← Back to Insights
July 13, 2016
capital formation design
Download PDF 
Authors
David W. Johnson
Topics
Consumerism Innovation
Channels
Commentaries

Rethinking Cyber-Security: A New Paradigm for Democratizing Data Exchange

Liberated data connects people, informs decision-making, stimulates innovation, streamlines production, creates wealth and advances humanity.  The upward trajectory of human accomplishment arises from ever-more sophisticated data exchange supporting ever-more complex win-win partnerships.

With the inevitability of water flowing downhill, data yearns to be free and available. Protecting data without stifling its productive potential has been a universal challenge throughout history. Societies that protect and liberate data prosper. Societies that protect and restrict data falter.

Perimeter-based network systems have proven inadequate. They’re cumbersome and vulnerable to attack. The list of hacked healthcare companies reads like a “who’s who” of payors and providers.

Healthcare cyber-security systems constrain-information sharing and don’t deliver the protection and privacy demanded by patients and regulators. This represents a failure of imagination.

Health companies seek to secure information by locking it up when liberating data is essential to advancing medical care. The key is to “think different” and employ strategies that both protect and democratize data exchange.

Making Copies: What Data Is and Does

Software creates and manages digital information. Data geeks use the term digital objects to describe bundles of zeroes and ones that comprise digital information.

Digital objects are as real as letters on paper; however, they are microscopic and move at the speed of light.  Like printed letters, digital objects carry data that conveys meaning (information) and/or instructions (software).

Printed words and streams of zeroes are different ways of encoding information.

Digital objects distribute and multiply through virtual copying. When people send e-mails, for example, recipients receive identical copies of those e-mails. Copies proliferate as e-mails distribute through cyber-space and “live” simultaneously on multiple computers

Paraphrasing Rob Schneider’s “Making Copies” skit on Saturday Night Live, the increasing ease and speed of “making (and moving) copies” of digital information is the essence of the current information revolution. These copies flow to billions of inter-connected computers, mobile devices and cell phones.

Digital connectivity enhances productivity, but also makes data vulnerable to widespread cyber-attacks that compromise data control. The speed, density and ubiquity of digitized copies moving through cyberspace gives cyber-criminals access to sensitive data in multiple locations.

Here’s a thought-provoking question: how many computers have copies of any given individual’s emails and shared files? The answer, of course, is far more than any of us could imagine.

Protecting a Leaky Perimeter: Inspectors; Firewalls; Pipes and Safes

Most cyber-security technologies have the look and feel of medieval castles where defenders employed high walls, moats, flame-throwers and boiling oil to ward off attackers. For the last twenty years, cyber-security has employed similar types of perimeter defenses to protect data. Here’s what they are:

  • Inspectors: search digital objects for malicious instructions that copy and move data surreptitiously or deny owner access to data. They also inspect outbound data to prevent hackers from sending information they shouldn’t.
  • Firewalls: create a perimeter around a universe of digital objects. Unfortunately, firewalls contain thousands of potentially-vulnerable openings (ports) to transmit and receive data.
  • Pipes: are encrypted barriers that surround moving digital objects, but only when they are moving. The vast majority of your digital objects are not on the move at any point in time.
  • Safes: use cryptographic containers to store data. Whole disk encryption and encrypted folders protect some digital objects when the computer is off, or the folder is closed. Like physical safes, they only protect things you are not using.

Unfortunately, inspectors, firewalls, pipes, and safes are “leaky.” They don’t control all data-copying. These traditional cyber-defenses do not deal effectively with malicious “insiders” and, more importantly, do not prevent copies flowing to non-controlled computers.

Resilient Cyber-Defenses: Absorbing Attacks Without Compromising Data Integrity

Paradigms shift. Simple, elegant concepts supplant calcified strategies that no longer work. The U.S. military reversed its fortunes during the second Iraq war by replacing large, centralized deployments with more numerous, much smaller and nimbler deployments that worked in concert with local residents. Together they defeated al Qaeda militants.

