Security theater refers to security measures that make people feel secure without providing actual safety. It is about the perception of security rather than security itself. In cybersecurity, many features can lull users into feeling protected, yet any system has numerous threat vectors (entry points), so no single simple solution is enough. Real security must address actual threats rather than act as a security blanket. For healthcare organizations tasked with providing solid patient care while safeguarding protected health information (PHI), security theater is not enough.
A layered cybersecurity program, built on strong controls such as HIPAA compliant email, matters far more than smoke and mirrors.
What is security theater?
Wikipedia defines security theater as actions that “provide the feeling of improved security while doing little or nothing to achieve it.” The term was coined by Bruce Schneier, a computer security specialist and writer, to describe measures adopted in the war on terrorism. According to Schneier, security theater addresses “movie-plot threats,” overly specific attack scenarios. One example he highlights is air travelers removing their shoes at airport security checkpoints. As Schneier puts it, “Security theater refers to security measures that make people feel more secure without doing anything to actually improve their security.” While security theater may alleviate fear, it also creates a false sense of safety: people are less on guard and may miss real threats. Moreover, security theater consumes funding and resources that could (and should) be spent on measures that work.
Cybersecurity theater
In the cyber world, security theater means checking off the boxes that make you feel defended. Antivirus software, check. Complex password policy, check. Pop-up email warnings, check. For HIPAA compliance it might also mean employee awareness training, patient portals, and policies and procedures on device use.
Healthcare organizations typically have large, vulnerable attack surfaces, made up of every threat vector that allows unauthorized entry into a system. None of the features listed above truly closes off those entry points on its own. Employee awareness training that is out of date and never reinforced teaches little, and even current training is not enough by itself. Email portals, with their extra login steps, add friction but do not by themselves deliver security. Policies and procedures on device use mean nothing without technical measures to back them up.
What should you do instead?
According to Schneier, the best approach to security is the traditional one: follow the evidence. In other words, deploy the cybersecurity measures an organization actually needs, based on what the evidence shows. Real cybersecurity must be grounded in a risk-based approach, which is why a HIPAA risk assessment is the place to start. A risk assessment helps covered entities determine the most effective and appropriate administrative, physical, and technical safeguards. Because the assessment is mandatory, it pushes healthcare providers to continuously check, assess, and update their policies and procedures, and it shows which access points and endpoints must be secured. Only after such an investigation can an organization decide which combination of cybersecurity controls will actually protect PHI.
Paubox Email Suite—practical and necessary
No matter what the assessment finds, one thing every covered entity needs is strong email security, which is where Paubox comes in. Paubox Email Suite’s zero-step protection does exactly what it is supposed to do: it removes the worry and stress from electronic communication without relying on security theater. Our HITRUST CSF certified solution encrypts all outbound email automatically.
Moreover, it works on every type of device and integrates with your existing email platform (e.g., Microsoft 365, Google Workspace, or Microsoft Exchange). There is nothing to download and no extra account to create or monitor. No extra password. No extra clicks or web pages to wade through before patients can communicate with their doctors. Finally, Paubox Email Suite supports two-factor authentication, a core element of the Zero Trust security model, a genuinely useful security methodology endorsed by both the NSA and CISA.
Paubox’s security measures are useful and valuable without being showy, because security does not need to be visible to make a difference. Security theater is the exact opposite, a show, and it should not be the focus of any cybersecurity program.