Real vs. Regulatory Risk

Posted by Venkat Rajaji on Thu, Apr 28, 2016

Risk is a word you hear every day, and it has become commonplace across the security industry. What is risk? What does it really mean? And why is it so important? Most importantly, how should we think about the impact of these risks and how we mitigate them?

Risk is composed of: Impact x Likelihood.

Impact - The damage caused by the risk, criticality of the assets, the actual data in the systems, the liability associated with an audit finding.

Likelihood - The probability that an event will occur. When we think about likelihood we think about usage patterns, access levels for individuals and accounts, and exposure or vulnerability of such systems.


Within the context of Information Security there are two types of risk that companies face, real risk and regulatory risk.


Regulatory risk is associated with not being compliant with any number of regulations. The penalty for this might be financial penalties, incarceration or a drop in stock prices if said issues are "material" enough to require reporting. Examples include compliance with data privacy rules and HIPAA within the healthcare industry, SOX compliance for companies within the Financial Services industry, and PCI compliance for retail organizations or anyone else accepting credit cards. What regulatory risk calls for is the implementation of a governance process to ensure compliance.


When you think about real risk, you're thinking about things like customer and consumer data, credit card information, employee data, SSNs, and access to processes like the recent Iranian nuclear processing centrifuges that were hacked into and then stopped and started over and over until they blew up. Here, a governance process is not enough. This is now about protection, and the impact is far greater than just a fine. Reputational damage, brand image, liability, and other major financial damages will impact the company.


Compliance regulations have helped and have forced companies to put in place governance processes to mitigate some risk. However, this drive for compliance has led to a lot of rubber stamping. The reason is that there is too much data, and we don't know what is important and what is just another request. So the compliance checks themselves often don't do enough to protect the companies or their customers.


We need the ability to really understand risk within the constructs of impact and likelihood. In order to satisfy both regulatory needs and to mitigate against real risk, we need solutions that provide context for these risks. Context might be things like access levels, known vulnerabilities to systems, criticality of business systems and the data stored in those systems. This helps us better understand our enterprise risk. Done correctly, this automation and intelligence also dramatically improves understanding of how you are actually doing and how that is changing over time (read actually managing this stuff), efficiency (read cost savings) and efficacy (real and regulatory risk reduction).


To manage both real and regulatory risk, you need to deter bad touches (inappropriate access) to information and processes. Since motivated bad guys have proven that they still might find creative ways in, you need to detect when that happens, and once you do that, you had better figure out how to remediate the issues really quickly. The Courion suite of solutions is designed to solve exactly this problem across both the physical (vulnerability management) and logical (access management) worlds.


Looking for more information on how to mitigate both real and regulatory risk? Download Assessing the Risk of Identity and Access to learn how to identify and remediate both your real and regulatory risk. 

Tags: risk management, security risk, cyber risk, risk

Fitbit Accounts Taken Over, Indiana University Health Arnett Hospital Loses USB Drive and Much More in This Week's #TechTuesday Roundup

Posted by Harley Boykin - Marketing Coordinator on Tue, Jan 19, 2016

In this week's #TechTuesday roundup: Fitbit users fall victim to account takeovers, Indiana University Health Arnett Hospital loses a USB drive with over 29,000 patient records, the U.S. Federal Financial Institutions Examination Council warns banks of an increase in ransomware, encrypted emails can be read on BlackBerry devices and a recently patched XSS vulnerability on eBay invited spearphishing.

Tags: cyber risk, ransomware, healthcare data, #techtuesday, Hacking, vulnerability, spearphishing

Beware Black Friday Threats

Posted by Ashley Sims - Marketing Manager on Mon, Nov 23, 2015

While most Americans are already dreaming of turkey, stuffing, family time, and leftovers, there is another national holiday this week: Black Friday.

Maybe you aren't ready to camp out the night before and fight for some silly toy with the rest of the world, but one thing you can be sure of is that hackers are gearing up for their most fruitful day of the year. Everyone remembers the Target data breach one infamous Black Friday years ago, but what you don't see are the other millions of attacks that are launched on that day.

