Risk
4/6/2011
03:57 PM
Connect Directly
RSS
E-Mail
50%
50%

Healthcare Data Security In Transition

Hackers are not as big a problem as insiders snooping on electronic medical and financial records, and the legal penalties for violating security rules are getting tougher.

Health IT Boosts Patient Care, Safety
(click image for larger view)
Slideshow: Health IT Boosts Patient Care, Safety
As hospitals shift their security efforts, healthcare data security is in transition. External hackers are less of a concern these days than insiders snooping on electronic medical and financial records. Hospitals are exchanging more data with small physician practices that may not have adequate safeguards in place, while mobile devices are extending networks far beyond institutional walls. Plus, federal privacy and security standards are getting stronger, as are the penalties for violating those rules.

"Your biggest [threats] are internal," Terrell Herzig, information security officer for the University of Alabama at Birmingham Health System (UAB), said Tuesday at a health IT conference in Atlanta. Employees have been known to take unauthorized peeks at the records of VIPs such as local celebrities or prominent citizens, and with more than 50 million uninsured Americans, there is a thriving black market for stolen and fraudulent health plan identification numbers.

"We're emphasizing awareness and education" for employees and medical staff, said Mark Moroses, chief information officer of Continuum Health Partners, a five-hospital system in New York City. "We try not to have a heavy hand in a less-than-egregious breach. The education loop is what we focus on."

Still, after a local newspaper exposed security vulnerabilities at a Continuum hospital by getting an insider to point out how to access patient records, Moroses helped authorities arrest and prosecute the employee, who, it turned out, had stolen patient identities at another hospital but hadn't been caught. "We did a better job of collecting the evidence," Moroses said.

"You can't lock down everything," said Cigdem Delano, chief information officer at Morehouse School of Medicine (MSM) in Atlanta said. "No matter what you do, there's always going to be a human factor."

Meanwhile, security and compliance officers are trying to strike a delicate balance between protecting their data and making the IT systems so difficult to navigate that users -- particularly those fickle creatures known as physicians -- rebel.

"You can also have too much security," Delano said. At least one person in the MSM legal department wanted Department of Defense-level security in the clinical IT server room, he said. But the medical school isn't doing anything with national security implications such as bioterrorism research.

On the other hand, UAB has some contracts with the National Institutes of Health that involve potentially sensitive data, but didn't want to frustrate end users by forcing them to enter complicated passwords each time they turned away from the computer for a few seconds. Herzig and his team chose thin clients with two-factor authentication in the form of smart cards. If users remove their cards without logging out, their sessions stay frozen. They can reinsert the cards at other workstations and simply re-enter a personal identification number to resume working.

Continuum has essentially turned its computers-on-wheels into dumb terminals, Moroses said, and by next year will only have thin clients available to most end users. This is what Mike Wall, CEO of DICOM Grid, a Phoenix-based provider of cloud storage and archiving of digital medical images, calls a "zero footprint" from a security standpoint: no data stored on local computers.

"The whole zero-footprint thing is great," said Herzig, particularly in the age of mobility. "We made the decision that we were going to manage data, not devices," he said.

Sometimes, though, it's impossible to keep all data in-house, especially as an increasing number of patients ask for electronic copies of medical records and images. That's where encryption comes in. Herzig spoke of finding a CD clearly marked with a patient's name lying in the hospital's parking lot. The image on the disc was not secured.

This apparently is a common occurrence. "Every facility I go to, there's a CD problem," said Wall, whose company, of course, has an interest in moving images to the cloud.

According to Moroses, only in the past two years or so have major information security vendors been able to offer healthcare organizations end-to-end encryption products and services. Before then, it was rather piecemeal.

"We went through what I affectionately call encryption conniptions," Herzig adds. "It's got to be continuous across the whole space."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2010-5110
Published: 2014-08-29
DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause a denial of service (crash) via a crafted PDF file.

CVE-2012-1503
Published: 2014-08-29
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.

CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

CVE-2014-0600
Published: 2014-08-29
FileUploadServlet in the Administration service in Novell GroupWise 2014 before SP1 allows remote attackers to read or write to arbitrary files via the poLibMaintenanceFileSave parameter, aka ZDI-CAN-2287.

CVE-2014-0888
Published: 2014-08-29
IBM Worklight Foundation 5.x and 6.x before 6.2.0.0, as used in Worklight and Mobile Foundation, allows remote authenticated users to bypass the application-authenticity feature via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.