Risk
5/9/2013
11:32 AM
50%
50%

Health IT Execs' Top Worries: Security, BYOD, Cloud

Personal mobile devices still present huge security challenge, say HIMSS Analytics focus group participants.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)
Seven senior IT executives who participated in a focus group conducted by analyst group HIMSS Analytics cited data security concerns -- especially those related to the growing use of personal mobile devices -- as among their top challenges. Other pressing issues included the growth in data storage needs and health information exchange.

Although the focus group was small, what the participants said reflected the IT infrastructure priorities of the industry, as represented in a recent survey by the Health Information Management and Systems Society (HIMSS), according to a report on the focus group.

The IT executives lamented their loss of control over device management in a "bring your own device" (BYOD) environment. As one participant noted, "you can't lock down [providers'] personal e-mail."

[ Want more on BYOD in healthcare? Read Halamka Knows Perils And Promise Of Healthcare BYOD. ]

Another participant pointed out that with the proliferation of personal smartphones and iPads in hospitals, "data is exchanged insecurely whether you like it or not," regardless of how many security controls are put in place. Providers tend to find workarounds that can jeopardize data security, several people said.

According to a December 2012 HIMSS survey on mobile devices, 75% of hospitals are using "remote wipe" capabilities to eliminate data on lost or stolen devices. Also, many facilities are using mobile devices to access data but not to store it, noted Jennifer Horowitz, senior research director of HIMSS Analytics, in an interview.

"For the most part, organizations are viewing these devices as access tools and not necessarily as storage tools. They don't want the data [to reside] on the device," she said.

The focus group participants pointed out that the use of wireless networks makes it difficult, if not impossible, to prevent employee use of the Internet for personal reasons. Although some hospitals tried to restrict access to websites such as Amazon, Facebook and Twitter, they found that employees figured out how to reach those sites by using their institution's guest network.

When clinicians are working, rather than playing, they might encounter "drop zones" in their wireless networks where the signals to mobile devices fade out. Participants reported using a variety of solutions to address this problem, including "virtual desktops" that let users who experience a dropped signal pick up where they left off when wireless access is restored. One participant said his institution used a microwave network to transmit and receive data in places where cellular signals are blocked.

Data storage was cited as another problem, mainly because of the spread of data-hungry picture archiving and communications systems (PACS). Among the issues were "the ability to store an ever-increasing number of data-intensive images, challenges in exchanging images created by remote clinicians, and securing images taken with a mobile imaging machine," according to the report.

One participant said his organization had trouble linking to remote sites because the only solution available was "painfully slow." Yet he did not mention the possibility of using a cloud service to store data and applications.

In general, the participants "were approaching the use of cloud computing with caution," the report said. Some executives said they were comfortable with the use of a private cloud hosted by their primary health IT vendor. But they were still more likely to store administrative data in the cloud than clinical data containing personal health information.

One major obstacle to using the cloud, Horowitz pointed out, is the difficulty that providers have had in obtaining business associate agreements (BAAs) from cloud vendors. Under the latest HIPAA rules, providers are required to have BAAs with cloud computing firms. If they don't, they could get in trouble with the government, and they also run the risk of being sued if there is a security breach involving personal health information.

"If hospitals put their information out there in the cloud, and anybody else has access to or control over it, hospitals need to feel secure that the appropriate security mechanisms are put into place," Horowitz said.

Although Microsoft and Box recently announced that they have HIPAA-compliant BAAs, some other public cloud vendors apparently don't. It is unclear, however, why any technology vendor that hosts a private cloud service designed primarily for hospitals or physician practices would not sign a BAA.

Lisa Gallagher, VP of technology solutions for HIMSS, told InformationWeek that in the recent past, "some cloud vendors were reluctant to sign BAAs." But the new HIPAA Omnibus Rule makes it clear that all providers must have such agreements in place with cloud providers. "So, now cloud providers must sign BAAs when their services include receiving and storing PHI [personal health information]."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
josephmalone29
50%
50%
josephmalone29,
User Rank: Apprentice
5/26/2013 | 10:35:16 PM
re: Health IT Execs' Top Worries: Security, BYOD, Cloud
I can understand that healhcare IT is waiting to see if there is a back lash to BYOD, but if you are using HIPAA compliant data security in your BYOD policy, such as a HIPAA compliant text messaging app like Tigertext, then it should not ever really be an issue. We are going one step further, and actually developing our own app incorporating TigerConnect API by Tigertext, as well as HIPAA compliant email intigration, to make for a secure and easy to use BYOD solution which when combined with our BYOD policy will do a very good job of lowering the BYOD risk.
jaysimmons
50%
50%
jaysimmons,
User Rank: Apprentice
5/12/2013 | 5:26:39 AM
re: Health IT Execs' Top Worries: Security, BYOD, Cloud
I guess I can see why a lot of these cloud vendors are reluctant to sign new BAA as the penalties for any breach of patient data can be quite steep, but if you are going to market your cloud as secure enough for PHI, then you better be able to back up your claims. I for one would switch cloud services if my vendor said he didnG«÷t want to sign a BAA. It gives of a sense that your information is not secure with the cloud service.

Jay Simmons
Information Week Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5208
Published: 2014-12-22
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbit...

CVE-2014-7286
Published: 2014-12-22
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.

CVE-2014-8015
Published: 2014-12-22
The Sponsor Portal in Cisco Identity Services Engine (ISE) allows remote authenticated users to obtain access to an arbitrary sponsor's guest account via a modified HTTP request, aka Bug ID CSCur64400.

CVE-2014-8017
Published: 2014-12-22
The periodic-backup feature in Cisco Identity Services Engine (ISE) allows remote attackers to discover backup-encryption passwords via a crafted request that triggers inclusion of a password in a reply, aka Bug ID CSCur41673.

CVE-2014-8018
Published: 2014-12-22
Multiple cross-site scripting (XSS) vulnerabilities in Business Voice Services Manager (BVSM) pages in the Application Software in Cisco Unified Communications Domain Manager 8 allow remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug IDs CSCur19651, CSCur18555, CSCur1...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.