During the same war, the military dramatically cut battlefield deaths in half by standardizing triage procedures between field clinics, regional hospitals and major medical centers.

As Einstein observed, “the definition of insanity is repeatedly doing the same task in the same way and expecting different results.” The increasing levels, sophistication and effectiveness of cyber-attacks means that perimeter-based defenses are not equipped to meet the dual goals of liberating and protecting data.

Inspectors, firewalls, pipes, and safes all provide perimeter security, but can’t completely control exposed digital objects.  Computers create digital objects the same way they did thirty years ago – unprotected and vulnerable at conception.

To be fully effective, software engineers must imbed protection and control mechanisms into the data itself – into the digital objects. Self-protecting data facilitates data mobility without relinquishing data control.

Software creates controlled digital objects in two steps:

  • It encrypts each digital object with a distinct key that permits “reading” only by approved users.
  • It adds “use controls” to the digital objects that constrain what legitimate users can do with the object. (can/cannot forward, copy/paste, print, expires in x days, etc.)

This flips the cyber-security equation around. Instead of defending all data, each data object defends itself. It’s efficient. It’s lower cost. It’s more effective.

Consider the new paradigm. Would stealing copies of the digital objects matter? No. Breaking encryption is difficult and individually encrypting each object exponentially increases the difficulty and cost of stealing information.

Would controlled digital objects be more difficult to share?  Not at all.  Sharing becomes easier when users avoid navigating through the multiple security barriers embedded within existing perimeter defenses.

Would controlled digital objects make software harder to use? No. The encryption complexities are invisible to end-users.

This is not a theoretical exercise. The Army funded the creation of digital object-level control to enhance battlefield communications systems. Control and simplicity are really, really, important when the enemy is shooting at U.S. soldiers.

No More Excuses

In the same way that developing countries are applying cellular technology to avoid investment in land-based telecommunications infrastructure, health systems can by-pass expensive and inconsistent perimeter cyber-defenses by encrypting individual data objects. This new approach is simple, elegant and effective.

Even more important than securing data, confident healthcare providers will share information without fear to advance medical diagnostics, treatment and research. The “friction” associated with lumpy perimeter defenses will evaporate. Liberated data will flow to its highest and best uses. Enlightened health companies will lead the way.

About the Author

David W. Johnson

David Johnson is the CEO of 4sight Health, an advisory company working at the intersection of healthcare strategy, economics, innovation. Johnson is a healthcare thought leader, keynote speaker, and strategic advisor to organizations busting the status-quo to reform our healthcare system. He is the author of Market vs. Medicine: America’s Epic Fight for Better, Affordable Healthcare, and his second book, The Customer Revolution in Healthcare: Delivering Kinder, Smarter, Affordable Care for All (McGraw-Hill 2019). As a speaker, Dave plays the role of rebel, challenger, industry historian, investor and company evaluator to push audiences forward. (Watch bio video.) Johnson applies his 25+ years of investment banking in healthcare to identify ways the healthcare industry must change to deliver better care. He received a Masters in Public Policy from Harvard Kennedy School, an English degree from Colgate University, and served in the African Peace Corp service. Join over 10k+ healthcare executives who read our weekly insights and commentary on www.4sighthealth.com. His third book, Less Healthcare, More Health: The Prescription for a Happier, More Equitable and Productive America, will publish in 2024.

Recent Posts

Innovation
Podcast: Improving Patient Safety Is a Team Sport 3/28/24
The list of patient safety risks and hazards is getting longer. What will it take to make care… Read More
By March 28, 2024
Outcomes
My, How the Margins Have Fallen
About this time last year, I wrote about record profit margins that hospitals posted in 2021, according to… Read More
By March 27, 2024
Economics
In Case You Missed It: PE in Healthcare
Private equity (PE) is like a heat-seeking missile trained on targeting profit, while healthcare has been a more… Read More
By March 26, 2024