whiteside: That’s it,
bad, bad, bad.
Dennis Fisher: So let’s
talk a little bit about what the Visiting Nurse Service is. What exactly is the business that you guys
are involved in?
Larry Whiteside: So we’re in a
rather unique space. We’re a home
healthcare company and it actually branches beyond that because we’ve got what
was considered a hospice hospital for terminally ill people and we do a lot of
managed care. But our prime business is
basically providing the exact same service that you would get in a hospital in
someone’s home and what happens is that our goal is to transition people from a
hospital bed because those things are running you, just to have a bed,
regardless of the services, just to have the bed is tens of thousands of
dollars a night. So our goal is to
transition people from hospitals into their homes and provide them the same
level of care where they’re getting a nurse that we have that visits them on a
daily basis and our visits go from pretty much spanning the entire gamut of
care. So it could be a physical therapist.
It could be a speech therapist. It could
be somebody who needs to care for wounds.
It could be pretty much anything you could need.
Dennis Fisher: So being
involved in the healthcare industry, compliance and specifically HIPAA I would
imagine are a big part of your job these days.
Larry Whiteside: HIPAA is a
very, very big part. It’s something that
we think about all the time. For me,
coming into the healthcare space, the funny thing is having transitioned out of
financial services and having been in a lot of the other spaces, I realize that
a lot of things are similar. However
healthcare poses some specific challenges because think about walking into a
hospital room and you look at maybe ten devices that are around that room that
are taking some sort of medical statistic on the patient who may be in the
bed. So we may have that same type of thing
in some people’s homes but all of those are pieces of equipment, the operating
systems. So we’ve got critical data
coming in all shapes, forms, and fashions and it has to all be gathered
electronically, put together, and somehow reported on and put into what’s
considered a patient record. So it’s a
very, very unique environment.
Dennis Fisher: So how is
that patient data from those home devices, how do you get that to a central
location?
Larry Whiteside: So we have
what’s called a tele-health network where we get vital statistics from patients
in their homes and that comes in via good old-fashioned dialup. We don’t have a lot of the threats of being
live connected to the internet but we also have on top of that I’ve got nurses who
are completely mobile 99.9% of the time going into these homes utilizing
tablets and with those tablets they have to gather information and vitals and
information about the medicine that’s being dispensed and how much they’ve
taken and just regular clinical notes about the patient and get that back into
the patient record. So there are a lot
of challenges because the data that we have to use and we have to keep central
is very, very mobile.
Dennis Fisher: So you’ve
got not only the patient data on those devices, you’ve got the stuff on the
tablets, and then you’ve got it sitting in databases somewhere in a data
center. So you’ve got a whole lot of
sort of touch points where the data could potentially be vulnerable.
Larry Whiteside: Absolutely.
Dennis Fisher: So how much
training, if any, do the nurses who are going into these homes get when it
comes to security and being careful with the data?
Larry Whiteside: They get a lot
of training. For them it actually comes
with their licenses. So nurses are a very well-regulated group of people. So they
have a lot of licenses and there are a lot of stipulations to keep those
licenses. So they have to know the HIPAA
regulations extremely well, unlike financial services, if you really go ask your average financial services person about any specific line items in SOX it’s
very rare that you’re going to find that they can actually quote any of
them. They may be able to quote one but
beyond one most people aren’t going to be able to quote them. But if you go to nurses who don’t have to
deal with HIPAA from a technology standpoint, they know HIPAA extremely well
because HIPAA is tied to their licenses where if they violate HIPAA or any part
of the HIPAA regulations from a privacy or security standpoint they could lose
their license.
Dennis Fisher: Wow, I didn’t realize that.
Larry Whiteside: And if they
lose their license they can’t work.
Dennis Fisher: Yeah, I
didn’t realize it was that closely tied to their license renewals, wow.
