4/6/2011 03:57 PM
Healthcare Data Security In Transition

Hackers are not as big a problem as insiders snooping on electronic medical and financial records, and the legal penalties for violating security rules are getting tougher.

Slideshow: Health IT Boosts Patient Care, Safety
As hospitals shift their security efforts, healthcare data security is in transition. External hackers are less of a concern these days than insiders snooping on electronic medical and financial records. Hospitals are exchanging more data with small physician practices that may not have adequate safeguards in place, while mobile devices are extending networks far beyond institutional walls. Plus, federal privacy and security standards are getting stronger, as are the penalties for violating those rules.

"Your biggest [threats] are internal," Terrell Herzig, information security officer for the University of Alabama at Birmingham Health System (UAB), said Tuesday at a health IT conference in Atlanta. Employees have been known to take unauthorized peeks at the records of VIPs such as local celebrities or prominent citizens, and with more than 50 million uninsured Americans, there is a thriving black market for stolen and fraudulent health plan identification numbers.

"We're emphasizing awareness and education" for employees and medical staff, said Mark Moroses, chief information officer of Continuum Health Partners, a five-hospital system in New York City. "We try not to have a heavy hand in a less-than-egregious breach. The education loop is what we focus on."

Still, after a local newspaper exposed security vulnerabilities at a Continuum hospital by getting an insider to point out how to access patient records, Moroses helped authorities arrest and prosecute the employee, who, it turned out, had stolen patient identities at another hospital but hadn't been caught. "We did a better job of collecting the evidence," Moroses said.
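As an added illustration, not code from the article or from any of the hospitals quoted, here is the kind of access-audit check a compliance team runs to catch the insider snooping Herzig describes, while preserving the raw log line as evidence in the way Moroses emphasized. The audit-line format, the care-team roster, the billing assignments, the VIP list and every patient and user identifier are constructed for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample EHR access-audit lines (format and values invented for this example).
ACCESS_LOG = [
    "2011-04-05T08:12:03 user=rn_lopez role=nurse patient=P1001 action=view",
    "2011-04-05T08:14:47 user=dr_chen role=physician patient=P1001 action=update",
    "2011-04-05T09:02:10 user=clerk_kim role=billing patient=P2002 action=view",
    "2011-04-05T12:33:02 user=clerk_kim role=billing patient=P3003 action=view",
    "2011-04-05T13:05:19 user=rn_lopez role=nurse patient=P2002 action=view",
]

# Constructed treatment relationships: which staff are assigned to which patient.
CARE_TEAM: Dict[str, Set[str]] = {
    "P1001": {"rn_lopez", "dr_chen"},
    "P2002": {"dr_chen"},
    "P3003": {"dr_patel"},
}
# Constructed billing assignments: a legitimate non-clinical reason to open a record.
BILLING: Dict[str, Set[str]] = {"clerk_kim": {"P2002"}}
# Constructed list of high-profile records that get extra scrutiny.
VIP_PATIENTS: Set[str] = {"P2002"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"patient=(?P<patient>\S+) action=(?P<action>\S+)$"
)


def parse_event(line: str) -> dict:
    """Parse one audit line into its fields; reject malformed input loudly."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    return m.groupdict()


def has_relationship(user: str, patient: str, care_team, billing) -> bool:
    """True when the user is on the patient's care team or holds a billing assignment."""
    return user in care_team.get(patient, set()) or patient in billing.get(user, set())


def detect_snooping(lines: List[str], care_team, billing, vips) -> List[dict]:
    """Flag every access with no documented relationship; VIP records rank higher."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if has_relationship(ev["user"], ev["patient"], care_team, billing):
            continue
        alerts.append({
            "user": ev["user"],
            "patient": ev["patient"],
            "severity": "high" if ev["patient"] in vips else "medium",
            "evidence": line,  # keep the untouched line for the investigation file
        })
    return alerts


if __name__ == "__main__":
    for a in detect_snooping(ACCESS_LOG, CARE_TEAM, BILLING, VIP_PATIENTS):
        print(a["severity"], a["user"], "->", a["patient"])
```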

"You can't lock down everything," said Cigdem Delano, chief information officer at Morehouse School of Medicine (MSM) in Atlanta. "No matter what you do, there's always going to be a human factor."

Meanwhile, security and compliance officers are trying to strike a delicate balance between protecting their data and making the IT systems so difficult to navigate that users -- particularly those fickle creatures known as physicians -- rebel.

"You can also have too much security," Delano said. At least one person in the MSM legal department wanted Department of Defense-level security in the clinical IT server room, he said. But the medical school isn't doing anything with national security implications such as bioterrorism research.

On the other hand, UAB has some contracts with the National Institutes of Health that involve potentially sensitive data, but didn't want to frustrate end users by forcing them to enter complicated passwords each time they turned away from the computer for a few seconds. Herzig and his team chose thin clients with two-factor authentication in the form of smart cards. If users remove their cards without logging out, their sessions stay frozen. They can reinsert the cards at other workstations and simply re-enter a personal identification number to resume working.

Continuum has essentially turned its computers-on-wheels into dumb terminals, Moroses said, and by next year will only have thin clients available to most end users. This is what Mike Wall, CEO of DICOM Grid, a Phoenix-based provider of cloud storage and archiving of digital medical images, calls a "zero footprint" from a security standpoint: no data stored on local computers.

"The whole zero-footprint thing is great," said Herzig, particularly in the age of mobility. "We made the decision that we were going to manage data, not devices," he said.

Sometimes, though, it's impossible to keep all data in-house, especially as an increasing number of patients ask for electronic copies of medical records and images. That's where encryption comes in. Herzig spoke of finding a CD clearly marked with a patient's name lying in the hospital's parking lot. The image on the disc was not secured.

This apparently is a common occurrence. "Every facility I go to, there's a CD problem," said Wall, whose company, of course, has an interest in moving images to the cloud.

According to Moroses, only in the past two years or so have major information security vendors been able to offer healthcare organizations end-to-end encryption products and services. Before then, it was rather piecemeal.

"We went through what I affectionately call encryption conniptions," Herzig added. "It's got to be continuous across the whole space."
