
Duke Revamps Access

Duke Medical Center looks to lock down patient data and ease the strain on IT staff

Duke University Medical Center is currently overhauling its security and storage operations in an attempt to lock down its critical data and meet its regulatory commitments.

Rafael Rodriguez, the Medical Center's associate CIO, says the organization is looking to ease the strain on its helpdesk by deploying Tivoli's Identity Manager software to handle passwords across a slew of complex medical systems.

"About 40 percent of the calls to our helpdesk are for password resets," he explains. With Identity Manager, end users can reset the passwords themselves, and these can then be synchronized across medical systems, laptops, and workstations.

With around 1,500 faculty physicians and over 800 staff members, setting and resetting passwords has traditionally been something of a logistical nightmare for Rodriguez and his staff. "Some end users had as many as 20 different applications, so you can imagine this was quite a high pain point," he explains.

After choosing Tivoli earlier this year, the Center is now deploying the software, and Rodriguez expects to have the password system in production mode in the fourth quarter. Initially, he says, the organization will roll out Identity Manager across six key applications, followed by another six by the middle of 2008.

"Our primary focus is clinical applications," he explains, adding that a patient information application and the hospital's system for ordering medications will be amongst the first to get the new password protection. "We also plan to manage the passwords for our email systems."

The applications are hosted on two IBM pSeries mainframes running the AIX operating system. These, in turn, are linked to the university's 170-Tbyte SAN, which is built from Cisco MDS Directors and hardware from HP, IBM, and Sun.

Rodriguez explains that the password lockdown will be particularly useful during the summer when the Center gets an influx of doctors. "This month, we have the new class of residents coming in," he says. "This will make the process of setting up passwords and setting up accounts on the different systems automatic."

Duke is also looking to boost its internal security. For example, if a doctor or nurse forgets to sign off from a computer linked to the patient records system, the software monitors the device and ends the session, requiring the next user to sign on again.

Rodriguez would not reveal specifics, saying only that the Center spent "several thousands of dollars" on the Tivoli product, but he is looking for a speedy ROI. "I expect that we would get a return on this investment in the next couple of years."

In addition to Tivoli, Duke also looked at a product from BMC for handling its passwords, although Rodriguez says that the former won out thanks to its ability to support a range of different systems. "Tivoli made a commitment to do this work with us in the academic medical environment, which is complex," he says, adding that Identity Manager was also competitively priced.

The deployment, according to Rodriguez, is also helping the University meet its Health Insurance Portability and Accountability Act (HIPAA) commitments, which dictate who can access patients' medical records. (See Users Self-Destruct on Governance.) "Because all the passwords are synchronized, the end user can set up stronger passwords [so] they don't have to write them down," he explains. "[So] there's less risk that the passwords will be compromised."

Additionally, the Center is better positioned to meet the stringent audit requirements of HIPAA. "Identity Manager has its own audits of people who have changed passwords and audits of who is accessing the system," says Rodriguez.

But the exec admits that deploying this type of technology in a byzantine multi-system medical environment is easier said than done. "The challenge is that this is a complex environment because we have a lot of different applications working together."

At the same time it is deploying Identity Manager, however, Duke is rolling out IBM's SAN Volume Controller to better monitor its SAN. Although this is not yet in production, Rodriguez says that the move was prompted by growing volumes of data on the SAN.

The University's health system currently accounts for 130 of the SAN's 170 storage volumes, with the remainder allocated to the Duke campus. Only 90 percent of health system data, however, is currently held on the SAN, and Rodriguez is planning to migrate the remaining 10 percent at some point in the future. "[The] targets for expansion are data in remote data centers."

— James Rogers, Senior Editor, Byte and Switch

  • BMC Software Inc. (NYSE: BMC)
  • Cisco Systems Inc. (Nasdaq: CSCO)
  • EMC Corp. (NYSE: EMC)
  • Hewlett-Packard Co. (NYSE: HPQ)
  • IBM Corp. (NYSE: IBM)