Larry Whiteside: Yeah, and I
really didn’t know that until I got into this field and I did some tagalongs
with a couple of our nurses to just see what they do on a daily basis as
they’re doing their patient visits and making their daily rounds and having a
discussion with one of the nurses she identified that I’m aware of HIPAA and
what my responsibilities are because I know that if I violate any of these
HIPAA privacy or whatever laws intentionally – now don’t get me wrong. There are the accidental violations of they
lost a form or the computer was lost or whatever but if you intentionally
violate any of the HIPAA guidelines then
there is a possibility that you could lose your license. We have a very strong training around that as
part of their new employee training and just ongoing HIPAA awareness training.
Dennis Fisher: Wow that’s
impressive. I didn’t realize that. That’s excellent. So with the tablets that the nurses carry
around with them, do you guys go to the lengths of using encryption on the
tablets and things like that?
Larry Whiteside: Oh yeah, we go to every length you could possibly imagine. They’ve got all of their external ports, USB, CD-ROMs, all locked down so you can’t write anything to them. They have a state-based SSL VPN so every time they turn that box on, whether they are plugging up to a hard core Ethernet cable or getting wireless, and the wireless is actually locked down to only our Wi-Fi and they can only connect to our 802.11. They’ve also got a broadband card in there but regardless of what kind of connection they get, that state-based SSL VPN brings them back into our environment. So any connectivity forces them back to us. So they are basically always connected. We have those things locked down tighter than pantyhose two sizes small.
Dennis Fisher: I like
it. Encrypting the data on the devices
is one of those things that just seems like kind of a no-brainer that not a lot
of organizations do even now. I think
the encryption guy has gotten a bad name in the last ten years as being really
difficult to implement and kind of a burden on the organization but I don’t
think it’s that way anymore.
Larry Whiteside: I agree and I
have implemented it now a few times in different verticals and with the tablets
it’s funny because we actually took a different approach rather than going with
a whole disk approach. With the tablets
what we chose to do was do a folder based approach based on where the data for
the local applications has stored the information. So the nurses don’t have the capability to
store any clinical data anywhere other than a specific folder and that folder
is encrypted so that we don’t have to worry about it because it just made it a
lot simpler from an implementation standpoint and when we’re building the
images to do that. Now the rest of our
laptops we’ve got whole disk encryption because the rest of our laptops don’t
have those types of controls around them.
So any non-clinical laptop we’ve got whole disk encryption deployed on
it because we know that like myself if I happen to have clinical data on the
laptop that I use I can store it pretty much anywhere I want. But I agree that encryption did get a bad rap
a number of years ago. There were a
couple companies that had a chance to really take those misnomers out of the
market and really make their footprint very well-known and they didn’t. But now I look at encryption as just one of
the commodities that you should almost expect to be on any mobile laptop or
tablet.
Dennis Fisher: Yeah,
especially when you’re dealing with something like medical data. But other organizations too, I was at a
conference last week or earlier this week actually of these traveling meeting
planners who collected tons of data as well.
It’s not medical data but it’s credit card information, it’s all kinds
of other stuff, payment information, home addresses sometimes, that kind of
thing and the session that I was part of was on data breaches and a lot of
people in the room really had no idea what the extent of the data breach
problem, what tools were able to help them, that kind of thing. So you sort of get an understanding of how
these data breaches are happening because there’s a lot of data being collected
and people not being careful with it.
Larry Whiteside: Well and I’ll tell you I think part of the reason with that is because a lot of people don’t really understand a) the value of the data they have or b) when they start putting data together. So one guy may be working on one specific subset of data and then somebody sends him something else and he begins working on another project that has another subset of data, and it’s not until you begin combining datasets that that data then really truly becomes valuable, and a lot of people don’t realize that they’re doing that, that they have combined data sets through multiple projects, that now when you combine those data sets, that is extremely valuable information, and it used to happen in the military quite a bit. Somebody would get an email about one particular topic and somebody else would send them another email expanding on it, but then the information that they included in that follow-up email then made that entire email classified. So that piece is really hard to deal with but I think it’s simple. A lot of people don’t want to. They think it’s very expensive. They hear encryption. They think a) it’s going to affect how fast my computer is and I can’t afford for my computer to be a millisecond slower because then it’s going to take me hours more to get my work done, and the cost, they just don’t know what the cost is and they think it’s $1,000 per laptop to encrypt it.
