Top 3 Data Security Lessons from Bio-IT World Expo 2016
By Joe Stanganelli
May 18, 2016 | On day one of Bio-IT World Conference & Expo this year, Bio-IT World asked Michael Dimitruk, Sales Director at Accunet Solutions (one of the conference's perennial exhibitors), what he thought would be the biggest takeaway from this year's conference.
His answer was seven words long: "Secure data is better than cheap data."
Dimitruk's pith proved particularly prescient over the following three days. For all the talk at this year's Bio-IT World Expo about data sharing, interoperability, and the cloud, the IT topics of data stewardship and data security featured prominently. An entire conference track was devoted to the topic of data security, and its undercurrents trickled throughout other presentations.
"[T]he real threat that I see...today [is that] we have so many things that are connecting to the Internet," Brian Bissett, a senior member of the IEEE with a federal-government pedigree, told conference attendees during a presentation on IT security policies. "We have all these vulnerabilities, and as administrators we don't get to vet security of all these things—and if we don't allow them access, there's a cost associated with that too."
Bissett's point was especially well taken among attendees. As connected medical devices are being increasingly deployed as part of the Internet of Things, and as clinical research organizations demand greater collaboration and data accessibility, data security innovation is essential to healthcare and life-science innovation.
As such, here are the three biggest security takeaways from this year's conference on new—and old—threats to your data, and countermeasures against those threats, along with tips for organizations in healthcare and the life sciences on how to act on what the experts had to say.
Don't Just Trust; Verify Cloud Vendors' Data Security Claims.
"Cloud computing changes the whole [security] equation," Bissett warned his audience. "In terms of cloud services, an administrator may no longer have control over their network, their OS, the applications actually being deployed—and as a result of this enterprise IT system, they're constantly opened up to risk."
The answer to this problem, said Bissett, is to take personal responsibility throughout the IT organization regardless of the level of cloud deployment, taking nothing for granted.
"Any business that is a custodian for information, just because you put the information on the cloud, that doesn't mitigate you from being responsible for that [information if] the cloud provider doesn't have adequate security," said Bissett.
"Don't just send everything to Amazon, don't just send everything to Google[,] unless you have done your checks and balances," Ketan Paranjape, Intel's General Manager of Life Sciences and Analytics, accordingly recommended during an on-site interview with Bio-IT World. These so-called checks and balances demand getting into the nitty-gritty.
Some presenters on cloud topics got granular. During a first-day workshop on cloud scalability, R. Mark Adams, a computational biologist and Partner at GroupEP, urged workshop participants to thoroughly review cloud vendors' security controls.
"Do they include personally identifiable information? That's an important question," said Adams—who followed up with another important question for cloud vendors: "What qualifies as personally identifiable information?"
And what of cloud vendor sales staff and marketers who assure prospects that they "regularly" conduct security reviews?
"Ask what 'regularly' means," suggested Dianne Pacheco, Information Security Officer of the Jackson Laboratory, in a separate conference presentation. "I asked one [cloud] vendor, [who] said, 'Once a year.' That's not sufficient."
Indeed, Pacheco was quick to point out that, security aside, important compliance considerations are at play among myriad government oversight agencies, necessitating thorough cloud due diligence.
"It doesn't matter that you have agreements in place with your cloud providers," Pacheco said. "A breach of that data is your breach—not their breach."
Accordingly, urged Pacheco, boasts about how secure, private, and compliant cloud solutions are should be met with caution at best. To be sure, on the conference's first day, one cloud boast in particular drew particular scrutiny in this regard.
For Information Security, Virtualization Can Be Your Best Friend.
Shortly after Adams's workshop presentation, Google engineer Benny Ayalew presented to the same audience, displaying a slide with a picture of Google's servers that boasted in big bold letters, "Google Cloud Platform lets you run your apps on the same system as Google."
Ayalew was asked how precisely true this statement really was. After all, if hackers could access and compromise Target's POS data via an HVAC vendor's systems, as they did a couple of years back, would tech-giant Google actually use the same systems for its cloud customers as it does for its search engine, email, and social media users, as well as for its internal systems?
"Yes, it is in fact the very same," Ayalew asserted when pressed on this subject during Q&A. "Everything we run is container-based [and] destroyed when your session is done."
Could virtualization be what health-IT needs to secure genomics data, medical devices, and the medical Internet of Things? A near all-purpose security salve that could have prevented the 2013 Target breach? Ayalew's responses seemed to indicate so—and he went on to present Google as setting an example in security through virtualization.
"We build that [security] in," Ayalew told Bio-IT World in a post-presentation interview. "Containers with well-architected security measures are the way to provide skill and flexibility, [and] they're best used within a well-fortified cloud environment. [E]ach of our containers is sort of a hermetically sealed VM [and] doesn't trust anything in the infrastructure."
Bissett, too, asserted that virtual instances provide one of the best ways for an organization to protect itself from cyber attacks from "certain…threats," most notably viruses, ransomware, and other malware. Bissett went on to explain how virtualization presents an additional, and unique, immunity to contemporary ransomware in particular.
"Something that's very interesting [about] the ransomware that is out now [is that] it will detect if you are running a virtual instance of something, and if you are, the ransomware will not install," Bissett told his audience. "And the reason [ransomware programmers] don't want the ransomware to install is because [virtualization] is a perfect vehicle for people to reverse engineer it and look at how it works safely."
Don't Move the Data to the Tools; Move the Tools to the Data.
Bissett and Ayalew are far from alone in their advocacy of security via virtualization in the healthcare and life-science space. Intel's Paranjape, too, expressed particular enthusiasm to Bio-IT World about Docker-like configurations and other virtualization techniques. To Paranjape, virtualized tools like these have become an information-security essential in this sector because they enable much-needed analytics collaboration while getting around the cloud's inherent security and privacy issues when it comes to "geographical boundaries."
"Data has to be protected [and] shouldn't leave the boundary it's supposed to be in," observed Paranjape. "Why move it? [There's] no point in moving all the data. Just leave it where it is; [cloud providers] will just send you the compute."
Other conference speakers and attendees echoed Paranjape's call to move compute power instead of actual data as a much-needed data-security, privacy, and even cost measure. Adams urged attendees at a pre-conference workshop to ask themselves what the bigger priority is when it comes to the cloud: the storage capabilities or the compute. Adams then answered his own question, citing that "immediate business concerns" tend to rely upon the compute.
Research clients' primary pain points, however, typically involve not wanting to deal with these technical concerns at all, because such concerns distract them from their primary work. Paranjape told Bio-IT World that these clients often complain that they "don't want to keep downloading the latest patch" (understandably so; patch management is often cited as even IT departments' top security headache).
"If I can provide that as a service, if I can download that patch for them, that's what [they] want," explained Paranjape. "[For the client,] good security should just be an afterthought."