A security program is a living organism. Its parts should all work together as one organized system rather than as a set of isolated controls.
It’s important to remember that compliance is a point-in-time demonstration, while security is an ongoing, everyday effort. That’s why it’s so important to focus on building the right security program rather than getting caught up in compliance for its own sake. Federal regulatory requirements don’t actively protect the public’s information; they exist to make sure you do. Your security program is your active, day-to-day protection of electronic protected health information (ePHI). Compliance is only the demonstration, at a given moment, that your security program meets regulatory requirements; a passed audit says nothing about whether the controls are still running and still effective the following month.
Beyond its role in compliance, security needs to be treated as a living organism because it protects against constantly evolving threats in a changing landscape.
There are two aspects of “living” security: Active and Adaptive. Let’s take a quick look at both.
Active security lives in the infrastructure, policies, and day-to-day management of your security platform: the monitoring, alerting, patching, and incident response that are actually happening, not merely documented. You can build a secure infrastructure, but if nothing and no one is actively watching it and responding, your data is at risk.
A secure server should be built with multiple layers of active protection on properly engineered and configured enterprise hardware, and security engineers should be monitoring every layer around the clock, able to react to threats before they cause damage. Active security alone is not enough, though. What happens when the landscape suddenly changes?
Take the flu vaccine as an analogy. The flu vaccine is an active measure: each year the World Health Organization predicts (in effect, guesses) which handful of flu virus strains will be the most problematic, and the vaccine is formulated accordingly. But what if the scientists are wrong, or the virus evolves? The vaccine that was already made cannot change to match the strain that actually circulates. Flu vaccines are active but not adaptive.
Adaptive security refers to the ability of your security program to evolve over time with the changing landscape, and with what you learn from your own monitoring and incidents.
Fixed security (active but not adaptive) protects you from past threats and from industry experts’ best guesses about how future threats will attack. It is a one-time application of security measures that start going out of date the moment they are implemented: a firewall rule set, a signature database, or a hardening baseline that is never revisited. These measures cannot react to the unexpected.
Adaptive security, by contrast, protects you from existing threats and can evolve quickly to protect against new ones as they emerge, whether through updated detection rules, patched software, revised policies, or changes driven by lessons learned from incidents.
What You Can Do
Whether you’re searching for a new security platform or evaluating the one you have, you should confirm that your solution functions as a living organism, both active and adaptive. Here are a few things to consider to get you started:
- How does this service provider view security? Your provider should see security as a living organism. A provider that treats security as a fixed checklist is putting you and your customers at risk.
- Where are the living layers of security? Any secure server provider can show you an impressive-looking sample topology, perhaps with imposing graphics meant to make you feel safe. Look closely at the layers of protection and make sure you understand, for each one, whether it is active (someone or something is watching and responding) and whether it is adaptive (it is updated as threats change).
- How is the security “living”? It’s not enough for a provider to claim that active measures are part of the infrastructure. You should know how they are active: what is monitored, who responds to alerts and how quickly, how often rules, signatures, and patches are updated, and what evidence (logs, reports, incident records) shows that this actually happens.
Whatever you choose for your secure server solution, it must be built on the idea that security is a living organism. Threats are always evolving; they always have been, and they always will be. By implementing measures that are both active and adaptive, your security program can keep pace with them and, at times, stay one step ahead.