Dennis Fisher: Which isn’t even close to the truth these days.
Larry Whiteside: No, not at all.
Dennis Fisher: And whatever
the cost is, it’s certainly less than seeing your company’s name in The Wall Street Journal as having lost a million customer records.
Larry Whiteside: I’ll tell you,
you know the analogy I use every day in my business and when I speak with
people in the industry is insurance and you can say auto insurance, life
insurance, any insurance. Everybody in
the room when I ask the question raises their hand because they have insurance
and nobody says, “You know what, I’m not going to buy any insurance because the
likelihood of that happening to me is low.” Everybody does it because they know that
eventually it’s going to happen.
Eventually it’s going to happen and the cost of having this in place is
so much less than even if you were to go 20 years without having an incident
and then that one incident happens, not having it could cost you your
livelihood and that’s the same thing for companies. Not having it could cost you so much in brand
reputation and it could cost you so much from just the reporting and everything
else that you have to do for your clients, it could drive companies out of
business and I just tell everybody is it worth it, is it worth that?
Dennis Fisher: Yeah that’s
a good point. You think about it, yeah
the insurance analogy I think is a perfect one because if you don’t have car
insurance and you get in an accident, especially if it’s your fault, you’re
paying a whole lot of money.
Larry Whiteside: A whole lot,
you’re paying for your own repairs, other people’s repairs, if they got hurt,
the medical bills for the other people, it could be extremely disastrous to you
financially, disastrous personally.
Dennis Fisher: Right,
right, and so there’s a lot of states that mandate that you have to have auto
insurance, some that don’t, and I think we’re getting to that point with these
breach disclosure laws where they’re not mandating encryption but they’re
saying listen, if you lose a laptop but it had full disk encryption on it you
don’t necessarily have to report that loss to us.
Larry Whiteside: Yeah and
that’s why what I think the states are starting to do is states are starting to
recognize due diligence. They’re starting
to recognize that you can’t penalize the companies that are trying and make
them do the same thing that we are making companies who are boneheads and
aren’t trying do. So that’s why they’re
putting in clauses like if you have full disk data, if the data is encrypted,
you don’t have to notify and in some states in some cases they’ll say you have
to show that it was encrypted. You have
to give some sort of mechanism to prove that it was encrypted. But as long as you can prove that data was
encrypted, you don’t have to notify and I think that that’s fair. I think that it’s fair because for companies
that have gone the distance, put in the effort to do their due diligence, I
don’t think that they should be held accountable to the same levels that those
who are just boneheads and not doing what is easily done these days.
Dennis Fisher: Yeah, I
agree with you. It’s a good point and I
think more and more states are gonna adopt that stance as we go forward and if
there’s ever a federal breach disclosure law I have a feeling you’ll see that
in there as well.
Larry Whiteside: Right and I’ll
tell you as far as breach disclosures, so when I came into healthcare it’s been
about two years now, almost two years that I’ve been in this position and I
always just assume that from a disclosure standpoint that if we were to happen
to have a breach that I had certain notifications that I had to make and the
reality is they just created that law for those rules for the healthcare
industry.
Dennis Fisher: Really?
Larry Whiteside: They just
began to mandate the high-trust rules.
Dennis Fisher: Yeah that’s
right.
Larry Whiteside: You have to
now report this to these entities. So
I’ve spoke to a lot of people regarding the high-trust rules to include Gartner
and a whole lot of other industry analysts and magazines and it was actually
pretty shocking to me that this is the first mandate for that type of reporting
in the healthcare industry because I always just assumed it was there already.
Dennis Fisher: Yeah, you
know what? I did too because I saw a
story I think this week or maybe late last week talking about –
Larry Whiteside: Last week,
mhm.
