Ask the Expert: InfoSec Requirements for Health Insurance Providers, Part 4
David Pearson, Co-Founder and CTO of Iceberg Networks, sat down with us to answer more of the top questions about the concerns he’s hearing from insurance providers surrounding security configuration management. The following is an edited transcript of the conversation.
What piece of advice would you give to Medicare/Medicaid insurance providers who are struggling to maintain regulatory compliance?
The mantra “automate, automate, automate” is going to be first on everyone’s lips and that’s a noble approach to it. I think the problem that they will encounter is that they can only automate so much and they have probably already automated to the extent they can with those point solution tools. The advice that would likely be most helpful is to look at the program as a whole and understand where you’re spending a lot of your energy and the disruption it’s causing to the organization. Solve that problem.
If you look at what you need to do first, you need to be able to understand what the people are doing on a periodic basis and figure out how to turn that into part of how they do their job. So instead of making this a big audit and collecting information for reporting purposes, if in their day-to-day activities they were simply configuring the systems the way they were designed, logging the evidence that the systems are configured appropriately as they are going through the actual configuration activities, and they had a process in place to do some sort of system checking, as they often do for health checks on systems, it would convert it from being a big effort on a quarterly or semi-annual basis into being a smoothed-out effort over everybody’s workdays.
If (companies) can figure out how to, instead of treating this as a big audit and package assembly job, turn it into simply “I’m going to do the checks as they are needed”, it becomes a much more manageable environment.
To do that, you would need to have centralized tooling to manage all the data. If you try to do this following spreadsheets, then you end up with the difficult problem of hundreds of people trying to contribute to the same spreadsheet, which becomes unmanageable. You really do need some sort of system where you can “mete out” the work to the people who need to do it in just the right amount and have those people enter their data into a system. So when you need to, you can push a button and compile all of that information into the big reporting package that’s required.