Risk
4/6/2011
03:57 PM
Connect Directly
RSS
E-Mail
50%
50%

Healthcare Data Security In Transition

Hackers are not as big a problem as insiders snooping on electronic medical and financial records, and the legal penalties for violating security rules are getting tougher.

Health IT Boosts Patient Care, Safety
(click image for larger view)
Slideshow: Health IT Boosts Patient Care, Safety
As hospitals shift their security efforts, healthcare data security is in transition. External hackers are less of a concern these days than insiders snooping on electronic medical and financial records. Hospitals are exchanging more data with small physician practices that may not have adequate safeguards in place, while mobile devices are extending networks far beyond institutional walls. Plus, federal privacy and security standards are getting stronger, as are the penalties for violating those rules.

"Your biggest [threats] are internal," Terrell Herzig, information security officer for the University of Alabama at Birmingham Health System (UAB), said Tuesday at a health IT conference in Atlanta. Employees have been known to take unauthorized peeks at the records of VIPs such as local celebrities or prominent citizens, and with more than 50 million uninsured Americans, there is a thriving black market for stolen and fraudulent health plan identification numbers.

"We're emphasizing awareness and education" for employees and medical staff, said Mark Moroses, chief information officer of Continuum Health Partners, a five-hospital system in New York City. "We try not to have a heavy hand in a less-than-egregious breach. The education loop is what we focus on."

Still, after a local newspaper exposed security vulnerabilities at a Continuum hospital by getting an insider to point out how to access patient records, Moroses helped authorities arrest and prosecute the employee, who, it turned out, had stolen patient identities at another hospital but hadn't been caught. "We did a better job of collecting the evidence," Moroses said.

"You can't lock down everything," said Cigdem Delano, chief information officer at Morehouse School of Medicine (MSM) in Atlanta said. "No matter what you do, there's always going to be a human factor."

Meanwhile, security and compliance officers are trying to strike a delicate balance between protecting their data and making the IT systems so difficult to navigate that users -- particularly those fickle creatures known as physicians -- rebel.

"You can also have too much security," Delano said. At least one person in the MSM legal department wanted Department of Defense-level security in the clinical IT server room, he said. But the medical school isn't doing anything with national security implications such as bioterrorism research.

On the other hand, UAB has some contracts with the National Institutes of Health that involve potentially sensitive data, but didn't want to frustrate end users by forcing them to enter complicated passwords each time they turned away from the computer for a few seconds. Herzig and his team chose thin clients with two-factor authentication in the form of smart cards. If users remove their cards without logging out, their sessions stay frozen. They can reinsert the cards at other workstations and simply re-enter a personal identification number to resume working.

Continuum has essentially turned its computers-on-wheels into dumb terminals, Moroses said, and by next year will only have thin clients available to most end users. This is what Mike Wall, CEO of DICOM Grid, a Phoenix-based provider of cloud storage and archiving of digital medical images, calls a "zero footprint" from a security standpoint: no data stored on local computers.

"The whole zero-footprint thing is great," said Herzig, particularly in the age of mobility. "We made the decision that we were going to manage data, not devices," he said.

Sometimes, though, it's impossible to keep all data in-house, especially as an increasing number of patients ask for electronic copies of medical records and images. That's where encryption comes in. Herzig spoke of finding a CD clearly marked with a patient's name lying in the hospital's parking lot. The image on the disc was not secured.

This apparently is a common occurrence. "Every facility I go to, there's a CD problem," said Wall, whose company, of course, has an interest in moving images to the cloud.

According to Moroses, only in the past two years or so have major information security vendors been able to offer healthcare organizations end-to-end encryption products and services. Before then, it was rather piecemeal.

"We went through what I affectionately call encryption conniptions," Herzig adds. "It's got to be continuous across the whole space."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

CVE-2012-5487
Published: 2014-09-30
The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing.

CVE-2012-5488
Published: 2014-09-30
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.

CVE-2012-5489
Published: 2014-09-30
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.