Dennis Fisher: Yeah,
talking about the mandate for this and I looked at it and thought wait a
minute, what do you mean they’re mandating it now?
Larry Whiteside: Exactly, it’s
2009, hello!
Dennis Fisher: Yeah, it has
to be in HIPAA somewhere but no, it’s not.
So yeah, it’s sort of amazing how far behind some industries are. Others are sort of creeping up on getting
there but there’s a broad spectrum of where things lay right now. So looking at all the data that you have to
collect, do you have any strategies for trying to minimize collecting unnecessary
data or keeping things longer than you absolutely have to to try and minimize
the risk?
Larry Whiteside: I’ll tell you, that is a constant hurdle. Retention in the healthcare industry is probably one of the biggest hurdles that exists simply because when you’re dealing with patient information and records associated with patients, and you’re dealing with, we’ve also got the HR stuff and business development stuff. So we’ve got all these different categories, right, that we have to figure out how to deal with, and that is one of the biggest hurdles to deal with on a daily basis: what is your system of record, right, because the reality is there are gonna be little bits and traces of certain types of data in a lot of different places. You’ve got email where you’re doing internal and external communications with things. You’ve got all these different – if you have a document management system or something, you’ve got all these different areas where data may exist, right, and it’s what is your system of record. What do you consider to be your system of record, and then what type of retention policy are you going to put around the different classifications of data that you have for these different environments? HR has their requirements. Different clinical requirements have their requirements. How do you make that, and that is a constant hurdle. That is a constant hurdle that we have to deal with on a daily basis. Another big hurdle is just that data classification. In the healthcare industry you figure any time it has medical data in it it’s critical, and so in healthcare institutions there are multiple clinical departments and everyone is dealing with a different subset of a patient’s record. So it’s almost all critical information. It’s all critical information.
Dennis Fisher: And
depending on the size of the healthcare facility they may be keeping separate
databases. They may have separate
systems for classifying that.
Larry Whiteside: That’s exactly
right. If you’ve got very disparate business units that sit regionally or
globally dispersed and they’re having to deal with these things, a lot of times
you have different systems in different places.
So just from an architecture standpoint it’s easier for them to access,
store, and save the type of information they’re working with. So it can become very challenging.
Dennis Fisher: Yeah, I can
imagine. So aside from the data breach
nightmare of waking up and getting the phone call that somebody lost a laptop
with records on it whether they’re encrypted or not, what are the things that
you really worry about now? What kind of
threats are really at the top of your priority list these days?
Larry Whiteside: For me from a
threat perspective my main threat is the insider threat and I’ll give some
context around that. One of the things
that I’m extremely concerned about is in our industry as a whole a lot of
people tend to sit and stay in the companies they’ve been with for a long time
and so because of that when people tend to stay in one company for a long
period of time they tend to have multiple positions and having those multiple
positions, you tend to not do a great job looking at what they used to have
access to as you’re giving them access to the new things that they need.
Dennis Fisher: Ah, yeah.
Larry Whiteside: And so going
back and revoking and the whole identity and access management piece in the
healthcare arena in general is one of the areas that is extremely, extremely
challenging because it’s access to clinical type information and how do you
break that down into the different subsets and different classes and levels of
information that they need to access and then determine based on positions that
they’re in which subset of that they need to access. So that is very, very difficult to just put
process around and manage on a regular basis.
Dennis Fisher: Yeah, and I
don’t think that’s unique to your industry either. I’ve heard that same concern in financial
services, as you mentioned earlier, government agencies as people move around,
all of that kind of thing. It’s just one
of the sorts of inherent hazards of moving people around and letting them do
their jobs.