Whether you're a retailer or a consumer, you should be continuously monitoring your accounts throughout the holiday season to keep your accounts and networks safe.

Here are 5 tips for keeping your information safe this Black Friday. 


Are you watching what's happening in your network? With a Quick Scan of your system we can show you where your greatest threats lie.


Tags: cybersecurity, cyber risk, threats, cyber security, cyber attack, black friday threats, cyber threat

#TechTuesday Roundup: Malicious InstaAgent App Pulled from Stores, Rally Health Launches Online Healthcare Shopping Experience, and More

Posted by Harley Boykin on Tue, Nov 17, 2015

Tags: cyber risk, IOT, #techtuesday, healthcare IT, malicious software

Interview with a Healthcare Security Expert: William "Buddy" Gillespie, HCISPP

Posted by Ashley Sims - Marketing Manager on Thu, Nov 05, 2015

At Courion, we strive to provide the most innovative solutions possible to allow our customers to detect and remediate risks across all organizations in any industry. We read, we research, and we do our best to stay on top of every new threat, breach, rule, and regulation. However, to truly understand what is happening in the industry and on the ground every day, we turn to the experts who have lived through these scenarios and can help us better understand what you need as a customer.

Today, we welcome one of these experts to our blog in the first post of a new series we will call “An Interview with the Expert”. This week’s guest is Mr. William “Buddy” Gillespie, a highly accomplished, visionary, driven senior healthcare IT executive. Mr. Gillespie is a leader with extensive experience and achievements within Healthcare Information Technology (HIT), including strategic positioning, budgeting, staff recruitment, customer service, implementation and consulting, customer support, customer relationship management, privacy and security sales/marketing, and collaborative relationship positioning with multiple HIT vendors and business associates.

He has expertise in Health Information Technology, HIPAA Privacy and Security (HCISPP Certified) and, most recently, Analytics and Health Information Exchange (HIE). His career has included extensive work with Electronic Medical Records (EMR), state-wide HIEs, and marketing of Disaster Recovery/Cloud Hosting solutions.

A certified Healthcare Information Security and Privacy Practitioner (HCISPP), Mr. Gillespie served as the VP, CIO, and CTO at WellSpan Health, an integrated delivery system based in York, Pennsylvania and serving more than 70,000 people in south central PA. As the CTO, Mr. Gillespie was responsible for the strategic and tactical efforts surrounding the business and clinical systems at WellSpan. Now “retired”, he works as a consultant, presenter, and active member of several prestigious organizations.

Here is what Mr. Gillespie had to say:

Courion Corporation: What are the biggest challenges you have seen in the last 6 years?

Buddy Gillespie: The last 6 years have been a fast-train for Health Information Technology and have resulted in a huge magnitude of change to the delivery of healthcare. The major force vector behind the high rate of change has been the HITECH Act. There is no doubt that this Act was the major catalyst to get hospitals to invest in the EMR and other related technologies. The number one change has been in the way patient care is delivered. Physicians, for the most part, no longer fight technology but embrace it. The question on the table is: will the changes sustain or will they fall back? We can only hope that Meaningful Use is “too big to fail”.

CC: What are the strongest emerging drivers and trends in healthcare?

BG: I would say the sustainability of HITECH, Electronic Health Records, Meaningful Use, and the Triple Aim.

In 2009, the HITECH Act was signed into law, which established the goal to implement the Electronic Health Record across all healthcare providers and thereby establish a road to have every caregiver utilize the EHR in a manner which constitutes a “meaningful use” of the patient data. Rules were established to define Meaningful Use, and if the provider achieved the goal, incentive payments would be paid to the providers. The Act was set up into three phases and each phase has its own criteria/rules to define the objectives for achievement. Ninety percent of providers have achieved the first two phases and over $20 billion has been paid out in incentives. The criteria for the final phase have been released and providers are gearing up. The ultimate goal of the HITECH Act and Meaningful Use is to meet the three pillars of the Triple Aim: Reduce the cost of healthcare, increase quality and improve the patient experience. The question now becomes how successful have the first two phases been in meeting the goals of the HITECH Act and the Triple Aim. Surveys to that regard have resulted in mixed reactions. While the overall feeling is positive, some have responded that the Act has created additional burden on an already excessive patient load for physicians. There is no doubt that the Act has resulted in the expansion of the EHR to a level never before seen in healthcare. Today over 50 percent of physician practices and over 60 percent of hospitals have implemented a robust EHR. Phase Three will be the ultimate test of the success factors for the HITECH Act. That phase will build on the first two phases and take into account the pros and cons of the first two phases.

