Risk
5/9/2013
11:32 AM
Connect Directly
RSS
E-Mail
50%
50%

Health IT Execs' Top Worries: Security, BYOD, Cloud

Personal mobile devices still present huge security challenge, say HIMSS Analytics focus group participants.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)
Seven senior IT executives who participated in a focus group conducted by analyst group HIMSS Analytics cited data security concerns -- especially those related to the growing use of personal mobile devices -- as among their top challenges. Other pressing issues included the growth in data storage needs and health information exchange.

Although the focus group was small, what the participants said reflected the IT infrastructure priorities of the industry, as represented in a recent survey by the Health Information Management and Systems Society (HIMSS), according to a report on the focus group.

The IT executives lamented their loss of control over device management in a "bring your own device" (BYOD) environment. As one participant noted, "you can't lock down [providers'] personal e-mail."

[ Want more on BYOD in healthcare? Read Halamka Knows Perils And Promise Of Healthcare BYOD. ]

Another participant pointed out that with the proliferation of personal smartphones and iPads in hospitals, "data is exchanged insecurely whether you like it or not," regardless of how many security controls are put in place. Providers tend to find workarounds that can jeopardize data security, several people said.

According to a December 2012 HIMSS survey on mobile devices, 75% of hospitals are using "remote wipe" capabilities to eliminate data on lost or stolen devices. Also, many facilities are using mobile devices to access data but not to store it, noted Jennifer Horowitz, senior research director of HIMSS Analytics, in an interview.

"For the most part, organizations are viewing these devices as access tools and not necessarily as storage tools. They don't want the data [to reside] on the device," she said.

The focus group participants pointed out that the use of wireless networks makes it difficult, if not impossible, to prevent employee use of the Internet for personal reasons. Although some hospitals tried to restrict access to websites such as Amazon, Facebook and Twitter, they found that employees figured out how to reach those sites by using their institution's guest network.

When clinicians are working, rather than playing, they might encounter "drop zones" in their wireless networks where the signals to mobile devices fade out. Participants reported using a variety of solutions to address this problem, including "virtual desktops" that let users who experience a dropped signal pick up where they left off when wireless access is restored. One participant said his institution used a microwave network to transmit and receive data in places where cellular signals are blocked.

Data storage was cited as another problem, mainly because of the spread of data-hungry picture archiving and communications systems (PACS). Among the issues were "the ability to store an ever-increasing number of data-intensive images, challenges in exchanging images created by remote clinicians, and securing images taken with a mobile imaging machine," according to the report.

One participant said his organization had trouble linking to remote sites because the only solution available was "painfully slow." Yet he did not mention the possibility of using a cloud service to store data and applications.

In general, the participants "were approaching the use of cloud computing with caution," the report said. Some executives said they were comfortable with the use of a private cloud hosted by their primary health IT vendor. But they were still more likely to store administrative data in the cloud than clinical data containing personal health information.

One major obstacle to using the cloud, Horowitz pointed out, is the difficulty that providers have had in obtaining business associate agreements (BAAs) from cloud vendors. Under the latest HIPAA rules, providers are required to have BAAs with cloud computing firms. If they don't, they could get in trouble with the government, and they also run the risk of being sued if there is a security breach involving personal health information.

"If hospitals put their information out there in the cloud, and anybody else has access to or control over it, hospitals need to feel secure that the appropriate security mechanisms are put into place," Horowitz said.

Although Microsoft and Box recently announced that they have HIPAA-compliant BAAs, some other public cloud vendors apparently don't. It is unclear, however, why any technology vendor that hosts a private cloud service designed primarily for hospitals or physician practices would not sign a BAA.

Lisa Gallagher, VP of technology solutions for HIMSS, told InformationWeek that in the recent past, "some cloud vendors were reluctant to sign BAAs." But the new HIPAA Omnibus Rule makes it clear that all providers must have such agreements in place with cloud providers. "So, now cloud providers must sign BAAs when their services include receiving and storing PHI [personal health information]."

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
jaysimmons
50%
50%
jaysimmons,
User Rank: Apprentice
5/12/2013 | 5:26:39 AM
re: Health IT Execs' Top Worries: Security, BYOD, Cloud
I guess I can see why a lot of these cloud vendors are reluctant to sign new BAA as the penalties for any breach of patient data can be quite steep, but if you are going to market your cloud as secure enough for PHI, then you better be able to back up your claims. I for one would switch cloud services if my vendor said he didnGÇÖt want to sign a BAA. It gives of a sense that your information is not secure with the cloud service.

Jay Simmons
Information Week Contributor
josephmalone29
50%
50%
josephmalone29,
User Rank: Apprentice
5/26/2013 | 10:35:16 PM
re: Health IT Execs' Top Worries: Security, BYOD, Cloud
I can understand that healhcare IT is waiting to see if there is a back lash to BYOD, but if you are using HIPAA compliant data security in your BYOD policy, such as a HIPAA compliant text messaging app like Tigertext, then it should not ever really be an issue. We are going one step further, and actually developing our own app incorporating TigerConnect API by Tigertext, as well as HIPAA compliant email intigration, to make for a secure and easy to use BYOD solution which when combined with our BYOD policy will do a very good job of lowering the BYOD risk.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4594
Published: 2014-10-25
The Payment for Webform module 7.x-1.x before 7.x-1.5 for Drupal does not restrict access by anonymous users, which allows remote anonymous users to use the payment of other anonymous users when submitting a form that requires payment.

CVE-2014-0476
Published: 2014-10-25
The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerability when /tmp is not mounted with the noexec option.

CVE-2014-1927
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928....

CVE-2014-1928
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulner...

CVE-2014-1929
Published: 2014-10-25
python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.