Larry Whiteside: Absolutely. My next biggest concern is President Obama’s
administration has done a good job of making a lot of money available to help
make records electronic in the healthcare industry and that’s really the first
step in taking the healthcare industry into the next phase of technology. The problem is now we’ve got databases that
are everywhere and all over the place and we have historically not put a lot of
controls around database access either in a dev environment or a production
environment and that is the next phase as I look at my organization and a lot
of other organizations out there that I know about. Having controls around these databases that
this information is going to sit in as we move forward into this next phase of
technology for healthcare is going to be another key critical area because now
you’ve got your crown jewels in a single solitary location which is this
monster database that’s going to sit somewhere because at some point you’re
going to have to consolidate what is considered your patient record because you
can’t have this so-called electronic patient record sitting one piece here and
another there. You’re going to have to
have this consolidated patient record that you can go to and say this is all
the information we have about the patient and putting some security and
controls around that and keeping them and maintaining them moving forward as
part of the identity and access management strategy for the companies is going
to be interesting.
Dennis Fisher: Yeah that’s going to be a huge challenge and I always wondered about the security of the paper records in general anyway because you walk into your doctor’s office and you see those giant nine-foot moving racks of patient records and there’s just a bunch of people wandering around back there pulling files. They could be doing anything with those. There are fax machines there. They all have email. There are scanners there. There’s plenty of opportunity but I guess it’s a little more difficult than making this giant target of the electronic medical record database for these guys.
Larry Whiteside: Right and so
the key is that it would be easy for you or I to walk into a doctor’s office,
socially engineer our way that we could walk into the back because social
engineering is the oldest form of information security, right?
Dennis Fisher: Sure.
Larry Whiteside: Being able to talk
your way into any particular situation and these doctors’ offices, if you know
the lingo, if you know the right things to say, you can pretty much get the
records of somebody relatively easily and it’s a scary thought but it’s a
reality. But what’s going to happen is a
lot of that stuff is now already being pushed into an electronic form. The more scary thought than you being able to
go back there and get a record because getting a record isn’t that big of a deal
because you’ve got to get the right one with the right information but the more
scary part is going to be that now all of those same aloof people that we’ve
seen sitting in doctors’ offices over the years and no disrespect to them but
now there’s going to be electronic access to that same database of people. So now what will happen is if you use those
same skills you sit down at a computer and now you’ve got access to a whole
slew of them. How long does it take you
to write something to a USB and USBs are how big now?
Dennis Fisher: Right, yeah.
Larry Whiteside: If you walk
out of an office with 20 records in your arm, that’s pretty noticeable but if
you walk out with a USB stick in your arm, how noticeable is that?
Dennis Fisher: Yeah and you
could have tens of thousands in there.
Larry Whiteside: Exactly.
Dennis Fisher: And the
chances are one of them will be of some value to you.
Larry Whiteside: Exactly.
Dennis Fisher: Wow, that’s
given me plenty of things to keep me up tonight. That’s excellent. I can’t imagine you get much sleep thinking
about all this stuff.
Larry Whiteside: Well you know
what’s funny is I had a conversation with somebody not too long ago and I
talked about the mindset that you have to have in security and I said the true
good security people have a certain mindset that even when they walk into a
retail store they are looking around, looking where cameras are, and they’re
basically taking an assessment of the environment.
Dennis Fisher: Yep.
Larry Whiteside: Taking an
assessment of the environment and what’s going on and you don’t sleep a
lot. You don’t sleep a lot because you
are just always in that mindset everywhere you walk, everywhere you go. You see where video cameras are and not that
you want to take advantage. You just are
extremely aware of the situation from a security aspect just because you have
that mindset on a regular basis.
Dennis Fisher: Yeah I think
you’re exactly right. Every security guy I know is like that. You walk down the street with them and it’s
an education as they point out the lapses and the cameras and all the things
they could take advantage of. It’s
pretty scary. Alright, well Larry
listen, I really appreciate your time.
It was an excellent conversation and hopefully we’ll do it again
sometime.
Larry Whiteside: Great, I appreciate
the call.
Dennis Fisher: Alright,
thanks Larry, take care.
Larry Whiteside: Alright, you
too, bye.
Dennis Fisher: Bye.