Risk
5/9/2013
11:32 AM
Connect Directly
RSS
E-Mail
50%
50%

Health IT Execs' Top Worries: Security, BYOD, Cloud

Personal mobile devices still present huge security challenge, say HIMSS Analytics focus group participants.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)
Seven senior IT executives who participated in a focus group conducted by analyst group HIMSS Analytics cited data security concerns -- especially those related to the growing use of personal mobile devices -- as among their top challenges. Other pressing issues included the growth in data storage needs and health information exchange.

Although the focus group was small, what the participants said reflected the IT infrastructure priorities of the industry, as represented in a recent survey by the Health Information Management and Systems Society (HIMSS), according to a report on the focus group.

The IT executives lamented their loss of control over device management in a "bring your own device" (BYOD) environment. As one participant noted, "you can't lock down [providers'] personal e-mail."

[ Want more on BYOD in healthcare? Read Halamka Knows Perils And Promise Of Healthcare BYOD. ]

Another participant pointed out that with the proliferation of personal smartphones and iPads in hospitals, "data is exchanged insecurely whether you like it or not," regardless of how many security controls are put in place. Providers tend to find workarounds that can jeopardize data security, several people said.

According to a December 2012 HIMSS survey on mobile devices, 75% of hospitals are using "remote wipe" capabilities to eliminate data on lost or stolen devices. Also, many facilities are using mobile devices to access data but not to store it, noted Jennifer Horowitz, senior research director of HIMSS Analytics, in an interview.

"For the most part, organizations are viewing these devices as access tools and not necessarily as storage tools. They don't want the data [to reside] on the device," she said.

The focus group participants pointed out that the use of wireless networks makes it difficult, if not impossible, to prevent employee use of the Internet for personal reasons. Although some hospitals tried to restrict access to websites such as Amazon, Facebook and Twitter, they found that employees figured out how to reach those sites by using their institution's guest network.

When clinicians are working, rather than playing, they might encounter "drop zones" in their wireless networks where the signals to mobile devices fade out. Participants reported using a variety of solutions to address this problem, including "virtual desktops" that let users who experience a dropped signal pick up where they left off when wireless access is restored. One participant said his institution used a microwave network to transmit and receive data in places where cellular signals are blocked.

Data storage was cited as another problem, mainly because of the spread of data-hungry picture archiving and communications systems (PACS). Among the issues were "the ability to store an ever-increasing number of data-intensive images, challenges in exchanging images created by remote clinicians, and securing images taken with a mobile imaging machine," according to the report.

One participant said his organization had trouble linking to remote sites because the only solution available was "painfully slow." Yet he did not mention the possibility of using a cloud service to store data and applications.

In general, the participants "were approaching the use of cloud computing with caution," the report said. Some executives said they were comfortable with the use of a private cloud hosted by their primary health IT vendor. But they were still more likely to store administrative data in the cloud than clinical data containing personal health information.

One major obstacle to using the cloud, Horowitz pointed out, is the difficulty that providers have had in obtaining business associate agreements (BAAs) from cloud vendors. Under the latest HIPAA rules, providers are required to have BAAs with cloud computing firms. If they don't, they could get in trouble with the government, and they also run the risk of being sued if there is a security breach involving personal health information.

"If hospitals put their information out there in the cloud, and anybody else has access to or control over it, hospitals need to feel secure that the appropriate security mechanisms are put into place," Horowitz said.

Although Microsoft and Box recently announced that they have HIPAA-compliant BAAs, some other public cloud vendors apparently don't. It is unclear, however, why any technology vendor that hosts a private cloud service designed primarily for hospitals or physician practices would not sign a BAA.

Lisa Gallagher, VP of technology solutions for HIMSS, told InformationWeek that in the recent past, "some cloud vendors were reluctant to sign BAAs." But the new HIPAA Omnibus Rule makes it clear that all providers must have such agreements in place with cloud providers. "So, now cloud providers must sign BAAs when their services include receiving and storing PHI [personal health information]."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
josephmalone29
50%
50%
josephmalone29,
User Rank: Apprentice
5/26/2013 | 10:35:16 PM
re: Health IT Execs' Top Worries: Security, BYOD, Cloud
I can understand that healhcare IT is waiting to see if there is a back lash to BYOD, but if you are using HIPAA compliant data security in your BYOD policy, such as a HIPAA compliant text messaging app like Tigertext, then it should not ever really be an issue. We are going one step further, and actually developing our own app incorporating TigerConnect API by Tigertext, as well as HIPAA compliant email intigration, to make for a secure and easy to use BYOD solution which when combined with our BYOD policy will do a very good job of lowering the BYOD risk.
jaysimmons
50%
50%
jaysimmons,
User Rank: Apprentice
5/12/2013 | 5:26:39 AM
re: Health IT Execs' Top Worries: Security, BYOD, Cloud
I guess I can see why a lot of these cloud vendors are reluctant to sign new BAA as the penalties for any breach of patient data can be quite steep, but if you are going to market your cloud as secure enough for PHI, then you better be able to back up your claims. I for one would switch cloud services if my vendor said he didnGÇÖt want to sign a BAA. It gives of a sense that your information is not secure with the cloud service.

Jay Simmons
Information Week Contributor
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4734
Published: 2014-07-21
Cross-site scripting (XSS) vulnerability in e107_admin/db.php in e107 2.0 alpha2 and earlier allows remote attackers to inject arbitrary web script or HTML via the type parameter.

CVE-2014-4960
Published: 2014-07-21
Multiple SQL injection vulnerabilities in models\gallery.php in Youtube Gallery (com_youtubegallery) component 4.x through 4.1.7, and possibly 3.x, for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) listid or (2) themeid parameter to index.php.

CVE-2014-5016
Published: 2014-07-21
Multiple cross-site scripting (XSS) vulnerabilities in LimeSurvey 2.05+ Build 140618 allow remote attackers to inject arbitrary web script or HTML via (1) the pid attribute to the getAttribute_json function to application/controllers/admin/participantsaction.php in CPDB, (2) the sa parameter to appl...

CVE-2014-5017
Published: 2014-07-21
SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to execute arbitrary SQL commands via the sidx parameter in a JSON request to admin/participants/sa/getParticipants_json, related to a search parameter...

CVE-2014-5018
Published: 2014-07-21
Incomplete blacklist vulnerability in the autoEscape function in common_helper.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to conduct cross-site scripting (XSS) attacks via the GBK charset in the loadname parameter to index.php, related to the survey resume.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.