In my opinion the real critical success factor will be sustainability.  Once the dollar incentives are gone and the “awe gee” reaction has passed, will the current level of Meaningful Use survive? I think not unless health systems and providers continue to monitor, nurture and invest in the resources and technology to sustain Meaningful Use.

CC: We’ve all heard about the new phase 2 for the OCR and the HIPAA Audit program. What do you think will be the biggest impact and how can companies prepare?

BG: The Office for Civil Rights (OCR) has announced that they are ready to start the second phase of the HIPAA/HITECH audit program. The scope of Phase 2 will be to audit 200 plus covered entities.  The audit criteria will be benchmarked to the compliance of the HIPAA Privacy and Security Rules plus the requirements for Breach Notification.  The Covered Entities Audits will be followed by audits of the Business Associates to include EMR vendors, Cloud Service Providers, and other BAs in the HIPAA Chain of Trust continuum.

Although OCR has indicated that the first round of audits will be a review of policies and processes, additional on-site audits will be more comprehensive in nature and focus on a deep-dive of internal technology and other types of mitigating solutions in place to support risk prevention. 

So what is a good rule of thumb for preparing for the OCR audit? First of all, make the assumption that you will be part of the 200 plus and prepare a plan sooner rather than later.

The plan should be kept simple and kept to a few basic components:

  • Review OCR’s audit protocol and be well versed on the HIPAA and HITECH regulations
  • Review your documentation and ensure you have the most recent HIPAA guidelines, policies, and procedures in place and the organization is well-educated relative to those documents
  • Have a clear understanding of what OCR’s expectations/process are relative to providing your documentation to the auditors
  • Orchestrate a “mock” audit with all internal parties and simulate a real audit.
  • Lastly, establish a communication chain within your organization to communicate events, timelines, tasks, status, etc.


For more on our conversation with Mr. Gillespie, join us next month for Part 2 of our interview or register today for our webinar, Improving Operational Efficiencies in Healthcare Organizations, on Wednesday, November 11, 2015 at 11AM.



Tags: cybersecurity, cyber risk, healthcare, cyber security, healthcare IT, Cyberattack, healthcare security

5 Cyber-Security Mistakes That Will Make You Scream

Posted by Ashley Sims - Marketing Manager on Thu, Oct 22, 2015

Your employees are the core of your business and what makes it great. However, they can also be the cause of risk in your organization. Establishing a culture of security is the best defense you can have against external threats to your company.

Here are some of the top mistakes employees make and how to stop them.


Tags: cyber risk, IAM, cyber security, BYOD, Culture of security, intelligent IAM

How to Mitigate Cyber Risk in an "Always-On" Society

Posted by Corey Talbert - Business Development on Thu, Oct 15, 2015


It's week two of National Cyber Security Week, and the theme could not be more relevant to our everyday lives: security for the always connected. How many devices do you have within your reach right now? How many emails did you answer on your cell phone, work or personal, after you got home last night? What about the number of alerts from Facebook or Twitter that you woke up to?


All of these are examples of how our lives have become constantly connected.


I'm not saying that being constantly connected is a bad thing. It's actually kind of amazing. We can instantly communicate with customers from around the world. We can send files across continents within seconds. We can watch someone in Japan order a pizza live on Periscope any time of day. Ok, I guess they aren’t all amazing, but you get the idea.


