Feb 20, 2015 By Jean-Paul Bergeaux In Blog

Anthem Hack Should Silence Calls For Regulatory Over Voluntary

The NIST Cyber Security Framework was created in response to President Obama’s call for our Federal Government to do more to help American companies secure their environments.  The framework is a voluntary starting point for companies to use, instead of having to start from scratch or hire a security firm to create a baseline to work from.

The NIST framework is a fantastic partnership between public and private experts in the cyber security field.  It’s a great starting place for any CISO, CEO or CIO to begin assessing how to build or improve their cyber security infrastructure.  However, the framework is not a checklist that proves an organization is secure.  Some on Capitol Hill do not seem to understand this.  At a recent Senate hearing, a senator said, “The voluntary program works as long as everybody is volunteering.” Another said, “I believe there needs to be greater government direction, legislative involvement, for the moment….”

These gentlemen from both of the major parties don’t get it.  The framework has to be voluntary because many parts of the framework don’t apply to all organizations.  Who decides in the regulatory environment which parts would apply and which would not? Even if it were implemented completely and perfectly, the framework won’t necessarily make an organization secure.  The point of a framework is to help organizations move forward by eliminating the tedious job of creating a baseline or investigating competing ideas to agree on a baseline.  With that work reduced, it allows organizations to focus resources such as time and money towards innovating and sharing both successes and failures with the community. But the framework, on its own, doesn’t guarantee security.

A major breach at a leading healthcare company made this point loud and clear.  Anthem (formerly WellPoint) has been highly involved in adapting the NIST framework specifically for the healthcare industry in what is called the HITRUST Common Security Framework (CSF).  The same day as the hearing, Anthem, which uses the CSF adaptation of the NIST framework, announced it had been hacked by a sophisticated and highly coordinated external attack that had compromised 80 million customer and employee records.  The records included many forms of personally identifiable information (PII).  Embarrassing as that is, it makes the point: even those that voluntarily follow frameworks are not necessarily secure.  So why change it from voluntary?

Please note that I commend the NIST framework, the HITRUST CSF and Anthem for working hard to secure the company’s IT environment and contribute to the security of the rest of the health care industry. My point is this: The NIST framework is an excellent starting point, but it is just a starting point—not an end-all/be-all solution—for building a robust cyber security infrastructure. Proper safeguards need to be implemented and tested to ensure the framework dictates a security posture that actually works.