Openness supports productivity and creates opportunity, but it also creates security and compliance risk. Think about the number of users and applications that you have in your organization. That number seems to grow every day as do their permission and access requests. Do you have multiple devices for these users? Then that number just doubled again. What about a ‘bring your own device’ policy? Do you have one? If not, then you are allowing access to your network on a host of unsecure devices. If you do, then do you have differentiated networks for employees, guests, contractors, and so on?


Organizations have to find a way to balance the risk of exposing their data with the need to grant access to their employees, partners, and customers. At the same time, you must put governance controls in place to make sure that data is only accessible to the right people, at the right time, on the right device. The key to this balance is not trying to lock down everything in sight, but being able to assess the greatest areas for risk to the business and allocate your resources wisely.


Until now, the biggest challenge has been figuring out which assets pose the biggest risk, where they live, who has access to them and what users are doing with these assets. However, if you really want to protect your organization, you need to know that information right now, in real time and not through periodic reviews once or twice each year. It's simple; if your users are on your network 24/7 then you need to be able to see what they are doing 24/7. 


The best way to protect and monitor the massive amount of information that you have is through an Identity and Access Management system. It's not only complex, it is critical if you are in one of the many industries regulated by corporate or government policies and regulations. These systems grow more complex every day due to the sheer amount of data that we are adding into our networks and can require substantial investments in both administrative and financial resources. However, no investment can compare to the security of your data, the full compliance of your company and the reputation of your brand.


In our evolving "always-on" culture, we have to be prepared to do more than pass a yearly audit. Too many organizations make the mistake of primarily focusing on passing their audit and being seen as compliant within regulations rather than using their IAM system as a business enabler. An IAM solution is a way to protect your entire organization from potential risks to business and, unlike your employees, it is able to work 24/7 for you.


Is your IAM solution working for you? Are you using it as a business enabler and assessing your risk in real-time, or are you simply using it as a tool to get through your annual review? Assessing access risk at any time is crucial in our culture and is the key to a fully compliant organization.


Have more questions about how to assess your risk in real-time? Want to know how an IAM solution can help keep you secure in our always-on, cloud based world? Download our white paper today and learn more about managing risk in today’s business.


Tags: cybersecurity, cyber risk, IAM, cloud, IAM in the cloud, intelligent IAM, Cyberattack

Building a Culture of Security in Your Organization


It's the most wonderful time of the year! No, not Christmas, not even Halloween, it's National Cyber Security Awareness Month! Here at Courion, we take this month very seriously and will be serving you content all month long to help strengthen your organization's security. 

The theme for this week's #CyberAware month is "Creating a Culture of Cybersecurity at Work", and we believe that is the first step to building a truly secure organization. To help your employees become more security-minded, we put together an eBook with a few tips on "Building a Culture of Security". 

Our book starts with a very simple truth: You are the target. Hackers aren't knocking down actual doors and walls to get into your system. Instead, they are sneaking in through user credentials and open portals. To build a culture of security in your organization, your employees need to know how hackers are targeting them and what they can do to keep themselves and the organization safe. 

"How to Build a Culture of Security" contains information on: 

  • Avoiding Phishing
  • Social Engineering
  • BYOD Policies
  • Working Remotely 
  • Data Retention Policies
  • And more! 

Make your organization safer; download our eBook and start building your culture of security today. 


Tags: cybersecurity, cyber risk, cyber security, security

The Risk of Mobile Payments

Posted by Ashley Sims - Marketing Manager on Thu, Oct 01, 2015

ISACA recently conducted a survey of over 900 security experts around the globe to get their opinions on the risks of mobile payment systems. While most of the data won’t surprise you, the number of security experts using mobile payments, even though they are aware of the risks, might. Is the level of convenience enough to overlook the security risk?  Read on and decide for yourself.  


Tags: cybersecurity, cyber risk, cyber security, cyber-attack, mobile payment security, financial services security, security, Cyberattack, mobile payments

Trivia Crack promposals, hacked Uber rides, "dislike" buttons and more in this week's #TechTuesday

Posted by Harley Boykin on Tue, Sep 29, 2015

Tags: cybersecurity, cyber risk, #techtuesday, hacker, cyber attack, risk, hackers, Cyberattack, Hacking, tech tuesday